准备 buildah

构建 buildah

$ sudo apt install libgpgme-dev libdevmapper-dev libseccomp-dev
$ git clone https://github.com/containers/buildah.git
$ cd buildah/
$ git checkout v1.26.1
$ make
$ sudo cp bin/buildah /usr/bin/
$ buildah --version
buildah version 1.26.1 (image-spec 1.0.2-dev, runtime-spec 1.0.2-dev)

配置 buildah

$ sudo mkdir /etc/containers/
$ sudo vi /etc/containers/policy.json
{
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ]
}

containers-policy.json
https://github.com/containers/image/blob/v5.21.1/docs/containers-policy.json.5.md

准备 debootstrap

安装 debootstrap

$ sudo apt install debootstrap

测试 debootstrap

debootstrap 命令行参数如下：

$ debootstrap [OPTION]... <suite> <target> [<mirror> [<script>]]

<mirror> 为 apt 源地址，参数根据实际情况进行调整，当前 KylinV10 桌面版的地址如下：

deb http://archive.kylinos.cn/kylin/KYLIN-ALL 10.1 main universe multiverse restricted
deb http://archive2.kylinos.cn/deb/kylin/production/PART-V10-SP1/custom/partner/V10-SP1 default all

<script> 在 Ubuntu 下（KylinV10 桌面版实际上就是 Ubuntu）都是指向的 gutsy：

$ ls -l /usr/share/debootstrap/scripts/focal
lrwxrwxrwx 1 root root 5 Apr 27 00:56 /usr/share/debootstrap/scripts/focal -> gutsy
$ ls -l /usr/share/debootstrap/scripts/jammy
lrwxrwxrwx 1 root root 5 Apr 27 00:56 /usr/share/debootstrap/scripts/jammy -> gutsy

可以通过 --print-debs 测试看看效果：

$ debootstrap --print-debs --variant minbase --no-check-gpg 10.1 /tmp/$$ \
http://archive.kylinos.cn/kylin/KYLIN-ALL gutsy
$ debootstrap --print-debs --variant minbase --include bash --no-check-gpg --verbose 10.1 /tmp/$$ \
http://archive.kylinos.cn/kylin/KYLIN-ALL gutsy

制作镜像

制作镜像的命令行如下：

$ sudo su
# buildah from scratch
working-container
# scratchmnt=$(buildah mount working-container)
# debootstrap --components main,universe,multiverse,restricted \
--variant minbase --include libc6,kysec-utils --exclude bash --no-check-gpg \
10.1 $scratchmnt \
http://archive.kylinos.cn/kylin/KYLIN-ALL gutsy
# buildah config --cmd /bin/sh working-container
# buildah commit working-container kylinv10d
# buildah unmount working-container

可以将制作的镜像转成本地 docker 镜像：

# buildah push kylinv10d docker-daemon:kylinv10d:latest
# docker images
REPOSITORY     TAG       IMAGE ID       CREATED          SIZE
kylinv10d      latest    f2c291e1ff10   19 seconds ago   363MB

注意：当前 KylinV10 桌面版的 bash 安装包存在如下问题，所以需要在上面的命令行中将 bash 排除（可以后面再通过 dpkg 解压 bash 安装包来进行手工安装）。

Preparing to unpack .../bash_5.0-6kylin1k6_amd64.deb ...
dpkg (subprocess): unable to execute new bash package pre-installation script (/var/lib/dpkg/tmp.ci/preinst): No such file or directory
dpkg: error processing archive /var/cache/apt/archives/bash_5.0-6kylin1k6_amd64.deb (--unpack):
 new bash package pre-installation script subprocess returned error exit status 2
Errors were encountered while processing:
 /var/cache/apt/archives/bash_5.0-6kylin1k6_amd64.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

故障规避

使用 buildah 的过程中，使用 buildah run 运行容器可能会出现如下的错误（通过 unshare 命令可以模拟出来这个错误）：

# buildah run working-container id
error running container: error from  creating container for [/usr/bin/id]: : fork/exec : no such file or directory
ERRO[0000] did not get container create message from subprocess: EOF 
error while running runtime: exit status 1

通过添加 --isolation chroot 选项可以规避这个问题：

# buildah run --isolation chroot working-container id
uid=0(root) gid=0(root) groups=0(root)

使用 docker 运行容器没有这个问题。

最后修改于 2022-06-12