Recommendations for running Buildah in a container

What is the benefit of splitting container runtime work into separate tools? In particular, these tools can then be combined so that they protect one another.


Many people are attracted by the idea of building OCI container images inside Kubernetes or something similar. Say we have a CI/CD system that constantly assembles images; then something like Red Hat OpenShift/Kubernetes would be very useful for balancing the load during builds. Until recently, most people simply gave containers access to the Docker socket and let them run docker build. Several years ago we showed that this is extremely insecure; in fact, it is worse than handing out the root password or sudo.

That is why people keep trying to run Buildah inside a container. In short, we have put together an example of how, in our opinion, it is best to run Buildah in a container, and published the corresponding images at quay.io/buildah. Let's get started...

Setup

These images are built from Dockerfiles, which can be found in the Buildah repository in the build folder. Here we will look at the stable version of the Dockerfile.

# stable/Dockerfile
#
# Build a Buildah container image from the latest
# stable version of Buildah on the Fedoras Updates System.
# https://bodhi.fedoraproject.org/updates/?search=buildah
# This image can be used to create a secured container
# that runs safely with privileges within the container.
#
FROM fedora:latest

# Don't include container-selinux and remove
# directories used by dnf that are just taking
# up space.
RUN yum -y install buildah fuse-overlayfs --exclude container-selinux; rm -rf /var/cache /var/log/dnf* /var/log/yum.*

# Adjust storage.conf to enable Fuse storage.
RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf

Instead of OverlayFS, which is implemented at the Linux kernel level, we use the fuse-overlay program inside the container, because currently OverlayFS can only be mounted if it is granted the SYS_ADMIN Linux capability. And we want to run Buildah containers without any root privileges. Fuse-overlay works fairly fast and performs better than the VFS storage driver. Note that when running a Buildah container that uses Fuse, you must provide the /dev/fuse device.

podman run --device /dev/fuse quay.io/buildahctr ...

RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock

Next we create the directory for additional stores. containers/storage supports the concept of attaching additional read-only image stores. For example, you can set up an overlay store on one machine, then use NFS to mount that store on another machine and use images from it without downloading them via pull. We need this store so that we can attach an image store from the host as a volume and use it inside the container.

# Set up environment variables to note that this is
# not starting with user namespace and default to
# isolate the filesystem with chroot.
ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot

Finally, using the BUILDAH_ISOLATION environment variable, we tell the Buildah container to run with chroot isolation by default. No additional isolation is needed here, since we are already running inside a container. For Buildah to create its own namespace-separated containers, the SYS_ADMIN capability would be required, which in turn would require relaxing the container's SELinux and SECCOMP rules; that contradicts our preference for building from a locked-down container.

Running Buildah in a container

The Buildah container image discussed above allows flexibility in how such containers are launched.

Speed and security

Computer security is always a trade-off between the speed of a process and the amount of protection wrapped around it. This statement also holds when building containers, so below we consider options for such a compromise.

The container image discussed above keeps its storage in /var/lib/containers. So we need to mount something into this folder, and how we do that will affect the speed of building container images.

Let's consider three options.

Option 1. If maximum security is required, then for each container you can create its own folder for containers/images and attach it to the container via a volume mount. In addition, place the context directory inside the container itself, in the /build folder:

# mkdir /var/lib/containers1
# podman run -v ./build:/build:z -v /var/lib/containers1:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image1 /build
# podman run -v /var/lib/containers1:/var/lib/containers:Z quay.io/buildah/stable buildah push image1 registry.company.com/myuser
# rm -rf /var/lib/containers1

Security. Buildah running in such a container has maximum security: it is not granted any root privileges through capabilities, and all SECCOMP and SELinux restrictions apply to it. 0:100000.

Performance. But performance here is minimal, since every image from the container registry is copied to the host every time, and caching does not work at all. When it finishes, the Buildah container must push the image to the registry and destroy the contents on the host. The next time the container image is built, it will be downloaded from the registry again, since by then nothing will be left on the host.

Option 2. If you need Docker-level performance, you can mount the host's containers/storage directly into the container.

# podman run -v ./build:/build:z -v /var/lib/containers:/var/lib/containers --security-opt label=disable quay.io/buildah/stable buildah bud -t image2 /build
# podman run -v /var/lib/containers:/var/lib/containers --security-opt label=disable quay.io/buildah/stable buildah push image2 registry.company.com/myuser

Security. This is the least secure way to build containers because it allows the container to modify the host's storage and could potentially feed Podman or CRI-O a malicious image. In addition, you will need to disable SELinux separation so that processes in the Buildah container can interact with storage on the host. Note that this option is still better than the Docker socket because the container is locked down by other security features and cannot simply run a container on the host.

Performance. Here it is maximal, since caching is fully used. If Podman or CRI-O have already downloaded the required image to the host, the Buildah process in the container will not download it again, and subsequent builds based on that image can take what they need from the cache.

Option 3. The idea of this approach is to group several images into one project with a common folder for container images.

# mkdir /var/lib/project3
# podman run --security-opt label=level:s0:c100,c200 -v ./build:/build:z -v /var/lib/project3:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image3 /build
# podman run --security-opt label=level:s0:c100,c200 -v /var/lib/project3:/var/lib/containers quay.io/buildah/stable buildah push image3 registry.company.com/myuser

In this example, we do not delete the project folder (/var/lib/project3) between runs, so all subsequent builds in the project benefit from caching.

Security. Something between options 1 and 2. On the one hand, the containers have no access to the host's content and therefore cannot slip anything bad into the Podman/CRI-O image store. On the other hand, within their project, containers can interfere with each other's builds.

Performance. Worse here than with a cache shared at the host level, since you cannot use images already downloaded by Podman/CRI-O. However, once Buildah has downloaded an image, it can be used in any subsequent build within the project.

Additional stores

containers/storage has a neat feature called additional stores, thanks to which container engines can use external image stores in read-only mode when launching and building containers. Essentially, you can add one or more read-only stores to the storage.conf file so that when you start a container, the container engine looks for the desired image in them first. It will download the image from the registry only if it is not found in those stores. The container engine can only write to its writable store...

If you scroll back and look at the Dockerfile we use to build the quay.io/buildah/stable image, there are lines like these:

# Adjust storage.conf to enable Fuse storage.
RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf
RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock

In the first line, we modify /etc/containers/storage.conf in the container image, telling the storage driver to use "additionalimagestores" in the /var/lib/shared folder. In the next line we create that shared folder and add two lock files so that containers/storage does not complain. Essentially, we are simply creating an empty image store.

If you mount a containers/storage on top of this folder, Buildah will be able to use its images.
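As an added example (not code from the original article or from the Buildah project), the following script performs the same two steps on a directory and a storage.conf of your choosing, then verifies the result. It assumes GNU sed (the Dockerfile's `-i` and one-line `a` forms) and a storage.conf in the stock layout, with a commented `#mount_program` line and an `additionalimagestores = [` list; the sample configuration written by `write_sample_conf` is constructed for the demo and is not a real host file.

```shell
#!/bin/sh
# Added example, not from the original article or the Buildah project.
# Creates an empty read-only additional image store and registers it in a
# storage.conf, then checks that both steps took effect.
set -eu

# Layout that containers/storage expects for an (empty) additional store:
# the two subdirectories plus the lock files that keep it from complaining.
prepare_additional_store() {
    store="$1"
    mkdir -p "$store/overlay-images" "$store/overlay-layers"
    touch "$store/overlay-images/images.lock" "$store/overlay-layers/layers.lock"
}

# Same edit the Dockerfile applies to /etc/containers/storage.conf: enable the
# fuse-overlayfs mount_program and append STORE to additionalimagestores.
enable_additional_store() {
    conf="$1"
    store="$2"
    sed -i -e 's|^#mount_program|mount_program|g' \
           -e "/additionalimage.*/a \"$store\"," "$conf"
}

# Returns 0 when the store is laid out and registered in CONF, 1 otherwise.
check_additional_store() {
    conf="$1"
    store="$2"
    [ -f "$store/overlay-images/images.lock" ] || return 1
    [ -f "$store/overlay-layers/layers.lock" ] || return 1
    grep -q '^mount_program' "$conf" || return 1
    grep -q "\"$store\"," "$conf" || return 1
}

# Constructed sample of the relevant storage.conf stanzas (assumed layout,
# matching the commented mount_program line the Dockerfile's sed targets).
write_sample_conf() {
    cat > "$1" <<'EOF'
[storage]
driver = "overlay"

[storage.options]
additionalimagestores = [
]

[storage.options.overlay]
#mount_program = "/usr/bin/fuse-overlayfs"
EOF
}

# Usage: sh additional_store.sh /path/to/storage.conf /path/to/shared
if [ $# -eq 2 ]; then
    prepare_additional_store "$2"
    enable_additional_store "$1" "$2"
    if check_additional_store "$1" "$2"; then
        echo "additional store $2 registered in $1"
    fi
fi
```

Run it against a copy of your storage.conf first: the `a` command appends the store path after every line matching `additionalimage`, so a file with several such lines would get several entries, which the check function would not flag.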

Now let's return to Option 2 discussed above, where the Buildah container can read and write the host's containers/storage and accordingly has maximum performance thanks to image caching at the Podman/CRI-O level, but offers minimum security, since it can write directly to that storage. Now let's add an additional store here and get the best of both worlds.

# mkdir /var/lib/containers4
# podman run -v ./build:/build:z -v /var/lib/containers/storage:/var/lib/shared:ro -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image4 /build
# podman run -v /var/lib/containers/storage:/var/lib/shared:ro -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable buildah push image4 registry.company.com/myuser
# rm -rf /var/lib/containers4

Note that the host's /var/lib/containers/storage is mounted at /var/lib/shared inside the container in read-only mode. Therefore, working inside the container, Buildah can use any images previously downloaded by Podman/CRI-O (hello, speed), but can only write to its own storage (hello, security). Also note that this is done without disabling SELinux separation for the container.
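To make the four storage strategies easy to compare side by side, here is an added example (not code from the original article or from the Buildah project): a small wrapper that assembles the podman command line for each strategy so the security-relevant flags (read-only mounts, `:Z` relabeling, SELinux label separation) can be reviewed before anything runs. It assumes the quay.io/buildah/stable image from the article, a build context directory supplied by the caller, and a host store directory of the caller's choosing; the commands are only printed unless RUN_PODMAN=1 is set.

```shell
#!/bin/sh
# Added example, not from the original article or the Buildah project.
# Builds the podman invocation for each storage strategy discussed above.
set -eu

BUILDAH_IMAGE="quay.io/buildah/stable"

# Volume and security options for one strategy. STORE is the host directory
# that becomes the container's /var/lib/containers; LEVEL is the MCS level
# shared by all builds of one project (used only by "project").
storage_args() {
    mode="$1"; store="$2"; level="${3:-s0:c100,c200}"
    case "$mode" in
        # Option 1: throw-away per-build store, full SELinux/seccomp confinement.
        isolated)   echo "-v $store:/var/lib/containers:Z" ;;
        # Option 2: host containers/storage mounted read-write; label separation
        # has to be switched off so the container can write to the host store.
        shared)     echo "-v /var/lib/containers:/var/lib/containers --security-opt label=disable" ;;
        # Option 3: one store per project; builds of the project share an MCS level.
        project)    echo "--security-opt label=level:$level -v $store:/var/lib/containers:Z" ;;
        # Option 2 revisited: private writable store plus the host store mounted
        # read-only as an additional image store; label separation stays on.
        additional) echo "-v /var/lib/containers/storage:/var/lib/shared:ro -v $store:/var/lib/containers:Z" ;;
        *)          echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Full command line for building CONTEXT into TAG with the given strategy.
# --device /dev/fuse is needed because the image uses fuse-overlayfs.
build_command() {
    mode="$1"; store="$2"; tag="$3"; context="$4"
    echo "podman run --device /dev/fuse $(storage_args "$mode" "$store") -v $context:/build:z $BUILDAH_IMAGE buildah bud -t $tag /build"
}

# Full command line for pushing TAG out of the same store to REGISTRY.
push_command() {
    mode="$1"; store="$2"; tag="$3"; registry="$4"
    echo "podman run $(storage_args "$mode" "$store") $BUILDAH_IMAGE buildah push $tag $registry"
}

# Returns 0 when the strategy gives the container write access to the host's
# own image store, i.e. when it could feed Podman/CRI-O a tampered image.
can_write_host_store() {
    case "$(storage_args "$1" /dev/null)" in
        *"-v /var/lib/containers:/var/lib/containers "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print (or, with RUN_PODMAN=1, execute) the build and push for one strategy.
run_build() {
    mode="$1"; store="$2"; tag="$3"; context="$4"; registry="$5"
    build="$(build_command "$mode" "$store" "$tag" "$context")"
    push="$(push_command "$mode" "$store" "$tag" "$registry")"
    if [ "${RUN_PODMAN:-0}" = 1 ]; then
        mkdir -p "$store"
        eval "$build"
        eval "$push"
        # Option 1 throws its store away after every build.
        if [ "$mode" = isolated ]; then rm -rf "$store"; fi
    else
        echo "$build"
        echo "$push"
    fi
}

# Usage: sh buildah_modes.sh MODE STORE TAG CONTEXT REGISTRY
if [ $# -eq 5 ]; then
    run_build "$@"
fi
```

`can_write_host_store` is the one-line review check worth keeping: only the `shared` strategy mounts the host's containers/storage read-write, and it is also the only one that has to pass `label=disable`; the `additional` strategy gets the same cache hits with the host store mounted `:ro` and labels left on.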

An important nuance

Under no circumstances should you delete any images from the underlying store. Otherwise the Buildah container may crash.

And that is not all the benefits

The possibilities of additional stores are not limited to the scenario above. For example, you can put all container images on shared network storage and give all Buildah containers access to it. Say we have hundreds of images that our CI/CD system constantly uses to build container images. We concentrate all these images on a single storage host and then, using our preferred network storage tooling (NFS, Gluster, Ceph, iSCSI, S3...), open shared access to that storage for all Buildah or Kubernetes nodes.

Now it is enough to mount this network storage into the Buildah container at /var/lib/shared, and that's it: Buildah containers no longer download images via pull at all. So we eliminate the pre-population time and are immediately ready to roll out containers.

And of course, this can be used in a live Kubernetes installation or container infrastructure to launch and run containers anywhere without pulling any images at all. Moreover, a container registry that receives a push request to upload a new image can send that image directly to the shared network storage, where it instantly becomes available to all nodes.

Container images can sometimes be several gigabytes in size. The additional stores feature lets you avoid cloning such images across nodes and makes launching containers almost instantaneous.

In addition, we are currently working on a new feature called overlay volume mounts, which will make container builds even faster.

Conclusion

Running Buildah in a container in Kubernetes/CRI-O, Podman, or even Docker is possible, simple, and much safer than using docker.socket. We have made working with the images more flexible, so you can run them in different ways to tune the balance between security and performance.

The additional stores feature lets you speed up, or even completely eliminate, the downloading of images to nodes.

source: www.habr.com
