Complete rework of lxc-fedora template #1371
Conversation
|
This pull request didn't trigger Jenkins as its author isn't in the whitelist. An organization member must perform one of the following:
Those commands are simple Github comments of the format: "jenkins: COMMAND" |
Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
Heavily refactored version of the Fedora container creation template. Removed compatibility to unsupported Fedora releases including sysvinit and yum stuff. Added new commandline arguments found in other templates: --mirror : To set custom HTTP(s) Fedora download mirror --packages : List of custom packages to install into a new container --debug : Run with shell script with 'set -x' There are also some new environment variables which can be used to customize the template behaviour. See --help output. Supports Fedora >=24. By default Fedora 25 will be installed except on Fedora hosts, where the host release is taken. To simplify the code path (or at least not make it more complex) all non-Fedora hosts will now use the LiveOS-image based bootstrap environment even when they would natively support rpm, yum or even dnf (e.g. Gentoo, CentOS). Mainly runs systemd services by default (journald, networkd, resolved logind). Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
|
You need to adapt the required |
|
Ya, I saw too. I adjusted the templates/Makefile.am but it doesn't seem to be happy yet. Will have a look at it tomorrow. |
Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
|
jenkins: test this please |
|
I tried to build a new Fedora image with As far as I understood, the |
templates/lxc-fedora.in
Outdated
| # Set default localtime to the host localtime if not set... | ||
| if [ -e /etc/localtime -a ! -e ${rootfs_path}/etc/localtime ] | ||
| echo "Mounting LiveOS squashfs file system." | ||
| if ! mount -o loop "${cache}/install.img" squashfs/ |
There was a problem hiding this comment.
Is this the correct syntax for mounting a squashfs image? Shouldn't it be
mount -t squashfs -o loop "${cache}/install.img" squashfs/
?
|
Is your squashfs mount syntax correct? |
|
Hmn, it works without specifying the filesystem on my Gentoo box. This is something I just copied from the old template. But I guess it's not wrong to explicitly define it. |
Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
|
The updated version still doesn't work with the stacked LXC builders in my lab environment. Do you have any CI tests for templates? |
|
@stgraber will know more about the image builders. :) |
|
Other than lxc-ubuntu and lxc-ubuntu-cloud which are covered by lxc-test-ubuntu, we don't have commit level or pull request level CI of LXC templates. I'm also considering disabling lxc-test-ubuntu from our normal CI runs as it's by very far the biggest time and bandwidth user. We'd cut our CI time by more than half should we turn that one off. So I'm definitely not looking at adding more standard CI for LXC templates. That being said, we do produce daily images from a whole bunch of templates with various configuration of those templates. Those images are built inside LXC containers using code in github.com/lxc/lxc-ci and are run against the current git master of the templates, so when a template gets broken that's usually how we catch it within 24 hours. |
|
@stgraber Ok, I see. Thanks for the explanation. In the meantime I found the origin of the error: The problem is the loop mount. First I tried to add the loop device nodes to the After manually creating a How is the loop device setup supposed to work in a systemd container? Or would you allow add such a "hack" to the |
Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
Adjust locale setup to official Fedora cloud setup. This will shrink the image size for e.g. Fedora 25 from around 350MB to 260MB. Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
|
Any thoughts and comments on this PR? Is the loopback issue a blocker? |
|
I'll need to find some time to take a closer look at the script, but I don't think the loopback issue is a problem at all. You are correct that systemd based container are lacking the /dev/loopX devices and that those must be manually created. We in fact have code doing exactly that in our current https://github.com/lxc/lxc-ci build-image script. |
|
Ok, thanks for your reply. I still saw that other templates have dedicated support for btrfs subvolumes when creating the rootfs cache. I'm not using btrfs, that's why I didn't implement that yet. If this is something desirable I could have a look at it for sure. |
|
Sorry for the delay. Don't bother about btrfs, that's fine for now. However, one thing that should be sorted out for new templates is security. It looks like this template is downloading over plain http and rsync without doing any kind of gpg checks on the payload. Any chance you can rework things to rely on https for early bootstrap so that folks can't take over the container with an http man in the middle attack? |
Thanks a lot for you reply. Yes, sure, that's something that I missed completely. I tried to mimic the behaviour of the old template which primarily uses rsync and then added optional HTTP support. I guess I should make HTTPS(!) default and only allow rsync (with an appropriate security note) if someone is downloading the image over a slow connection. Let me check the options... |
|
@ganto sounds good. And yes, we have a number of templates that weren't written with security in mind... We're working on fixing those now. |
Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
This mainly affects the download of the bootstrap image when running on a non-Fedora host and the initial download of the repo and release RPMs. The container rootfs creation will then be verified by dnf against the GPG signatures in the repos RPM. Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
|
I guess switching the entire communication to HTTPS by default is what I can do for now. There are no checksums published of the squashfs bootstrap image. I still could try to find a Fedora release GPG key on the host and try to validate the signature of the downloaded |
|
Yeah, sounds good. https to download the bootstrap bits which include the package manager and keyring used for package downloads after that. |
This is another reply to #1356. After a few evenings of scripting and many iterations, I finally have something usable. It's a heavily refactored version of the Fedora container creation template. I removed compatibility to unsupported Fedora releases including sysvinit and yum stuff and tried to get rid of as much code as possible.
On the other hand I added some new commandline arguments found in other templates:
There are also some new environment variables which can be used to customize the template behaviour. See
--helpoutput.Supports Fedora >=24. By default Fedora 25 will be installed except on Fedora hosts, where the host release is taken. To simplify the code path (or at least not make it more complex) all non-Fedora hosts will now use the LiveOS-image based bootstrap environment even when they would natively support rpm, yum or even dnf (e.g. Gentoo, CentOS).
The resulting Fedora container mainly runs systemd services by default (journald, networkd, resolved, logind). Fixes #270.
For users who still want to use the old template (which is still functional) to setup old Fedora containers for testing stuff, I renamed the original
lxc-fedoratemplate tolxc-fedora-legacy