A few days back CoreOS released rkt v1.14.0. You can read the details of the release in their official blog post. I decided to give it a try on a Fedora 24 box, following the official documentation. The first step was to download the rkt and acbuild tools.
To download and install the acbuild tool, I did the following. (By the way, as it was a cloud instance, I just moved the binaries to my sbin path.)
$ wget https://github.com/containers/build/releases/download/v0.4.0/acbuild-v0.4.0.tar.gz
$ tar xzvf acbuild-v0.4.0.tar.gz
$ sudo mv acbuild-v0.4.0/* /usr/sbin/
Now for rkt, do the following.
$ wget https://github.com/coreos/rkt/releases/download/v1.14.0/rkt-v1.14.0.tar.gz
$ tar xzvf rkt-v1.14.0.tar.gz
$ cd rkt-v1.14.0
$ ./rkt help
$ sudo cp -r init/systemd/* /usr/lib/systemd/
Now I had to modify a path inside the ./scripts/setup-data-dir.sh file. At line 58 I wrote the following.
systemd-tmpfiles --create /usr/lib/systemd/tmpfiles.d/rkt.conf
The next step is to execute the script. This will create the required directories and fix the permission issues. Before that, I will also create a group and add my current user to it. Remember to log out and log in again for the group membership to take effect.
$ sudo groupadd rkt
$ export WHOAMI=$(whoami); sudo gpasswd -a $WHOAMI rkt
$ sudo ./scripts/setup-data-dir.sh
The rkt documentation suggests disabling SELinux while trying it out. Instead, I ran it with SELinux in Enforcing mode and then created a local policy based on the errors. I have also opened a bug for the rawhide package.
# ausearch -c 'systemd' --raw | audit2allow -M localrktrawhide
# semodule -i localrktrawhide.pp
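`audit2allow -M` writes a human-readable `localrktrawhide.te` next to the `.pp`, and because `ausearch -c 'systemd'` collects every denial logged for systemd, it is worth reading what the module grants before running `semodule -i`. The script below is an added example, not part of the original post: the permission watchlist is an illustrative assumption and the sample `.te` content is constructed, not the policy generated on the author's machine.

```shell
#!/bin/sh
# Added example: review an audit2allow-generated .te file before `semodule -i`.

# Watchlist of permissions to look at twice (illustrative assumption, not exhaustive).
RISKY_PERMS="execmem execmod sys_admin sys_module sys_ptrace dac_override"

# list_rules FILE: print one "source target class permission" line per granted permission.
list_rules() {
    awk '/^allow[ \t]/ {
        line = $0
        gsub(/[{};]/, " ", line)        # drop braces and the trailing semicolon
        n = split(line, f)              # f[2]=source, f[3]=target:class, f[4..n]=permissions
        split(f[3], tc, ":")
        for (i = 4; i <= n; i++) print f[2], tc[1], tc[2], f[i]
    }' "$1"
}

# flag_rules FILE: print only the rules whose permission is on the watchlist.
flag_rules() {
    list_rules "$1" | while read -r src tgt class perm; do
        for risky in $RISKY_PERMS; do
            if [ "$perm" = "$risky" ]; then
                echo "REVIEW: $src -> $tgt:$class $perm"
            fi
        done
    done
}

# write_sample_te FILE: constructed sample, NOT the policy generated in the post.
write_sample_te() {
    cat > "$1" <<'EOF'
module localrktrawhide 1.0;

require {
    type init_t;
    type var_lib_t;
    class dir { search write };
    class capability sys_admin;
    class process execmem;
}

allow init_t var_lib_t:dir { search write };
allow init_t self:capability sys_admin;
allow init_t self:process execmem;
EOF
}

sample=$(mktemp)
write_sample_te "$sample"
list_rules "$sample"
flag_rules "$sample"
rm -f "$sample"
```

On a real system, run `flag_rules localrktrawhide.te` between the `audit2allow` and `semodule` steps and trim any rule that is not related to rkt.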
After all this we are finally in a state to start using rkt in the system.
The "Try out" document says to trust the signing key of etcd. I am going to do that, and then test it by fetching the image.
$ sudo ./rkt trust --prefix coreos.com/etcd
$ ./rkt fetch coreos.com/etcd:v2.3.7
image: searching for app image coreos.com/etcd
image: remote fetching from URL "https://github.com/coreos/etcd/releases/download/v2.3.7/etcd-v2.3.7-linux-amd64.aci"
image: keys already exist for prefix "coreos.com/etcd", not fetching again
image: downloading signature from https://github.com/coreos/etcd/releases/download/v2.3.7/etcd-v2.3.7-linux-amd64.aci.asc
Downloading signature: [=======================================] 490 B/490 B
Downloading ACI: [=============================================] 8.52 MB/8.52 MB
image: signature verified:
  CoreOS Application Signing Key <email@example.com>
sha512-7d28419b27d5ae56cca97f4c6ccdd309
You can view the images with the image list subcommand.
$ ./rkt image list
ID                   NAME                                 SIZE    IMPORT TIME     LAST USED
sha512-5f362df82594  coreos.com/rkt/stage1-coreos:1.14.0  162MiB  1 day ago       1 day ago
sha512-86450bda7ae9  example.com/hello:0.0.1              7.2MiB  15 hours ago    15 hours ago
sha512-7d28419b27d5  coreos.com/etcd:v2.3.7               31MiB   48 seconds ago  48 seconds ago
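From here, you can just follow the getting started guide. I used the debug flag to see what is going on. The --insecure-options=image flag turns off image signature verification, which is needed here because the locally built hello ACI is unsigned.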
$ sudo ./rkt --insecure-options=image --debug run ../hello/hello-0.0.1-linux-amd64.aci
image: using image from local store for image name coreos.com/rkt/stage1-coreos:1.14.0
image: using image from file ../hello/hello-0.0.1-linux-amd64.aci
stage0: Preparing stage1
stage0: Writing image manifest
stage0: Loading image sha512-86450bda7ae972c9507007bd7dc19a386011a8d865698547f31caba4898d1ebe
stage0: Writing image manifest
stage0: Writing pod manifest
stage0: Setting up stage1
stage0: Wrote filesystem to /var/lib/rkt/pods/run/d738b5e3-3fe9-4beb-ae5c-3e8f4153ee57
stage0: Pivoting to filesystem /var/lib/rkt/pods/run/d738b5e3-3fe9-4beb-ae5c-3e8f4153ee57
stage0: Execing /init
networking: loading networks from /etc/rkt/net.d
networking: loading network default with type ptp
Spawning container rkt-d738b5e3-3fe9-4beb-ae5c-3e8f4153ee57 on /var/lib/rkt/pods/run/d738b5e3-3fe9-4beb-ae5c-3e8f4153ee57/stage1/rootfs.
Press ^] three times within 1s to kill container.
systemd 231 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT -GNUTLS -ACL +XZ -LZ4 +SECCOM$ +BLKID -ELFUTILS +KMOD -IDN)
Detected virtualization rkt.
Detected architecture x86-64.
Welcome to Linux!
Set hostname to <rkt-d738b5e3-3fe9-4beb-ae5c-3e8f4153ee57>.
[ OK ] Listening on Journal Socket.
[ OK ] Created slice system.slice.
Starting Create /etc/passwd and /etc/group...
[ OK ] Created slice system-prepare\x2dapp.slice.
[ OK ] Started Pod shutdown.
[ OK ] Started hello Reaper.
[ OK ] Listening on Journal Socket (/dev/log).
Starting Journal Service...
[ OK ] Started Create /etc/passwd and /etc/group.
[ OK ] Started Journal Service.
Starting Prepare minimum environment for chrooted applications...
[ OK ] Started Prepare minimum environment for chrooted applications.
[ OK ] Started Application=hello Image=example.com/hello.
[ OK ] Reached target rkt apps target.
[111534.724440] hello: 2016/09/10 14:48:59 request from 172.16.28.1:35438
While the above container was running, I tested it out from another terminal, and then stopped it.
$ ./rkt list
UUID      APP    IMAGE NAME               STATE    CREATED        STARTED        NETWORKS
865b862e  hello  example.com/hello:0.0.1  running  8 seconds ago  8 seconds ago  default:ip4=172.16.28.2
$ curl 172.16.28.2:5000
hello
$ sudo ./rkt stop 865b862e
"865b862e-21f5-43e0-a280-3b4520dad97c"
I hope this post will help you to try out rkt on a Fedora system. Feel free to comment if you have questions, or ask over Twitter.