Project Atomic is now sunset

The Atomic Host platform is now replaced by CoreOS. Users of Atomic Host are encouraged to join the CoreOS community on the Fedora CoreOS communication channels.

The documentation contained below and throughout this site has been retained for historical purposes, but can no longer be guaranteed to be accurate.

Project News

How to sneak secrets into your containers, without leaving a trace

Default mounts for all of your containers.

I was presenting OpenShift and really the underlying container technology we are building CRI-O, Buildah and Podman to some customers the other day. After the presentation, one of the customers came over to me and said, the biggest problem they have with their users building containers, was they needed to use certificates in the container in order to access their software repositories. But they did not want the certificates to end up embedded in the containers. I pointed out that Red Hat’s version of Docker allowed you to do volume mounts into containers during a docker build. Also Buildah had the same functionality. But he pointed out that they did not want everyone of their engineers to have to add the volumes, or if they were running a container and wanted to update software and they forgot the volume mount then they could not access the certificates.

Read More »

Problems Are Just Opportunities in Disguise

As a father who’s ushered one child through their teen years, and with two more in the teens now, I know about problems. Problems with the WiFi not working, or the shoes that are two months old and now two sizes too small. Those are the easy ones, the harder ones come in with sleepovers with their significant others, the broken down car after curfew or the death of a classmate. In my at-work life, I was explaining to my scrum master that I’d not been picking off any cards off our board in the past sprint because I’d spent all my time working on issues. He remarked that as a software engineer we’re not so much coders as we’re problem solvers. I guess I can’t escape problems either at work or at home.

Recently one of the folks that talks about Buildah, Podman, and other related container technologies at conferences sent me an email about a problem he was having with a demo script he was hoping to show.

Read More »

Building Kernel Modules with Podman

Building Kernel Modules on Atomic with Podman

The goal of this post is to explain how to build and load a kernel module inside a container using Podman.

Building and using third party kernel modules on Atomic is a challenging task. There are a handful of methods for supporting kernel modules on a Linux system such as kmods, akmods, DKMS, and manually building them by hand. Digging into all of the technical hurdles Atomic faces with each method is a very large topic and a bit out of scope for this blog post, so we will focus on DKMS for the time being.

Using DKMS on Atomic does not work as expected. This means using popular third party kernel modules such as NVidia drivers, VirtualBox, and WireGuard via their supported install methods will not work as a result, but I will explain how we can work around these limitations in this blog post.

Read More »

User namespaces support in Podman

We recently added support for user namespaces to Podman. This has some major benefits for security and added flexibility when running containers. It allows processes to have privileges inside of the container, but no privileges if they escape the container.

Read More »

Pinning Deployments in OSTree Based Systems

Introduction

RPM-OSTree/OSTree conveniently allows you to rollback if you upgrade and don’t like the upgraded software. This is done by keeping around the old deployment; the old software you booted in to. After a single upgrade you’ll have a booted deployement and the rollback deployment. On the next upgrade the current rollback deployment will be discarded and the current booted deployment will become the new rollback deployment.

Typically these two deployments are all that is kept around. However, recently a new pinning feature was added that allows the user to pin a deployment to make sure it doesn’t get garbage collected.

Read More »