Conversation
deviantony
left a comment
There was a problem hiding this comment.
I did a quick review, what are the issues with this implementation? Any errors in the logs?
api/http/proxy/manager.go
Outdated
| } else { | ||
| } | ||
| case "npipe": | ||
| var namedPipePath = strings.Replace(endpoint.URL, "npipe:", "", 1) |
There was a problem hiding this comment.
I think that you can use endpoint.URL.Path here instead of strings.Replace(endpoint.URL, "npipe:", "", 1)
api/http/proxy/transport.go
Outdated
| func newNamedPipeTransport(namedPipePath string) *http.Transport { | ||
| return &http.Transport{ | ||
| Dial: func(proto, addr string) (conn net.Conn, err error) { | ||
| return npipe.Dial(namedPipePath) |
There was a problem hiding this comment.
Issue might come from here... Looks like @StefanScherer is using github.com/Microsoft/go-winio here. You might want to give it a try.
See: develop...StefanScherer:npipe_support#diff-d678b9df77b49ad5bb4195768e75b3afR45
| $('#loadingViewSpinner').hide(); | ||
| $scope.endpoint = data; | ||
| if (data.URL.indexOf('unix://') === 0) { | ||
| if (data.URL.indexOf('unix://') === 0 || data.URL.indexOf('npipe:') === 0) { |
There was a problem hiding this comment.
Shouldn't that be data.URL.indexOf('npipe://') instead?
| $('#createResourceSpinner').show(); | ||
| var name = 'local'; | ||
| var URL = 'unix:///var/run/docker.sock'; | ||
| var URL = 'npipe:\\\\.\\pipe\\docker_engine'; |
There was a problem hiding this comment.
Of course we won't replace the socket by the npipe when merged. At the moment, this is still acceptable for tests.
Regarding the UX during the first endpoint initialization, we have multiple choices here:
- Detect the platform where Portainer is running and automatically adapt the
URLvalue with either the socket path or named pipe - Replace the two options ('local' and 'remote') by Local (Linux), Local (Windows) and Remote.
There was a problem hiding this comment.
Agreed, this was just a testing hack - I'll rebase out that commit
app/services/api/endpointService.js
Outdated
| var endpoint = { | ||
| Name: 'local', | ||
| URL: 'unix:///var/run/docker.sock', | ||
| URL: 'npipe:\\\\.\\pipe\\docker_engine', |
There was a problem hiding this comment.
Same thing here, I think that we'll need to have createLocalLinuxEndpoint and createLocalWindowsEndpoint.
There was a problem hiding this comment.
@deviantony what do you want to do here? Is there a way to extricate the server host OS with angular?
api/http/proxy/named_pipe.go
Outdated
| @@ -0,0 +1,35 @@ | |||
| package proxy | |||
There was a problem hiding this comment.
Is this file really useful? Looks similar to api/http/proxy/socket.go.
|
Ah, using @StefanScherer's changes to use
|
|
Ok, great ! Please have a look at my comments, there are a few things I'd like to change. |
StefanScherer
left a comment
There was a problem hiding this comment.
Thanks @friism for pushing this forward 👍. Hadn't the time to open a PR. So we can work on this one.
| This feature is not yet available for <u>native Docker Windows containers</u>. | ||
| </p> | ||
| <p class="text-primary"> | ||
| Please ensure that you have started the Portainer container with the following Docker flag <code>-v "/var/run/docker.sock:/var/run/docker.sock"</code> in order to connect to the local Docker environment. |
There was a problem hiding this comment.
The user should also see some hints how to do this with Windows <code>-v \\.\pipe\\docker_engine:\\.\pipe\\docker_engine</code>.
api/http/proxy/local.go
Outdated
| package proxy | ||
|
|
||
| // unixSocketHandler represents a handler to proxy HTTP requests via a unix:// socket | ||
| // represents a handler to proxy HTTP requests via a unix:// socket and npope:// named pipes |
There was a problem hiding this comment.
a typo -> s/npope/npipe/
| $('#createResourceSpinner').show(); | ||
| var name = 'local'; | ||
| var URL = 'unix:///var/run/docker.sock'; | ||
| var URL = 'npipe:////./pipe/docker_engine'; |
There was a problem hiding this comment.
I also thought how we get the server OS here. Maybe this should be left empty and the EndponitService uses the defaults for the correct platform? @deviantony WDYT
app/services/api/endpointService.js
Outdated
| var endpoint = { | ||
| Name: 'local', | ||
| URL: 'unix:///var/run/docker.sock', | ||
| URL: 'npipe:////./pipe/docker_engine', |
There was a problem hiding this comment.
same here, keep it empty and use default in Go server side?
|
@deviantony @StefanScherer ready for review |
StefanScherer
left a comment
There was a problem hiding this comment.
