Best practices for running Buildah in a container

What is the beauty of splitting the container runtime into separate tools? In particular, the fact that these tools can be combined so that they protect one another.


Many people are attracted by the idea of building OCI container images inside Kubernetes or a similar system. Say we have a CI/CD pipeline that constantly builds images; something like Red Hat OpenShift/Kubernetes would then be very useful for balancing the build load. Until recently, most people simply gave containers access to the Docker socket and let them run the build command. We showed several years ago that this is insecure; in fact, it is worse than handing out passwordless root or sudo.

So people keep trying to run Buildah in a container. In short, we created an example of how, in our opinion, Buildah is best run inside a container, and published the corresponding images at quay.io/buildah. Let's begin...

Setup

These images are built from Dockerfiles, which can be found in the Buildah repository in the build-image directory. Here we will look at the stable version of the Dockerfile.

# stable/Dockerfile
#
# Build a Buildah container image from the latest
# stable version of Buildah on the Fedoras Updates System.
# https://bodhi.fedoraproject.org/updates/?search=buildah
# This image can be used to create a secured container
# that runs safely with privileges within the container.
#
FROM fedora:latest

# Don't include container-selinux and remove
# directories used by dnf that are just taking
# up space.
RUN yum -y install buildah fuse-overlayfs --exclude container-selinux; rm -rf /var/cache /var/log/dnf* /var/log/yum.*

# Adjust storage.conf to enable Fuse storage.
RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf

Instead of OverlayFS, which is implemented at the host Linux kernel level, we use the fuse-overlayfs program inside the container, because at the moment OverlayFS can only be mounted if you grant the SYS_ADMIN permission via Linux capabilities. And we want to run Buildah containers without any root privileges. fuse-overlayfs is quite fast and performs better than the VFS storage driver. Note that when running the Buildah container with FUSE, the /dev/fuse device must be provided:

podman run --device /dev/fuse quay.io/buildahctr ...

RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock

Next, we create the directory for additional stores. containers/storage supports the concept of attaching additional read-only image stores. For example, you can set up an overlay store on one machine, then use NFS to mount that store on another machine and use the images without pulling them. We need this store so that we can attach part of the host's image storage as a volume and use it inside the container.

# Set up environment variables to note that this is
# not starting with user namespace and default to
# isolate the filesystem with chroot.
ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot

Finally, we use the BUILDAH_ISOLATION environment variable to tell the Buildah container to start with chroot isolation by default. No additional isolation is needed here, since we are already running inside a container. For Buildah to create its own namespaced container, the SYS_ADMIN privilege is required, which would mean relaxing the SELinux and SECCOMP rules for the container, and that conflicts with our goal of building a secure container.

Running Buildah inside a container

The design of the Buildah container image described above lets you vary quite flexibly how these containers are run.

Speed and security

Computer security is always a trade-off between how fast something works and how much protection it is wrapped in. This holds for building containers too, so below we look at the possible trade-offs.

The container image described above keeps its storage in /var/lib/containers. Therefore we need to provide the contents of this directory, and how we do that strongly affects the speed of building container images.

Let's consider three options.

Option 1. If maximum security is required, then for each container you can create its own containers/image directory and attach it to the container with a volume mount. In addition, place the build context inside the container itself, in the /build directory:

# mkdir /var/lib/containers1
# podman run -v ./build:/build:z -v /var/lib/containers1:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image1 /build
# podman run -v /var/lib/containers1:/var/lib/containers:Z quay.io/buildah/stable buildah push image1 registry.company.com/myuser
# rm -rf /var/lib/containers1

Security. Buildah running in such a container has maximum security: it is granted no root privileges via capabilities, and all SECCOMP and SELinux restrictions apply. 0:100000:10000.

Performance. But performance here is very low, since every image from the container registries is copied to the host each time, and caching does not work at all. When it finishes its work, the Buildah container must push the image to the registry and destroy its contents on the host. The next time a container image is built, it has to be pulled from the registry again, since nothing remains on the host by then.

Option 2. If you need Docker-level performance, you can mount the host's containers/storage directly into the container.

# podman run -v ./build:/build:z -v /var/lib/containers:/var/lib/containers --security-opt label=disable quay.io/buildah/stable buildah bud -t image2 /build
# podman run -v /var/lib/containers:/var/lib/containers --security-opt label=disable quay.io/buildah/stable buildah push image2 registry.company.com/myuser

Security. This is the least secure way to build containers, since it allows the container to modify the host's storage and potentially slip a malicious image to Podman or CRI-O. In addition, you have to disable SELinux separation so that the processes inside the Buildah container can interact with the host's storage. Note that this option is still better than the Docker socket, since the container is constrained by the remaining security features and cannot simply pick up and run any container on the host.

Performance. Here it is maximal, since the cache is fully engaged. If Podman or CRI-O have already pulled the needed image to the host, the Buildah process in the container does not pull it again, and subsequent builds based on this image can also take what they need from the cache.

Option 3. The idea of this approach is to group several images of one project in a shared directory for container images.

# mkdir /var/lib/project3
# podman run --security-opt label=level:s0:c100,c200 -v ./build:/build:z -v /var/lib/project3:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image3 /build
# podman run --security-opt label=level:s0:c100,c200 -v /var/lib/project3:/var/lib/containers quay.io/buildah/stable buildah push image3 registry.company.com/myuser

In this example we do not delete the project directory (/var/lib/project3) between runs, so all subsequent builds within the project benefit from the cache.

Security. Something between options 1 and 2. On the one hand, the containers cannot access the host's contents, so they cannot slip anything malicious into the Podman/CRI-O image store. On the other hand, within a project, a container can interfere with the builds of other containers.

Performance. Here it is worse than using a shared host-level cache, since you cannot use images already pulled by Podman/CRI-O. However, once Buildah has pulled an image, that image can be used by any subsequent build within the project.

Additional stores

containers/storage has a very useful feature called additional stores, thanks to which container engines can, when starting and building containers, use external image stores in read-only mode. In effect, you can add one or more read-only stores to the storage.conf file, so that when a container is started, the container engine looks for the required image in them. Moreover, it pulls the image from the registry only if it does not find it in any of these stores. The container engine can write only to the writable store...

If we go back and look at the Dockerfile we use to build the quay.io/buildah/stable image, there are lines like these:

# Adjust storage.conf to enable Fuse storage.
RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf
RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock

On the first line we modify /etc/containers/storage.conf inside the container image, telling the storage driver to use "additionalimagestores" in the /var/lib/shared directory. On the next line we create the shared directory and add a few lock files so that containers/storage does not complain. Essentially, we are just creating an empty container image store.

If you mount a containers/storage directory on top of this directory, Buildah will be able to use its images.

Now let's return to Option 2 above, where the Buildah container can read and write the host's containers/storage and therefore has maximum performance thanks to the Podman/CRI-O-level image cache, but offers minimum security, since it can write directly to the store. Now we bring additional stores into the picture and get the best of both worlds.

# mkdir /var/lib/containers4
# podman run -v ./build:/build:z -v /var/lib/containers/storage:/var/lib/shared:ro -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image4 /build
# podman run -v /var/lib/containers/storage:/var/lib/shared:ro -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable buildah push image4 registry.company.com/myuser
# rm -rf /var/lib/containers4

Note that the host's /var/lib/containers/storage is mounted at /var/lib/shared inside the container in read-only mode. Therefore, when working in the container, Buildah can use any image already pulled by Podman/CRI-O (hello, speed), but can only write to its own store (hello, security). Also note that this is achieved without disabling SELinux separation for the container.
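The read-only additional-store pattern above, wrapped in a small POSIX sh helper as an added example (this is not code from the article or from the Buildah project). It assumes PODMAN, HOST_STORE, STORE_ROOT and REGISTRY as configurable names; the mount targets /var/lib/shared and /var/lib/containers come from the image's storage.conf as described in the text.

```sh
#!/bin/sh
# Added example: per-build Buildah container with the host image store attached
# read-only as an additional store.  Assumed configuration (not from the page):
PODMAN="${PODMAN:-podman}"                                  # may be a stub in tests
HOST_STORE="${HOST_STORE:-/var/lib/containers/storage}"     # host's containers/storage
STORE_ROOT="${STORE_ROOT:-/var/lib}"                        # where per-build stores live
REGISTRY="${REGISTRY:-registry.company.com/myuser}"
IMAGE="quay.io/buildah/stable"

# Each build gets its own writable store, so one build cannot touch another's
# layers; the :Z mount option below gives it a private SELinux label.
new_build_store() {
  dir="$STORE_ROOT/containers.$1"
  mkdir -p "$dir" && printf '%s\n' "$dir"
}

# Build the context in $2 (mounted at /build) and tag it $1, using store $3.
# The host store is mounted read-only at /var/lib/shared, where the image's
# storage.conf expects the additional store: Buildah can reuse images Podman or
# CRI-O already pulled, but cannot alter them.  /dev/fuse is needed for
# fuse-overlayfs.  SELinux separation stays enabled.
buildah_build() {
  tag=$1; ctx=$2; store=$3
  "$PODMAN" run --device /dev/fuse \
    -v "$ctx:/build:z" \
    -v "$HOST_STORE:/var/lib/shared:ro" \
    -v "$store:/var/lib/containers:Z" \
    "$IMAGE" buildah bud -t "$tag" /build
}

# Push the image from the same writable store to the registry.
buildah_push() {
  tag=$1; store=$2
  "$PODMAN" run \
    -v "$HOST_STORE:/var/lib/shared:ro" \
    -v "$store:/var/lib/containers:Z" \
    "$IMAGE" buildah push "$tag" "$REGISTRY/$tag"
}

# Whole cycle: build, push, then destroy the writable store so nothing the
# build produced survives on the host (the clean-up step of Option 1).
build_and_push() {
  tag=$1; ctx=$2
  store=$(new_build_store "$tag") || return 1
  rc=0
  buildah_build "$tag" "$ctx" "$store" && buildah_push "$tag" "$store" || rc=$?
  rm -rf "$store"
  return $rc
}
```

Call it as `build_and_push image4 ./build`; a non-zero status from either podman run is returned after the writable store has been removed.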

An important caveat

Under no circumstances should any images be deleted from the underlying store. Otherwise the Buildah container may break.

And that is not all the benefits.

The possibilities of additional stores are not limited to the scenario above. For example, you can place all container images on shared network storage and give all Buildah containers access to it. Say we have hundreds of images that our CI/CD system constantly uses to build container images. We gather all these images on one storage host and then, using our preferred network storage tooling (NFS, Gluster, Ceph, iSCSI, S3 ...), share that storage with all Buildah or Kubernetes nodes.

Now it is enough to mount this network storage into the Buildah container at /var/lib/shared, and that is it: Buildah containers no longer need to pull images. We thus drop the pre-population stage and are immediately ready to roll out containers.

Of course, this can also be used in a live Kubernetes system or container infrastructure to start and run containers anywhere without pulling any images. Moreover, when the container registry receives a push request with an updated image, it can automatically place that image on the shared network storage, where it is immediately available to all nodes.

Container images can sometimes be many gigabytes in size. The additional stores feature removes the need to distribute such images to the nodes and makes starting containers almost instantaneous.

In addition, we are now working on a new overlay volume feature that will make building containers even faster.

Conclusion

Running Buildah in a container in a Kubernetes/CRI-O, Podman, or even Docker environment is possible, and it is simple and far more secure than using docker.socket. We have greatly increased the flexibility of working with images, and you can now run it in different ways to find the best balance between security and performance.

The additional stores feature lets you speed up, or even completely eliminate, pulling images to the nodes.

Source: www.habr.com
