This the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Containers

A container is a process that runs on the Photon OS host with its own isolated application, file system, and networking.

Photon OS includes the open source version of Docker. With Docker, Photon OS becomes a Linux run-time host for containers, that is, a Linux cloud container.

The full version of Photon OS includes Kubernetes so you can manage clusters of containers.

1 - Docker Containers

On Photon OS, the Docker daemon is enabled by default. To view the status of the daemon, run the following command:

systemctl status docker

Docker is loaded and running by default on the full version of Photon OS. On the minimal version, it is loaded but not running by default. To start it, run the following command:

systemctl start docker

To obtain information about Docker, run the following command as root:

docker info

After Docker is enabled and started, you can create a container. For example, run the following docker command as root to create a container running Ubuntu 14.04 with an interactive terminal shell:

docker run -i -t ubuntu:14.04 /bin/bash

Photon OS also enables you to run a docker container that runs Photon OS:

docker run -i -t photon /bin/bash

2 - Docker Rootless Support

Run the Docker daemon as a non-root user (Rootless mode)

The Rootless mode allows you to run the Docker daemon and containers as a non-root user. This mitigates the potential vulnerabilities in the daemon and the container runtime.

As long as the prerequisites are met, rootless mode does not require root privileges even during the installation of the Docker daemon.

After its introduction in Docker Engine v19.03 as an experimental feature, the rootless mode was available in Docker Engine v20.10 as a more stable feature.

This feature is available in Photon OS 4.0 and above versions starting from the docker-20.10.14-1 version (in Ph4).

Prerequisites:

  • You must install newuidmap and newgidmap on the host. - Provided by the shadow package in Photon

  • /etc/subuid and /etc/subgid should contain at least 65,536 subordinate UIDs/GIDs for the user. In the following example, the user called testuser has 65,536 subordinate UIDs/GIDs (100000-165535).

  • You can install the pre-required packages using the following command:

    tdnf install -y shadow fuse slirp4netns libslirp

  • Photon 3 or above with docker-20.10.14-1 version (this version is specific to Ph4. For higher versions please refer spec file in the Photon source).

Usage:

You can perform the following tasks with the respective commands for them:

  1. Install docker-rootless using the following command:

    tdnf install -y docker-rootless

  2. Use the following command to add a new user:

    useradd -m test_user

  3. Use the following command to set a password for the new user:

    passwd test_user

  4. Use the following command to log in as the user you created:

    `ssh test_user@localhost`

  5. Run the following command:

    dockerd-rootless-setuptool.sh --help`

    The above command shows something like the following output:

    test_user@photon [ ~ ]$ dockerd-rootless-setuptool.sh --help
Usage: /usr/bin/dockerd-rootless-setuptool.sh [OPTIONS] COMMAND

A setup tool for Rootless Docker (dockerd-rootless.sh).

Documentation: https://docs.docker.com/go/rootless/

Options:
-f, --force Ignore rootful Docker (/var/run/docker.sock)
--skip-iptables Ignore missing iptables

Commands:
check Check prerequisites
install Install systemd unit (if systemd is available) and show how to manage the service
uninstall Uninstall systemd unit

  6. Run the following command, and then check and fix the errors and warnings, if any:

    dockerd-rootless-setuptool.sh`

    Run the following commands:

    a. echo "test_user:100000:65536" >> /etc/subuid

    b. echo "test_user:100000:65536" >> /etc/subgid

    c. echo "kernel.unprivileged_userns_clone = 1" >> /etc/sysctl.d/50-rootless.conf

    d. chmod 644 /etc/subuid /etc/subgid /etc/sysctl.d/50-rootless.conf

    e. sysctl --system

    After you run the above commands, the dockerd-rootless-setuptool.sh check shows the following output:

    test_user@photon [ ~ ]$ dockerd-rootless-setuptool.sh check

[INFO] Requirements are satisfied

  7. After the Requirements are satisfied message appears, run the following command:

    dockerd-rootless-setuptool.sh install

  8. Carefully, go through the output messages of the above command and ensure that everything is fine. Follow the instructions that appear, if any.

  9. Add the following to your .bashrc or .bash_profile:

    export PATH=/usr/bin:$PATH
export DOCKER_HOST=unix:///run/user/$(id -u)/docker.sock

Now, you can run docker run -it photon as a regular user.

Limitations:

Exposing Network Ports Be aware that port numbers below 1024 are called privileged ports and are not available for rootless users. So, you need to use the unprivileged ports such as 8080, and so on. If you want to run an HTTP server, you need to run docker run -p 8080:80. However, if you really need to expose privileged ports, you can do that by adjusting sysctl /proc/sys/net/ipv4/ip_unprivileged_port_start or by setting CAP_NET_BIND SERVICE capability on the binary rootlesskit.

Limiting Resources such as CPU, Memory

Limiting resources with cgroup-related docker run flags such as --cpus, --memory, --pids-limit is supported only while running with cgroup v2 and systemd.

If docker info shows none as Cgroup Driver, the conditions are not satisfied. When these conditions are not satisfied, rootless mode ignores the cgroup-related docker run flags.

3 - Kubernetes

The Kubernetes package provides several services: kube-apiserver, kube-scheduler, kube-controller-manager, kubelet, kube-proxy. These services are managed by systemd. Their configuration resides in a central location: /etc/kubernetes.

For more information, see Running Kubernetes on Photon OS.

4 - Support for distributed builds using Kubernetes

The distributed system using Kubernetes allows the build system to utilize the maximum CPU power across a kubernetes cluster (pods) for faster build process.

Prerequisites

  • Ensure that the NFS server is running
  • Ensure that you have the Kubernetes cluster ready that has access to the NFS server
  • Ensure that you have installed Kubernetes package and have kubeconfig accessible in the build VM.

Triggering Distributed Photon Builds

Perform the following steps in the Photon OS repository:

  1. Update the 'common/data/distributed_build_options.json' configuration file . The following parameters need to be filled:

  • command→ target to run like 'make packages' or 'make packages-minimal' or 'make toolchain-stage-1' or so on. Note: Keep the command with flag 'SCHEDULER_SERVER=enable'.

  • nfs-server-ip→ IP address of the nfs server

  • pods→ number of builder/worker pods you want such as 10 or 20. The default value is 1.

  • nfs-server-path-> path of the nfs mount. For example,/mnt/NFS_PATH/MY_DIR

  1. Run make distributed-build.

Note:

  • This process will make use of the kubeconfig file present under the home directory and start building packages over the specified cluster.
  • It creates one Master pod and multiple worker pods (numbers defined in config.json).
  • The master pod runs the scheduler while the worker or the builder pods build the packages.
  • Distributed Builder monitors the build mob and deletes everything when build has either completed successfully or failed.

The master starts the scheduler server to schedule the packages that have to be built. The worker makes REST calls to scheduler server.get package and notify after the build.

The distributed build also builds cloud images.