
Podman sysext #1964

Merged
merged 2 commits into from
May 3, 2024

Conversation

JeWe37 (Contributor) commented Apr 29, 2024

Podman sysext

Initial work on getting a podman sysext to work, see flatcar/Flatcar#112. For now just includes the basic ebuilds required to build the sysext.

A few minor changes to the infrastructure were made, it's now possible to pass the debug flag to emerge when building packages and a sysext can now be built based on multiple packages. The latter was useful as I wanted to include passt for pasta rootless networking in the podman sysext.

Next I intend to look into what a mangle script should include, particularly based on the prior work on podman sysexts based on the docker builder.

This is very much my first time working with this repo, as such I am not familiar with the context. The ebuilds were pulled directly from gentoo. For most, masking on amd64 was disabled and were otherwise kept as-is. For the podman ebuild in particular, gpgme was added as a BDEPEND, as otherwise building the binary package would fail. There appear to be scripts responsible for updating the ebuilds, how does one integrate with those?

How to use

Inside the SDK container, on a host with a kernel that is not too recent (otherwise the ZFS sysext won't build):

./build_packages
./build_image sysext

Testing done

Next to none. This is very much a draft.

  • Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update)
  • Inspected CI output for image differences: /boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.

pothos (Member) commented Apr 29, 2024

Thanks, for the config or service files we might need to have them be under /usr if that isn't already the case. If /usr is not usable for config files, as is the case for /etc/subuid, /etc/subgid, we would need to create them on load with a helper service. See build_library/sysext_mangle_* and sdk_container/src/third_party/coreos-overlay/coreos-base/oem-*/files/manglefs.sh.

JeWe37 (Contributor, Author) commented Apr 29, 2024

Alright, latest draft takes care of the mangle script. I still want to do some more testing but not today.

The mangle script in its current form sets up the UID/GID mapping via systemd-tmpfiles which seemed like the neatest solution, alongside the required config files. It also ignores podman* bridge networks, sets up dbus which podman wants for cgroup management, and cleans up extraneous files (only required for development etc.).
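As an added illustration of the two points raised above (config that cannot live under /usr being created on load, and a mangle script that writes the tmpfiles fragment, ignores podman* bridges and strips development files), here is a minimal manglefs-style script. It is example code written for this discussion, not the PR's own mangle script or anything from the flatcar/scripts repository; the file names under the rootfs, the `core` user and the `100000:65536` subordinate ID range are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: a minimal manglefs-style script for a Podman sysext rootfs.
# Not the PR's own mangle script; the fragment file names, the 'core' user and
# the 100000:65536 subordinate ID range are assumed/constructed values.
set -eu

# Rewrite an already-built sysext root (first argument) in place.
mangle_podman_rootfs() {
    rootfs="$1"

    # /etc is not shipped by a sysext image, so the subuid/subgid mapping that
    # rootless Podman needs is created on the host at boot by systemd-tmpfiles,
    # driven by a fragment that does live under /usr. Type 'f' only writes the
    # file if it does not exist yet, so a host-managed mapping is not clobbered.
    mkdir -p "$rootfs/usr/lib/tmpfiles.d"
    cat > "$rootfs/usr/lib/tmpfiles.d/podman-subid.conf" <<'EOF'
# Type  Path          Mode  UID   GID   Age  Argument (written only if the file is missing)
f       /etc/subuid   0644  root  root  -    core:100000:65536
f       /etc/subgid   0644  root  root  -    core:100000:65536
EOF

    # Leave Podman's bridge interfaces alone so that systemd-networkd does not
    # try to configure them.
    mkdir -p "$rootfs/usr/lib/systemd/network"
    cat > "$rootfs/usr/lib/systemd/network/50-podman-unmanaged.network" <<'EOF'
[Match]
Name=podman*

[Link]
Unmanaged=yes
EOF

    # Development-only content is not needed at runtime; dropping it keeps the
    # image small (which directories qualify is a per-package decision).
    rm -rf "$rootfs/usr/include" "$rootfs/usr/share/man" "$rootfs/usr/lib/debug"
}

# Returns 0 when a rootfs carries the artefacts above and none of the dropped
# directories, so the result of the mangle step can be checked in CI.
check_mangled_rootfs() {
    rootfs="$1"
    grep -q '^f *\/etc\/subuid ' "$rootfs/usr/lib/tmpfiles.d/podman-subid.conf" &&
    grep -q '^f *\/etc\/subgid ' "$rootfs/usr/lib/tmpfiles.d/podman-subid.conf" &&
    grep -q '^Name=podman\*$' "$rootfs/usr/lib/systemd/network/50-podman-unmanaged.network" &&
    grep -q '^Unmanaged=yes$' "$rootfs/usr/lib/systemd/network/50-podman-unmanaged.network" &&
    [ ! -e "$rootfs/usr/include" ] && [ ! -e "$rootfs/usr/share/man" ]
}

# Stand-alone usage: sh mangle_podman_rootfs.sh <rootfs-dir>
if [ "$#" -ge 1 ]; then
    mangle_podman_rootfs "$1"
    check_mangled_rootfs "$1" && echo "mangled $1"
fi
```

Everything the script writes goes under /usr inside the image; the only files that end up in /etc are created on the running host by systemd-tmpfiles, which is the pattern pothos describes for config that /usr cannot hold.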

JeWe37 (Contributor, Author) commented Apr 30, 2024

Regarding the BDEPEND issue for podman, that is arguably an upstream issue, filed that as a bug.

For this PR I used Gentoo unstable versions, is that acceptable? Or should I revert to using only the currently stable versions? I also may need to unmask arm64 separately, I can't test on that myself.

JeWe37 (Contributor, Author) commented Apr 30, 2024

Seems to all be working nicely now. I went through and tested what I can think of, running podman containers in rootful and rootless modes works, so do quadlet and pasta networking.

JeWe37 marked this pull request as ready for review April 30, 2024 18:41

JeWe37 (Contributor, Author) commented May 1, 2024

So the gpgme issue makes less sense than I expected. With it being in DEPEND, it is installed into the BOARD_ROOT, which should be sufficient. But somehow it is required to be present in the actual / root. The easiest fix for this is to just add it as a package to the SDK container, but this may be some deeper issue that wouldn't be resolved by doing that.

JeWe37 temporarily deployed to development May 2, 2024 07:18 with GitHub Actions

pothos (Member) commented May 2, 2024

We also need to unmask the arm64 arch for Podman: arm64 build error is - app-containers/podman-5.0.2::portage-stable (masked by: ~arm64 keyword).

pothos (Member) commented May 2, 2024

I kicked off a build again, rebased so that we have your extension built as artifact. I'll give it a try soon - your tests sound very promising, I hope we don't run into corner cases that need workarounds. I didn't expect the quadlet to work, for example, but it kind of makes sense because the daemon-reload we trigger would generate the units.

JeWe37 (Contributor, Author) commented May 2, 2024

My mistake, it seems I committed the removal of gpgme from the BDEPEND from my testing. I'll fix that in a bit.

pothos (Member) commented May 3, 2024

Looks great, you can ignore the test failure here, fix in flatcar/mantle#530 (The other two are failing due to the GitHub Action setup).

pothos (Member) left a review comment

Great work!

Can you also create a file changelog/changes/2024-05-03-podman.md with

- Provided a Podman Flatcar extension as optional systemd-sysext image with the release. Write 'podman' to `/etc/flatcar/enabled-sysext.conf` through Ignition and the sysext will be installed during provisioning ([scripts#1964](https://github.com/flatcar/scripts/pull/1964))

and when done, please squash all commits into one - but no problem, I can also do it with the merge button.

After merging we should also add a kola test (new file) and docs for this (extension overview and new file), if you want, you can try this but up to you :)

Commit message:

Enabled user session dbus in base image to support podman rootless mode.
Extension images can now be created from multiple packages by separating
them with a comma. The podman sysext includes app-containers/podman and
net-misc/passt.
It can be enabled by adding podman to /etc/flatcar/enabled-sysext.conf.
Potential TODO: gpgme had to be added as BDEPEND to podman ebuild.

JeWe37 (Contributor, Author) commented May 3, 2024

Squashed and changelog added! Commit message is hopefully in the right format.

pothos merged commit cd849d6 into flatcar:main May 3, 2024
1 check failed

pothos (Member) commented May 3, 2024

Thank you
