Creating a OCI Container within Docker Container


This title sounds funny, but I couldn't find a better one. :)

As OCI 1.0 specification was released it no longer remains as just Docker Container, it is now Linux Container. There are tools being built around OCI specification like buildah, cri-o, skopeo and lot more to come.

I will be creating a ubuntu container using docker and will create alpine container within this ubuntu container using buildah and runc. The fun part is there is no docker or oci daemon running withing ubuntu container.

buildah is a tool under project atomic which facilitates building OCI container images. runc is a CLI tool for spawning and running containers according to the OCI specification.

$ docker run -it --privileged -v libcon:/var/lib/containers/storage -v runcon:/var/run/containers/storage ubuntu bash

This will create a privileged ubuntu container. We are bypassing the container layer for /var/lib/containers/storage and /var/run/containers/storage folders as we will not be able to create another container layer with this layer.

Prior to installing buildah, I need to install some packages, use the following commands in the Ubuntu container.

apt-get update  
apt-get -y install software-properties-common  
add-apt-repository -y ppa:alexlarsson/flatpak  
add-apt-repository -y ppa:gophers/archive  
apt-add-repository -y ppa:projectatomic/ppa  
apt-get update  
apt-get -y install bats btrfs-tools git libapparmor-dev libdevmapper-dev libglib2.0-dev libgpgme11-dev libostree-dev libseccomp-dev libselinux1-dev skopeo-containers go-md2man  
apt-get -y install golang-1.8  

Then to build buildah on Ubuntu follow the steps...

mkdir ~/buildah  
cd ~/buildah  
export GOPATH=`pwd`  
git clone ./src/  
cd ./src/  
PATH=/usr/lib/go-1.8/bin:$PATH make runc all TAGS="apparmor seccomp"  
make install  
buildah --help

buildah uses runc to run commands in a container so we need to make sure runc is accessible.

mkdir /etc/containers  
cp ~/buildah/src/ /etc/containers/  
cp ~/buildah/src/ /usr/local/bin/
So it's time for some fun. Create a new working container, from a specified image.
root@2faae578f9cf:~# buildah from alpine

Getting image source signatures  
Copying blob sha256:88286f41530e93dffd4b964e1db22ce4939fffa4a4c665dab8591fbab03d4926  
 1.90 MiB / 1.90 MiB [=========================================================]
Copying config sha256:7328f6f8b41890597575cbaadc884e7386ae0acc53b747401ebce5cf0d624560  
 0 B / 1.48 KiB [--------------------------------------------------------------]
Writing manifest to image destination  
Storing signatures  
 1.48 KiB / 1.48 KiB [=========================================================]alpine-working-container
List the working containers and their base images.
root@2faae578f9cf:~# buildah containers

1f3daef44a3d     *     abf11ad2ca3c  alpine-working-container  
Run a command inside of the container.
root@2faae578f9cf:~# buildah run --tty alpine-working-container sh  
/ # ps aux
    1 root       0:00 sh
    7 root       0:00 ps aux
/ # cat /etc/alpine-release 
/ # 

It just has started and there's more to explore. Stay tuned. :)

Like it? Click here to Tweet your feedback

Swapnil Jain

RHCA Level X, RHCI ♦ Solution Architect ♦ DevOps Trainer & Consultant