There’s been a lot of attention for the Fedora Atomic Workstation project recently, with several presentations at devconf (Kalev Lember, Colin Walters, Jonathan Lebon) and fosdem (Sanja Bonic), blog posts and other docs.
I’ve played with the Atomic Workstation before, but it was always in a VM. That is a low-risk way to try it out, but the downside is that you can jump back to your ‘normal’ system at the first problem… which, naturally, I did. The recent attention inspired me to try again.
This time, I wanted to try it for real and get some actual work done on the Atomic side. So this morning, I set out to convert my main system to Atomic Workstation. The goal I’ve set myself for today was to create a gnome-font-viewer release tarball using a container-based workflow.
There are two ways to install Atomic Workstation. You can either download an .iso and install from scratch, or you can convert an existing system. I chose the second option, following these instructions. By and large, the instructions were accurate and led me to a successful installation. A few notes:
- You need ~10G of free space on your root filesystem
- I got server connection errors several time – just restarting the ostree pull command will eventually let it complete
- The instructions recommend copying grub.cfg from /boot/loader to /boot/grub2/, but that only works for the current tree – if you install updates or add a layer to your ostree image, you have to repeat it. An easier solution is to create a symlink instead.
After a moment of fear, I decided to reboot, and found myself inside the Atomic Workstation – it just worked. After opening a terminal and finding my git checkouts, I felt a little helpless – none of git, gitg, gcc (or many other of the developer tools I’m used to) are around. What now ?
Thankfully, firefox was available, so I went to http://flathub.org and installed gitg as a flatpak, with a single click.
For the other developer tools, remember that my goal was to use a container-based workflow, so my next step was to install buildah, which is a tool to work with containers without the need for docker. Installing the buildah rpm on Atomic Workstation feels a bit like a magic trick – after all, isn’t this an immutable image-based OS ?
What happens when you run
rpm-ostree install buildah
is that rpm-ostree is composing a new image by layering the rpm on top of the existing image. As expected, I had to reboot into the new image to see the newly installed tool.
Next, I tried to figure out some of the basics of working with buildah – here is a brief introduction to buildah that i found helpful. After creating and starting a Fedora-based container with
buildah from fedora buildah run fedora-working-container bash
I could use dnf to install git, gcc and a few other things in the container. So far, so good. But in order to make a gnome-font-viewer release, there is still one thing missing: I need access to my git checkout inside the container. After some browsing around, I came up with this command:
buildah run -v /srv:/srv:rslave fedora-working-container bash
which should make /srv from the host system appear inside the container. And… i was stuck – trying to enumerate the contents of /src in the container was giving me permission errors, despite running as root.
Eventually, it dawned on me that selinux is to blame… The command
sudo chcon -R -h -t container_file_t /srv
is needed to make things work as expected. Alternatively, you could set selinux to be permissive.
From here on, things were pretty straightforward. I additionally needed to make my ssh keys available so I could push my commits from inside the container, and I needed a series of dnf commands to make enough build dependencies and tools available:
dnf install git dnf install meson dnf install gtk3-devel ...
meson . build ninja -Cbuild ninja -Cbuild dist
worked and produced this tarball – success!
So, when you try gnome-font-viewer 3.27.90 remember: it was produced in a container.