Embedding container images in the root partition from a remote registry

You can download and embed containerized applications from a remote container image registry when you build an AutoSD operating system (OS) image. Doing so makes the containerized application available for use from within the AutoSD OS after the system boots.

When you use this method, OSBuild pulls a container from a remote container image registry at build time and embeds it in the AutoSD image.

Important

If you want to include containerized applications in an OS image, pulling containers from a secure remote registry is the only reliable, reproducible, and recommended method for production OS image builds. Although you can also containerize applications locally and embed them from local storage when building an OS image, doing so is not the method recommended for building the OS image and is meant only for development or experimental purposes.

Prerequisites

• You are running a Linux-based host on your local machine.
• You have installed the following software on your local machine:
  • Podman
  • Skopeo
  • ostree
  • PyYAML for Python 3
• You have network access to a remote container image registry.
• You can access a containerized application image on the remote registry. This image can be the auto-apps image you built according to Building a container image for your software and then added to the registry. You can also use any other containerized application images available in the registry.
• You have installed the automotive-image-builder tool. For more information, see Installing Automotive Image Builder.

Procedure

This procedure explains how to create an automotive image builder manifest and build an AutoSD operating system image in the qcow2 format that you can boot in a QEMU virtual machine.

The resulting AutoSD OS image will include a containerized CentOS 10 application image pulled from the quay.io remote container image registry and installed to /usr/share/containers/storage in the AutoSD OS.

Note that you can customize the script and the manifest to pull your own containerized application images from any image registry to which you have access.

1. Create a build manifest file named container_remote.aib.yml:

   $ touch container_remote.aib.yml
   

2. Open the container_remote.aib.yml file in a text editor, add the following YAML code, and save the file:

   Sample manifest for embedding remote container images

   # hosted in a remote container registry
   
   name: container_remote
   
   content:
     repos:
       - id: epel
         baseurl: https://dl.fedoraproject.org/pub/epel/9/Everything/$arch/
     rpms:
       - podman
       # For testing the image only:
       - openssh-server
       - openssh-clients
   
     container_images:
       - source: quay.io/centos/centos
         tag: stream10-development
         name: localhost/cs10
   
     # Required for testing the image only:
     systemd:
       enabled_services:
         # Enable ssh daemon
         - sshd.service
   
   auth:
     # "password"
     root_password: $6$xoLqEUz0cGGJRx01$H3H/bFm0myJPULNMtbSsOFd/2BnHqHkMD92Sfxd.EKM9hXTWSmELG8cf205l6dktomuTcgKGGtGDgtvHVXSWU.
     # Required for testing the image only:
     sshd_config:
       PasswordAuthentication: true
       PermitRootLogin: true
   

3. Export the value of your hardware architecture to a temporary variable:

   $ export arch=$(arch)
   

4. Run the automotive-image-builder tool to build an OS image that embeds the remote containerized application:

   $ sudo automotive-image-builder \
       --verbose \
       --include=/var/lib/containers/storage/ \
       build \
       --distro autosd \
       --target qemu \
       --mode image \
       --build-dir=_build \
       --export qcow2 \
       container_remote.aib.yml \
       container_remote.$arch.qcow2
   

   Note

   You can customize the automotive-image-builder command to set other options for distro name, mode, target, and export format.

5. Verify that the script has created an AutoSD image file named container_remote.<arch>.qcow2 in your present working directory.

After you have created the OS image, assuming that you have installed QEMU, you can boot the AutoSD image in a virtual machine by using the automotive-image-runner utility and verify that the containerized application is included in the built OS image:

1. Run the image in QEMU using automotive-image-runner:

   $ sudo automotive-image-runner container_remote.x86_64.qcow2
   

   If necessary, substitute the filename of your .qcow2 image file.

2. After the image has booted in QEMU, log in with the user name root and the password password.

3. Verify that your containerized application image is available:

   # podman image list
   

   Sample output:

   REPOSITORY           TAG         IMAGE ID      CREATED            SIZE
   localhost/cs10  latest      054a7b912609  About an hour ago  250 MB
   

When you build your OS image, OSBuild copies the application container image from the remote container image registry to your OS image. As defined in the build manifest file, the containerized application is available at localhost/cs10 and can be run by using Podman. However, you must first create container configuration files and configure OSBuild to copy these files to the /etc/containers/systemd directory in your OS image. For more information about these container configuration files, see Running containers from systemd.

Next steps

• If required, you can customize your image further. For more information, see Running containers from systemd, Configuring communication between containers in the root partition, Embedding RPM application packages in the QM partition, and Embedding containerized applications in the QM partition.

Additional resources

• Sample automotive image builder manifest