Scheduler requirements (kube/container)

ikkeT

The issue

I am testing if I could use Flarum to my needs. I installed it in container, and atm I run it in sort of minikube. I have permanent storage for the container, but it is only attacheable to one container, not many. I have put the whole install to a container. The runtime storage and files are in persistent volume.

Now the question is, does the scheduler need access to runtime files? Or does it get all it needs from DB and redis? Could I spin another flarum container with the same settings file and plugins periodically as kube CronJob, and run the command in there? Or is there something on the runtime directories (storage) that are required by the scheduler?

Flarum information

Flarum 1.8.1

ikke-t/flarum-s2iblob/1.x-ikke/Containerfile
ikke-t/flarumblob/1.x-ikke/composer.json

ctml

I run in Kubernetes as well, and opted to run the scheduler via Kubernetes deployment to avoid any problems with native Kubernetes CronJobs since the scheduler needs to run every minute, which means regular spawning of pods, and since the flarum scheduler is time sensitive it is better (imo) to have a continuous container with the cron implementation inside to avoid potential misses due to unforseen issues (slow image pull, slow scheduling/startup of pod, etc). Below is the Dockerfile I created to build the image used for that deployment.

I still present the assets/storage PVC to it, even though I'm not 100% certain if it needs it just to be safe. I am not using redis either and relying on the queue extension/driver.

# hadolint ignore=DL3007
FROM registry.access.redhat.com/ubi8/ubi-minimal:latest

# hadolint ignore=SC2039
RUN echo -e '[php] \nname=php \nstream=8.0 \nprofiles= \nstate=enabled' > /etc/dnf/modules.d/php.module

# support running as arbitrary user which belogs to the root group
RUN microdnf update -y && microdnf reinstall -y tzdata && ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && \
    microdnf install -y --nodocs \
    php-fpm \
    git \
    libcap \
    php-cli \
    php-gd \
    php-gmp \
    php-intl \
    php-json \
    php-ldap \
    php-mbstring \
    php-mysqlnd \
    php-opcache \
    php-pdo \
    php-xml \
    php-bcmath \
    unzip \
    procps-ng \
    rsync && \
    microdnf clean all

RUN mkdir -p /var/lib/nginx /usr/share/nginx/flarum /var/cache/nginx /run/pids /var/log/php /var/tmp/nginx /usr/local/lib/php && chgrp -R 0 /run/ /var/tmp/ /var/cache/nginx /var/log/ /var/lib/nginx /usr/share/nginx/flarum /usr/local/lib/php && chmod -R g+rwx /var/tmp/ /run/ /var/cache/nginx /var/log/ /var/lib/nginx /usr/share/nginx/flarum /usr/local/lib/php
    
COPY ./php-conf/php.ini /etc/php.ini
COPY ./php-conf/php-fpm.conf /etc/php-fpm.conf
COPY ./php-conf/www.conf /etc/php-fpm.d/www.conf
COPY ./flarum/ /usr/share/nginx/flarum 
COPY ./worker/entrypoint.sh /
COPY ./worker/scheduler.cron /
  

# Latest releases available at https://github.com/aptible/supercronic/releases
ENV SUPERCRONIC_URL=https://github.com/aptible/supercronic/releases/download/v0.2.27/supercronic-linux-amd64 \
    SUPERCRONIC=supercronic-linux-amd64 \
    SUPERCRONIC_SHA1SUM=7dadd4ac827e7bd60b386414dfefc898ae5b6c63

RUN curl -fsSLO "$SUPERCRONIC_URL" \
 && echo "${SUPERCRONIC_SHA1SUM}  ${SUPERCRONIC}" | sha1sum -c - \
 && chmod +x "$SUPERCRONIC" \
 && mv "$SUPERCRONIC" "/usr/local/bin/${SUPERCRONIC}" \
 && ln -s "/usr/local/bin/${SUPERCRONIC}" /usr/local/bin/supercronic \ 
 && chmod g+rx /entrypoint.sh /scheduler.cron

