# packaging rkt

This document aims to provide information about packaging rkt in Linux distributions. It covers dependencies, file ownership and permissions, and tips to observe packaging policies.

## Build-time dependencies

Please see [the list of build-time dependencies][build-deps].

### Offline builds

By default, the rkt build will download a CoreOS Container Linux PXE image from the internet and extract some binaries, such as `systemd-nspawn` and `bash`. However, some packaging environments don't allow internet access during the build. To work around this, download the Container Linux PXE image before starting the build process, and use the `--with-coreos-local-pxe-image-path` and `--with-coreos-local-pxe-image-systemd-version` parameters. For more details, see the [configure script parameters documentation][build-config].

### Bundling with systemd

Most Linux distributions don't allow the use of prebuilt binaries, or reuse of code that is already otherwise packaged. systemd falls in this category, as Debian and Fedora already package systemd, and rkt needs systemd.

- [Debian Policy Manual, section 4.13 Convenience copies of code][debian-policy-4.13]
- [Fedora Packaging Guidelines][fedora-packaging-guidelines]
- [Fedora Packaging Committee][fedora-packaging-committee]

The configure script's `--with-stage1-flavors` option can be set to `host` to avoid rkt's dependency on systemd in these environments:

```
./configure --with-stage1-flavors=host
```

The `stage1-host.aci` archive generated by this build will not contain bash, systemd, or any other binaries from external sources. The binaries embedded in the stage1 archive are all built from the sources in the rkt git repository. The external binaries needed by this `stage1-host.aci` are copied from the host *at run time*.
Packages using the `--with-stage1-flavors=host` option must therefore add a run-time dependency on systemd and bash. Whenever systemd and bash are upgraded on the host, rkt will use the new version at run time. It becomes the packager's responsibility to test the rkt package whenever a new version of systemd is packaged.

For more details, see the [configure script parameters documentation][build-config].

### Glide

rkt uses [Glide][glide] to maintain [a copy of dependencies in its source repository][rkt-vendor].

## Run-time dependencies

Please see [the list of run-time dependencies][run-deps].

## Packaging Externals

### Ownership and permissions of rkt directories

In general, subdirectories of `/var/lib/rkt` and `/etc/rkt` should be created with the same ownership and permissions as described in the [directory list][rkt-dirs].

Any rkt package should create two system groups, `rkt` and `rkt-admin`. The directory `/var/lib/rkt` should belong to group `rkt` with the `setgid` bit set (`chmod g+s`). The directory `/etc/rkt` should belong to group `rkt-admin` with the `setgid` bit set (`chmod g+s`).

When the ownership and permissions of `/var/lib/rkt` are set up correctly, members of group `rkt` should be able to fetch ACIs. Members of group `rkt-admin` should be able to trust GPG keys, and add additional configurations in `/etc/rkt`. Root privilege is still required to run pods.

The motivation for separate `rkt` and `rkt-admin` groups is that the person who makes administrative changes would likely be different from the unprivileged user who is able to fetch.

### systemd units

A few [example systemd unit files for rkt helper services][rkt-units] are included in the rkt sources.
These units demonstrate systemd-managed units to run the rkt [metadata-service][rkt-metadata-svc] with socket-activation, the rkt [api-service][api-service], and a periodic [garbage collection][rkt-gc] service invoked at 12-hour intervals to purge dead pods.

[build-config]: build-configure.md
[build-deps]: dependencies.md#build-time-dependencies
[debian-policy-4.13]: https://www.debian.org/doc/debian-policy/ch-source.html#s-embeddedfiles
[fedora-packaging-committee]: https://www.mail-archive.com/devel@lists.fedoraproject.org/msg88276.html
[fedora-packaging-guidelines]: https://fedoraproject.org/wiki/Packaging:Guidelines#No_inclusion_of_pre-built_binaries_or_libraries
[glide]: https://glide.sh
[rkt-gc]: subcommands/gc.md
[rkt-metadata-svc]: subcommands/metadata-service.md
[api-service]: subcommands/api-service.md
[rkt-units]: https://github.com/rkt/rkt/tree/master/dist/init/systemd
[rkt-vendor]: https://github.com/rkt/rkt/tree/master/vendor
[run-deps]: dependencies.md#run-time-dependencies
[rkt-dirs]: https://github.com/rkt/rkt/blob/master/dist/init/systemd/tmpfiles.d/rkt.conf
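
As an added example (not part of the rkt documentation or sources), the shell functions below apply the group and `setgid` layout from "Ownership and permissions of rkt directories" and then verify it, which a package post-install step or a packaging test can reuse. The function names `setup_rkt_dirs` and `check_rkt_dir` and the `--setup`/`--check` arguments are assumptions of this example, as is the availability of `groupadd --system`, `getent` and `stat -c`.

```shell
#!/bin/sh
# Added example: group and setgid layout for the rkt directories, as described
# in "Ownership and permissions of rkt directories". Function names and the
# --setup/--check arguments are illustrative, not part of rkt.

# Create the two system groups, then apply group ownership plus setgid.
# Needs root. Assumes groupadd (shadow-utils) and getent are available.
setup_rkt_dirs() {
    for g in rkt rkt-admin; do
        getent group "$g" >/dev/null || groupadd --system "$g" || return 1
    done
    mkdir -p /var/lib/rkt /etc/rkt || return 1
    chgrp rkt /var/lib/rkt && chmod g+s /var/lib/rkt || return 1
    chgrp rkt-admin /etc/rkt && chmod g+s /etc/rkt || return 1
}

# check_rkt_dir DIR GROUP
# Succeeds only if DIR is a directory, belongs to GROUP (group name or
# numeric gid) and has the setgid bit set. Uses GNU/busybox `stat -c`.
check_rkt_dir() {
    dir=$1
    want=$2
    if [ ! -d "$dir" ]; then
        echo "$dir: missing or not a directory" >&2
        return 1
    fi
    gname=$(stat -c %G "$dir")
    gid=$(stat -c %g "$dir")
    if [ "$gname" != "$want" ] && [ "$gid" != "$want" ]; then
        echo "$dir: group is $gname ($gid), expected $want" >&2
        return 1
    fi
    if [ ! -g "$dir" ]; then
        echo "$dir: setgid bit is not set" >&2
        return 1
    fi
    return 0
}

# Nothing runs unless an argument is given.
case "${1:-}" in
    --setup) setup_rkt_dirs ;;
    --check)
        rc=0
        check_rkt_dir /var/lib/rkt rkt || rc=1
        check_rkt_dir /etc/rkt rkt-admin || rc=1
        exit "$rc" ;;
esac
```

Run with `--check` after installation to confirm both directories still carry the expected group and `setgid` bit; a non-zero exit status names the directory that drifted on stderr.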