订阅内容

Image mode is a new approach to build, deploy, and manage Red Hat Enterprise Linux using bootable containers. In a previous blog post, we shared a bootable containers guide from the Fedora community to help you get started.

An important attribute of a bootable container is its immutability. An immutable operating system follows a different paradigm than traditional package-based systems. Immutability by default means security by design. Once deployed, the entire filesystem, with the exception of /etc and /var, is mounted read-only. This means that not even the root user has write privileges. Updates to the system are applied by downloading a new version of the bootable container image from a container registry, and then rebooting into the new state. It's a different way of approaching updates than using a package manager to update the system at runtime. It forces you to be intentional about changes to the operating system and gives you full state control.

Debugging an immutable OS

Production systems usually don't ship with debugging tools to keep the footprint as small as possible. On a traditional package-based system, you can use dnf to install strace for debugging purposes, but that doesn't exactly work in image mode. It's not sustainable to rebuild and reboot a bootable container image with debugging tools. Instead, you need a means to use debugging tools at runtime. Fortunately, there are two options.

Option 1: bootc usr-overlay

The bootc tool is the heart of Image Mode for RHEL and the core technology that enables OCI containers to encompass complete operating systems. Among other things, bootc is responsible for updating the operating system. It has a number of useful features for managing state and performing rollbacks. Additionally, it has functionality that's useful when debugging a system.

Suppose you want to install the strace command to help you debug some processes. You can use the bootc tool to temporarily unlock the operating system image by creating a transient writable overlayfs layer on /usr that gets discarded on reboot.

Open a terminal on the host system, and run the bootc command:

bootc usr-overlay

Now /usr is writable for root until the next reboot, which allows you to use dnf install strace for installation, just as you would on a traditional system.

Option 2: Toolbx

Image mode for RHEL is preinstalled with a development and troubleshooting tool called Toolbx. The command is available in the toolbox RPM, which we discussed in a previous article. It's particularly useful for installing troubleshooting tools at runtime without rebuilding the container image and then rebooting. For similar reasons, it is already popular on operating systems like Fedora CoreOS and Silverblue, which both have a similar design.

Toolbx enables you to use interactive command-line environments for software development, and troubleshooting the host operating system without having to install software on the host. It's built on top of Podman and other standard container technologies from OCI.

Toolbx environments have seamless access to the user’s home directory, Wayland and X11 sockets, networking (including Avahi), removable devices (like USB drives), systemd journal, SSH agent, D-Bus, ulimits, /dev, the udev database, and so on.

Toolbx installs software at runtime on immutable systems by providing a fully mutable container. In this container, you can install your favorite development and troubleshooting tools, editors, and SDKs. For example, it’s possible to do a dnf install -y strace without affecting the host operating system, and yet inspect the processes running on the host.

The Toolbx environment is based on an OCI image. On Red Hat Enterprise Linux, it defaults to the toolbox image from registry.access.redhat.com. This image is used to create a Toolbx container that offers the interactive command-line environment.

To get started, create a new container:

toolbox create

Then enter the environment:

toolbox enter

This presents an interactive command-line environment that looks and feels just like the one on the host operating system. The Toolbx commands are self-documenting. When you type an incomplete command, Toolbx provides documentation on what it expects next.

Toolbx can be used for a lot more than just strace. Everything from Ansible to Nmap to journalctl is possible, and it can be used both as your usual login UID and root. For more use cases and detailed examples, refer to the official Toolbx documentation.

More about bootable containers

If you're interested in bootable containers, we recommend taking a look at the upstream Getting Started Guide and Valentin's presentation on YouTube.


关于作者

Container engineer at Red Hat, bass player, music lover.

Read full bio

Preethi Thomas is an Engineering Manager for the containers team at Red Hat. She has been a manager for over three years. Prior to becoming a manager, she was a Quality Engineer at Red Hat. She is passionate about open source software, software quality, and open management practices and has rich experience working with upstream communities and projects. She is also highly passionate about Diversity and Inclusion and actively participates in outreach activities.

Read full bio

Principal Software Engineer at Red Hat, working on Fedora Silverblue and Workstation, GNOME, and Red Hat Enterprise Linux.

Read full bio
UI_Icon-Red_Hat-Close-A-Black-RGB

按频道浏览

automation icon

自动化

有关技术、团队和环境 IT 自动化的最新信息

AI icon

人工智能

平台更新使客户可以在任何地方运行人工智能工作负载

open hybrid cloud icon

开放混合云

了解我们如何利用混合云构建更灵活的未来

security icon

安全防护

有关我们如何跨环境和技术减少风险的最新信息

edge icon

边缘计算

简化边缘运维的平台更新

Infrastructure icon

基础架构

全球领先企业 Linux 平台的最新动态

application development icon

应用领域

我们针对最严峻的应用挑战的解决方案

Original series icon

原创节目

关于企业技术领域的创客和领导者们有趣的故事