红帽全球峰会第 7 章 Creating bootc images from scratch
With bootc images from scratch, you can have control over the underlying image content, and tailor your system environment to your requirements.
You can use the bootc-base-imagectl command to create a bootc image from scratch by using an existing bootc base image as a build environment, providing greater control over the content included in the build process. This process takes the user RPMs as input, so you need to rebuild the image if the RPMs change.
The custom base derives from the base container, and does not automatically consume changes to the default base image unless you make them part of a container pipeline.
You can use the bootc-base-imagectl rechunk subcommand on any bootc container image.
If you want to perform kernel management, you do not need to create a bootc image from scratch. See Managing kernel arguments in bootc systems.
7.1. Using pinned content to build images
To ensure the base image version contains a set of packages at exactly specific versions, for example, defined by a lockfile, or an rpm-md or yum repository, you can use several tools to manage snapshots of rpm-md or yum repository repositories.
With the bootc image from scratch feature, you can configure and override package information in source RPM repositories, while referencing mirrored, pinned, or snapshotted repository content. Consequently, you gain control over package versions and their dependencies.
For example, you might want to gain control over package versions and their dependencies in the following situations:
- You need to use a specific package version because of strict certification and compliance requirements.
- You need to use specific software versions to support critical dependencies.
Prerequisites
- A standard bootc base image.
Procedure
The following example creates a bootc image from scratch with pinned content:
# Begin with a standard bootc base image that serves as a "builder" for our custom image. FROM registry.redhat.io/rhel10/rhel-bootc:latest # Configure and override source RPM repositories, if necessary. The following step is required when referencing specific content views or target mirrored/snapshotted/pinned versions of content. RUN rm -vf /etc/yum.repos.d COPY mypinnedcontent.repo /etc/yum.repos # Add additional repositories to apply customizations to the image. However, referencing a custom manifest in this step is not currently supported without forking the code. # Build the root file system by using the specified repositories and non-RPM content from the "builder" base image. # If no repositories are defined, the default build will be used. You can modify the scope of packages in the base image by changing the manifest between the "standard" and "minimal" sets. RUN /usr/libexec/bootc-base-imagectl build-rootfs --manifest=standard /target-rootfs # Create a new, empty image from scratch. FROM scratch # Copy the root file system built in the previous step into this image. COPY --from=builder /target-rootfs/ / # Apply customizations to the image. This syntax uses "heredocs" https://www.docker.com/blog/introduction-to-heredocs-in-dockerfiles/ to pass multi-line arguments in a more readable format. RUN <<EORUN # Set pipefail to display failures within the heredoc and avoid false-positive successful builds. set -xeuo pipefail # Install necessary packages, run scripts, etc. dnf -y install NetworkManager emacs # Remove leftover build artifacts from installing packages in the final built image. dnf clean all rm /var/{log,cache,lib}/* -rf EORUN # Define required labels for this bootc image to be recognized as such. LABEL containers.bootc 1 LABEL ostree.bootable 1 # Optional labels that only apply when running this image as a container. These keep the default entry point running under systemd. STOPSIGNAL SIGRTMIN+3 CMD ["/sbin/init"] # Run the bootc linter to avoid encountering certain bugs and maintain content quality. Place this command last in your Containerfile. RUN bootc container lint
Verification
Save and build your image.
$ podman build -t quay.io/<namespace>/<image>:<tag> . --cap-add=all --security-opt=label=type:container_runtime_t --device /dev/fuseBuild <_image_> image by using the
Containerfilein the current directory:$ podman build -t quay.io/<namespace>/<image>:<tag> .
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}