Using ansible-container to build your next application base image

Most Dockerfiles start from a parent image. Application baseimage is a special Docker image that is configured for correct use within Docker containers and aware about your application requirements, expectations + set of additional tools.

Usually those include, but not limited to:

  • Modifications for Docker-friendliness.
  • Application specific libraries and frameworks
  • Some administration tools, that are especially useful for troubleshouting inside docker
  • Mechanisms for easily running multiple processes, without violating the Docker philosophy

Perhaps every company or agency dealing with dockerized applications have or implemented such one. Until now you could find it in a form of complex shell and makefiles, especially if baseimage was released for multiple OS-es.

The closer ansible-container 1.0.0 release is, the more chances that you would give a try to ansible to take care of your next dockerized application base image.

Let’s briefly dive into tools and components you might need to do so.

Image building boilerplate with ansible-container

Folders and files organization

requirements.txt - defines any specific py tools & libs you want to use together with ansible-container.

.projmodules - list of dependencies (roles, deployables, etc) needed to compile base image. Format similar to gitmodules, but without direct links to commit. Example:

init.sh && init_quick.sh - resolve external dependencies under specified locations (roles under roles, deployables under deployables, etc)

ansible.cfg - by default empty, but you can adjust parameters for your build process according to documentation.

version.txt - information file gitflow based releasing (x.y.z)

image.txt - additional information about image constructed for tagging and pushing parts.

Makefile && docker-helper.sh - orchestration utilities, discussed in the next chapter.

docker-compose.yml - usually I also provide docker-compose configuration, so the image can be immediately tried.

container.yml - definition of the image you are going to build

And, of course, .gitignore - we definitely do not want to commit external resources. p-env - virtual environment created during the build, ansible-deployment - transient output produced by ansible-container itself.

Build process orchestration

clean

Initialize

p-env/bin/ansible-container

build

run and stop

  • container.yml is based on 2nd version of the docker-compose spec, while I usually need at least 3.1 in production. Anyway steps are provided — they might work in your case. I usually end with the separate docker-compose.yml v3.1+ in the directory.

tag and push

Providing example: properly tags api and nginx images built and pushes them to docker hub.

compose helpers

That’s all. Back to primary target.

Building base image with ansible container.

  • agreed folder organization (I do not want to guess each time where and how I need to put logic to run),
  • robust init system.
  • optional support for running multiple processes per container (as long as container remains single logical unit — it does not contradict with Docker philosophy).
  • Depending on project I want to be able to use different base images and do not want to dive into compilation specifics each time.
  • Possibility to run logic under custom users inside container and synchronize, if necessary files and folders with host system.

And final point: as long as possible I want to keep my code organized better, than series of bash command that usually are hard to read and hard to adjust in a way we usually do with programs. And this is where ansible-container will help.

Why valid init for containers is important

Why init process is important: running processes can be visualized are ordered in a tree: each process can spawn child processes, and each process has a parent except for the top-most process. This top-most process is the init process. It is started when you start your container and always has PID 1. This init process is responsible for starting the rest of the system, including starting your application. When some process terminates, it turns into smth referred as “defunct process”, also known as a “zombie process” (https://en.wikipedia.org/wiki/Zombie_process). In simple words, these are ones that are terminated but have not (yet) been waited for by their parent processes.

But what if parent process terminates (intentionally, or unintentionally)? What happens then to its spawned processes? They no longer have a parent process, so they become “orphaned” (https://en.wikipedia.org/wiki/Orphan_process).

And this is where the init process kicks in. It becomes new parent (adopts) orphaned child processes, even though they were never created directly by the init process. The operating system kernel automatically handles adoption. Moreover: the operating system expects the init process to reap adopted children too.

What if not? As long as a zombie is not removed from the system via a wait, it will consume a slot in the kernel process table, and if this table fills, it will not be possible to create further processes in the host system itself. Also, init system implemented wrong often leads to incorrect handling of processes and signals, and can result in problems such as containers which can’t be gracefully stopped, or leaking containers which should have been destroyed.

