Atomic Run Tool for installing/running/managing container images.
giuseppe and rh-atomic-bot atomic: honor UNINSTALL after stop of a container
Honor the UNINSTALL label after the specified container was stopped.

Introduced by: 1895984

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1576285

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1242
Approved by: rhatdan
Latest commit b507039 Jun 19, 2018
.copr 1.22 Feb 21, 2018
.github Create PULL_REQUEST_TEMPLATE.md Apr 20, 2017
Atomic atomic: honor UNINSTALL after stop of a container Jun 28, 2018
atomic.d Add configuration compliance scan to "atomic scan" Jun 15, 2017
bash run: add option --runtime Feb 23, 2018
docs syscontainers: --user uses runc by default Apr 26, 2018
tests tests: skip system containers test if skopeo copy to ostree fails Jun 27, 2018
.gitignore dockertar-sha256-helper: drop it Mar 24, 2018
.papr.Dockerfile papr.sh: use Fedora 28 Jun 27, 2018
.papr.sh papr.sh: use Fedora 28 Jun 27, 2018
.papr.yml papr.sh: use Fedora 28 Jun 27, 2018
CHANGELOG.md Bump to 1.19.1 Aug 17, 2017
CONTRIBUTING.md CONTRIBUTING.md: New file Apr 7, 2016
COPYING COPYING: Use the LGPLv2+ to be more compatible with ASL 2.0 etc. Feb 19, 2015
LICENSE Symlink LICENSE -> COPYING Apr 14, 2016
Makefile papr: use Fedora 27 Apr 18, 2018
README-atomic-scan.md Add Atomic scan JSON specification. Aug 19, 2016
README.md Add Atomic scan JSON specification. Aug 19, 2016
Vagrantfile Vagrantfile: update to f28 Jun 27, 2018
atomic Fix tests for f26 Aug 23, 2017
atomic-containers.1.md Move atomic ps to atomic containers Sep 2, 2016
atomic.conf atomic.conf: fix syntax error of the YAML format May 31, 2017
atomic.sh atomic.sh: fix up typo in var name Jul 16, 2015
atomic.sysconfig atomic.sysconfig: leave default TOOLSIMG undefined Jul 17, 2015
atomic_dbus.py Add verification options to dbus Aug 30, 2017
atomic_dbus_client.py Add verification options to dbus Aug 30, 2017
atomicdesign.pdf Add design document Jan 29, 2015
gotar.go Source code for gotar binary Aug 18, 2016
migrate.sh Fixes issues in atomic migrate export and import. Disable test_migrat… Aug 18, 2016
org.atomic.conf Add dbus support for version and verify May 18, 2015
org.atomic.policy Change atomic dbus permissions Jul 8, 2016
org.atomic.service Rename atomic_server.py to atomic_dbus.py Jul 13, 2015
requirements.txt depend on version 2 of docker-py Feb 12, 2018
setup.py Refactor images Nov 29, 2016
test.sh tests: skip system containers test if skopeo copy to ostree fails Jun 27, 2018
vagrant.sh Fix tests for f26 Aug 23, 2017

README.md

Atomic: /usr/bin/atomic

This project defines the entrypoint for Project Atomic hosts. On an Atomic Host, there are at least two distinct software delivery vehicles: Docker (often used in combination with the traditional RPM/yum/dnf), and rpm-ostree to provide atomic upgrades of the host system.

The goal of Atomic is to provide a high level, coherent entrypoint to the system, and fill in gaps in Linux container implementations.

For Docker, atomic can make it easier to interact with special kinds of containers, such as super-privileged debugging tools and the like.

The atomic host subcommand wraps rpm-ostree, currently just providing a friendlier name, but in the future Atomic may provide more unified management.

atomic run

Atomic allows an image provider to specify how a container image expects to be run.

Specifically this includes the privilege level required.

For example, if you built an 'ntpd' container application that required the SYS_TIME capability, you could add metadata to your container image using the command:

LABEL RUN /usr/bin/docker run -d --cap-add=SYS_TIME ntpd

Now if you executed atomic run ntpd, it would read the LABEL RUN json metadata from the container image and execute this command.

atomic install

Most of the time when you ship an application, you need to run an install script. This script would configure the system to run the application; for example, it might configure a systemd unit file or configure Kubernetes to run the application. This tool allows application developers to embed the install and uninstall scripts within the application. The application developers can then define the LABEL INSTALL and LABEL UNINSTALL methods in the image metadata. Here is a simple httpd installation description.

cat Dockerfile

# Example Dockerfile for httpd application
#
FROM		fedora
MAINTAINER	Dan Walsh
ENV container docker
RUN yum -y update; yum -y install httpd; yum clean all

LABEL Vendor="Red Hat" License=GPLv2
LABEL Version=1.0
LABEL INSTALL="docker run --rm --privileged -v /:/host -e HOST=/host -e LOGDIR=/var/log/\${NAME} -e CONFDIR=/etc/\${NAME} -e DATADIR=/var/lib/\${NAME} -e IMAGE=\${IMAGE} -e NAME=\${NAME} \${IMAGE} /bin/install.sh"
LABEL UNINSTALL="docker run --rm --privileged -v /:/host -e HOST=/host -e IMAGE=\${IMAGE} -e NAME=\${NAME} \${IMAGE} /bin/uninstall.sh"
ADD root /

EXPOSE 80

CMD [ "/usr/sbin/httpd", "-D", "FOREGROUND" ]

atomic install will read the LABEL INSTALL line and substitute ${NAME} with the name specified with the name option, or with the image name if none is given. It will also replace ${IMAGE} with the image name.

The LOGDIR, CONFDIR and DATADIR variables set in the INSTALL label name directories to be used by the application. The install script could populate these directories if necessary.
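
An added example (not atomic's own code and not part of the original README): one way to preview what a RUN or INSTALL label expands to, and which of its options reach into the host, before the image is installed. The function names, the image name example/httpd and the container name web1 are assumptions of this example, as is the choice to split the label into words before substituting.

```python
import re
import shlex

PLACEHOLDER = re.compile(r"\$\{(NAME|IMAGE)\}")

# Label values as stored in the image, taken from the README's examples.
RUN_LABEL = "/usr/bin/docker run -d --cap-add=SYS_TIME ntpd"
INSTALL_LABEL = (
    "docker run --rm --privileged -v /:/host -e HOST=/host "
    "-e LOGDIR=/var/log/${NAME} -e CONFDIR=/etc/${NAME} "
    "-e DATADIR=/var/lib/${NAME} -e IMAGE=${IMAGE} -e NAME=${NAME} "
    "${IMAGE} /bin/install.sh"
)


def expand_label(label, image, name=None):
    """Return the argv a label expands to.

    ${NAME} becomes `name`, or the image name when no name is given, and
    ${IMAGE} becomes the image name. The label is split into words before
    substitution, so a substituted value can never add an argument.
    """
    values = {"NAME": name or image, "IMAGE": image}
    return [PLACEHOLDER.sub(lambda m: values[m.group(1)], word)
            for word in shlex.split(label)]


def host_access_findings(argv):
    """List the options in argv that give the container access to the host."""
    findings = []
    for i, arg in enumerate(argv):
        following = argv[i + 1] if i + 1 < len(argv) else ""
        if arg == "--privileged" or arg.startswith("--cap-add="):
            findings.append(arg)
        elif arg == "--cap-add":
            findings.append("--cap-add=" + following)
        elif arg in ("-v", "--volume") and following.split(":")[0] == "/":
            findings.append("host root mounted: " + following)
    return findings


if __name__ == "__main__":
    # Constructed sample values: image "example/httpd", container name "web1".
    argv = expand_label(INSTALL_LABEL, "example/httpd", "web1")
    print(" ".join(shlex.quote(a) for a in argv))
    for finding in host_access_findings(argv):
        print("review:", finding)
```

For the README's INSTALL label this reports both --privileged and the bind mount of the host root, which together mean the install script runs with full control of the host.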

In my example the INSTALL method will execute the install.sh which we add to the image. The root sub directory contains the following scripts:

The atomic install will set the following environment variables for use in the command:

SUDO_UID The SUDO_UID environment variable. This is useful with the docker -u option for user space tools. If the environment variable is not available, the value of /proc/self/loginuid is used.

SUDO_GID The SUDO_GID environment variable. This is useful with the docker -u option for user space tools. If the environment variable is not available, the default GID of the value for SUDO_UID is used. If this value is not available, the value of /proc/self/loginuid is used.

cat root/usr/bin/install.sh

#!/bin/sh
# Make Data Dirs
mkdir -p "${HOST}/${CONFDIR}" "${HOST}/${LOGDIR}/httpd" "${HOST}/${DATADIR}"

# Copy Config
cp -pR /etc/httpd "${HOST}/${CONFDIR}"

# Create Container
chroot "${HOST}" /usr/bin/docker create -v "/var/log/${NAME}/httpd:/var/log/httpd:Z" -v "/var/lib/${NAME}:/var/lib/httpd:Z" --name "${NAME}" "${IMAGE}"

# Install systemd unit file for running container
# (absolute template path, so the script does not depend on the working directory)
sed -e "s/TEMPLATE/${NAME}/g" /etc/systemd/system/httpd_template.service > "${HOST}/etc/systemd/system/httpd_${NAME}.service"

# Enable systemd unit file
chroot "${HOST}" /usr/bin/systemctl enable "/etc/systemd/system/httpd_${NAME}.service"

atomic uninstall

The atomic uninstall does the same variable substitution as described for install, and can be used to remove any host system configuration.

Here is the example script we used.

cat root/usr/bin/uninstall.sh

#!/bin/sh
chroot "${HOST}" /usr/bin/systemctl disable "/etc/systemd/system/httpd_${NAME}.service"
rm -f "${HOST}/etc/systemd/system/httpd_${NAME}.service"

Finally here is the systemd unit file template I used:

cat root/etc/systemd/system/httpd_template.service

# cat ./root/etc/systemd/system/httpd_template.service
[Unit]
Description=The Apache HTTP Server for TEMPLATE
After=docker.service
BindsTo=docker.service

[Service]
ExecStart=/usr/bin/docker start TEMPLATE
ExecStop=/usr/bin/docker stop TEMPLATE
ExecReload=/usr/bin/docker exec -t TEMPLATE /usr/sbin/httpd $OPTIONS -k graceful

[Install]
WantedBy=multi-user.target

For an explanation of the Atomic scan JSON output, see the JSON specification document.