Best practices for running Buildah inside a container

What is the benefit of splitting a container runtime into separate tools? In particular, these tools can then be combined so that they protect each other.


Many people are attracted to the idea of building OCI images inside Kubernetes or a similar system. Suppose we have a CI/CD pipeline that constantly builds images; then something like Red Hat OpenShift/Kubernetes is very useful for balancing the load during builds. Until recently, most people gave containers access to the Docker socket and let them run the docker build command. A few years ago we showed that this is very insecure; in fact, it is worse than giving out passwordless root or sudo.

That is why people keep trying to run Buildah in a container. In short, we created an example of how, in our opinion, it is best to run Buildah inside a container, and we published the corresponding images at quay.io/buildah. Let's get started...

Configuration

These images are built from Dockerfiles, which can be found in the Buildah repository in the buildahimage folder.
Here we will look at the stable version of the Dockerfile.

# stable/Dockerfile
#
# Build a Buildah container image from the latest
# stable version of Buildah on the Fedoras Updates System.
# https://bodhi.fedoraproject.org/updates/?search=buildah
# This image can be used to create a secured container
# that runs safely with privileges within the container.
#
FROM fedora:latest

# Don't include container-selinux and remove
# directories used by dnf that are just taking
# up space.
RUN yum -y install buildah fuse-overlayfs --exclude container-selinux; rm -rf /var/cache /var/log/dnf* /var/log/yum.*

# Adjust storage.conf to enable Fuse storage.
RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf

Instead of OverlayFS, which is implemented at the Linux kernel level, we use the fuse-overlayfs program inside the container, because at the moment OverlayFS can only be mounted if you grant SYS_ADMIN via Linux capabilities, and we want to run our Buildah containers without root privileges. fuse-overlayfs works quite fast and performs better than the VFS storage driver. Note that when running a Buildah container that uses FUSE, you need to pass in the /dev/fuse device:

podman run --device /dev/fuse quay.io/buildahctr ...

RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock

Next we create a directory for an additional store. containers/storage supports the concept of attaching additional read-only image stores. For example, you can set up a layer store on one machine, then mount that store on another machine over NFS and use the images from it without downloading them with a pull. We need this store so that we can mount a particular image store from the host as a volume and use it inside the container.

# Set up environment variables to note that this is
# not starting with user namespace and default to
# isolate the filesystem with chroot.
ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot

Finally, with the BUILDAH_ISOLATION environment variable we tell the Buildah container to use chroot isolation by default. No additional isolation is needed here, since we are already running inside a container. For Buildah to create its own namespace-isolated containers, the SYS_ADMIN privilege would be required, which in turn would require relaxing the container's SELinux and SECCOMP rules, and that contradicts our goal of building inside a locked-down container.

Running Buildah inside a container

The design of the Buildah container image discussed above gives you flexibility in how you launch those containers.

Speed versus security

Computer security is always a trade-off between the speed of a process and how much protection is wrapped around it. This is just as true when building containers, so below we consider several options for striking that balance.

The container image discussed above keeps its storage in /var/lib/containers. Therefore we need to mount something at that folder, and how we do this greatly affects the speed of building container images.

Let's consider three options.

Option 1. If maximum security is required, then for each container you can create its own containers/storage folder and attach it to the container with a volume mount. In addition, place the build context inside the container itself, in the /build folder:

# mkdir /var/lib/containers1
# podman run -v ./build:/build:z -v /var/lib/containers1:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image1 /build
# podman run -v /var/lib/containers1:/var/lib/containers:Z quay.io/buildah/stable buildah push image1 registry.company.com/myuser
# rm -rf /var/lib/containers1

Security. A build running in such a container has maximum security: it is granted no root privileges via capabilities, and all SECCOMP and SELinux restrictions apply to it. Such a container can even be run in a separate user namespace by adding an option like --uidmap 0:100000:10000.

Performance. Performance here is minimal, however, because every image from a registry is downloaded to the host each time and caching does not work at all. When its job is done, the Buildah container must push the image to the registry and destroy the content on the host. The next time the container image is built, it has to be downloaded from the registry again, because by then nothing is left on the host.

Option 2. If you need Docker-level performance, you can mount the host's containers/storage directly into the container.

# podman run -v ./build:/build:z -v /var/lib/containers:/var/lib/containers --security-opt label:disabled quay.io/buildah/stable buildah bud -t image2 /build
# podman run -v /var/lib/containers:/var/lib/containers --security-opt label:disabled quay.io/buildah/stable buildah push image2 registry.company.com/myuser

Security. This is the least secure way to build containers, because it lets the container modify the host's storage and potentially feed Podman or CRI-O a malicious image. In addition, you have to disable SELinux separation so that processes in the Buildah container can interact with the storage on the host. Note that this option is still better than the Docker socket, because the container is locked down by the remaining security features and cannot simply run a container on the host.

Performance. Here it is maximal, because caching is used to the full. If Podman or CRI-O has already pulled the required image to the host, the Buildah process inside the container will not download it again, and subsequent builds based on that image can take what they need from the cache.

Option 3. The idea of this approach is to group several images of one project around a shared container image folder.

# mkdir /var/lib/project3
# podman run --security-opt label=level:s0:C100,C200 -v ./build:/build:z -v /var/lib/project3:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image3 /build
# podman run --security-opt label=level:s0:C100,C200 -v /var/lib/project3:/var/lib/containers quay.io/buildah/stable buildah push image3 registry.company.com/myuser

In this example we do not delete the project folder (/var/lib/project3) between runs, so all subsequent builds within the project benefit from caching.

Security. Something between options 1 and 2. On the one hand, the containers have no access to content on the host and therefore cannot slip anything malicious into the Podman/CRI-O image store. On the other hand, within the same project, a container can interfere with the builds of other containers.

Performance. Worse than using a host-level shared cache, since images already pulled by Podman/CRI-O cannot be reused. However, once Buildah has pulled an image, that image can be used by any subsequent build within the project.

Additional stores

containers/storage has a neat feature called additional stores, thanks to which container engines can use external image stores in read-only mode when launching and building containers. Essentially, you can add one or more read-only stores to the storage.conf file, so that when a container starts, the container engine looks for the required image in them. Moreover, it will only download the image from a registry if it is not found in any of these stores. The container engine can only write to its writable store...

If you scroll up and look at the Dockerfile we use to build the quay.io/buildah/stable image, you will find these lines:

# Adjust storage.conf to enable Fuse storage.
RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf
RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock

In the first line we edit /etc/containers/storage.conf inside the container image, telling the storage driver to use "additionalimagestores" in the /var/lib/shared folder. In the next line we create the shared folder and add a couple of lock files so that containers/storage does not misbehave. Essentially, we are just creating an empty container image store.
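To see exactly what the two sed expressions from the Dockerfile do, here is an added example (not part of the original article) that applies them to a constructed storage.conf fragment and checks that fuse-overlayfs became the mount program and /var/lib/shared was registered as an additional image store; the sample file contents and the function names are my own.

```shell
#!/bin/sh
# Added example: apply the Dockerfile's storage.conf edits to a sample file
# and verify the result. Requires GNU/busybox sed (for the one-line "a" form).
set -eu

# Constructed fragment in the shape of the default containers/storage config
# (sample only; the real file carries many more comments and keys).
SAMPLE_STORAGE_CONF='[storage]
driver = "overlay"
runroot = "/run/containers/storage"
graphroot = "/var/lib/containers/storage"

[storage.options]
additionalimagestores = [
]

[storage.options.overlay]
#mount_program = "/usr/bin/fuse-overlayfs"
mountopt = "nodev,metacopy=on"
'

# The same two sed expressions as the Dockerfile's RUN line, applied in place
# to the file given as $1.
patch_storage_conf() {
  sed -i -e 's|^#mount_program|mount_program|g' \
         -e '/additionalimage.*/a "/var/lib/shared",' "$1"
}

# Return 0 only if both edits landed: the mount_program line is uncommented
# and "/var/lib/shared" is the first entry inside the additionalimagestores array.
check_storage_conf() {
  grep -q '^mount_program = "/usr/bin/fuse-overlayfs"' "$1" &&
  [ "$(sed -n '/additionalimagestores/{n;p;}' "$1")" = '"/var/lib/shared",' ]
}

# Write the sample to a temp file, patch it, print it, and report the check.
demo() {
  tmp=$(mktemp)
  printf '%s' "$SAMPLE_STORAGE_CONF" > "$tmp"
  patch_storage_conf "$tmp"
  cat "$tmp"
  if check_storage_conf "$tmp"; then rc=0; else rc=1; fi
  rm -f "$tmp"
  return "$rc"
}
```

Run `demo` to print the patched file; the unpatched sample fails `check_storage_conf`, which is a quick way to confirm an image actually has the additional store wired up.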

If you mount a containers/storage store on top of that folder, Buildah will be able to use the images in it.

Now let's return to option 2 discussed above, where the Buildah container can read and write the host's containers/storage and thus gets maximum performance from the Podman/CRI-O image cache, but offers minimum security because it can write directly to that store. Let's add an additional store here and get the best of both worlds.

# mkdir /var/lib/containers4
# podman run -v ./build:/build:z -v /var/lib/containers/storage:/var/lib/shared:ro -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image4 /build
# podman run -v /var/lib/containers/storage:/var/lib/shared:ro -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable buildah push image4 registry.company.com/myuser
# rm -rf /var/lib/containers4

Note that the host's /var/lib/containers/storage is mounted at /var/lib/shared inside the container in read-only mode. Therefore, while working inside the container, Buildah can use any image previously pulled by Podman/CRI-O (hello, speed), but can only write to its own storage (hello, security). Also note that this is achieved without disabling the container's SELinux separation.

Very important

Under no circumstances should you delete any images from the underlying store. Otherwise the Buildah container may crash.

And that is not all the benefits

The possibilities of additional stores are not limited to the scenario above. For example, you can put all container images on shared network storage and give every Buildah container access to it. Suppose we have hundreds of images that our CI/CD system constantly uses to build container images. We consolidate all these images on a single storage host and then, using whatever network storage tooling we prefer (NFS, Gluster, Ceph, iSCSI, S3...), make that store available to all Buildah or Kubernetes nodes.

Now it is enough to mount this network store into the Buildah container at /var/lib/shared, and that's it: Buildah containers no longer need to pull images. In this way we skip the pre-population step and are immediately ready to produce containers.

And of course this can be used inside a running Kubernetes system or container infrastructure to launch and run containers anywhere without pulling images. Moreover, when a container registry receives a push request uploading an updated image, it could automatically copy that image to the shared network store, where it is immediately available to all nodes.

Container images can sometimes reach many gigabytes in size. The additional store functionality lets you avoid cloning such images from node to node and makes launching containers almost instantaneous.

In addition, we are now working on a new feature called overlay volume mounts, which will make building containers even faster.

Conclusion

Running Buildah inside a container on Kubernetes/CRI-O, Podman, or even Docker is possible, simple, and much more secure than using docker.socket. We have greatly increased the flexibility of working with images, so you can run it in different ways to tune the balance between security and performance.

The additional store functionality lets you speed up, or eliminate entirely, the downloading of images to nodes.

Source: www.habr.com
