[WIP] Add podman machine Containerfile

[rhatdan]

Move some of the functionality in ignition into the building of a bootc based podman-machine.

Does this PR introduce a user-facing change?

none

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [rhatdan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rhatdan]

@baude @ashley-cui @cgwalters PTAL

Once we have the design here approved, I can go and remove a lot of code from ignition.go that sets these up.

@cgwalters I do question whether I should setup the config files in /usr/etc or /etc?

[cgwalters]

The preference here is is actually to use /usr/lib/sysctl.d. This configuration is part of the OS.

Otherwise, use /etc. Don't use /usr/etc.

[rhatdan]

Fixed.

[cgwalters]

This can just be dropped currently.

[rhatdan]

Dropped

[cgwalters]

What I'd recommend instead of this is to write these files into /etc/skel - and have the user created on firstboot via systemd-sysusers (per above).

[rhatdan]

There is no support for /etc/subuid and /etc/subgid there though? Or just create those files and let systemd-sysusers create it.

[rhatdan]

Now using /etc/skel

[cgwalters]

This one is tricky...I know we're adding it for compatibility, but going forward I think it'd probably make sense to allocate a podman user for example.

But even more importantly it will work better if we change things to allocate the user on firstboot today.

More on this in https://centos.github.io/centos-bootc/builds/#injecting-users-at-build-time (that could be expanded too)

[cgwalters]

Also, why 501 versus the default?

[rhatdan]

Just going by the entries in ignition.go.

[rhatdan]

Looks like the default user on a MAC is UID=501

[cgwalters]

This is a no-op and unnecessary.

[rhatdan]

Removed

[cgwalters]

And this should be /usr/lib/tmpfiles.d etc.

[rhatdan]

Moved.

[cgwalters]

Hmm, is there really no way to tweak this on the useradd commandline? That'd work better...

[rhatdan]

None that I found.

[cgwalters]

Also what IMO is way nicer to read and maintain is just to have:

COPY rootfs/etc etc
COPY rootfs/usr usr

And then just drop your files in those directories in git.

There's one example of this here

[rhatdan]

I just used usr and etc, but this was a good idea.

[vrothberg]

I will start nasty and request to have comments in all configs and dockerfiles.

Since we can replace some parts that ignition would take at provisiong time to build time, we need comments to keep it maintianable and avoid collective amnesia why something is done the way it is.

[vrothberg]

Why do we need skopeo and buildah?

[rhatdan]

We don't but I think it is useful for debugging and difficult to install if they don't exist.

[vrothberg]

They add 60M to the disk / container so I feel rather hesitant.

[rhatdan]

Ok I can remove.

[cgwalters]

Personally I've quite often wanted the ability to inspect a remote image without fetching it...and that's just in skopeo right? (It would make sense to me to have something like this in podman too...podman image remote-inspect? Dunno)

As far as buildah, I think it's basically because it's been promoted as a peer to podman build, and so it goes where podman goes.

[rhatdan]

The funning thing, my story of skopeo being created is exactly this. we wanted docker inspect --remote. So maybe it is time to add podman image inspect --remote One issue there is inspecting images versus manifest.

--raw versus default. Also --remote might be misinterpreted by CLI.

[vrothberg]

I think this should be a separate issue. Note that skopeo runs on Win and Mac as well. So I don't think this must be part of the podman machine where IMO the focus should be on what Podman needs rather than what some developers may find useful. Ideally, users shouldn't need to ssh into the machine.

[baude]

the user cannot be made in containerfile due to podman machine init --username

[baude]

also, if you want to push forward on this, should be user 1000

[rhatdan]

I would be fine with removing this, but do we want to set the default user for the case where these is no specified --username and then allow the user to modify it. Might be a case where want to use sysusers.

[baude]

long term, i dont think this will work as we will need versioned content ... i.e. podman 5.0, podman 5.1 (or even 5.1.1). I think fedora-coreos-config does this reasonably nicely with YAML that gets read and converted to what you want above. perhaps there is some variable magic we can do here.

[baude]

No code in podman is changed here ... we could make the claim this is all for hacking ... though I would like to see the claim added to the commit and the containerfile. I have a series of long term questions that remain unanswered here but i'll just note them the best i can (given I had intended to do this work but you beat me to it).

1. I'm not confident this is the right place for this ... but i see the dilemma too. You are are trying to move "stuff" from code to containerfiles. Clearly we want that living in podman or podman-machine. However, you are also laying groundwork for a long-term goal of podman-machine operating systems. And that, I'm confident should not live here; however, this approach now mixes the proverbial peanut butter and chocolate. I'd be generally in favor of supporting dev work here ... but no code removal yet.

2. as i said earlier, i think fcos and related has set a nice model for using YAML to control packaging ... it makes it clear, diffs in git are nicer, etc.

3. we need to force a long-term conversation on what the podman-machine os looks like in the future. I will own that. The answer to this question is critical for Podman 5.

[rhatdan]

I think we want to make it easy for people to find an easy example of building a podman machine. We need to figure out the best way of selecting the podman machine perhaps using build-args. Perhaps something like:

ARG PODMAN_VERSION
RUN dnf -y install podman${PODMAN_VERSION}

Then build with:
$ podman build --buildarg PODMAN_VERSION="5.1.*" --tag quay.io/podman/podman-machine:5.1 .

This Containerfile would be just be installing
quay.io/podman/podman-machine:latest
or should it be
quay.io/podman/machine:latest

To eliminate the stutter.

[vrothberg]

Then build with:
$ podman build --buildarg PODMAN_VERSION="5.1.*" --tag quay.io/podman/podman-machine:5.1 .

An alternative may be to build podman directly inside the Dockerfile. A multistage build with injecting the source. The benefit is that it can be built directly in the upstream release process without any downstream delay/lag. This certainly comes at a cost of it not being a distro build.

Just to further sketch out what I mean:

FROM $base-image as podman-build
COPY ./ /src/podman
WORKDIR /src/podman
RUN dnf install -y $build-dependencies
RUN make podman

FROM $base-image
COPY --from=podman-build /src/podman/bin/podman /usr/bin/podman
# All the rest

[cgwalters]

OK so to enable Ignition in derived images, just off the top of my head there are probably two major parts:

• The stuff in e.g. https://github.com/coreos/fedora-coreos-config/tree/testing-devel/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree (and https://github.com/coreos/fedora-coreos-config/tree/testing-devel/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition) ...really, may be hard to avoid just copying all that stuff in the overlays. There was an attempt to RPM-package the Ignition glue but I am not sure how maintained/tested it is. (And of course, regenerating the initramfs, which sadly is a bit harder than just running dracut right now, which is its own bug)
• Setting ignition.platform.id on the kernel cmdline (now see bootc install config which supports injecting kargs, but it may actually be maximally convenient to do this in the disk images, which isn't yet exposed in bib but would likely be easy)

[rhatdan]

@baude can we update this Containerfile to match the current one you are using?