WORKDIR /usr/share/nginx/flarum

ENTRYPOINT ["/entrypoint.sh"]
CMD ["--worker-type=queue"]

ikkeT

Thanks, I will check the supercronic, it's new to me. I was lazyer and just used the php image from redhat catalog. I still keep this open in case someone knew the answer to filesystem access requirent.

ikkeT

@ctml is your above stuff in some public place like git? I'd be curious to see the php and nginx confs. Specificly what do you have in entrypoint to get scheduler going? Just something like superchronic /scheduler.cron & nginx ... or how do you start them?

Perhaps it eould make sense to go for ubi-minimal myself too if we start using the forum. For comparison, mine is here: ikke-t/flarum-s2i

ctml

ikkeT no sorry, I don't have this published publicly but perhaps I'll throw something up and update this post later on. The entrypoint is defined in the Dockerfile itself which I now realize is a script I made and you'd need that so here it is! Again though, I'm using the queue extension and not redis but works just fine for me so you will need to adapt for redis if you go that path.

Originally I used the single image to invoke either the scheduler, or queue directly and ran them both (before Queue supported being invoked by scheduler) so now the worker type should only be scheduler in your Kubernetes deployment container args.

kind: Deployment
...
spec:
...
          args:
            - '--worker-type=scheduler'

entrypoint.sh

#!/bin/bash

VALID_ARGS=$(getopt -o w:q:s: --long worker-type:,queue-memory:,queue-sleep:,queue-tries: -- "$@")
if [[ $? -ne 0 ]]; then
    exit 1;
fi

eval set -- "$VALID_ARGS"
ARG_WORKER_TYPE=""
ARG_QUEUE_MEMORY=256
ARG_QUEUE_SLEEP=10
ARG_QUEUE_TRIES=3

while [ : ]; do
  case "$1" in
    -w | --worker-type)
        ARG_WORKER_TYPE=$2
        echo "argument 'worker-type' set to '$ARG_WORKER_TYPE'"
        shift 2
        ;;
    -m | --queue-memory)
        ARG_QUEUE_MEMORY=$2
        echo "argument 'queue-memory' set to '$ARG_QUEUE_MEMORY'"
        shift 2
        ;;
    -s | --queue-sleep)
        ARG_QUEUE_SLEEP=$2
        echo "argument 'queue-sleep' set to '$ARG_QUEUE_SLEEP'"
        shift 2
        ;;
    -t | --queue-tries)
        ARG_QUEUE_TRIES=$2
        echo "argument 'queue-tries' set to '$ARG_QUEUE_TRIES'"
        shift 2
        ;;
    --) shift; 
        break 
        ;;
  esac
done


case "$ARG_WORKER_TYPE" in
    queue)
        echo "starting flarum queue"
        php /usr/share/nginx/flarum/flarum queue:work --sleep=$ARG_QUEUE_SLEEP --tries=$ARG_QUEUE_TRIES --memory=$ARG_QUEUE_MEMORY
        ;;
    scheduler)
        echo "starting flarum scheduler via supercronic"
        supercronic /scheduler.cron
        ;;
    *)
        echo "worker type must be set"
        sleep 10
        exit 1
    break 
    ;;
esac

scheduler.cron

*/1 * * * * cd /usr/share/nginx/flarum && php flarum schedule:run >> /dev/null 2>&1

nginx.conf

# /etc/nginx/nginx.conf

#user nginx;
pid /var/run/pids/nginx.pid;

# Set number of worker processes automatically based on number of CPU cores.
worker_processes 1;



# Configures default error logger.
error_log /dev/stdout warn;

# Includes files with directives to load dynamic modules.
include /etc/nginx/modules/*.conf;


events {
        # The maximum number of simultaneous connections that can be opened by
        # a worker process.
        worker_connections 10000;
	
	multi_accept on;

