bib: switch to use bootc install to-filesystem (HMS-3453)
#304
Conversation
Hmmm...I know I keep saying this but it seems good to try to keep at least some of this. I haven't dug into the details of the relevant pipelines but as far as I am aware it should be logically equivalent to basically do: current pipeline
this pipeline
Is the problem here mainly that we've lost an ergonomic way to do "find default deployment root" (subject of some debate in osbuild/osbuild). That seems pretty easy to fix if so...something like: And our serialized Or hmmm...maybe actually |
|
Or maybe a
Then one could just directly write to (Side note to self...we would want to detect the etc-transient flag when dealing with |
mvo5
changed the title
bootc install to-filesystembootc install to-filesystem (HMS-3453)
Thank you for your thoughts on this! The issue so far was that I had the misconception that we should not write to the deployment root directly. We have ways in osbuild to find the default deployment since osbuild/osbuild#1553 so that should be straightforward. So it seems we could re-add customizations via:
If that sounds correct we could look into this in a followup. Unfortunately the main thing we need to re-add would be users so we need to carefully explore this - I would love to look into json user records for this, but it needs at least a configuration change to sshd_config [0]. There is the extra complication that it does not solve the issue of clashing UIDs, i.e. if there is a user created by bib with uid=1000 and the bootc-image (for whatever reason) has files belonging to UID=1000 (for a different username). But that is something we can/could detect and just error (not on day-2 though, that would need support from bootc). Alternatively we could just keep using the org.osbuild.ostree.passwd stage [1] (which is what we do today). Thoughts very welcome - but that all sounds like followup material? [0] https://www.freedesktop.org/software/systemd/man/latest/userdbctl.html#Integration%20with%20SSH P.S. There is of course the issue with passwordless ssh in systemd-home systemd/systemd#17300 that may be a problem here too |
mvo5
force-pushed
the
switch-to-bootc-install-to-fs
branch
from
84fe5a4
to
13b7143
Compare
|
Yeah, it is possible to create conflicts by configuring users statically both in the disk image and container image today. (btw I did https://containers.github.io/bootc/building/users-and-groups.html which...doesn't explicitly touch on this but should) I think we have a design question here: When creating users in bib, should it be static (i.e. we create I lean more towards the latter it avoids the physical This relates to whether SSH keys are maintained via tmpfiles.d in This all said, using sysusers for interactive users and JSON user records (or altfiles, or something else) is treading a bit of new ground and it may be simplest to follow the "static" path. |
mvo5
force-pushed
the
switch-to-bootc-install-to-fs
branch
2 times, most recently
from
5f1e24b
to
1648936
Compare
It's more than that, systemd-homed isn't enabled in c9s note. (It's...a giant thing with a lot of system implications, so) |
|
So for this PR, do we hold off until we figure out the customization story, or do we merge it and work on post-deploy customizations separately (in the meantime telling users to do everything in the base container)? |
|
I'd like it if we could merge it now so we get iterating on any issues that might come up with this change. |
With the latest version of images we now use the `bootc install to-filesystem` feature instead of our own ostree deploy pipeline. This means that most of our customizations need to be disabled and we need to decide if we will port them in some form or update our README to encourage the use of derrived containters for them.
On casual reading `nexp` reads almost like a typo of `next` and it's generally a bit short. Let's make it very explicit instead :)
With the move to bootc install to-filesystem we cannot currently customize users except for roots ssh authorized_keys. So make this the only allowed option. Note that it would be nicer if that would be symetric to bootc --root-ssh-authorized-keys that takes a file but our image customizations currently only support a single key. So start here by marking it experimental to unblock tests and fix images to eventually be symetric.
This commit removes the -config options from bib. Blueprint customizations are no longer supported with the move to bootc install to-filesystem. This is fine but we need to reflect it in our docs. It also updates the example with an example how to create an image with an user. This might be slightly controversial but I think it's rather important to give users a quick path to success (and the updated README also links to the upstream docs for a more indepth discussion).
This was removed in osbuild/images#542
Rename the --config option to --iso-config and error if it is used for anything other than the ISO image.
|
Hm, tests fail in GH with: which I cannot reproduce locally so probably related to the env in GH that this runs in :/ |
mvo5
force-pushed
the
switch-to-bootc-install-to-fs
branch
2 times, most recently
from
69c563a
to
0b616b7
Compare
|
Seems containers/bootc@b8f2b6d#diff-fe45e8cd8b566039edc4c6a4e80f355754d32078b45e465a407e22e27c39741aR649 should fix that. What version are we using right now in tests? |
With the switch to bootc we need to adjust the testing. We inject a root ssh key now and just use that for login.
mvo5
force-pushed
the
switch-to-bootc-install-to-fs
branch
from
0b616b7
to
1ebdf76
Compare
Thanks! Nice one I'm not sure what we have, maybe we should print this as part of the metadata for the tests what version of bootc is used. I will look into this, will make understanding issues like this a lot easier :) [edit: looks like this happens with |
Since we're pulling containers, the container ID should be enough, but that might be adding extra steps to the debugging process so maybe you're right. Perhaps running the container and doing a |
|
Hm, this will not work as is I think - centos-bootc is at booc 0.1.7 afaict but we need containers/bootc#407 from 0.1.9 to make the ssh login work. We could explore alternatives of course to the root ssh keys … |
| @@ -233,12 +235,13 @@ func manifestFromCobra(cmd *cobra.Command, args []string) ([]byte, error) { | |||
| } | |||
|
|
|||
| imgref := args[0] | |||
| configFile, _ := cmd.Flags().GetString("config") | |||
| isoConfigFile, _ := cmd.Flags().GetString("iso-config") | |||
There was a problem hiding this comment.
