Best practices for running Buildah in a container

What is so nice about splitting the container runtime into separate tools? Above all, the fact that these tools can be combined so that they protect each other.

Many people are attracted by the idea of building OCI container images inside Kubernetes or a similar system. Suppose we have a CI/CD pipeline that constantly builds images; something like Red Hat OpenShift/Kubernetes could help a lot with balancing the build load. Until recently, most people simply gave containers access to the Docker socket and allowed them to run the docker build command. We showed a few years ago that this is insecure; in fact, it is worse than handing out passwordless root or sudo.

So people keep trying to run Buildah inside a container. In short, we have put together an example of what we think is the best way to run Buildah inside a container, and published the corresponding images at quay.io/buildah. Let's get started...

Setup

These images are built from the Dockerfiles that can be found in the buildahimage folder of the Buildah repository.
Here we will look at the stable version of the Dockerfile.

# stable/Dockerfile
#
# Build a Buildah container image from the latest
# stable version of Buildah on the Fedora Updates System.
# https://bodhi.fedoraproject.org/updates/?search=buildah
# This image can be used to create a secured container
# that runs safely with privileges within the container.
#
FROM fedora:latest

# Don't include container-selinux and remove
# directories used by dnf that are just taking
# up space.
RUN yum -y install buildah fuse-overlayfs --exclude container-selinux; rm -rf /var/cache /var/log/dnf* /var/log/yum.*

# Adjust storage.conf to enable Fuse storage.
RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf

Instead of OverlayFS, which is used at the level of the host's Linux kernel, we use the fuse-overlay program inside the container, because at the moment OverlayFS can only be mounted if you grant the SYS_ADMIN permission via Linux capabilities. And we want to run our Buildah containers without any root privileges at all. Fuse-overlay is fast enough and performs better than the VFS driver. Note that when you run a Buildah container using Fuse, the /dev/fuse device must be provided:

podman run --device /dev/fuse quay.io/buildahctr ...

RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock

Next, we create a directory for additional stores. containers/storage supports the concept of attaching additional read-only image stores. For example, you can set up storage on one machine, then use NFS to mount this storage on another machine and use the images from it without downloading them via pull. We need this store so that we can attach some image storage from the host as a volume and use it inside the container.

# Set up environment variables to note that this is
# not starting with user namespace and default to
# isolate the filesystem with chroot.
ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot

Finally, we use the BUILDAH_ISOLATION environment variable to tell the Buildah container to use chroot isolation by default. Additional isolation is not needed here, since we are already working inside a container. For Buildah to create its own namespace-isolated containers, the SYS_ADMIN privilege would be required, which in turn would require loosening the SELinux and SECCOMP rules for containers, and that contradicts our goal of building from a locked-down container.

Running Buildah inside a container

The Buildah container image layout discussed above lets you vary quite flexibly how such containers are launched.

Speed versus security

Computer security is always a trade-off between the speed of a process and how much protection is wrapped around it. This is also true for building containers, so below we will look at the options for such a compromise.

The container image discussed above keeps its storage in /var/lib/containers. Therefore we have to mount content into this folder, and the way we do it greatly affects the speed of building container images.

Let's look at three possible options.

Option 1. If maximum security is required, then for each container you can create its own containers/image directory and attach it to the container via a volume mount. In addition, place the build context directory in the container itself, in the /build folder:

# mkdir /var/lib/containers1
# podman run -v ./build:/build:z -v /var/lib/containers1:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image1 /build
# podman run -v /var/lib/containers1:/var/lib/containers:Z quay.io/buildah/stable buildah push image1 registry.company.com/myuser
# rm -rf /var/lib/containers1

Security. Buildah running in such a container has maximum security: it is given no root privileges via capabilities, and all SECCOMP and SELinux restrictions apply to it. It could even be run in a user namespace, for example with a UID mapping of 0:100000:10000.

Performance. But performance here is minimal, since every image from the container registry is copied to the host anew each time, and caching does not work at all. When it has finished its job, the Buildah container has to push the image to the registry and destroy the content on the host. The next time the container image is built, it will have to be downloaded from the registry again, because nothing will be left on the host by then.

Option 2. If you need Docker-level performance, you can mount the host's containers/storage directly into the container.

# podman run -v ./build:/build:z -v /var/lib/containers:/var/lib/containers --security-opt label=disable quay.io/buildah/stable buildah bud -t image2 /build
# podman run -v /var/lib/containers:/var/lib/containers --security-opt label=disable quay.io/buildah/stable buildah push image2 registry.company.com/myuser

Security. This is the least secure way to build containers, since it allows the container to modify the storage on the host and can slip a malicious image into Podman or CRI-O. Moreover, you have to disable SELinux isolation so that the processes in the Buildah container can interact with the store on the host. Note that this option is still better than the Docker socket, since the container is locked down by the remaining security features and cannot simply pick up and run any container on the host.

Performance. Here it is maximal, since caching is fully in play. If Podman or CRI-O has already downloaded the required image to the host, the Buildah process inside the container does not need to download it again, and subsequent builds based on this image can also take what they need from the cache.

Option 3. The idea of this approach is to group several images into one project with a shared folder of container images.

# mkdir /var/lib/project3
# podman run --security-opt label=level:s0:c100,c200 -v ./build:/build:z -v /var/lib/project3:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image3 /build
# podman run --security-opt label=level:s0:c100,c200 -v /var/lib/project3:/var/lib/containers quay.io/buildah/stable buildah push image3 registry.company.com/myuser

In this example, we do not delete the project folder (/var/lib/project3) between runs, so all subsequent builds within the project benefit from caching.

Security. Something in between options 1 and 2. On the one hand, the containers have no access to the content on the host and therefore cannot slip anything malicious into the Podman/CRI-O image storage. On the other hand, within its project, a container can interfere with the builds of other containers.

Performance. Here it is worse than using a shared cache at the host level, because you cannot use images that have already been downloaded by Podman/CRI-O. However, once Buildah has pulled an image, that image can be used by any subsequent builds within the project.

Additional stores

containers/storage has a neat feature called additional stores, thanks to which, when starting and building containers, container engines can use external image stores in read-only overlay mode. In practice, you can add one or more read-only stores to the storage.conf file, so that when a container starts, the container engine looks for the required image in them. It will only download the image from the registry if it cannot find it in any of these stores. The container engine can only write to its writable storage...

If we scroll up and look at the Dockerfile we use to build the quay.io/buildah/stable image, there are lines like these:

# Adjust storage.conf to enable Fuse storage.
RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf
RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock

In the first line, we edit /etc/containers/storage.conf inside the container image, telling the storage driver to use "additionalimagestores" in the /var/lib/shared folder. In the next line, we create the shared folder and add a few lock files so that containers/storage does not complain. Essentially, we are just creating an empty container image store.

If you mount a containers/storage instance on top of this folder, Buildah will be able to use the images in it.
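To see what those two Dockerfile lines actually do without building an image, here is an added example (not from the article or the Buildah project) that applies the same sed edits to a constructed storage.conf sample, creates the same empty store layout under a scratch directory, and checks the result; the sample config and the check_store_config helper are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article): apply the two storage.conf edits from
# the Dockerfile to a constructed sample and check the result offline.
set -eu

WORK=$(mktemp -d)
CONF="$WORK/storage.conf"

# Constructed sample modelled on the relevant lines of Fedora's
# /etc/containers/storage.conf; the real file has many more settings.
cat > "$CONF" <<'EOF'
[storage]
driver = "overlay"
graphroot = "/var/lib/containers/storage"

[storage.options]
additionalimagestores = [
]
#mount_program = "/usr/bin/fuse-overlayfs"
EOF

# Same edits as the Dockerfile's sed line: enable fuse-overlayfs as the
# mount program and append "/var/lib/shared" to additionalimagestores.
sed -i -e 's|^#mount_program|mount_program|g' \
       -e '/additionalimage.*/a "/var/lib/shared",' "$CONF"

# Same layout the Dockerfile creates under /var/lib/shared, built under a
# scratch root here so the script runs unprivileged.
make_empty_store() {
    mkdir -p "$1/overlay-images" "$1/overlay-layers"
    touch "$1/overlay-images/images.lock" "$1/overlay-layers/layers.lock"
}
make_empty_store "$WORK/shared"

# Returns 0 only when the config enables fuse-overlayfs, lists the extra
# store, and the empty store has both lock files containers/storage expects.
check_store_config() {
    conf=$1; root=$2
    grep -q '^mount_program = "/usr/bin/fuse-overlayfs"' "$conf" || return 1
    sed -n '/additionalimagestores/,/^]/p' "$conf" | grep -q '"/var/lib/shared",' || return 1
    [ -f "$root/overlay-images/images.lock" ] || return 1
    [ -f "$root/overlay-layers/layers.lock" ] || return 1
}
check_store_config "$CONF" "$WORK/shared" && echo "storage.conf and empty store look right"
```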

Now let's return to Option 2 discussed above, where the Buildah container can read and write to containers/storage on the host and therefore gets maximum performance thanks to image caching at the Podman/CRI-O level, but offers minimal security because it can write directly to that storage. Now we throw an additional store into the mix and get the best of both worlds.

# mkdir /var/lib/containers4
# podman run -v ./build:/build:z -v /var/lib/containers/storage:/var/lib/shared:ro -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image4 /build
# podman run -v /var/lib/containers/storage:/var/lib/shared:ro -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable buildah push image4 registry.company.com/myuser
# rm -rf /var/lib/containers4

Note that the host's /var/lib/containers/storage is mounted at /var/lib/shared inside the container in read-only mode. So, while running in the container, Buildah can use any images already pulled by Podman/CRI-O (hello, speed), but can only write to its own storage (hello, security). Note also that this is achieved without disabling SELinux isolation for the container.
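The same layout wrapped in a script, as an added example that is not part of the article or the Buildah project: build_and_push is a hypothetical helper that gives every build its own temporary store, mounts the host's containers/storage read-only at /var/lib/shared, and also passes --device /dev/fuse, which the commands above omit although fuse-overlayfs needs it; it assumes podman and quay.io/buildah/stable are available on the host.

```shell
#!/bin/sh
# Added example (not from the article): a hypothetical wrapper for the
# "best of both worlds" layout, with an ephemeral per-build store and the
# host's containers/storage mounted read-only as an additional store.
# Assumes podman, /dev/fuse and quay.io/buildah/stable exist on the host.
set -eu

HOST_STORE=/var/lib/containers/storage
IMAGE=quay.io/buildah/stable

# run_step MODE CMD...: print the command in --dry-run mode, else execute it.
run_step() {
    mode=$1; shift
    if [ "$mode" = --dry-run ]; then
        printf '%s ' "$@"; printf '\n'
    else
        "$@"
    fi
}

# build_and_push CONTEXT_DIR TAG DESTINATION [--dry-run]
# Each call gets a fresh store, so concurrent CI jobs can neither see nor
# corrupt each other's layers, and nothing is ever written to HOST_STORE.
build_and_push() {
    ctx=$1; tag=$2; dest=$3; mode=${4:-run}
    store=$(mktemp -d "${TMPDIR:-/tmp}/buildah-store.XXXXXX")
    trap 'rm -rf "$store"' EXIT        # cleanup even if the build fails
    run_step "$mode" podman run --rm --device /dev/fuse \
        -v "$HOST_STORE:/var/lib/shared:ro" \
        -v "$store:/var/lib/containers:Z" \
        -v "$ctx:/build:z" "$IMAGE" buildah bud -t "$tag" /build
    run_step "$mode" podman run --rm --device /dev/fuse \
        -v "$HOST_STORE:/var/lib/shared:ro" \
        -v "$store:/var/lib/containers:Z" \
        "$IMAGE" buildah push "$tag" "$dest"
}

# Show what would run, without needing podman on this machine.
build_and_push ./build image4 registry.company.com/myuser --dry-run
```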

An important nuance

Under no circumstances should any images be deleted from the underlying store. Otherwise the Buildah container may break.

And that is not all the benefits.

The possibilities of additional stores are not limited to what is described above. For example, you can put all container images on shared network storage and give all Buildah containers access to it. Suppose we have hundreds of images that our CI/CD system constantly uses to build container images. We concentrate all these images in a single store and then, using our preferred network storage tools (NFS, Gluster, Ceph, iSCSI, S3...), share this storage with all Buildah or Kubernetes nodes.

Now it is enough to mount this network storage in the Buildah container at /var/lib/shared, and that's it: Buildah containers no longer need to pull images at all. In this way we throw out the pre-population step and are immediately ready to produce containers.

And of course, this can be used inside a live Kubernetes system or container infrastructure to start and run containers anywhere without any image pulls. Moreover, when a container registry receives a push request for an updated image, it can automatically push that image out to the shared network storage, where it is immediately available to all nodes.

Container images can sometimes be many gigabytes in size. The additional stores feature removes the need to replicate such images across nodes and makes container startup almost instantaneous.

In addition, we are currently working on a new feature called overlay volume mounts, which will make building containers even faster.

Conclusion

Running Buildah inside a container in a Kubernetes/CRI-O, Podman, or even Docker environment is feasible, and it is simple and far more secure than using docker.socket. We have significantly increased the flexibility of working with images, and you can now run it in many different ways to get the best balance between security and performance.

The additional stores feature lets you speed up, or even completely eliminate, downloading images to nodes.

Source: www.habr.com