Setting up rkt
So you want to try rkt, but a package isn’t available for your distribution. Ideally, you could just run yum install rkt, but the packages are a ways off from being ready for CentOS and Fedora. Frustrating. So what do we do? Install it ourselves!
The installation process is actually pretty simple. Rkt is written in Go, and has no other dependencies than a relatively recent kernel. In fact, on CentOS, the setup can be reduced to a handful of steps:
Download rkt
The first thing we’ll need to do is download the most recent rkt release (1.1.0 at the time of this writing.) We’ll also want to copy the binary out as our first step:
curl -L https://github.com/coreos/rkt/releases/download/v1.1.0/rkt-v1.1.0.tar.gz | tar -xzv
cp rkt-v1.1.0/rkt /usr/bin/
You can test that this is working by running rkt version. We’ll need to do a few more things before we can create containers, though. Do note that most of these commands need to be run either as root or using sudo.
Create Data Directory
rkt expects its data directory to be owned by the rkt group, so we’ll need to add that:
groupadd rkt
Next, we’ll want to add any local users we want to be able to fetch images and see status to the group. Unlike adding users to the docker group, this does not allow all actions, only image management and status.
gpasswd -a $YOUR_USER_HERE rkt && newgrp rkt
Now that we have our group all set up, we can create the data directories. Fortunately, rkt ships with a script to accomplish this for us:
rkt-v1.1.0/scripts/setup-data-dir.sh
This will set up your data dir in /var/lib/rkt. If you want to locate it elsewhere, just pass your desired location as the first argument to the script. This does require further configuration work, however, and the default should work fine for most installations.
Install Stage1 Images
Next we’ll need to install our stage1 images. These are the basis for all other images, and rkt currently ships with three:
stage1-coreos.aci: isolates processes in the way we’ve come to think of as “containers”. You’ll probably use this stage1 90% of the time.
stage1-fly.aci: only provides disk isolation.
stage1-kvm.aci: uses KVM to provide isolation in virtual machines.
These are some solid options, but we need rkt to be able to find them. Future versions of rkt will be configured to look in /usr/lib/rkt/stage1-images, so we’ll put the images there.
mkdir -p /usr/lib/rkt/stage1-images
cp rkt-v1.1.0/*.aci /usr/lib/rkt/stage1-images/
Install systemd Service Files
Next, we want to install the service files located at rkt-v1.1.0/init/systemd:
cp rkt-v1.1.0/init/systemd/tmpfiles.d/rkt.conf /usr/lib/tmpfiles.d/
cp rkt-v1.1.0/init/systemd/rkt-metadata.* /usr/lib/systemd/system/
cp rkt-v1.1.0/init/systemd/rkt-gc.* /usr/lib/systemd/system/
systemctl daemon-reload
If you’re on CentOS, you may want to avoid installing the rkt-gc.* services, as there’s a nasty bug related to GC. It’s currently slated to be fixed in rkt 1.2, so keep your eye on that.
SELinux
The last hurdle we need to clear before we have a working system is SELinux. CentOS’ current SELinux policy blocks loading a shared library that rkt requires at runtime, so we’ll have to switch SELinux to permissive mode. If you’re reading this after 1.1.0, please try the test command below before you do this to make sure it’s still necessary (and you may want to follow the upstream bug report):
If you run a container and get this:
$ rkt run quay.io/coreos/alpine-sh --exec=/bin/echo -- 'Hello, rkt!'
[...]
/usr/lib/systemd/systemd: error while loading shared libraries: libselinux.so.1: cannot open shared object file: Permission denied
You’ll need these steps:
sed -i'' 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
setenforce Permissive
Do be aware that this turns off SELinux enforcement for the entire system: in permissive mode, denials are logged but nothing is blocked. If this is a dealbreaker for you, wait until the bug is fixed. Alternatively, you can use Ubuntu or CoreOS, where this bug does not come up.
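One way to script the "test first, then change" advice from this section, as an added example that is not part of the original post or the rkt project: it runs the test container and only relaxes SELinux when the libselinux.so.1 error shown above appears, keeping a backup of the config file. The function names and the --apply flag are made up for this example, and it assumes GNU sed.

```sh
#!/bin/sh
# Added example: apply the permissive workaround only when it is needed.

# Return 0 if the captured `rkt run` output on stdin contains the known failure.
selinux_blocks_rkt() {
    grep -q 'libselinux\.so\.1: cannot open shared object file: Permission denied'
}

# Rewrite SELINUX=enforcing to permissive in the given config file, keeping a
# backup next to it. Returns 1 and changes nothing if the file is not set to
# enforcing. The pattern is anchored so only the real setting line is touched.
set_permissive_in_config() {
    cfg=$1
    grep -q '^SELINUX=enforcing$' "$cfg" || return 1
    cp -p "$cfg" "$cfg.bak"
    sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' "$cfg"
}

# Run the test container from this page and decide based on its output.
main() {
    out=$(rkt run quay.io/coreos/alpine-sh --exec=/bin/echo -- 'Hello, rkt!' 2>&1) || true
    if printf '%s\n' "$out" | selinux_blocks_rkt; then
        echo "libselinux load blocked; switching to permissive" >&2
        set_permissive_in_config /etc/selinux/config ||
            echo "config file was not set to enforcing; left unchanged" >&2
        setenforce Permissive
    else
        echo "SELinux workaround not needed; leaving the current mode alone" >&2
    fi
}

# Only touch the system when explicitly asked to (run as root with --apply).
if [ "${1:-}" = "--apply" ]; then main; fi
```

To undo the change later, restore /etc/selinux/config.bak and run setenforce Enforcing.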
Run Some Containers!
Great job, everybody! Now let’s run a container to prove to ourselves that we’ve set things up correctly:
rkt run quay.io/coreos/alpine-sh --exec=/bin/echo -- 'Hello, rkt!'
After some informational messages and trusting the signing key, you should see “Hello, rkt!” in your terminal, which means we’ve arrived at our destination!