Generate RPM and support arbitrary files copied to the host

[giuseppe]

this is a prototype to add "pre installed" system containers. The idea is to have another deployment tree under /usr/lib/containers/atomic that is not handled by "atomic install/uninstall/update", where '/var/lib/containers/atomic' is fully handled by atomic. The systemd files are also copied under '/usr/lib'.

The second patch adds the possibility to install a system container into a rpm. The ---generate-rpm (three dashes) option is hidden for now. The spec file is auto generated, and stuff like Requires, Provides, Conflicts can be specified through labels. So in the Dockerfile something like: LABEL Provides="etcd", will be translated directly to the specfile.

Example:

# atomic --debug install --system ---generate-rpm gscrivano/etcd  
# rpm -i x86_64/atomic-container-etcd-1.0-1.0.x86_64.rpm

[jfilak]

I'm confused, this line looks like you want to install container's /etc to host's /etc.

[giuseppe]

here I am mapping from the temporary directory (where the container was checked out) to the absolute path `/etc' in the host (where the .rpm will install these files)

[jfilak]

Oh sorry, I thought that the destdir variable points to the container's root.

[rhatdan]

I would prefer that the user not need to specify this. This should happen automatically if the image supports generation of rpms for install.

[rhatdan]

Users will forget to do this, and we want to eventually make this the default for all of our system containers.

[giuseppe]

the --generate-rpm doesn't probably belong here, I just didn't know where to add it.

I think we will need a way to just generate the .rpm, so that it can be used as any regular .rpm, you can even install it without using atomic at all.

Installing the .rpm could be the default here, but we will need a way to specify also to install the container in the usual way using /var/lib instead of '/usr/lib' if needed.

[rhatdan]

Right I would say that is the fallback.
I believe the user puts the data in as templates rather then in labels. I am thinking a rpm.yaml file which specifies information for the spec file, but allows atomic CLI to do substitutions like the name of the container so the spec file ends up with foobar_etcd, and we could prefix all executables or paths with the container names.

[rhatdan]

values["DESTDIR"] = (os.path.join("/", os.path.relpath(destination), prefix)) if prefix else destination)

[rhatdan]

Should we just

if prefix:
     return

[rhatdan]

if self.debug:

[rhatdan]

I think there should be a rpm specification template in the container image that triggers the rpm build for install. This should be simpler then the rpm.spec, Perhaps just the files section as well as description, license, summary and potentially some other fields.

Should we default post install of rpm package to

atomic uninstall CONTAINER

[giuseppe]

We can add a spec template, as we do with the other configuration files (and offer a substitution for the list of the installed files, it would be very tedious to list them otherwise). I thought of using labels so we will be able to query resolves/provides/conflicts remotely without fetching the image first.

I have not added a preun script yet. I think it should just be to stop the systemd service. I think "atomic uninstall" should not interfere with rpm to handle/delete the files.

[rhatdan]

Right I guess we could get a circular dependency here.
I guess atomic uninstall should execute

rpm -e PACKAGE.

[giuseppe]

@rhatdan I have addressed your comments for the code.

I have pushed a bunch of other patches to cleanly support copied files to the host.

I have included the idea of @jfilak to copy files from /exports/hostfs to the host. These files are tracked by the rpm when generating one, otherwise they are managed by atomic and removed on "atomic uninstall".

The files copied to the host can be also template files, the same substitution rules that are used for the runc configuration file and the systemd service file apply here.

It is possible to specify that a system container doesn't install any service, so that can be used just as a way to copy files to the host, or to generate an rpm without the overhead of the service+rootfs files.

[rhatdan]

@TomasTomecek PTAL

[rhatdan]

@baude PTAL

[jfilak]

I like this pull request and I told @giuseppe that he has done a great job in private chat. However, there is one thing that concerns me a bit. I think it's a pity that the whole system container thing is bundled in 'atomic' utility. I develop my containers on Fedora and I would appreciate a tool capable of installing a test container on my development machine.

