Atomic System Containers

Giuseppe Scrivano

Atomic System Containers

"Atomic Host is a lightweight, immutable platform, designed with the sole purpose of running containerized applications." --
System Containers aim is to run services as containers. They can be installed on top of the immutable image.
# Atomic System Containers use
- **runC** to run an OCI container
- **systemd** to manage the life cycle of the service
- **OSTree** for the storage of the images
- **Skopeo** to retrieve images from a Docker registry

Format and Distribution

- The system containers are built and distributed like any other Docker container
- Metadata and configuration files are added as part of the image itself
- Converting an existing Docker image is simply a matter of COPYing some additional files in the Dockerfile
- Images are read-only!
# So what configuration files are needed?
- *config.json.template* OCI configuration
- *service.template* systemd unit file
- *manifest.json* Settings for the image
- *tmpfiles.template* systemd.tmpfiles

# Configuration files
Files ending in *.template* are preprocessed before installation. Anything in the form *$VAR* or *${VAR}* is replaced in the *.template* files.

etcd Dockerfile

```dockerfile
FROM fedora

RUN dnf -y install etcd hostname && dnf clean all

COPY /usr/bin/
COPY /usr/bin/
COPY /usr/bin/
COPY tmpfiles.template config.json.template \
     service.template manifest.json /exports/
CMD ["/usr/bin/", "/usr/bin/etcd"]
```

etcd config.json.template

```json
{
	"platform": {
		"os": "linux",
		"arch": "amd64"
	},
	"process": {
		"terminal": false,
		"user": {
			"uid": 0,
			"gid": 0
		},
		"env": [
```

etcd service.template

```ini
Description="Etcd Server"
```

etcd manifest.json

```json
{
    "version": "1.0",
    "defaultValues": {
	"ETCD_NAME" : "",
```

# OCI runtime bundle
An OCI runtime bundle is a directory with the image files and a *config.json* file

```bash
bundle
├── config.json
└── rootfs
    ├── bin
    ├── usr
    └── ...
```

- *rootfs* - contains the file system for the container
- *config.json* - describes how to run the container


```bash
atomic pull --storage ostree IMAGE
```

A reference to each layer of a Docker image is kept in the OSTree repository as a branch:
- Takes advantage of Docker image layering: only missing layers are fetched.
- Takes advantage of OSTree storage: only new files are stored.

# Image Sources
#### An IMAGE can be pulled from different sources
##### atomic pull --storage ostree ...
- Registry: IMAGE
- Local Docker engine: docker:IMAGE
- Tarball: dockertar:/file/to/file.tar


```bash
atomic install --system [--name=NAME] [--set=NAME=VALUE] IMAGE
```

- Checkout the image to /var/lib/containers/atomic/*$NAME.0*
- Generate the configuration file for runC
- Generate the configuration file for systemd
- Create symlink *$NAME* -> *$NAME.0*
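The template preprocessing and the `--set` overrides described above, as an added example that is not the atomic project's own code: manifest `defaultValues` are merged with `--set=KEY=VALUE`, every `$VAR` / `${VAR}` in `config.json.template` is replaced textually, and the result is parsed before it could reach runC. The manifest, template, `NAME` variable and the handling of unset variables are assumptions for this example.

```python
import json
import re

# Constructed sample inputs standing in for the files under /exports/ in the image.
MANIFEST_JSON = """{
    "version": "1.0",
    "defaultValues": {"ETCD_NAME": "default", "ETCD_DATA_DIR": "/var/lib/etcd"}
}"""

CONFIG_JSON_TEMPLATE = """{
    "platform": {"os": "linux", "arch": "amd64"},
    "process": {
        "terminal": false,
        "user": {"uid": 0, "gid": 0},
        "env": ["ETCD_NAME=$ETCD_NAME", "ETCD_DATA_DIR=${ETCD_DATA_DIR}"],
        "args": ["/usr/bin/etcd"]
    }
}"""

# The two spellings the slides describe: $VAR and ${VAR}.
_VAR_RE = re.compile(r"\$(?:\{(\w+)\}|(\w+))")


def build_values(manifest_text, set_args, name):
    """Merge manifest defaultValues with --set=KEY=VALUE overrides. Assumed
    (not stated on the slides): a later --set wins, NAME comes from --name."""
    values = dict(json.loads(manifest_text).get("defaultValues", {}))
    for item in set_args:
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError(f"bad --set argument: {item!r}")
        values[key] = value
    values["NAME"] = name
    return values


def render_template(text, values):
    """Textual replacement of every $VAR / ${VAR}. An unset variable is an
    error here (assumed policy) rather than a silently empty string."""
    def repl(match):
        key = match.group(1) or match.group(2)
        if key not in values:
            raise KeyError(f"template variable {key} has no value")
        return values[key]
    return _VAR_RE.sub(repl, text)


def render_config(manifest_text, template_text, set_args, name):
    """Render config.json.template and parse it: substitution is textual, so a
    malformed --set value breaks the JSON and is caught before runC sees it."""
    return json.loads(render_template(template_text,
                                      build_values(manifest_text, set_args, name)))
```

Parsing only proves the rendered file is well-formed JSON; it does not validate the substituted values themselves.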

Atomic Update

```bash
atomic containers update [--set=FOO=BAR] CONTAINER
```

- Checkout the image to /var/lib/containers/atomic/*$NAME.1*
- Generate the configuration file for runC
- Generate the configuration file for systemd
- Stop the service
- Change the symlink *$NAME* -> *$NAME.1* (or *.0*)
- Restart the service

Atomic Rollback

```bash
atomic containers rollback CONTAINER
```

- Stop the service
- Change the symlink *$NAME* -> *$NAME.0* (or *.1*)
- Change systemd configuration file
- Restart the service

# Future plans:
## Better integration with systemd
Dynamic users? Networkd?
## OS integrated containers
Some containers may need files installed on the host. *atomic install* generates an .rpm file that is managed by the operating system.
# Questions?

Project Atomic: