rkt can discovery, retrieve, verify, and store images without root privileges.
core@core-02 ~ $ rkt fetch quay.io/coreos/alpine-sh
rkt: searching for app image quay.io/coreos/alpine-sh
rkt: remote fetching from URL "https://quay.io/c1/aci/quay.io/coreos/alpine-sh/latest/aci/linux/amd64/"
prefix: "quay.io/coreos/alpine-sh"
key: "https://quay.io/aci-signing-key"
gpg key fingerprint is: BFF3 13CD AA56 0B16 A898 7B8F 72AB F5F6 799D 33BC
Quay.io ACI Converter (ACI conversion signing key) <[email protected]>
Key "https://quay.io/aci-signing-key" already in the keystore
rkt: downloading signature from https://quay.io/c1/aci/quay.io/coreos/alpine-sh/latest/aci.asc/linux/amd64/
Downloading signature: [=======================================] 473 B/473 B
Downloading ACI: [=============================================] 2.65 MB/2.65 MB
rkt: signature verified:
Quay.io ACI Converter (ACI conversion signing key) <[email protected]>
sha512-a2fb8f390702d3d9b00d2ebd93e7dd1c
core@core-02 ~ $
From inside the container, ps and ls show the isolated process namespace and container filesystem. The os-release file shows the container's OS personality.
core@core-02 ~ $ sudo rkt run --interactive quay.io/coreos/alpine-sh -- /bin/sh
rkt: using image from file /usr/share/rkt/stage1-coreos.aci
rkt: using image from local store for image name quay.io/coreos/alpine-sh
/ # ps
PID USER TIME COMMAND
1 root 0:00 /usr/lib/systemd/systemd --default-standard-output=tty --
2 root 0:00 /usr/lib/systemd/systemd-journald
4 root 0:00 /bin/sh -c /bin/sh /bin/sh
5 root 0:00 /bin/sh
6 root 0:00 ps
/ # ls /
bin etc lib media proc run sys usr
dev home linuxrc mnt root sbin tmp var
/ # cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.2.3
PRETTY_NAME="Alpine Linux v3.2"
HOME_URL="http://alpinelinux.org"
BUG_REPORT_URL="http://bugs.alpinelinux.org"
/ #
Meanwhile, outside the container, the host systemd can monitor and arrange logging and other lifecycle management for rkt pods.
core@core-02 ~ $ systemctl status
● core-02
State: running
Jobs: 0 queued
Failed: 0 units
Since: Tue 2016-02-02 19:35:01 UTC; 10h ago
CGroup: /
├─1 /usr/lib/systemd/systemd --switched-root --system --deserialize 2
├─machine.slice
│ └─machine-rkt\x2dcd642877\x2d8ef5\x2d4b0a\x2d8202\x2d2c6c9415b9cf.s
│ ├─1857 /usr/lib/systemd/systemd --default-standard-output=tty --l
│ └─system.slice
│ ├─systemd-journald.service
│ │ └─1860 /usr/lib/systemd/systemd-journald
│ └─alpine-sh.service
│ ├─1864 /bin/sh -c /bin/sh /bin/sh
│ └─1866 /bin/sh
└─system.slice
├─dbus.service
│ └─643 /usr/bin/dbus-daemon --system --address=systemd: --nofork -
├─update-engine.service
│ └─649 /usr/sbin/update_engine -foreground -logtostderr
├─system-sshd.slice
│ ├─[email protected]:22-10.0.2.2:64676.service
│ │ ├─ 819 sshd: core [priv]
core@core-02 ~ $
Machinectl reveals the transient name assigned to our rkt "virtual machine":
core@core-02 ~ $ machinectl list
MACHINE CLASS SERVICE
rkt-cd642877-8ef5-4b0a-8202-2c6c9415b9cf container nspawn
1 machines listed.
Given the pod's machine name, we can stop the pod with the machinectl tool.
core@core-02 ~ $ sudo machinectl poweroff rkt-cd642877-8ef5-4b0a-8202-2c6c9415b9cf
core@core-02 ~ $ machinectl list
MACHINE CLASS SERVICE
0 machines listed.
core@core-02 ~ $
Long-running rkt pods can be managed as systemd services, with standard tools and practices. An automatic nested systemd manages process lifecycles inside the container. Container apps can be inspected with familiar tools, and even integrated with local management scripts.
core@core-02 ~ $ sudo systemd-run --slice=machine rkt run --net=host quay.io/josh_wood/caddy
Running as unit run-1907.service.
core@core-02 ~ $ systemctl status run-1907.service
● rkt-caddy.service - /bin/rkt run --net=host quay.io/josh_wood/caddy
Loaded: loaded (/run/systemd/system/run-1907.service; static; vendor preset: disabled)
Drop-In: /run/systemd/system/run-1907.service.d
└─50-Description.conf, 50-ExecStart.conf, 50-Slice.conf
Active: active (running) since Wed 2016-02-03 06:37:48 UTC; 24s ago
Main PID: 1908 (ld-linux-x86-64)
CGroup: /machine.slice/run-1907.service
├─1908 stage1/rootfs/usr/lib/ld-linux-x86-64.so.2 stage1/rootfs/us...
├─1928 /usr/lib/systemd/systemd --default-standard-output=tty --lo...