Awesome. Will test this later today.
Do we need a version check or notice when someone tries this on current Windows OS?
| </p> | ||
| <p class="text-primary"> | ||
| Please ensure that you have started the Portainer container with the following Docker flag <code>-v "/var/run/docker.sock:/var/run/docker.sock"</code> in order to connect to the local Docker environment. | ||
| Please ensure that you have started the Portainer container with the following Docker flag <code>-v /var/run/docker.sock:/var/run/docker.sock</code> (MacOS/Linux) or <code>-v \\.\pipe\docker_engine:\\.\pipe\docker_engine</code> (Native Windows containers) in order to connect to the local Docker environment. |
There was a problem hiding this comment.
I suggest to remove MacOS and instead only mention Linux containers.
I'm working from a Mac to start Portainer on a Windows Docker host as well.
This reminds me of LCOW, let's see what combinations we can use there? 🤓
There was a problem hiding this comment.
~For now, I'd rather not see the information message for the Windows platform. As this feature is not available yet for Windows container, it may confuse our current Windows users.
I'd go for merging the support of the named pipe, without really being able to use it before the ability to mount the named pipe is released (no changes on the front-end for now).~
EDIT: We'll merge this PR when the ability to mount the named pipe in a container is available.
As @StefanScherer said, I'd rather see the MacOS mention removed as well.
|
I compiled the PR and tested it on Windows.
Then I select local and see the new message with the -v option for Linux and Windows.
Then I sometimes saw error messages that the local connection couldn't be established, so I pressed again. In this case only the dashboard shows an error:
It seems that the dashboard directly communicates with the local connection? When I open the endpoints I see the primary (from the -H option) and the connection I had to select before seeing the dashboard.
So maybe the named pipe is not available directly after starting the container and portainer.exe is accessing it too early? I'll try more in a different Azure VM. |
There was a problem hiding this comment.
Good work !
Two things here:
-
Regarding the API, please see my comment about introducing a
Localfield in thepostEndpointsRequeststruct -
Regarding the front-end, I would rather not see any change in the
initEndpoint.htmlview yet. The ability to mount the named pipe inside a container is not available yet and this may confuse our Windows users.
EDIT: Disregard my comment regarding the front-end, we can keep this PR open and only merge it when the ability to mount the named pipe in a container is available.
| </p> | ||
| <p class="text-primary"> | ||
| Please ensure that you have started the Portainer container with the following Docker flag <code>-v "/var/run/docker.sock:/var/run/docker.sock"</code> in order to connect to the local Docker environment. | ||
| Please ensure that you have started the Portainer container with the following Docker flag <code>-v /var/run/docker.sock:/var/run/docker.sock</code> (MacOS/Linux) or <code>-v \\.\pipe\docker_engine:\\.\pipe\docker_engine</code> (Native Windows containers) in order to connect to the local Docker environment. |
There was a problem hiding this comment.
~For now, I'd rather not see the information message for the Windows platform. As this feature is not available yet for Windows container, it may confuse our current Windows users.
I'd go for merging the support of the named pipe, without really being able to use it before the ability to mount the named pipe is released (no changes on the front-end for now).~
EDIT: We'll merge this PR when the ability to mount the named pipe in a container is available.
As @StefanScherer said, I'd rather see the MacOS mention removed as well.
api/http/handler/endpoint.go
Outdated
| type ( | ||
| postEndpointsRequest struct { | ||
| Name string `valid:"required"` | ||
| URL string `valid:"required"` |
There was a problem hiding this comment.
I'd rather introduce a boolean in postEndpointsRequest, something like Local to specify if the creation of the endpoint should rely on the platform check. This field would be required.
I don't really like the fact that the creation of a local endpoint relies on the Name field and an empty URL. Could you update the api/swagger.yaml file as well?
| service.createLocalEndpoint = function(name, URL, TLS, active) { | ||
| var endpoint = { | ||
| Name: 'local', | ||
| URL: 'unix:///var/run/docker.sock', |
There was a problem hiding this comment.
Based on my comment above, the payload for the endpoint creation should contain the new Local field.