    	# Preferred connection method for newer linux versions.
    	# Essential for linux, optmized to serve many clients with each thread.
    	#
    	use epoll;
}


worker_rlimit_nofile 102400;

http {
        # Includes mapping of file name extensions to MIME types of responses
        # and defines the default type.
        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        # Name servers used to resolve names of upstream servers into addresses.
        # It's also needed when using tcpsocket and udpsocket in Lua modules.
        #resolver 208.67.222.222 208.67.220.220;

        # Don't tell nginx version to clients.
        server_tokens off;

        # Specifies the maximum accepted body size of a client request, as
        # indicated by the request header Content-Length. If the stated content
        # length is greater than this size, then the client receives the HTTP
        # error code 413. Set to 0 to disable.
        client_max_body_size 200m;

        # proxy timeout - php
        #proxy_connect_timeout  660s;
        proxy_send_timeout  600s;
        proxy_read_timeout  600s;
        fastcgi_send_timeout 600s;
        fastcgi_read_timeout 600s;
        #uwsgi_read_timeout 660s;
        #uwsgi_connect_timeout 660s;

        #fastcgi_buffers 16 16k;
        #fastcgi_buffer_size 32k;
        #proxy_buffer_size   128k;
        #proxy_buffers   4 256k;
        #proxy_busy_buffers_size   256k;

	proxy_http_version 1.1;
	proxy_set_header Connection "";
	# Cache
    	fastcgi_cache_path /dev/shm levels=1:2 keys_zone=ocp:16m inactive=60m max_size=256m;
    	fastcgi_cache_key "$scheme$request_method$host$request_uri$query_string";

                # Timeout for keep-alive connections. Server will close connections after
        # this time.
        keepalive_timeout 300;
        keepalive_requests 500;

        # Sendfile copies data between one FD and other from within the kernel,
        # which is more efficient than read() + write().
        sendfile on;

        # Don't buffer data-sends (disable Nagle algorithm).
        # Good for sending frequent small bursts of data in real time.
        tcp_nodelay on;

        # Causes nginx to attempt to send its HTTP response head in one packet,
        # instead of using partial frames.
        tcp_nopush on;


        # Path of the file with Diffie-Hellman parameters for EDH ciphers.
        #ssl_dhparam /etc/ssl/nginx/dh2048.pem;

        # Specifies that our cipher suits should be preferred over client ciphers.
        ssl_prefer_server_ciphers on;

        # Enables a shared SSL cache with size that can hold around 8000 sessions.
        ssl_session_cache shared:SSL:2m;


	# Compression
    	# Enable Gzip compressed.
    	gzip on;

    	# Enable compression both for HTTP/1.0 and HTTP/1.1.
    	gzip_http_version  1.1;

    	# Compression level (1-9).
    	# 5 is a perfect compromise between size and cpu usage, offering about
    	# 75% reduction for most ascii files (almost identical to level 9).
    	gzip_comp_level    5;

    	# Don't compress anything that's already small and unlikely to shrink much
    	# if at all (the default is 20 bytes, which is bad as that usually leads to
    	# larger files after gzipping).
    	gzip_min_length    256;

    	# Compress data even for clients that are connecting to us via proxies,
    	# identified by the "Via" header (required for CloudFront).
    	gzip_proxied       any;

    	# Tell proxies to cache both the gzipped and regular version of a resource
    	# whenever the client's Accept-Encoding capabilities header varies;
    	# Avoids the issue where a non-gzip capable client (which is extremely rare
    	# today) would display gibberish if their proxy gave them the gzipped version.
    	gzip_vary          on;

    	# Compress all output labeled with one of the following MIME-types.
    	gzip_types
      	application/atom+xml
      	application/javascript
      	application/json
      	application/rss+xml
      	application/vnd.ms-fontobject
      	application/x-font-ttf
      	application/x-web-app-manifest+json
      	application/xhtml+xml
      	application/xml
      	font/opentype
      	image/svg+xml
      	image/x-icon
      	text/css
      	text/plain
      	text/x-component;
      	# text/html is always compressed by HttpGzipModule

