Atomic System Containers



Stephen Milner
(@ashcrow/smilner@redhat.com)

Giuseppe Scrivano
(@gscrivano/gscrivan@redhat.com)


"Atomic Host is a lightweight, immutable platform, designed with the sole purpose of running containerized applications." -- http://projectatomic.io

System Containers aim to run services as containers. They can be installed on top of the immutable image.

# Atomic System Containers use

- **runC** to run an OCI container
- **systemd** to manage the life cycle of the service
- **OSTree** for the storage of the images
- **Skopeo** to retrieve images from a registry

Format and Distribution

- The system containers are built and distributed as any other image
- Metadata and configuration files are added as part of the image itself
- Converting an existing image is simply a matter of adding some additional files
- Images are read only!

# What configuration files are needed?

- *config.json.template* - OCI configuration
- *service.template* - systemd unit file
- *manifest.json* - settings for the image
- *tmpfiles.template* - systemd.tmpfiles

# Configuration files

Files ending in *.template* are preprocessed before installation. Anything in the form *$VAR* or *${VAR}* is replaced in the *.template* files.
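As an added illustration (not code from the atomic project), here is a minimal Python model of that preprocessing step: it merges the manifest.json defaultValues with `--set` overrides and the built-in NAME/CONF_DIRECTORY variables, then expands $VAR/${VAR} in a template line and in the renameFiles destinations. The manifest and template contents are constructed from the etcd slides; rejecting unknown `--set` keys and failing on an undefined variable are choices of this example, not necessarily what atomic itself does.

```python
import json
import string

# Constructed from the deck's etcd slides; not the contents of the real image.
MANIFEST = json.loads("""{
  "version": "1.0",
  "defaultValues": {
    "ETCD_NAME": "",
    "ETCD_ADVERTISE_CLIENT_URLS": "",
    "ETCD_LISTEN_CLIENT_URLS": ""
  },
  "renameFiles": {
    "/etc/etcd/etcd.conf": "$CONF_DIRECTORY/$NAME/etcd.conf",
    "/usr/local/bin/etcdctl": "/usr/local/bin/${NAME}ctl"
  }
}""")

# One line of config.json.template, using both the $VAR and ${VAR} forms.
CONFIG_TEMPLATE = ('"env": ["NAME=$NAME", "ETCD_NAME=$ETCD_NAME", '
                   '"ETCD_LISTEN_CLIENT_URLS=${ETCD_LISTEN_CLIENT_URLS}"]')


def build_values(manifest, name, overrides, conf_directory="/etc"):
    """Merge manifest defaultValues, --set overrides and the built-in variables.

    Assumption of this example: a --set key the manifest does not declare is an
    error, and the built-ins NAME/CONF_DIRECTORY cannot be overridden by --set."""
    values = dict(manifest.get("defaultValues", {}))
    unknown = set(overrides) - set(values)
    if unknown:
        raise ValueError("unknown --set keys: %s" % ", ".join(sorted(unknown)))
    values.update(overrides)
    values.update({"NAME": name, "CONF_DIRECTORY": conf_directory})
    return values


def expand(template, values):
    """Replace $VAR and ${VAR}; an undefined variable raises KeyError instead
    of silently becoming an empty string in a root process's environment."""
    return string.Template(template).substitute(values)


def rename_map(manifest, values):
    """Expand the destination side of renameFiles with the same variables."""
    return {src: expand(dst, values)
            for src, dst in manifest.get("renameFiles", {}).items()}
```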

etcd Dockerfile

```dockerfile
FROM fedora

RUN dnf -y install etcd hostname && dnf clean all

COPY etcd-env.sh /usr/bin/etcd-env.sh
COPY install.sh /usr/bin/install.sh
COPY uninstall.sh /usr/bin/uninstall.sh
COPY tmpfiles.template config.json.template \
     service.template manifest.json /exports/
CMD ["/usr/bin/etcd-env.sh", "/usr/bin/etcd"]
```

etcd config.json.template

```json
...
	"process": {
		"terminal": false,
		"user": {
			"uid": 0,
			"gid": 0
		},
		"env": [
			"NAME=$NAME",
			"ETCD_NAME=$ETCD_NAME",
			"ETCD_ADVERTISE_CLIENT_URLS=$ETCD_ADVERTISE_CLIENT_URLS",
			"ETCD_LISTEN_CLIENT_URLS=$ETCD_LISTEN_CLIENT_URLS"
...
```

etcd service.template

```ini
[Unit]
Description="Etcd Server"
After="network.target"

[Service]
ExecStart="$EXEC_START"
ExecStop="$EXEC_STOP"
Restart="on-failure"
WorkingDirectory="$DESTDIR"
RuntimeDirectory="${NAME}"

[Install]
WantedBy="multi-user.target"
```

etcd manifest.json

```json
{
    "version": "1.0",
    "defaultValues": {
        "ETCD_NAME" : "",
        "ETCD_ADVERTISE_CLIENT_URLS" : "",
        "ETCD_LISTEN_CLIENT_URLS" : "",
        "ETCD_INITIAL_ADVERTISE_PEER_URLS" : "",
        "ETCD_LISTEN_PEER_URLS" : "",
        "ETCD_INITIAL_CLUSTER" : ""
    },
    "renameFiles" : {
        "/etc/etcd/etcd.conf" : "$CONF_DIRECTORY/$NAME/etcd.conf",
        "/usr/local/bin/etcdctl" : "/usr/local/bin/${NAME}ctl"
    }
}
```
# OCI runtime bundle

An OCI runtime bundle is a directory with the image files and a *config.json* file:

```bash
bundle
├── config.json
└── rootfs
    ├── bin
    ├── usr
    └── ...
```

- *rootfs* - contains the file system for the container
- *config.json* - describes how to run the container

Storage

```bash
atomic pull --storage ostree IMAGE
```

A reference to each layer of the image is maintained in an OSTree repository as a branch:
- Take advantage of the OCI image layering: only missing layers are fetched.
- Take advantage of OSTree storage: only new files are stored.

# Image Sources

An IMAGE can be pulled from different sources with `atomic pull --storage ostree ...`:

- Registry: IMAGE
- Local Docker engine: docker:IMAGE:latest
- Tarball: dockertar:/file/to/file.tar

Installation

```bash
atomic install --system [--name=NAME] [--set=NAME=VALUE] IMAGE
```

- Checkout the image to /var/lib/containers/atomic/*$NAME.0*
- Generate the configuration file for runC
- Generate the configuration file for systemd
- Create the symlink *$NAME* -> *$NAME.0*

Copy files to the host

From /exports/hostfs/

- Every file exported by the container under */exports/hostfs* is copied to the host
- If requested, these files can be copied to the host through an RPM generated on the fly
- The RPM is useful to track ownership of the files using the traditional `rpm -qf`

Atomic Update

```bash
atomic containers update [--set=FOO=BAR] CONTAINER
```

- Checkout the image to /var/lib/containers/atomic/*$NAME.1*
- Generate the configuration file for runC
- Generate the configuration file for systemd
- Stop the service
- Remove the old installed files
- Copy the new installed files
- Change the symlink *$NAME* -> *$NAME.1* (or *.0*)
- Restart the service

Atomic Rollback

```bash
atomic containers rollback CONTAINER
```

- Stop the service
- Change the symlink *$NAME* -> *$NAME.0* (or *.1*)
- Replace the installed files on the host with the other version
- Change the systemd configuration file
- Restart the service
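Both the update and the rollback steps above come down to swapping the *$NAME* symlink between the *$NAME.0* and *$NAME.1* checkouts. As an added example (not code from atomic), this Python sketch does the swap by creating a temporary link and renaming it over the old one, so the link is never absent or half-written if the host dies mid-update; the OSTree checkout, the host file copy and the systemctl stop/start are left out. The `base` directory, the `demo()` scenario and the temporary link name are this example's own assumptions.

```python
import os
import tempfile

# The deck's layout: <base>/<name> -> <name>.0 or <name>.1, where base is
# /var/lib/containers/atomic on a real host and a temp dir in this example.


def current_slot(base, name):
    """Return 0 or 1 from what the $NAME symlink currently points at."""
    target = os.readlink(os.path.join(base, name))
    return int(target.rsplit(".", 1)[1])


def switch_deployment(base, name, slot):
    """Repoint $NAME at $NAME.<slot> atomically: a temporary symlink is created
    and then renamed over the existing one, so the link never disappears."""
    target = "%s.%d" % (name, slot)
    if not os.path.isdir(os.path.join(base, target)):
        raise FileNotFoundError("checkout %s does not exist" % target)
    tmp = os.path.join(base, ".%s.tmp" % name)  # hypothetical temp link name
    if os.path.lexists(tmp):
        os.unlink(tmp)
    os.symlink(target, tmp)
    os.rename(tmp, os.path.join(base, name))  # rename(2) replaces the old link
    return target


def update(base, name):
    """Check out into the slot that is NOT active, so the previous checkout
    survives for rollback, then switch to it. The checkout is simulated by mkdir."""
    new_slot = 1 - current_slot(base, name)
    os.makedirs(os.path.join(base, "%s.%d" % (name, new_slot)), exist_ok=True)
    return switch_deployment(base, name, new_slot)


def rollback(base, name):
    """Switch back to the other slot, which still holds the previous checkout."""
    return switch_deployment(base, name, 1 - current_slot(base, name))


def demo():
    """Constructed scenario: etcd installed in slot 0, then updated and rolled back."""
    base = tempfile.mkdtemp()
    os.mkdir(os.path.join(base, "etcd.0"))
    os.symlink("etcd.0", os.path.join(base, "etcd"))
    return update(base, "etcd"), rollback(base, "etcd")
```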

OCP 3.6

Tech Preview

Enable all system containers:

- `openshift_use_system_containers=True`

Choose individually:

- `openshift_use_master_system_container=True`
- `openshift_use_node_system_container=True`
- `openshift_use_openvswitch_system_container=True`

Override the registry:

- `system_images_registry=registry`

Docker

Enable Docker as a system container:

- `openshift_docker_use_system_container=True`

Override the image:

- `openshift_docker_systemcontainer_image_override=image`

CRI-O

Enable CRI-O as a system container:

- `openshift_use_crio=True`

Override the image:

- `openshift_crio_systemcontainer_image_override=image`
# Questions?