Repo Man

CoreOS and Atomic are two major Linux distributions optimized for containers and available in the enterprise environment. Not only are these distributions hardened accordingly and suitable for providing the run-time environment for Docker containers, but the entire scope of the distribution has been reduced to a minimum, because these hosts are only intended to operate containers, not to activate any other services.

This rather well-intentioned idea causes problems in many environments, however, such as when you need monitoring or backup software, change management tools, or other applications on the system. Unfortunately, it isn't always easy to install the required software packages after the fact. In this article, I explain why this is the case and how to install the required software on your Docker hosts.

An Atomic installation is used as an example. Corresponding operating system images exist for both Red Hat Enterprise Linux and its community variants CentOS and Fedora. I use a Fedora image [1] that serves as the basis for setting up a KVM-based virtual machine that can be made available within a very short span of time using the virt-manager or virt-install tools. On top of that, I take a regular Fedora 22 system, generate a custom Atomic software repository, and fill it with the desired packages. Docker hosts can then use this custom repository.

Atomic with a Package Manager

At this point, some readers might already be wondering why all this effort is necessary. After all, it's usual with RPM-based distributions to be able to install software packages from corresponding repositories using a package manager. However, it's different with Atomic, because it has no package manager. Instead, such hosts use completely prefabricated filesystem trees that are loaded onto the local host from a central repository in an atomic operation and then mounted in the existing filesystem.

After customizing the bootloader and rebooting the system, the new filesystem is now available with the applications contained in it. The operating system is read-only and located under /usr, whereas data that should remain persistent between different OS versions, are under /var. This data is then integrated into the root file system via corresponding links.

For example, the user's home directory is located on an Atomic host under /var/home and is linked to /home. However, the /bin and /sbin folders can be found in /usr and are integrated under /. The two tools rpm-ostree and ostree are used to manage the filesystems.

After installing an Atomic host, you can display the version of the filesystem tree employed and the repository it comes from as follows:

# rpm-ostree status

By creating your own Atomic repository, you can load it with the software packages you want, so they are then available to the Atomic host. As an example, the existing Fedora Atomic repository is to be expanded by the vim tool and its dependencies. To do this, install the required tools (e.g., rpm-ostree-toolbox on a regular Fedora system) and clone the corresponding Git repository from the Fedora Atomic Project (Listing 1).

# dnf install git rpm-ostree-toolbox
# mkdir /srv/atomic/
# cd /srv/atomic/
# git clone https://git.fedorahosted.org/cgit/fedora-atomic.git
# cd fedora-atomic
# git checkout f22

You will find all the relevant files from the Git repository in the fedora-atomic directory.

The fedora-atomic-docker-host.json file describes which packages need to be installed from which Yum repository. Instead of altering this file, simply create a new one and include the existing JSON file, so you can identify possible sources of error more quickly.

Putting Vim on Your System

Listing 2 shows an example for expanding the existing Atomic filesystem tree with the vim-enhanced package. If you want to use packages from other repositories, refer to the corresponding Yum configuration file – which must be in the same directory – using the repos command. The Fedora repository serves as an example here. Now expand the config.ini configuration file to include an additional section by creating a new profile to do so (see Listing 3).

{
   "include": "fedora-atomic-docker-host.json",
   "packages": ["vim"]
}

[...]
[vim]
tree_name = editors
ref = %(os_name)s/%(release)s/%(arch)s/%(tree_name)s
tree_file = %(os_name)s-vim.json

Finally, you can create a new filesystem tree based on the profile just created and then make this available to your Atomic hosts using the built-in web server. Make sure to use the specified profile name when accessing rpm-ostree-toolbox in the config.ini file.

The procedure presented here is just right for testing purposes, because no additional overhead is needed for configuring a web server. In a production environment, it is useful to provide file trees via regular web servers or not to generate any images at all from them. The ostree tool indicates on which port the built-in web server listens for requests:

# cd /srv/atomic
# rpm-ostree-toolbox treecompose -c fedora-atomic/config.ini --ostreerepo /srv/rpm-ostree/fedora-atomic/22/ -p vim
# ostree trivial-httpd -p - /srv/rpm-ostree/fedora-atomic/22

Finally, you can introduce the new filesystem tree on the previously configured Atomic instance and verify that it is also available there now:

# ostree remote add f22-custom http://192.168.122.1:36073 --no-gpg-verify
# ostree remote list -u f22-custom http://192.168.122.1:36073 fedora-atomic http://dl.fedoraproject.org/pub/fedora/linux/atomic/22/

To switch to the new file tree, you need to perform a rebase and then restart the system:

# rpm-ostree rebase f22-custom:fedora-atomic/f22/x86_64/vim
# systemctl reboot

Once the system has rebooted, calling rpm-ostree should confirm that the filesystem tree just created is in use and is now available to the Vim editor on the system (Listing 4).

# rpm-ostree status
  TIMESTAMP (UTC)       VERSION       ID           OSNAME         REFSPEC
* 2015-09-30 12:07:07   22            c4421f1bba   fedora-atomic  f22-custom:fedora-atomic/f22/x86_64/vim
  2015-09-30 10:38:37   22            81b569ae55   fedora-atomic  f22-custom:fedora-atomic/f22/x86_64/docker-host
# rpm -q vim-enhanced
vim-enhanced-7.4.640-4.fc22.x86_64

Conclusions

The increasing use of container virtualization is accompanied by an increase in demand for specialized Linux distributions that do without unnecessary ballast. CoreOS and the Red Hat Atomic host are two such distributions that meet these requirements. The tools presented here can be used to customize the base images to your own needs, such as installing additional software.