On Tue, Apr 4, 2023 at 3:36 AM Adrian Dudau <[email protected]> wrote:
> Hello,
>
> We have a situation where we have a number of pre-built containers in a
> repository that I would like to get into the target image at runtime. I
> want to avoid having to pull them with Podman at runtime and am also
> trying to avoid having to rebuild them with Yocto.
>

There are several presentations floating around (and at least one that I did) talking about the pros and cons of the different approaches. One way to summarize the options is: there are a lot of different ways to do what you are describing, but most only work for non-production systems (and are usually not upstreamable solutions) due to things like root requirements, licensing, SBOM, artifacts, binary package feeds, etc.

> My approach so far has been to try and do podman pull and build a local
> store at build time using bitbake and then have the whole store installed
> into the rootfs. But I hit a bug with using sudo in bitbake and Bruce
> suggested that this might not even be the best approach, so I came here
> asking for other suggestions.
>

As I had mentioned in the other OE core thread, I spent about a month in this development cycle working on various options to get a framework into meta-virt to accomplish this task. It isn't ready yet, as I am completing the package upgrades for the release, and had to do the 6.1 and 6.3 kernels for the release .. but I will be picking it back up again in the upcoming weeks and would at least have some broken code to share, and see if anyone wants to lend a hand.

What I'm establishing right now (for the container part) are some base container images and multilib definitions that allow containers to be built and either directly installed to a container backing store or, via something like podman load, read and installed into their specific root/container store. The tricky bits are disassembling what the CLIs do, and finding the underlying manipulation libraries.

By working directly with them (which would preferably have been oci-* tools by now), I'm locating where we need elevated permissions and mapping them to something pseudo can support. podman tries to manipulate namespaces, etc., even on a load -> save cycle, when really it doesn't need to, since we aren't actually running the containers.

I ran out of time knee deep in the internals of everything from pseudo, sudo and the various container libraries. And yes, I did see many of the things that you've also been seeing with sudo, and didn't get to the bottom of it yet, but it wasn't my focus so I put it into the "pick up later" bucket.

If anyone reading my description above has dug into the namespaces or sudo issues, I'm sure we'd all love to hear from you!

Cheers,

Bruce

> Best regards,
> --Adrian
>
> Adrian Dudau
> Senior Software Engineer
> Keyfactor

--
- Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
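The build-time store / podman load approach discussed in this thread ships a container image as a file-system artifact inside the rootfs, which makes the OCI layout itself a supply-chain artifact that the target should check before handing it to a container store. The following is an added example, not code from the thread, from meta-virtualization or from podman: a POSIX shell script that builds a constructed, minimal OCI image layout (a stand-in for what a recipe would stage into the image) and verifies that every blob under blobs/sha256 hashes to the digest it is named by and that every digest referenced from index.json onward (manifest, config, layers) is actually present. Function names (`make_sample_layout`, `verify_oci_layout`) and the layout contents are hypothetical; real layouts carry mediaType and size fields that are omitted here because the check depends only on digests.

```shell
#!/bin/sh
# Added example (not from the thread or meta-virtualization): integrity check
# of an OCI image layout staged into a rootfs, run before `podman load`/skopeo.
# Function names and the sample layout are hypothetical/constructed.
set -eu

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# make_sample_layout DIR
# Builds a constructed, minimal OCI layout: oci-layout, index.json and
# content-addressed blobs (one config, one layer, one manifest).
make_sample_layout() {
    dir=$1
    mkdir -p "$dir/blobs/sha256"
    printf '{"imageLayoutVersion":"1.0.0"}' > "$dir/oci-layout"

    printf 'constructed config blob' > "$dir/tmp.cfg"
    printf 'constructed layer blob' > "$dir/tmp.layer"
    cfg=$(sha256_of "$dir/tmp.cfg")
    layer=$(sha256_of "$dir/tmp.layer")
    mv "$dir/tmp.cfg" "$dir/blobs/sha256/$cfg"
    mv "$dir/tmp.layer" "$dir/blobs/sha256/$layer"

    printf '{"schemaVersion":2,"config":{"digest":"sha256:%s"},"layers":[{"digest":"sha256:%s"}]}' \
        "$cfg" "$layer" > "$dir/tmp.manifest"
    man=$(sha256_of "$dir/tmp.manifest")
    mv "$dir/tmp.manifest" "$dir/blobs/sha256/$man"

    printf '{"schemaVersion":2,"manifests":[{"digest":"sha256:%s"}]}' "$man" > "$dir/index.json"
}

# verify_oci_layout DIR
# Prints "ok" and returns 0 when (1) every file under blobs/sha256 hashes to
# the digest it is named by and (2) every sha256 digest referenced from
# index.json or from any blob (manifest -> config/layers) is present.
# Returns 1 on the first problem found, naming it on stdout.
verify_oci_layout() {
    dir=$1
    if [ ! -f "$dir/oci-layout" ] || [ ! -f "$dir/index.json" ]; then
        echo "missing oci-layout or index.json"
        return 1
    fi
    # (1) content must match the content address
    for blob in "$dir"/blobs/sha256/*; do
        [ -f "$blob" ] || continue
        name=${blob##*/}
        sum=$(sha256_of "$blob")
        if [ "$sum" != "$name" ]; then
            echo "digest mismatch: $name"
            return 1
        fi
    done
    # (2) every referenced digest must exist; -a keeps grep reading binary layers
    refs=$(cat "$dir/index.json" "$dir"/blobs/sha256/* 2>/dev/null \
           | grep -ao 'sha256:[0-9a-f]\{64\}' | sort -u || true)
    for ref in $refs; do
        d=${ref#sha256:}
        if [ ! -f "$dir/blobs/sha256/$d" ]; then
            echo "missing blob: $d"
            return 1
        fi
    done
    echo ok
}

# Stand-alone demonstration: a good layout verifies, a tampered layer does not.
demo() {
    tmp=$(mktemp -d)
    make_sample_layout "$tmp/good"
    verify_oci_layout "$tmp/good"
    make_sample_layout "$tmp/bad"
    first=$(ls "$tmp/bad/blobs/sha256" | head -n 1)
    printf 'tampered' >> "$tmp/bad/blobs/sha256/$first"
    verify_oci_layout "$tmp/bad" || echo "refusing to load $tmp/bad"
    rm -rf "$tmp"
}

case "${1:-}" in --demo) demo ;; esac
```

On a target the verified directory can then be imported with, for instance, `skopeo copy oci:"$dir" containers-storage:myapp:latest`, or packed with tar and piped into `podman load`; both commands are illustrative and assume those tools are present on the image. Digest consistency only proves the layout was not altered after it was staged; proving who built it would additionally need a signature check against a trust root provisioned on the device, which this example does not attempt.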
View/Reply Online (#7981): https://lists.yoctoproject.org/g/meta-virtualization/message/7981
