[Buildroot] [All Systems Go!] Buildroot : Using embedded tools to build container images

Arnout Vandecappelle arnout at mind.be
Sun Sep 22 16:46:28 UTC 2019



On 22/09/2019 17:47, Jérémy ROSEN wrote:
> Hey all, I'm glad you liked my talk :)
> 
> Here are a couple of other notes that might be of more interest to the
> buildroot community in general...
> * There is no tool I could find from the container world that actually
> builds an image from scratch, they all are based on debian/redhat, this is
> not good and they don't really have an answer
>   As a side-note, be careful when you talk about building images with
> container people. It usually means the step of transforming files into a
> filesystem/disk image, not the compilation phase.
> * There was a talk about "rootless containers" i.e. containers that are able
> to build other container images without being root, using a suid binary or
> talking to a root-owned daemon. Apparently nobody
>   had heard of fakeroot and they didn't know it was actually possible to
> build an image without loopback-mounting images. (
> https://www.youtube.com/watch?v=e_daVOwB7ok)

 Your talk was a lot more interesting :-)

 But the one thing I took away from it is the pointer to umoci [1]. That tool
seems to be capable of creating an OCI image without running docker. E.g. 'umoci
add-layer' seems to add a tarball as a layer to an image.

> * WRT portable services specifically, the only thing that buildroot doesn't
> really do yet is being able to put .service files in images that do not use
> systemd as an init system. (which made perfect sense until portable
> services were introduced in v240)

 Yeah, that would require a disconnect between the init system and the package
that provides it. But it's starting to diverge a lot from Buildroot's purpose
(creating full OS images).

 Note BTW that you'll often still need systemd as a library during the build,
which is also something we don't support at the moment.

 Regards,
 Arnout

[1] https://github.com/openSUSE/umoci

> 
> I'll be in Lyon if you want to discuss this some more...
> 
> Cheers
> Jérémy
> 
> On Sun, 22 Sep 2019 at 16:58, Arnout Vandecappelle <arnout at mind.be>
> wrote:
> 
>>
>>
>> On 22/09/2019 15:13, François Perrad wrote:
>>> On Sat, 21 Sep 2019 at 21:53, Romain Naour <romain.naour at smile.fr>
>>> wrote:
>>>
>>>> Hello,
>>>>
>>>> My colleague Jeremy Rosen did a presentation at All Systems Go conferences
>>>> about building container images using Buildroot:
>>>>
>>>> https://www.youtube.com/watch?v=-CVuBLDpulo
>>
>>  Really interesting talk, thanks for pointing this out!
>>
>>
>>>> It would be interesting to discuss with the community about building such
>>>> container images like light container or systemd's portable services.
>>>>
>>>> It's probably a topic for the next Buildroot Meeting :)
>>>>
>>>>
>>> It seems easy to create a Docker image artifact from a rootfs created by
>>> Buildroot
>>>
>>>     $ cat Dockerfile
>>>     FROM scratch
>>>     ADD rootfs.tar /
>>>
>>>     $ docker build --tag br:my_proj .
>>>     Sending build context to Docker daemon  4.233MB
>>>     Step 1/2 : FROM scratch
>>>      --->
>>>     Step 2/2 : ADD rootfs.tar /
>>>      ---> 60cb2207066c
>>>     Successfully built 60cb2207066c
>>>     Successfully tagged br:my_proj
>>
>>  Does this also work if the tarball is cross-compiled for a different
>> architecture? Probably it does, and it just SIGILLs when you try to run the
>> container...
>>
>>>
>>>     $ docker images
>>>     REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
>>>     br                  my_proj             60cb2207066c        2 minutes ago       1.74MB
>>>
>>>     $ docker save -o br_my_proj.tar br:my_proj
>>>     $ ls -1
>>>     br_my_proj.tar
>>>     Dockerfile
>>>     rootfs.tar
>>>
>>> But, it could be nice to add "Docker image" as an option in "Filesystem
>>> images" choice.
>>
>>  Yeah, except unfortunately docker security sucks, so on most distros you
>> need sudo to run any docker command, even 'docker build'.
>>
>>  So, it would be nice if we could generate the OCI image without docker.
>>
>>  Something was said about this in the questions of Jérémy's presentation,
>> but there was no clear answer.
>>
>>  Regards,
>>  Arnout
>>
> 
> 
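An added example, not part of the original thread or of Buildroot/umoci: the thread asks whether an OCI image can be generated from Buildroot's rootfs.tar without docker or root, and the sketch below writes a one-layer OCI image layout as an unprivileged user using only hashing and JSON. All function names are hypothetical, the sample tarball is constructed, and the layer is assumed to be an uncompressed tar small enough to read into memory.

```python
import hashlib, io, json, os, pathlib, tarfile, tempfile

def put_blob(layout, data):
    """Store bytes (or a dict, JSON-encoded) under blobs/sha256/<digest>; return descriptor fields."""
    if isinstance(data, dict):
        data = json.dumps(data, sort_keys=True).encode()
    hexd = hashlib.sha256(data).hexdigest()
    os.makedirs(os.path.join(layout, "blobs", "sha256"), exist_ok=True)
    with open(os.path.join(layout, "blobs", "sha256", hexd), "wb") as f:
        f.write(data)
    return {"digest": "sha256:" + hexd, "size": len(data)}

def build_oci_layout(rootfs_tar, layout, tag, arch):
    """Wrap an uncompressed rootfs tarball as a one-layer OCI image layout."""
    with open(rootfs_tar, "rb") as f:
        layer = put_blob(layout, f.read())
    # Uncompressed layer, so diff_id == blob digest; arch is a GOARCH name ("arm", "amd64").
    config = put_blob(layout, {"architecture": arch, "os": "linux",
        "rootfs": {"type": "layers", "diff_ids": [layer["digest"]]}})
    mtype = "application/vnd.oci.image.manifest.v1+json"
    manifest = put_blob(layout, {"schemaVersion": 2, "mediaType": mtype,
        "config": {"mediaType": "application/vnd.oci.image.config.v1+json", **config},
        "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar", **layer}]})
    index = {"schemaVersion": 2, "manifests": [{"mediaType": mtype, **manifest,
        "platform": {"architecture": arch, "os": "linux"},
        "annotations": {"org.opencontainers.image.ref.name": tag}}]}
    for name, obj in (("index.json", index), ("oci-layout", {"imageLayoutVersion": "1.0.0"})):
        with open(os.path.join(layout, name), "w") as f:
            json.dump(obj, f)
    return manifest["digest"]

def verify_layout(layout):
    """Re-hash every blob; True only if each one matches its file name."""
    blobs = pathlib.Path(layout, "blobs", "sha256")
    return all(hashlib.sha256(p.read_bytes()).hexdigest() == p.name for p in blobs.iterdir())

def make_sample_rootfs(path):
    """Constructed stand-in for rootfs.tar: root ownership is only header metadata."""
    data = b"root:x:0:0:root:/root:/bin/sh\n"
    info = tarfile.TarInfo("etc/passwd")
    info.size, info.uid, info.gid, info.mode = len(data), 0, 0, 0o644
    with tarfile.open(path, "w") as tar:
        tar.addfile(info, io.BytesIO(data))

if __name__ == "__main__":
    work = tempfile.mkdtemp()
    tar, out = os.path.join(work, "rootfs.tar"), os.path.join(work, "image")
    make_sample_rootfs(tar)
    print(build_oci_layout(tar, out, "my_proj", "arm"), verify_layout(out))
```

Recording the target architecture in the config and index lets a consumer reject a cross-compiled image up front rather than finding out at run time, which is the concern raised in the quoted reply.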

