Add optional embedding of container images #239
Commits on Aug 27, 2024
- Commit 6235ab6
  This version has volume support that is needed for embedding images.
  Signed-off-by: Jacob Weinstock <[email protected]>
- Commit ff15b8a
  Docker was warning about the case of `FROM` not matching `AS`.
  Signed-off-by: Jacob Weinstock <[email protected]>
- Commit 9fc15e8
  Add optional embedding of container images into DinD:
  This helps use cases where images already existing in the DinD cache are needed. Air gap envs, latency constrained/concerned envs, etc.
  Signed-off-by: Jacob Weinstock <[email protected]>
- Commit 9318be6
  Add note on embedded images being optional:
  Signed-off-by: Jacob Weinstock <[email protected]>
- Commit f68dc4b
  Add platform option to pull-images.sh:
  This makes it so that the correct architecture for the embedded images is pulled.
  Signed-off-by: Jacob Weinstock <[email protected]>
- Commit d481896
  Don't git track the images.txt file:
  There is an example file already. The images.txt will be something the user creates for themselves.
  Signed-off-by: Jacob Weinstock <[email protected]>
- Commit 4165fe2
  This removes the need to mv the directory of embedded images. This is accomplished by bind mounting (rw) the read-only images location onto the /var/lib/docker directory in the Hook-docker container. This means that start up doesn't need to wait for the mv command to complete. So startup doesn't incur any delay like it was with the mv. This also means that we can embed a lot more images without having start up issues. In testing, I found that if enough images, compared to the amount of memory available, were embedded then HookOS would not boot up. It would max out on memory. It's possible with enough time that it would have booted but I didn't wait longer than about 30 min.
  Signed-off-by: Jacob Weinstock <[email protected]>
- Commit 72fde59
  Change the way the images are presented to hook-docker:
  Instead of having hook-docker know about mounting the embedded images, the images get mounted with the right permissions and made available to hook-docker at the "usual" location. This decouples this embedding process from hook-docker. This should allow the two to only be coupled by the mount point of /var/run/images.
  Signed-off-by: Jacob Weinstock <[email protected]>
- Commit 385941e
  Add newlines to all files without them:
  Signed-off-by: Jacob Weinstock <[email protected]>
- Commit d0d5e0f
  It adds an unnecessary place to need to be aware of when adding or renaming files.
  Signed-off-by: Jacob Weinstock <[email protected]>
- Commit 04dc1bc
  Make the docker:dind image configurable:
  Allows users to specify specific versions of docker:dind to use.
  Signed-off-by: Jacob Weinstock <[email protected]>
- Commit 4bd7ee6
  Refactor script to pull images:
  This pulls images from the local docker client instead of from the DinD container. This will allow for registries that need to be logged into and any proxying that might be needed to occur during an image pull.
  Signed-off-by: Jacob Weinstock <[email protected]>
- Commit 882aa21
  When existing images in the local Docker image cache existed for an image, the `--platform` arg doesn't matter. This means that when an existing amd64 image is already in the cache, the arm64 pulls will not happen. To fix this, we always delete the image before pulling.
  Signed-off-by: Jacob Weinstock <[email protected]>
- Commit b490bac
  This resolves issues with needing to mount the docker.sock and needing sudo.
  Signed-off-by: Jacob Weinstock <[email protected]>
- Commit 4a8f7ce
  Add note on Docker storage driver:
  Because hook-docker uses the overlay2 storage driver, the local docker client using pull-images.sh must also use the overlay2 storage driver.
  Signed-off-by: Jacob Weinstock <[email protected]>
- Commit 58eb394
  Remove note on host Docker storage driver:
  The host Docker storage driver actually doesn't matter at all because we use DinD. This was my mistake.
  Signed-off-by: Jacob Weinstock <[email protected]>
- Commit de8a316
  This adds the ability to remove the "source image" tag from the final embedded images. This leaves only the "additional tag".
  Signed-off-by: Jacob Weinstock <[email protected]>
- Commit 67a2d6c
  Signed-off-by: Jacob Weinstock <[email protected]>
- Commit 845d6b2
  Check that DinD uses the overlay2 storage driver:
  As hook-docker uses the overlay2 storage driver, the DinD image must use the overlay2 storage driver too.
  Signed-off-by: Jacob Weinstock <[email protected]>
- Commit 6be6b09
  Add ssl certs to SSH container:
  This resolves an issue with things like apk not working in the ssh container.
  Signed-off-by: Jacob Weinstock <[email protected]>
- Commit 50cdc1d
  Remove tabs that were causing the build to fail.
  Signed-off-by: Jacob Weinstock <[email protected]>
- Commit 78f2850
  Update go.mod dependencies. Check for tink-worker image and don't fail the image pull if it doesn't exist. With embedded images, the tink worker could potentially already exist in the local Docker image cache. And the image name could be something unreachable via the network (for example: 127.0.0.1/embedded/tink-worker).
  Signed-off-by: Jacob Weinstock <[email protected]>