Using Diego To Schedule One-Off Tasks In Cloud Foundry

June 4, 2015 Andrew Bruce

sfeatured-cloud-foundry Diego, Cloud Foundry’s new runtime, is shaping up to be a versatile tool for a variety of applications beyond its original purpose as the next-generation Cloud Foundry runtime. Lattice, for instance, incorporates Diego to enable deployment of containerized applications across a cluster of machines. In its Vagrant virtual machine form, Lattice is very useful for experimenting with Diego’s features on your local machine without the overhead of deploying Cloud Foundry.

One-off tasks have been difficult to incorporate into an application running on Cloud Foundry for some time (see the hoops you need to jump through to get Rails migrations to run, for example). To solve this problem, Diego’s design incorporates Tasks as first-class citizens. Tasks aren’t yet first-class citizens in Lattice, as the support in the ltc command line isn’t ready. However, you may use Diego’s Receptor API for the purpose of scheduling Tasks.

How To Fail Like Me

As part of some research into this new Tasks capability, I attempted to schedule a simple Ruby app as a Task. I soon ran into a ‘Permission denied’ exception when Bundler tried to install gems. I could reproduce it like this:

Make a Dockerfile that copies an app into a directory and runs ‘bundle install’.
Build the Docker image and push it to Docker Hub.
Make a JSON task payload to send to Diego’s REST API. Set the ‘rootfs’ property to the URL of the image pushed in the previous step. Set the ‘action>run>path’ property to a script that also runs ‘bundle install’.
Start watching the logs for the GUID specified in the JSON:
ltc logs task1
Send the task to Diego via its REST API using curl:
curl -X POST http://192.168.11.11:8888/v1/tasks -d@task-payload.json
The Permission denied exception appears in the watched logs.

You can see an example of this on GitHub.

I’d made a silly mistake: bundling once in the Dockerfile and again in the script. But bundling twice isn’t a million miles away from a real-world requirement: it might be expedient to run Tasks on a root filesystem with a base set of gems, and refresh those gems when a task is run, just in case bug fixes are available.

Solving The Problem

The Dockerfile in this example creates everything as the root user. It’s not good practice to run Bundler as root, and Bundler will tell you this much if you build the Dockerfile yourself:


bundleinstall$ docker build .
Sending build context to Docker daemon 121.3 kB
Sending build context to Docker daemon
Step 0 : FROM ruby:2.2.1-wheezy
---> 89a773167e29
Step 1 : ADD . /app
---> 54f76e9e60d4
Removing intermediate container 8e9651e8672a
Step 2 : WORKDIR /app
---> Running in 52a9c2a29812
---> 4b00258de138
Removing intermediate container 52a9c2a29812
Step 3 : RUN bundle install
---> Running in 2f9a2fb270e1
Don't run Bundler as root. Bundler can ask for sudo if it is needed, and installing your bundle as root will break this application for all non-root users on this machine.
The Gemfile specifies no dependencies
Resolving dependencies...
Bundle complete! 0 Gemfile dependencies, 1 gem now installed.
Bundled gems are installed into /usr/local/bundle.

(and so on)

Fixing this problem is straightforward in our case. Docker images specified as a rootfs of an LRP or Task are, by default, run as an unprivileged user called ‘vcap’ (an artifact of our VMware heritage: VMware Cloud Application Platform). Therefore, if your Docker image contains files owned by root and your executable expects to be able to modify those files, as running Bundler will do, you’ll run into permission denied errors unless you’ve explicitly set those files’ permissions appropriately.

So, how would we set permissions appropriately in order to prime our gems in the Docker image, allowing a later bundle install on the resulting container to refresh them? The answer is, for the time being, to allow write access to the app directory for all users, and to run Bundler as an unprivileged user inside the Dockerfile when installing gems for the first time.

You can see the modified Dockerfile in the fixed branch.

Note that the USER instruction will not have an effect on the running container, but only on the built image. As explained in the issue encountered by another user, Garden (the container management technology we’re developing) currently ignores USER metadata set in Dockerfiles, and always runs the container as ‘vcap’.

Further Cloud Foundry On Docker Reading

About the Author

Biography

Use Balanced Teams to Suck Less at Software

Your Time is Expensive, Your Machine’s Time is Not

Revisiting the rule of economy

Using Diego To Schedule One-Off Tasks In Cloud Foundry

How To Fail Like Me

Solving The Problem

Further Cloud Foundry On Docker Reading

About the Author

Previous

Next

Using Diego To Schedule One-Off Tasks In Cloud Foundry

How To Fail Like Me

Solving The Problem

Further Cloud Foundry On Docker Reading

About the Author

Previous

Next

Related content in this Stream

Introducing VMWare Tanzu Data Hub, a self-managed Database as a Service (DBaaS) Platform, providing enterprises a way to host their internal DBaaS offering for internal business users.

In the cloud-native landscape, MCAs drive seamless compliance integration. Their expertise ensures proactive security measures align with regulatory standards for sustained innovation & collaboration.

Tanzu Application Platform brings innovation faster with more frequent feature updates. With 1.9, take advantage of enhanced DORA metrics visibility and improved compliance options for companies.

We’re excited to share some great news! Spring Academy Pro content is now free. It will be available to everyone who registers a work, vocational, or educational email address.

March 28, 2024, marks the official minor release date of Spring Cloud Gateway for K8s version 2.2, and it's set to optimize how developers protect access to their GraphQL services.

We are excited to announce that VMware Tanzu Application Service 6.0 is now generally available!

Get a clear picture of your OSS supply chain, and the risks you face from your open source software dependencies, using the all-new Tanzu OSS Health Assessment.

Trivy can now utilize CSAF VEX data to filter out false positives in CVE reports, maximizing the value of VEX documents in VMware Tanzu Application Catalog.

Bitnami-packaged open source software container images available in DockerHub are now signed by Notation, an implementation of the Notary Project specifications and a CNCF-incubating project.

There’s never been a better time to be a Java and Spring developer! Let me show you why with a sneak peak into JD Conference 2024.

If you're into FinOps, you've probably heard of FOCUS. Introducing our FOCUS FlexReports template for AWS, Azure, and GCP. Turn your cloud bills into FOCUS-compliant reports in minutes!

The latest Spring Boot simplifies infrastructure setup with Docker Compose. Now, supporting Bitnami images, it opens new possibilities for developers. Exciting times ahead!

Shape the future of Spring! Participate in the State of Spring Survey 2024. Share insights, collaborate with the community, and drive innovation.

Extend Apache Tomcat support with Tanzu Spring Runtime. Seamless transition, enhanced security, and uninterrupted workflow for Java applications.

Welcome to another edition of What’s new with Tanzu Application Catalog. This is a quarterly round up of all things related to Tanzu Application Catalog.

As we stand at the threshold of a new era in data management, Greenplum continues to lead the industry with its commitment to innovation.

Experience enhanced security with Tanzu Application Platform. Elevate your organization's defenses from code to build with SLSA Level 3, image scanning scheduling & automatic upgrades for new patches.

Explore Spring's exceptional NPS score of 75, surpassing industry benchmarks by 18%. Discover why it matters.