diff --git a/docs/tutorials/05-openshift-rootless-bud.md b/docs/tutorials/05-openshift-rootless-bud.md new file mode 100644 index 0000000000..457385b770 --- /dev/null +++ b/docs/tutorials/05-openshift-rootless-bud.md 
@@ -0,0 +1,418 @@ +![buildah logo](https://cdn.rawgit.com/containers/buildah/master/logos/buildah-logo_large.png) + +# Buildah Tutorial 5 +## Using Buildah to build images in a rootless OpenShift container + +This tutorial will walk you through setting up a container in OpenShift for building images. + +The instructions have been tested on OpenShift 4.3.28 with Buildah 1.14.8. + +Note that the VFS volume mounting is used instead of the more performant fuse. But the the latter does not work at the moment. + +### Prepare a new namespace + +Create a new project in OpenShift called `image-build`. + +Make the registry URL available to the following steps. + +*Note that you need to change this so it matches your OpenShift installation.* + +````console +$ export REGISTRY_URL=default-route-openshift-image-registry.apps.whatever.com +```` + +Login to OpenShift and its registry: + +````console +$ oc login -n image-build +Username: ... +Password: ... +Login successful. + +You have access to N projects, the list has been suppressed. You can list all projects with 'oc projects' + +Using project "image-build". + +$ oc whoami -t | podman login -u $(id -u -n) --password-stdin $REGISTRY_URL +Login Succeeded! +```` + + +### Make builder image + +This is the image that will host the building. It uses the Buildah stable official image, which is based on Fedora 32. + +The image starts a python web server. This allows us to interact with the container via the OpenShift console terminal, demonstrating that building an image works. 
+ + +First create an ImageStream to hold the image: + +````console +$ oc create -f - < Containerfile-buildah < /etc/subuid \ + && echo build:10000:65536 > /etc/subgid + +# Use chroot since the default runc does not work when running rootless +RUN echo "export BUILDAH_ISOLATION=chroot" >> /home/build/.bashrc + +# Use VFS since fuse does not work +RUN mkdir -p /home/build/.config/containers \ + && echo "driver=\"vfs\"" > /home/build/.config/containers/storage.conf + +USER build +WORKDIR /home/build + +# Just keep the container running, allowing "oc rsh" access +CMD ["python3", "-m", "http.server"] +EOF + +$ podman build -t $REGISTRY_URL/image-build/buildah -f Containerfile-buildah +STEP 1: FROM quay.io/buildah/stable:v1.14.8 +STEP 2: RUN touch /etc/subgid /etc/subuid && chmod g=u /etc/subgid /etc/subuid /etc/passwd && echo build:10000:65536 > /etc/subuid && echo build:10000:65536 > /etc/subgid +--> a25dbbd3824 +STEP 3: CMD ["python3", "-m", "http.server"] +STEP 4: COMMIT default-route-openshift-image-registry.../image-build/buildah +--> 9656f2677e3 +9656f2677e3e760e071c93ca7cba116871f5549b28ad8595e9134679db2345fc + +$ podman push $REGISTRY_URL/image-build/buildah +Getting image source signatures +... +Storing signatures +```` + + +### Create Service Account for building images + +Create a service account which is solely used for image building. + +````console +$ oc create -f - < test-script.sh < Containerfile.test < usr/bin +dr-xr-xr-x. 2 root root 6 Jan 28 18:30 boot +drwxr-xr-x. 5 nobody nobody 360 Jul 8 07:39 dev +drwxr-xr-x. 42 root root 4096 Jul 7 09:07 etc +drwxr-xr-x. 2 root root 6 Jan 28 18:30 home +lrwxrwxrwx. 1 root root 7 Jan 28 18:30 lib -> usr/lib +lrwxrwxrwx. 1 root root 9 Jan 28 18:30 lib64 -> usr/lib64 +drwx------. 2 root root 6 Jul 7 09:06 lost+found +drwxr-xr-x. 2 root root 6 Jan 28 18:30 media +drwxr-xr-x. 2 root root 6 Jan 28 18:30 mnt +drwxr-xr-x. 2 root root 6 Jan 28 18:30 opt +drwxr-xr-x. 2 root root 6 Jul 8 07:46 output +dr-xr-xr-x. 
311 nobody nobody 0 Jul 8 07:39 proc +dr-xr-x---. 2 root root 196 Jul 7 09:07 root +drwxr-xr-x. 3 root root 42 Jul 8 07:47 run +lrwxrwxrwx. 1 root root 8 Jan 28 18:30 sbin -> usr/sbin +drwxr-xr-x. 2 root root 6 Jan 28 18:30 srv +dr-xr-xr-x. 13 nobody nobody 0 Jul 5 17:57 sys +-rwxr-xr-x. 1 root root 34 Jul 8 07:47 test-script.sh +drwxrwxrwt. 2 root root 32 Jul 7 09:07 tmp +drwxr-xr-x. 12 root root 144 Jul 7 09:07 usr +drwxr-xr-x. 18 root root 235 Jul 7 09:07 var +STEP 4: RUN dnf update -y | tee /output/update-output.txt +Fedora 33 openh264 (From Cisco) - x86_64 817 B/s | 5.1 kB 00:06 +Fedora - Modular Rawhide - Developmental packag 3.0 MB/s | 3.1 MB 00:01 +Fedora - Rawhide - Developmental packages for t 19 MB/s | 72 MB 00:03 +Dependencies resolved. +Nothing to do. +Complete! +STEP 5: RUN dnf install -y gcc +Last metadata expiration check: 0:00:30 ago on Wed Jul 8 07:48:12 2020. +Dependencies resolved. +================================================================================================================================================================================================================================================== + Package Architecture Version Repository Size +================================================================================================================================================================================================================================================== +Installing: + gcc x86_64 10.1.1-2.fc33 rawhide 30 M +Installing dependencies: + binutils x86_64 2.34.0-7.fc33 rawhide 5.4 M + binutils-gold x86_64 2.34.0-7.fc33 rawhide 857 k + cpp x86_64 10.1.1-2.fc33 rawhide 9.3 M + glibc-devel x86_64 2.31.9000-17.fc33 rawhide 1.0 M + glibc-headers-x86 noarch 2.31.9000-17.fc33 rawhide 472 k + isl x86_64 0.16.1-10.fc32 rawhide 872 k + kernel-headers x86_64 5.8.0-0.rc4.git0.1.fc33 rawhide 1.2 M + libmpc x86_64 1.1.0-8.fc32 rawhide 59 k + libxcrypt-devel x86_64 4.4.16-5.fc33 rawhide 31 k + +Transaction Summary 
+================================================================================================================================================================================================================================================== +Install 10 Packages + +Total download size: 49 M +Installed size: 147 M +Downloading Packages: +(1/10): binutils-gold-2.34.0-7.fc33.x86_64.rpm 3.3 MB/s | 857 kB 00:00 +(2/10): binutils-2.34.0-7.fc33.x86_64.rpm 16 MB/s | 5.4 MB 00:00 +(3/10): cpp-10.1.1-2.fc33.x86_64.rpm 9.3 MB/s | 9.3 MB 00:01 +(4/10): gcc-10.1.1-2.fc33.x86_64.rpm 33 MB/s | 30 MB 00:00 +(5/10): glibc-devel-2.31.9000-17.fc33.x86_64.rpm 1.2 MB/s | 1.0 MB 00:00 +(6/10): glibc-headers-x86-2.31.9000-17.fc33.noarch.rpm 2.6 MB/s | 472 kB 00:00 +(7/10): isl-0.16.1-10.fc32.x86_64.rpm 12 MB/s | 872 kB 00:00 +(8/10): kernel-headers-5.8.0-0.rc4.git0.1.fc33.x86_64.rpm 11 MB/s | 1.2 MB 00:00 +(9/10): libmpc-1.1.0-8.fc32.x86_64.rpm 534 kB/s | 59 kB 00:00 +(10/10): libxcrypt-devel-4.4.16-5.fc33.x86_64.rpm 589 kB/s | 31 kB 00:00 +-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- +Total 35 MB/s | 49 MB 00:01 +Running transaction check +Transaction check succeeded. +Running transaction test +Transaction test succeeded. 
+Running transaction + Preparing : 1/1 + Installing : binutils-gold-2.34.0-7.fc33.x86_64 1/10 + Installing : binutils-2.34.0-7.fc33.x86_64 2/10 + Running scriptlet: binutils-2.34.0-7.fc33.x86_64 2/10 + Installing : libmpc-1.1.0-8.fc32.x86_64 3/10 + Installing : cpp-10.1.1-2.fc33.x86_64 4/10 + Installing : kernel-headers-5.8.0-0.rc4.git0.1.fc33.x86_64 5/10 + Installing : isl-0.16.1-10.fc32.x86_64 6/10 + Installing : glibc-headers-x86-2.31.9000-17.fc33.noarch 7/10 + Installing : libxcrypt-devel-4.4.16-5.fc33.x86_64 8/10 + Installing : glibc-devel-2.31.9000-17.fc33.x86_64 9/10 + Installing : gcc-10.1.1-2.fc33.x86_64 10/10 + Running scriptlet: gcc-10.1.1-2.fc33.x86_64 10/10 + Verifying : binutils-2.34.0-7.fc33.x86_64 1/10 + Verifying : binutils-gold-2.34.0-7.fc33.x86_64 2/10 + Verifying : cpp-10.1.1-2.fc33.x86_64 3/10 + Verifying : gcc-10.1.1-2.fc33.x86_64 4/10 + Verifying : glibc-devel-2.31.9000-17.fc33.x86_64 5/10 + Verifying : glibc-headers-x86-2.31.9000-17.fc33.noarch 6/10 + Verifying : isl-0.16.1-10.fc32.x86_64 7/10 + Verifying : kernel-headers-5.8.0-0.rc4.git0.1.fc33.x86_64 8/10 + Verifying : libmpc-1.1.0-8.fc32.x86_64 9/10 + Verifying : libxcrypt-devel-4.4.16-5.fc33.x86_64 10/10 + +Installed: + binutils-2.34.0-7.fc33.x86_64 binutils-gold-2.34.0-7.fc33.x86_64 cpp-10.1.1-2.fc33.x86_64 gcc-10.1.1-2.fc33.x86_64 glibc-devel-2.31.9000-17.fc33.x86_64 glibc-headers-x86-2.31.9000-17.fc33.noarch + isl-0.16.1-10.fc32.x86_64 kernel-headers-5.8.0-0.rc4.git0.1.fc33.x86_64 libmpc-1.1.0-8.fc32.x86_64 libxcrypt-devel-4.4.16-5.fc33.x86_64 + +Complete! 
+STEP 6: COMMIT myimage +Getting image source signatures +Copying blob fd46c60e883a skipped: already exists +Copying blob f3157b126b5d done +Copying config d3a341d4fd done +Writing manifest to image destination +Storing signatures +--> d3a341d4fd9 +d3a341d4fd993fb4ee84f102e5915fe9ab544f4cd72fd9947beec9e745f12302 + +sh-5.0$ buildah images +REPOSITORY TAG IMAGE ID CREATED SIZE +localhost/myimage latest d3a341d4fd99 22 seconds ago 475 MB +registry.fedoraproject.org/fedora 33 71d10e102a30 23 hours ago 191 MB + +sh-5.0$ ls -l output/ +total 4 +-rw-r--r--. 1 build build 288 Jul 8 07:48 update-output.txt +```` \ No newline at end of file diff --git a/docs/tutorials/README.md b/docs/tutorials/README.md index b8a5ed3ebd..d0c51d272d 100644 --- a/docs/tutorials/README.md +++ b/docs/tutorials/README.md @@ -19,3 +19,8 @@ Learn how Buildah can use the ONBUILD instruction in either a Dockerfile or via **[Include Buildah in your build tool](04-include-in-your-build-tool.md)** Learn how to include Buildah as a library in your build tool. + +**[Rootless OpenShift container](05-openshift-rootless-bud.md)** + +Learn how to build an image from a rootless OpenShift container. +
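Review bot: the builder Containerfile's first RUN step, echoed in the sample output as `STEP 2: RUN touch /etc/subgid /etc/subuid && chmod g=u /etc/subgid /etc/subuid /etc/passwd ...`, gives the owning group the same write access as the owner on /etc/passwd, /etc/subuid and /etc/subgid, and the tutorial gives no reason for it. Please add a comment in the Containerfile explaining why group write access is needed, and drop /etc/passwd from the chmod if the build works without it, given that the image later switches to `USER build`. The same sample output ends at `STEP 3: CMD` and `STEP 4: COMMIT`, while the Containerfile above it has further RUN, USER and WORKDIR instructions, so the output should be regenerated from the Containerfile as committed. Minor: "But the the latter" in the introduction has a doubled word, and the new file ends without a trailing newline.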
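Review bot: the description added in the README.md hunk, "Learn how to build an image from a rootless OpenShift container.", reads as if the container were the source of the build, whereas the tutorial's own heading says images are built in a rootless OpenShift container. Suggest wording such as "Learn how to build images inside a rootless OpenShift container." so the index entry matches the tutorial title. The last added line of the hunk is empty and can be dropped.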