Red Hat SummitChapter 4. Creating a fully self-contained bootc image
If you need your bootc image to include everything required to run workloads, use physically-bound container images. Edge-computing scenarios involving embedded systems on specialized devices, high security, or high hardware control scenarios are likely candidates.
4.1. About physically bound bootc image building
When a bootc image is fully self-contained, everything you need to run workloads is embedded with the bootc image, including MicroShift and application container images. The underlying mechanism is to pre-pull physically-bound images during image build and then make them available at runtime.
Because embedded images might change with each system update, you cannot pull the images directly to the default container storage. Additional image stores do not work in this case because of current implementation limits. These limits do not allow bootc image updates for those container images.
The manifest, layer tarballs, and signatures are exported as individual files into the directory. The dir transport type preserves the digest of the image, which is crucial for the original digest to reference the image.
Technical details to understand include the following items:
- Each image goes into the same top-level directory, but a separate subdirectory.
-
Subdirectories are named after the image reference string
SHA. -
An image list file maps image references to their name
SHA. -
You must install the
microshift-release-infoRPM to get the image references required by MicroShift. - You must have image references for your workloads. Apply the same methods to workload image references that you use for MicroShift image references.
-
When you build the container, you must install the
microshift-release-infoRPM. Therelease-x86_64.jsonandrelease-aarch64.jsonfiles from this RPM reside in the/usr/share/microshift/release/directory. These files contain image references required by MicroShift.
You must keep track of the name of the image. A tag, digest, or a mix of both can reference images. Choosing the best way to reference the images you need can impact the quality and robustness of workloads.
4.2. Embedding container images into a bootc image
First, you must add instructions to an existing Containerfile to copy the images you want and list them in a file to keep track of the copied image names. Then, you must copy images locally from the /usr/lib/containers/storage directory to the local container storage.
You cannot store images in the default or additional container storage directory when you build bootc images. For example, if you update the additional container store setting in /etc/containers/storage.conf to point to the /usr/lib/containers/storage directory, bootc image updates fail.
Prerequisites
- You have root access to the host.
- You installed Podman.
- You installed skopeo.
- You have workload image references.
- You have a Containerfile for building MicroShift images.
Procedure
Add the pull secret to the container build procedure to ensure that images can be pulled by running the following command:
podman build --secret id=pullsecret,src=/<path/to/pull/secret>.json
$ podman build --secret id=pullsecret,src=/<path/to/pull/secret>.json1 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- Specify the path to your pull secret in <path/to/pull/secret>.
Add the instructions to physically embed the image at build time by adding the following to your Containerfile:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow When run, the Containerfile extracts the list of MicroShift container image dependencies from the
microshift-release-infoRPM and pulls them into a custom/usr/lib/containers/storagedirectory. The resulting image list file is saved at/usr/lib/containers/storage/image-list.txt.Next, you must copy container images from the custom directory to the main container storage directory so that they are available to MicroShift. Add a script and a systemd service to your Containerfile to copy the embedded images from the
/usr/lib/containers/storagedirectory to the local container storage. Copying happens at runtime before each MicroShift start. Use the following example:Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Next steps
- Build the image.
- Test and deploy per your use case.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}