Applying a new package using CoreOS layering

This tutorial shows how to layer custom content on top of a containerized Fedora CoreOS image. As an example, it covers how to add the cachefilesd package through Dockerfile directives and how to further configure it on boot with Ignition.

This will allow users/admins to derive custom images based on Fedora CoreOS and containing packages not present in the base image. This tutorial is based on a previously discussed request.

Note: This is an experimental feature that is subject to change.

To follow this guide you should have the prerequisites described in the CoreOS documentation.

Let’s first deploy a FCOS environment and do an initial config with Ignition. We are aiming for a simple deployment which is described here.

Download Fedora CoreOS next stream

We depend on some newer rpm-ostree and skopeo functionality. Let’s use the next stream. Information about the streams can be found here.

For the purpose of this tutorial we are using QEMU, but you can use a cloud environment or platform you prefer, the Fedora CoreOS downloads page has all the available options.

# This is the 'next' image we will be using.
# Anything newer than this should work too.
$ RELEASE_URL=$(curl https://builds.coreos.fedoraproject.org/streams/next.json | jq -r '.architectures.x86_64.artifacts.qemu.formats."qcow2.xz".disk.location')

# Download the image.
$ curl -o fedora-coreos.qcow2.xz "$RELEASE_URL"

# Uncompress the qemu image.
$ unxz fedora-coreos.qcow2.xz

First Ignition config via Butane

Let’s create a very simple Butane config that will perform the following actions:

  • Add a systemd drop-in to override the default serial-getty@ttyS0.service.
    • The override will make the service automatically log the core user in to the serial console of the booted machine.
  • Set the system hostname by dropping a file at /etc/hostname.
  • Add a /etc/cachefilesd.conf file with our desired values.

For this, we create a Butane configuration file autologin.bu with the following content:

variant: fcos
version: 1.4.0
systemd:
  units:
    - name: serial-getty@ttyS0.service
      dropins:
      - name: autologin-core.conf
        contents: |
          [Service]
          # Override ExecStart in main unit
          ExecStart=
          # Add new ExecStart with `-` prefix to ignore failure
          ExecStart=-/usr/sbin/agetty --autologin core --noclear %I $TERM
storage:
  files:
    - path: /etc/hostname
      mode: 0644
      contents:
        inline: |
          tutorial
    - path: /etc/cachefilesd.conf
      mode: 0644
      contents:
        inline: |
          dir /var/cache/fscache
          tag mycache
          brun  8%
          bcull 6%
          bstop 2%
          frun  9%
          fcull 5%
          fstop 4%
          secctx system_u:system_r:cachefiles_kernel_t:s0

This configuration can then be converted into an Ignition config with Butane:

$ butane --pretty --strict autologin.bu --output autologin.ign

The resulting Ignition configuration produced by Butane as autologin.ign can be examined by running:

$ cat autologin.ign
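The cachefilesd.conf values above are baked into the image's first boot, and a daemon that refuses its config on a headless host is easy to miss. The following script is an added example (not part of the tutorial or the fcos-derivation-example project) that sanity-checks a cachefilesd.conf before you embed it in the Butane file: cachefilesd expects the culling thresholds to be ordered run > cull > stop for both the block (b*) and file (f*) limits, and the cache directory has to live under /var, the writable persistent area of a Fedora CoreOS host. The function names (conf_value, check_thresholds, check_cache_dir, validate_conf) and the SAMPLE_CONF text are this example's own; the sample repeats the tutorial's values.

```shell
#!/bin/sh
# Added example: validate a cachefilesd.conf before embedding it in Butane.
# Not from the tutorial; function names and the sample below are this example's own.
set -eu

# Constructed sample: the same values the tutorial's Butane config writes.
SAMPLE_CONF='dir /var/cache/fscache
tag mycache
brun  8%
bcull 6%
bstop 2%
frun  9%
fcull 5%
fstop 4%
secctx system_u:system_r:cachefiles_kernel_t:s0'

# conf_value FILE KEY -> prints the numeric value of KEY with the % sign stripped
conf_value() {
    awk -v key="$2" '$1 == key { sub(/%$/, "", $2); print $2; exit }' "$1"
}

# check_thresholds FILE -> 0 if run > cull > stop holds for the b* and f* limits
check_thresholds() {
    conf=$1
    for prefix in b f; do
        run=$(conf_value "$conf" "${prefix}run")
        cull=$(conf_value "$conf" "${prefix}cull")
        stop=$(conf_value "$conf" "${prefix}stop")
        if [ -z "$run" ] || [ -z "$cull" ] || [ -z "$stop" ]; then
            echo "missing ${prefix}run/${prefix}cull/${prefix}stop in $conf" >&2
            return 1
        fi
        if [ "$run" -le "$cull" ] || [ "$cull" -le "$stop" ]; then
            echo "thresholds not ordered: ${prefix}run=$run ${prefix}cull=$cull ${prefix}stop=$stop" >&2
            return 1
        fi
    done
    return 0
}

# check_cache_dir FILE -> 0 if the cache directory is under /var
# (/usr is read-only on Fedora CoreOS, so anything else would fail at runtime)
check_cache_dir() {
    dir=$(awk '$1 == "dir" { print $2; exit }' "$1")
    case "$dir" in
        /var/*) return 0 ;;
        *) echo "cache dir '$dir' is not under /var" >&2; return 1 ;;
    esac
}

# validate_conf FILE -> 0 only if every check passes
validate_conf() {
    check_thresholds "$1" && check_cache_dir "$1"
}

# Usage: sh check-cachefilesd-conf.sh /path/to/cachefilesd.conf
# Exits non-zero (because of set -e) when the file fails a check.
if [ $# -gt 0 ]; then
    validate_conf "$1"
fi
```

Run it against the file you are about to paste into autologin.bu; the same check works on the host after boot against /etc/cachefilesd.conf, since the tutorial expects that file to survive the package installation unchanged.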

Booting Fedora CoreOS

Now that we have an Ignition config, we can boot a virtual machine with it. This tutorial uses the QEMU image with libvirt, but you should be able to use the same Ignition config on all the platforms supported by Fedora CoreOS.

We use virt-install to create a new Fedora CoreOS virtual machine with a specific config:

# Setup the correct SELinux label to allow access to the config
$ chcon --verbose --type svirt_home_t autologin.ign

# Start a Fedora CoreOS virtual machine
$ virt-install --name=fcos --vcpus=2 --ram=2048 --os-variant=fedora-coreos-stable \
    --import --network=bridge=virbr0 --graphics=none \
    --qemu-commandline="-fw_cfg name=opt/com.coreos/config,file=${PWD}/autologin.ign" \
    --disk=size=20,backing_store=${PWD}/fedora-coreos.qcow2

The virt-install command will start an instance named fcos from the fedora-coreos.qcow2 image using the autologin.ign Ignition config. It will auto-attach the serial console of the machine so you will be able to see the image bootup messages.

Once the machine is booted up you should see a few prompts and then you should be automatically logged in and presented with a bash shell:

[  OK  ] Started rpm-ostree System Management Daemon.

Fedora CoreOS 32.20200715.3.0
Kernel 5.7.8-200.fc32.x86_64 on an x86_64 (ttyS0)

SSH host key: SHA256:XlbayjbgDKNoAAHQxsEL5Q7BdwLxxWSw4NXN9SALLmo (ED25519)
SSH host key: SHA256:3sx5jseteO4BvdOMWIi0J4koQL015mLonnD0UPTtnZk (ECDSA)
SSH host key: SHA256:K0fn5/TMJOoMs7Fu7RRkE7IBEf2t8OYCfVaVc+GJWGs (RSA)
ens2: 192.168.122.127 fe80::5054:ff:feb9:3d97
Ignition: user provided config was applied
No ssh authorized keys provided by Ignition or Afterburn
tutorial login: core (automatic login)

[core@tutorial ~]$

We can verify that our configuration has been applied: we were automatically logged in to the terminal, and the hostname on the prompt is tutorial.

We can also see our /etc/cachefilesd.conf file in place:

[core@tutorial ~]$ cat /etc/cachefilesd.conf
dir /var/cache/fscache
tag mycache
brun  8%
bcull 6%
bstop 2%
frun  9%
fcull 5%
fstop 4%
secctx system_u:system_r:cachefiles_kernel_t:s0

Let’s also make sure there is no cachefilesd package installed.

[core@tutorial ~]$ rpm -qi cachefilesd
package cachefilesd is not installed

Create a derived image with additional content

We are assuming there is a need for debugging on your environment and you need strace and a custom binary. Finally we are going to add keylime and rebase your running FCOS deployment to include them.

This would be helpful when IT needs to provide the images or the same system image has to be rolled out to multiple hosts. Instead of making the changes on each host, which would leave hosts with different versions of software or configs, you can build one image and rebase your systems onto it. We are using the fcos-derivation-example to start this process.

Let’s clone our example code on your local system and enter the directory.

$ git clone git@github.com:coreos/fcos-derivation-example.git && cd fcos-derivation-example

Examine the Dockerfile and notice the custom binary and where we are installing strace.

$ vi Dockerfile

Let’s add cachefilesd to the install command.

That would make the last line look like:

RUN rpm-ostree install strace cachefilesd && rpm-ostree cleanup -m

Time to build the image. In this example we are using podman.

$ podman build -t localhost/my-custom-fcos .

Inspect the content of the derived image

At this point we have an OCI image. You can test to see if it actually has the layered packages.

Let’s get into the container.

$ podman run -it localhost/my-custom-fcos /bin/bash

Run strace inside the container. You should see the following:

$ strace --version
strace -- version 5.15
Copyright (c) 1991-2021 The strace developers <https://strace.io>.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Optional features enabled: stack-trace=libdw stack-demangle m32-mpers mx32-mpers secontext

Which tells us we have successfully installed strace on Fedora CoreOS.

Next let’s see if cachefilesd is there.

$ cachefilesd --version

The output should look like the following:

cachefilesd version 0.10.10

Now that we confirmed our packages are there, we can get out of the container:

$ exit

Push the OCI image to a container registry

In order to use our image, we need to push it to an image repository that is accessible to our hosts.

In this example we will use quay.io. But this can be any compatible container image repository. Quay allows you to build your images directly on their platform which will save you the bandwidth of pushing the image, however we are not using this feature for the tutorial. You can read about that feature here.

You will need to create an account on quay.io.

Login to quay.io from your terminal:

$ podman login quay.io

Push the previously built image:

$ podman push localhost/my-custom-fcos quay.io/<YOURUSER>/my-custom-fcos

Note that by default, Quay marks the repository as private. Please follow the Quay documentation to mark the repository as public.

Rebase the OS to the derived image

For this step we go back to our Fedora CoreOS VM console.

We need to stop the Zincati service so that auto-updates won’t interfere with our manual operations.

[core@tutorial ~]$ sudo systemctl stop zincati.service

Next, we call rpm-ostree to rebase our system using the image we just pushed to quay.

[core@tutorial ~]$ sudo rpm-ostree rebase \
    ostree-unverified-registry:quay.io/<YOURUSER>/my-custom-fcos

We can check whether a new deployment is staged:

[core@tutorial ~]$ rpm-ostree status

We should see a new deployment staged like this:

State: idle
AutomaticUpdatesDriver: Zincati
  DriverState: inactive
Deployments:
  ostree-unverified-registry:quay.io/<YOURUSER>/my-custom-fcos
                    Digest: sha256:506f0924d117af1d16fe81264d531faad1a96af8c1590ba4782b0e8bf0020d1a
                 Timestamp: 2021-12-22T21:27:42Z
                      Diff: 2 added

Now that we confirmed that our new deployment is staged we can reboot.

[core@tutorial ~]$ sudo systemctl reboot

More information about this step can be read here.
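The ostree-unverified-registry: prefix used in the rebase above tells rpm-ostree to pull the image without verifying any signature on it, so the only thing tying the host to the build you made is the image's content digest, the Digest: line in the rpm-ostree status output. The script below is an added example (not part of the tutorial or the fcos-derivation-example project) that extracts the staged deployment's origin and digest from that output and compares the digest with the one you recorded at push time, so you can run it before issuing the reboot. The function names (staged_digest, staged_origin, verify_staged) and the SAMPLE_STATUS text are this example's own; the sample repeats the status output shown above, including the <YOURUSER> placeholder. The expected digest can be captured with podman push --digestfile or read from skopeo inspect docker://… | jq -r .Digest, both of which exist as shown.

```shell
#!/bin/sh
# Added example: check the staged rpm-ostree deployment against the digest you pushed.
# Not from the tutorial; function names and the sample below are this example's own.
set -eu

# Constructed sample: the `rpm-ostree status` output shown in the tutorial.
SAMPLE_STATUS='State: idle
AutomaticUpdatesDriver: Zincati
  DriverState: inactive
Deployments:
  ostree-unverified-registry:quay.io/<YOURUSER>/my-custom-fcos
                    Digest: sha256:506f0924d117af1d16fe81264d531faad1a96af8c1590ba4782b0e8bf0020d1a
                 Timestamp: 2021-12-22T21:27:42Z
                      Diff: 2 added'

# staged_digest STATUS_TEXT -> prints the digest of the first deployment listed
staged_digest() {
    printf '%s\n' "$1" | awk '$1 == "Digest:" { print $2; exit }'
}

# staged_origin STATUS_TEXT -> prints the origin (transport:image) of the first
# deployment, i.e. the first single-field line after "Deployments:"
staged_origin() {
    printf '%s\n' "$1" | awk 'seen && NF == 1 { print $1; exit } /^Deployments:/ { seen = 1 }'
}

# verify_staged STATUS_TEXT EXPECTED_DIGEST -> 0 only if the staged deployment's
# digest equals EXPECTED_DIGEST; the origin transport is reported on stderr
verify_staged() {
    actual=$(staged_digest "$1")
    origin=$(staged_origin "$1")
    case "$origin" in
        ostree-unverified-registry:*)
            echo "note: $origin is pulled without signature verification; relying on digest pin" >&2 ;;
    esac
    if [ -z "$actual" ]; then
        echo "no staged deployment with a Digest: line found" >&2
        return 1
    fi
    if [ "$actual" != "$2" ]; then
        echo "digest mismatch: staged $actual, expected $2" >&2
        return 1
    fi
    echo "staged deployment matches $actual"
    return 0
}

# Usage on the host, after the rebase and before rebooting:
#   podman push --digestfile=pushed.digest localhost/my-custom-fcos quay.io/<YOURUSER>/my-custom-fcos   # on the build machine
#   sh verify-staged.sh "$(cat pushed.digest)" && sudo systemctl reboot                               # on the FCOS host
if [ $# -eq 1 ]; then
    verify_staged "$(rpm-ostree status)" "$1"
fi
```

If the digests differ, the host staged something other than what you built (a retagged image, or a push that did not land), and the deployment should be rolled back with rpm-ostree rollback rather than booted.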

Booted into new deployment with layered content

Now your host should have your custom binary and extra packages ready to use. Explore it by running cachefilesd, strace and playing with the configured services.

For example, we can verify that cachefilesd is installed:

[core@tutorial ~]$ rpm -qi cachefilesd
Name        : cachefilesd
Version     : 0.10.10
Release     : 12.fc35
Architecture: x86_64
Install Date: Thu Jan  6 01:57:06 2022
Group       : Unspecified
Size        : 75373
License     : GPLv2+
Signature   : RSA/SHA256, Sun Jul 25 04:33:13 2021, Key ID db4639719867c58f
Source RPM  : cachefilesd-0.10.10-12.fc35.src.rpm
Build Date  : Wed Jul 21 19:15:26 2021
Build Host  : buildvm-x86-22.iad2.fedoraproject.org
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://people.redhat.com/~dhowells/fscache/
Bug URL     : https://bugz.fedoraproject.org/cachefilesd
Summary     : CacheFiles user-space management daemon
Description :
The cachefilesd daemon manages the caching files and directory that are that
are used by network file systems such a AFS and NFS to do persistent caching to
the local disk.

Let’s also verify that our pre-configured /etc/cachefilesd.conf has not changed.

[core@tutorial ~]$ cat /etc/cachefilesd.conf

We should see the same values we set up through Ignition; installing the package should not change the config file.

Taking down the Virtual Machine

Congratulations, you now have a Fedora CoreOS host with your desired packages layered in. If you are done exploring the VM, you can now delete it. First escape out of the serial console by pressing CTRL + ] and then type:

$ virsh destroy fcos
$ virsh undefine --remove-all-storage fcos