This project defines the entrypoint for Project Atomic hosts. On anAtomic Host, there are at least two distinct softwaredelivery vehicles; Docker (often used in combination with thetraditional RPM/yum/dnf), and rpm-ostree to provide atomic upgrades of thehost system.
The goal of Atomic is to provide a high level, coherent entrypoint tothe system, and fill in gaps in Linux container implementations.
For Docker,atomic can make it easier to interact with special kindsof containers, such as super-privileged debugging tools and the like.
Theatomic host subcommand wrapsrpm-ostree, currently justproviding a friendlier name, but in the future Atomic may provide moreunified management.
Atomic allows an image provider to specify how a container image expects to berun.
Specifically this includes the privilege level required.
For example if you built an 'ntpd' container application, that required theSYS_TIME capability, you could add meta data to your container image using thecommand:
LABEL RUN /usr/bin/docker run -d --cap-add=SYS_TIME ntpd
Now if you executedatomic run ntpd, it would read theLABEL RUN jsonmetadata from the container image and execute this command.
Most of the time when you ship an application, you need to run an installscript. This script would configure the system to run the application, forexample it might configure a systemd unit file or configure kubernetes torun the application. This tool will allow application developers to embed theinstall and uninstall scripts within the application. The applicationdevelopers can then define the LABEL INSTALL and LABEL UNINSTALL methods, inthe image meta data. Here is a simple httpd installation description.
cat Dockerfile
# Example Dockerfile for httpd application#FROMfedoraMAINTAINERDan WalshENV container dockerRUN yum -y update; yum -y install httpd; yum clean allLABEL Vendor="Red Hat" License=GPLv2LABEL Version=1.0LABEL INSTALL="docker run --rm --privileged -v /:/host -e HOST=/host -e LOGDIR=/var/log/\${NAME} -e CONFDIR=/etc/\${NAME} -e DATADIR=/var/lib/\${NAME} -e IMAGE=\${IMAGE} -e NAME=\${NAME} \${IMAGE} /bin/install.sh"LABEL UNINSTALL="docker run --rm --privileged -v /:/host -e HOST=/host -e IMAGE=${IMAGE} -e NAME=${NAME} ${IMAGE} /bin/uninstall.sh"ADD root /EXPOSE 80CMD [ "/usr/sbin/httpd", "-D", "FOREGROUND" ]
atomic install will read the LABEL INSTALL line and substitute${NAME} withthe name specified with the name option, or use the image name, it will alsoreplace${IMAGE} with the image name.
To be used by the application. The install script could populate thesedirectories if necessary.
In my example the INSTALL method will execute the install.sh which we add tothe image. The root sub directory contains the following scripts:
Theatomic install will set the following environment variables for use in the command:
SUDO_UIDTheSUDO_UID environment variable. This is useful with the docker-u option for user space tools. If the environment variable is not available, the value of/proc/self/loginuid is used.
SUDO_GIDTheSUDO_GID environment variable. This is useful with the docker-u option for user space tools. If the environment variable is not available, the default GID of the value forSUDO_UID is used. If this value is not available, the value of/proc/self/loginuid is used.
cat root/usr/bin/install.sh
#!/bin/sh# Make Data Dirsmkdir -p ${HOST}/${CONFDIR} ${HOST}/${LOGDIR}/httpd ${HOST}/${DATADIR}# Copy Configcp -pR /etc/httpd ${HOST}/${CONFDIR}# Create Containerchroot ${HOST} /usr/bin/docker create -v /var/log/${NAME}/httpd:/var/log/httpd:Z -v /var/lib/${NAME}:/var/lib/httpd:Z --name ${NAME} ${IMAGE}# Install systemd unit file for running containersed -e "s/TEMPLATE/${NAME}/g" etc/systemd/system/httpd_template.service > ${HOST}/etc/systemd/system/httpd_${NAME}.service# Enabled systemd unit filechroot ${HOST} /usr/bin/systemctl enable /etc/systemd/system/httpd_${NAME}.service
Theatomic unistall does the same variable substitution as described forinstall, and can be used to remove any host system configuration.
Here is the example script we used.
cat root/usr/bin/uninstall.sh
#!/bin/shchroot ${HOST} /usr/bin/systemctl disable /etc/systemd/system/httpd_${NAME}.servicerm -f ${HOST}/etc/systemd/system/httpd_${NAME}.service
Finally here is the systemd unit file template I used:
cat root/etc/systemd/system/httpd_template.service
# cat ./root/etc/systemd/system/httpd_template.service[Unit]Description=The Apache HTTP Server for TEMPLATEAfter=docker.serviceBindTo=docker.service[Service]ExecStart=/usr/bin/docker start TEMPLATEExecStop=/usr/bin/docker stop TEMPLATEExecReload=/usr/bin/docker exec -t TEMPLATE /usr/sbin/httpd $OPTIONS -k graceful[Install]WantedBy=multi-user.target