Building containers and images in and for (open)SUSE How it works, what to do and what to avoid. Release Engineer - SUSE Fabian Vogt [email protected] fvogt on freenode.net 

Slide 2/26 Containers? Images? Containers! VM Images and Live media! 

Slide 3/26 Source Code 

Slide 4/26 Our tools ● Not only for packages, also supports images ● Recently gained ability to handle container images natively ● Central tool for official openSUSE components 

Slide 5/26 Our tools ● Integration into OBS ● Builds all kinds of images for all kinds of distros KIWI 

Slide 6/26 Components image.kiwi Metadata Packages config.sh Configuration Packages Provided by OBS Note the project configuration archive.tar.xz Custom files Container images Bootable disk images KIWI 

Slide 7/26 Structure of a kiwi image description ● XML Header ● OBS metainfo ● Image metainfo: Name, author etc. ● Image profiles 

Slide 8/26 ● Image type and the specific configuration (container metainfo, subvolumes etc.) ● Version ● Package manager configuration 

Slide 9/26 ● List of repositories (just use obsrepositories:/ everywhere) ● List of image and bootstrap packages 

Slide 10/26 Image Templates on OBS ● Get started easily with JeOS or derived container images ● „New Image“ on the OBS start page 

Slide 11/26 Size is important 

Slide 12/26 Package selection ● What‘s the use case? ● Don‘t break hard dependencies – that causes breakage. If a broken dep doesn‘t cause breakage, the dep is wrong. ● Use patterns if possible: 

Slide 13/26 Dive into soft dependencies ● Soft dependencies are Recommends and Supplements (Suggests and Enhances don‘t matter in this case) ● A HUGE amount of packages (and patterns) are recommended. Too much to fit on a CD or even DVD now. ● They can be important though: – breeze4-style Supplements: packageand(breeze5-style:libqt4) – minimal_base pattern: Recommends: grub2 

Slide 14/26 What to do with soft deps? Disable soft deps ● Used for JeOS and container images ● Patterns can help a lot ● Needs QA – something might not work as expected Enable soft deps and blacklist packages () ● Used for live media ● Can get messy, blacklist has to be adapted regularly 

Slide 15/26 rpm --excludedocs ● Documentation files are marked as such in .rpm files and the package database ● Installation can be disabled in zypp.conf (rpm.install.excludedocs = yes) and kiwi (true) ● Kiwi does not write it into the target‘s zypp.conf: → Do that in config.sh ● Previously, license files were marked as %doc – mostly fixed in Tumbleweed now, but not completely in Leap (and SLE). Make sure that all packages have their license files available on the medium. 

Container images are special ● No block devices, no kernel, no /sbin/init required ● Metadata is much more important – Name is now global, e.g. opensuse/leap:15.1 – Labels are necessary for usability ● Derived containers are built on top of other image(s) 

How container labels are defined ● We need labels for e.g. image version and build count ● Labels need to be duplicated to be visible in derived images 

How container labels are defined ● OBS Services to the rescue! 

Slide 19/26 What makes an image official? ● Builds inside the openSUSE: namespace on OBS (→ uses the official openSUSE key for signing!) ● Went through openSUSE review processes ● Only uses packages from inside openSUSE: for building 

Slide 20/26 Submitting official images to openSUSE ● Just like packages: osc sr openSUSE:(Factory:Leap)(:Update) ● Poke the release team by mail or IRC to get new images published on download.opensuse.org or registry.o.o 

Slide 21/26 KIWI Profiles ● One .kiwi file → multiple images: Different image types and package selection Combine with OBS _multibuild: + + 

Slide 22/26 KIWI Profiles: MicroOS as example ● Profile = Flavor + Platform, e.g. ContainerHost-kvm-and-xen ● Implemented using kiwi profile dependencies 

Slide 23/26 live-add-yast-repos ● Package setting up repos for the used openSUSE version ● Uses ultimate source of truth: skelcd control.xml ● Install the „live-add-yast-repos“ package and call add-yast-repos in config.sh. ● The package can be removed again. 

Slide 24/26 openSUSE image release process ● Built inside openSUSE:Factory/images ● Binaries released into openSUSE:Factory:ToTest/appliances or /containers ● openQA pulls it from there ● If openQA is successful, :ToTest/images is publish enabled and /containers released into openSUSE:Containers:Tumbleweed ● openSUSE:Containers publishes directly to registry.opensuse.org ● Bot copies container images to registry-1.docker.io 

Slide 25/26 Resources ● https://en.opensuse.org/Building_derived_containers ● https://build.opensuse.org/image_templates ● https://opensource.suse.com/kiwi/development/schema.html 

The end