Skip to content

Commit

Permalink
Add support for running bootc bootable containers
Browse files Browse the repository at this point in the history
We attempt to detect if a container image is bootable. We can't easily
retrieve the image's labels, so we instead look for files under
/usr/lib/bootc/install. If there are none, it isn't a bootable
container. If it is a bootable container but we're not running under
Podman, we fail with an error.

Once our container's entrypoint starts running, a background process on
the host (outside the container) queries Podman for the image's name and
ID, which the OCI runtime does not get but bootc-install needs. It then
saves the container image as an OCI archive.

It then runs the original container to generate the VM image. We do this
using krun [1] so that elevated privileges aren't necessary. Our
entrypoint blocks until this is done, and all subsequent logic remains
the same.

We could potentially avoid the OCI archive creation step by mounting the
host's container storage into the container running under krun. This
isn't trivial to achieve due to SELinux label and context mismatches
between the host and the krun environment, so we leave this optimization
for a future date.

Closes #26.

[1] https://github.com/containers/crun/blob/main/krun.1.md

Signed-off-by: Alberto Faria <afaria@redhat.com>
  • Loading branch information
albertofaria committed Apr 23, 2024
1 parent 785b8ef commit 9cbaa3e
Show file tree
Hide file tree
Showing 16 changed files with 408 additions and 75 deletions.
2 changes: 1 addition & 1 deletion docs/1-installing.md
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ To also set up crun-vm for use with Docker:
1. Install crun-vm's runtime dependencies:

```console
$ dnf install bash coreutils crun genisoimage grep libselinux-devel libvirt-client libvirt-daemon-driver-qemu libvirt-daemon-log openssh-clients qemu-img qemu-system-x86-core shadow-utils util-linux virtiofsd
$ dnf install bash coreutils crun crun-krun genisoimage grep libselinux-devel libvirt-client libvirt-daemon-driver-qemu libvirt-daemon-log openssh-clients qemu-img qemu-system-x86-core sed shadow-utils util-linux virtiofsd
```

2. Install Rust and Cargo if you do not already have Rust tooling available:
Expand Down
16 changes: 16 additions & 0 deletions docs/2-podman-docker.md
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,21 @@ in a container image.
Note that flag `--persistent` has no effect when running VMs from container
images.

### From bootable container images

crun-vm can also work with [bootable container images], which are containers
that package a full operating system:

```console
$ podman run \
--runtime crun-vm \
-it --rm \
quay.io/centos-bootc/fedora-bootc:eln
```

Internally, crun-vm first generates a VM image from the bootable container and
then boots it.

## First-boot customization

### cloud-init
Expand Down Expand Up @@ -337,6 +352,7 @@ be merged with it using the non-standard option `--merge-libvirt-xml <file>`.
> Before using this flag, consider if you would be better served using libvirt
> directly to manage your VM.
[bootable container images]: https://containers.github.io/bootable/
[cloud-init]: https://cloud-init.io/
[domain XML definition]: https://libvirt.org/formatdomain.html
[Ignition]: https://coreos.github.io/ignition/
Expand Down
88 changes: 88 additions & 0 deletions embed/bootc/config.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
{
"ociVersion": "1.0.0",
"process": {
"terminal": true,
"user": { "uid": 0, "gid": 0 },
"args": ["/output/entrypoint.sh", "<IMAGE_NAME>"],
"env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"TERM=xterm"
],
"cwd": "/",
"capabilities": {
"bounding": [],
"effective": [],
"inheritable": [],
"permitted": [],
"ambient": []
},
"rlimits": [
{
"type": "RLIMIT_NOFILE",
"hard": 262144,
"soft": 262144
}
],
"noNewPrivileges": true
},
"root": {
"path": "<ORIGINAL_ROOT>",
"readonly": false
},
"hostname": "bootc-install",
"mounts": [
{
"type": "bind",
"source": "<PRIV_DIR>/root/crun-vm/bootc",
"destination": "/output",
"options": ["bind", "rprivate", "rw"]
},
{
"destination": "/proc",
"type": "proc",
"source": "proc"
},
{
"destination": "/dev/pts",
"type": "devpts",
"source": "devpts",
"options": [
"nosuid",
"noexec",
"newinstance",
"ptmxmode=0666",
"mode=0620",
"gid=5"
]
}
],
"linux": {
"namespaces": [
{ "type": "pid" },
{ "type": "network" },
{ "type": "ipc" },
{ "type": "uts" },
{ "type": "cgroup" },
{ "type": "mount" }
],
"maskedPaths": [
"/proc/acpi",
"/proc/asound",
"/proc/kcore",
"/proc/keys",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
"/sys/firmware",
"/proc/scsi"
],
"readonlyPaths": [
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
]
}
}
19 changes: 19 additions & 0 deletions embed/bootc/entrypoint.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
#!/bin/sh
# SPDX-License-Identifier: GPL-2.0-or-later