This is strange, if you used the EDIT: Could you test again after the rebase? We need to ensure that the npipe error cannot be reproduced. @friism could you rebase on the latest version of the |
24293a7 to
f0f4815
Compare
|
rebased, @StefanScherer feel free to give a whirl. Still need to do the API-related changes |
|
@StefanScherer can I use the latest version of microsoft/nanoserver image? Also, could any of you confirm that the container console feature is working? |
|
@deviantony If you are running Windows Server 2016 (10.0.14393.x) then you cannot run the microsoft/nanoserver:1709 container. To be able to run this you need Windows Server 1709 (10.0.16299.x). The kernel version of host and container must match. Only with Server 1709 + HyperV feature enable you are also able to run older 10.0.14393 images with And yes, the console (cmd.exe into the portainer container as nano has no powershell.exe) works:
Only the xterm.js (right?) shows some window shade effect, but this also happens in older versions. BTW: The next PowersShell 6 beta 9 renames powershell.exe to pwsh.exe. |
|
Thanks! Giving it a look |
|
Here's what I'm getting right now. I had to update to the latest docker/dockerd.exe from master.dockerproject.org first. Process isolation (default on Windows Server 1709) - works with Is that consistent with what you're seeing @friism and @StefanScherer ? I also double checked that it was being handled by running with
|
|
@PatrickLang I also saw |
So, let's say I would like this to be part of our next Portainer release, what information message would I need to show to the users? Can I still use microsoft/nanoserver:latest or is microsoft/nanoserver:1709 mandatory? If I understand correctly, this feature woud only be available for Windows Server 1709 (10.0.16299.x) users? |
|
@deviantony Yes, microsoft/nanoserver:1709 is mandatory at the moment and will only work on Windows Server 1709 without the HyperV isolation mode.
Maybe this: Please ensure that you have started the Portainer container with the following Docker flag -v /var/run/docker.sock:/var/run/docker.sock (Linux) or -v \.\pipe\docker_engine:\.\pipe\docker_engine (Native Windows Server 1709 containers) in order to connect to the local Docker environment. Maybe there will be a fix for HyperV isolation in the future, then Windows 10 users could use that. I've used the manifest-tool today to provide multi-os-version manifest list to support both Windows versions. This works fine, so the docker engine pulls the image with the matching os.version number. |
|
@StefanScherer would there be any con to use We could also merge this, or keep it open, until it can affect a wider userbase. |
|
@deviantony yes, if you only use I was able to produce a manifest list for multiple Windows OS versions today with Creating a second Windows image for 1709 would work even on an older Windows Docker host. I did that eg. for a curl image with a manifest.yml and these steps in AppVeyor. At least having this PR merged and available with only one Windows image would be better than nothing. But as portainer/portainer was the first best use-case for multi-arch as we just can I'll explain my steps in a blog post soon to get more feedback on that approach. |
|
Well, there is still some work to do before this PR can be merged but I agree with you, it'd be neat to have this feature implemented even if it will be only available to a specific set of users. Ping me when your blog post is ready, I'm keen to add 1709 support :) |
|
@deviantony https://stefanscherer.github.io/poc-build-images-for-1709-without-1709/ 🎃 |
|
We still have no answer in microsoft/go-winio#67 This PR waits for the refactoring to make it work for Linux again, @friism ping me if I should take care of the remaining steps. |
|
that's a great goal! |
|
There is no AF_UNIX support in Docker engine on Windows yet. See moby/moby#36442 for first ideas. Also Golang has to support it first. |
|
npipe support is very theoretical at the moment.
I'm using the dockerd.exe from D4W Edge in a Windows Server 1803 on Azure. With this setup I can run But on Windows 10 there is only hyperv isolation mode and this is not supported for npipe mounts. |
|
@friism, @StefanScherer 18.03.1-ee-1 is out so can we now get forward with this one? |
|
@olljanat named pipes into process isolated containers will work with 18.03.1. use with hyper-v isolated containers requires PRs that landed too late to make it into 18.03.1-ee-1: |
|
@carlfischer1 based on my experience I would not recommend Hyper-V isolation mode for anyone anyway because of much bigger overhead and worse performance. So can we get this one merged so we can start using it on environments which are using process isolation mode? |
|
@olljanat The implementation of this POC relied on the microsoft/go-winio library. We've spotted an issue during our tests which has still not been fixed: microsoft/go-winio#67 I believe that we should wait for an update on this topic before going further. |
|
Closed in favor of #2018 |
I hadn't noticed @StefanScherer had also started this work here: develop...StefanScherer:npipe_support
The current code is ~~~not~~~ working. ~~~It seems like the named-pipe dial doesn't work correctly. I've checked that the right named pipe url is fed in.~~~