From 888d46a2f6087ab8b4c188e258793a15e2bc809b Mon Sep 17 00:00:00 2001 From: David Kwon Date: Thu, 8 Aug 2024 09:25:35 -0400 Subject: [PATCH] Update ubi to configure kubedock and podman (#179) Add podman, buildah, skopeo, fuse and kubedock functionality from developer image to base image Signed-off-by: David Kwon --- README.md | 26 ++++++++++- base/ubi8/Dockerfile | 50 ++++++++++++++++++++++ base/ubi8/entrypoint.sh | 13 +----- base/ubi8/kubedock_setup.sh | 49 +++++++++++++++++++++ {universal => base}/ubi8/podman-wrapper.sh | 0 universal/ubi8/Dockerfile | 43 +------------------ universal/ubi8/entrypoint.sh | 48 +-------------------- 7 files changed, 126 insertions(+), 103 deletions(-) create mode 100755 base/ubi8/kubedock_setup.sh rename {universal => base}/ubi8/podman-wrapper.sh (100%) diff --git a/README.md b/README.md index dec8faed..9d597fa0 100644 --- a/README.md +++ b/README.md @@ -15,12 +15,13 @@ $ docker run -ti --rm \ quay.io/devfile/base-developer-image:ubi8-latest \ bash ``` -### Included Developement Tools +### Included Development Tools | Tool | ubi8 based image | |---------------------|-------------------------------------| | `bash` |`bash` | | `bat` |`` | +| `buildah` |`buildah` | | `curl` |`curl` | | `ps` |`ps` | | `diff` |`diffutils` | @@ -32,6 +33,7 @@ $ docker run -ti --rm \ | `ip` |`iproute` | | `jq` |`jq` | | `htop` |`NOT AVAILABLE (fedora only)` | +| `kubedock` |`` | | `less` |`less` | | `lsof` |`lsof` | | `man` |`man` | @@ -39,6 +41,7 @@ $ docker run -ti --rm \ | `netcat` |`NOT AVAILABLE` | | `netstat` |`net-tools` | | `openssh-client` |`openssh-clients` | +| `podman` |`podman` | | `7z` |`p7zip-plugins` | | `ripgrep` |`` | | `rsync` |`rsync` | @@ -50,6 +53,7 @@ $ docker run -ti --rm \ | `sudo` |`sudo` | | `ss` |`NOT AVAILABLE` | | `ssl-cert` |`NOT AVAILABLE` | +| `stow` |`stow` | | `tail` |`` | | `tar` |`tar` | | `time` |`time` | 
@@ -59,7 +63,25 @@ $ docker run -ti --rm \ | `wget` |`wget` | | `zip` |`zip` | | `zsh` |`NOT AVAILABLE (fedora only)` | -| **TOTAL SIZE** | **412MB** (143MB compressed) | +| **TOTAL SIZE** | **903MB** (341MB compressed) | + +### Extending the base image +When extending the base image, `source kubedock_setup` should be called in the new image's entrypoint to set up kubedock support. This sets up a wrapper for podman to use kubedock for the following podman commands if the `KUBEDOCK_ENABLED` env variable is set to `true`: +``` +podman run +podman ps +podman exec +podman cp +podman logs +podman inspect +podman kill +podman rm +podman wait +podman stop +podman start +``` + +An example is available in the Universal Developer Image dockerfile [here](https://github.com/devfile/developer-images/blob/main/universal/ubi8/entrypoint.sh#L3). ## Developer Universal Image diff --git a/base/ubi8/Dockerfile b/base/ubi8/Dockerfile index fa962461..ea50af11 100644 --- a/base/ubi8/Dockerfile +++ b/base/ubi8/Dockerfile @@ -28,6 +28,12 @@ RUN dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.n perl-Digest-SHA net-tools openssh-clients rsync socat sudo time vim wget zip stow && \ dnf clean all +## podman buildah skopeo +RUN dnf -y module enable container-tools:rhel8 && \ + dnf -y update && \ + dnf -y reinstall shadow-utils && \ + dnf -y install podman buildah skopeo fuse-overlayfs + ## gh-cli RUN \ TEMP_DIR="$(mktemp -d)"; \ 
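Review bot: The new `RUN` at the end of this hunk leaves the dnf cache in the layer: the package step just above it ends with `dnf clean all`, but this one stops after `dnf -y install podman buildah skopeo fuse-overlayfs`, so repository metadata and downloaded RPMs are baked into the base image. Change the last line to `dnf -y install podman buildah skopeo fuse-overlayfs && \` followed by `dnf clean all`. The `dnf -y update` in the same step also upgrades every package already in the image to whatever is current at build time, so two builds of the same Dockerfile can differ in content; if that is deliberate, a short comment saying so would stop the next reader from removing it.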
@@ -91,6 +97,50 @@ RUN \ cd - && \ rm -rf "${TEMP_DIR}" + +# Define user directory for binaries +RUN mkdir -p /home/tooling/.local/bin && \ + chgrp -R 0 /home && chmod -R g=u /home && chown -R 10001 /home/tooling +ENV PATH="/home/user/.local/bin:$PATH" +ENV PATH="/home/tooling/.local/bin:$PATH" + +# Set up environment variables to note that this is +# not starting with usernamespace and default to +# isolate the filesystem with chroot. +ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot + +# Tweaks to make rootless buildah work +RUN touch /etc/subgid /etc/subuid && \ + chmod g=u /etc/subgid /etc/subuid /etc/passwd && \ + echo user:10000:65536 > /etc/subuid && \ + echo user:10000:65536 > /etc/subgid + +# Adjust storage.conf to enable Fuse storage. +RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf +RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; \ + touch /var/lib/shared/overlay-images/images.lock; \ + touch /var/lib/shared/overlay-layers/layers.lock + +# But use VFS since not all environments support overlay with Fuse backend +RUN mkdir -p "${HOME}"/.config/containers && \ + (echo '[storage]';echo 'driver = "vfs"') > "${HOME}"/.config/containers/storage.conf && \ + chown -R 10001 "${HOME}"/.config + +# Add kubedock +ENV KUBEDOCK_VERSION 0.15.5 +ENV KUBECONFIG=/home/user/.kube/config +RUN curl -L https://github.com/joyrex2001/kubedock/releases/download/${KUBEDOCK_VERSION}/kubedock_${KUBEDOCK_VERSION}_linux_amd64.tar.gz | tar -C /usr/local/bin -xz --no-same-owner \ + && chmod +x /usr/local/bin/kubedock +COPY --chown=0:0 kubedock_setup.sh /usr/local/bin/kubedock_setup + +# Configure Podman wrapper +ENV PODMAN_WRAPPER_PATH=/usr/bin/podman.wrapper +ENV PODMAN_ORIGINAL_PATH=/usr/bin/podman.orig +COPY --chown=0:0 podman-wrapper.sh "${PODMAN_WRAPPER_PATH}" + +COPY --chown=0:0 podman-wrapper.sh /usr/bin/podman.wrapper +RUN mv /usr/bin/podman /usr/bin/podman.orig + 
COPY --chown=0:0 entrypoint.sh / COPY --chown=0:0 .stow-local-ignore /home/tooling/ RUN \ diff --git a/base/ubi8/entrypoint.sh b/base/ubi8/entrypoint.sh index e4b5b55b..0cdf9eb0 100644 --- a/base/ubi8/entrypoint.sh +++ b/base/ubi8/entrypoint.sh @@ -1,16 +1,5 @@ #!/bin/bash -# Ensure $HOME exists when starting -if [ ! -d "${HOME}" ]; then - mkdir -p "${HOME}" -fi - -# Add current (arbitrary) user to /etc/passwd and /etc/group -if ! whoami &> /dev/null; then - if [ -w /etc/passwd ]; then - echo "${USER_NAME:-user}:x:$(id -u):0:${USER_NAME:-user} user:${HOME}:/bin/bash" >> /etc/passwd - echo "${USER_NAME:-user}:x:$(id -u):" >> /etc/group - fi -fi +source kubedock_setup exec "$@" diff --git a/base/ubi8/kubedock_setup.sh b/base/ubi8/kubedock_setup.sh new file mode 100755 index 00000000..51df8ae6 --- /dev/null +++ b/base/ubi8/kubedock_setup.sh 
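Review bot: The kubedock binary is installed from a tarball that is never integrity-checked: `curl -L .../kubedock_${KUBEDOCK_VERSION}_linux_amd64.tar.gz | tar -C /usr/local/bin -xz --no-same-owner` extracts whatever the download returns straight into `/usr/local/bin`, and with `curl` run without `-f` the only thing rejecting a bad response is tar failing to parse it, so nothing in the build pins the artifact beyond its version string. Download to a temporary file with `curl -fsSL`, check it against a pinned digest recorded next to `KUBEDOCK_VERSION` (`echo "<KUBEDOCK_SHA256_PLACEHOLDER>  kubedock.tar.gz" | sha256sum -c -`), and only then extract. Separately, `podman-wrapper.sh` is copied twice to the same destination — once via `"${PODMAN_WRAPPER_PATH}"` and again as the literal `/usr/bin/podman.wrapper` two lines later — so the second `COPY --chown=0:0 podman-wrapper.sh /usr/bin/podman.wrapper` can be dropped. This hunk ends inside the `RUN \` that follows the `.stow-local-ignore` copy, so that instruction is not reviewed here.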
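Review bot: The removed block was what guaranteed `${HOME}` exists and appended the arbitrary-UID user to `/etc/passwd` and `/etc/group`, and the replacement `source kubedock_setup` does neither; unless that setup has moved somewhere not visible in this diff, a container started with a random UID will run without a passwd entry and the `whoami` lookup the old code guarded against will fail. If it was moved on purpose, a one-line comment above `source kubedock_setup` naming the new location would make that clear. `source kubedock_setup` also resolves the file through `PATH` (bash searches `PATH` for a sourced name that contains no slash), so an image that prepends to `PATH` before this line could shadow it; `source /usr/local/bin/kubedock_setup` pins it to the path this commit's Dockerfile installs it at.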
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# Kubedock setup script meant to be run from the entrypoint script.
+
+if [ "${KUBEDOCK_ENABLED:-false}" = "true" ]; then
+ echo
+ echo "Kubedock is enabled (env variable KUBEDOCK_ENABLED is set to true)."
+
+ SECONDS=0
+ KUBEDOCK_TIMEOUT=${KUBEDOCK_TIMEOUT:-10}
+ until [ -f $KUBECONFIG ]; do
+ if ((SECONDS > KUBEDOCK_TIMEOUT)); then
+ break
+ fi
+ echo "Kubeconfig doesn't exist yet. Waiting..."
+ sleep 1
+ done
+
+ if [ -f $KUBECONFIG ]; then
+ echo "Kubeconfig found."
+
+ KUBEDOCK_PARAMS=${KUBEDOCK_PARAMS:-"--reverse-proxy --kubeconfig $KUBECONFIG"}
+
+ echo "Starting kubedock with params \"${KUBEDOCK_PARAMS}\"..."
+
+ kubedock server ${KUBEDOCK_PARAMS} >/tmp/kubedock.log 2>&1 &
+
+ echo "Done."
+
+ echo "Replacing podman with podman-wrapper..."
+
+ ln -f -s /usr/bin/podman.wrapper /home/tooling/.local/bin/podman
+
+ export TESTCONTAINERS_RYUK_DISABLED="true"
+ export TESTCONTAINERS_CHECKS_DISABLE="true"
+
+ echo "Done."
+ echo
+ else
+ echo "Could not find Kubeconfig at $KUBECONFIG"
+ echo "Giving up..."
+ fi
+else
+ echo
+ echo "Kubedock is disabled. It can be enabled with the env variable \"KUBEDOCK_ENABLED=true\""
+ echo "set in the workspace Devfile or in a Kubernetes ConfigMap in the developer namespace."
+ echo
+ ln -f -s /usr/bin/podman.orig /home/tooling/.local/bin/podman
+fi
diff --git a/universal/ubi8/podman-wrapper.sh b/base/ubi8/podman-wrapper.sh
similarity index 100%
rename from universal/ubi8/podman-wrapper.sh
rename to base/ubi8/podman-wrapper.sh
diff --git a/universal/ubi8/Dockerfile b/universal/ubi8/Dockerfile
index a36eb7a4..e90c9b26 100644
--- a/universal/ubi8/Dockerfile
+++ b/universal/ubi8/Dockerfile
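Review bot: `$KUBECONFIG` is unquoted in both file tests, `until [ -f $KUBECONFIG ]; do` and `if [ -f $KUBECONFIG ]; then`; when the variable is empty each collapses to `[ -f ]`, which is true, so the wait is skipped and `kubedock server` is launched with the default params ending in a bare `--kubeconfig` and no path. Quote them: `until [ -f "$KUBECONFIG" ]; do` and `if [ -f "$KUBECONFIG" ]; then`. The script also prints `Done.` immediately after backgrounding `kubedock server ${KUBEDOCK_PARAMS} >/tmp/kubedock.log 2>&1 &` without checking that the process survived, so a rejected flag in `KUBEDOCK_PARAMS` is only discoverable in `/tmp/kubedock.log`; a `kill -0 "$!"` check after a short delay, or at least echoing the log path, would surface it. Since this file is meant to be sourced, its header comment should also say that it exports `TESTCONTAINERS_RYUK_DISABLED` and `TESTCONTAINERS_CHECKS_DISABLE` and relinks `podman` in the caller's environment.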
@@ -44,7 +44,7 @@ RUN curl -fsSL "https://get.sdkman.io/?rcupdate=false" | bash \ && sdk install jbang \ && sdk flush archives \ && sdk flush temp" \ - && chgrp -R 0 /home/tooling && chmod -R g=u /home/tooling + && chgrp -R 0 /home/tooling && chmod -R g=u /home/tooling # sdk home java ENV JAVA_HOME_8=/home/tooling/.sdkman/candidates/java/8.0.402-tem @@ -96,12 +96,6 @@ ENV KUBECONFIG=/home/user/.kube/config USER 0 -# Define user directory for binaries -RUN mkdir -p /home/tooling/.local/bin && \ - chgrp -R 0 /home && chmod -R g=u /home -ENV PATH="/home/user/.local/bin:$PATH" -ENV PATH="/home/tooling/.local/bin:$PATH" - # Required packages for AWT RUN dnf install -y libXext libXrender libXtst libXi 
@@ -206,46 +200,11 @@ ENV TKN_VERSION=1.14.0 RUN curl -L https://mirror.openshift.com/pub/openshift-v4/clients/pipelines/${TKN_VERSION}/tkn-linux-amd64.tar.gz | tar -C /usr/local/bin -xz --no-same-owner \ && chmod +x /usr/local/bin/tkn /usr/local/bin/opc /usr/local/bin/tkn-pac -## podman buildah skopeo -RUN dnf -y module enable container-tools:rhel8 && \ - dnf -y update && \ - dnf -y reinstall shadow-utils && \ - dnf -y install podman buildah skopeo fuse-overlayfs RUN echo 'alias docker=podman' >> ${PROFILE_EXT} -# Set up environment variables to note that this is -# not starting with usernamespace and default to -# isolate the filesystem with chroot. -ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot - -# Tweaks to make rootless buildah work -RUN touch /etc/subgid /etc/subuid && \ - chmod g=u /etc/subgid /etc/subuid /etc/passwd && \ - echo user:10000:65536 > /etc/subuid && \ - echo user:10000:65536 > /etc/subgid - -# Adjust storage.conf to enable Fuse storage. -RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf -RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; \ - touch /var/lib/shared/overlay-images/images.lock; \ - touch /var/lib/shared/overlay-layers/layers.lock - -# But use VFS since we were not able to make Fuse work yet... 
-RUN mkdir -p "${HOME}"/.config/containers && \ - (echo '[storage]';echo 'driver = "vfs"') > "${HOME}"/.config/containers/storage.conf - # Configure container engine COPY --chown=0:0 containers.conf /etc/containers/containers.conf -# Install kubedock -ENV KUBEDOCK_VERSION 0.15.5 -RUN curl -L https://github.com/joyrex2001/kubedock/releases/download/${KUBEDOCK_VERSION}/kubedock_${KUBEDOCK_VERSION}_linux_amd64.tar.gz | tar -C /usr/local/bin -xz --no-same-owner \ - && chmod +x /usr/local/bin/kubedock - -# Configure the podman wrapper -COPY --chown=0:0 podman-wrapper.sh /usr/bin/podman.wrapper -RUN mv /usr/bin/podman /usr/bin/podman.orig - ENV K8S_VERSION=1.28 ## kubectl RUN < KUBEDOCK_TIMEOUT )); then - break - fi - echo "Kubeconfig doesn't exist yet. Waiting..." - sleep 1 - done - - if [ -f $KUBECONFIG ]; then - echo "Kubeconfig found." - - KUBEDOCK_PARAMS=${KUBEDOCK_PARAMS:-"--reverse-proxy --kubeconfig $KUBECONFIG"} - - echo "Starting kubedock with params \"${KUBEDOCK_PARAMS}\"..." - - kubedock server ${KUBEDOCK_PARAMS} > /tmp/kubedock.log 2>&1 & - - echo "Done." - - echo "Replacing podman with podman-wrapper..." - - ln -f -s /usr/bin/podman.wrapper /home/tooling/.local/bin/podman - - export TESTCONTAINERS_RYUK_DISABLED="true" - export TESTCONTAINERS_CHECKS_DISABLE="true" - - echo "Done." - echo - else - echo "Could not find Kubeconfig at $KUBECONFIG" - echo "Giving up..." - fi -else - echo - echo "Kubedock is disabled. It can be enabled with the env variable \"KUBEDOCK_ENABLED=true\"" - echo "set in the workspace Devfile or in a Kubernetes ConfigMap in the developer namespace." - echo - ln -f -s /usr/bin/podman.orig /home/tooling/.local/bin/podman -fi - +source kubedock_setup # Stow ## Required for https://github.com/eclipse/che/issues/22412