set -e

image_name=$1

bootc install to-disk \
--source-imgref oci-archive:/output/image.oci-archive \
--target-imgref "$image_name" \
--skip-fetch-check \
--generic-image \
--via-loopback \
--karg console=tty0 \
--karg console=ttyS0 \
--karg selinux=0 \
/output/image.raw

touch /output/success
62 changes: 62 additions & 0 deletions embed/bootc/prepare.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0-or-later

set -o errexit -o pipefail -o nounset

original_root=$1
priv_dir=$2
container_id=$3

__step() {
>&2 printf "\033[36m%s\033[0m\n" "$*"
}

mkfifo "$priv_dir/root/crun-vm/bootc/progress"
exec > "$priv_dir/root/crun-vm/bootc/progress" 2>&1

# this blocks here until the named pipe above is opened by entrypoint.sh

# get info about the container *image*

__step 'Storing the container image as an OCI archive...'

image_info=$(
podman container inspect \
--format '{{.ImageName}}\t{{.Image}}' \
"$container_id"
)

image_name=$( cut -f1 <<< "$image_info" )
image_id=$( cut -f2 <<< "$image_info" )

oci_archive=$priv_dir/root/crun-vm/bootc/image.oci-archive

# save container *image* as an OCI archive

podman save --format oci-archive --output "$oci_archive.tmp" "$image_id"
mv "$oci_archive.tmp" "$oci_archive"

# adjust krun config

__step 'Generating a VM image from the container image...'

__sed() {
sed -i "s|$1|$2|" "$priv_dir/root/crun-vm/bootc/config.json"
}

__sed "<IMAGE_NAME>" "$image_name"
__sed "<ORIGINAL_ROOT>" "$original_root"
__sed "<PRIV_DIR>" "$priv_dir"

# run bootc-install under krun

truncate --size 10G "$priv_dir/root/crun-vm/bootc/image.raw" # TODO: allow adjusting disk size

krun run \
--config "$priv_dir/root/crun-vm/bootc/config.json" \
"crun-vm-$container_id" \
</dev/ptmx

[[ -e /crun-vm/bootc/success ]]

__step 'Booting VM...'
21 changes: 21 additions & 0 deletions scripts/entrypoint.sh → embed/entrypoint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,11 @@ trap 'exit 143' SIGTERM

set -o errexit -o pipefail -o nounset

is_bootc_container=$1

# clean up locks that may have been left around from the container being killed
rm -fr /var/lock

mkdir -p \
/etc/libvirt \
/tmp \
Expand Down Expand Up @@ -53,6 +58,22 @@ chmod +x /crun-vm/virsh
# remove if present from previous boot
rm -f /crun-vm/ssh-successful

# generate VM image from bootable container

if (( is_bootc_container == 1 )) && [[ ! -e /crun-vm/image/image ]]; then

fifo=/crun-vm/bootc/progress
while [[ ! -e "$fifo" ]]; do sleep 0.2; done
cat "$fifo"
rm "$fifo"

[[ -e /crun-vm/bootc/success ]]

mkdir -p /crun-vm/image
mv /crun-vm/bootc/image.raw /crun-vm/image/image

fi

# launch VM

function __bg_ensure_tty() {
Expand Down
File renamed without changes.
File renamed without changes.
Loading

0 comments on commit 9cbaa3e

Please sign in to comment.