Support running from a container #28
Conversation
Unlike on macOS and Windows, on Linux `podman machine` isn't a requirement for running containers given that... well, you can already run containers directly. So setting up a podman machine would purely be for the benefit of `podman-bootc`. OTOH, the alternative of using bootc-image-builder is much more flexible but requires root and is not as streamlined a process if one wants to either just kick the tires or want a faster iteration loop on bootable containers. Let's support running `podman-bootc` from a container. This allows users to get to a functional environment in one command: ``` podman run -ti --device /dev/kvm quay.io/podman/podman-bootc ``` This will bring up the 'bootstrap' podman machine, and give users a shell. Caching is also supported by mounting to `/cache`: ``` podman run -ti -v ~/.cache/podman-bootc:/cache:z --device /dev/kvm \ quay.io/podman/podman-bootc run <image> ``` There is also a one-shot mode for the `run` command. This allows users to boot a bootable container with a *single* command: ``` podman run -ti --device /dev/kvm quay.io/podman/podman-bootc run <image> ``` As opposed to b-i-b, all this works fine in rootless podman. The only main requirement is `/dev/kvm`, which is of course not new. Another way to look at this is that it de-emphasizes podman machine and focuses on the image building, caching, and booting aspects of podman-bootc, which is where the most value is for Linux users. Signed-off-by: Jonathan Lebon <jonathan@jlebon.com>
|
For testing this out, I pushed a build of this image to quay.io/jlebon/podman-bootc. The proposal is to host it at quay.io/podman/podman-bootc. |
|
It would definitely be nice to not require podman machine on Linux. I think @germag is working on a solution that will hopefully still keep the UX of the command simple. Maybe we could make |
|
Thanks so much for looking at this! A few things here. One thing to consider is that I do think in many general cases, the bootc-image-builder container will be part of the user's workflow...so we could consider generalizing it to be more of a "SDK", which could include this. So maybe we s/bootc-image-builder/bootc-sdk/ for example, and teach it to have sub-commands. There's a general tension between this tool and bib around supporting e.g. injecting the bib configs, see #4 ) And actually it'd be pretty nice to support streamlining anaconda+kickstart testing too. But the tricky bit is, the more we dip our toes into that world, the less this specific project is just "podman+bootc" and it's more a "fedora-bootc-cli" tool (as not all bootc containers will use anaconda for example). |
|
cc @ondrejbudai for any thoughts re ⬆️ |
|
I think that creating one project (bootc-sdk, bootc-kit) makes a ton of sense, because I think that the ecosystem would greatly benefit from having a unified set of companion tools. Maybe we can even fold some helpers for (Thanks, @cgwalters for inspiration.) This would mean that the kit image probably gets quite big. Is this an issue? Let me give you an example of a "similar" SDK: The first step of developing an Android app is to download the gargantuan Android SDK (6-10 GiB according to a quick Android search), so I'm not too worried about creating a potentially big SDK. The big advantage is that caching is simple because people are used to caching container images. Also, we can version everything together, which is quite nice from the QA point of view. Another advantage is actually there for the SDK developers: We can deduplicate some code. In
This is an interesting one... I think that a distribution providing a base bootc image and a kit with tooling to work with this image makes quite a lot of sense to me. So I don't think that this is really a disadvantage... |
|
Having an SDK-like container makes sense to me. It's what we have on the CoreOS side with coreos-assembler, and long-term it'd make a lot of sense to collaborate on a shared toolkit. I can imagine cosa becoming a derivation on top of that where it adds e.g. kola and CoreOS-specific logic. |
|
Reiterating what I've shared over Slack. Can we utilize devcontainer for this task? |
That's a very interesting topic. I don't have a lot of familiarity with actually using devcontainers to develop containers honestly (also I keep hitting bugs in vscode when I try to use it), and often just fall back on linux to A challenge here is definitely that we don't want to do container-in-container builds, if we have One thing to bear in mind too is that in in the general case too, we can't require our users use devcontainers. The SDK must be runnable from e.g. a Tekton pipeline as well.
Yeah, there's a whole lot of these qemu wrappers around...including in e.g. coreos-assembler and tmt. The tricky bit here is for the SDK in the general case we need to do cross-platform virt. |
Related to this, I did https://github.com/cgwalters/osbuildbootc which we could revive some code and logic from that. Notably it does the "assemble bootstrap VM rootfs from host environment", so it doesn't strictly require a separate container image. The giant challenge here is that in order to support macOS, we can't just execute everything from a container; it won't work obviously to fork off qemu from the Linux VM. The environment is going to have external dependencies. This said, on Linux I think it makes sense for us to support libvirt as we are today, which is basically an "external service". And then we'd just have an internal abstraction for "bootstrap VM" which would always be podman-machine on macOS, but on Linux we could do something like what's happening here automatically in the background if it's not running. That said, how much of this UX problem would go away if the usage of podman-machine on Linux was just automatic if you didn't have it running? Especially if in this scenario, we automatically handled finding the target container image in the user's store? |
|
There is a potential alternative path to this, which I think would help things a lot...we could try to push podman-machine to store container images externally. I think the original krunvm+podman-machine prototypes were doing this - the container image files were stored on the host (user's home directory). And we could obviously do something similar with podman-machine on linux...in which case of course, things get kind of funny in many cases as we'd be doing podman-remote ➡️ [podman in vm] ➡️ [proxy writer to host user container-storage] That path avoids the whole UX sub-problem on Linux of confusion in needing to do bootc container builds inside podman machine, which I think is at least half the problem. |
|
It sounds like this is not quite what we want right now, so let's close this. (Short-term though, I would probably still mention |
Unlike on macOS and Windows, on Linux
podman machineisn't a requirement for running containers given that... well, you can already run containers directly. So setting up a podman machine would purely be for the benefit ofpodman-bootc.OTOH, the alternative of using bootc-image-builder is much more flexible but requires root and is not as streamlined a process if one wants to either just kick the tires or want a faster iteration loop on bootable containers.
Let's support running
podman-bootcfrom a container. This allows users to get to a functional environment in one command:This will bring up the 'bootstrap' podman machine, and give users a shell. Caching is also supported by mounting to
/cache:There is also a one-shot mode for the
runcommand. This allows users to boot a bootable container with a single command:As opposed to b-i-b, all this works fine in rootless podman. The only main requirement is
/dev/kvm, which is of course not new.Another way to look at this is that it de-emphasizes podman machine and focuses on the image building, caching, and booting aspects of podman-bootc, which is where the most value is for Linux users.