└─system.slice
├─caddy.service
│ └─1933 /bin/caddy
└─systemd-journald.service
└─1929 /usr/lib/systemd/systemd-journald
Feb 03 06:37:50 core-02 rkt[1908]: Downloading signature: 473 B/473 B
Feb 03 06:37:51 core-02 rkt[1908]: Downloading ACI: 0 B/4.54 MB
Feb 03 06:37:51 core-02 rkt[1908]: Downloading ACI: 16.4 KB/4.54 MB
Feb 03 06:37:52 core-02 rkt[1908]: Downloading ACI: 819 KB/4.54 MB
Feb 03 06:37:53 core-02 rkt[1908]: Downloading ACI: 2.96 MB/4.54 MB
Feb 03 06:37:54 core-02 rkt[1908]: Downloading ACI: 4.54 MB/4.54 MB
Feb 03 06:37:54 core-02 rkt[1908]: rkt: signature verified:
Feb 03 06:37:54 core-02 rkt[1908]: Quay.io ACI Converter (ACI conversion si...o>
Feb 03 06:37:55 core-02 rkt[1908]: [38154.032938] caddy[4]: Activating priv...e.
Feb 03 06:37:55 core-02 rkt[1908]: [38154.035398] caddy[4]: :2015
Hint: Some lines were ellipsized, use -l to show in full.
core@core-02 ~ $ sudo systemctl stop run-1907.service
rkt can fetch Docker images from common docker registries, and convert and execute them on the fly. Unfortunately, Docker images can't be cryptographically verified.
core@core-02 ~ $ sudo rkt run --insecure-options=image --interactive docker://busybox -- /bin/sh
rkt: using image from local store for image name coreos.com/rkt/stage1-coreos:0.16.0
rkt: remote fetching from URL "docker://busybox"
Downloading sha256:eeee0535bf3: [==============================] 676 KB/676 KB
Downloading sha256:a3ed95caeb0: [==============================] 32 B/32 B
/ # ps
PID USER TIME COMMAND
1 root 0:00 /usr/lib/systemd/systemd --default-standard-output=tty --
2 root 0:00 /usr/lib/systemd/systemd-journald
4 root 0:00 /bin/sh -c "sh" /bin/sh
5 root 0:00 sh
7 root 0:00 ps
/ # ls /
bin dev etc home proc root sys tmp usr var
/ # uname -a
Linux rkt-a6470cfe-7b6c-498c-917d-a254a312f0aa 4.4.0-coreos-r2 #2 SMP Fri Jan 29 22:00:35 UTC 2016 x86_64 GNU/Linux
~ #
Trying out all the features available in rkt can leave a lot of experimental pods laying around. rkt reaps exited pods and container images from the local store after a configurable grace period. This is easy to automate with a periodic schedule to keep the rkt store tidy:
core@core-02 ~ $ sudo rkt list
UUID APP IMAGE NAME STATE NETWORKS
81627cc6 caddy quay.io/josh_wood/caddy:latest exited
cd642877 alpine-sh quay.io/coreos/alpine-sh:latest exited
d65abad6 alpine-sh quay.io/coreos/alpine-sh:latest exited
core@core-02 ~ $ sudo rkt gc
Moving pod "81627cc6-6d19-48db-8a29-d2e043d060f7" to garbage
Moving pod "cd642877-8ef5-4b0a-8202-2c6c9415b9cf" to garbage
Moving pod "d65abad6-2951-4c5a-a32d-c851145d3320" to garbage
Pod "81627cc6-6d19-48db-8a29-d2e043d060f7" not removed: still within grace period (30m0s)
Pod "cd642877-8ef5-4b0a-8202-2c6c9415b9cf" not removed: still within grace period (30m0s)
Pod "d65abad6-2951-4c5a-a32d-c851145d3320" not removed: still within grace period (30m0s)
core@core-02 ~ $ sudo rkt list
UUID APP IMAGE NAME STATE NETWORKS
81627cc6 caddy quay.io/josh_wood/caddy:latest exited
cd642877 alpine-sh quay.io/coreos/alpine-sh:latest exited
d65abad6 alpine-sh quay.io/coreos/alpine-sh:latest exited
core@core-02 ~ $ sudo rkt gc --grace-period=0
Garbage collecting pod "81627cc6-6d19-48db-8a29-d2e043d060f7"
Garbage collecting pod "cd642877-8ef5-4b0a-8202-2c6c9415b9cf"
Garbage collecting pod "d65abad6-2951-4c5a-a32d-c851145d3320"
core@core-02 ~ $ sudo rkt list
UUID APP IMAGE NAME STATE NETWORKS
core@core-02 ~ $
The acbuild tool is a simple unix utility for constructing ACI manifests and container filesystems. acbuild presents options for mapping ports, mounting filesystems, and specifying the base containers FROM which higher-level images are built -- a dep, or dependency, in acbuild parlance. Rather than implementing its own DSL for container construction, acbuild leverages the command line environment to enable familiar shell scripting and even Makefile-driven build pipelines.
This example acbuild bash script constructs an Apache webserver app container.
#!/usr/bin/env bash
set -e
if [ "$EUID" -ne 0 ]; then
echo "This script uses functionality which requires root privileges"
exit 1
fi
# Start the build with an empty ACI
acbuild --debug begin
# In the event of the script exiting, end the build
acbuildEnd() {
export EXIT=$?
acbuild --debug end && exit $EXIT
}
trap acbuildEnd EXIT
# Name the ACI
acbuild --debug set-name example.com/nginx
# Based on alpine
acbuild --debug dep add quay.io/coreos/alpine-sh
# Install nginx
acbuild --debug run apk update
acbuild --debug run apk add nginx
# Add a port for http traffic over port 80
acbuild --debug port add http tcp 80
# Add a mount point for files to serve
acbuild --debug mount add html /usr/share/nginx/html
# Run nginx in the foreground
acbuild --debug set-exec -- /usr/sbin/nginx -g "daemon off;"
# Save the ACI
acbuild --debug write --overwrite nginx-latest-linux-amd64.aci