The document outlines the set of instructions that are required to install Sysbox on Kinvolk's Flatcar Linux distribution.
Due to the enterprise-oriented nature of Flatcar's typical deployments, as well as the extra maintenance cost that it entails from Sysbox maintainers, Flatcar support is currently only offered as part of the Sysbox Enterprise Edition (EE).
Flatcar is a container-optimized Linux distro, meaning that the OS is designed to run workloads inside containers efficiently and securely.
Running Sysbox on Flatcar further increases container security and flexibility, as Sysbox enables containers deployed by Docker or Kubernetes to run with stronger isolation (Linux user-namespace, procfs and sysfs virtualization, initial mount locking, etc.). In addition, Sysbox enables containers to run most workloads that run in virtual machines (including systemd, Docker, and even Kubernetes), thus enabling new powerful use cases for containers beyond microservice deployment.
- 2905.2.3
- 2905.2.6
The method of installation depends on whether Sysbox is installed on a Kubernetes node or a Docker host.
Sysbox Enterprise (EE) can be easily installed on Kubernetes nodes running Flatcar. The installation method in this case fully matches the one of other distributions supported by Sysbox. Please refer to this document for more details.
To install Sysbox on a host machine (physical or VM) running Flatcar, simply use this Container Linux configuration file. This config installs the Sysbox components on the Flatcar host.
NOTE: Add to the config file any other configurations you need for the machine (e.g., users, ssh keys, etc.)
For example, the steps below deploy Sysbox on a Google Compute Engine (GCE) virtual machine:
- Add the ssh authorized key to the flatcar-config.yaml:
passwd:
users:
- name: core
ssh_authorized_keys:
- "ssh-rsa AAAAB3NzaC1yc..."
- Convert the config to the Ignition format. This is done using the
ct
tool, as described in this Kinvolk doc:
$ ct --platform=gce < flatcar-config.yaml > config.ign
- Provision the GCE VM and pass the
config.ign
generated in the prior step as "user-data".
$ gcloud compute instances create flatcar-vm --image-project kinvolk-public --image-family flatcar-stable --zone us-central1-a --machine-type n2-standard-4 --metadata-from-file user-data=config.ign
Created [https://www.googleapis.com/compute/v1/projects/predictive-fx-309900/zones/us-central1-a/instances/flatcar-vm].
NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS
flatcar-vm us-central1-a n2-standard-4 10.128.15.196 34.132.170.36 RUNNING
When the VM boots, Sysbox will already be installed and running. You can verify this as follows:
core@flatcar-vm ~ $ systemctl status sysbox
● sysbox.service - Sysbox container runtime
Loaded: loaded (/etc/systemd/system/sysbox.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2021-07-05 19:35:41 UTC; 3h 10min ago
Docs: https://github.com/nestybox/sysbox
Main PID: 1064 (sh)
Tasks: 2 (limit: 19154)
Memory: 704.0K
CGroup: /system.slice/sysbox.service
├─1064 /bin/sh -c /opt/bin/sysbox/sysbox-runc --version && /opt/bin/sysbox/sysbox-mgr --version && /opt/bin/sysbox/sysbox-fs --version && /bin/sleep infinity
└─1084 /bin/sleep infinity
You can now deploy containers with Docker + Sysbox as follows:
core@flatcar-vm ~ $ docker run --runtime=sysbox-runc -it --rm <some-image>
This will create a container that is strongly secured and is capable of running microservices as well as full OS environments (similar to a VM, but with the efficiency and speed of containers).
For example, to deploy a "VM-like" container that runs Ubuntu Focal + systemd + Docker inside:
core@flatcar-vm ~ $ docker run --runtime=sysbox-runc -it --rm nestybox/ubuntu-focal-systemd-docker
Please refer the Sysbox Quickstart Guide and Nestybox blog site for may more usage examples.
NOTE: If you exclude the --runtime=sysbox-runc
flag, Docker will launch
containers with it's default runtime (aka runc). You can have regular Docker
containers live side-by-side and communicate with Docker + Sysbox containers
without problem.
The flatcar-config.yaml performs the following configurations on a Flatcar host:
-
Places the Sysbox-EE binaries in a directory called
/opt/bin/sysbox
. The binaries include:- sysbox-mgr, sysbox-runc, sysbox-fs, the
shiftfs
module, andfusermount
.
- sysbox-mgr, sysbox-runc, sysbox-fs, the
-
Loads the
shiftfs
module into the kernel.- This module is present in Ubuntu kernels, but typically not present on other distros. It brings multiple functional benefits as described here.
-
Configures some kernel sysctl parameters (the
flatcar-config.yaml
has the details). -
Installs and starts the Sysbox-EE systemd units.
-
Configures Docker to learn about Sysbox-EE and restarts Docker.
The result is that the host is fully configured to run Docker containers with Sysbox.