# ACI hosting

rkt uses [App Container Images (ACIs)][ACI] as the native packaging format for [application containers][application-container].
To distribute those images, the appc spec defines an [Image Discovery mechanism][discovery] that relies on the DNS to implement a federated namespace that facilitates distributed retrieval.

Hosting ACI images is as simple as including some templated HTML `meta` tags that point to the image artifacts in a web page living under the DNS name that corresponds to the image to host.

This means that, to host ACI images, you only need a web server serving an HTML page with the right `meta` tags and somewhere to host the artifacts.

## Example

For the `coreos.com/etcd` image, you can find in the source the following `meta` tags:

```
<meta name="ac-discovery" content="coreos.com/etcd https://github.com/coreos/etcd/releases/download/{version}/etcd-{version}-{os}-{arch}.{ext}">
<meta name="ac-discovery-pubkeys" content="coreos.com/etcd https://coreos.com/dist/pubkeys/aci-pubkeys.gpg">
<meta name="ac-discovery-pubkeys" content="coreos.com/etcd https://coreos.com/dist/pubkeys/app-signing-pubkey.gpg">
```

When a user tries to fetch this image with the command:

```
$ rkt fetch coreos.com/etcd:v2.0.10
```

rkt performs these steps:

* Go to `coreos.com/etcd` and look for `ac-discovery-pubkeys` tags where the `content` prefix matches `coreos.com/etcd`, fetch the public keys, and prompt the user to trust them if they're not trusted already.
* Look for an `ac-discovery` tag with matching `content`.
  The first line of our example tags matches, so to fetch the artifacts rkt will perform a simple template substitution:
    * It will substitute `{version}` with `v2.0.10`.
    * It will substitute `{os}` with the current OS (for example, `linux`).
    * It will substitute `{arch}` with the current architecture (for example, `amd64`).
    * It will substitute `{ext}` with `aci` for the actual image and `aci.asc` for the image signature.
* Fetch the image and signature from the resulting URL and verify that the image has a valid and trusted signature.

## ACI server example

Let's use Python's built-in HTTP server to host an example ACI.

We create a minimal `index.html` file with an `ac-discovery` tag:

```html
<html>
  <head>
    <meta name="ac-discovery" content="localhost/postgres http://localhost/postgres-{version}-{os}-{arch}.{ext}">
  </head>
</html>
```

Put the ACI file in the same directory and start the server on port 80:

```bash
$ cd /tmp/acis
$ ls
index.html postgres-latest-linux-amd64.aci
$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
```

Now we can fetch the image.
To make things simple, we'll disable image verification and use HTTP instead of HTTPS:

```bash
$ sudo rkt --insecure-options=http,image fetch localhost/postgres
Downloading ACI: [=============================================] 7.46 MB/7.46 MB
Downloading ACI: [=============================================] 2.65 MB/2.65 MB
sha512-f5d991eed255cd081b4ea6e1b378eab4
```

[ACI]: https://github.com/appc/spec/blob/v0.8.1/spec/aci.md
[application-container]: https://github.com/appc/spec#what-is-an-application-container
[discovery]: https://github.com/appc/spec/blob/v0.8.1/spec/discovery.md
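The discovery steps from the Example section, written out as an added Python example (not rkt's own code) that a hoster can run against a page before publishing it. The names `SAMPLE_PAGE`, `DiscoveryTags` and `resolve` are hypothetical, prefix matching is assumed to be a plain string-prefix test, and the warnings cover the two conditions that `--insecure-options=http,image` works around in the server example: plain-HTTP URLs and no public keys to verify against.

```python
from html.parser import HTMLParser

# Constructed sample page, modelled on the coreos.com/etcd tags quoted above.
SAMPLE_PAGE = """<html><head>
<meta name="ac-discovery" content="coreos.com/etcd https://github.com/coreos/etcd/releases/download/{version}/etcd-{version}-{os}-{arch}.{ext}">
<meta name="ac-discovery-pubkeys" content="coreos.com/etcd https://coreos.com/dist/pubkeys/aci-pubkeys.gpg">
</head></html>"""


class DiscoveryTags(HTMLParser):
    """Collects (prefix, url) pairs from ac-discovery* meta tags."""
    def __init__(self):
        super().__init__()
        self.found = {"ac-discovery": [], "ac-discovery-pubkeys": []}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        parts = (a.get("content") or "").split()
        if tag == "meta" and a.get("name") in self.found and len(parts) == 2:
            self.found[a["name"]].append(tuple(parts))


def resolve(page, name, version, os_name, arch):
    """Return artifact URLs, key URLs and hosting warnings for an image name."""
    parser = DiscoveryTags()
    parser.feed(page)
    # Assumption: a tag applies when the image name starts with its prefix.
    templates = [u for p, u in parser.found["ac-discovery"] if name.startswith(p)]
    keys = [u for p, u in parser.found["ac-discovery-pubkeys"] if name.startswith(p)]
    if not templates:
        raise LookupError("no ac-discovery tag matches " + name)
    fields = {"{version}": version, "{os}": os_name, "{arch}": arch}
    urls = {}
    for ext in ("aci", "aci.asc"):  # image, then its detached signature
        url = templates[0]          # first matching tag, as in the walkthrough
        for key, value in {**fields, "{ext}": ext}.items():
            url = url.replace(key, value)
        urls[ext] = url
    warnings = []
    if not keys:
        warnings.append("no ac-discovery-pubkeys tag: signatures cannot be verified")
    for url in list(urls.values()) + keys:
        if not url.startswith("https://"):
            warnings.append("not HTTPS: " + url)
    return urls, keys, warnings


if __name__ == "__main__":
    print(resolve(SAMPLE_PAGE, "coreos.com/etcd", "v2.0.10", "linux", "amd64"))
```

Fed the `localhost/postgres` page from the server example, `resolve` returns three warnings: one for the missing pubkeys tag and one for each plain-HTTP artifact URL.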