toolbox: add support for multi-layered docker images#5

Merged
jepio merged 3 commits into flatcar:flatcar-master from oliwer:multi-layer-images
Oct 5, 2021

Contributor

oliwer commented Sep 24, 2021

Handle multi-layered Docker images correctly

This is intended to fix flatcar/Flatcar#465 and flatcar/Flatcar#508

Currently, toolbox assumes all Docker images are made of 1 layer: it puts the name of the layer tarball in a variable and passes it to tar. This fails if the image has multiple layers, as the variable contains several filenames.

This patch simply adds a for loop to extract each layer in sequence.

How to use

Run toolbox with a multi-layered docker image, like ubuntu-debootstrap:14.04.

Testing done

$ cat .toolboxrc
TOOLBOX_DOCKER_IMAGE=ubuntu-debootstrap
TOOLBOX_DOCKER_TAG=14.04
$ toolbox
14.04: Pulling from library/ubuntu-debootstrap
Image docker.io/library/ubuntu-debootstrap:14.04 uses outdated schema1 manifest format. Please upgrade to a schema2 image for better future compatibility. More information at https://docs.docker.com/registry/spec/deprecated-schema-v1/
c02c7df4a131: Pull complete 
a3ed95caeb02: Pull complete 
Digest: sha256:b424724203198bdb60d79368bf967c71534dd25f2b7703021110f04e1a81b78c
Status: Downloaded newer image for ubuntu-debootstrap:14.04
docker.io/library/ubuntu-debootstrap:14.04
0539e3ca23a9804b912d4c7fd9d71acd4f4303648056c8817dff756216a8e474/
0539e3ca23a9804b912d4c7fd9d71acd4f4303648056c8817dff756216a8e474/VERSION
0539e3ca23a9804b912d4c7fd9d71acd4f4303648056c8817dff756216a8e474/json
0539e3ca23a9804b912d4c7fd9d71acd4f4303648056c8817dff756216a8e474/layer.tar
898cb62b73684611dcb1f478fa1731683cabc30ddbdc692b0fb027b69cec1033.json
d78a692d1a017b78c77045caff969c337a9e5f83cc1309efbab2c0c982c1ac12/
d78a692d1a017b78c77045caff969c337a9e5f83cc1309efbab2c0c982c1ac12/VERSION
d78a692d1a017b78c77045caff969c337a9e5f83cc1309efbab2c0c982c1ac12/json
d78a692d1a017b78c77045caff969c337a9e5f83cc1309efbab2c0c982c1ac12/layer.tar
manifest.json
...
Untagged: ubuntu-debootstrap:14.04
Untagged: ubuntu-debootstrap@sha256:b424724203198bdb60d79368bf967c71534dd25f2b7703021110f04e1a81b78c
Deleted: sha256:898cb62b73684611dcb1f478fa1731683cabc30ddbdc692b0fb027b69cec1033
Deleted: sha256:c05c8727aa340e50ec560afe8159ced1e88a461579d51fcde5b91f9e918817a6
Deleted: sha256:45befd8a8901eecc964f2c766a93cb8f0f49752a31db8db3af854798f75ebf8e
Spawning container odc-ubuntu-debootstrap-14.04 on /var/lib/toolbox/odc-ubuntu-debootstrap-14.04.
Press ^] three times within 1s to kill container.
root@ip-10-188-70-239:~#

Member

jepio commented Sep 28, 2021

Thanks for this contribution. I checked what happens when a layer removes a file:

  • the original file is kept
  • a "whiteout" file is created.

Might not cause any damage in practice but it's better to avoid it.

Do you think this could be rewritten to instead use docker export? I think approximately the following steps are necessary (excuse my bad variable naming):

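# Create a stopped container from the image, export its merged filesystem, then clean up
containerref=$(docker create "${imageref}")
docker export -o "${containerref}.tar" "${containerref}"
docker rm "${containerref}"
tar xpvf "${containerref}.tar" -C "${machinepath}"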

I also noticed that the resulting tarballs are not gzipped in either case, so we may as well drop that from the name.
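
The whiteout behaviour described in the comment above, reproduced as an added example (not code from this PR or from toolbox): extracting layer tarballs one after another keeps a file that a later layer deleted and leaves the `.wh.` marker behind, while applying the markers removes both. The layer contents, paths and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed two-layer image. Layer 1 adds two files; layer 2 deletes
# etc/secret.conf, which a layer tarball records as an empty whiteout
# marker named ".wh.<name>" (OCI image layer convention).
make_layers() {
    work=$1
    mkdir -p "$work/l1/etc" "$work/l2/etc"
    echo "token=constructed" > "$work/l1/etc/secret.conf"
    echo "mode=demo" > "$work/l1/etc/app.conf"
    : > "$work/l2/etc/.wh.secret.conf"
    tar -cf "$work/layer1.tar" -C "$work/l1" etc
    tar -cf "$work/layer2.tar" -C "$work/l2" etc
}

# Naive approach: untar every layer in order, nothing else.
extract_naive() {
    root=$1; shift
    mkdir -p "$root"
    for layer in "$@"; do tar -xf "$layer" -C "$root"; done
}

# Whiteout-aware approach: after each layer, delete the target of every
# marker and then the marker itself. Assumes the layers contain no
# opaque-directory markers (.wh..wh..opq).
extract_with_whiteouts() {
    root=$1; shift
    mkdir -p "$root"
    for layer in "$@"; do
        tar -xf "$layer" -C "$root"
        find "$root" -name '.wh.*' | while IFS= read -r marker; do
            dir=$(dirname "$marker"); name=$(basename "$marker")
            rm -rf "${dir:?}/${name#.wh.}" "$marker"
        done
    done
}

# Regular files left in a rootfs, as sorted relative paths.
list_files() { (cd "$1" && find . -type f | sort); }

demo=$(mktemp -d)
make_layers "$demo"
extract_naive "$demo/naive" "$demo/layer1.tar" "$demo/layer2.tar"
extract_with_whiteouts "$demo/aware" "$demo/layer1.tar" "$demo/layer2.tar"
echo "naive:";          list_files "$demo/naive"
echo "whiteout-aware:"; list_files "$demo/aware"
rm -rf "$demo"
```

The naive root filesystem still contains `etc/secret.conf` plus the marker, so a file the image author removed remains readable inside the container built from it.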

jepio self-assigned this Sep 28, 2021
Contributor Author

oliwer commented Sep 30, 2021

Good idea. It's much cleaner using docker export. It solved another bug at the same time, where toolbox would crash if there are multiple versions of an image installed.

I also modified the TOOLBOX_DOCKER_ARCHIVE case to support multiple layers. I tried to replace wget by a docker import, but this did not work well: the exported tarball seems corrupt and contains both layers and parts of the filesystem. I suspect that's because when doing docker create of the imported archive, I was forced to provide an initial command for the container. Anyway, for now the old method seems more reliable.

Btw, any reason why you used the -p flag for tar in your example?

Member

jepio commented Oct 4, 2021

@oliwer awesome; I didn't know about the TOOLBOX_DOCKER_ARCHIVE variable, but from searching the internet this appears to be something long obsolete (and that used a different tarball structure) so we can remove that branch altogether. Let me know if you can still do that and I'll merge immediately after (I was gone a couple of days).

tar -p: I pass it out of habit; the -p preserves permissions, but tar does that when run as root by default, so there's no need for it here.

Contributor Author

oliwer commented Oct 4, 2021

Done! I also thought this was a weird feature.

I had to change an error message because the old one did not make sense anymore. Hopefully that's good enough.

Member

jepio left a comment

Thanks!

Now what remains is updating the commit in the ebuild in flatcar-linux/coreos-overlay, would you want to do that? The files are here: https://github.com/flatcar-linux/coreos-overlay/tree/943ce52f94b140922e25559e774c6570c41ca577/app-admin/toolbox, the xxx-9999.ebuild needs changes and the xxx-r15.ebuild symlink needs to be renamed to xxx-r16.ebuild.

jepio merged commit a851cb8 into flatcar:flatcar-master Oct 5, 2021
Contributor Author

oliwer commented Oct 5, 2021

Those filenames look weird... but sure, I'll open a PR.

Successfully merging this pull request may close these issues.

Toolbox command now requires single layer docker images
