-
Notifications
You must be signed in to change notification settings - Fork 53
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Podman sysext #1964
Podman sysext #1964
Conversation
Thanks, for the config or service files we might need to have them be under |
Build action triggered: https://github.com/flatcar/scripts/actions/runs/8940147973 |
Alright, latest draft takes care of the mangle script. I still want to do more some more testing but not today. The mangle script in its current form sets up the UID/GID mapping via systemd-tmpfiles which seemed like the neatest solution, alongside the required config files. It also ignores podman* bridge networks, sets up dbus which podman wants for cgroup management, and cleans up extraneous files(only required for development etc.). |
Regarding the BDEPEND issue for podman, that is arguably an upstream issue, filed that as a bug. For this PR I used Gentoo unstable versions, is that acceptable? Or should I revert to using only the currently stable versions? I also may need to unmask arm64 separately, I can't test on that myself. |
Seems to all be working nicely now. I went through and tested what I can think of, running podman containers in rootful and rootless modes works, so do quadlet and pasta networking. |
So the gpgme issue makes less sense than I expected. With it being in DEPEND, it is installed into the BOARD_ROOT, which should be sufficient. But somehow it is required to be present in the actual / root. The easiest fix for this is to just add it as a package to the SDK container, but this may be some deeper issue that wouldn't be resolved by doing that. |
We also need to unmask the arm64 arch for Podman: arm64 build error is |
I kicked off a build again, rebased so that we have your extension built as artifact. I'll give it a try soon - your tests sound very promising, I hope we don't run into corner cases that need workarounds. I didn't expect the quadlet to work, for example, but it kind of makes sense because the daemon-reload we trigger would generate the units. |
My mistake it seems I committed the removal of gpgme from the BDEPEND from my testing. I'll fix that in a bit. |
Looks great, you can ignore the test failure here, fix in flatcar/mantle#530 (The other two are failing due to the GitHub Action setup). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work!
Can you also create a file changelog/changes/2024-05-03-podman.md
with
- Provided a Podman Flatcar extension as optional systemd-sysext image with the release. Write 'podman' to `/etc/flatcar/enabled-sysext.conf` through Ignition and the sysext will be installed during provisioning ([scripts#1964](https://github.com/flatcar/scripts/pull/1964))
and when done, please squash all commits into one - but no problem, I can also do it with the merge button.
After merging we should also add a kola tests (new file) and docs for this (extension overview and new file), if you want, you can try this but up to you :)
Enabled user session dbus in base image to support podman rootless mode. Extension images can now be created from multiple packages by seperating them with a comma. The podman sysext includes app-containers/podman and net-misc/passt. It can be enabled by adding podman to /etc/flatcar/enabled-sysext.conf. Potential TODO: gpgme had to be added as BDEPEND to podman ebuild.
Squashed and changelog added! Commit message is hopefully in the right format. |
Thank you |
Podman sysext
Initial work on getting a podman sysext to work, see flatcar/Flatcar#112. For now just includes the basic ebuilds required to build the sysext.
A few minor changes to the infrastructure were made, it's now possible to pass the debug flag to emerge when building packages and a sysext can now be built based on multiple packages. The latter was useful as I wanted to include passt for pasta rootless networking in the podman sysext.
Next I intend to look into what a mangle script should include, particularly based on the prior work on podman sysexts based on the docker builder.
This is very much my first time working with this repo, as such I am not familiar with the context. The ebuilds were pulled directly from gentoo. For most, masking on amd64 was disabled and were otherwise kept as-is. For the podman ebuild in particular, gpgme was added as a BDEPEND, as otherwise building the binary package would fail. There appear to be scripts responsible for updating the ebuilds, how does one integrate with those?
How to use
Inside the SDK container, on a host with a kernel that is not too recent(otherwise the ZFS sysext won't build):
Testing done
Next to none. This is very much a draft.
changelog/
directory (user-facing change, bug fix, security fix, update)/boot
and/usr
size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.