Best practices for running Buildah inside a container

What is the advantage of splitting the container runtime into separate tool components? In particular, these tools can then be combined so that they protect each other.


Many people like the idea of building OCI images inside Kubernetes or a similar system. Suppose we have a CI/CD pipeline that constantly builds images; then something like Red Hat OpenShift/Kubernetes is very useful for balancing the build load. Until recently, many people gave containers access to the Docker socket and let them run the docker build command. A few years ago we showed that this is not secure; in fact, it is even worse than handing out passwordless root or sudo.

That is why people keep trying to run Buildah in a container. In short, we built an example of how, in our opinion, Buildah is best run inside a container, and placed the corresponding images at quay.io/buildah. Let's get started...

Configuration

These images are built from Dockerfiles that can be found in the Buildah repository, in the image build folder. Here we will look at the stable version of the Dockerfile.

# stable/Dockerfile
#
# Build a Buildah container image from the latest
# stable version of Buildah on the Fedora Updates System.
# https://bodhi.fedoraproject.org/updates/?search=buildah
# This image can be used to create a secured container
# that runs safely with privileges within the container.
#
FROM fedora:latest

# Don't include container-selinux and remove
# directories used by dnf that are just taking
# up space.
RUN yum -y install buildah fuse-overlayfs --exclude container-selinux; rm -rf /var/cache /var/log/dnf* /var/log/yum.*

# Adjust storage.conf to enable Fuse storage.
RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf

Instead of OverlayFS, which is built into the Linux kernel, we use the fuse-overlayfs program inside the container, because at the moment OverlayFS can only be mounted if you grant the SYS_ADMIN permission via Linux capabilities, and we want to run our Buildah containers without root privileges. fuse-overlayfs is quite fast and works better than the VFS storage driver. Note that when running a Buildah container that uses FUSE, you must pass in the /dev/fuse device:

podman run --device /dev/fuse quay.io/buildah/stable ...

RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock

Next, we create a directory for additional storage. containers/storage supports the concept of attaching additional, read-only image stores. For example, you can set up an overlay storage area on one machine, then use NFS to mount that storage on another machine and use the images in it without pulling them. We need this storage so that we can mount the host's image storage into the container as a volume and use it there.

# Set up environment variables to note that this is
# not starting with user namespace and default to
# isolate the filesystem with chroot.
ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot

Finally, using the BUILDAH_ISOLATION environment variable, we tell the Buildah container to isolate with chroot by default. No additional isolation is needed here, since we are already running inside a container. For Buildah to create its own namespace-isolated containers, the SYS_ADMIN privilege would be required, which in turn would mean relaxing the container's SELinux and SECCOMP rules, and that goes against our decision to build from a secured container.

Running Buildah inside a container

The Buildah container image described above lets you vary the way such containers are launched.

Speed versus security

Computer security is always a trade-off between the speed of a process and how much protection is wrapped around it. This holds for building containers too, so below we consider the options for that trade-off.

The container image described above keeps its storage in /var/lib/containers. Therefore we need to mount content into this folder, and how we do so affects the speed of building container images.

Let's look at three options we can choose from.

Option 1. If maximum security is required, then for each container you can create its own folder for containers/image and mount it into the container as a volume. In addition, place the build context directory inside the container itself, in the /build folder:

# mkdir /var/lib/containers1
# podman run -v ./build:/build:z -v /var/lib/containers1:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image1 /build
# podman run -v /var/lib/containers1:/var/lib/containers:Z quay.io/buildah/stable buildah push image1 registry.company.com/myuser
# rm -rf /var/lib/containers1

Security. Buildah running in such a container has maximum security: it is granted no root privileges through capabilities, and all SECCOMP and SELinux restrictions apply to it.

Performance. Here, however, performance is minimal, since any images from container registries are copied to the host every time and caching does not work at all. When it finishes its job, the Buildah container must push the image to the registry and destroy the content on the host. The next time the container image is built, it will have to be copied from the registry again, since by then there will be nothing left on the host.

Option 2. If you need Docker-level performance, you can mount the host's containers/storage directly into the container.

# podman run -v ./build:/build:z -v /var/lib/containers:/var/lib/containers --security-opt label=disabled quay.io/buildah/stable buildah bud -t image2 /build
# podman run -v /var/lib/containers:/var/lib/containers --security-opt label=disabled quay.io/buildah/stable buildah push image2 registry.company.com/myuser

Security. This is the least secure way to build images, because it lets the container modify the host's storage and feed Podman or CRI-O a malicious image. In addition, you have to disable SELinux separation so that processes inside the Buildah container can interact with the storage on the host. Note that this option is still better than the Docker socket, because the container is locked down by the remaining security features and cannot simply run a container on the host.

Performance. Here it is maximal, since caching is used to the full. If Podman or CRI-O has already copied the required image to the host, the Buildah process inside the container will not have to download it again, and subsequent builds based on this image will also be able to take what they need from the cache.

Option 3. The idea of this approach is to group several images into a single project with a shared folder for container images.

# mkdir /var/lib/project3
# podman run --security-opt label=level:s0:c100,c200 -v ./build:/build:z \
    -v /var/lib/project3:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image3 /build
# podman run --security-opt label=level:s0:c100,c200 \
    -v /var/lib/project3:/var/lib/containers quay.io/buildah/stable buildah push image3 registry.company.com/myuser

In this example we do not delete the project folder (/var/lib/project3) between runs, so all subsequent builds within the project benefit from caching.

Security. Something in between options 1 and 2. On the one hand, the containers have no access to content on the host and therefore cannot slip anything malicious into the Podman/CRI-O image storage. On the other hand, by design, a container can interfere with the builds of the other containers in its project.

Performance. Worse here than with a shared host-level cache, since you cannot use images already pulled by Podman/CRI-O. However, once Buildah has pulled an image, that image can be used by any subsequent build within the project.

Additional storage

containers/storage has a very handy feature called additional stores, thanks to which container engines can use external image stores in read-only mode when starting and building containers. Essentially, you can add one or more stores to the storage.conf file so that when a container is started, the container engine looks for the desired image in them. Moreover, it will pull the image from the registry only if it does not find it in any of these stores. The container engine can only write to its own writable storage...

If you scroll up and look at the Dockerfile we use to build the quay.io/buildah/stable image, you will see lines like these:

# Adjust storage.conf to enable Fuse storage.
RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf
RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock

In the first line we modify /etc/containers/storage.conf inside the container image, telling the storage driver to use "additionalimagestores" in the /var/lib/shared folder. In the next line we create the shared folder and add a few lock files so that there are no issues with containers/storage. Essentially, we are creating an empty container image store.
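To see what those two sed edits actually do to the file, here is an added example (not from the article or the Buildah project) that applies them to a constructed storage.conf excerpt and then checks the result the way you would before trusting a built image: mount_program is active and /var/lib/shared is listed under additionalimagestores. The sample file contents and the helper names are my own assumptions.

```shell
#!/bin/sh
# Added example: apply the Dockerfile's storage.conf edits to a constructed
# sample and verify the outcome. Not part of the Buildah project.
set -eu

# Constructed excerpt of a stock storage.conf (assumption: mount_program is
# shipped commented out and additionalimagestores is an empty list).
write_sample_conf() {
  cat > "$1" <<'EOF'
[storage]
driver = "overlay"
graphroot = "/var/lib/containers/storage"

[storage.options]
additionalimagestores = [
]

[storage.options.overlay]
#mount_program = "/usr/bin/fuse-overlayfs"
EOF
}

# The same two expressions the Dockerfile runs with sed -i, written to a new
# file here so the input can be inspected afterwards.
apply_storage_edits() {
  sed -e 's|^#mount_program|mount_program|g' \
      -e '/additionalimage.*/a "/var/lib/shared",' "$1" > "$2"
}

# Returns 0 only if fuse-overlayfs is enabled and /var/lib/shared is listed
# as an additional (read-only) image store. To check a built image, feed it
#   podman run --rm quay.io/buildah/stable cat /etc/containers/storage.conf
verify_storage_conf() {
  grep -q '^mount_program = "/usr/bin/fuse-overlayfs"' "$1" || return 1
  sed -n '/additionalimagestores/,/]/p' "$1" | grep -q '"/var/lib/shared",' || return 1
  return 0
}

main() {
  dir=$(mktemp -d)
  write_sample_conf "$dir/storage.conf"
  apply_storage_edits "$dir/storage.conf" "$dir/storage.conf.new"
  verify_storage_conf "$dir/storage.conf.new" && echo "storage.conf edits applied correctly"
  rm -rf "$dir"
}

main
```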

If you mount containers/storage on top of this folder, Buildah will be able to use those images.

Now let's go back to Option 2 above, where the Buildah container can read and write the host's containers/storage and therefore has maximum performance thanks to image caching at the Podman/CRI-O level, but provides minimal security, since it can write directly to that storage. Now let's add additional storage here and get the best of both worlds.

# mkdir /var/lib/containers4
# podman run -v ./build:/build:z -v /var/lib/containers/storage:/var/lib/shared:ro -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable \
    buildah bud -t image4 /build
# podman run -v /var/lib/containers/storage:/var/lib/shared:ro \
    -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable buildah push image4 registry.company.com/myuser
# rm -rf /var/lib/containers4

Note that the host's /var/lib/containers/storage is mounted read-only at /var/lib/shared inside the container. So, running in the container, Buildah can use any images that were previously pulled with Podman/CRI-O (hello, speed), but can only write to its own storage (hello, security). Also note that this works without disabling SELinux separation for the container.
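As an added example (not from the article or the Buildah project), here is a small POSIX sh wrapper for the layout just described: a throwaway private store per build that is removed on exit, the host store mounted read-only at /var/lib/shared, and a guard that refuses the one configuration Option 2 warned about, a writable mount of the host's own storage. The function names and the mktemp template are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the Buildah project): build and push from a throwaway
# private store while reusing the host's images read-only.
set -eu

HOST_STORE=/var/lib/containers/storage   # Podman/CRI-O store on the host
IMAGE=quay.io/buildah/stable

# Compose the three volume flags used in the article. Fails if the private
# store would be the host store itself or live inside it (that is Option 2,
# which lets the container write into Podman/CRI-O's images).
volume_args() {
  ctx=$1; private=$2
  case $private in
    /var/lib/containers|/var/lib/containers/*)
      echo "refusing: $private would expose the host store read-write" >&2
      return 1 ;;
  esac
  printf '%s' "-v $ctx:/build:z -v $HOST_STORE:/var/lib/shared:ro -v $private:/var/lib/containers:Z"
}

# Run bud and push with a per-build store that is always cleaned up, even if
# the build fails. /dev/fuse is needed because the image uses fuse-overlayfs.
isolated_build() {
  ctx=$1; tag=$2; dest=$3
  private=$(mktemp -d /var/lib/containers4.XXXXXX)   # assumed template
  trap 'rm -rf "$private"' EXIT
  args=$(volume_args "$ctx" "$private")
  # $args is split into separate flags on purpose
  podman run --rm --device /dev/fuse $args "$IMAGE" buildah bud -t "$tag" /build
  podman run --rm --device /dev/fuse $args "$IMAGE" buildah push "$tag" "$dest"
}

# Usage (as root, like the article's commands):
#   isolated_build ./build image4 registry.company.com/myuser
```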

A very important point

Under no circumstances should you delete any images from the underlying storage. Otherwise the Buildah container may break.

And that is not all the benefits

The possibilities of additional storage are not limited to the scenario above. For example, you can place all container images on shared network storage and give every Buildah container access to it. Suppose we have hundreds of images that our CI/CD system regularly uses to build container images. We concentrate all these images on a single storage host and then, using our preferred network storage tooling (NFS, Gluster, Ceph, iSCSI, S3, ...), give all Buildah or Kubernetes nodes shared access to that storage.

Now it is enough to mount this network storage into the Buildah container at /var/lib/shared, and that is it: Buildah containers no longer have to pull images. So we drop the pre-population step and are immediately ready to roll out containers.

Of course, this can be used within a running Kubernetes system or container infrastructure to start and run containers anywhere without downloading images. Moreover, a container registry that receives a push of an updated image can send that image to the shared network storage, where it immediately becomes available to all nodes.

Container images can sometimes reach many gigabytes in size. The additional storage feature avoids replicating such images across nodes and makes container startup almost instant.

In addition, we are currently working on a new feature called overlay volume mounts, which will make building containers even faster.

Conclusion

Running Buildah inside a container on Kubernetes/CRI-O, Podman, or even Docker is possible, simple, and much safer than using docker.socket. We have greatly increased the flexibility of working with images, so you can run them in different ways to fine-tune the balance between security and performance.

The additional storage feature lets you speed up, or completely eliminate, image downloads on nodes.

Source: www.habr.com
