Tips for running Buildah inside a container

What is the benefit of splitting the container runtime into separate components? Above all, those components can then be combined so that they protect one another.


Many people are attracted to the idea of building OCI images inside Kubernetes or a similar system. Suppose we have a CI/CD pipeline that builds images constantly; Red Hat OpenShift/Kubernetes would then be useful for spreading the build load. Until recently, most people simply gave their containers access to the Docker socket and let them run the docker build command. A few years ago we showed that this is extremely unsafe; in fact, it is worse than handing out passwordless root or sudo.

That is why people keep trying to run Buildah in a container. In short, we put together an example of what we consider the best way to run Buildah inside a container, and published the corresponding images at quay.io/buildah. Let's get started...

Setup

The images are built from Dockerfiles that live in the Buildah repository, in its image-build folder.
Here we look at the stable version of the Dockerfile.

# stable/Dockerfile
#
# Build a Buildah container image from the latest
# stable version of Buildah on the Fedora Updates System.
# https://bodhi.fedoraproject.org/updates/?search=buildah
# This image can be used to create a secured container
# that runs safely with privileges within the container.
#
FROM fedora:latest

# Don't include container-selinux and remove
# directories used by dnf that are just taking
# up space.
RUN yum -y install buildah fuse-overlayfs --exclude container-selinux; rm -rf /var/cache /var/log/dnf* /var/log/yum.*

# Adjust storage.conf to enable Fuse storage.
RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf

Instead of OverlayFS, which is implemented at the Linux kernel level, we use the fuse-overlayfs program inside the container, because at present OverlayFS can only be mounted if you grant the SYS_ADMIN capability. And we want to run our Buildah containers without any privileges. fuse-overlayfs is quite fast and performs better than the VFS driver. Note that when running a Buildah container that uses FUSE, you must pass in the /dev/fuse device:

podman run --device /dev/fuse quay.io/buildahctr ...

RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock

Next we create a directory for additional stores. containers/storage supports the concept of attaching additional, read-only image stores. For example, you can set up an overlay store on one machine, then use NFS to mount that store on other machines and use the images from there without fetching them with a pull. We need this store so that we can attach image storage from the host as a volume and use it inside the container.

# Set up environment variables to note that this is
# not starting with user namespace and default to
# isolate the filesystem with chroot.
ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot

Finally, with the BUILDAH_ISOLATION environment variable we tell the Buildah container to use chroot isolation by default. No additional isolation is needed here, because we are already running inside a container. For Buildah to create its own namespace-isolated containers it would need the SYS_ADMIN capability, which in turn would require relaxing the SELinux and SECCOMP rules, and that runs counter to our goal of building from a locked-down container.

Running Buildah inside a container

The Buildah container image described above lets you vary the way such containers are launched.

Speed versus security

Computer security is always a trade-off between how fast a process runs and how much protection is wrapped around it. This holds for building containers too, so below we look at the options for striking that balance.

The container image described above keeps its storage in /var/lib/containers. We therefore need to mount something into this directory, and how we do so strongly affects how fast container images get built.

Let's look at three possible options.

Option 1. If maximum security is required, you can create a separate containers/storage directory for every container and attach it to the container with a volume mount. The build context also goes into the container, in the /build directory:

# mkdir /var/lib/containers1
# podman run -v ./build:/build:z -v /var/lib/containers1:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image1 /build
# podman run -v /var/lib/containers1:/var/lib/containers:Z quay.io/buildah/stable buildah push image1 registry.company.com/myuser
# rm -rf /var/lib/containers1

Security. Buildah running in such a container has close to maximum security: it is granted no capabilities, and all SECCOMP and SELinux restrictions remain in force.

Performance. Performance, however, is minimal, because every base image is pulled afresh each time and caching does not work at all. When it finishes, the Buildah container has to push the image to the registry and destroy its contents on the host. The next time this container image is built, everything has to be downloaded from the registry again, since by then nothing is left on the host.

Option 2. If you need Docker-level performance, you can mount the host's containers/storage directly into the container.

# podman run -v ./build:/build:z -v /var/lib/containers:/var/lib/containers --security-opt label=disabled quay.io/buildah/stable buildah bud -t image2 /build
# podman run -v /var/lib/containers:/var/lib/containers --security-opt label=disabled quay.io/buildah/stable buildah push image2 registry.company.com/myuser

Security. This is the least secure way to build containers, because it lets the container modify the host's storage and thus feed a malicious image to Podman or CRI-O. In addition, you have to disable SELinux separation so that the processes in the Buildah container can work with the storage on the host. Note that this option is still better than the Docker socket, because the container is locked down by the remaining security features and cannot simply launch a container on the host.

Performance. Performance here is maximal, since caching is used to the full. If Podman or CRI-O has already pulled the required image to the host, the Buildah process inside the container does not have to pull it again, and subsequent builds based on that image can also take what they need from the cache.

Option 3. The idea of this approach is to group several images into one project that shares a common container image directory.

# mkdir /var/lib/project3
# podman run --security-opt label=level:s0:c100,c200 -v ./build:/build:z -v /var/lib/project3:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image3 /build
# podman run --security-opt label=level:s0:c100,c200 -v /var/lib/project3:/var/lib/containers quay.io/buildah/stable buildah push image3 registry.company.com/myuser

In this example we do not remove the project directory (/var/lib/project3) between runs, so every build within the project benefits from caching.

Security. This sits between options 1 and 2. On the one hand, the containers have no access to the host's content and therefore cannot inject anything malicious into the Podman/CRI-O image store. On the other hand, one container in the project could interfere with the builds of others in the same project.

Performance. Performance here is worse than with a shared host-level cache, because images already pulled by Podman/CRI-O cannot be reused. However, once Buildah has pulled an image, it can be used by every build within the project.

Additional stores

containers/storage has a neat feature called additional stores, which lets container engines use external image stores in read-only mode when launching and building containers. In essence, you can add one or more read-only stores to storage.conf so that, when a container is launched, the container engine looks for the required image there first. It pulls the image from the registry only if it does not find it in any of those stores. The container engine can only write to its writable store...

If you scroll back up to the Dockerfile we use to build the quay.io/buildah/stable image, you will see these lines:

# Adjust storage.conf to enable Fuse storage.
RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf
RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock

In the first line we modify /etc/containers/storage.conf inside the container image, telling the storage driver to use an "additionalimagestores" entry pointing at the /var/lib/shared directory. In the next line we create that shared directory and add a couple of lock files so that containers/storage does not complain. Essentially, we are just creating an empty container image store.
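To make the effect of those two Dockerfile lines concrete, here is an added shell example (not part of the original article or of the Buildah project) that applies the same sed edits to a constructed storage.conf fragment, creates the empty store skeleton under a temporary root instead of /var/lib/shared, and checks the two properties the rest of the article depends on: fuse-overlayfs is enabled as the mount program, and /var/lib/shared is listed inside the additionalimagestores array. The sample configuration is constructed to mirror the relevant keys of a default Fedora storage.conf; it is not copied from any real host.

```shell
#!/bin/sh
# Added example: replay the storage.conf edits from the stable Dockerfile on a sample file.

# Constructed sample of the relevant storage.conf keys (not a real host's file).
make_sample_conf() {
  cat <<'EOF'
[storage]
driver = "overlay"
runroot = "/run/containers/storage"
graphroot = "/var/lib/containers/storage"

[storage.options]
additionalimagestores = [
]

[storage.options.overlay]
#mount_program = "/usr/bin/fuse-overlayfs"
mountopt = "nodev,metacopy=on"
EOF
}

# Same two sed expressions as the Dockerfile's RUN line, applied to the file in $1:
#  1. uncomment mount_program so the overlay driver goes through fuse-overlayfs
#     (no CAP_SYS_ADMIN needed inside the container)
#  2. append "/var/lib/shared", right after the additionalimagestores line, so it
#     becomes the first entry of that array (a read-only image store)
apply_dockerfile_sed() {
  sed -e 's|^#mount_program|mount_program|g' \
      -e '/additionalimage.*/a "/var/lib/shared",' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Same layout as the Dockerfile's mkdir/touch line, but rooted at $1 instead of
# /var/lib/shared so the example can run unprivileged.
init_shared_store() {
  mkdir -p "$1/overlay-images" "$1/overlay-layers" &&
  touch "$1/overlay-images/images.lock" "$1/overlay-layers/layers.lock"
}

# Returns 0 only if both properties hold in the config file $1.
check_conf() {
  grep -q '^mount_program = "/usr/bin/fuse-overlayfs"' "$1" || return 1
  # the shared store must be the line directly inside the opening of the array
  awk '/^additionalimagestores = \[/ { getline; if ($0 ~ /"\/var\/lib\/shared",/) found = 1 }
       END { exit (found ? 0 : 1) }' "$1"
}

# Returns 0 only if the store skeleton rooted at $1 has both lock files.
check_store() {
  [ -f "$1/overlay-images/images.lock" ] && [ -f "$1/overlay-layers/layers.lock" ]
}

# End-to-end run on temporary files; returns 0 on success.
demo() {
  conf=$(mktemp) || return 1
  root=$(mktemp -d) || return 1
  make_sample_conf > "$conf"
  apply_dockerfile_sed "$conf" && init_shared_store "$root" &&
    check_conf "$conf" && check_store "$root"
  rc=$?
  rm -rf "$conf" "$root"
  return $rc
}
```

Run it with `demo && echo ok`. The awk check is deliberately stricter than a plain grep: it confirms the new entry landed inside the array rather than somewhere else in the file, which is what makes the mount at /var/lib/shared actually take effect.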

If you mount a containers/storage directory on top of this folder, Buildah will be able to use the images in it.

Now let's return to Option 2 above, where the Buildah container can read from and write to containers/storage on the host. It gets maximum performance thanks to the Podman/CRI-O image cache, but offers minimal security, because it can write directly to that store. Let's add an additional store here and get the best of both worlds.

# mkdir /var/lib/containers4
# podman run -v ./build:/build:z -v /var/lib/containers/storage:/var/lib/shared:ro -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image4 /build
# podman run -v /var/lib/containers/storage:/var/lib/shared:ro -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable buildah push image4 registry.company.com/myuser
# rm -rf /var/lib/containers4

Note that the host's /var/lib/containers/storage is mounted at /var/lib/shared inside the container read-only. Working inside the container, Buildah can therefore use any image previously pulled by Podman/CRI-O (hello, speed), but it can only write to its own storage (hello, security). Note also that this works without disabling SELinux separation for the container.
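The following shell wrapper is an added example, not code from the original article or from the Buildah project. It generalizes Option 1 and the additional-store variant just shown into one script: the host store is attached at /var/lib/shared read-only, the writable store is a fresh temporary directory that is removed after the push, /dev/fuse is passed in as the Setup section requires, and the script refuses to run if the writable store would overlap the host store, since that is exactly the write path Option 2 opens up. The PODMAN and IMAGE variables, the placeholder registry and the paths used in the usage note are assumptions; PODMAN defaults to echo so the script is a dry run until you set PODMAN=podman.

```shell
#!/bin/sh
# Added example: per-build private store plus read-only additional store, with guards.
# Assumptions: PODMAN (default "echo" = dry run) and IMAGE are overridable env vars.
PODMAN=${PODMAN:-echo}
IMAGE=${IMAGE:-quay.io/buildah/stable}

# Print the podman build command for context dir $1, host store $2 (mounted :ro),
# private writable store $3 (relabelled :Z) and image tag $4.
# Returns 1 without printing if the writable store overlaps the host store.
build_cmd() {
  context=$1; shared=$2; private=$3; tag=$4
  case "$private" in
    "$shared"|"$shared"/*|/var/lib/containers|/var/lib/containers/storage)
      echo "refusing: writable store '$private' overlaps the host store" >&2
      return 1 ;;
  esac
  printf '%s run --device /dev/fuse -v %s:/build:z -v %s:/var/lib/shared:ro -v %s:/var/lib/containers:Z %s buildah bud -t %s /build\n' \
    "$PODMAN" "$context" "$shared" "$private" "$IMAGE" "$tag"
}

# Print the matching push command (same mounts, no build context needed).
push_cmd() {
  shared=$1; private=$2; tag=$3; dest=$4
  printf '%s run -v %s:/var/lib/shared:ro -v %s:/var/lib/containers:Z %s buildah push %s %s\n' \
    "$PODMAN" "$shared" "$private" "$IMAGE" "$tag" "$dest"
}

# Build and push once, using a private store created fresh for this run and removed
# afterwards, so nothing the build wrote can reach a later build or the host store.
# $1 = build context, $2 = host store, $3 = tag, $4 = push destination.
run_isolated_build() {
  private=$(mktemp -d "${TMPDIR:-/tmp}/buildah-store.XXXXXX") || return 1
  cmd=$(build_cmd "$1" "$2" "$private" "$3") || { rmdir "$private"; return 1; }
  rc=0
  eval "$cmd" && eval "$(push_cmd "$2" "$private" "$3" "$4")" || rc=$?
  rm -rf "$private"
  return $rc
}
```

Dry-run usage: `run_isolated_build ./build /var/lib/containers/storage image4 registry.example.com/placeholder` prints the two commands it would execute. With PODMAN=podman they run for real; the host store path and registry are placeholders to be replaced with your own.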

Important

Under no circumstances delete images from the underlying store. Otherwise the Buildah container may crash.

And that is not all the benefits

The possibilities of additional stores go beyond what is described above. For example, you can place all container images on network-shared storage and give every Buildah container access to it. Suppose we have hundreds of images that our CI/CD system uses constantly when building container images. We put all of these images on a single storage server and then, using network storage tools (NFS, Gluster, Ceph, iSCSI, S3...), make that storage available to all Buildah or Kubernetes nodes.

Now it is enough to mount that network storage into the Buildah container at /var/lib/shared, and that's it: Buildah containers no longer need to fetch images with a pull. We drop the pre-population step and are immediately ready to launch containers.

And of course, this can be used inside a Kubernetes system or container infrastructure to launch and run containers anywhere without downloading images. Moreover, a container registry that receives a push request for an updated version of an image can simply write that image to the shared network storage, where it immediately becomes available to all nodes.

Container images can sometimes reach many gigabytes in size. Additional stores let you avoid replicating such images onto every node and launch containers almost instantly.

In addition, we are currently working on a new feature called overlay volume mounts, which will make building containers even faster.

Conclusion

Running Buildah inside a container under Kubernetes/CRI-O, Podman, or Docker is possible, simple, and far more secure than using docker.socket. We have greatly increased the flexibility of working with images, so you can run them in different ways to get the balance between security and performance that suits you.

Additional stores let you speed up, or eliminate entirely, the downloading of images onto nodes.

Source: www.habr.com
