search

openshift / os

89 stars 107 forks source link

support "plain" oscontainers #382

Closed cgwalters closed 3 years ago

cgwalters commented 5 years ago

The ostree-repo-in-container model is simple to implement and easy to explain, but it can also be quite opaque to people, requiring anyone looking at to be an expert in both containers and ostree and RPM.

One thing we could do would be to do something "rojig" like - make the oscontainer just look like a regular container (perhaps with tweaks), and add the extra data into the container JSON - flatpak's OCI bits do something like this.

My main concern here is around SELinux and xattrs - while container images support this, since there's no other use case for shipping labels in container images, they may get corrupted/lost? But OTOH the whole Docker/OCI ecosystem relies utterly on shipping container images "pristine" because the checksum is over compressed data.

In theory this would let us support people doing in a Dockerfile:

FROM quay.io/openshift/machine-os-content
COPY /path/to/crio.rpm /tmp
RUN rpm -Uvh /tmp/crio.rpm

We'd just need to have rpm-ostree perform labeling for any unlabeled files...i.e. rather than having pivot/MCD pass the content of the filesystem to something more like ostree commit rather than just doing a pull.

cgwalters commented 4 years ago

Another option would be to have the MCD support layering RPMs included in the oscontainer (as well as unpacked filesystem trees). This would be pretty easy.

cgwalters commented 4 years ago

Another thing this would completely fix is people keep asking for a way to easily inspect the oscontainer (for e.g. security scanning). The fact that the RHCOS oscontainer is FROM scratch makes this much harder than it needs to be.

We recently merged changes into RHCOS to make the oscontainer be FROM registry.access.redhat.com/ubi8/ubi:latest which will at least allow it to be run: https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/928

See also https://github.com/coreos/coreos-assembler/pull/1107 which is used for this.

We may backport this change to 4.5 if it works out well.

cgwalters commented 4 years ago

Regarding security scanning though, a while ago we merged this coreos-assembler change which adds a pkglist.txt.

A related request is that people want a way to easily inspect the oscontainer inside an OpenShift environment; we recently realized it's possible to use multi-stage builds to do this:

FROM quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2fb100a4d5205416ade455b114eb727f8dedcd862948738983e190a8ef57f375
as oscontainer
FROM registry.fedoraproject.org/fedora:31
COPY --from=oscontainer /pkglist.txt /root
RUN cat /root/pkglist.txt
cgwalters commented 4 years ago

Also if we try to drive some of the container stuff into rpm-ostree, let's look at sharing code with flatpak https://github.com/flatpak/flatpak/pull/3606

ashcrow commented 4 years ago

Regarding security scanning though, a while ago we merged this coreos-assembler change which adds a pkglist.txt.

A related request is that people want a way to easily inspect the oscontainer inside an OpenShift environment; we recently realized it's possible to use multi-stage builds to do this:

FROM quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2fb100a4d5205416ade455b114eb727f8dedcd862948738983e190a8ef57f375
as oscontainer
FROM registry.fedoraproject.org/fedora:31
COPY --from=oscontainer /pkglist.txt /root
RUN cat /root/pkglist.txt

This is really close to what I have recommended in some threads as well. Only addition was a find call for sidecar rpms >> into pkglist and a sort as well :+1:

openshift-bot commented 4 years ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot commented 3 years ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten /remove-lifecycle stale

openshift-bot commented 3 years ago

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen. Mark the issue as fresh by commenting /remove-lifecycle rotten. Exclude this issue from closing again by commenting /lifecycle frozen.

/close

openshift-ci-robot commented 3 years ago

@openshift-bot: Closing this issue.

In response to [this](https://github.com/openshift/os/issues/382#issuecomment-743282753): >Rotten issues close after 30d of inactivity. > >Reopen the issue by commenting `/reopen`. >Mark the issue as fresh by commenting `/remove-lifecycle rotten`. >Exclude this issue from closing again by commenting `/lifecycle frozen`. > >/close Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.
cgwalters commented 3 years ago

Moved this to https://github.com/ostreedev/ostree/issues/2251