        # Specifies the main log format.
        log_format main '$remote_addr - "$http_x_forwarded_for" - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent"';

        # Sets the path, format, and configuration for a buffered log write.
        access_log /dev/stdout main;


        # Includes virtual hosts configs.
        include /etc/nginx/conf.d/*.conf;
}

flarum.conf (nginx)

server {
    #proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;
    
    client_max_body_size 500M;
    client_body_timeout 120s;
    listen 8080 ssl http2;
## modify to your liking based on your host
    server_name   community.*;

## modify based on your certificate
    ssl_certificate  /etc/ssl/certs/tls.crt;
    ssl_certificate_key  /etc/ssl/certs/tls.key;
    
    client_body_temp_path /var/tmp/nginx/client_temp 1 2;
    proxy_temp_path /var/tmp/nginx/proxy_temp 1 2;
    fastcgi_temp_path /var/tmp/nginx/fastcgi_temp 1 2;
    uwsgi_temp_path /var/tmp/nginx/uwsgi_temp 1 2;
    scgi_temp_path /var/tmp/nginx/scgi_temp 1 2;

    # prevent redirect to listening port in URI
    port_in_redirect off;
    index index.php;
    root /usr/share/nginx/flarum/public;
    
    # Uncomment the following lines if you are not using a `public` directory
    # to prevent sensitive resources from being exposed.
    # location ~* ^/(\.git|composer\.(json|lock)|auth\.json|config\.php|flarum|storage|vendor) {
    #   deny all;
    #   return 404;
    # }

    # Pass requests that don't refer directly to files in the filesystem to index.php
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    
    # The following directives are based on best practices from H5BP Nginx Server Configs
    # https://github.com/h5bp/server-configs-nginx

    # Expire rules for static content
    location ~* \.(?:manifest|appcache|html?|xml|json)$ {
        add_header Cache-Control "max-age=0";
    }

    location ~* \.(?:rss|atom)$ {
        add_header Cache-Control "max-age=3600";
    }

    location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ {
        add_header Cache-Control "max-age=2592000";
        access_log off;
    }

    location ~* \.(?:css|js)$ {
        add_header Cache-Control "max-age=31536000";
        access_log off;
    }

    location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ {
        add_header "Access-Control-Allow-Origin" "*";
        add_header Cache-Control "max-age=2592000";
        access_log off;
    }

    location ~ \.php$ {
        # add fastcgi_pass line here, depending if you use socket or port
        include fastcgi_params;
        fastcgi_read_timeout 660s;
        fastcgi_pass unix:/var/run/php-fpm.sock;
        fastcgi_param REMOTE_ADDR $remote_addr;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
    }
}

ikkeT

ctml thanks again, I'll take a look and test around a bit.

Still qurious to hear if someone knows if storage needs to be shared for scheduler..

ikkeT

I tested this now. I can run the scheduler with the supercronic. I don't seem to have anything that uses cron yet, but it runs with succeeded return code. This was without shared storage. Then I tried moving storage from ReadWriteIOnce to ReadWrite many by rsyncing the flarum storage and public/assets stuff into NFS, and creating NFS mount with RWX storage.

Flarum now fails to start as it doesn't have permissions to some storage/sessions files. Have you gone around this? As OpenShift makes random uid on each start for the pod, and trusts group permissions are properly set to root, I see there are some sessions where group doesn't have at least write bits set. It's probably along such.

I could of course just nail down the uid for flarum, but I'd rather get it to work properly. Did you fix this somehow?

My Containerfile and entrypoint are now modified.

ikkeT

I need to dig into this a bit more for sharing the FS. It seems this s2i image don't follow the standard group permission scheme like normally in openshift:

-rw-r--r--.  1 1000190000 1000190000    118 Jul  4 16:42 zl30YY
-rw-rw-r--.  1 1000190000 1000190000    118 Jul  4 15:13 zoYNg
``