I thought the config actually didn't apply to the ISO at all? Or am I missing something?
| @@ -262,79 +261,6 @@ The following volumes can be mounted inside the container: | |||
| | `/store` | Used for the [osbuild store](https://www.osbuild.org/) | No | | |||
| | `/rpmmd` | Used for the DNF cache | No | | |||
|
|
|||
| ## 📝 Build config | |||
|
|
|||
| A build config is a JSON file with customizations for the resulting image. A path to the file is passed via the `--config` argument. The customizations are specified under a `blueprint.customizations` object. | |||
There was a problem hiding this comment.
Would it be helpful to have a realtime sync on this? I sent an invite.
| @@ -144,7 +144,6 @@ Flags: | |||
| | Argument | Description | Default Value | | |||
| |------------------|------------------------------------------------------------------|:-------------:| | |||
| | **--chown** | chown the ouput directory to match the specified UID:GID | ❌ | | |||
| | **--config** | Path to a [build config](#-build-config) | ❌ | | |||
There was a problem hiding this comment.
The thing is this is used elsewhere so I think we may be partially committed short term.
(There is some things related to this, like the fact I don't quite understand why it's JSON and not TOML as seems would be expected for blueprints, but that's an aside)
There was a problem hiding this comment.
I don't quite understand why it's JSON and not TOML
No real (good) reason other than the initial version BIB was heavily based on https://github.com/osbuild/images/blob/main/cmd/build/main.go, which is used for test image builds and it was simpler to use the json formatting for config files.
Since we're moving towards making it more explicit that this config is an instance of an Image Builder blueprint, I agree that we should make it a toml to make the connection clearer.
| manifestCmd.Flags().String("rpmmd", "/rpmmd", "rpm metadata cache directory") | ||
| manifestCmd.Flags().String("target-arch", "", "build for the given target architecture (experimental)") | ||
| manifestCmd.Flags().StringArray("type", []string{"qcow2"}, fmt.Sprintf("image types to build [%s]", allImageTypesString())) | ||
| manifestCmd.Flags().Bool("local", false, "use a local container rather than a container from a registry") | ||
| // XXX: hide from help? | ||
| manifestCmd.Flags().String("experimental-root-ssh-authorized-key", "", "authorized ssh key for root as string") |
There was a problem hiding this comment.
Not opposed to this, but the more I've been thinking about this (you probably saw) the more I feel we need to build up the story of using blueprints/kickstarts in container builds and align that with disk image generation and not emphasize one-offs like this.
And yes I know I added it to bootc install, but the use case is different there in a way because the bootc install is really low level and I was thinking of it more like a generic low level escape hatch.
But here we can be more opinionated I think.
I am working to unstick this...as you might imagine, Random Process Stuff is holding it up... |
This is indeed another case of a missing syscall in qemu-user, I attached the fix here and will test/sent it to upstream [submitted upstream as https://www.mail-archive.com/[email protected]/msg1034508.html] |
| @@ -265,8 +261,6 @@ func manifestForISO(c *ManifestConfig, rng *rand.Rand) (*manifest.Manifest, erro | |||
| }, | |||
| } | |||
|
|
|||
| img.ISOLabelTmpl = "Container-Installer-%s" | |||
There was a problem hiding this comment.
I think we want something like img.ISOLabel = fmt.Sprintf("Container-Installer-%s", c.Architecture.String()) here instead. I'm not deeply familiar with ISOs, but I think we should keep the label.
There was a problem hiding this comment.
Thank you! I fixed this in #342
|
Fwiw, this is being reworked right now so that the |
That makes sense and looks generally useful, thoguh containers/bootc#462 is arguably what we should be doing here, right? |
(We covered some of this in relatime chat, but I want to record here too) Basically I think there are potential use cases for multiple paths:
In particular an advantage of the disk image flow is that in some cases, it's easier to "secure" the disk image than it is the container image, and having "bootstrap secrets" only in the disk images makes a lot of sense. |
|
Given that we agreed we cannot drop customizations I close this one, the latest approach (that keeps customizations) is in #342 |
This PR switches bib to the version of the images library from PR osbuild/images#462 that defaults to use
bootc install to-filesystem. Because some things will work differently in this model this PR touches a lot of things:-configoption as we currently have only very limited support for them in the new world (for the iso the customizations are still supported via --iso-config)This is ready now but I expect test failures until containers/bootc#407 is available in our tested containers.