Monday, July 27, 2015

Portability Series: Another Base Image

In the previous post, we looked at various challenges when moving existing (read: x86) container setups onto z Systems. One challenge is the widespread use of Ubuntu as a Docker base image. The closest thing on z is Debian, which has roughly the same packaging structure and naming.

Let's have a look at how we can easily get to such an environment.

The procedure is similar to the script creating base images for SLES and RHEL. Let's assume we are root and create our environment in /root:
mkdir debian
mkdir debtarget
cd debian

First, get the archive with all the keys for verification of the packages:
ar -x debian-archive-keyring_2014.3_all.deb
tar xJf data.tar.xz
Then, download the debootstrap code which does the heavy lifting:
(Updates since initial posting: at the time of writing, I used version 1.0.71 of debootstrap. For some reason, this is a moving target. Please check for the latest version 1.0.xx in that http directory and replace the 1.0.78 below with it)
ar -x debootstrap_1.0.78_all.deb
tar xzf data.tar.gz
Now the build of the base environment starts (make sure it is all in one line):
PATH=$PATH:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin DEBOOTSTRAP_DIR=/root/debian/usr/share/debootstrap usr/sbin/debootstrap --keyring=usr/share/keyrings/debian-archive-keyring.gpg --arch s390x jessie /root/debtarget

This long line does the following: the PATH setting is adjusted (so that the chroot which happens inside debootstrap is happy). The DEBOOTSTRAP_DIR variable is required since we do everything in a directory under /root. The keyring option points to the file we've downloaded. We're building for s390x as the architecture, and we are building the Debian release "jessie". All that goes into /root/debtarget. And we take all of the files from the specified Debian server.

For the keyring to add any security value, it makes sense to download the keyring from a different site (mirror) than the specified Debian server. If you are paranoid (planning for the case that several Debian servers are compromised), you need to check the keyring manually for integrity.
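
One way to script the keyring check described above, as an added example that is not part of the original post: the keyring package is accepted only if two copies fetched from different mirrors are identical and match a digest obtained out of band. The function names and the sample files are assumptions, and the sample data is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: accept the keyring package only if two independent checks pass.
# Function names and the sample files below are assumptions for illustration.

# Print the SHA-256 digest of a file (first field of sha256sum output).
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 only if both copies (fetched from two different mirrors) are
# identical AND match a digest obtained out of band; 2 = missing/empty file,
# 1 = mismatch.
keyring_trusted() {
    copy_a=$1; copy_b=$2; pinned=$3
    [ -s "$copy_a" ] && [ -s "$copy_b" ] || return 2
    digest_a=$(sha256_of "$copy_a")
    digest_b=$(sha256_of "$copy_b")
    [ "$digest_a" = "$digest_b" ] || return 1   # the two mirrors disagree
    [ "$digest_a" = "$pinned" ] || return 1     # differs from the pinned digest
    return 0
}

# Manual check of the extracted keyring: print key fingerprints for comparison
# with ones published elsewhere. Needs gpg; pass an absolute path.
list_keyring_fingerprints() {
    gpg --no-default-keyring --keyring "$1" --fingerprint
}

# Constructed sample data standing in for the downloaded keyring package.
demo_dir=$(mktemp -d)
printf 'constructed keyring bytes\n' > "$demo_dir/mirror_a.deb"
printf 'constructed keyring bytes\n' > "$demo_dir/mirror_b.deb"
printf 'constructed keyring bytes, tampered\n' > "$demo_dir/mirror_c.deb"
# In practice the pinned digest comes from a separate trusted channel.
pinned_digest=$(sha256_of "$demo_dir/mirror_a.deb")

if keyring_trusted "$demo_dir/mirror_a.deb" "$demo_dir/mirror_b.deb" "$pinned_digest"; then
    echo "keyring accepted: continue with ar -x and debootstrap"
fi
if ! keyring_trusted "$demo_dir/mirror_a.deb" "$demo_dir/mirror_c.deb" "$pinned_digest"; then
    echo "keyring rejected: stop before debootstrap"
fi
rm -rf "$demo_dir"
```

Only after keyring_trusted succeeds should the package be unpacked and the extracted debian-archive-keyring.gpg passed to debootstrap with --keyring.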

Update 7/29 for clarification, thanks Matthias:
Instead of jessie, we can also build the wheezy release -- as used in the following blog post. Wheezy is also widely used as a Docker base image, and it might be closer to Ubuntu 14.04. So the wheezy build would be kicked off by:
PATH=$PATH:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin DEBOOTSTRAP_DIR=/root/debian/usr/share/debootstrap usr/sbin/debootstrap --keyring=usr/share/keyrings/debian-archive-keyring.gpg --arch s390x wheezy /root/debtarget

Now we only have to import the image into docker:
cd ../debtarget/
tar cf - . | docker import - debian:jessie
(Use "debian:wheezy" if you have built wheezy.) This will get us a Debian image:
[root@r1745034 ~]# docker images
REPOSITORY             TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
debian                 jessie              789de184d56e        31 seconds ago      282.6 MB

Everything should be set up so that even package installation works out of the box:
docker run -t -i debian:jessie bash
root@17c697029ff3:/# apt-get update
Get:1 jessie InRelease [134 kB]
Get:2 jessie/main s390x Packages [6539 kB]
Get:3 jessie/main Translation-en [4585 kB]
Fetched 11.3 MB in 14s (764 kB/s)
Reading package lists... Done
root@17c697029ff3:/# apt-get install vim
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
  libgpm2 vim-runtime
Suggested packages:
  gpm ctags vim-doc vim-scripts
The following NEW packages will be installed:
  libgpm2 vim vim-runtime
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 6015 kB of archives.
After this operation, 29.0 MB of additional disk space will be used.
Do you want to continue? [Y/n]
apt-get update refreshes the package list, and apt-get install performs package installation.

Disclaimer: you might be used to professional support on your SLES or RHEL image -- and you might not have the same kind of support contract for Debian.

In the next post, we'll tackle more of the challenges when (im)porting container setups.
