* [Buildroot] [All Systems Go!] Buildroot : Using embedded tools to build container images
@ 2019-09-21 19:53 Romain Naour
  2019-09-22 13:13 ` François Perrad
  0 siblings, 1 reply; 13+ messages in thread
From: Romain Naour @ 2019-09-21 19:53 UTC (permalink / raw)
  To: buildroot

Hello,

My colleague Jeremy Rosen did a presentation at All Systems Go conferences about
building container images using Buildroot:

https://www.youtube.com/watch?v=-CVuBLDpulo

It would be interesting to discuss with the community about building such
container images like light container or systemd's portable services.

It's probably a topic for the next Buildroot Meeting :)

Best regards,
Romain

^ permalink raw reply	[flat|nested] 13+ messages in thread

* [Buildroot] [All Systems Go!] Buildroot : Using embedded tools to build container images
  2019-09-21 19:53 [Buildroot] [All Systems Go!] Buildroot : Using embedded tools to build container images Romain Naour
@ 2019-09-22 13:13 ` François Perrad
  2019-09-22 14:58   ` Arnout Vandecappelle
  0 siblings, 1 reply; 13+ messages in thread
From: François Perrad @ 2019-09-22 13:13 UTC (permalink / raw)
  To: buildroot

On Sat, 21 Sep 2019 at 21:53, Romain Naour <romain.naour@smile.fr> wrote:

> Hello,
>
> My colleague Jeremy Rosen did a presentation at All Systems Go conferences
> about
> building container images using Buildroot:
>
> https://www.youtube.com/watch?v=-CVuBLDpulo
>
> It would be interesting to discuss with the community about building such
> container images like light container or systemd's portable services.
>
> It's probably a topic for the next Buildroot Meeting :)
>
>
It seems easy to create a Docker image artifact from a rootfs created by
Buildroot

    $ cat Dockerfile
    FROM scratch
    ADD rootfs.tar /

    $ docker build --tag br:my_proj .
    Sending build context to Docker daemon  4.233MB
    Step 1/2 : FROM scratch
     --->
    Step 2/2 : ADD rootfs.tar /
     ---> 60cb2207066c
    Successfully built 60cb2207066c
    Successfully tagged br:my_proj

    $ docker images
    REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
    br                  my_proj             60cb2207066c        2 minutes ago       1.74MB

    $ docker save -o br_my_proj.tar br:my_proj
    $ ls -1
    br_my_proj.tar
    Dockerfile
    rootfs.tar

But, it could be nice to add "Docker image" as an option in "Filesystem
images" choice.

François


> Best regards,
> Romain

^ permalink raw reply	[flat|nested] 13+ messages in thread

* [Buildroot] [All Systems Go!] Buildroot : Using embedded tools to build container images
  2019-09-22 13:13 ` François Perrad
@ 2019-09-22 14:58   ` Arnout Vandecappelle
  2019-09-22 15:47     ` Jérémy ROSEN
                       ` (3 more replies)
  0 siblings, 4 replies; 13+ messages in thread
From: Arnout Vandecappelle @ 2019-09-22 14:58 UTC (permalink / raw)
  To: buildroot



On 22/09/2019 15:13, François Perrad wrote:
> On Sat, 21 Sep 2019 at 21:53, Romain Naour <romain.naour@smile.fr> wrote:
> 
>> Hello,
>>
>> My colleague Jeremy Rosen did a presentation at All Systems Go conferences
>> about
>> building container images using Buildroot:
>>
>> https://www.youtube.com/watch?v=-CVuBLDpulo

 Really interesting talk, thanks for pointing this out!


>> It would be interesting to discuss with the community about building such
>> container images like light container or systemd's portable services.
>>
>> It's probably a topic for the next Buildroot Meeting :)
>>
>>
> It seems easy to create a Docker image artifact from a rootfs created by
> Buildroot
> 
>     $ cat Dockerfile
>     FROM scratch
>     ADD rootfs.tar /
> 
>     $ docker build --tag br:my_proj .
>     Sending build context to Docker daemon  4.233MB
>     Step 1/2 : FROM scratch
>      --->
>     Step 2/2 : ADD rootfs.tar /
>      ---> 60cb2207066c
>     Successfully built 60cb2207066c
>     Successfully tagged br:my_proj

 Does this also work if the tarball is cross-compiled for a different
architecture? Probably it does, and it just SIGILLs when you try to run the
container...

> 
>     $ docker images
>     REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
>     br                  my_proj             60cb2207066c        2 minutes ago       1.74MB
> 
>     $ docker save -o br_my_proj.tar br:my_proj
>     $ ls -1
>     br_my_proj.tar
>     Dockerfile
>     rootfs.tar
> 
> But, it could be nice to add "Docker image" as an option in "Filesystem
> images" choice.

 Yeah, except unfortunately docker security sucks, so on most distros you need
sudo to run any docker command, even 'docker build'.

 So, it would be nice if we could generate the OCI image without docker.

 Something was said about this in the questions of Jérémy's presentation, but
there was no clear answer.

 Regards,
 Arnout

^ permalink raw reply	[flat|nested] 13+ messages in thread

* [Buildroot] [All Systems Go!] Buildroot : Using embedded tools to build container images
  2019-09-22 14:58   ` Arnout Vandecappelle
@ 2019-09-22 15:47     ` Jérémy ROSEN
  2019-09-22 16:46       ` Arnout Vandecappelle
  2019-09-22 18:07     ` François Perrad
                       ` (2 subsequent siblings)
  3 siblings, 1 reply; 13+ messages in thread
From: Jérémy ROSEN @ 2019-09-22 15:47 UTC (permalink / raw)
  To: buildroot

Hey all, I'm glad you liked my talk :)

Here are a couple of other notes that might be of more interest to the
buildroot community in general...
* There is no tool I could find from the container world that actually
builds an image from scratch, they all are based on debian/redhat, this is
not good and they don't really have an answer
  As a side-note, be careful when you talk about building images with
container people. It usually means the step of transforming files into a
filesystem/disk image, not the compilation phase.
* There was a talk about "rootless containers" i.e. containers that are able
to build other container images without being root, using a suid binary or
talking to a root-owned daemon. Apparently nobody had heard of fakeroot and
they didn't know it was actually possible to build an image without
loopback-mounting images. (https://www.youtube.com/watch?v=e_daVOwB7ok)
* WRT portable services specifically, the only thing that buildroot doesn't
really do yet is being able to put .service files in images that do not use
systemd as an init system. (which made perfect sense until portable
services were introduced in v240)

I'll be in Lyon if you want to discuss this some more...

Cheers
Jérémy


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [Buildroot] [All Systems Go!] Buildroot : Using embedded tools to build container images
  2019-09-22 15:47     ` Jérémy ROSEN
@ 2019-09-22 16:46       ` Arnout Vandecappelle
  2019-09-22 21:48         ` Jérémy ROSEN
  0 siblings, 1 reply; 13+ messages in thread
From: Arnout Vandecappelle @ 2019-09-22 16:46 UTC (permalink / raw)
  To: buildroot



On 22/09/2019 17:47, Jérémy ROSEN wrote:
> Hey all, I'm glad you liked my talk :)
> 
> Here are a couple of other notes that might be of more interest to the
> buildroot community in general...
> * There is no tool I could find from the container world that actually
> builds an image from scratch, they all are based on debian/redhat, this is
> not good and they don't really have an answer
>   As a side-note, be careful when you talk about building images with
> container people. It usually means the step of transforming files into a
> filesystem/disk image, not the compilation phase.
> * There was a talk about "rootless containers" i.e. containers that are able
> to build other container images without being root, using a suid binary or
> talking to a root-owned daemon. Apparently nobody had heard of fakeroot and
> they didn't know it was actually possible to build an image without
> loopback-mounting images. (https://www.youtube.com/watch?v=e_daVOwB7ok)

 Your talk was a lot more interesting :-)

 But the one thing I took away from it is the pointer to umoci [1]. That tool
seems to be capable of creating an OCI image without running docker. E.g. 'umoci
add-layer' seems to add a tarball as a layer to an image.

> * WRT portable services specifically, the only thing that buildroot doesn't
> really do yet is being able to put .service files in images that do not use
> systemd as an init system. (which made perfect sense until portable
> services were introduced in v240)

 Yeah, that would require a disconnect between the init system and the package
that provides it. But it's starting to diverge a lot from Buildroot's purpose
(creating full OS images).

 Note BTW that you'll often still need systemd as a library during the build,
which is also something we don't support at the moment.

 Regards,
 Arnout

[1] https://github.com/openSUSE/umoci


^ permalink raw reply	[flat|nested] 13+ messages in thread
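
Added example (not part of any message in this thread, and not code from
Buildroot, umoci or buildah): a sketch of the "OCI image without docker" idea,
writing an OCI image layout from a rootfs tarball as an unprivileged user and
re-checking every digest. The function names and the in-memory sample rootfs
are constructed for illustration; the layer is stored uncompressed.

```python
import hashlib
import io
import json
import os
import tarfile
import tempfile

LAYER_TAR = "application/vnd.oci.image.layer.v1.tar"
CONFIG_JSON = "application/vnd.oci.image.config.v1+json"
MANIFEST_JSON = "application/vnd.oci.image.manifest.v1+json"


def make_sample_rootfs():
    """Constructed stand-in for Buildroot's output/images/rootfs.tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, mode in (("bin/hello", b"#!/bin/sh\necho hi\n", 0o755),
                                 ("etc/hostname", b"buildroot\n", 0o644)):
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), mode
            # Ownership is only metadata in the archive, so an unprivileged
            # user can record root:root (what fakeroot does for Buildroot).
            info.uid = info.gid = 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def put_blob(layout_dir, data):
    """Store data content-addressed under blobs/sha256/; return (digest, size)."""
    hexdigest = hashlib.sha256(data).hexdigest()
    blob_dir = os.path.join(layout_dir, "blobs", "sha256")
    os.makedirs(blob_dir, exist_ok=True)
    with open(os.path.join(blob_dir, hexdigest), "wb") as f:
        f.write(data)
    return "sha256:" + hexdigest, len(data)


def descriptor(media_type, digest, size, **extra):
    return dict(mediaType=media_type, digest=digest, size=size, **extra)


def build_oci_layout(rootfs_tar, layout_dir, tag, arch):
    """Write oci-layout, index.json and blobs; no daemon, mount or root needed."""
    layer_digest, layer_size = put_blob(layout_dir, rootfs_tar)
    config = {
        # Metadata only: a cross-compiled rootfs is stored as-is, nothing is run.
        "architecture": arch,
        "os": "linux",
        # For an uncompressed layer the diff_id equals the layer digest.
        "rootfs": {"type": "layers", "diff_ids": [layer_digest]},
    }
    cfg_digest, cfg_size = put_blob(
        layout_dir, json.dumps(config, sort_keys=True).encode())
    manifest = {
        "schemaVersion": 2,
        "mediaType": MANIFEST_JSON,
        "config": descriptor(CONFIG_JSON, cfg_digest, cfg_size),
        "layers": [descriptor(LAYER_TAR, layer_digest, layer_size)],
    }
    man_digest, man_size = put_blob(
        layout_dir, json.dumps(manifest, sort_keys=True).encode())
    index = {
        "schemaVersion": 2,
        "manifests": [descriptor(
            MANIFEST_JSON, man_digest, man_size,
            annotations={"org.opencontainers.image.ref.name": tag})],
    }
    with open(os.path.join(layout_dir, "oci-layout"), "w") as f:
        json.dump({"imageLayoutVersion": "1.0.0"}, f)
    with open(os.path.join(layout_dir, "index.json"), "w") as f:
        json.dump(index, f)
    return man_digest


def verify_layout(layout_dir):
    """Walk index -> manifest -> config/layers, re-checking digest and size."""
    def read(desc):
        algo, _, hexdigest = desc["digest"].partition(":")
        # Reject anything that is not a plain sha256 hex string before it is
        # used as a file name (no path tricks through the digest field).
        if algo != "sha256" or len(hexdigest) != 64 or \
                any(c not in "0123456789abcdef" for c in hexdigest):
            raise ValueError("unsupported digest " + desc["digest"])
        with open(os.path.join(layout_dir, "blobs", algo, hexdigest), "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() != hexdigest:
            raise ValueError("digest mismatch for " + desc["digest"])
        if len(data) != desc["size"]:
            raise ValueError("size mismatch for " + desc["digest"])
        return data

    with open(os.path.join(layout_dir, "index.json")) as f:
        index = json.load(f)
    checked = 0
    for man_desc in index["manifests"]:
        manifest = json.loads(read(man_desc))
        read(manifest["config"])
        for layer in manifest["layers"]:
            read(layer)
        checked += 2 + len(manifest["layers"])
    return checked


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as layout:
        print(build_oci_layout(make_sample_rootfs(), layout, "my_proj", "arm"))
        print("blobs verified:", verify_layout(layout))
```
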

* [Buildroot] [All Systems Go!] Buildroot : Using embedded tools to build container images
  2019-09-22 14:58   ` Arnout Vandecappelle
  2019-09-22 15:47     ` Jérémy ROSEN
@ 2019-09-22 18:07     ` François Perrad
  2019-09-23  7:17       ` Arnout Vandecappelle
  2019-09-22 18:22     ` Peter Korsgaard
  2019-09-23  7:40     ` Esben Haabendal
  3 siblings, 1 reply; 13+ messages in thread
From: François Perrad @ 2019-09-22 18:07 UTC (permalink / raw)
  To: buildroot

On Sun, 22 Sep 2019 at 16:58, Arnout Vandecappelle <arnout@mind.be> wrote:

>
>
> On 22/09/2019 15:13, François Perrad wrote:
> > On Sat, 21 Sep 2019 at 21:53, Romain Naour <romain.naour@smile.fr> wrote:
> >
> >> Hello,
> >>
> >> My colleague Jeremy Rosen did a presentation at All Systems Go
> conferences
> >> about
> >> building container images using Buildroot:
> >>
> >> https://www.youtube.com/watch?v=-CVuBLDpulo
>
>  Really interesting talk, thanks for pointing this out!
>
>
> >> It would be interesting to discuss with the community about building
> such
> >> container images like light container or systemd's portable services.
> >>
> >> It's probably a topic for the next Buildroot Meeting :)
> >>
> >>
> > It seems easy to create a Docker image artifact from a rootfs created by
> > Buildroot
> >
> >     $ cat Dockerfile
> >     FROM scratch
> >     ADD rootfs.tar /
> >
> >     $ docker build --tag br:my_proj .
> >     Sending build context to Docker daemon  4.233MB
> >     Step 1/2 : FROM scratch
> >      --->
> >     Step 2/2 : ADD rootfs.tar /
> >      ---> 60cb2207066c
> >     Successfully built 60cb2207066c
> >     Successfully tagged br:my_proj
>
>  Does this also work if the tarball is cross-compiled for a different
> architecture? Probably it does, and it just SIGILLs when you try to run the
> container...
>
> >
> >     $ docker images
> >     REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
> >     br                  my_proj             60cb2207066c        2 minutes ago       1.74MB
> >
> >     $ docker save -o br_my_proj.tar br:my_proj
> >     $ ls -1
> >     br_my_proj.tar
> >     Dockerfile
> >     rootfs.tar
> >
> > But, it could be nice to add "Docker image" as an option in "Filesystem
> > images" choice.
>
>  Yeah, except unfortunately docker security sucks, so on most distros you
> need
> sudo to run any docker command, even 'docker build'.
>
>
see section "Manage Docker as a non-root user" in
https://docs.docker.com/install/linux/linux-postinstall/
on Ubuntu, I just run:
    $ sudo usermod -aG docker $USER

François

>  So, it would be nice if we could generate the OCI image without docker.
>
>  Something was said about this in the questions of Jérémy's
> presentation, but
> there was no clear answer.
>
>  Regards,
>  Arnout
>

^ permalink raw reply	[flat|nested] 13+ messages in thread

* [Buildroot] [All Systems Go!] Buildroot : Using embedded tools to build container images
  2019-09-22 14:58   ` Arnout Vandecappelle
  2019-09-22 15:47     ` Jérémy ROSEN
  2019-09-22 18:07     ` François Perrad
@ 2019-09-22 18:22     ` Peter Korsgaard
  2019-09-23  7:44       ` Esben Haabendal
  2019-09-23  7:40     ` Esben Haabendal
  3 siblings, 1 reply; 13+ messages in thread
From: Peter Korsgaard @ 2019-09-22 18:22 UTC (permalink / raw)
  To: buildroot

>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:

Hi,

 >  Does this also work if the tarball is cross-compiled for a different
 > architecture? Probably it does, and it just SIGILLs when you try to run the
 > container...

Yes. Even easier is just

docker import output/images/rootfs.tar <myproject:mytag>

 >  Yeah, except unfortunately docker security sucks, so on most distros you need
 > sudo to run any docker command, even 'docker build'.

 >  So, it would be nice if we could generate the OCI image without docker.

I believe you can do similar with e.g. buildah:

https://github.com/containers/buildah

But you anyway need buildah/docker/.. to then finally do something with
the docker image afterwards, so perhaps just documenting the 'docker
import' oneliner is enough and not try to do it in Buildroot.

-- 
Bye, Peter Korsgaard

^ permalink raw reply	[flat|nested] 13+ messages in thread

* [Buildroot] [All Systems Go!] Buildroot : Using embedded tools to build container images
  2019-09-22 16:46       ` Arnout Vandecappelle
@ 2019-09-22 21:48         ` Jérémy ROSEN
  0 siblings, 0 replies; 13+ messages in thread
From: Jérémy ROSEN @ 2019-09-22 21:48 UTC (permalink / raw)
  To: buildroot

On Sun, 22 Sep 2019 at 18:46, Arnout Vandecappelle <arnout@mind.be> wrote:

>
>
> On 22/09/2019 17:47, Jérémy ROSEN wrote:
>
> > * WRT portable services specifically, the only thing that buildroot doesn't
> > really do yet is being able to put .service files in images that do not use
> > systemd as an init system. (which made perfect sense until portable
> > services were introduced in v240)
>
>  Yeah, that would require a disconnect between the init system and the
> package
> that provides it. But it's starting to diverge a lot from Buildroot's
> purpose
> (creating full OS images).
>
While I don't strictly disagree with that sentence, I believe that
buildroot is the best tool available (the only tool?) to reliably build
light containers

You can do it with yocto (I tried that too) but it's a real pain. With
buildroot, you start with an empty config, set the arch, add the software
you want and you're good.

Honestly I know no tool that even approaches this simplicity for light
containers. It already works.

regards
Jeremy



^ permalink raw reply	[flat|nested] 13+ messages in thread

* [Buildroot] [All Systems Go!] Buildroot : Using embedded tools to build container images
  2019-09-22 18:07     ` François Perrad
@ 2019-09-23  7:17       ` Arnout Vandecappelle
  0 siblings, 0 replies; 13+ messages in thread
From: Arnout Vandecappelle @ 2019-09-23  7:17 UTC (permalink / raw)
  To: buildroot



On 22/09/2019 20:07, François Perrad wrote:
[snip]
>>  Yeah, except unfortunately docker security sucks, so on most distros you
>> need
>> sudo to run any docker command, even 'docker build'.
>>
>>
> see section "Manage Docker as a non-root user" in
> https://docs.docker.com/install/linux/linux-postinstall/
> on Ubuntu, I just run:
>     $ sudo usermod -aG docker $USER

 Yes, but the thing is, putting a user in the docker group is more or less the
same as giving them root access. So putting NOPASSWD in sudoers is basically
doing the same thing.

 For people who can use sudo, fine, but they can just as well do sudo.

 For people who can't use sudo (e.g. because the (build) machine is centrally
managed and users are not trusted), any competent sysadmin will also not allow
them to use docker.

 Regards,
 Arnout

^ permalink raw reply	[flat|nested] 13+ messages in thread

* [Buildroot] [All Systems Go!] Buildroot : Using embedded tools to build container images
  2019-09-22 14:58   ` Arnout Vandecappelle
                       ` (2 preceding siblings ...)
  2019-09-22 18:22     ` Peter Korsgaard
@ 2019-09-23  7:40     ` Esben Haabendal
  3 siblings, 0 replies; 13+ messages in thread
From: Esben Haabendal @ 2019-09-23  7:40 UTC (permalink / raw)
  To: buildroot

Arnout Vandecappelle <arnout@mind.be> writes:

> On 22/09/2019 15:13, François Perrad wrote:
>> On Sat, 21 Sep 2019 at 21:53, Romain Naour <romain.naour@smile.fr> wrote:
>> 
>>> Hello,
>>>
>>> My colleague Jeremy Rosen did a presentation at All Systems Go conferences
>>> about
>>> building container images using Buildroot:
>>>
>>> https://www.youtube.com/watch?v=-CVuBLDpulo
>
>  Really interesting talk, thanks for pointing this out!
>
>
>>> It would be interesting to discuss with the community about building such
>>> container images like light container or systemd's portable services.
>>>
>>> It's probably a topic for the next Buildroot Meeting :)
>>>
>>>
>> It seems easy to create a Docker image artifact from a rootfs created by
>> Buildroot
>> 
>>     $ cat Dockerfile
>>     FROM scratch
>>     ADD rootfs.tar /
>> 
>>     $ docker build --tag br:my_proj .
>>     Sending build context to Docker daemon  4.233MB
>>     Step 1/2 : FROM scratch
>>      --->
>>     Step 2/2 : ADD rootfs.tar /
>>      ---> 60cb2207066c
>>     Successfully built 60cb2207066c
>>     Successfully tagged br:my_proj
>
>  Does this also work if the tarball is cross-compiled for a different
> architecture? Probably it does, and it just SIGILLs when you try to run the
> container...
>
>> 
>>     $ docker images
>>     REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
>>     br                  my_proj             60cb2207066c        2 minutes ago       1.74MB
>> 
>>     $ docker save -o br_my_proj.tar br:my_proj
>>     $ ls -1
>>     br_my_proj.tar
>>     Dockerfile
>>     rootfs.tar
>> 
>> But, it could be nice to add "Docker image" as an option in "Filesystem
>> images" choice.
>
>  Yeah, except unfortunately docker security sucks, so on most distros you need
> sudo to run any docker command, even 'docker build'.
>
>  So, it would be nice if we could generate the OCI image without docker.

You can do that with buildah:
https://github.com/containers/buildah

It allows building OCI images from scratch without root privileges.
It supports both building from Dockerfile and using a CLI that is more
convenient for scripting.

/Esben

^ permalink raw reply	[flat|nested] 13+ messages in thread

* [Buildroot] [All Systems Go!] Buildroot : Using embedded tools to build container images
  2019-09-22 18:22     ` Peter Korsgaard
@ 2019-09-23  7:44       ` Esben Haabendal
  2019-09-23  7:49         ` Arnout Vandecappelle
  0 siblings, 1 reply; 13+ messages in thread
From: Esben Haabendal @ 2019-09-23  7:44 UTC (permalink / raw)
  To: buildroot

Peter Korsgaard <peter@korsgaard.com> writes:

>>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:
>
> Hi,
>
>  >  Does this also work if the tarball is cross-compiled for a different
>  > architecture? Probably it does, and it just SIGILLs when you try to run the
>  > container...
>
> Yes. Even easier is just
>
> docker import output/images/rootfs.tar <myproject:mytag>
>
>  >  Yeah, except unfortunately docker security sucks, so on most distros you need
>  > sudo to run any docker command, even 'docker build'.
>
>  >  So, it would be nice if we could generate the OCI image without docker.
>
> I believe you can do similar with E.G. buildah:
>
> https://github.com/containers/buildah
>
> But you anyway need buildah/docker/.. to then finally do something with
> the docker image afterwards, so perhaps just documenting the 'docker
> import' oneliner is enough and not try to do it Buildroot.

Sorry for the duplicate comment about buildah.

To do something with an OCI image built with buildah, you should
consider using podman (https://github.com/containers/libpod), as it also
can be used without root privileges, so should be feasible on shared
servers.

/Esben

^ permalink raw reply	[flat|nested] 13+ messages in thread

* [Buildroot] [All Systems Go!] Buildroot : Using embedded tools to build container images
  2019-09-23  7:44       ` Esben Haabendal
@ 2019-09-23  7:49         ` Arnout Vandecappelle
  2019-09-23  8:10           ` Esben Haabendal
  0 siblings, 1 reply; 13+ messages in thread
From: Arnout Vandecappelle @ 2019-09-23  7:49 UTC (permalink / raw)
  To: buildroot



On 23/09/2019 09:44, Esben Haabendal wrote:
> Peter Korsgaard <peter@korsgaard.com> writes:
> 
>>>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:
>>
>> Hi,
>>
>>  >  Does this also work if the tarball is cross-compiled for a different
>>  > architecture? Probably it does, and it just SIGILLs when you try to run the
>>  > container...
>>
>> Yes. Even easier is just
>>
>> docker import output/images/rootfs.tar <myproject:mytag>
>>
>>  >  Yeah, except unfortunately docker security sucks, so on most distros you need
>>  > sudo to run any docker command, even 'docker build'.
>>
>>  >  So, it would be nice if we could generate the OCI image without docker.
>>
>> I believe you can do similar with E.G. buildah:
>>
>> https://github.com/containers/buildah
>>
>> But you anyway need buildah/docker/.. to then finally do something with
>> the docker image afterwards, so perhaps just documenting the 'docker
>> import' oneliner is enough and not try to do it Buildroot.
> 
> Sorry for the duplicate comment about buildah.
> 
> To do something with an OCI image built with buildah, you should
> consider using podman (https://github.com/containers/libpod), as it also
> can be used without root privileges, so should be feasible on shared
> servers.

 I may be wrong, but as I understand it, all these tools actually call docker
under the hood. They can be used without root privileges because they are
installed with all the necessary suid bits and caps and stuff. However, AFAIU,
you can't build and install them as non-root and then create an image with it.

 umoci was the only tool I found that seemed to *really* not require root.

 Regards,
 Arnout

^ permalink raw reply	[flat|nested] 13+ messages in thread

* [Buildroot] [All Systems Go!] Buildroot : Using embedded tools to build container images
  2019-09-23  7:49         ` Arnout Vandecappelle
@ 2019-09-23  8:10           ` Esben Haabendal
  0 siblings, 0 replies; 13+ messages in thread
From: Esben Haabendal @ 2019-09-23  8:10 UTC (permalink / raw)
  To: buildroot

Arnout Vandecappelle <arnout@mind.be> writes:

> On 23/09/2019 09:44, Esben Haabendal wrote:
>> Peter Korsgaard <peter@korsgaard.com> writes:
>> 
>>>>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:
>>>
>>> Hi,
>>>
>>>  >  Does this also work if the tarball is cross-compiled for a different
>>>  > architecture? Probably it does, and it just SIGILLs when you try to run the
>>>  > container...
>>>
>>> Yes. Even easier is just
>>>
>>> docker import output/images/rootfs.tar <myproject:mytag>
>>>
>>>  >  Yeah, except unfortunately docker security sucks, so on most distros you need
>>>  > sudo to run any docker command, even 'docker build'.
>>>
>>>  >  So, it would be nice if we could generate the OCI image without docker.
>>>
>>> I believe you can do similar with E.G. buildah:
>>>
>>> https://github.com/containers/buildah
>>>
>>> But you anyway need buildah/docker/.. to then finally do something with
>>> the docker image afterwards, so perhaps just documenting the 'docker
>>> import' oneliner is enough and not try to do it Buildroot.
>> 
>> Sorry for the duplicate comment about buildah.
>> 
>> To do something with an OCI image built with buildah, you should
>> consider using podman (https://github.com/containers/libpod), as it also
>> can be used without root privileges, so should be feasible on shared
>> servers.
>
>  I may be wrong, but as I understand it, all these tools actually call docker
> under the hood.

You are wrong.  Buildah and Podman do not call docker in any way.

> They can be used without root privileges because they are
> installed with all the necessary suid bits and caps and stuff.

No suid bit.

> However, AFAIU, you can't build and install them as non-root and then
> create an image with it.

System must be configured to allow normal users to run unprivileged
containers (sysctl kernel.unprivileged_userns_clone=1).  Setting this
naturally requires privileges.

>  umoci was the only tool I found that seemed to *really* not require
>  root.

I suspect that there might be some restrictions on what is possible when
using umoci as an unprivileged user (see
https://umo.ci/quick-start/rootless/).

/Esben

^ permalink raw reply	[flat|nested] 13+ messages in thread
