Best practices for running Buildah in a container

What is the beauty of decoupling the container runtime into separate components? In particular, these tools can be combined so that they protect one another.

Many people like the idea of building OCI container images inside Kubernetes or similar systems. Say we have a CI/CD pipeline that constantly builds images; then something like Red Hat OpenShift/Kubernetes would be very useful for balancing the build load. Until recently, most people simply gave containers access to the Docker socket and let them run docker build. A few years ago we showed that this is very insecure; in fact, it is even worse than handing out passwordless root or sudo.

So people keep trying to run Buildah inside a container. In short, we have created an example of what, in our opinion, is the best way to run Buildah in a container, and published the corresponding images under quay.io/buildah. Let's get started...

Images

These images are built from Dockerfiles that can be found in the Buildah repository, in the contrib/buildahimage folder.
Here we will look at the stable version of the Dockerfile.

# stable/Dockerfile
#
# Build a Buildah container image from the latest
# stable version of Buildah on the Fedora Updates System.
# https://bodhi.fedoraproject.org/updates/?search=buildah
# This image can be used to create a secured container
# that runs safely with privileges within the container.
#
FROM fedora:latest

# Don't include container-selinux and remove
# directories used by dnf that are just taking
# up space.
RUN yum -y install buildah fuse-overlayfs --exclude container-selinux; rm -rf /var/cache /var/log/dnf* /var/log/yum.*

# Adjust storage.conf to enable Fuse storage.
RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf

Instead of OverlayFS, which is used at the level of the host Linux kernel, we use the fuse-overlayfs program inside the container, because at the moment OverlayFS can only be mounted if the process is granted the SYS_ADMIN Linux capability, and we want to run our Buildah containers without any root privileges. fuse-overlayfs is quite fast and performs better than the VFS storage driver. Note that when running a Buildah container that uses FUSE, you must pass the /dev/fuse device into it:

podman run --device /dev/fuse quay.io/buildah/stable ...
RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock

Next we create a directory for an additional store. containers/storage supports the concept of attaching additional read-only image stores. For example, you can set up an image store on one machine, then mount that store on another machine over NFS and use the images from it without pulling them. We need this store so that we can attach an image store from the host as a volume and use it inside the container.

# Set up environment variables to note that this is
# not starting with user namespace and default to
# isolate the filesystem with chroot.
ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot

Finally, with the BUILDAH_ISOLATION environment variable we tell the Buildah container to run with chroot isolation by default. Additional isolation is not needed here, since we are already running inside a container. For Buildah to create its own containers separated by namespaces, it would need the SYS_ADMIN capability, which would require relaxing the container's SELinux and seccomp rules, and that contradicts our preference for building from a locked-down container.

Running Buildah inside a container

The Buildah container image discussed above lets you vary the way the container storage is mounted.

Speed versus security

Computer security is always a trade-off between how fast processes run and how much protection is wrapped around them. This is also true when building containers, so below we consider the options for such a trade-off.

The container image discussed above keeps its storage in /var/lib/containers. So we need to mount content into this folder, and how we do that strongly affects the speed of building container images.

Let's consider three options.

Option 1. If maximum security is required, then for every container you can create a separate folder for containers/storage and attach it to the container as a volume mount. In addition, mount the build context into the container as well, at /build:

# mkdir /var/lib/containers1
# podman run --device /dev/fuse -v ./build:/build:z -v /var/lib/containers1:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image1 /build
# podman run --device /dev/fuse -v /var/lib/containers1:/var/lib/containers:Z quay.io/buildah/stable buildah push image1 registry.company.com/myuser
# rm -rf /var/lib/containers1

Security. Buildah running in such a container has maximum security: it is granted no root privileges via capabilities, and all seccomp and SELinux restrictions apply to it. Such a container can even be run with user namespace isolation by adding an option such as --uidmap 0:100000:10000.

Performance. But performance here is minimal, because the images are copied from the container registry to the host every time, and caching does not work at all. When it finishes its job, the Buildah container has to push the image to the registry and destroy the content on the host. The next time the container image is built, it has to be pulled from the registry again, since by then there is nothing left on the host.

Option 2. If you need Docker-level performance, you can mount the host's containers/storage directly into the container.

# podman run --device /dev/fuse -v ./build:/build:z -v /var/lib/containers:/var/lib/containers --security-opt label=disable quay.io/buildah/stable buildah bud -t image2 /build
# podman run --device /dev/fuse -v /var/lib/containers:/var/lib/containers --security-opt label=disable quay.io/buildah/stable buildah push image2 registry.company.com/myuser

Security. This is the least secure way to build containers, because it lets the container modify the host's storage and can potentially feed a malicious image to Podman or CRI-O. Moreover, you have to disable SELinux separation so that the processes in the Buildah container can work with the host's storage. Note that this option is still better than the Docker socket, because the container is locked down by additional security features and cannot launch a container on the host.

Performance. Here it is maximal, since caching is used to the full. If Podman or CRI-O has already pulled the required image to the host, the Buildah process inside the container does not have to pull it again, and subsequent builds based on this image can also take what they need from the cache.

Option 3. The idea of this method is to put several images into one project with a shared folder for container images.

# mkdir /var/lib/project3
# podman run --device /dev/fuse --security-opt label=level:s0:c100,c200 -v ./build:/build:z -v /var/lib/project3:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image3 /build
# podman run --device /dev/fuse --security-opt label=level:s0:c100,c200 -v /var/lib/project3:/var/lib/containers quay.io/buildah/stable buildah push image3 registry.company.com/myuser

In this example we do not delete the project folder (/var/lib/project3) between runs, so all subsequent builds in the project benefit from caching.

Security. Something between options 1 and 2. On the one hand, the containers have no access to the host's content and therefore cannot slip anything malicious into the Podman/CRI-O image store. On the other hand, by design, a container image in the project can interfere with the builds of the other images in it.

Performance. Here it is worse than with a shared cache on the host, since you cannot use images that were already pulled with Podman/CRI-O. However, once Buildah has pulled an image, that image can be used in any subsequent build within the project.

Additional stores

containers/storage has a neat feature called additional image stores, which lets the container engine use external image stores in read-only mode when starting and building containers. Essentially, you can add one or more read-only stores to the storage.conf file so that, when a container is started, the container engine looks for the required images in them. Moreover, it pulls an image from the registry only if it does not find it in any of these stores. The container engine itself can write only to its own writable store.

If you scroll up and look at the Dockerfile we use to build the quay.io/buildah/stable image, you will see these lines:

# Adjust storage.conf to enable Fuse storage.
RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf
RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock

In the first line we edit /etc/containers/storage.conf inside the container image, telling the storage driver to use additionalimagestores in the /var/lib/shared folder. In the next line we create the shared folder and add a couple of lock files so that containers/storage does not complain. Essentially, we are just creating an empty container image store.

If you mount a containers/storage directory from the host on top of this folder, Buildah will be able to use the images in it.
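The two storage.conf edits above (in the Dockerfile and repeated in this section) are easy to get wrong when they are ported to another base image, and a store that lands outside the additionalimagestores list is silently ignored. The following shell script is an added example, not code from the Buildah repository or from the article: it applies the same sed edits to a storage.conf and then verifies that fuse-overlayfs is enabled and /var/lib/shared really sits inside the list. The sample storage.conf it writes is constructed to mirror only the relevant lines of Fedora's default file; the function names and the check logic are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Buildah repository or the article.
# Applies the two storage.conf edits made by the stable Dockerfile
# (enable fuse-overlayfs, register /var/lib/shared as an additional
# read-only image store) and verifies that they took effect.
# The sample configuration below is constructed to mirror the relevant
# lines of Fedora's default /etc/containers/storage.conf.

# configure_storage_conf FILE
# Same two sed edits as the Dockerfile: uncomment mount_program and
# append "/var/lib/shared" to the additionalimagestores list.
configure_storage_conf() {
    sed -i -e 's|^#mount_program|mount_program|g' \
           -e '/additionalimage.*/a "/var/lib/shared",' "$1"
}

# verify_storage_conf FILE
# Returns 0 only if mount_program points at fuse-overlayfs and
# "/var/lib/shared" appears inside the additionalimagestores list
# (an entry outside that list would be silently ignored).
verify_storage_conf() {
    grep -q '^mount_program *= *"/usr/bin/fuse-overlayfs"' "$1" || return 1
    awk '
        /^additionalimagestores *= *\[/ { inlist = 1; next }
        inlist && /"\/var\/lib\/shared"/ { found = 1 }
        inlist && /^]/                   { exit }
        END { exit !found }
    ' "$1"
}

# make_sample_conf FILE
# Writes a constructed storage.conf with the "before" settings:
# fuse-overlayfs commented out, no additional stores.
make_sample_conf() {
    cat > "$1" <<'EOF'
[storage]
driver = "overlay"
runroot = "/var/run/containers/storage"
graphroot = "/var/lib/containers/storage"

[storage.options]
additionalimagestores = [
]

#mount_program = "/usr/bin/fuse-overlayfs"
EOF
}

# Usage as a script:
#   conf=$(mktemp); make_sample_conf "$conf"; configure_storage_conf "$conf"
#   verify_storage_conf "$conf" && echo "storage.conf OK"
```

Run verify_storage_conf against the real /etc/containers/storage.conf of any image you derive from this Dockerfile; if it fails, the sed patterns no longer match the base image's commented defaults and Buildah will fall back to OverlayFS (needing SYS_ADMIN) or never see the shared store.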

Now let's return to Option 2 discussed above, where the Buildah container can read from and write to the host's containers/storage and therefore gets maximum performance thanks to image caching at the Podman/CRI-O level, but offers minimum security because it can write directly to that store. Now let's add an additional store here and get the best of both worlds.

# mkdir /var/lib/containers4
# podman run --device /dev/fuse -v ./build:/build:z -v /var/lib/containers/storage:/var/lib/shared:ro -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image4 /build
# podman run --device /dev/fuse -v /var/lib/containers/storage:/var/lib/shared:ro -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable buildah push image4 registry.company.com/myuser
# rm -rf /var/lib/containers4

Note that the host's /var/lib/containers/storage is mounted read-only at /var/lib/shared inside the container. So, running in a container, Buildah can use images previously pulled with Podman/CRI-O (hello, speed), but can write only to its own storage (hello, security). Also note that this is achieved without disabling SELinux separation for the container.
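When this pattern is scripted for CI, the safeguards that make it secure are the easiest parts to lose: someone points the private store at the host store, forgets the :ro, or forgets /dev/fuse. The following shell function is an added example, not code from the article or the Buildah project, that wraps the commands above so that each safeguard is fixed in one place and the wrapper refuses to run if the private store path is the host store (which would silently turn this back into Option 2). The registry name, the ./build context, the HOST_STORE/PRIVATE_STORE variables and the DRY_RUN switch are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the article or the Buildah project.
# Scripts the "best of both worlds" build: the host's containers/storage
# exposed read-only as an additional store, a private writable store per
# build, SELinux separation left enabled.
# Assumptions: podman and quay.io/buildah/stable are available, the build
# context is ./build, and the registry is a placeholder. DRY_RUN=1 prints
# the commands instead of running them so the wrapper can be checked offline.

# run CMD ARGS...: execute, or print when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# hybrid_build TAG REGISTRY [CONTEXT]
# HOST_STORE    - host containers/storage, mounted read-only at /var/lib/shared
# PRIVATE_STORE - per-build graphroot, mounted :Z and removed afterwards
hybrid_build() {
    tag=$1
    registry=$2
    context=${3:-./build}
    host_store=${HOST_STORE:-/var/lib/containers/storage}
    private_store=${PRIVATE_STORE:-/var/lib/containers-build-$$}

    # Guard: writing into the host store is exactly what this setup avoids.
    if [ -z "$private_store" ] || [ "$private_store" = "$host_store" ]; then
        echo "refusing: PRIVATE_STORE must be a separate directory" >&2
        return 2
    fi

    run mkdir -p "$private_store"

    # --device /dev/fuse: the image uses fuse-overlayfs (no SYS_ADMIN needed).
    # :ro on the host store: Buildah can read cached images, never write them.
    # :Z on the private store: its SELinux label belongs to this container only.
    run podman run --rm --device /dev/fuse \
        -v "$context:/build:z" \
        -v "$host_store:/var/lib/shared:ro" \
        -v "$private_store:/var/lib/containers:Z" \
        quay.io/buildah/stable buildah bud -t "$tag" /build
    status=$?

    if [ "$status" -eq 0 ]; then
        run podman run --rm --device /dev/fuse \
            -v "$host_store:/var/lib/shared:ro" \
            -v "$private_store:/var/lib/containers:Z" \
            quay.io/buildah/stable buildah push "$tag" "$registry/$tag"
        status=$?
    fi

    # The private store is disposable; the host cache stays untouched.
    run rm -rf "$private_store"
    return "$status"
}

# Usage: DRY_RUN=1 hybrid_build image4 registry.company.com/myuser ./build
```

The push step reuses the same two mounts as the build: the image's layers live in the private store, while any base layers it shares with the host cache are still read from /var/lib/shared, so nothing has to be copied into the private store first.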

An important nuance

Under no circumstances should you delete images from the underlying store. Otherwise the Buildah container may crash.

And that is not all the advantages

The capabilities of additional stores are not limited to the scenario above. For example, you can put all container images on a shared network store and give every Buildah container access to it. Say we have hundreds of images that our CI/CD system regularly uses to build container images. We concentrate all these images on one storage server and then, using our favorite network storage tool (NFS, Gluster, Ceph, iSCSI, S3, ...), open shared access to this store for all Buildah or Kubernetes nodes.

Now it is enough to mount this network store into the Buildah container at /var/lib/shared, and that's it: Buildah containers no longer need to pull images. So we throw out the pre-population stage and are immediately ready to roll out containers.

And of course, this can be used in Kubernetes or in a container infrastructure to launch and run containers anywhere without pulling images. Moreover, a container registry that receives a push request for a new image can automatically send that image to the shared network store, where it immediately becomes available to all nodes.

Container images sometimes reach many gigabytes in size. Additional stores let you avoid cloning such images across nodes and make container launches almost instantaneous.

In addition, we are currently working on a new feature called overlay volume mounts, which will make builds even faster.

Conclusion

Running Buildah in a container under Kubernetes/CRI-O, Podman, or even Docker is feasible, simple, and far more secure than using docker.socket. We have made working with the images much easier, so you can run them in many ways to tune the balance between security and performance.

Additional stores let you speed up, or even eliminate entirely, the pulling of images onto the nodes.

Source: www.hab.com
