Best practices for running Buildah in a container

What is the beauty of splitting the container runtime into separate components? In particular, these tools can be combined so that they protect each other.

Many people are attracted by the idea of building OCI images inside Kubernetes or a similar system. Say we have a CI/CD pipeline that builds images all the time; then something like Red Hat OpenShift/Kubernetes is very useful for spreading the build load. Until recently, most people simply gave containers access to the Docker socket and let them run the docker command. Many years ago we showed that this is insecure; in fact, it is worse than handing out root or passwordless sudo, because anything that can talk to the socket can start a privileged container on the host.

That is why people keep trying to run Buildah inside a container. In short, we created an example of what we consider the best way to run Buildah inside a container, and published the corresponding images at quay.io/buildah. Let's begin...

Setup

These images are built from Dockerfiles, which can be found in the contrib directory of the Buildah repository.
Here we look at the stable version of the Dockerfile.

# stable/Dockerfile
#
# Build a Buildah container image from the latest
# stable version of Buildah on the Fedora Updates System.
# https://bodhi.fedoraproject.org/updates/?search=buildah
# This image can be used to create a secured container
# that runs safely with privileges within the container.
#
FROM fedora:latest

# Don't include container-selinux and remove
# directories used by dnf that are just taking
# up space.
RUN yum -y install buildah fuse-overlayfs --exclude container-selinux; rm -rf /var/cache /var/log/dnf* /var/log/yum.*

# Adjust storage.conf to enable Fuse storage.
RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf

Instead of OverlayFS, which is implemented at the Linux kernel level, we use the fuse-overlayfs program inside the container, because today OverlayFS can only be mounted if you grant the SYS_ADMIN capability. But we want to run our Buildah container without any root privileges at all. fuse-overlayfs is reasonably fast and performs better than the VFS storage driver. Note that when you run a Buildah container that uses FUSE, you must pass in the /dev/fuse device:

podman run --device /dev/fuse quay.io/buildahctr ...

RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock

Next we create a directory for additional stores. containers/storage supports the notion of attaching additional read-only image stores. For example, you can set up an overlay store on one machine, export it over NFS to another machine, and use the images from it without pulling them. We need this store so that we can mount an image store from the host into the container as a volume and use it from inside the container.

# Set up environment variables to note that this is
# not starting with user namespace and default to
# isolate the filesystem with chroot.
ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot

Finally, through the BUILDAH_ISOLATION environment variable we tell the Buildah container to use chroot isolation by default. No additional isolation is needed here, since we are already running inside a container. For Buildah to create its own namespace-isolated containers, it would need the SYS_ADMIN capability, which in turn would require relaxing the container's SELinux and SECCOMP rules, and that goes against our goal of building from a locked-down container.

Running Buildah inside a container

The Buildah container image described above can be launched in several different ways.

Speed and security

Computer security is always a trade-off between the speed of a process and the amount of protection wrapped around it. This is just as true when building containers, so below we look at the options for such a trade-off.

The container image described above keeps its storage in /var/lib/containers. So we have to mount content into this directory, and how we do that strongly affects how fast container images get built.

Let's consider three options.

Option 1. If maximum security is required, then for each container you can create a separate directory for its containers/images and attach it to the container with a volume mount. In addition, mount the build context into the container as well, under the /build directory:

# mkdir /var/lib/containers1
# podman run --device /dev/fuse -v ./build:/build:z -v /var/lib/containers1:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image1 /build
# podman run --device /dev/fuse -v /var/lib/containers1:/var/lib/containers:Z quay.io/buildah/stable buildah push image1 registry.company.com/myuser
# rm -rf /var/lib/containers1

Security. Buildah running in such a container has maximum security: it is granted no root privileges through capabilities, and all of the container's SECCOMP and SELinux restrictions apply to it. Such a container can even be run in a user namespace by adding an option like --uidmap 0:100000:10000.

Performance. Here, however, performance is minimal, since every image is copied from the registry to the host every time, and caching does not work at all. When it finishes, the Buildah container pushes the image to the registry and the content on the host is destroyed. The next time that container image is built, it is pulled from the registry again, since by then nothing is left on the host.

Option 2. If you need Docker-level performance, you can mount the host's containers/storage directly into the container.

# podman run --device /dev/fuse -v ./build:/build:z -v /var/lib/containers:/var/lib/containers --security-opt label=disabled quay.io/buildah/stable buildah bud -t image2 /build
# podman run --device /dev/fuse -v /var/lib/containers:/var/lib/containers --security-opt label=disabled quay.io/buildah/stable buildah push image2 registry.company.com/myuser

Security. This is the least secure way to build containers, because it lets the container modify the host's storage and so could feed Podman or CRI-O a malicious image. In addition, you have to disable SELinux separation so that the processes in the Buildah container can work with the storage on the host. Note that this option is still better than the Docker socket, because the container is still locked down by the remaining security mechanisms and cannot simply start a container on the host.

Performance. Here it is maximal, since caching is used to the full. If Podman or CRI-O has already pulled the required image onto the host, the Buildah process inside the container will not pull it again, and subsequent builds based on that image can also take what they need from the cache.

Option 3. The idea of this approach is to group several images into one project with a shared store for container images.

# mkdir /var/lib/project3
# podman run --device /dev/fuse --security-opt label=level:s0:c100,c200 -v ./build:/build:z -v /var/lib/project3:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image3 /build
# podman run --device /dev/fuse --security-opt label=level:s0:c100,c200 -v /var/lib/project3:/var/lib/containers quay.io/buildah/stable buildah push image3 registry.company.com/myuser

In this example we do not delete the project directory (/var/lib/project3) between runs, so every subsequent build within the project benefits from caching. Because both runs use the same fixed SELinux level (s0:c100,c200), the containers of this project can share the directory while containers of other projects, which run with different categories, cannot touch it.

Security. Somewhere between options 1 and 2. On the one hand, the containers have no access to the content on the host and therefore cannot push anything malicious into the Podman/CRI-O image store. On the other hand, within the same project a container can contaminate the builds of the others.

Performance. Here it is worse than with a cache shared at the host level, since images already pulled by Podman/CRI-O cannot be used. However, once Buildah has pulled an image, that image can be used for any subsequent build within the project.

Additional stores

containers/storage has a useful feature called additional stores (additional image stores), thanks to which container engines can use external read-only image stores when starting and building containers. In short, you can list one or more read-only stores in storage.conf, so that when a container is started, the container engine looks for the required image in them first. Moreover, it pulls the image from the registry only if it does not find it in any of these stores. The container engine can write only to the writable store...

If you scroll back and look at the Dockerfile we use to build the quay.io/buildah/stable image, you will find these lines:

# Adjust storage.conf to enable Fuse storage.
RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf
RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock

In the first line we modify /etc/containers/storage.conf inside the container image, telling the storage driver to use "additionalimagestores" in the /var/lib/shared directory. In the next line we create the shared directory and add a few lock files so that containers/storage does not complain. In effect, we are creating an empty container image store.

If you mount a containers/storage on top of this directory, Buildah will be able to use the images in it.
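As an added example, not code from the article or from the Buildah project, the following script applies the two sed expressions from the Dockerfile (the same ones quoted above and in the Setup section) to a constructed storage.conf and checks what they produce. The sample config is a trimmed approximation of the Fedora containers-common storage.conf of that time, not a copy of any real file; the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not from the article or the Buildah project: apply the two
# sed edits from stable/Dockerfile to a constructed storage.conf and verify
# the result. The sample below is a trimmed approximation of the Fedora
# containers-common storage.conf of that time, not a copy of a real file.
set -eu

# Constructed sample input (only the keys the edits touch, plus context).
sample_storage_conf() {
    cat <<'EOF'
[storage]
driver = "overlay"
runroot = "/var/run/containers/storage"
graphroot = "/var/lib/containers/storage"

[storage.options]
# AdditionalImageStores is used to pass paths to additional Read/Only image stores
additionalimagestores = [
]

mountopt = "nodev"

# mount_program allows the user to provide a program to mount the container
# images. This is used by the fuse-overlayfs driver.
#mount_program = "/usr/bin/fuse-overlayfs"
EOF
}

# The Dockerfile's sed expressions, unchanged, reading stdin instead of
# /etc/containers/storage.conf: uncomment mount_program (fuse-overlayfs) and
# append "/var/lib/shared" right inside the additionalimagestores list.
apply_dockerfile_sed() {
    sed -e 's|^#mount_program|mount_program|g' \
        -e '/additionalimage.*/a "/var/lib/shared",'
}

rendered_storage_conf() {
    sample_storage_conf | apply_dockerfile_sed
}

# Check a rendered config the way a CI job would before trusting the image:
# FUSE mounting must be active, and /var/lib/shared must be the entry that
# directly follows the opening bracket of additionalimagestores.
check_storage_conf() {
    conf="$1"
    printf '%s\n' "$conf" | grep -q '^mount_program = "/usr/bin/fuse-overlayfs"$' || return 1
    printf '%s\n' "$conf" | sed -n '/^additionalimagestores = \[/{n;p;}' \
        | grep -q '^"/var/lib/shared",$' || return 1
    # The explanatory comment has a space after '#', so the first sed
    # expression must have left it alone.
    printf '%s\n' "$conf" | grep -q '^# mount_program allows' || return 1
}

rendered_storage_conf
```

Running the script prints the rendered config; the point of check_storage_conf is that the sed in the Dockerfile is pattern-based, so a change in the upstream storage.conf layout (for example a space after the `#`, or a renamed key) would silently leave FUSE disabled or the additional store unregistered, and a check like this catches that at image build time rather than at the first failed mount.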

Now let's return to Option 2 above, where the Buildah container can read and write the containers/storage on the host and so gets maximum performance from the images cached at the Podman/CRI-O level, but offers minimum security because it can write directly into that storage. Now let's add additional stores to the picture and get the best of both worlds.

# mkdir /var/lib/containers4
# podman run --device /dev/fuse -v ./build:/build:z -v /var/lib/containers/storage:/var/lib/shared:ro -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image4 /build
# podman run --device /dev/fuse -v /var/lib/containers/storage:/var/lib/shared:ro -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable buildah push image4 registry.company.com/myuser
# rm -rf /var/lib/containers4

Note that the host's /var/lib/containers/storage is mounted at /var/lib/shared inside the container in read-only mode. So, working inside the container, Buildah can use any image previously pulled by Podman/CRI-O (hello, speed), but can write only to its own store (hello, security). Note also that this is done without disabling SELinux separation for the container.
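An added example, not from the article or the Buildah project: a small bash wrapper that runs the combined pattern just described (a private per-build store, the host store mounted read-only as the additional store, /dev/fuse passed through, SELinux left enabled) and removes the private store on every exit path, including a failed build. The image name and mount points are the article's; the PODMAN, BUILDAH_IMAGE, HOST_STORE and BUILD_STORE_ROOT variables and the build_and_push function are this example's own assumptions. Setting PODMAN=echo prints the podman commands instead of running them.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article or the Buildah project.
# Runs a Buildah container the way the text above describes: a private,
# per-build read-write store, the host's containers/storage mounted read-only
# as the additional image store, /dev/fuse passed through, and the private
# store removed afterwards whether or not the build succeeded.
set -eu

# Assumed knobs (not from the article). PODMAN=echo prints the commands
# instead of running them; BUILD_STORE_ROOT is where private stores are made.
: "${PODMAN:=podman}"
: "${BUILDAH_IMAGE:=quay.io/buildah/stable}"
: "${HOST_STORE:=/var/lib/containers/storage}"
: "${BUILD_STORE_ROOT:=/var/lib}"

# Common podman arguments: the host store is :ro at /var/lib/shared (the path
# the image registers as an additional store), only the private store is
# writable, and SELinux labeling stays on (:Z relabels just the private dir).
buildah_run() {
    store="$1"; shift
    "$PODMAN" run --rm --device /dev/fuse \
        -v "$HOST_STORE:/var/lib/shared:ro" \
        -v "$store:/var/lib/containers:Z" \
        "$@"
}

# build_and_push CONTEXT_DIR TAG DESTINATION
build_and_push() {
    ctx="$1"; tag="$2"; dest="$3"
    store="$(mktemp -d "$BUILD_STORE_ROOT/buildah-store.XXXXXX")"
    rc=0
    # Chain with && so a failed build skips the push; the || captures the
    # status without tripping set -e, so cleanup below always runs.
    buildah_run "$store" -v "$ctx:/build:z" "$BUILDAH_IMAGE" \
            buildah bud -t "$tag" /build \
        && buildah_run "$store" "$BUILDAH_IMAGE" buildah push "$tag" "$dest" \
        || rc=$?
    # A failed or interrupted build must not leave a half-written store for
    # the next job to inherit. The host store was never writable, so there
    # is nothing to roll back there.
    rm -rf "$store"
    return "$rc"
}

if [ "$#" -eq 3 ]; then
    build_and_push "$@"
fi
```

Usage: `./buildah-in-container.sh ./build image4 registry.company.com/myuser`. The private store is created with mktemp so two jobs on the same node never share a read-write store, which is what keeps one build from poisoning another while still letting both read the host's cached images.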

An important caveat

Under no circumstances should you delete images from the underlying store while it is in use as an additional store. Otherwise the Buildah container may crash.

And that is not all the advantages

The possibilities of additional stores are not limited to the scenario above. For example, you can keep all container images on shared network storage and give every Buildah container access to it. Suppose we have hundreds of images that our CI/CD system uses all the time to build container images. We put all of these images into one store and then, using whichever network storage tool we prefer (NFS, Gluster, Ceph, iSCSI, S3...), we make that store available to every Buildah or Kubernetes node.

Now it is enough to mount this network storage into the Buildah container at /var/lib/shared, and that is it: Buildah containers no longer need to pull images. So we get rid of the pre-pull step and are ready to start containers immediately.

And of course this can be used within a live Kubernetes system or container infrastructure to start and run containers anywhere without downloading any images. Moreover, a container registry, on receiving a push request to upload an updated image, could automatically write that image out to the shared network storage, where it becomes available to all nodes at once.

Container images can sometimes reach many gigabytes in size. Additional stores let you avoid cloning such images across nodes and make container startup almost instantaneous.

In addition, we are currently working on a new feature called overlay volume mounts, which will make building containers even faster.

Conclusion

Running Buildah inside a container on Kubernetes/CRI-O, Podman, or even Docker is feasible, easy, and much more secure than using docker.socket. We have greatly increased the flexibility of working with images, so you can run them in a variety of ways to tune the balance between security and performance.

Additional stores let you speed up, or even eliminate, image downloads on nodes.

Source: www.habr.com
