
Bundle container images with appliances

Open agrare opened this issue 2 years ago • 7 comments

In order to run podman-based workers or built-in floe containers on appliances we have to be able to package docker images and deploy them on an appliance without requiring a podman pull at runtime.

One possibility is to package the images in an RPM that would podman load the image into a podman image registry.

It is simple to create alternate image registries by specifying an alternate graphRoot via --root when pulling or loading images.

Related:

  • RPM build https://github.com/ManageIQ/manageiq-rpm_build/pull/455

agrare avatar Apr 05 '24 16:04 agrare

It seems the image storage directory has to be owned by manageiq if we are going to run the containers as that user. I tried to have e.g. /var/lib/manageiq/containers/storage owned by root with runRoot and tmpDir pointing somewhere else, but podman always tries to create other files/directories in the main imagestore.

TODO try additionalimagestores in /etc/containers/storage.conf, doesn't seem to work for non-root containers?

agrare avatar Apr 05 '24 16:04 agrare

For building the RPM I tried using podman load in manageiq.spec.in but that fails due to UID/GID errors:

```
+ podman load --root=/root/rpmbuild/BUILDROOT/manageiq-19.0.0-20240405144727.el9.x86_64/var/lib/manageiq/data/containers/storage --input manageiq-gemset-19.0.0/bundler/gems/manageiq-providers-embedded_terraform-a6319eeb8602/content/containers/opentofu-runner_latest
time="2024-04-05T14:59:24Z" level=warning msg="Using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding sub*ids if not using a network user"
Getting image source signatures
Copying blob sha256:d858e3d4ed076bae0562df26c2c251d1140619a80531f5e6edf1b4b2af55cdb3
Copying blob sha256:4222f9694f4be6c22d86d8a24a6e26d49ed01d1c393bb053ea8003928635446a
Copying blob sha256:c0d7d10a1b4e234d1c9057f8f793cff397a738d3334d3d40b93519d9e81a25ee
Copying blob sha256:716476e198e5a004dab028219afa022f8d56cc497b4f92ee770c52b01d9b61e6
Copying blob sha256:048b0fef4f933bbe51ac1da3d7d93ed17f8bc3c46c05703f41a24f243da46a90
Copying blob sha256:39146e33ec19ce2b054da412b06ccc57e648f3078cdc01dfd1523b9cb22de066
Error: payload does not match any of the supported image formats:
 * oci: writing blob: adding layer with blob "sha256:d858e3d4ed076bae0562df26c2c251d1140619a80531f5e6edf1b4b2af55cdb3": processing tar file(potentially insufficient UIDs or GIDs available in user namespace (requested 0:42 for /etc/shadow): Check /etc/subuid and /etc/subgid if configured locally and run "podman system migrate": lchown /etc/shadow: invalid argument): exit status 1
 * oci-archive: creating temp directory: untarring file "/var/tmp/container_images_oci172047747": read /root/rpmbuild/BUILD/manageiq-gemset-19.0.0/bundler/gems/manageiq-providers-embedded_terraform-a6319eeb8602/content/containers/opentofu-runner_latest: is a directory
 * docker-archive: detecting compression for file "manageiq-gemset-19.0.0/bundler/gems/manageiq-providers-embedded_terraform-a6319eeb8602/content/containers/opentofu-runner_latest": detecting compression: read manageiq-gemset-19.0.0/bundler/gems/manageiq-providers-embedded_terraform-a6319eeb8602/content/containers/opentofu-runner_latest: is a directory
 * dir: open manageiq-gemset-19.0.0/bundler/gems/manageiq-providers-embedded_terraform-a6319eeb8602/content/containers/opentofu-runner_latest/manifest.json: no such file or directory
error: Bad exit status from /var/tmp/rpm-tmp.LXgPB2 (%install)
```

And it doesn't seem possible to add subuid/subgid in the build container for podman to work properly.

```
++ whoami
+ echo root:100000:65536
++ whoami
+ echo root:100000:65536
+ podman system migrate
time="2024-04-05T15:30:43Z" level=error msg="running `/usr/bin/newuidmap 13160 0 0 1 1 100000 65536`: newuidmap: write to uid_map failed: Operation not permitted\n"
Error: cannot set up namespace using "/usr/bin/newuidmap": exit status 1
error: Bad exit status from /var/tmp/rpm-tmp.vbVQ1m (%install)
```

We might need to package the .tar.gz files and podman load them at install time.

agrare avatar Apr 05 '24 16:04 agrare
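As an added example (not code from the ManageIQ repository or from anyone in this thread) covering both the issue's idea of loading into an alternate graph root with `--root` and the proposal above to ship the .tar.gz files and `podman load` them at install time, the script below is what an RPM %post scriptlet could call. It assumes placeholder paths under /var/lib/manageiq/data/containers, a service user named manageiq, and a .sha256 sidecar file next to each archive; the digest check is the part worth keeping, since a scriptlet that loads whatever archive sits on disk would import a truncated or substituted image just as readily as the one that was packaged.

```shell
#!/bin/sh
# Added example, not ManageIQ project code: an install-time loader for bundled
# container image archives, following the approach the thread proposes (ship
# the .tar.gz in the RPM, `podman load` it into an alternate storage root at
# install time, as the user that will run the containers). The paths, the
# user name and the .sha256 sidecar convention are assumptions for this example.
set -eu

IMAGE_DIR="${IMAGE_DIR:-/var/lib/manageiq/data/containers/images}"   # assumed
GRAPH_ROOT="${GRAPH_ROOT:-/var/lib/manageiq/data/containers/storage}" # assumed
SVC_USER="${SVC_USER:-manageiq}"                                      # assumed

# verify_archive ARCHIVE
# Compare the archive's SHA-256 with the sidecar ARCHIVE.sha256 ("HASH  NAME",
# as written by sha256sum). Returns 0 on match, 1 if the sidecar is missing
# or the digest differs, so a damaged or altered archive is never loaded.
verify_archive() {
  archive="$1"
  sumfile="$archive.sha256"
  [ -f "$sumfile" ] || return 1
  expected=$(awk 'NR == 1 { print $1 }' "$sumfile")
  [ -n "$expected" ] || return 1
  actual=$(sha256sum "$archive" | awk '{ print $1 }')
  [ "$expected" = "$actual" ]
}

# load_image ARCHIVE
# Load one verified archive into GRAPH_ROOT. Running podman as SVC_USER keeps
# the image store owned by that user, which the thread found podman needs for
# rootless use; the %post scriptlet runs as root, hence runuser. Rootless
# podman on the appliance still needs subuid/subgid ranges for SVC_USER.
load_image() {
  archive="$1"
  if ! verify_archive "$archive"; then
    echo "refusing to load $archive: checksum missing or mismatched" >&2
    return 1
  fi
  runuser -u "$SVC_USER" -- podman --root "$GRAPH_ROOT" load --input "$archive"
}

# load_all
# Load every *.tar.gz in IMAGE_DIR. A missing or empty directory is not an
# error, but any single failed load aborts the run so the scriptlet fails loudly.
load_all() {
  count=0
  for archive in "$IMAGE_DIR"/*.tar.gz; do
    [ -e "$archive" ] || continue   # glob matched nothing
    load_image "$archive"
    count=$((count + 1))
  done
  echo "loaded $count image archive(s) into $GRAPH_ROOT"
}

# Entry point for the scriptlet: `sh load-images.sh load`. With no argument the
# file only defines the functions, so it can be sourced or tested on its own.
if [ "${1:-}" = "load" ]; then
  load_all
fi
```

The %post scriptlet would invoke this as `sh load-images.sh load`. Because the load runs as the service user through runuser, the appliance (unlike the build container above) must provide subuid/subgid ranges for that user, otherwise podman fails in newuidmap exactly as shown in the `podman system migrate` output.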

@bdunne Please also take a look here.

Fryguy avatar Apr 05 '24 17:04 Fryguy

This issue has been automatically marked as stale because it has not been updated for at least 3 months.

If you can still reproduce this issue on the current release or on master, please reply with all of the information you have about it in order to keep the issue open.

miq-bot avatar Jul 08 '24 00:07 miq-bot

This issue has been automatically marked as stale because it has not been updated for at least 3 months.

If you can still reproduce this issue on the current release or on master, please reply with all of the information you have about it in order to keep the issue open.

miq-bot avatar Oct 14 '24 00:10 miq-bot