Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

support rebase --sysroot for container images #4295

Closed
cgwalters opened this issue Feb 9, 2023 · 4 comments
Closed

support rebase --sysroot for container images #4295

cgwalters opened this issue Feb 9, 2023 · 4 comments
Labels
container-native

Comments

@cgwalters
Copy link
Member

cgwalters commented Feb 9, 2023
edited
Loading

One thing we could do to help coreos/fedora-coreos-tracker#1151
is to support a flow like this:

$ unshare -m   # Avoid leaking mount namespaces
$ coreos-installer install /dev/vda
$ mount /dev/vda4 /mnt
$ mount /dev/vda3 /mnt/boot
$ rpm-ostree rebase --sysroot /mnt ostree-unverified-registry:quay.io/exampleos/foo:latest

We could definitely make this more convenient with e.g. coreos-installer install --mount /mnt /dev/vda which would have coreos-installer use its already extant knowledge of mounts to do it.

We could even streamline this flow like:

$ coreos-installer --ex-container-rebase --ex-container-unsigned quay.io/exampleos/foo:latest /dev/vda

And teach coreos-installer how to invoke rpm-ostree in this way all together.

This would be a shorter term path that would fill the same needs (for CoreOS) as bootc install.
@cgwalters
Copy link
Member Author

That said, the whole

  • running as a systemd unit
  • not as a daemon operating on a separate target root
  • running in a privileged container

bites here...in bootc I did a lot of work to support running in a container, actually bootc doesn't run in systemd today because of this mess.

I think we could probably scope this initially to not running in a privileged container, i.e. coreos-installer and rpm-ostree are both running on a host (e.g. Live ISO). That may help.

@jlebon
Copy link
Member

jlebon commented Feb 14, 2023

Related: #3006

@cgwalters
Copy link
Member Author

Related: #3006

Yes...but OTOH, this is scoped to just switching images, not also layering packages etc. Which is something we actually already support on the ostree side - since it's basically just writing files. (Except of course for things like zipl)

On this topic, wait actually...we already ship what we need here. I just tried this out:

$ unshare -m   # Avoid leaking mount namespaces
$ coreos-installer install /dev/vdb
$ mount /dev/vdb4 /mnt
$ mount /dev/vdb3 /mnt/boot
$ ostree container image deploy --sysroot=/mnt --stateroot fedora-coreos --imgref ostree-unverified-registry:quay.io/fedora/fedora-coreos:testing-devel
error: Performing deployment: Importing: Unencapsulating base: Layer sha256:d3ad2591239620a23a7bb2d00c33cfce93809cce54260d174bb35ddbdeaa253c: Importing objects: Importing object f9/76104c0916a201c2d6677500bbff574d90bc4d0740d906efc0cc4142d88ddf.file: Processing content object f976104c0916a201c2d6677500bbff574d90bc4d0740d906efc0cc4142d88ddf: Importing regfile: min-free-space-percent '3%' would be exceeded, at least 3.6 MB requested

The error here is very revealing - it's because we want to grow the rootfs on firstboot. Which goes right into the design rationale for bootc install making the filesystems directly.

@cgwalters
Copy link
Member Author

Anyways, closing this since I think the raw functionality in ostree container image deploy (clearly distinct from rpm-ostree) is exactly what we want here.

The coreos/fedora-coreos-tracker#1151 issue is a good place to hash out the design stuff on FCOS side.

@cgwalters cgwalters mentioned this issue Feb 14, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
container-native
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cgwalters @jlebon