nestybox / sysbox

An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs.
Apache License 2.0

Where are the debian package sources? #215

Closed nudgegoonies closed 3 years ago

nudgegoonies commented 3 years ago

I cannot find a control file or its contents, the systemd units, etc. in the latest releases nor in the master.

ctalledo commented 3 years ago

Hi @nudgegoonies: we currently only offer the packaged version on Ubuntu; we are working on creating packaged versions for other supported distros (Debian, RedHat, etc.) currently. ETA 4 weeks.

I'll make sure that the Sysbox distro compat doc makes this clear.

In general however, Ubuntu is the best platform for Sysbox, because it carries the shiftfs module (as well as some patches to overlayfs to make it work with shiftfs). This makes it easier to use Docker + Sysbox, as it avoids the need to configure Docker in userns-remap mode.

ctalledo commented 3 years ago

If you wish to use Sysbox on Debian, you can always build and install it from source. It's pretty easy since the build occurs inside a container that carries all the build dependencies.

rodnymolina commented 3 years ago

@nudgegoonies, concerning the package sources, which I believe is what you're asking about, at this point we are not exposing them as part of our community-edition offering. Can you please clarify why you need these?

nudgegoonies commented 3 years ago

Thank you very much for your answers.

We are evaluating sysbox-ce for our gitlab-ci runners and our servers run Debian 10 with Backport Kernel 5.10.

I compiled the sysbox-ce master, replaced the binaries in the Ubuntu Focal package, modified the control file, removed the preinst script, added the loading of the configfs module and adjusted other scripts and systemd units in the package until it worked.

That's the reason why I was searching for the Ubuntu Debian package sources and the makefile target to build them instead of extracting binary packages and rebuilding them with dpkg-build.

I searched through all nestybox repos because I expected the packaging somewhere within these sources to build the GitHub releases :man_facepalming:

ctalledo commented 3 years ago

Sorry to hear you had to go through such trouble to get the packaging going.

As Rodny mentioned earlier, we keep the packaging code private as part of the Sysbox Enterprise Edition. We don't have plans to change this in the near term as we need some differentiators between the Community and Enterprise editions in order to keep the lights on :)

We however will do a better job of generating Sysbox community edition releases more regularly and often, and will upload the packaged version of Sysbox for each release. Hopefully that will help. Let us know otherwise please.

nudgegoonies commented 3 years ago

Nice to hear that upcoming versions support Debian. I have some suggestions regarding the packaging if not already done in the meantime:

ctalledo commented 3 years ago

Thanks @nudgegoonies for the suggestions.

> In my opinion having configuration files is easier to handle than systemd drop ins

Yes, this is something we intend to do soon. We also want to centralize the config options in a single file, rather than have them separate for sysbox-mgr and sysbox-fs.

> Make use of journald instead of using logfiles by default. Could be easily changed via the configuration files above if journald as default is not wanted.

Makes sense. I gave this a shot some time ago but for some reason could not get it working (never got to the bottom of it). But yes, it's the right thing to do.

> Load configfs module via "install module_name /sbin/modprobe -i -f configfs" file in /etc/modprobe.d/sysbox.conf and run the update-initramfs hook.

I was not aware of a dependency between Sysbox and configfs. Do you know what the dependency is?

> Install executables in /usr/bin instead of /usr/local/bin

Good suggestion; we placed them on /usr/local/bin based on the Linux FHS directive that this is where local binaries installed by the system admin go into, but I can see that /usr/bin is a more appropriate directory (and it's the directory where docker, containerd, systemd, etc. are installed).

These are all good suggestions, thanks. We won't have them by the v0.3.0 release however (next week or so) as we are already generating packages and testing them, but I'll create issues so we can track them and have them in the release after that.

Thanks again!

ctalledo commented 3 years ago

I created a couple of issues to track the requests in the prior comment:

1) Sysbox config file: https://github.com/nestybox/sysbox/issues/220
2) Sysbox installer improvements: https://github.com/nestybox/sysbox/issues/221

nudgegoonies commented 3 years ago

Thank you for creating these tickets.

Regarding the configfs module: without manually loading it beforehand, I get the following error:

```
INFO[2021-03-01 11:47:24] registered new container 52bc313ad87c
INFO[2021-03-01 11:47:24] Container registration completed: id = 52bc313ad87cbf1643147e14e3012dee91f69186c69e264a840d491a1df188f7, initPid = 23315, uid:gid = 165536:165536
INFO[2021-03-01 11:47:24] Container unregistration completed: id = 52bc313ad87cbf1643147e14e3012dee91f69186c69e264a840d491a1df188f7
INFO[2021-03-01 11:47:24] unregistered container 52bc313ad87c
INFO[2021-03-01 11:47:24] released resources for container 52bc313ad87c
docker: Error response from daemon: OCI runtime create failed: container_linux.go:392: starting container process caused: process_linux.go:617: container init caused: rootfs_linux.go:67: setting up rootfs mounts caused: rootfs_linux.go:1080: mounting "tmpfs" to rootfs "/var/lib/docker/165536.165536/overlay2/8bea28c5f78a0534ac53cd7c92ffcf24ea6fca17ab1fc50eb495de4ac3291bb4/merged" at "sys/kernel/config" caused: mkdirall sys/kernel/config with mode 755 failed: mkdir sys/kernel/config: permission denied: unknown.
```

nudgegoonies commented 3 years ago

Maybe this is Debian-specific? The module is not loaded automatically when needed, as you can see above.

By the way, I changed my sysbox packaging regarding loading the configfs module from modprobe.d to modules-load.d. This is easier and does not require an update-initramfs hook. Just place this file here: /usr/lib/modules-load.d/sysbox.conf

configfs

But the module must be loaded within the postinst anyways. Both modprobe.d and modules-load take effect only after reboot.

ctalledo commented 3 years ago

Thanks @nudgegoonies. Regarding this error:

> mkdirall sys/kernel/config with mode 755 failed: mkdir sys/kernel/config: permission denied: unknown

This is a bit strange, as Sysbox is simply creating a dir in the container's /sys/kernel/config; weird that this operation by itself would result in a dependency on configfs. Something is funky so I'll take a closer look.

nudgegoonies commented 3 years ago

I only found an old Debian bug regarding this: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840356
And an old Ubuntu bug: https://bugs.launchpad.net/kolla/+bug/1631072

By the way, I had problems with the jq dependency. It is needed in the debconf and *inst scripts. Simply depending on jq is not enough because jq is used before it is installed (install order different). I had to add a "Pre-Depends: jq" line in the control file to fix it.

rodnymolina commented 3 years ago

@nudgegoonies, yes, I remember seeing something in the past that can probably explain this configfs issue. Will take a look and update our installer dependencies if needed.

Concerning jq, we usually fix this by having users run apt-get install -f, but your suggestion of explicitly setting a pre-dependency may work even better. Will look at that too.

Thanks for reporting these issues and for all the suggestions!

nudgegoonies commented 3 years ago

@rodnymolina Even with "Pre-Depends: jq" jq is not there on the first run of the script. I learned in the debianforum.de that the script is run twice (and thus must be idempotent). And with the "Pre-Depends: jq" the "apt-get install -f" is not needed.
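
The modules-load.d approach from the earlier comment, combined with the point above that maintainer scripts run more than once and must be idempotent, as an added example (not part of the thread and not Sysbox's packaging code). The path /usr/lib/modules-load.d/sysbox.conf comes from the thread; the `ROOT` and `MODPROBE` overrides and all function names are assumptions introduced so the logic can be exercised in a scratch directory.

```sh
#!/bin/sh
# Added example: idempotent postinst-style helper (hypothetical names).
# ROOT and MODPROBE are assumptions so the logic can run against a scratch tree.
ROOT="${ROOT:-}"                    # empty means the real filesystem
MODPROBE="${MODPROBE:-modprobe}"    # overridable for dry runs
CONF="usr/lib/modules-load.d/sysbox.conf"

# True if the running kernel already registers the configfs filesystem type
# (module loaded or built in).
configfs_available() {
    grep -qw configfs "$ROOT/proc/filesystems" 2>/dev/null
}

# Persist the module for future boots. Rewrites only when the content
# differs, so a second run of the script changes nothing.
persist_configfs() {
    target="$ROOT/$CONF"
    if [ -f "$target" ] && [ "$(cat "$target")" = "configfs" ]; then
        return 0
    fi
    mkdir -p "$(dirname "$target")" || return 1
    tmp="$target.tmp.$$"
    printf 'configfs\n' > "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$target"
}

# modules-load.d only applies at boot, so load the module now as well,
# skipping modprobe when the kernel already has configfs.
load_configfs_now() {
    configfs_available && return 0
    "$MODPROBE" configfs
}

ensure_configfs() {
    persist_configfs || return 1
    load_configfs_now || {
        echo "configfs could not be loaded; load it manually or reboot" >&2
        return 1
    }
}

# dpkg passes "configure" as the first argument to postinst.
if [ "${1:-}" = "configure" ]; then
    ensure_configfs
fi
```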

nudgegoonies commented 3 years ago

Another hint regarding Debian 10/buster. Of course the backport kernel is needed. But since last week also the backport of libseccomp2 is required.

rodnymolina commented 3 years ago

@nudgegoonies, just fyi.

As part of our latest release (v0.3.0), we made a few of the enhancements you suggested to our Sysbox installer:

As Cesar mentioned above, we will try to have your other suggestions implemented for our next release. I'll go ahead and close this one now as we are tracking those enhancements in separate issues.