Atomic System Containers

Stephen Milner

Giuseppe Scrivano

Atomic System Containers

"Atomic Host is a lightweight, immutable platform, designed with the sole purpose of running containerized applications." --
The aim of System Containers is to run services as containers that can be installed on top of the immutable image.

# Atomic System Containers use

- **runC** to run an OCI container
- **systemd** to manage the life cycle of the service
- **OSTree** for the storage of the images
- **Skopeo** to retrieve images from a registry

Format and Distribution

- The system containers are built and distributed as any other image
- Metadata and configuration files are added as part of the image itself:
- Converting an existing image is simply a matter of adding some additional files
- Images are read only!
# What configuration files are needed?

- *config.json.template* - OCI configuration
- *service.template* - systemd unit file
- *manifest.json* - settings for the image
- *tmpfiles.template* - systemd.tmpfiles configuration

# Configuration files

Files ending in *.template* are preprocessed before installation. Anything in the form *$VAR* or *${VAR}* is replaced in the *.template* files.

etcd Dockerfile

```dockerfile
FROM fedora

RUN dnf -y install etcd hostname && dnf clean all

COPY /usr/bin/
COPY  /usr/bin/
COPY /usr/bin/
COPY tmpfiles.template config.json.template \
     service.template manifest.json /exports/
CMD ["/usr/bin/", "/usr/bin/etcd"]
```

etcd config.json.template

```json
	"process": {
		"terminal": false,
		"user": {
			"uid": 0,
			"gid": 0
		"env": [
```

etcd service.template

```ini
Description="Etcd Server"
```



etcd manifest.json

```json
    "version": "1.0",
    "defaultValues": {
        "ETCD_NAME" : "",
    "renameFiles" : {
        "/etc/etcd/etcd.conf" : "$CONF_DIRECTORY/$NAME/etcd.conf",
        "/usr/local/bin/etcdctl" : "/usr/local/bin/${NAME}ctl"
```
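The *.template* preprocessing and the *renameFiles* mapping from the slides above, as an added Python example; this is a simplified re-implementation for illustration, not the atomic CLI's own code. The `CONF_DIRECTORY=/etc` default, the `--set=KEY=VALUE` parsing and the constructed config fragment are assumptions, and an undefined variable is treated as an error rather than silently expanding to an empty string.

```python
import json
import re

# Constructed manifest in the shape the etcd slide shows; CONF_DIRECTORY=/etc is an assumed default.
MANIFEST = json.loads("""
{
    "version": "1.0",
    "defaultValues": {"ETCD_NAME": "", "CONF_DIRECTORY": "/etc"},
    "renameFiles": {
        "/etc/etcd/etcd.conf": "$CONF_DIRECTORY/$NAME/etcd.conf",
        "/usr/local/bin/etcdctl": "/usr/local/bin/${NAME}ctl"
    }
}
""")

# Constructed config.json.template fragment: only the env list is templated here.
CONFIG_TEMPLATE = '{"process": {"env": ["ETCD_NAME=$ETCD_NAME", "NAME=${NAME}"]}}'

# Matches $VAR or ${VAR}; group 1 is the braced form, group 2 the bare form.
_VAR_RE = re.compile(r"\$(?:\{(\w+)\}|(\w+))")


def build_values(manifest, name, set_args):
    """Manifest defaultValues, overridden by --set=KEY=VALUE arguments, plus the install NAME."""
    values = dict(manifest.get("defaultValues", {}))
    for arg in set_args:
        key, sep, value = arg.partition("=")
        if not sep or not key:
            raise ValueError(f"bad --set argument: {arg!r}")
        values[key] = value
    values["NAME"] = name  # chosen with `atomic install --name=NAME`
    return values


def render(template, values):
    """Replace every $VAR / ${VAR}; an undefined variable fails loudly instead of becoming ''."""
    def substitute(match):
        key = match.group(1) or match.group(2)
        if key not in values:
            raise KeyError(f"template references undefined variable ${key}")
        return values[key]
    return _VAR_RE.sub(substitute, template)


def renamed_files(manifest, values):
    """Expand the renameFiles targets, e.g. /usr/local/bin/etcdctl -> /usr/local/bin/<NAME>ctl."""
    return {src: render(dst, values) for src, dst in manifest.get("renameFiles", {}).items()}


if __name__ == "__main__":
    vals = build_values(MANIFEST, "etcd2", ["ETCD_NAME=node1"])
    print(render(CONFIG_TEMPLATE, vals))
    print(renamed_files(MANIFEST, vals))
```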
# OCI runtime bundle

An OCI runtime bundle is a directory with the image files and a *config.json* file:

```bash
bundle
├── config.json
└── rootfs
    ├── bin
    ├── usr
    └── ...
```

- *rootfs* - contains the file system for the container
- *config.json* - describes how to run the container


atomic pull --storage ostree IMAGE

A reference to each layer of the image is maintained in an OSTree repository as a branch:
- Takes advantage of the OCI image layering: only missing layers are fetched.
- Takes advantage of OSTree storage: only new files are stored.

# Image Sources

An IMAGE can be pulled from different sources with `atomic pull --storage ostree ...`:

- Registry: IMAGE
- Local Docker engine: docker:IMAGE:latest
- Tarball: dockertar:/file/to/file.tar


atomic install --system [--name=NAME] [--set=NAME=VALUE] IMAGE

- Check out the image to /var/lib/containers/atomic/*$NAME.0*
- Generate the configuration file for runC
- Generate the configuration file for systemd
- Create a symlink from *$NAME.0* to *$NAME*

Copy files to the host

From /exports/hostfs/

- Every file exported by the container under */exports/hostfs* is copied to the host
- If requested, these files can be copied to the host through an .RPM generated on the fly
- The .RPM is useful for tracking ownership of the files with the traditional `rpm -qf`

Atomic Update

atomic containers update [--set=FOO=BAR] CONTAINER

- Check out the image to /var/lib/containers/atomic/*$NAME.1*
- Generate the configuration file for runC
- Generate the configuration file for systemd
- Stop the service
- Remove the old installed files
- Copy the new installed files
- Change the symlink *$NAME* -> *$NAME.1* (or *.0*)
- Restart the service

Atomic Rollback

atomic containers rollback CONTAINER

- Stop the service
- Change the symlink *$NAME* -> *$NAME.0* (or *.1*)
- Replace the files installed on the host with the other version
- Change the systemd configuration file
- Restart the service

OCP 3.6

Tech Preview

Enable all system containers:
- `openshift_use_system_containers=True`

Choose individually:
- `openshift_use_master_system_container=True`
- `openshift_use_node_system_container=True`
- `openshift_use_openvswitch_system_container=True`

Override the registry:
- `system_images_registry=registry`

Enable Docker as a system container:
- `openshift_docker_use_system_container=True`

Override the image:
- `openshift_docker_systemcontainer_image_override=image`

Enable CRI-O as a system container:
- `openshift_use_crio=True`

Override the image:
- `openshift_crio_systemcontainer_image_override=image`

# Questions?