
NSpawn-OCI

Script to import OCI (Docker) containers to machined as nspawn containers

Requirements

  • systemd-machined
  • systemd-nspawn
    • These are components of the monolithic systemd software. Availability and packaging of these components can vary wildly by distro. Refer to your distro's documentation.
  • skopeo
  • umoci
  • --convert requires jq

Usage

This script was tested under Arch Linux. At the time of writing, this script's usage of umoci and machinectl requires root access, so this script must be run as root.

import.sh $SOURCE $HOSTNAME [--convert|-c]

$SOURCE can be any supported container transport

$HOSTNAME must be suitable for use as a hostname following a conservative subset of DNS and UNIX/Linux semantics. See machinectl documentation for details.

--convert will read a subset of the OCI config.json and install an equivalent .nspawn file. If the container has empty mount points, you will be prompted for a bind point.

How it works

OCI mode

Below is a simplified version of the script containing the important lines.

# step 1: download the container to a temporary directory
skopeo copy "$source" oci:"$skopeo_output":latest
# step 2: convert the container to a format nspawn understands
umoci --verbose unpack --image "$skopeo_output" "$umoci_output" --keep-dirlinks
# step 3: override the default launch options for this container to use oci mode
cat << end > "$override"
[Service]
ExecStart=systemd-nspawn --oci-bundle=/var/lib/machines/%i --machine %i
end
# step 4: import the entire oci bundle
machinectl import-fs "$umoci_output" "$hostname"

Convert mode

Instead of importing the entire OCI runtime bundle and creating an override in systemd for the relevant container, only the rootfs is imported and an .nspawn file is generated from a few common options in the OCI config.json, namely:

Three additional options are added: ProcessTwo=true, VirtualEthernet=no, and PrivateUsers=false.
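
A check one might run on the .nspawn file that Convert mode generates, given as an added example that is not part of NSpawn-OCI: it reports the settings that relax isolation, including the PrivateUsers=false and VirtualEthernet=no values named above. The function names, the sample file and the Bind= path are constructed for illustration; section placement follows systemd.nspawn(5).

```sh
#!/bin/sh
# Added example, not part of NSpawn-OCI. Reads a .nspawn file (path argument or
# stdin) and prints one line per setting that relaxes container isolation.
audit_nspawn() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function is_false(v) { v = tolower(v); return v == "no" || v == "false" || v == "0" || v == "off" }
    function report(note) { printf "[%s] %s=%s: %s\n", section, key, val, note }
    {
        line = trim($0)
        if (line == "" || line ~ /^[#;]/) next          # blank line or comment
        if (line ~ /^\[.*\]$/) {                        # section header
            section = substr(line, 2, length(line) - 2); next
        }
        eq = index(line, "=")
        if (eq == 0) next                               # not a key=value line
        key = trim(substr(line, 1, eq - 1))
        val = trim(substr(line, eq + 1))
        if (section == "Exec" && key == "PrivateUsers" && is_false(val))
            report("no user namespace, container UIDs are host UIDs")
        else if (section == "Network" && key == "VirtualEthernet" && is_false(val))
            report("no veth link, host network is shared unless Private=yes")
        else if (section == "Files" && key == "Bind")
            report("host path mounted read-write")
    }' "$@"
}

# Constructed sample resembling what Convert mode writes (the Bind= path is made up).
sample_nspawn() {
    cat <<'EOF'
# constructed sample
[Exec]
ProcessTwo=true
PrivateUsers=false

[Network]
VirtualEthernet=no

[Files]
Bind=/srv/data:/data
EOF
}

sample_nspawn | audit_nspawn
```

To check an installed container, pass the file path instead, for example `audit_nspawn /etc/systemd/nspawn/NAME.nspawn`, where NAME is the machine name.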
