A key part of the idea of this project is that every tool and technique one knows for building application container images should apply to building bootable host systems.
Most configuration for a Linux system boils down to writing a file (
or executing a command (
A common pattern is to add “application” containers that have references embedded in the bootable host container.
For example, one can use the podman systemd configuration files, embedded via a container build instruction:
COPY foo.container /usr/share/containers/systemd
In this model, the application containers will be fetched and run on firstboot. A key choice is whether to refer to images by digest, or by tag. Referring to images by digest ensures repeatable deployments, but requires shipping host OS updates to update the workload containers. Referring to images by tag allows you to use other tooling to dynamically update the workload containers.
A common use case is to produce “generic” or “unconfigured” images that
don’t have any hardcoded passwords or SSH keys and allow the end user to
inject them. Per the install doc this is how the primary base
image produced by this project works. Adding
cloud-init into your image
works across many (but not all) environments.
Another pattern is to add users only when generating a disk image (not in the container image); this is used by bootc-image-builder.
However, some use cases really want an opinionated default authentication story.
This is a highly complex topic. The short version is that instead of invoking
RUN useradd someuser in a container build (or indirectly via an RPM
%post script), you should usesysusers.d.
(Even better, if this is for code executed as part of a systemd unit, investigate
sysusers.d only works for “system” users, not human login users.
There is also systemd JSON user records
which can be put into a container image; however at the time of this
writing while a
sshAuthorizedKeys field exists, it is not synchronized
directly in a way that the SSH daemon can consume.
It is likely that at some point in the future the operating system upgrade logic
(bootc/ostree) will learn to just automatically reconcile changes to
At the current time, a workaround is to include a systemd unit which automatically reconciles things at boot time, via e.g.
ExecStart=/bin/sh -c 'getent someuser || useradd someuser'
For SSH keys, one approach is to hardcode the SSH authorized keys under
so it’s part of the clearly immutable state:
RUN echo 'AuthorizedKeysFile /usr/etc-system/%u.keys' >> /etc/ssh/sshd_config.d/30-auth-system.conf && \
echo 'ssh-ed25519 AAAAC3Nza... email@example.com' > /usr/etc-system/root.keys && chmod 0600 /usr/etc-system/root.keys
Finally of course at scale, often one will want to have systems configured to use the network as source of truth for authentication, using e.g. FreeIPA. That avoids the need to hardcode any users or keys in the image, just the setup necessary to contact the IPA server.
In a default installation, the
/home directories are persistent,
and are symbolic links to
/var/home respectively. This
persistence is typically highly desirable for machines that are somewhat “pet”
like, from desktops to some types of servers, and often undesirable for
scale-out servers and edge devices.
It’s recommended for most use cases that don’t want a persistent home directory to inject a systemd unit like this for both these directories, that uses tmpfs:
Description=Create a temporary filesystem for /var/home
If your systems management tooling discovers SSH keys dynamically on boot (cloud-init, afterburn, etc.) this helps ensure that there’s fewer conflicts around “source of truth” for keys.
While you may find
RUN ostree container commit as part of some
container builds, specifically this project aims to use
root.transient which obviates most of the incompatibility
detection done in that command.
In other words it’s not needed and as of recently does very little. We are likely to introduce a new static-analyzer type process with a different name and functionality in the future.
The following git repositories have some useful examples: