Best practices for running Buildah in a container

One of the nice things about splitting the container runtime into separate, specialised tools is that those tools can then be combined so that they protect one another.


Many people are interested in building OCI images inside Kubernetes or a similar system. Suppose you have a CI/CD pipeline that builds container images all the time; something like Red Hat OpenShift or Kubernetes would be ideal for spreading the build load. Until recently most people simply exposed the Docker socket to the container and let it run docker build. Years ago we showed how unsafe that is: anything that can talk to the Docker socket can start a privileged container on the host, which makes it worse than handing out passwordless root or sudo.

That is why people keep asking how to run Buildah inside a container. In short, we built images that show how, in our view, Buildah should be run inside a container, and published them on quay.io/buildah. Let's get started.

Dockerfiles

These images are built from the Dockerfiles found in the Buildah repository under the buildahimage directory.
Here we look at the stable version of the Dockerfile.

# stable/Dockerfile
#
# Build a Buildah container image from the latest
# stable version of Buildah on the Fedoras Updates System.
# https://bodhi.fedoraproject.org/updates/?search=buildah
# This image can be used to create a secured container
# that runs safely with privileges within the container.
#
FROM fedora:latest

# Don't include container-selinux and remove
# directories used by dnf that are just taking
# up space.
RUN yum -y install buildah fuse-overlayfs --exclude container-selinux; rm -rf /var/cache /var/log/dnf* /var/log/yum.*

# Adjust storage.conf to enable Fuse storage.
RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf

Instead of OverlayFS, which is implemented in the host kernel, inside the container we use fuse-overlayfs, because mounting OverlayFS requires the SYS_ADMIN capability, and we want to run the Buildah container without root privileges. fuse-overlayfs is fast and performs better than the VFS storage driver. Remember that when you run a Buildah container that uses FUSE, you must pass the /dev/fuse device through to it:

podman run --device /dev/fuse quay.io/buildah/stable ...

The Dockerfile continues:

RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock

Next we create a directory for additional stores. containers/storage supports the idea of attaching read-only image stores. For example, you can set up an overlay store on one machine, export it over NFS to another machine, and use images from it there without pulling them. We want this directory so that we can mount image stores from the host into the container as a volume and use them inside it.

# Set up environment variables to note that this is
# not starting with user namespace and default to
# isolate the filesystem with chroot.
ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot

Finally, with the BUILDAH_ISOLATION environment variable we tell the Buildah container to use chroot isolation by default. No extra isolation is needed here, because we are already running inside a container. For Buildah to create its own namespace-isolated containers it would need SYS_ADMIN, and we would have to loosen the container's SELinux and seccomp rules, which runs counter to our aim of building from a locked-down container.

Running Buildah inside a container

The Buildah container image design described above lets you easily vary how those containers are launched.

Speed versus security

Computer security is always a trade-off between how fast a job runs and how much protection surrounds it. This holds for building containers too, so below we consider the options for that decision.

The container image described above keeps its storage in /var/lib/containers. So we need to mount content into that directory, and how we do so strongly affects the speed of image builds.

We consider three options.

Option 1. If security is what matters, you can create your own directory for containers/images and volume-mount it into the container. Also mount the build context directory into the container, at /build:

# mkdir /var/lib/containers1
# podman run --device /dev/fuse -v ./build:/build:z -v /var/lib/containers1:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image1 /build
# podman run --device /dev/fuse -v /var/lib/containers1:/var/lib/containers:Z quay.io/buildah/stable buildah push image1 registry.company.com/myuser
# rm -rf /var/lib/containers1

Security. A build inside such a container is fully locked down: no root via capabilities, and all seccomp and SELinux restrictions apply. You can also run such a container in a user namespace by adding an option like --uidmap 0:100000:10000.

Performance. Performance is minimal, because images are copied from the registry to the host every time and the cache never helps. When the work is done, the Buildah container has to push the image to the registry and destroy the content on the host. The next time the image is built, it must be pulled from the registry again, because nothing was left on the host.

Option 2. If you want Docker-level performance, you can mount the host's containers/storage directly into the container.

# podman run --device /dev/fuse -v ./build:/build:z -v /var/lib/containers:/var/lib/containers --security-opt label=disable quay.io/buildah/stable buildah bud -t image2 /build
# podman run --device /dev/fuse -v /var/lib/containers:/var/lib/containers --security-opt label=disable quay.io/buildah/stable buildah push image2 registry.company.com/myuser

Security. This is the least secure way to build containers, because the container can modify storage on the host and could feed Podman or CRI-O a malicious image. In addition, you have to disable SELinux separation so that processes inside the Buildah container can interact with storage on the host. Note that this option is still better than the Docker socket, because the container remains locked down by the remaining security features and cannot simply launch a container on the host.

Performance. Maximum here, because the cache is fully used. If Podman or CRI-O has already pulled the required image to the host, the Buildah process inside the container will not pull it again, and later builds based on that image can also take what they need from the cache.

Option 3. The idea of this approach is to group several images into one project with a shared directory for container images.

# mkdir /var/lib/project3
# podman run --device /dev/fuse --security-opt label=level:s0:c100,c200 -v ./build:/build:z -v /var/lib/project3:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image3 /build
# podman run --device /dev/fuse --security-opt label=level:s0:c100,c200 -v /var/lib/project3:/var/lib/containers quay.io/buildah/stable buildah push image3 registry.company.com/myuser

In this example we do not delete the project directory (/var/lib/project3) between runs, so all subsequent builds within the project benefit from the cache.

Security. Something between options 1 and 2. On one hand, the containers do not get access to content on the host, so they cannot slip anything malicious into the Podman/CRI-O image store. On the other hand, by design a container can interfere with the builds of other containers in the same project, because they all share one SELinux level and one store.

Performance. Worse than with a shared host-level cache, because images already pulled by Podman/CRI-O cannot be reused. However, once Buildah has pulled an image, it can be reused by subsequent builds in the project.

Additional stores

containers/storage also has a nice feature called additional stores: when launching and building containers, container engines can use external image stores in read-only mode. In practice you can add one or more read-only stores to storage.conf so that, when you start a container, the engine looks for the required image there; it pulls the image from the registry only if it is not found in any of those stores. The engine can only write to its own writable store...

If you scroll up and look at the Dockerfile we use to build the quay.io/buildah/stable image, it has these lines:

# Adjust storage.conf to enable Fuse storage.
RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf
RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock

In the first line we modify /etc/containers/storage.conf inside the container image, telling the storage driver to use additionalimagestores in the /var/lib/shared directory. In the next line we create the shared directory and add two lock files so that containers/storage does not fail on an empty store. In effect we are simply creating an empty container image store.

If you mount a containers/storage directory over this directory, Buildah will be able to use its images.
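The sed in the Dockerfile is easy to get wrong silently: if the comment in the distro's storage.conf does not look exactly like the address, nothing is changed and the image quietly falls back to the VFS driver with no additional store. The following is an added example, not code from the original post or from the Buildah project; it applies the same two edits portably and then checks that both took effect. The storage.conf fragment is constructed for the example and only mirrors the keys the Dockerfile touches; the function names are chosen here.

```shell
#!/bin/sh
# Added example, not from the original post or the Buildah project.
# Apply the Dockerfile's storage.conf edits and verify them.

# Constructed storage.conf fragment (only the keys the Dockerfile touches).
sample_storage_conf() {
    cat <<'EOF'
[storage]
driver = "overlay"
graphroot = "/var/lib/containers/storage"

[storage.options]
additionalimagestores = [
]

[storage.options.overlay]
# mount_program = "/usr/bin/fuse-overlayfs"
EOF
}

# Same two edits as the Dockerfile, written without "sed -i" and without the
# GNU-only one-line "a text" form, and tolerant of both "#mount_program"
# and "# mount_program" (the commented form varies between releases).
patch_storage_conf() {
    f=$1
    sed -e 's|^#[[:space:]]*mount_program|mount_program|' \
        -e '/additionalimagestores/a\
"/var/lib/shared",' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Return 0 only if both edits are present: fuse-overlayfs is the active
# mount program and /var/lib/shared is inside the additionalimagestores array.
verify_storage_conf() {
    f=$1
    grep -Eq '^mount_program[[:space:]]*=[[:space:]]*"/usr/bin/fuse-overlayfs"' "$f" || {
        echo "mount_program still commented out: fuse-overlayfs not enabled" >&2
        return 1
    }
    sed -n '/additionalimagestores/,/]/p' "$f" | grep -q '"/var/lib/shared"' || {
        echo "/var/lib/shared missing from additionalimagestores" >&2
        return 1
    }
}

# Patch and check a copy of a real file (argument), or the sample when run
# without one. Returns the verification result.
storage_conf_demo() {
    tmp=$(mktemp)
    if [ -n "$1" ]; then cp "$1" "$tmp"; else sample_storage_conf > "$tmp"; fi
    patch_storage_conf "$tmp"
    verify_storage_conf "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}
```

Running storage_conf_demo against a copy of the real /etc/containers/storage.conf from the base image (or from inside a running quay.io/buildah/stable container) is a cheap build-time check; adding it as a RUN step after the sed makes the image build fail instead of producing an image that silently uses VFS.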

Now back to option 2 above: the Buildah container can read and write the containers/storage on the host, so the Podman/CRI-O image cache works in full, but security is minimal, because the container can write directly to that storage. Now add an additional store here and get the best of both worlds.

# mkdir /var/lib/containers4
# podman run --device /dev/fuse -v ./build:/build:z -v /var/lib/containers/storage:/var/lib/shared:ro -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image4 /build
# podman run --device /dev/fuse -v /var/lib/containers/storage:/var/lib/shared:ro -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable buildah push image4 registry.company.com/myuser
# rm -rf /var/lib/containers4

Note that the host's /var/lib/containers/storage is mounted at /var/lib/shared inside the container, read-only. So, working inside the container, Buildah can use images previously pulled with Podman/CRI-O (hello, speed), but can only write to its own storage (hello, security). Note also that this is done without disabling SELinux separation for the container.
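The four layouts above differ only in a handful of podman flags, and those flags are exactly where the security/performance trade-off lives. The wrapper below is an added example, not code from the original post or from the Buildah project: it turns each layout into an explicit command line (printed with BUILDAH_CTR_DRY_RUN=1, executed otherwise) and, for the read-only additional store, checks that the directory being mounted actually looks like a containers/storage overlay store before starting. The build context ./build, the image quay.io/buildah/stable, the MCS level s0:c100,c200 and the example store paths come from the text; the mode names, function names and the BUILDAH_CTR_* environment variables are chosen here.

```shell
#!/bin/bash
# Added example, not from the original post or the Buildah project.
# One wrapper for the four /var/lib/containers layouts discussed above.

BUILDAH_IMAGE=quay.io/buildah/stable

# Volume and SELinux options for the store, one line per layout.
# Only a string is produced here; nothing is executed.
buildah_ctr_store_opts() {
    local mode=$1 store=$2
    local ro=${BUILDAH_CTR_RO_STORE:-/var/lib/containers/storage}
    case "$mode" in
        private)   # Option 1: throw-away store, :Z relabel, caps/seccomp/SELinux all intact
            echo "-v $store:/var/lib/containers:Z" ;;
        host)      # Option 2: host store writable, SELinux separation off (least secure)
            echo "-v /var/lib/containers:/var/lib/containers --security-opt label=disable" ;;
        project)   # Option 3: store shared by one project through a fixed MCS level
            echo "--security-opt label=level:s0:c100,c200 -v $store:/var/lib/containers:Z" ;;
        shared-ro) # Option 4: private writable store plus the host store mounted read-only
            echo "-v $ro:/var/lib/shared:ro -v $store:/var/lib/containers:Z" ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# An additional store must already be a containers/storage overlay store,
# otherwise Buildah inside the container fails on start-up. The Dockerfile
# creates these two directories under /var/lib/shared for exactly that reason.
check_ro_store() {
    [ -d "$1/overlay-images" ] && [ -d "$1/overlay-layers" ]
}

# Execute the command, or with BUILDAH_CTR_DRY_RUN=1 print it instead.
run_or_print() {
    if [ "${BUILDAH_CTR_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Full cycle for one layout: build, push, and for the private layout remove
# the throw-away store afterwards (as in option 1). /dev/fuse is always passed
# because the image uses fuse-overlayfs; the context is mounted at /build.
buildah_ctr_run() {
    local mode=$1 tag=$2 store=$3 dest=$4 opts
    opts=$(buildah_ctr_store_opts "$mode" "$store") || return 1
    if [ "$mode" = shared-ro ] && ! check_ro_store "${BUILDAH_CTR_RO_STORE:-/var/lib/containers/storage}"; then
        echo "read-only store is not a containers/storage overlay store" >&2
        return 1
    fi
    [ "$mode" = host ] || run_or_print mkdir -p "$store" || return 1
    # Word splitting of $opts is intentional: it holds several flags.
    run_or_print podman run --device /dev/fuse -v ./build:/build:z $opts \
        "$BUILDAH_IMAGE" buildah bud -t "$tag" /build || return 1
    run_or_print podman run --device /dev/fuse $opts \
        "$BUILDAH_IMAGE" buildah push "$tag" "$dest" || return 1
    if [ "$mode" = private ]; then run_or_print rm -rf "$store" || return 1; fi
    return 0
}

# Only touches podman when asked explicitly, for example:
#   BUILDAH_CTR_RUN=1 ./buildah-ctr.sh shared-ro image4 /var/lib/containers4 registry.company.com/myuser
if [ "${BUILDAH_CTR_RUN:-0}" = 1 ]; then
    buildah_ctr_run "$@"
fi
```

The dry-run output is worth keeping in the CI log: the presence of --security-opt label=disable, or the absence of :ro on the host store mount, is a one-line signal that a pipeline is running in the least-secure layout.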

Very important

Never delete images from the underlying read-only store. Layers that Buildah writes to its own store are stacked on top of parent layers it found in the additional store, so removing those parents leaves dangling references and the Buildah container may break.

And that is not all the benefits

The uses of additional stores are not limited to the scenario above. For example, you can put all your container images on shared network storage and give every Buildah container access to it. Say our CI/CD system uses a large number of images for building container images. We concentrate all those images on one storage host, then, using our favourite network storage tools (NFS, Gluster, Ceph, iSCSI, S3...), we make that storage widely available to all Buildah or Kubernetes nodes.

Now it is enough to mount that network storage into the Buildah container at /var/lib/shared, and that's it: Buildah containers no longer pull images. So we drop the pre-population step and are immediately ready to roll out containers.

Of course, the same can be used in a live Kubernetes system, letting it launch and run containers anywhere without pulling images. Moreover, a container registry that receives a push of an updated image can automatically place that image on the shared network storage, where it is immediately available to all nodes.

Container images sometimes reach many gigabytes in size. The additional stores feature lets you avoid cloning such images across nodes and makes container start-up almost instantaneous.

We are also currently working on a new feature called overlay volume mounts, which will make container builds even faster.

Conclusion

Running Buildah inside a container under Kubernetes/CRI-O, Podman, or even Docker is feasible, simple, and far more secure than using docker.socket. We have greatly increased the flexibility of working with images, so you can run them in many ways to tune the balance between security and performance.

The additional stores feature lets you speed up, or entirely eliminate, image pulls to nodes.

Source: will.com
