diff --git a/doc/talks/stacker101/flow3.png b/doc/talks/stacker101/flow3.png new file mode 100644 index 00000000..2dba6512 Binary files /dev/null and b/doc/talks/stacker101/flow3.png differ diff --git a/doc/talks/stacker101/stacker101.md b/doc/talks/stacker101/stacker101.md index 84371589..560f580f 100644 --- a/doc/talks/stacker101/stacker101.md +++ b/doc/talks/stacker101/stacker101.md @@ -1,6 +1,6 @@ --- title: Stacker 101 -author: Michael McCracken +author: Stacker Maintainers patat: images: backend: iterm2 
@@ -44,41 +44,39 @@ next for a minute Ram will discuss why OCI matters --> --- - # Terms - *container* - * a process tree running in a restricted environment + - a process tree running in a restricted environment - *image* - * a packaged* directory tree to be used as the root filesystem for a container - * includes some config for how to run the container, often ignored in k8s + - a packaged* directory tree to be used as the root filesystem for a container + - includes some config for how to run the container, often ignored in k8s - *base image* - * an existing image to start from when building a new image + - an existing image to start from when building a new image - *layer / content-addressed blob* - * implementation detail of current container images, coarse way to share storage + - implementation detail of current container images, coarse way to share storage - *runtime* - * software that unpacks and mounts images and starts containers + - software that unpacks and mounts images and starts containers - *OCI* - * Open Source Spec for container image and runtime tools and data formats - * includes a spec for on-disk image storage and for image repository API + - Open Source Spec for container image and runtime tools and data formats + - includes a spec for on-disk image storage and for image repository API - *OCI Layout* - - just a directory somewhere on disk with one or more container images + - just a directory somewhere on disk with one or more container images - *LXC* (not LXD) - * Open Source library for running and managing containers. Supports OCI among many image types. Builder agnostic. + - Open Source library for running and managing containers. Supports OCI among many image types. Builder agnostic. - *Docker* - * Open Source tool for building, running and managing containers, does many other things. 
- * OCI specs (but not code) overlap significantly with docker - + - Open Source tool for building, running and managing containers, does many other things. + - OCI specs (but not code) overlap significantly with docker ----- +--- # Goals - efficiency - * small images - + - small images + - trust - - checking hashes + - checking hashes - understandability & maintainability @@ -94,22 +92,21 @@ easy to tell where something came from without tracing through many files and scripts --> ----- - +--- # How does stacker work? -* Get a base container image* +- Get a base container image* -* Import any file deps you need +- Import any file deps you need -* Start a container - - base image as the RFS - - file deps accessible +- Start a container + - base image as the RFS + - file deps accessible -* Run a script in that container to set things up +- Run a script in that container to set things up -* Save any changes as a new image in an OCI Layout +- Save any changes as a new image in an OCI Layout ----- +--- # How is it different? @@ -134,11 +131,11 @@ stacker convert - OCI Native standard storage format - Shell script based mutation - - many changes in one "layer" + - many changes in one "layer" - Linux Only - - Uses LXC and overlayfs - + - Uses LXC and overlayfs + - ----- +--- # `stacker build -f my.stacker.yaml` ![](overview.png) - ----- +--- # get a base image: from a registry @@ -193,9 +188,7 @@ For reproducibility and trust, you have to trust the registry and trust that tag I have an example using the hash in backup if anyone only sort of trusts their registry. --> - - ----- +--- # Importing things @@ -227,7 +220,7 @@ myimage: dest: /etc/conf ``` ----- +--- # Making changes: the `run` section @@ -236,6 +229,7 @@ A script that runs in the container you have set up. ```bash bat -n --decorations always 2.stacker.yaml ``` + 2.stacker.yaml changes made to most files (except those under `/stacker`) are persisted in the final container image. 
@@ -245,12 +239,11 @@ but *will not* remove them from the image, base images are immutable. Bash by default, but you could make it something else with a starting `#!`. - ----- +--- Alternate syntax: @@ -266,7 +259,7 @@ myimage: you can also use a list of strings like this but it is not as clear and can get confused with Makefile recipe syntax --> ----- +--- # Imports with no dest and no hash @@ -292,7 +285,7 @@ but you can be better than we were! Is there sometimes a reason to do this? yes... sometimes you want just part of it --> -. . . +. . . The less we leave around the better @@ -300,7 +293,7 @@ The less we leave around the better - run utility scripts that dont belong in final image from `/stacker/` -- size matters, but also security scan noise, and sometimes even real issues +- size matters, but also security scan noise, and sometimes even real issues (think libraries for other platforms, test credentials, etc) security scanners will raise bugs for windows libraries if we have them around in our images --> ----- +--- # Debugging failures: what a failure looks like @@ -321,7 +314,6 @@ bat -n --decorations always 3.stacker.yaml . . . - ``` stacker --oci-dir 3 build -f 3.stacker.yaml preparing image test... @@ -339,11 +331,10 @@ error: run commands failed: execute failed: exit status 2 error: exit status 1 ``` ----- +--- # Debugging failures: how to learn more - >1. you can debug it like a regular shell script, `echo` etc. >2. get in there and look around with `--shell-fail` @@ -371,9 +362,7 @@ error: run commands failed: execute failed: exit status 2 error: exit status 1 ``` - - ----- +--- # A build container: minimize final image @@ -385,7 +374,7 @@ error: exit status 1 bat -n --decorations always 4.stacker.yaml ``` ----- +--- # really minimal: from scratch 
@@ -395,16 +384,16 @@ bat -n --decorations always 1.stacker.yaml ----- +--- # Importing vs. building - Be aware of the tradeoffs - - speed vs. trust - - build time complexity vs debug time complexity + - speed vs. trust + - build time complexity vs debug time complexity - Stackerfile can describe everything, including full build environment - - this is great for tracking down issues + - this is great for tracking down issues - Importing too many things built elsewhere makes your image just another layer to dig through @@ -414,7 +403,7 @@ bat -n --decorations always 1.stacker.yaml build can be slow, building separately --> ----- +--- # Substitutions @@ -435,19 +424,19 @@ myimage: now if you want to know exactly what a stackerfile builds, you are looking in at least two places --> ----- +--- # Where to get stacker -## current release version: +## current release version -https://stackerbuild.io + ## latest release candidate -https://github.com/project-stacker/stacker/releases + ----- +--- # How to make sure it'll work @@ -455,20 +444,19 @@ https://github.com/project-stacker/stacker/releases `stacker check` to the rescue - ```sh $ stacker check os/kernel: Linux 6.2.0-26-generic #26~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Jul 13 16:27:29 UTC 2 error: /local/rchincha/tmp/s/roots: roots dir (--roots-dir) path uses symbolic links, use "/data/hdd/rchincha/tmp/s/roots" instead error: exit status 1 -``` +``` ----- +--- # Other features to use as you get more ambitious @@ -476,21 +464,21 @@ kernel vers etc - stacker grab - dependencies between stacker files ----- +--- -# Thanks! +# Thanks ## how to get in touch / get help Stacker101 webex channel -https://github.com/project-stacker/stacker + ----- +--- # backup slides ----- +--- # building different layer types @@ -500,8 +488,7 @@ use `atomfs` to mount runtime support in the future - ----- +--- # get a base image: from a local OCI layout 
@@ -511,17 +498,14 @@ from: url: oci:/local/path/to/oci/imagename:v1.0 ``` - ----- +--- # backup: get a base image with hash - paranoid? use the manifest hash of the layer: ```bash bat -n --decorations always 2.stacker.yaml ``` - diff --git a/doc/talks/stacker101/standards-bodies.md b/doc/talks/stacker101/standards-bodies.md new file mode 100644 index 00000000..55f8d67f --- /dev/null +++ b/doc/talks/stacker101/standards-bodies.md 
@@ -0,0 +1,76 @@ +--- +marp: true +theme: gaia +--- + +# Open Standards For Datacenter Software + +Ramkumar Chinchani +rchincha@cisco.com + +--- + +# Why Open Standards? + +* Avoid vendor lock-in +* Large ecosystem +* Pace of innovation + +--- + +![width:100%](standards-bodies.png) + +--- + +# Regulatory Requirements + +* [Executive Order on Improving the Nation’s Cybersecurity](https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/) + * software bill of materials (SBOM) - SPDX + +* [FedRamp](https://www.fedramp.gov) + * [FEDRAMP VULNERABILITY SCANNING REQUIREMENTS FOR CONTAINERS](https://www.fedramp.gov/assets/resources/documents/Vulnerability_Scanning_Requirements_for_Containers.pdf) + +* [NIST](https://www.nist.gov/) + * [NIST Special Publication 800-190/Application Container Security Guide](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf) + +--- + +# `CNCF` Ecosystem +https://cncf.landscape2.io/ + +![width:800px](cncf-landscape2.png) + +--- + +# `OCI` "Standards" + +* _image spec_ + * https://github.com/opencontainers/image-spec +* _runtime spec_ + * https://github.com/opencontainers/runtime-spec +* _distribution spec_ + * https://github.com/opencontainers/distribution-spec + +--- + +# `OCI` Ecosystem + +| Purpose | RedHat | Microsoft | Google | Docker| Cisco | +| --- | --- | --- | --- | --- | --- | +| Build | `buildah` | | `bazel/rules_oci` | `buildx` | `stacker` | +| Push/pull | `skopeo` | `oras` | `crane` | _`docker`_ cli | | +| Run | `podman` | | | `docker` | | +| Sign | `cosign` | `notation` | `cosign` | `notaryv1` | | +| Registry | _`quay`_ | `acr` | _`gar`_ | _`distribution`_ | `zot` | + +--- + +# `CNCF` Meets `OCI` + +![](cri-ecosystem.png) + +--- + +# Putting Everything Together + +![](flow.png) \ No newline at end of file
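Review bot: In the front-matter hunk of stacker101.md, replacing `author: Michael McCracken` with `author: Stacker Maintainers` drops the original speaker's credit from the talk; if the intent is shared ownership, consider keeping the name (e.g. `author: Michael McCracken and the Stacker Maintainers`) or recording the reason for the reattribution in the commit message.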
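Review bot: The `@@ -134,11 +131,11 @@` hunk in stacker101.md adds a stray list item, `+ -` with no text, right after `- Uses LXC and overlayfs` and before the `---` separator; it will render as an empty bullet, so drop that line (keep only `- Uses LXC and overlayfs`).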
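Review bot: The `@@ -236,6 +229,7 @@` hunk inserts a bare `+ 2.stacker.yaml` line immediately after the closing fence of the `bat -n --decorations always 2.stacker.yaml` block; as plain text it reads as a stray filename rather than a caption, so either wrap it as `` `2.stacker.yaml` `` with a short label or remove it, since the `bat` command above already names the file.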
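Review bot: In the `@@ -435,19 +424,19 @@` hunk ("Where to get stacker"), the lines replacing `-https://stackerbuild.io` and `-https://github.com/project-stacker/stacker/releases` are shown as `+` with no content, so as rendered the slide keeps the headings "current release version" and "latest release candidate" but loses both links; if the URLs were meant to be wrapped in angle-bracket autolinks, confirm they survived, otherwise restore them.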
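Review bot: The `@@ -455,20 +444,19 @@` hunk leaves the `stacker check` sample output carrying a personal path, `error: /local/rchincha/tmp/s/roots: roots dir (--roots-dir) path uses symbolic links, use "/data/hdd/rchincha/tmp/s/roots" instead`; since the fence line is being touched anyway, consider substituting a neutral path (e.g. `/path/to/roots`) so the slide does not embed a maintainer's home-directory layout.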
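Review bot: The `@@ -476,21 +464,21 @@` hunk ("Thanks") replaces `-https://github.com/project-stacker/stacker` under "how to get in touch / get help" with a `+` line that has no visible content, leaving only "Stacker101 webex channel" as a contact point; confirm the repository link is still present after the change.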
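Review bot: The new standards-bodies.md references four images, `standards-bodies.png`, `cncf-landscape2.png`, `cri-ecosystem.png` and `flow.png`, none of which are added in this diff, while the one binary this diff does add, `doc/talks/stacker101/flow3.png`, is referenced by neither file; check whether the last slide should read `![](flow3.png)` and whether the other three images already exist in `doc/talks/stacker101/`. Two smaller points in the same hunk: the "OCI Ecosystem" table lists `cosign` under both the RedHat and Google columns (it is a sigstore project, so a footnote or a separate column would be clearer than attributing it to two vendors), and the file ends without a trailing newline (`\ No newline at end of file`).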