Creating, Hosting Your Own CoreOS Rkt App Container Images(ACI)

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)

Creating, Hosting your own CoreOS Rkt (ACI) Images

Creating your own (ACI) package

The document below uses the ACI image format since we are dealing with Rkt. in the future Rkt might switch to the OCI format. to note Docker is using the OCI image format, which is part of the opencontainer initiative.

The steps below, show you how to create/host and sign your own Rkt package/images, you can also always download/convert any Docker package to the ACI Rkt format.

To create an ACI package, you will need the actool utility included in the CoreOS build, or you can use docker2aci to create/convert your images.

First, Lets create a directory structure, similar to one below.
An example directory layout is below.

Next, create something to run, can be a simple as echo hello.

Now, lets create our manifest, something like the below should work.
Note: For a full list of available options click here.

Next, lets compile the code to create the aci, run the below to do so.

Now, Lets publish the code so we can use it.
Note: The below fetch method is with no security i.e. without a key, if you like to use / configure your own gpg key, you can just follow the below gpg configuration.

To run the application app1, just run the below.

Now, we can distribute / publish the aci to our local image registry servers.

Securing / signing / setting your GPG key on your ACI images

To distribute an aci application, the application image would usually to be secured by using a GPG key to sign the image.

To sign the image we first need to create our own GPG key.

Lets create our own key.

Create a gpg file, something like the below.
cat gpg-batch

Now, lets generate gpg key

Note: If gpg key generating hangs, like the one below. stop the process, and try to install rng-tools. like below

Next, lets output/get the key (required for next step).

Now, lets trust our key, by running the below (use the key output from above).

Now, lets export the public key to use latter.


Enter the key password when prompted which in our case is rkt.

We should now have 3 files, the public GPG key, the aci(app file), and the asc(signature file). we will be using this in next steps to publish the package.

Creating your own (rkt) registry

One of the great benefits of using RKT is the image distribution(hub/registry) is super simple.

You will need a running web server on to host that contains all the images.

  1. Generate web server Certificate (self signed or public)
  2. Create directory structure
  3. Copy aci and gpg keys
  4. Create ac-discovery rules

Generate a certificate

The example below uses a self signed certificate, lets first Generate a CA certificate, so we can sign our certificate.

To do so create a file called cert.conf, like the one below.

Next, run the below openssl commands to generate the certificates.

You should see many files create, we only need 3 of these files.

On CoreOS, run update-ca-certificates, on Ubuntu rename to .crt and run dpkg-reconfigure ca-certificates (if update-ca-certificates is not working).

Web server and directory structure

There are many options you can use for a web server, like flask, etc…
I will use a simple Python HTTPS web server.

Create a file with the below content.

Create a index.html , like the one below.

In the above index.html configuration I am using a separate directory for every application.this

For example in our case, the application is named app1.
Lets create an app1 directory, and copy the app1 application files.

The last configuration is to copy the pubkeys.gpg to the root directory.
Now lets start the web server, by running.

Now, we are ready to test the rkt app discovery by running the below.

A quick verification should show something like the below.

You can also try to run the app something like the below.

Helpful link
CoreOs Signing and Verification Guide
App Container Image Discovery
Rkt meta discovery tag

Adding public packages to your local registry/repository

Below I am going to add etcd to my local registry.

First lets fetch the image from one of the public repository.

Next lets extract the image locally

Now, lets create a tmp directory and extract the etcd image.

Now modify the etcd_tmp/manifest file
Replace all the with (approximately 3 times), for example.

Now lets re-package and sign the aci.

Next, lets update the index.html with the etcd location.

We are almost done, lets create the etcd directory and copy the files.

Finally, lets fetch the image from/to the local repo

Below you can see both the coreos( and the local copy.

Helpful link
Rkt image layout

This concludes the Rkt/Appc application discovery/registry setup, the options are endless once you host your own application registry.

You might also like – Articles related to Docker Kubernetes / Micro-services.

Like what you’re reading? please provide feedback, any feedback is appreciated.

Leave a Reply

Notify of