
OpenShift 4 - Customizing UBI Container Images with Buildah

滑景胜
2023-12-01

OpenShift 4.x HOL tutorial collection

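About UBI

Red Hat Universal Base Image (UBI) is designed as a foundation for cloud-native and web application use cases developed in containers. You can build a containerized application on UBI, push it to the registry of your choice, share it easily with others (it is freely redistributable), and even deploy it on non-Red Hat platforms. Because it is built on Red Hat Enterprise Linux, UBI is a reliable, secure, and high-performance platform.
UBI is Red Hat's container-ready operating system image, and it lets you build smaller images for container-based systems. There are currently four types of UBI image:

  • Standard: provides the necessary runtime and the YUM repositories to build, deploy, and share UBI-based containers.
  • Minimal: a UBI image that provides only the essentials needed for a lightweight RHEL-based image.
  • Multi-service: designed for container images intended to run multiple application services; it also includes systemd.
  • Micro: released with Red Hat Enterprise Linux 8.4; provides the smallest UBI footprint for edge computing and other remote applications.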

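Building a container image that contains a standalone application

Pull the base UBI image

  1. Make sure the buildah and podman tools are installed.
$ yum install -y podman buildah
  2. Use buildah to pull the Red Hat ubi image, which is suited to running standalone applications, to the local host.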
$ buildah from registry.access.redhat.com/ubi8/ubi
Getting image source signatures
Copying blob e45283d00526 done  
Copying blob c51b1b38edbb done  
Copying config 18b22de14a done  
Writing manifest to image destination
Storing signatures
ubi-working-container
  3. List the local images and confirm that the ubi8 image is present.
$ buildah images
REPOSITORY                           TAG     IMAGE ID      CREATED         SIZE
registry.access.redhat.com/ubi8/ubi  latest  18b22de14a6f  7 days ago      234 MB
  4. List the containers managed by buildah and confirm that one named ubi-working-container exists.
$ buildah containers
CONTAINER ID  BUILDER  IMAGE ID     IMAGE NAME                       CONTAINER NAME
ede6c61d04ca     *     18b22de14a6f registry.access.redhat.com/ub... ubi-working-container

Note: "buildah containers" is equivalent to "buildah ps" or "buildah list".
  5. View detailed information about the working container.

$ buildah inspect ede6c61d04ca
{
    "Type": "buildah 0.0.1",
    "FromImage": "registry.access.redhat.com/ubi8/ubi:latest",
    "FromImageID": "18b22de14a6f0b26dd2cffb73a1f5980072ce4e81af759d83d551520e67d483b",
    "FromImageDigest": "sha256:557f9b9c5508eaf4f1b6b8420df06a83a96f11a9a19b92f28e6b771186a558ca",
...
  6. Run a command in the container to view the system information inside it.
$ buildah run ubi-working-container cat /etc/redhat-release
Red Hat Enterprise Linux release 8.4 (Ootpa)
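
The "latest" tag pulled in step 2 is mutable, while the FromImageDigest reported in step 5 identifies the exact image that was pulled. The following added example (not part of the original tutorial) turns that inspect output into a digest-pinned reference of the form accepted by "buildah from", and reports when a later pull resolves to a different digest. The function names and the closed-off sample JSON are assumptions, as is the registry serving the manifest under that digest.

```shell
#!/bin/sh
# Added example (not from the original page): derive a digest-pinned base
# image reference from `buildah inspect` output and detect tag drift.

# Constructed sample: the fields shown in the inspect output above, closed
# into valid JSON (the page elides the rest of the document).
sample_inspect() {
cat <<'EOF'
{
    "Type": "buildah 0.0.1",
    "FromImage": "registry.access.redhat.com/ubi8/ubi:latest",
    "FromImageID": "18b22de14a6f0b26dd2cffb73a1f5980072ce4e81af759d83d551520e67d483b",
    "FromImageDigest": "sha256:557f9b9c5508eaf4f1b6b8420df06a83a96f11a9a19b92f28e6b771186a558ca"
}
EOF
}

# json_field NAME: print the string value of a "NAME": "value" line on stdin.
# A line-oriented match is enough for buildah's pretty-printed output.
json_field() {
  sed -n 's/^ *"'"$1"'": *"\([^"]*\)".*$/\1/p' | head -n 1
}

# pinned_ref: read inspect JSON on stdin, print repo@sha256:<digest>.
pinned_ref() {
  doc=$(cat)
  image=$(printf '%s\n' "$doc" | json_field FromImage)
  digest=$(printf '%s\n' "$doc" | json_field FromImageDigest)
  # Refuse anything that is not a well-formed sha256 digest.
  printf '%s\n' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$' || return 1
  [ -n "$image" ] || return 1
  # Drop a trailing :tag, but keep a registry port such as localhost:5000/app.
  case "${image##*/}" in
    *:*) image="${image%:*}" ;;
  esac
  printf '%s@%s\n' "$image" "$digest"
}

# base_drifted EXPECTED_REF: exit 0 if the inspected base no longer matches
# the reference recorded at an earlier build, 1 if it is unchanged, 2 if the
# inspect output could not be parsed.
base_drifted() {
  current=$(pinned_ref) || return 2
  [ "$current" != "$1" ]
}

# Print the pinned reference for the sample; against a real working container
# this would be: buildah inspect ubi-working-container | pinned_ref
sample_inspect | pinned_ref
```

Record the printed reference with the build and use it in place of the tagged name on the next "buildah from", so a rebuild starts from the same bytes.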

Build a new application image on top of the UBI image

  1. View the yum repo configuration inside the container.
$ buildah run ubi-working-container cat /etc/yum.repos.d/ubi.repo
[ubi-8-baseos]
name = Red Hat Universal Base Image 8 (RPMs) - BaseOS
baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/$basearch/baseos/os
enabled = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgcheck = 1
... (omitted)
  2. Install the epel-release-latest-8.noarch.rpm package into the local container ubi-working-container.
$ buildah run ubi-working-container -- yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
Updating Subscription Management repositories.
Unable to read consumer identity
Subscription Manager is operating in container mode.
 
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
 
Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)                                                       39 MB/s |  33 MB     00:00    
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                                                    42 MB/s |  30 MB     00:00    
Red Hat Universal Base Image 8 (RPMs) - BaseOS                                                             4.4 MB/s | 786 kB     00:00    
Red Hat Universal Base Image 8 (RPMs) - AppStream                                                           39 MB/s | 7.4 MB     00:00    
Red Hat Universal Base Image 8 (RPMs) - CodeReady Builder                                                  183 kB/s |  15 kB     00:00    
epel-release-latest-8.noarch.rpm                                                                            51 kB/s |  22 kB     00:00    
Dependencies resolved.
===========================================================================================================================================
 Package                            Architecture                 Version                          Repository                          Size
===========================================================================================================================================
Installing:
 epel-release                       noarch                       8-10.el8                         @commandline                        22 k
 
Transaction Summary
===========================================================================================================================================
Install  1 Package
 
Total size: 22 k
Installed size: 32 k
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                   1/1 
  Installing       : epel-release-8-10.el8.noarch                                                                                      1/1 
  Running scriptlet: epel-release-8-10.el8.noarch                                                                                      1/1 
  Verifying        : epel-release-8-10.el8.noarch                                                                                      1/1 
Installed products updated.
 
Installed:
  epel-release-8-10.el8.noarch                                                                                                             
 
Complete!
  3. Confirm that the RPM was installed in the UBI container and not on the RHEL host.
$ rpm -q epel-release
package epel-release is not installed
  4. Install the moon-buggy application in the UBI container ubi-working-container.
$ buildah run ubi-working-container -- yum -y install moon-buggy
Updating Subscription Management repositories.
Unable to read consumer identity
Subscription Manager is operating in container mode.
 
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
 
Extra Packages for Enterprise Linux Modular 8 - x86_64                                                     1.0 MB/s | 610 kB     00:00    
Extra Packages for Enterprise Linux 8 - x86_64                                                              13 MB/s | 9.4 MB     00:00    
Dependencies resolved.
===========================================================================================================================================
 Package                     Architecture           Version                         Repository                                        Size
===========================================================================================================================================
Installing:
 moon-buggy                  x86_64                 1.0.51-25.el8                   epel                                              81 k
Installing dependencies:
 alsa-lib                    x86_64                 1.2.4-5.el8                     rhel-8-for-x86_64-appstream-rpms                 471 k
 audiofile                   x86_64                 1:0.3.6-23.el8                  epel                                             141 k
 esound-libs                 x86_64                 1:0.2.41-22.el8                 epel                                              84 k
 flac-libs                   x86_64                 1.3.2-9.el8                     rhel-8-for-x86_64-appstream-rpms                 217 k
 libogg                      x86_64                 2:1.3.2-10.el8                  rhel-8-for-x86_64-appstream-rpms                  31 k
 
Transaction Summary
===========================================================================================================================================
Install  6 Packages
 
Total download size: 1.0 M
Installed size: 2.7 M
Downloading Packages:
(1/6): audiofile-0.3.6-23.el8.x86_64.rpm                                                                   2.3 MB/s | 141 kB     00:00    
(2/6): esound-libs-0.2.41-22.el8.x86_64.rpm                                                                521 kB/s |  84 kB     00:00    
(3/6): moon-buggy-1.0.51-25.el8.x86_64.rpm                                                                 277 kB/s |  81 kB     00:00    
(4/6): libogg-1.3.2-10.el8.x86_64.rpm                                                                      119 kB/s |  31 kB     00:00    
(5/6): flac-libs-1.3.2-9.el8.x86_64.rpm                                                                    586 kB/s | 217 kB     00:00    
(6/6): alsa-lib-1.2.4-5.el8.x86_64.rpm                                                                     1.3 MB/s | 471 kB     00:00    
-------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                      905 kB/s | 1.0 MB     00:01     
warning: /var/cache/dnf/epel-fafd94c310c51e1e/packages/audiofile-0.3.6-23.el8.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 2f86d6a1: NOKEY
Extra Packages for Enterprise Linux 8 - x86_64                                                             1.6 MB/s | 1.6 kB     00:00    
Importing GPG key 0x2F86D6A1:
 Userid     : "Fedora EPEL (8) <epel@fedoraproject.org>"
 Fingerprint: 94E2 79EB 8D8F 25B2 1810 ADF1 21EA 45AB 2F86 D6A1
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                   1/1 
  Installing       : alsa-lib-1.2.4-5.el8.x86_64                                                                                       1/6 
  Running scriptlet: alsa-lib-1.2.4-5.el8.x86_64                                                                                       1/6 
  Installing       : libogg-2:1.3.2-10.el8.x86_64                                                                                      2/6 
  Installing       : flac-libs-1.3.2-9.el8.x86_64                                                                                      3/6 
  Installing       : audiofile-1:0.3.6-23.el8.x86_64                                                                                   4/6 
  Installing       : esound-libs-1:0.2.41-22.el8.x86_64                                                                                5/6 
  Installing       : moon-buggy-1.0.51-25.el8.x86_64                                                                                   6/6 
  Running scriptlet: moon-buggy-1.0.51-25.el8.x86_64                                                                                   6/6 
  Verifying        : audiofile-1:0.3.6-23.el8.x86_64                                                                                   1/6 
  Verifying        : esound-libs-1:0.2.41-22.el8.x86_64                                                                                2/6 
  Verifying        : moon-buggy-1.0.51-25.el8.x86_64                                                                                   3/6 
  Verifying        : flac-libs-1.3.2-9.el8.x86_64                                                                                      4/6 
  Verifying        : libogg-2:1.3.2-10.el8.x86_64                                                                                      5/6 
  Verifying        : alsa-lib-1.2.4-5.el8.x86_64                                                                                       6/6 
Installed products updated.
 
Installed:
  alsa-lib-1.2.4-5.el8.x86_64     audiofile-1:0.3.6-23.el8.x86_64    esound-libs-1:0.2.41-22.el8.x86_64    flac-libs-1.3.2-9.el8.x86_64   
  libogg-2:1.3.2-10.el8.x86_64    moon-buggy-1.0.51-25.el8.x86_64   
 
Complete!
  5. List the local container images. At this point only the ubi8 image is present.
$ podman images
REPOSITORY                           TAG     IMAGE ID      CREATED         SIZE
registry.access.redhat.com/ubi8/ubi  latest  18b22de14a6f  7 days ago      234 MB
  6. Commit the local container ubi-working-container as an image named moon-buggy.
$ buildah commit ubi-working-container moon-buggy
Getting image source signatures
Copying blob baedd15dd07e skipped: already exists  
Copying blob 1e05587d4a9f skipped: already exists  
Copying blob d487a9463f88 done  
Copying config ff5e289069 done  
Writing manifest to image destination
Storing signatures
ff5e28906909086dd354be1b0b7d9bff941f0705f1a2ec23c054d6f5dcba3a75
  7. List the local container images again. The new application image is now present.
$ podman images
REPOSITORY                           TAG     IMAGE ID      CREATED         SIZE
localhost/moon-buggy                 latest  ff5e28906909  18 seconds ago  418 MB
registry.access.redhat.com/ubi8/ubi  latest  18b22de14a6f  7 days ago      234 MB
  8. Run a container from the local moon-buggy image.
$ podman run -it moon-buggy /usr/bin/moon-buggy
  9. Type "q" in the application screen to quit.
  Moon-Buggy version 1.0.51+esd, Copyright 2004 Jochen Voss <voss@seehuhn.de>
  Moon-Buggy comes with ABSOLUTELY NO WARRANTY; for details type 'w'.
  This is free software, and you are welcome to redistribute it
  under certain conditions; type 'c' for details.
 
                         MM     MM   OOOOO    OOOOO   NN     N
                         M M   M M  O     O  O     O  N N    N
                         M  M M  M  O     O  O     O  N  N   N
                         M   M   M  O     O  O     O  N   N  N
                         M       M  O     O  O     O  N    N N
                         M       M   OOOOO    OOOOO   N     NN

                               BBBBBB   U     U   GGGGG    GGGGG   Y     Y
                               B     B  U     U  G     G  G     G   Y   Y
                               BBBBBB   U     U  G        G          Y Y
                               B     B  U     U  G   GGG  G   GGG     Y
                               B     B  U     U  G     G  G     G    Y
                               BBBBBB    UUUUU    GGGGG    GGGGG   YY
 
                                                                       Omm
                                                                    (|)-(|)
####################################################################################################
####################################################################################################
y,SPC,RET:start game  q,n:quit  c:show copyright  w:show warranty  s:show scores  r,C-l:redraw
  10. List the local containers and confirm that the "charming_neumann" container is present.
$ buildah ps --all
CONTAINER ID  BUILDER  IMAGE ID     IMAGE NAME                       CONTAINER NAME
c8cc546ce9ba     *     18b22de14a6f registry.access.redhat.com/ub... ubi-working-container
c9961b90a70e           8050aac88b92 localhost/moon-buggy:latest      charming_neumann
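
In step 4, "yum -y" answered yes to importing the EPEL signing key, so the fingerprint printed in the transcript was accepted without review. The following added example (not part of the original tutorial) scans a captured build log for such imports and fails when a fingerprint is not on a pinned list. The function names are assumptions, and the pinned value is the one printed above, which should be confirmed against the key list published by the Fedora project.

```shell
#!/bin/sh
# Added example (not from the original page): audit a captured `yum -y`
# transcript for GPG keys that were imported automatically.

# Pinned fingerprints, space-separated, each with its inner spaces removed.
# This value is the EPEL 8 fingerprint printed in the transcript on this page;
# confirm it out of band before relying on it.
PINNED_FPRS="94E279EB8D8F25B21810ADF121EA45AB2F86D6A1"

# Constructed sample: the key-import lines from the moon-buggy install above.
sample_log() {
cat <<'EOF'
warning: /var/cache/dnf/epel-fafd94c310c51e1e/packages/audiofile-0.3.6-23.el8.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 2f86d6a1: NOKEY
Importing GPG key 0x2F86D6A1:
 Userid     : "Fedora EPEL (8) <epel@fedoraproject.org>"
 Fingerprint: 94E2 79EB 8D8F 25B2 1810 ADF1 21EA 45AB 2F86 D6A1
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
Key imported successfully
EOF
}

# list_imported_keys: read a transcript on stdin and print one line per
# imported key as "<keyid> <fingerprint-without-spaces> <source>".
list_imported_keys() {
  awk '
    /^Importing GPG key 0x/ { id = $4; sub(/:$/, "", id); fpr = ""; next }
    id != "" && /^ *Fingerprint *:/ { fpr = $0; sub(/^[^:]*: */, "", fpr); gsub(/ /, "", fpr); next }
    id != "" && /^ *From *:/ { src = $0; sub(/^[^:]*: */, "", src); print id, toupper(fpr), src; id = "" }
  '
}

# check_key_imports: read a transcript on stdin; exit 0 only if every key
# imported during the transaction is on the pinned list.
check_key_imports() {
  rc=0
  keys=$(list_imported_keys)
  if [ -z "$keys" ]; then
    return 0            # no key was imported in this transcript
  fi
  while read -r id fpr src; do
    case " $PINNED_FPRS " in
      *" $fpr "*) echo "OK       $id $fpr ($src)" ;;
      *)          echo "UNPINNED $id $fpr ($src)"; rc=1 ;;
    esac
  done <<EOF
$keys
EOF
  return $rc
}

# Run against the sample; in a build script, pipe the saved output of
# `buildah run ... yum -y install ...` into check_key_imports instead.
sample_log | check_key_imports
```

Running the check before "buildah commit" keeps an image that trusted an unexpected key from being published.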

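Building a container image for an application that runs as a service

Pull the base UBI image

  1. Pull the Red Hat ubi8 image ubi-init, which is suited to running background services, to the local host. The local working container is named ubi-init-working-container.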
$ buildah from registry.access.redhat.com/ubi8/ubi-init
Getting image source signatures
Copying blob c51b1b38edbb done  
Copying blob 26cb90e4ae84 done  
Copying blob e45283d00526 done  
Copying config 9bbdcc2d3f done  
Writing manifest to image destination
Storing signatures
ubi-init-working-container
  2. Install the httpd service into the local container.
$ buildah run ubi-init-working-container -- yum -y install httpd
Updating Subscription Management repositories.
Unable to read consumer identity
Subscription Manager is operating in container mode.
 
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
 
Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)                                                       26 MB/s |  33 MB     00:01    
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                                                    28 MB/s |  30 MB     00:01    
Red Hat Universal Base Image 8 (RPMs) - BaseOS                                                             5.4 MB/s | 786 kB     00:00    
Red Hat Universal Base Image 8 (RPMs) - AppStream                                                           37 MB/s | 7.4 MB     00:00    
Red Hat Universal Base Image 8 (RPMs) - CodeReady Builder                                                  158 kB/s |  15 kB     00:00    
Dependencies resolved.
  3. Enable the httpd service so that it starts automatically when the container starts.
$ buildah run ubi-init-working-container -- systemctl enable httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
  4. Copy index1.html into the container as the default httpd page.
$ cat << EOF > index1.html 
index page 1
EOF
$ buildah copy ubi-init-working-container index1.html /var/www/html/index.html
c03382e8c990233b6ac7ccbef803c6556421825e8e400a0dea41826940713ac7
  5. Configure the container to expose port 80.
$ buildah config --port 80 --cmd "/usr/sbin/init" ubi-init-working-container
  6. Commit the local container as a container image named el-httpd1.
$ buildah commit ubi-init-working-container el-httpd1
Getting image source signatures
Copying blob baedd15dd07e skipped: already exists  
Copying blob 1e05587d4a9f skipped: already exists  
Copying blob 5f7bc1e8ff4c skipped: already exists  
Copying blob 2a8794f0ce87 [--------------------------------------] 0.0b / 0.0b
Copying config 7d309d19db done  
Writing manifest to image destination
Storing signatures
7d309d19dbcf443c4840848eaf974b6c9d36b6b816d3aaedaea1698ac2134399
  7. List the local container images; the el-httpd1 image committed in the previous step is included.
$ podman images
REPOSITORY                                TAG     IMAGE ID      CREATED        SIZE
localhost/el-httpd1                       latest  7d309d19dbcf  4 minutes ago  414 MB
registry.access.redhat.com/ubi8/ubi-init  latest  9bbdcc2d3f32  7 days ago     251 MB
  8. Run the el-httpd1 image, mapping container port 80 to host port 80.
$ podman run -d -p 80:80 el-httpd1
d36f80196646541f2538a56bcd85fb345314847b900ea6f6b3b0a9035dc69cb6
  9. List the containers running locally.
$ podman ps
CONTAINER ID  IMAGE                       COMMAND         CREATED         STATUS             PORTS               NAMES
d36f80196646  localhost/el-httpd1:latest  /usr/sbin/init  29 seconds ago  Up 28 seconds ago  0.0.0.0:80->80/tcp  trusting_hermann
  10. View the information for el-httpd1.
$ buildah inspect localhost/el-httpd1
{
    "Type": "buildah 0.0.1",
    "FromImage": "localhost/el-httpd1:latest",
    "FromImageID": "7d309d19dbcf443c4840848eaf974b6c9d36b6b816d3aaedaea1698ac2134399",
    "FromImageDigest": "sha256:fbfb75636edd40965aaffc07b6627033ee3a3872ebc92d5fdb755e92176ff551",
...
  11. Confirm that the container's httpd service is reachable.
$ curl http://localhost

  12. Stop all running containers.

$ podman stop -a
d36f80196646541f2538a56bcd85fb345314847b900ea6f6b3b0a9035dc69cb6

Creating an application image from scratch

  1. Run buildah to create a working container from scratch.
$ buildah from scratch
working-container
  2. Get the mount directory of the current working container.
$ scratchmnt=$(buildah mount working-container)
$ echo ${scratchmnt}
/var/lib/containers/storage/overlay/f8fa6992ba9d780f45dfa476235d3da5dc98deba7f49cee928b448a7bbfe52b6/merged
  3. Confirm that the host directory where the working container is mounted contains no files.
$ ls -l ${scratchmnt}
total 0
  4. Install the httpd service for the container, with "${scratchmnt}" as the install root.
$ yum install --installroot ${scratchmnt} httpd --releasever 8 --setopt=module_platform_id="platform:el8" -y
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)               2.4 MB/s | 7.0 MB     00:02
Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)                  1.3 MB/s | 3.7 MB     00:02
Red Hat Enterprise Linux 8 for x86_64 - Supplementary (RPMs)            23 kB/s |  78 kB     00:03
Last metadata expiration check: 0:00:01 ago on Fri 17 May 2019 03:41:34 PM EDT.
Dependencies resolved.
====================================================================================================================
 Package                 Arch   Version                                      Repository                         Size
====================================================================================================================
Installing:
 httpd                   x86_64 2.4.37-11.module+el8.0.0+2969+90015743      rhel-8-for-x86_64-appstream-rpms   1.4 M
 
<< OUTPUT ABRIDGED >>
 
Complete!
  5. Enable the httpd service so that it starts automatically when the container starts.
$ chroot ${scratchmnt} systemctl enable httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
  6. Copy index2.html to /var/www/html/index.html in the container.
$ cat << EOF > index2.html 
index page 2
EOF
$ cp index2.html ${scratchmnt}/var/www/html/index.html
  7. List the host directory where the container is mounted again.
$ ls -l ${scratchmnt}
total 12
lrwxrwxrwx.  1 root root    7 Apr 23  2020 bin -> usr/bin
dr-xr-xr-x.  4 root root   30 Jun  3 16:17 boot
drwxr-xr-x.  2 root root   18 Jun  3 16:17 dev
drwxr-xr-x. 53 root root 4096 Jun  3 16:18 etc
drwxr-xr-x.  2 root root    6 Apr 23  2020 home
lrwxrwxrwx.  1 root root    7 Apr 23  2020 lib -> usr/lib
lrwxrwxrwx.  1 root root    9 Apr 23  2020 lib64 -> usr/lib64
drwxr-xr-x.  2 root root    6 Apr 23  2020 media
drwxr-xr-x.  2 root root    6 Apr 23  2020 mnt
drwxr-xr-x.  2 root root    6 Apr 23  2020 opt
dr-xr-xr-x.  2 root root    6 Apr 23  2020 proc
dr-xr-x---.  2 root root    6 Apr 23  2020 root
drwxr-xr-x. 13 root root  162 Jun  3 16:18 run
lrwxrwxrwx.  1 root root    8 Apr 23  2020 sbin -> usr/sbin
drwxr-xr-x.  2 root root    6 Apr 23  2020 srv
dr-xr-xr-x.  2 root root    6 Apr 23  2020 sys
drwxrwxrwt.  2 root root    6 Apr 23  2020 tmp
drwxr-xr-x. 12 root root  144 Jun  3 16:17 usr
drwxr-xr-x. 20 root root 4096 Jun  3 16:18 var
  8. Unmount the container's filesystem.
$ buildah unmount working-container
66fa1c4c764491a77cdf7b1b16a646dbf17dbe8925ff9a1b1e8866aad46fd3e8
  9. Configure the httpd service to run on port 80 of the container.
$ buildah config --port 80 --cmd "/usr/sbin/init" working-container
  10. Commit the local container as a container image named el-httpd2.
$ buildah commit working-container el-httpd2
Getting image source signatures
Copying blob 9b095605ad72 done  
Copying config 098c1605a7 done  
Writing manifest to image destination
Storing signatures
098c1605a7cbe3a1cdd3a0e28fc3a19d996e8fba26656834caf4a30c22f62fd3
  11. List the local container images and confirm that the el-httpd2 image is present.
$ podman images
REPOSITORY                                TAG     IMAGE ID      CREATED         SIZE
localhost/el-httpd2                       latest  098c1605a7cb  24 seconds ago  657 MB
localhost/el-httpd1                       latest  9c105d0cc696  5 minutes ago   414 MB
registry.access.redhat.com/ubi8/ubi-init  latest  9bbdcc2d3f32  7 days ago      251 MB
  12. Run a container from the el-httpd2 image.
$ podman run -d -p 80:80 el-httpd2
bb0f61fe23ffc9ea60be24f9c2f09db9b4794a5d60e9f4989663b05fa9edb6f8
  13. View the information for the running container.
$ podman ps
CONTAINER ID  IMAGE                       COMMAND         CREATED       STATUS                     PORTS               NAMES
bb0f61fe23ff  localhost/el-httpd2:latest  /usr/sbin/init  1 second ago  Up Less than a second ago  0.0.0.0:80->80/tcp  cranky_haslett
  14. View the information for the el-httpd2 image.
$ buildah inspect localhost/el-httpd2
  15. Confirm that the container's httpd service is reachable.
$ curl http://localhost
  16. Stop all running containers.
$ podman stop -a

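Using UBI images with S2I

The following steps require that you are already logged in to OpenShift.

  1. Run the command to build the quarkus-quickstarts application on the UBI8-based openjdk-11 image.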
$ oc new-app --context-dir=getting-started --name=quarkus-quickstart registry.access.redhat.com/ubi8/openjdk-11~https://github.com/quarkusio/quarkus-quickstarts.git#1.13.3.Final
  2. Create a route from the service.
$ oc expose svc/quarkus-quickstart
  3. Confirm that the application is reachable.
$ export URI="http://$(oc get route | grep quarkus-quickstart | awk '{print $2}')"
$ curl $URI/hello/greeting/quarkus
hello quarkus

References

https://access.redhat.com/documentation/zh-cn/red_hat_enterprise_linux/8/html-single/building_running_and_managing_containers/index
