Description
Logically bound images
Current documentation: https://containers.github.io/bootc/logically-bound-images.html
Original feature proposal text:
We should support a mechanism where some container images are "lifecycle bound" to the base bootc image.
A common advantage/disadvantage of the below is that the user must manage multiple container images for system installs - e.g. for a disconnected/offline install they must all be mirrored, not just one.
In this model, the app images would only be referenced from the base image as .image files or an equivalent.
This contrasts with physically bound images.
bootc logically bound flow
bootc upgrade follows a flow like:
- fetch new base image
- Read its root filesystem, discover logically bound images
- Pull those images into a new bootc-owned container storage (xref Introduce bootc-owned container store, use for bound images #724 )
- Garbage collect images which are not referenced by any root (e.g. pending/current/rollback).
Current design: symlink to .image or .container files
Introduce /usr/lib/bootc/bound-images.d that is symlinks to .image files or .container files.
Pros:
- Straightforward to implement
- The admin only needs to bump a
:sha256digest in one place to update
Cons:
- Handling systemd specifiers is tricky, we will error out on them
- No separation of concerns: an
.imagefile is intended to pull images not be parsed by an external tool for a separate purpose. - Updates to Quadlet may break the process and/or add (potential) continuous maintenance burden for bootc (i.e., "chasing/reimplementing new features").
- Forces users to use Quadlet even if they have no use for pulling images under systemd.
Note: we expect the .image files to reference images by digest or immutable tag. There is no mechanism to pull images out of band.
Other alternatives considered
New custom config file
A new TOML/usr/lib/bootc/bound-images.d, of the form e.g. 01-myimages.toml:
images = ["quay.io/testos/someimage@sha256:12345", "quay.io/testos/otherimage@sha256:54321"]
authfile = "/etc/containers/my-custom-auth.json"
Pros:
- Easy to just list multiple images vs one image per
.imagefile - TOML format is used by other bootc tooling and some of the container config formats
Cons:
- New file format relating to container images
- May need in the general case to support many of the existing options in
.imagefiles - The admin will need to bump a
:sha256digest in two places to update in general (both in a.containeror.imageand the custom.tomlhere)
Parse existing .image files
Pros:
- Well known
- Spec -> pull translation exists
- Existing spec handles most image pull fields
Cons:
- Would need to extend the spec to include a new
bootc=boundor equivalent opt-in - Handling specifiers is tricky
- Implentation complicated wrt managing systemd
What would happen under the covers here is that bootc would hook into podman and:
- disallow GC of these images even if the unit isn't running (for all deployments)
- Fetch new images (from the new base container image) on
bootc upgrade
TODO:
- docs
- CI test
- PR to fedora bootc examples
- Ensure compatibility with bootc-image-builder bound images fail in bootc-image-builder #715
- install path with
bootc install to-filesystem- simple scenario w/out pull secret? - install path w/pull secret embedded in bootc image? podman pull happens from bootc container
- install path w/bootc-image-builder where it pre-pulls images, demonstrated e2e w/konflux, we probably need to enable a model where bound images are provided in a mirror location or OCI directory
Activity