What do we gain by splitting the container runtime into separate tool components? Above all, these tools can be combined so that they protect each other.
Many people are drawn to the idea of building OCI images from inside a container. So people keep wanting to run Buildah inside a container, and in short, that is what we built.
Those images are built from a Dockerfile in a folder of the Buildah repository. Let's take a look at it.
# stable/Dockerfile
#
# Build a Buildah container image from the latest
# stable version of Buildah on the Fedoras Updates System.
# https://bodhi.fedoraproject.org/updates/?search=buildah
# This image can be used to create a secured container
# that runs safely with privileges within the container.
#
FROM fedora:latest
# Don't include container-selinux and remove
# directories used by dnf that are just taking
# up space.
RUN yum -y install buildah fuse-overlayfs --exclude container-selinux; rm -rf /var/cache /var/log/dnf* /var/log/yum.*
# Adjust storage.conf to enable Fuse storage.
RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf
Instead of the OverlayFS implemented at the host Linux kernel level, it uses a program inside the container:
podman run --device /dev/fuse quay.io/buildahctr ...
RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
Next, we create the directories for the additional storage.
# Set up environment variables to note that this is
# not starting with user namespace and default to
# isolate the filesystem with chroot.
ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot
Finally, the BUILDAH_ISOLATION environment variable tells the Buildah container to run with chroot isolation by default. Since we are already working inside a container, no additional isolation is needed here. For Buildah to create its own namespace-isolated container it would need the SYS_ADMIN capability, which in turn would require relaxing the container's SELinux and SECCOMP rules, and that goes against our preference for building from a secure container.
Running Buildah inside a container
Using the Buildah container image described above, you can flexibly vary how such containers are launched.
Speed and security
Computer security is always a trade-off between the speed of a process and the degree of protection applied to it. This holds when building containers too, so below we look at the options for such a trade-off.
The container image described above keeps its storage in /var/lib/containers. Therefore, content has to be mounted into that folder, and how this is done greatly affects the speed of building container images.
Let's consider three options.
Option 1. If maximum security is needed, you can create a separate folder for containers/images for each container and attach it to the container via a volume mount. In addition, place the context directory in the /build folder inside the container itself.
# mkdir /var/lib/containers1
# podman run -v ./build:/build:z -v /var/lib/containers1:/var/lib/containers:Z quay.io/buildah/stable buildah -t image1 bud /build
# podman run -v /var/lib/containers1:/var/lib/containers:Z quay.io/buildah/stable buildah push image1 registry.company.com/myuser
# rm -rf /var/lib/containers1
Security. Buildah running in such a container has maximum security: it runs with capabilities restricted and without root privileges, and every SECCOMP and SELinux restriction applies. Such a container can also be run with user namespace isolation by adding an option such as --uidmap 0:100000:10000.
Performance. However, performance here is minimal, because the image is copied from the container registry to the host every time and the cache does not work at all. Once the work is done, the Buildah container has to push the image to the registry, and the content on the host has to be destroyed. The next time a container image is built, nothing is left on the host, so everything has to be downloaded from the registry again.
Option 2. If Docker-level performance is needed, you can mount the host's containers/storage directly into the container.
# podman run -v ./build:/build:z -v /var/lib/containers:/var/lib/containers --security-opt label:disabled quay.io/buildah/stable buildah -t image2 bud /build
# podman run -v /var/lib/containers:/var/lib/containers --security-opt label:disabled quay.io/buildah/stable buildah push image2 registry.company.com/myuser
Security. This is the least secure way to build containers, because it lets the container modify the storage on the host and potentially feed malicious images to Podman or CRI-O. In addition, SELinux isolation has to be disabled so that processes inside the Buildah container can interact with the storage on the host. Note that this option is still better than the Docker socket, because the container remains locked down by the remaining security features and cannot simply run a container on the host.
Performance. Here it is maximal, because the cache is fully used. If Podman or CRI-O has already downloaded the required image to the host, the Buildah process inside the container does not need to download it again, and subsequent builds based on that image can also take what they need from the cache.
Option 3. The essence of this approach is to use a common folder for container images, combining several images into one project.
# mkdir /var/lib/project3
# podman run --security-opt label=level:s0:C100,C200 -v ./build:/build:z -v /var/lib/project3:/var/lib/containers:Z quay.io/buildah/stable buildah -t image3 bud /build
# podman run --security-opt label=level:s0:C100,C200 -v /var/lib/project3:/var/lib/containers quay.io/buildah/stable buildah push image3 registry.company.com/myuser
In this example the project folder (/var/lib/project3) is not deleted between runs, so all subsequent builds within the project benefit from the cache.
Security. Something in between options 1 and 2. On the one hand, the container cannot access content on the host, so nothing malicious can be slipped into the Podman/CRI-O image storage. On the other hand, by design, one container may interfere with the building of other containers.
Performance. Here, since images already downloaded by Podman/CRI-O cannot be used, things are worse than with a shared cache at the host level. However, once Buildah has downloaded an image, that image can be used by subsequent builds within the project.
Additional storage
If you scroll up and look at the Dockerfile used to build the image quay.io/buildah/stable, you will see lines like these:
# Adjust storage.conf to enable Fuse storage.
RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf
RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
The first line modifies /etc/containers/storage.conf inside the container image and tells the storage driver to use an additionalimagestore in the /var/lib/shared folder. The next line creates the shared folder and adds a few lock files so that containers/storage does not complain. Basically, this just creates an empty container image store.
If a containers/storage from a higher level is mounted on this folder, Buildah will be able to use its images.
Now let's return to option 2 described earlier. There, the Buildah container can read and write the containers/storage on the host, so we get maximum performance thanks to image caching at the Podman/CRI-O level, but minimal security, because it can write directly to that storage. Let's add the additional storage here and get the best of both:
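The two storage.conf edits from the Dockerfile above, reproduced on a constructed sample file with a check that they took effect. This is an added example, not code from the original post; the sample file contains only the lines relevant here, and the check functions are this example's own.

```shell
# Constructed sample of the relevant storage.conf lines (not a full real file).
make_sample_storage_conf() {
    cat > "$1" <<'EOF'
[storage]
driver = "overlay"
graphroot = "/var/lib/containers/storage"

[storage.options]
additionalimagestores = [
]

[storage.options.overlay]
#mount_program = "/usr/bin/fuse-overlayfs"
EOF
}

# The same sed the Dockerfile runs: enable fuse-overlayfs and add
# /var/lib/shared as an additional (read-only) image store.
enable_shared_store() {
    sed -i -e 's|^#mount_program|mount_program|g' \
           -e '/additionalimage.*/a "/var/lib/shared",' "$1"
}

# Returns 0 only if both edits took effect: mount_program is uncommented and
# the new entry sits inside the additionalimagestores list.
check_storage_conf() {
    grep -q '^mount_program = "/usr/bin/fuse-overlayfs"' "$1" || return 1
    sed -n '/additionalimagestores = \[/,/\]/p' "$1" \
        | grep -q '"/var/lib/shared",' || return 1
    return 0
}

# Demo: apply the edit to a scratch copy and show the result.
demo_storage_conf() {
    f=$(mktemp)
    make_sample_storage_conf "$f"
    enable_shared_store "$f"
    if check_storage_conf "$f"; then
        echo "storage.conf OK:"; cat "$f"
    else
        echo "storage.conf edit failed" >&2
    fi
    rm -f "$f"
}

if [ "${1:-}" = "demo" ]; then demo_storage_conf; fi
```

Run `check_storage_conf /etc/containers/storage.conf` inside a built image (for example with `podman run --rm ... cat /etc/containers/storage.conf` piped to a file) to confirm the image will actually consult /var/lib/shared before you mount anything there.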
# mkdir /var/lib/containers4
# podman run -v ./build:/build:z -v /var/lib/containers/storage:/var/lib/shared:ro -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable buildah -t image4 bud /build
# podman run -v /var/lib/containers/storage:/var/lib/shared:ro -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable buildah push image4 registry.company.com/myuser
# rm -rf /var/lib/containers4
Note that the host's /var/lib/containers/storage is mounted read-only at /var/lib/shared inside the container. So Buildah running inside the container can use images that Podman/CRI-O downloaded earlier (hello, speed), but can write only to its own storage (hello, security). Note also that this is achieved without disabling the container's SELinux isolation.
Important nuance
Under no circumstances delete images from the underlying store. Otherwise the Buildah container may crash.
That is not the only benefit
The possibilities of additional storage are not limited to the scenario above. For example, you can place all container images on shared network storage and give every Buildah container access to them. Suppose you have hundreds of images that a CI/CD system regularly uses to build container images. Concentrate all of these images on 3 storage hosts and, using your preferred network storage tool (NFS, Gluster, Ceph, iSCSI, S3...), open access to that storage to all of your Buildah or Kubernetes nodes.
Now it is enough to mount that network storage into the Buildah container at /var/lib/shared, and the Buildah containers no longer need to download images via pull. We can thus drop the pre-population phase and are immediately ready to roll out containers.
And of course, you can use this inside a live Kubernetes system or container infrastructure to launch and run containers anywhere without pulling images. Furthermore, when the container registry receives a push request uploading an updated image, it can automatically send that image to the shared network storage, where it immediately becomes available to all nodes.
Container images can reach tens of gigabytes in size. The additional storage feature avoids cloning such images between nodes and lets containers start almost instantly.
Beyond that, we are now working on a new feature called overlay volume mounts, which speeds up container builds even further.
Summary
Running Buildah inside a container on Kubernetes/CRI-O, Podman, or even Docker is feasible and simple, and far safer than using docker.socket. We have greatly increased the flexibility of working with images, so you can now run them in many different ways and tune the balance between security and performance.
The additional storage feature lets you speed up image downloads to nodes, or even make them entirely unnecessary.
Source: habr.com
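The read-only-shared-store launch just shown, wrapped in a function that gives every build its own writable store and removes it afterwards. This is an added example, not code from the original post; the PODMAN, HOST_STORE and PRIVATE_STORE_ROOT variables and the build_with_shared_cache name are this example's own conventions, and the mount flags are exactly those used above.

```shell
PODMAN=${PODMAN:-podman}
BUILDAH_IMAGE=${BUILDAH_IMAGE:-quay.io/buildah/stable}
HOST_STORE=${HOST_STORE:-/var/lib/containers/storage}       # Podman/CRI-O cache
PRIVATE_STORE_ROOT=${PRIVATE_STORE_ROOT:-/var/lib/buildah-private}

# build_with_shared_cache <context-dir> <tag> <push-destination>
# The host store is mounted :ro at /var/lib/shared, so the build can read the
# host's cached images but never writes into Podman/CRI-O storage, and SELinux
# stays enabled. The private store is destroyed whether the build succeeds
# or fails, so nothing from one build leaks into the next.
build_with_shared_cache() {
    context=$1; tag=$2; dest=$3
    store="$PRIVATE_STORE_ROOT/$(printf '%s' "$tag" | tr '/:' '__').$$"
    mkdir -p "$store" || return 1
    "$PODMAN" run --rm \
        -v "$context:/build:z" \
        -v "$HOST_STORE:/var/lib/shared:ro" \
        -v "$store:/var/lib/containers:Z" \
        "$BUILDAH_IMAGE" buildah bud -t "$tag" /build \
        || { rm -rf "$store"; return 1; }
    "$PODMAN" run --rm \
        -v "$HOST_STORE:/var/lib/shared:ro" \
        -v "$store:/var/lib/containers:Z" \
        "$BUILDAH_IMAGE" buildah push "$tag" "$dest"
    rc=$?
    rm -rf "$store"   # never reuse a private store across builds
    return $rc
}
```

Typical use: `build_with_shared_cache ./build image4 registry.company.com/myuser`; set `PODMAN` to a wrapper that only echoes its arguments to preview the exact podman invocations without running anything.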