[rhatdan]

atomic command is available on Fedora as well as atomic host. It is a separate package.

[cgwalters]

Atomic Host is part of Fedora. It is Fedora as much as a system managed via yum.

[rhatdan]

Right atomic CLI is available on Fedora Server, Fedora Workstation, Fedora Cloud/Atomic

[jfilak]

So it is possible to develop a DNF plugin installing system containers through 'atomic' utility. It would be cool to run:

dnf container-install gscrivano/etcd

[TomasTomecek]

Would it make sense to add changelog? So users know that the rpm is generated and installed by atomic.

[TomasTomecek]

Got this traceback with image you provided to me:

$ sudo ./atomic --debug install --system ---generate-rpm --display img
Extracting to /tmp/tmprTqPaB/rpmroot/usr/lib/containers/atomic/img
./atomic --debug install --system ---generate-rpm --display img: too few arguments
Try './atomic --debug install --system ---generate-rpm --display img --help' for more information.
Traceback (most recent call last):
  File "./atomic", line 187, in <module>
    sys.exit(_func())
  File "/home/tt/g/atomic/Atomic/install.py", line 90, in install
    return self.syscontainers.install(self.image, self.name)
  File "/home/tt/g/atomic/Atomic/syscontainers.py", line 169, in install
    repo = self._get_ostree_repo()
  File "/home/tt/g/atomic/Atomic/syscontainers.py", line 1507, in generate_rpm
    self._checkout(repo, name, image, 0, False, destination=rootfs, prefix=rpm_content)
  File "/home/tt/g/atomic/Atomic/syscontainers.py", line 276, in _checkout
    return self._do_checkout(repo, name, img, upgrade, values, destination, unitfileout, tmpfilesout, extract_only, remote, prefix, installed_files
=installed_files)
  File "/home/tt/g/atomic/Atomic/syscontainers.py", line 363, in _do_checkout
    was_service_active = self._is_service_active(name)
  File "/home/tt/g/atomic/Atomic/syscontainers.py", line 965, in _is_service_active
    return self._systemctl_command("is-active", name, quiet=True).replace("\n", "") == "active"
AttributeError: 'NoneType' object has no attribute 'replace'

[giuseppe]

@TomasTomecek --display is not really supported when generating an rpm as we need to read information from the files that are installed/checked out from the OSTree repository. I have added a fixup patch though to not cause the traceback when --display is used.

[rhatdan]

I would like to setup a BlueJeans tomorrow to help design this tool to make sure everyone is on the same page. We need this to work for use cases outside of --system containers as well.

[TomasTomecek]

We need this to work for use cases outside of --system containers as well.

This would be awesome. Right now I'm in a process of writing down use cases which could benefit greatly from this feature. Please, invite me to the discussion.

[giuseppe]

yes, this PR makes possible to install arbitrary files on the host and track them with a rpm without requiring a running or even installed container/systemd service.

Every file under /exports/hostfs will be copied to the host file system. If noContainerService is used in the manifest.json file then atomic won't try to install the systemd service and the runc container.

[rhatdan]

@giuseppe I scheduled the meeting tomorrow at 8:30 AM EST. I would like you to take the lead to describe what you are building and display different parts. Could you throw together a Google Doc in the mean time to help facilitate the discussion.

[rhatdan]

BTW Add anyone you would like to the meeting.

[rhatdan]

@TomasTomecek If you could write up your Use Cases, that would be helpful also.

[rh-atomic-bot]

☔ The latest upstream changes (presumably e405c6a) made this pull request unmergeable. Please resolve the merge conflicts.

[rhatdan]

@rh-atomic-bot r+ 4321643

[rh-atomic-bot]

⌛ Testing commit 4321643 with merge 6e1fe7a...

[rh-atomic-bot]

☀️ Test successful - status-redhatci
Approved by: rhatdan
Pushing 6e1fe7a to master...