Best practices for running Buildah in a container

What is the point of splitting the container runtime into separate tool components? Above all, these tools can then be combined so that each one protects the others.


Many people like the idea of building OCI container images inside Kubernetes or a similar system. Say we have a CI/CD pipeline that builds images continuously; then something like Red Hat OpenShift or Kubernetes is very convenient for spreading the build load. Until now, most people simply handed the Docker socket into the container and let it run docker build. We showed years ago that this is extremely insecure; in fact, it is worse than handing out passwordless root via sudo, because whoever holds the socket can start arbitrary privileged containers on the host.

That is why people keep trying to run Buildah inside a container. In short, we have put together an example of how, in our opinion, Buildah is best run inside a container, and published the corresponding images at quay.io/buildah. Let's get started...

Configuration

These images are built from Dockerfiles that can be found in the Buildah repository, in the buildahimage directory.
Here we will look at the stable version of the Dockerfile.

# stable/Dockerfile
#
# Build a Buildah container image from the latest
# stable version of Buildah on the Fedora Updates System.
# https://bodhi.fedoraproject.org/updates/?search=buildah
# This image can be used to create a secured container
# that runs safely with privileges within the container.
#
FROM fedora:latest

# Don't include container-selinux and remove
# directories used by dnf that are just taking
# up space.
RUN yum -y install buildah fuse-overlayfs --exclude container-selinux; rm -rf /var/cache /var/log/dnf* /var/log/yum.*

# Adjust storage.conf to enable Fuse storage.
RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf

Instead of OverlayFS, which is implemented in the host Linux kernel, we use the fuse-overlayfs program inside the container, because at the moment OverlayFS can only be mounted if you grant the SYS_ADMIN capability. We want to run our Buildah container without root privileges. fuse-overlayfs is reasonably fast and performs much better than the VFS storage driver. Note that when you run a Buildah container that uses FUSE, you have to pass the /dev/fuse device into it:

podman run --device /dev/fuse quay.io/buildah/stable ...

The next line of the Dockerfile creates the directory for an additional store:

RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock

containers/storage supports the concept of attaching additional, read-only image stores. For example, you can set up an overlay store on one machine, then mount that store on another machine over NFS and use the images from it without pulling them. We need this directory so that an image store from the host can be attached to the container as a volume and used inside it.

# Set up environment variables to note that this is
# not starting with user namespace and default to
# isolate the filesystem with chroot.
ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot

Finally, with the BUILDAH_ISOLATION environment variable we tell the Buildah container to use chroot isolation by default. No further isolation is needed here, because we are already running inside a container. For Buildah to create its own namespace-isolated containers it would need the SYS_ADMIN capability, which in turn would mean relaxing the container's SELinux and seccomp rules, and that contradicts our goal of building from a locked-down container.

Running Buildah inside a container

The Buildah container image discussed above lets you vary the way such containers are launched.

Speed versus security

Computer security is always a trade-off between how fast a process runs and how much protection is wrapped around it. This is just as true when building containers, so let's look at the options for that trade-off.

The container image discussed above keeps its store in /var/lib/containers. So we need to mount something into this directory, and how we do that largely determines how fast container images are built.

Let's consider three options.

Option 1. If maximum security is required, create a separate directory for containers/images for each build and attach it to the container as a volume mount. In addition, mount the build context directory into the container, at /build:

# mkdir /var/lib/containers1
# podman run --device /dev/fuse -v ./build:/build:z -v /var/lib/containers1:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image1 /build
# podman run --device /dev/fuse -v /var/lib/containers1:/var/lib/containers:Z quay.io/buildah/stable buildah push image1 registry.company.com/myuser/image1
# rm -rf /var/lib/containers1

Security. A build in such a container is highly secure: it is given no root privileges via capabilities, and all seccomp and SELinux restrictions apply to it. It could even be run in a user namespace, with container UID 0 mapped to an unprivileged host UID range starting at 100000.

Performance. Performance, however, is poor, because nothing is shared with the host's containers/storage and no cache survives between runs. When it finishes, the Buildah container must push the image to the registry, after which its store on the host is destroyed. The next time the image is built, every base image has to be pulled from the registry again, because nothing is left on the host.

Option 2. If you want Docker-level performance, you can mount the host's containers/storage directly into the container.

# podman run --device /dev/fuse -v ./build:/build:z -v /var/lib/containers:/var/lib/containers --security-opt label=disabled quay.io/buildah/stable buildah bud -t image2 /build
# podman run --device /dev/fuse -v /var/lib/containers:/var/lib/containers --security-opt label=disabled quay.io/buildah/stable buildah push image2 registry.company.com/myuser/image2

Security. This is the least secure way to build containers, because the container can modify the host's store and could feed Podman or CRI-O a malicious image. On top of that, you have to disable SELinux separation so that processes inside the Buildah container can touch the store on the host. Note that this option is still better than a Docker socket, because the container remains locked down by the other security features and cannot simply launch a container on the host.

Performance. This is the best performance, since caching is used to the full. If Podman or CRI-O has already pulled the required image onto the host, the Buildah process inside the container does not have to pull it again, and subsequent builds based on that image can take what they need from the cache.

Option 3. The idea of this approach is to group several images into one project with a shared directory for container images.

# mkdir /var/lib/project3
# podman run --device /dev/fuse --security-opt label=level:s0:c100,c200 -v ./build:/build:z -v /var/lib/project3:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image3 /build
# podman run --device /dev/fuse --security-opt label=level:s0:c100,c200 -v /var/lib/project3:/var/lib/containers:Z quay.io/buildah/stable buildah push image3 registry.company.com/myuser/image3

In this case we do not delete the project directory (/var/lib/project3) between runs, so later builds within the project benefit from the cache.

Security. Something in between options 1 and 2. On the one hand, the containers cannot reach content on the host, and so cannot slip a malicious image into the Podman/CRI-O store. On the other hand, by design, one container in the project can tamper with the builds of the others: they share the same store and the same SELinux level (s0:c100,c200), so one compromised build can poison the images the next one starts from.

Performance. Worse than using a host-level cache, since images already pulled by Podman/CRI-O cannot be reused. However, once Buildah has pulled an image, it can be used by later builds within the project.

Additional stores

containers/storage has a nice feature called additional image stores: when starting and building containers, a container engine can use external image stores in read-only mode. In essence, you can add one or more read-only stores to storage.conf, and when you launch a container the engine will look for the required image in them first. It only pulls the image from a registry if it is not found in any of those stores. The engine writes only to its own single writable store.

If you scroll back up to the Dockerfile we use to build the quay.io/buildah/stable image, you will see these lines:

# Adjust storage.conf to enable Fuse storage.
RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf
RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock

In the first line we modify /etc/containers/storage.conf inside the container image, telling the storage driver to use additionalimagestores in the /var/lib/shared directory. In the next line we create that directory and add two lock files so that containers/storage does not complain. In essence we are creating an empty container image store.

If you mount a containers/storage directory on top of this directory, Buildah can use the images in it.
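As an added example, not code from the original article or from the buildahimage repository, here is a small POSIX shell script that applies the two storage.conf edits from the Dockerfile shown above to a constructed sample of /etc/containers/storage.conf, checks that both edits took effect, and lays out the empty additional store with its two lock files the way the RUN mkdir line does. The sample config contents, the function names and the use of a scratch directory instead of /etc and /var/lib are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: exercise the storage.conf edits and the empty additional
# store from the buildahimage Dockerfile against a constructed sample file.
# The sample config, function names and temp paths are assumptions for the
# demonstration; this is not the article's or the project's own code.

# Write a constructed, minimal storage.conf resembling the Fedora default:
# fuse-overlayfs is commented out and additionalimagestores is empty.
write_sample_storage_conf() {
  cat > "$1" <<'EOF'
[storage]
driver = "overlay"
runroot = "/run/containers/storage"
graphroot = "/var/lib/containers/storage"

[storage.options]
additionalimagestores = [
]

[storage.options.overlay]
#mount_program = "/usr/bin/fuse-overlayfs"
EOF
}

# The exact sed edits from the Dockerfile (GNU sed, as on Fedora):
# uncomment mount_program and append /var/lib/shared to additionalimagestores.
configure_storage_conf() {
  sed -i -e 's|^#mount_program|mount_program|g' \
         -e '/additionalimage.*/a "/var/lib/shared",' "$1"
}

# Succeed only if both edits are present in the given storage.conf.
verify_storage_conf() {
  grep -q '^mount_program = "/usr/bin/fuse-overlayfs"' "$1" || return 1
  grep -q '^"/var/lib/shared",$' "$1" || return 1
}

# Create the empty additional store exactly as the Dockerfile does:
# the two subdirectories plus the lock files containers/storage expects.
prepare_shared_store() {
  mkdir -p "$1/overlay-images" "$1/overlay-layers" &&
  touch "$1/overlay-images/images.lock" "$1/overlay-layers/layers.lock"
}

# Succeed only if the store has the layout a read-only additional store needs.
verify_shared_store() {
  [ -f "$1/overlay-images/images.lock" ] && [ -f "$1/overlay-layers/layers.lock" ]
}

# Stand-alone run against a scratch directory instead of /etc and /var/lib.
demo() {
  dir=$(mktemp -d) || return 1
  write_sample_storage_conf "$dir/storage.conf"
  configure_storage_conf "$dir/storage.conf"
  verify_storage_conf "$dir/storage.conf" && prepare_shared_store "$dir/shared" \
    && verify_shared_store "$dir/shared"
  rc=$?
  rm -rf "$dir"
  return $rc
}
```

Run demo to exercise the whole sequence; verify_storage_conf is the check to run against the real /etc/containers/storage.conf inside a built image if you want to confirm that fuse-overlayfs and the additional store are actually enabled.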

Now let's return to option 2, where the Buildah container can read and write the host's containers/storage and therefore gets the best performance thanks to image caching at the Podman/CRI-O level, but offers the least security, because it can write straight into that store. Let's add an additional store and get the best of both worlds.

# mkdir /var/lib/containers4
# podman run --device /dev/fuse -v ./build:/build:z -v /var/lib/containers/storage:/var/lib/shared:ro -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image4 /build
# podman run --device /dev/fuse -v /var/lib/containers/storage:/var/lib/shared:ro -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable buildah push image4 registry.company.com/myuser/image4
# rm -rf /var/lib/containers4

Note that the host's /var/lib/containers/storage is mounted into the container at /var/lib/shared read-only. So, working inside the container, Buildah can use images previously pulled by Podman/CRI-O (hello, speed), but can only write to its own store (hello, security). Also note that this works without disabling SELinux separation for the container.
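To show how the variants above fit together in practice, here is an added example, not code from the original article: a small POSIX shell wrapper around the quay.io/buildah/stable image that implements the last variant (a fresh private store per build, the host's containers/storage attached read-only at /var/lib/shared), plus a policy check that rejects the weaker settings from option 2 (host store mounted writable, SELinux separation disabled) and --privileged. The variable names, the PODMAN override used for a dry run, and the use of mktemp for the private store are assumptions; in production the private store would live under /var/lib as in the commands above.

```shell
#!/bin/sh
# Added example, not the article's own code: wrapper around the
# quay.io/buildah/stable image implementing the "private store plus read-only
# additional store" variant. PODMAN, IMAGE and HOST_STORE are assumptions;
# set PODMAN=echo to print the command lines instead of running them.

IMAGE="${IMAGE:-quay.io/buildah/stable}"
HOST_STORE="${HOST_STORE:-/var/lib/containers/storage}"

# Build: private writable store at $1, build context at $2, tag $3.
# The host store is mounted read-only at /var/lib/shared, so Buildah can read
# images Podman/CRI-O already pulled but cannot write into them.
run_build() {
  "${PODMAN:-podman}" run --rm --device /dev/fuse \
    -v "$2:/build:z" \
    -v "$HOST_STORE:/var/lib/shared:ro" \
    -v "$1:/var/lib/containers:Z" \
    "$IMAGE" buildah bud -t "$3" /build
}

# Push: private store at $1, tag $2, destination $3.
run_push() {
  "${PODMAN:-podman}" run --rm --device /dev/fuse \
    -v "$HOST_STORE:/var/lib/shared:ro" \
    -v "$1:/var/lib/containers:Z" \
    "$IMAGE" buildah push "$2" "$3"
}

# Policy check on a podman command line: fail if it would weaken the
# container the way option 2 does (host store writable, SELinux separation
# off) or run it privileged; succeed only if the host store is read-only.
check_cmdline() {
  case "$1" in
    *"/var/lib/containers:/var/lib/containers"*|*"$HOST_STORE:/var/lib/containers"*) return 1 ;;
    *"--security-opt label=disabled"*|*--privileged*) return 1 ;;
  esac
  case "$1" in
    *"$HOST_STORE:/var/lib/shared:ro"*) return 0 ;;
  esac
  return 1
}

# One build: fresh private store, build, push, then throw the store away
# (so nothing a bad build wrote can reach the next build or the host).
build_and_push() {
  store=$(mktemp -d) || return 1
  run_build "$store" "$1" "$2" && run_push "$store" "$2" "$3"
  rc=$?
  rm -rf "$store"
  return $rc
}
```

With PODMAN=echo the two run functions print the exact podman invocations, which is a convenient way to review them before giving a CI job the right to run them; check_cmdline is the guard to put in front of any wrapper that lets job definitions influence the mount or security options.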

Important

Never delete images from the additional store while Buildah containers are using it. Otherwise a Buildah container may fail when a layer it expects to find there has gone.

And that's not all the benefits

The uses of additional stores are not limited to the scenario above. For example, you can put all container images on a shared network store and give every Buildah container access to it. Say we have hundreds of images that our CI/CD system uses all the time to build container images. We gather all of these images on one storage host and then, using whatever network storage we prefer (NFS, Gluster, Ceph, iSCSI, S3, ...), make that store available to the Buildah or Kubernetes nodes.

Now it is enough to mount this network store into the Buildah container at /var/lib/shared, and that's it: the Buildah containers no longer need to pull images. We skip the initial population step and are immediately ready to roll out containers.

And of course the same thing can be used in a live Kubernetes cluster or container infrastructure to launch and run containers anywhere without pulling images at all. Moreover, the registry, on receiving a push request that uploads a new image, can simply write that image to the shared network store, where it immediately becomes available to all nodes.

Container images can sometimes run to gigabytes. Additional stores let you avoid cloning such images onto the nodes and make container start-up nearly instantaneous.

In addition, we are working on a new feature called overlay volume mounts, which will make container builds even faster.

Conclusion

Running Buildah inside a container on Kubernetes/CRI-O, Podman, or even Docker is possible, simple, and far safer than handing out docker.socket. We have greatly increased the flexibility of working with images, so you can run them in a variety of ways to tune the balance between security and performance.

Additional stores let you speed up, or even eliminate, pulling images onto nodes.

Source: www.habr.com
