Recommendations for running Buildah inside a container

What are the advantages of splitting the container runtime into separate tool components? In particular, these tools can then be combined so that they protect one another.

Many people are attracted by the idea of building OCI images inside Kubernetes or a similar system. Suppose we have a CI/CD pipeline that constantly builds images; then something like Red Hat OpenShift/Kubernetes would be very useful for balancing the load during builds. Until recently, most people simply gave containers access to the Docker socket and let them run the docker build command. A few years ago we showed that this is far from secure; in fact, it is worse than handing out passwordless root or sudo.

That is why people keep trying to run Buildah inside a container. In short, we have put together an example of how, in our opinion, Buildah is best run inside a container, and published the corresponding images at quay.io/buildah. Let's get started...

Setup

These images are built from Dockerfiles that can be found in the Buildah repository, in the build folder. Here we will look at the stable version of the Dockerfile.

```dockerfile
# stable/Dockerfile
#
# Build a Buildah container image from the latest
# stable version of Buildah on the Fedora Updates System.
# https://bodhi.fedoraproject.org/updates/?search=buildah
# This image can be used to create a secured container
# that runs safely with privileges within the container.
#
FROM fedora:latest

# Don't include container-selinux and remove
# directories used by dnf that are just taking
# up space.
RUN yum -y install buildah fuse-overlayfs --exclude container-selinux; rm -rf /var/cache /var/log/dnf* /var/log/yum.*

# Adjust storage.conf to enable Fuse storage.
RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf
```

Instead of OverlayFS, which is implemented at the level of the host Linux kernel, we use the fuse-overlayfs program inside the container, because at the moment OverlayFS can only be mounted if you grant SYS_ADMIN via Linux capabilities, and we want to run our Buildah containers without root privileges. Fuse-overlayfs is quite fast and performs better than the VFS storage driver. Note that when running a Buildah container that uses Fuse, you must pass in the /dev/fuse device:

```console
podman run --device /dev/fuse quay.io/buildahctr ...
```

```dockerfile
RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
```

Next we create a directory for an additional store. containers/storage supports the concept of attaching additional, read-only image stores. For example, you can set up an overlay store on one machine, then use NFS to mount that store on another machine and use the images from it without pulling them. We need this store so that we can attach the host's image storage to the container as a volume and use it from inside the container.

```dockerfile
# Set up environment variables to note that this is
# not starting with user namespace and default to
# isolate the filesystem with chroot.
ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot
```

Finally, with the BUILDAH_ISOLATION environment variable we tell the Buildah container to use chroot isolation by default. No additional isolation is needed here, since we are already running inside a container. For Buildah to create its own namespace-isolated containers it would need the SYS_ADMIN privilege, which in turn would require relaxing the container's SELinux and SECCOMP rules, the opposite of what we want when building from a locked-down container.

Running Buildah inside a container

The design of the Buildah container image described above makes it easy to vary the way such containers are launched.

Speed versus security

Computer security is always a trade-off between the speed of a process and how much protection is wrapped around it. This holds for building containers too, so below we look at the options for that trade-off.

The container image described above keeps its storage in /var/lib/containers. So we need to mount something into that folder, and how we do it strongly affects how fast container images are built.

Let's consider three options to choose from.

Option 1. If maximum security is required, then for each container you can create its own containers/image folder and attach it to the container with a volume mount. In addition, put the build context into the container itself, in the /build folder:

```console
# mkdir /var/lib/containers1
# podman run -v ./build:/build:z -v /var/lib/containers1:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image1 /build
# podman run -v /var/lib/containers1:/var/lib/containers:Z quay.io/buildah/stable buildah push image1 registry.company.com/myuser
# rm -rf /var/lib/containers1
```

Security. Buildah running in such a container has maximum security: it is not given any root privileges via capabilities, and all SECCOMP and SELinux restrictions apply to it. Such a container can even run with User Namespace isolation by adding an option like --uidmap 0:100000:10000.

Performance. But performance here is minimal, since every image from the container registry is copied to the host every time and caching does not work at all. When it finishes its work, the Buildah container has to push the image to the registry and destroy the content on the host. The next time a container image is built, it will have to be pulled from the registry again, since by then nothing is left on the host.

Option 2. If you need Docker-level performance, you can mount containers/storage directly into the container.

```console
# podman run -v ./build:/build:z -v /var/lib/containers:/var/lib/containers --security-opt label=disable quay.io/buildah/stable buildah bud -t image2 /build
# podman run -v /var/lib/containers:/var/lib/containers --security-opt label=disable quay.io/buildah/stable buildah push image2 registry.company.com/myuser
```

Security. This is the least secure way to build containers, because it lets the container modify storage on the host and could potentially feed Podman or CRI-O a malicious image. In addition, you have to disable SELinux isolation so that processes in the Buildah container can work with the storage on the host. Note that this option is still better than the Docker socket, because the container remains locked down by the other security features and cannot simply launch a container on the host.

Performance. Here it is maximal, because caching is used to the full. If Podman or CRI-O has already pulled the required image to the host, the Buildah process inside the container does not need to pull it again, and subsequent builds based on that image can also take what they need from the cache.

Option 3. The idea of this approach is to group several images into one project with a shared folder for container images.

```console
# mkdir /var/lib/project3
# podman run --security-opt label=level:s0:c100,c200 -v ./build:/build:z -v /var/lib/project3:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image3 /build
# podman run --security-opt label=level:s0:c100,c200 -v /var/lib/project3:/var/lib/containers quay.io/buildah/stable buildah push image3 registry.company.com/myuser
```

In this example we do not delete the project folder (/var/lib/project3) between runs, so all subsequent builds within the project benefit from the cache.

Security. Somewhere between options 1 and 2. On the one hand, the containers cannot reach content on the host and therefore cannot slip anything malicious into the Podman/CRI-O image store. On the other hand, by design, one container can interfere with the builds of the other containers in the project.

Performance. Worse than with a shared cache at the host level, because images already pulled by Podman/CRI-O cannot be reused. However, once Buildah has pulled an image, that image can be used by any subsequent build within the project.

Additional stores

containers/storage has a neat feature called additional stores (additional image stores): when launching and building containers, container engines can use external image stores in read-only overlay mode. Essentially, you can add one or more read-only stores to the storage.conf file so that, when a container is started, the container engine looks for the desired image in them as well. It will pull the image from the registry only if it finds it in none of these stores. The container engine can write only to its writable store...

If you scroll up and look at the Dockerfile we use to build the quay.io/buildah/stable image, there are lines like these:

```dockerfile
# Adjust storage.conf to enable Fuse storage.
RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf
RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
```

In the first line we modify /etc/containers/storage.conf inside the container image, telling the storage driver to use "additionalimagestores" in the /var/lib/shared folder. In the next line we create the shared folder and add a few lock files so that containers/storage does not complain. Essentially, we simply create an empty container image store.

If you mount a containers/storage store on top of this folder, Buildah will be able to use its images.
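To see exactly what the two RUN lines above produce, here is an added example (ours, not from the article or the Buildah project) that applies the same sed expressions to a constructed excerpt of storage.conf in a temporary directory and creates the empty shared store beside it; the WORK/CONF paths and the helper function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article): apply the Dockerfile's storage.conf edits to
# a constructed copy of the file and create the empty shared store next to it.
# WORK, CONF and the helper function names are assumptions of this example.
set -eu
WORK=$(mktemp -d)
CONF="$WORK/storage.conf"

# Constructed excerpt of a Fedora /etc/containers/storage.conf (relevant keys only).
cat > "$CONF" <<'EOF'
[storage]
driver = "overlay"
runroot = "/run/containers/storage"
graphroot = "/var/lib/containers/storage"

[storage.options]
additionalimagestores = [
]
#mount_program = "/usr/bin/fuse-overlayfs"
EOF

# First RUN line from the Dockerfile: uncomment mount_program (fuse-overlayfs) and
# insert /var/lib/shared right after the "additionalimagestores = [" line.
apply_dockerfile_edits() {
  sed -i -e 's|^#mount_program|mount_program|g' \
         -e '/additionalimage.*/a "/var/lib/shared",' "$1"
}

# Second RUN line: the empty store layout plus the lock files containers/storage expects.
create_shared_store() {
  mkdir -p "$1/overlay-images" "$1/overlay-layers"
  touch "$1/overlay-images/images.lock" "$1/overlay-layers/layers.lock"
}

# Checks: return 0 when the rewritten config has the intended shape.
fuse_enabled() { grep -q '^mount_program = "/usr/bin/fuse-overlayfs"' "$1"; }
shared_store_registered() {
  # the path must be the first entry of the list, i.e. the line after the opener
  sed -n '/additionalimagestores/{n;p;}' "$1" | grep -q '^"/var/lib/shared",$'
}

apply_dockerfile_edits "$CONF"
create_shared_store "$WORK/shared"
if fuse_enabled "$CONF" && shared_store_registered "$CONF"; then
  echo "rewritten $CONF:"; cat "$CONF"
else
  echo "storage.conf edit did not apply as expected" >&2; exit 1
fi
```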

Now let's go back to Option 2 above, where the Buildah container can read and write containers/storage on the host and therefore performs very well thanks to the image cache at the Podman/CRI-O level, but offers minimal security, since it can write directly to that storage. Let's add an additional store here and get the best of both worlds.

```console
# mkdir /var/lib/containers4
# podman run -v ./build:/build:z -v /var/lib/containers/storage:/var/lib/shared:ro -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable buildah bud -t image4 /build
# podman run -v /var/lib/containers/storage:/var/lib/shared:ro -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable buildah push image4 registry.company.com/myuser
# rm -rf /var/lib/containers4
```

Note that the host's /var/lib/containers/storage is mounted at /var/lib/shared inside the container in read-only mode. So Buildah, running in the container, can use any image previously pulled by Podman/CRI-O (hello, speed), but can write only to its own storage (hello, security). Also note that this works without disabling SELinux isolation for the container.
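As an added example (ours, not from the article or from Buildah's own tooling), the following wrapper automates this layout for a single build: a throwaway private store, the host store mounted read-only at /var/lib/shared, /dev/fuse passed in as the Setup section requires, and cleanup that runs even when the build fails. The variables HOST_STORAGE, STORAGE_BASE and BUILDAH_IMAGE and the function isolated_build are our own names.

```shell
#!/bin/sh
# Added example, not from the original article: wrapper around the
# "private store + read-only additional store" layout described above.
# HOST_STORAGE, STORAGE_BASE, BUILDAH_IMAGE and isolated_build are assumed names.
set -eu

HOST_STORAGE="${HOST_STORAGE:-/var/lib/containers/storage}"  # host image store, shared read-only
STORAGE_BASE="${STORAGE_BASE:-/var/lib}"                     # parent of the throwaway private stores
BUILDAH_IMAGE="${BUILDAH_IMAGE:-quay.io/buildah/stable}"

# isolated_build CONTEXT_DIR TAG REGISTRY_DEST
# Builds CONTEXT_DIR as TAG inside the Buildah container, pushes it to REGISTRY_DEST,
# and removes the private store afterwards whether or not the build succeeded.
isolated_build() {
  ctx="$1"; tag="$2"; dest="$3"
  # Fresh, unshared containers/storage for this build only (as in Option 1).
  priv=$(mktemp -d "$STORAGE_BASE/containers.XXXXXX")
  status=0
  # --device /dev/fuse: the stable image uses fuse-overlayfs, so it must be passed in.
  # /var/lib/shared is :ro, so Buildah reads the Podman/CRI-O cache but never writes it.
  # The private store is :Z (private SELinux label); SELinux isolation stays enabled.
  podman run --rm --device /dev/fuse \
    -v "$ctx:/build:z" \
    -v "$HOST_STORAGE:/var/lib/shared:ro" \
    -v "$priv:/var/lib/containers:Z" \
    "$BUILDAH_IMAGE" buildah bud -t "$tag" /build || status=$?
  if [ "$status" -eq 0 ]; then
    podman run --rm --device /dev/fuse \
      -v "$HOST_STORAGE:/var/lib/shared:ro" \
      -v "$priv:/var/lib/containers:Z" \
      "$BUILDAH_IMAGE" buildah push "$tag" "$dest" || status=$?
  fi
  rm -rf "$priv"   # nothing from this build is left on the host
  return "$status"
}

# Usage: ./isolated-build.sh ./build image4 registry.company.com/myuser
# (only runs when three arguments are given, so sourcing the file is side-effect free)
if [ "$#" -eq 3 ]; then
  isolated_build "$1" "$2" "$3"
fi
```

Because the private store is recreated on every call, repeated builds of the same project still pay the pull cost only for images that are not already in the host's read-only store.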

Important note

Under no circumstances should you delete any images from the underlying store. Otherwise the Buildah container may crash.

And these are not all the benefits

The possibilities of additional stores are not limited to the scenario above. For example, you can put all container images on shared network storage and give every Buildah container access to it. Suppose we have hundreds of images that our CI/CD system uses to build container images. We concentrate all of them on one storage host and then, with the network storage tools of your choice (NFS, Gluster, Ceph, iSCSI, S3...), open shared access to that storage to all Buildah or Kubernetes nodes.

Now all it takes is to mount this network storage into the Buildah container at /var/lib/shared, and the Buildah containers no longer need to pull images at all. So we drop the pre-population stage and are ready to roll out containers immediately.

And of course, the same can be used inside a live Kubernetes system or container infrastructure to launch and run containers anywhere without pulling images. Moreover, when the container registry receives a push request uploading an updated image, it can automatically send that image to the shared network storage, where it immediately becomes available to all nodes.

Container images sometimes reach many gigabytes in size. The additional store feature lets you avoid cloning such images to every node and makes container startup almost instantaneous.

In addition, we are currently working on a new feature called overlay volume mounts, which will make build containers even faster.

Conclusion

Running Buildah inside a container on Kubernetes/CRI-O, Podman, or even Docker is feasible, simple, and far more secure than using docker.socket. We have greatly increased the flexibility of working with images, so that you can use them in different ways to tune the balance between security and performance.

The additional store feature lets you speed up, or completely eliminate, image pulls on the nodes.

Source: www.habr.com
