Atomic System Containers



Giuseppe Scrivano

gscrivan@redhat.com
@gscrivano

Atomic System Containers




"Atomic Host is a lightweight, immutable platform, designed with the sole purpose of running containerized applications." -- http://projectatomic.io
System Containers aim to run services as containers. They can be installed on top of the immutable image, without modifying it.
# Atomic System Containers use
- **runC** to run an OCI container
- **systemd** to manage the life cycle of the service
- **OSTree** for the storage of the images
- **Skopeo** to retrieve images from a Docker registry

Format and Distribution

- The system containers are built and distributed like any other Docker image
- Metadata and configuration files are added as part of the image itself:
- Converting an existing Docker image is simply a matter of adding a few COPY lines to the Dockerfile
- Images are read only!
# So what configuration files are needed?
- *config.json.template* OCI configuration
- *service.template* systemd unit file
- *manifest.json* Settings for the image
- *tmpfiles.template* systemd.tmpfiles

# Configuration files
Files ending in *.template* are preprocessed before installation. Anything in the form *$VAR* or *${VAR}* is replaced in the *.template* files.

etcd Dockerfile


```dockerfile
FROM fedora

RUN dnf -y install etcd hostname && dnf clean all

COPY etcd-env.sh /usr/bin/etcd-env.sh
COPY install.sh  /usr/bin/install.sh
COPY uninstall.sh /usr/bin/uninstall.sh
# metadata and configuration files shipped inside the image (see Format and Distribution)
COPY tmpfiles.template config.json.template \
     service.template manifest.json /exports/
CMD ["/usr/bin/etcd-env.sh", "/usr/bin/etcd"]
```

etcd config.json.template


```json
...
	"platform": {
		"os": "linux",
		"arch": "amd64"
	},
	"process": {
		"terminal": false,
		"user": {
			"uid": 0,
			"gid": 0
		},
		"env": [
			"NAME=$NAME",
			"ETCD_NAME=$ETCD_NAME",
			"ETCD_ADVERTISE_CLIENT_URLS=$ETCD_ADVERTISE_CLIENT_URLS",
			"ETCD_LISTEN_CLIENT_URLS=$ETCD_LISTEN_CLIENT_URLS"
...
```

etcd service.template


```ini
[Unit]
Description="Etcd Server"
After="network.target"

[Service]
ExecStart="$EXEC_START"
ExecStop="$EXEC_STOP"
Restart="on-failure"
WorkingDirectory="$DESTDIR"
RuntimeDirectory="${NAME}"

[Install]
WantedBy="multi-user.target"
```

etcd manifest.json


```json
{
    "version": "1.0",
    "defaultValues": {
	"ETCD_NAME" : "",
	"ETCD_ADVERTISE_CLIENT_URLS" : "",
	"ETCD_LISTEN_CLIENT_URLS" : "",
	"ETCD_INITIAL_ADVERTISE_PEER_URLS" : "",
	"ETCD_LISTEN_PEER_URLS" : "",
	"ETCD_INITIAL_CLUSTER" : "",
...
```

# OCI runtime bundle
An OCI runtime bundle is a directory with the image files and a *config.json* file

```bash
bundle
├── config.json
└── rootfs
    ├── bin
    ├── usr
    └── ...
```

- *rootfs* - contains the file system for the container
- *config.json* - describes how to run the container
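The *.template* preprocessing and the *manifest.json* default values described above, as an added worked example in Python. This is illustrative code written for this page, not the atomic tool's implementation. It uses trimmed copies of the etcd *config.json.template* and *service.template* from the slides, constructed inline, and hypothetical EXEC_START/EXEC_STOP values (the real ones are generated by the tool and are not shown here). Beyond plain substitution it adds two checks a practitioner would want: an unresolved *$VAR* fails the render instead of reaching runC, and a `--set` value containing quotes, backslashes or control characters is refused, because values are pasted verbatim into both a JSON document and a systemd unit, where such characters would change the structure of the generated file.

```python
import json
import re

# Constructed sample inputs, trimmed from the etcd templates shown above
# (not the complete files from the etcd image).
CONFIG_JSON_TEMPLATE = """{
  "process": {
    "terminal": false,
    "user": {"uid": 0, "gid": 0},
    "env": [
      "NAME=$NAME",
      "ETCD_NAME=$ETCD_NAME",
      "ETCD_LISTEN_CLIENT_URLS=${ETCD_LISTEN_CLIENT_URLS}"
    ]
  }
}
"""

SERVICE_TEMPLATE = """[Unit]
Description=Etcd Server

[Service]
ExecStart=$EXEC_START
ExecStop=$EXEC_STOP
WorkingDirectory=$DESTDIR
RuntimeDirectory=${NAME}
"""

# Constructed manifest.json subset: defaults used when --set gives no value.
MANIFEST = {
    "version": "1.0",
    "defaultValues": {"ETCD_NAME": "", "ETCD_LISTEN_CLIENT_URLS": ""},
}

VAR_RE = re.compile(r"\$(\w+)|\$\{(\w+)\}")
# Values are pasted verbatim into JSON and into a systemd unit; neither
# context is escaped, so quotes, backslashes and control characters are refused.
UNSAFE_RE = re.compile(r'[\x00-\x1f"\\]')


def render(template, values):
    """Expand $VAR and ${VAR}. Unknown names raise instead of leaving a
    literal '$VAR' behind in a generated config."""
    unresolved = set()

    def expand(match):
        name = match.group(1) or match.group(2)
        if name not in values:
            unresolved.add(name)
            return match.group(0)
        return values[name]

    rendered = VAR_RE.sub(expand, template)
    if unresolved:
        raise KeyError("unresolved template variables: " + ", ".join(sorted(unresolved)))
    return rendered


def build_values(manifest, name, destdir, overrides):
    """manifest.json defaults, then installer-provided values, then --set overrides."""
    values = dict(manifest.get("defaultValues", {}))
    values.update({
        "NAME": name,
        "DESTDIR": destdir,
        # Hypothetical ExecStart/ExecStop commands; the real values are
        # generated by the atomic tool and are not shown on this page.
        "EXEC_START": f"/bin/runc run {name}",
        "EXEC_STOP": f"/bin/runc kill {name}",
    })
    for key, value in overrides.items():
        if UNSAFE_RE.search(value):
            raise ValueError(f"--set {key}: value contains quote, backslash or control characters")
        values[key] = value
    return values


def render_bundle(name, destdir, overrides):
    """Return (parsed config.json, systemd unit text) for one installation."""
    values = build_values(MANIFEST, name, destdir, overrides)
    config_text = render(CONFIG_JSON_TEMPLATE, values)
    config = json.loads(config_text)  # fails loudly if substitution broke the JSON
    service = render(SERVICE_TEMPLATE, values)
    return config, service


if __name__ == "__main__":
    cfg, unit = render_bundle("etcd", "/var/lib/containers/atomic/etcd.0",
                              {"ETCD_NAME": "node1",
                               "ETCD_LISTEN_CLIENT_URLS": "http://127.0.0.1:2379"})
    print(json.dumps(cfg, indent=2))
    print(unit)
```

Running the block prints the rendered OCI config and unit for review before anything is installed; note that the template on the slides keeps `process.user` at uid/gid 0, so the service runs as root inside the container unless the template is changed.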

Storage

atomic pull --storage ostree IMAGE

A reference to each layer of a Docker image is maintained in an OSTree repository as a branch:
- Take advantage of Docker image layering: only missing layers are fetched.
- Take advantage of OSTree storage: only new files are stored, since OSTree keeps objects by content hash and identical files are shared.

# Image Sources
#### An IMAGE can be pulled from different sources
##### atomic pull --storage ostree ...
- Registry: IMAGE
- Local Docker engine: docker:IMAGE
- Tarball: dockertar:/file/to/file.tar

Installation

atomic install --system [--name=NAME] [--set=NAME=VALUE] IMAGE

- Checkout the image to /var/lib/containers/atomic/*$NAME.0*
- Generate the configuration file for runC
- Generate the configuration file for systemd
- Create symlink *$NAME* -> *$NAME.0*

Atomic Update

atomic containers update [--set=FOO=BAR] CONTAINER

- Checkout the image to /var/lib/containers/atomic/*$NAME.1*
- Generate the configuration file for runC
- Generate the configuration file for systemd
- Stop the service
- Change the symlink *$NAME* -> *$NAME.1* (or *.0*)
- Restart the service

Atomic Rollback

atomic containers rollback CONTAINER

- Stop the service
- Change the symlink *$NAME* -> *$NAME.0* (or *.1*)
- Change systemd configuration file
- Restart the service
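The install, update and rollback procedures above, simulated as an added Python example (illustrative code written for this page, not the atomic tool's own). It assumes a temporary directory standing in for /var/lib/containers/atomic, a checkout stub in place of the real OSTree checkout and configuration generation, and a log list in place of calling systemd to stop and start the service. The one design point worth copying is the symlink switch: the new *$NAME* link is created under a temporary name and renamed over the old one, so there is no moment at which *$NAME* is missing or points at a half-written deployment.

```python
import os
import shutil
import tempfile


def current_target(root, name):
    """Basename of the deployment the $NAME symlink points to, or None."""
    link = os.path.join(root, name)
    if not os.path.islink(link):
        return None
    return os.path.basename(os.readlink(link))


def checkout(root, name, image_ref, slot):
    """Stand-in for checking out the image into $NAME.<slot> and generating
    config.json and the systemd unit for it (the real tool uses OSTree and
    the rendered templates; here placeholders are written)."""
    dest = os.path.join(root, f"{name}.{slot}")
    if os.path.exists(dest):
        shutil.rmtree(dest)
    os.makedirs(os.path.join(dest, "rootfs"))
    with open(os.path.join(dest, "config.json"), "w") as f:
        f.write('{"image": "%s"}\n' % image_ref)
    with open(os.path.join(dest, f"{name}.service"), "w") as f:
        f.write(f"[Service]\nWorkingDirectory={dest}\n")
    return dest


def switch(root, name, slot, log, restart):
    """Point $NAME at $NAME.<slot>: build the new link under a temporary name
    and rename it over the old one (rename(2) replaces the symlink atomically)."""
    link = os.path.join(root, name)
    tmp = link + ".tmp"
    if os.path.lexists(tmp):
        os.unlink(tmp)
    os.symlink(f"{name}.{slot}", tmp)  # relative target, like the real layout
    if restart:
        log.append(f"stop {name}")
    os.replace(tmp, link)
    if restart:
        log.append(f"start {name}")


def install(root, name, image_ref, log):
    if current_target(root, name) is not None:
        raise RuntimeError(f"{name} is already installed; use update")
    checkout(root, name, image_ref, 0)
    switch(root, name, 0, log, restart=False)


def update(root, name, image_ref, log):
    """Check out into the slot not currently in use, then flip the link."""
    current = current_target(root, name)
    if current is None:
        raise RuntimeError(f"{name} is not installed")
    new_slot = 1 if current.endswith(".0") else 0
    checkout(root, name, image_ref, new_slot)
    switch(root, name, new_slot, log, restart=True)


def rollback(root, name, log):
    """Flip the link back to the other slot, if a previous deployment exists."""
    current = current_target(root, name)
    if current is None:
        raise RuntimeError(f"{name} is not installed")
    old_slot = 1 if current.endswith(".0") else 0
    if not os.path.isdir(os.path.join(root, f"{name}.{old_slot}")):
        raise RuntimeError(f"{name}: no previous deployment to roll back to")
    switch(root, name, old_slot, log, restart=True)


def demo():
    """Install, update, roll back twice; return the link target after each step."""
    root = tempfile.mkdtemp(prefix="atomic-sim-")  # stands in for /var/lib/containers/atomic
    log = []
    try:
        install(root, "etcd", "registry.example/etcd:v1", log)  # constructed image refs
        states = {"install": current_target(root, "etcd")}
        update(root, "etcd", "registry.example/etcd:v2", log)
        states["update"] = current_target(root, "etcd")
        rollback(root, "etcd", log)
        states["rollback"] = current_target(root, "etcd")
        rollback(root, "etcd", log)
        states["rollback_again"] = current_target(root, "etcd")
    finally:
        shutil.rmtree(root)
    return states, log


if __name__ == "__main__":
    print(demo())
```

Rollback here only flips between the two slots, matching the *.0* / *.1* description above: a second rollback returns to the updated deployment, and rolling back with no second slot present is an error rather than a dangling link.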
# Future plans:
## Better integration with systemd
Dynamic users? Networkd?
## OS integrated containers
Some containers may need files installed on the host. *atomic install* generates an .rpm file that is managed by the operating system.
# Questions?



http://scrivano.org/static/system-containers-demo

Project Atomic: https://www.projectatomic.io