Closed cgwalters closed 3 years ago
Another option would be to have the MCD support layering RPMs included in the oscontainer (as well as unpacked filesystem trees). This would be pretty easy.
Another thing this would completely fix is people keep asking for a way to easily inspect the oscontainer (for e.g. security scanning). The fact that the RHCOS oscontainer is FROM scratch
makes this much harder than it needs to be.
We recently merged changes into RHCOS to make the oscontainer be FROM registry.access.redhat.com/ubi8/ubi:latest
which will at least allow it to be run: https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/928
See also https://github.com/coreos/coreos-assembler/pull/1107 which is used for this.
We may backport this change to 4.5 if it works out well.
Regarding security scanning though, a while ago we merged this coreos-assembler change which adds a pkglist.txt
.
A related request is that people want a way to easily inspect the oscontainer inside an OpenShift environment; we recently realized it's possible to use multi-stage builds to do this:
FROM quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2fb100a4d5205416ade455b114eb727f8dedcd862948738983e190a8ef57f375
as oscontainer
FROM registry.fedoraproject.org/fedora:31
COPY --from=oscontainer /pkglist.txt /root
RUN cat /root/pkglist.txt
Also if we try to drive some of the container stuff into rpm-ostree, let's look at sharing code with flatpak https://github.com/flatpak/flatpak/pull/3606
Regarding security scanning though, a while ago we merged this coreos-assembler change which adds a
pkglist.txt
.A related request is that people want a way to easily inspect the oscontainer inside an OpenShift environment; we recently realized it's possible to use multi-stage builds to do this:
FROM quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2fb100a4d5205416ade455b114eb727f8dedcd862948738983e190a8ef57f375 as oscontainer FROM registry.fedoraproject.org/fedora:31 COPY --from=oscontainer /pkglist.txt /root RUN cat /root/pkglist.txt
This is really close to what I have recommended in some threads as well. Only addition was a find
call for sidecar rpms >>
into pkglist and a sort
as well :+1:
Issues go stale after 90d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle stale
.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen
.
If this issue is safe to close now please do so with /close
.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle rotten
.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen
.
If this issue is safe to close now please do so with /close
.
/lifecycle rotten /remove-lifecycle stale
Rotten issues close after 30d of inactivity.
Reopen the issue by commenting /reopen
.
Mark the issue as fresh by commenting /remove-lifecycle rotten
.
Exclude this issue from closing again by commenting /lifecycle frozen
.
/close
@openshift-bot: Closing this issue.
Moved this to https://github.com/ostreedev/ostree/issues/2251
The ostree-repo-in-container model is simple to implement and easy to explain, but it can also be quite opaque to people, requiring anyone looking at to be an expert in both containers and ostree and RPM.
One thing we could do would be to do something "rojig" like - make the oscontainer just look like a regular container (perhaps with tweaks), and add the extra data into the container JSON - flatpak's OCI bits do something like this.
My main concern here is around SELinux and xattrs - while container images support this, since there's no other use case for shipping labels in container images, they may get corrupted/lost? But OTOH the whole Docker/OCI ecosystem relies utterly on shipping container images "pristine" because the checksum is over compressed data.
In theory this would let us support people doing in a
Dockerfile
:We'd just need to have rpm-ostree perform labeling for any unlabeled files...i.e. rather than having pivot/MCD pass the content of the filesystem to something more like
ostree commit
rather than just doing a pull.