ostree native containers
rpm-ostree inherits work in ostree-rs-ext to create “container native ostree” functionality. This elevates OCI/docker containers to be natively supported as a transport mechanism for bootable operating systems.
Rebasing a client system
Use this to switch to booting from a container image (note the ostree-unverified-registry: prefix: the image is fetched over HTTPS but no signature is verified; the verified variants are listed under the URL formats below):
$ rpm-ostree rebase ostree-unverified-registry:quay.io/fedora/fedora-coreos:stable
However, rebasing alone only uses the Docker/OCI transport “on the wire” for content that already exists today. That helps with things like mirroring the OS alongside other container images, but for many users the next step is more interesting:
Upgrading
After a rebase, all further rpm-ostree operations work as you’d expect. For example, rpm-ostree upgrade will look for a new version of the container image. You can also use rpm-ostree apply-live, etc. “Client side” rpm-ostree install etc. also still works.
URL format for ostree native containers
Ostree understands the following URL formats to retrieve, and optionally verify the integrity of, a container image or its content:

- ostree-unverified-image:registry:<oci image> or ostree-unverified-image:docker://<oci image>: Fetch a container image without verifying either the container itself or its content. The image is usually fetched over HTTPS, which provides confidentiality and integrity in transit but not authenticity: nothing checks that the content came from the publisher you expect.
- ostree-unverified-registry:<oci image>: Shortcut for the above use case.
- ostree-remote-image:<ostree remote>:registry:<oci image> and ostree-remote-image:<ostree remote>:docker://<oci image>: Fetch a container image and verify that the included ostree commit is correctly signed by a key configured locally in the specified ostree remote (/etc/ostree/remotes.d/<ostree remote>.conf). Note that the signature checked here is on the ostree commit embedded in the image, not on the container image itself.
- ostree-remote-registry:<ostree remote>:<oci image>: Shortcut for the above use case.
- ostree-image-signed:registry:<oci image> and ostree-image-signed:docker://<oci image>: Fetch a container image and verify that the container image is signed according to the policy set in /etc/containers/policy.json (see containers-policy.json(5)).
ostree (ostree-rs-ext) uses skopeo to fetch container images and thus supports the transports as documented in containers-transports(5).
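To make the distinction between these prefixes operational, here is an added example in POSIX sh that is not part of ostree or rpm-ostree: a small classifier that maps a reference to the verification it implies, plus a guard a provisioning script could run before rpm-ostree rebase to refuse unverified references on production hosts. The function names and the “policy transport image” output format are this example’s own conventions; the prefixes are the ones listed above.

```shell
#!/bin/sh
# Added example (not from ostree or rpm-ostree): classify an ostree container
# image reference by the verification it implies. Prefixes are the ones the
# page documents; the output format "<policy> <transport> <image>" is our own.

# Prints "<policy> <transport> <image>" and returns 0, or returns 1 for an
# unrecognised reference. Policies: unverified, ostree-remote:<name>,
# containers-policy.
classify_ostree_imgref() {
  ref=$1
  case "$ref" in
    ostree-unverified-registry:*)
      echo "unverified registry ${ref#ostree-unverified-registry:}" ;;
    ostree-unverified-image:registry:*)
      echo "unverified registry ${ref#ostree-unverified-image:registry:}" ;;
    ostree-unverified-image:docker://*)
      echo "unverified docker ${ref#ostree-unverified-image:docker://}" ;;
    ostree-remote-registry:*:*)
      rest=${ref#ostree-remote-registry:}
      remote=${rest%%:*}          # ostree remote name (/etc/ostree/remotes.d/<remote>.conf)
      echo "ostree-remote:$remote registry ${rest#*:}" ;;
    ostree-remote-image:*:registry:*)
      rest=${ref#ostree-remote-image:}
      remote=${rest%%:*}
      echo "ostree-remote:$remote registry ${rest#*:registry:}" ;;
    ostree-remote-image:*:docker://*)
      rest=${ref#ostree-remote-image:}
      remote=${rest%%:*}
      echo "ostree-remote:$remote docker ${rest#*:docker://}" ;;
    ostree-image-signed:registry:*)
      echo "containers-policy registry ${ref#ostree-image-signed:registry:}" ;;
    ostree-image-signed:docker://*)
      echo "containers-policy docker ${ref#ostree-image-signed:docker://}" ;;
    *)
      return 1 ;;
  esac
}

# Returns 0 only if the reference carries some signature verification
# (ostree commit signature or containers policy); use as a guard before
# `rpm-ostree rebase` on hosts where unverified images must not be booted.
require_verified_imgref() {
  out=$(classify_ostree_imgref "$1") || return 1
  case "$out" in
    unverified*) return 1 ;;
    *) return 0 ;;
  esac
}
```

A provisioning script would call require_verified_imgref "$IMGREF" && rpm-ostree rebase "$IMGREF"; the classifier deliberately rejects bare skopeo transports such as docker:// without an ostree- prefix, since those are not valid rebase targets here.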
Registry authentication
Today, the ostree stack reads /etc/ostree/auth.json and /run/ostree/auth.json, which use the same format as documented in containers-auth.json(5). Note that /run does not persist across reboots, so credentials placed there must be re-provisioned on each boot; since either file holds registry secrets, keep it readable only by root.
Using custom builds
The ostree container functionality supports layered container images; you can use any container build system you like to add additional layers. See coreos-layering-examples for many examples. Note: the functionality here is not specific to (Fedora) CoreOS, but that project happens to be the farthest along in productizing it at the time of this writing.
This functionality is currently classified as experimental, but it is rapidly heading toward stabilization.
Filesystem layout model
The ostree model effectively defines 3 partitions:

- /usr: Read-only (at runtime, by default) binaries and data files
- /etc: Mutable machine-local configuration files
- /var: All other state

This means that it will not currently work, by default, to install e.g. RPM packages that add files in /opt.
Installing packages
You can use e.g. rpm-ostree install to install packages. This functions the same as with e.g. dnf or microdnf. It’s also possible to use rpm directly, e.g. rpm -Uvh https://mirror.example.com/iptables-1.2.3.rpm. When installing straight from a URL like this, import the vendor’s signing key first (rpm --import) so that rpm actually verifies the package signature instead of merely warning about an unknown key.
Installing config files
You can use any tooling you want to generate config files in /etc. When a booted system pulls an updated container image, the changes will also be applied (through the usual rpm-ostree three-way merge of /etc, so files the machine has modified locally keep their local contents).
Installing non-RPM content
A major change compared to previous rpm-ostree is that it is now clearly supported to install non-RPM binaries into /usr; these are just as “first-class” as binaries from the base image.
Adapting software
The way ostree works may require some changes to software.
Dealing with /opt
Some RPMs install files in /opt, which in the ostree model is /var/opt. In the case where the files in /opt are just binaries, one approach is to move them at build time (this only fits content that is never written at runtime, since /usr is read-only on the booted system):
FROM quay.io/fedora/fedora-coreos:testing-devel
RUN mkdir /var/opt && \
rpm -Uvh https://downloads.linux.hpe.com/repo/stk/rhel/7/x86_64/current/hp-scripting-tools-11.60-20.rhel7.x86_64.rpm && \
mv /var/opt/hp/ /usr/lib/hp && \
echo 'L /opt/hp - - - - ../../usr/lib/hp' > /usr/lib/tmpfiles.d/hp.conf && \
ostree container commit
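As an added example that is not from the page or from rpm-ostree, here is the same relocation generalised to every directory a package dropped into /var/opt, usable as a RUN step after rpm -Uvh and before ostree container commit. The ROOT argument is this example’s own addition so it can be exercised against a scratch directory; in a container build it is simply /. It refuses to merge into an existing /usr/lib/<name> rather than silently overwriting base-image content, and, as noted above, it only suits content that is never written at runtime.

```shell
#!/bin/sh
# Added example (not from rpm-ostree or the page): generalise the Containerfile
# step above. After `rpm -Uvh` has dropped binaries into /var/opt/<name>, move
# each tree to /usr/lib/<name> and emit a systemd-tmpfiles symlink so that
# /opt/<name> resolves at boot. ROOT (default /) is this example's own parameter
# so it can be run against a scratch directory; in a container build it is /.

# Usage: relocate_opt [ROOT]; prints the number of trees relocated.
# Returns 1 (and moves nothing further) if /usr/lib/<name> already exists,
# rather than merging a package's files over base-image content.
relocate_opt() {
  root=${1:-/}
  moved=0
  for src in "$root"/var/opt/*; do
    [ -d "$src" ] || continue            # nothing under /var/opt: glob left literal
    name=${src##*/}
    dest="$root/usr/lib/$name"
    if [ -e "$dest" ]; then
      echo "relocate_opt: $dest already exists, refusing to merge $src" >&2
      return 1
    fi
    mkdir -p "$root/usr/lib" "$root/usr/lib/tmpfiles.d"
    mv "$src" "$dest"
    # Relative symlink target, exactly as in the Containerfile above:
    # /opt is itself /var/opt on ostree, so ../../usr/lib/<name> lands in /usr.
    printf 'L /opt/%s - - - - ../../usr/lib/%s\n' "$name" "$name" \
      > "$root/usr/lib/tmpfiles.d/$name.conf"
    moved=$((moved + 1))
  done
  echo "$moved"
}
```

In a Containerfile this replaces the hand-written mv and echo lines: RUN mkdir /var/opt && rpm -Uvh … && relocate_opt && ostree container commit.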
Users and groups
At the current time, rpm-ostree will auto-synthesize systemd-sysusers snippets when useradd or groupadd are invoked during the process of e.g. rpm-ostree install.
This means that user and group IDs are allocated per machine. If stable numeric IDs across machines matter (for example for files under /var that are moved between hosts), ship a systemd-sysusers snippet that pins the UID/GID explicitly rather than relying on per-machine allocation.
Using “ostree container commit”
In a container build, it’s a current best practice to invoke this at the end of each RUN instruction (or equivalent). This will verify compatibility of /var, and also clean up extraneous files in e.g. /tmp.
In the future, this command may perform more operations.
Creating base images
There is now an rpm-ostree compose image command which generates a new base image using a treefile:
$ rpm-ostree compose image --initialize-mode=if-not-exists --format=ociarchive workstation-ostree-config/fedora-silverblue.yaml fedora-silverblue.ociarchive
The --initialize-mode=if-not-exists option here is what you almost always want: create the image if it doesn’t exist, but otherwise check for changes. It isn’t the default for historical reasons.
$ rpm-ostree compose image --initialize-mode=if-not-exists --format=registry workstation-ostree-config/fedora-silverblue.yaml quay.io/example/exampleos:latest
Adding container image configuration
By default, the rpm-ostree compose image command creates container images with a minimal config. It notably does not include a default command or entrypoint.
To add more configuration to the created OCI images, you can pass an image configuration JSON document via the --image-config= argument.
Example image configuration JSON (config.json):
{
"Env": [
"FOO=BAR"
],
"Cmd": [
"/bin/bash"
],
"Labels": {
"license": "MIT"
}
}
Example rpm-ostree compose image command:
rpm-ostree compose image --initialize --format=ociarchive --image-config=config.json manifest.yaml image.ociarchive
You can find the reference for the image configuration JSON format in the OCI Image Format Specification.
Converting OSTree commits to new base images
The ostree-container model creates a bidirectional bridge between ostree and OCI formatted containers. rpm-ostree compose tree today is a tool which natively accepts RPMs (and other content) and outputs an OSTree commit.
In ostree upstream, there is a simplistic CLI (and API) that “encapsulates” a commit into a container image with a single layer:
$ ostree container encapsulate --repo=/path/to/repo fedora/35/x86_64/silverblue docker://quay.io/myuser/fedora-silverblue:35
The encapsulate command accepts all the same “transport prefixes” as the skopeo CLI. For more information, see man skopeo.
However, this “single layer” is not an efficient way to deliver content. It means that any time anything in the ostree commit changes, clients need to download a full new tarball.
The ostree shared library has low level APIs that support creating reproducible “chunked” images. A key advantage of this is that if e.g. just the kernel changes, one only downloads the layer containing the kernel/initramfs (plus a metadata layer) instead of everything.
Use a command like this to generate chunked images:
$ rpm-ostree compose container-encapsulate --repo=/path/to/repo fedora/35/x86_64/silverblue docker://quay.io/myuser/fedora-silverblue:35
This “chunked” format is used by default by rpm-ostree compose image.