More reading on a topic:

Upstart, Systemd, SysV usually are too heavy (overkill) to be used inside docker (+ not always easily possible). What are the options ?

Candidates for container init process

Custom written init script

Will work, but really does not guarantee reaping… Let’s examine more robust alternatives.

Dumb-init

dumb-init enables you to simply prefix your command with dumb-init. It acts as PID 1 and immediately spawns your command as a child process, taking care to properly handle and forward signals as they are received.

Project repo: https://github.com/Yelp/dumb-init

Tini

  • protection from software that accidentally creates zombie processes
  • ensures the default signal handlers work for the software you run in your Docker image.
  • easy to inject: Docker images that work without Tini will work with Tini without any changes.

Shipped as precompiled binary for hugh variety of platforms.

Project repo: https://github.com/krallin/tini

Runit

Project website: http://smarden.org/runit/

S6

S6 provides:

  • lightweight init process with support of initialization (cont-init.d), finalization (cont-finish.d) as well as fixing ownership permissions (fix-attrs.d).
  • The s6-overlay provides proper PID 1 functionality inside docker container. Zombie processes will be properly cleaned up.
  • Support for multiple processes in a single container (“services”)
  • Usable with all base images — Ubuntu, CentOS, Fedora
  • Distributed as a single .tar.gz file, to keep your image’s number of layers small.
  • A whole set of utilities included in s6 and s6-portable-utils. They include handy and composable utilities.
  • Log rotating out-of-the-box through logutil-service which uses s6-log under the hood.

My_Init

Provides

  • protection from software that accidentally creates zombie processes — reaping is implemented as a part of control script.
  • in addition supports startup files in init.d and rc.local directories.
  • supports additional optional services inside container via runit: cron, ssh
  • handles additional magic with environment

Requires: python inside your container. In present form limited to Ubuntu base system only.

Supervisord ?

Good if you anyway used it with your application earlier.

More ?

Candidates for running multiple services inside container.

SupervisorD

RUnit

Typical interaction examples:

/usr/bin/sv status /etc/service/ - get status of services listed in configuration folder

/usr/bin/sv -w 10 down /etc/service/* - shutdown all services with timeout 10

S6 (in scope of S6-overlay project)

Now, each of those run files is an executable that s6 executes to start the process.

Services are controlled by s6-svc binary. It has number of options, but the main idea is that you give it the directory of the service. So for example, if I wanted to send SIGHUP to nginx, I would do s6-svc -h /var/run/s6/services/nginx. Note: that it’s /var/run and not /etc/services.d; This is hugh difference from RUnit. And lastly, the -h is for SIGHUP.

s6-overlay comes with a number of built versions, so you can download the one that matches your Linux setup. If you want to use s6 directly, users of Alpine and a few other flavors of Linux can just install it from their package manager. We’re running Debian and there’s no PPA for it, so we would have to compile s6 on our own

More ?

Running processes as a different user

  • Application might modify up things that it shouldn’t be
  • If application shares folder with base host, all created files will be owned by root
  • If container is compromised — well, still it is bad if they’re root.

If you want to understand, how uid and gid work in Docker containers, take a look on that article: https://medium.com/@mccode/understanding-how-uid-and-gid-work-in-docker-containers-c37a01d01cf

What are the options:

Docker’s native

Success scenario, but not always possible, if container communicates with the host.

chpst

Phusion’s setuser

sudo

Your own baseimage built with ansible-container

Sorry for repeating, but let me emphasize once more: if you want alternative to custom makefiles and tons of hard-to-read shell files, give a try to ansible-container. Ansible-container provides better alternative to the command && command && command (and so on) syntax you’ve been struggling with to build containers. Since Ansible is at the heart of Ansible Container, you can make container builds completely predictable and repeatable, and more over readable.

I have to admit, that although it is already passed 0.9.1, ansible-container is still at it’s early ages with some cumbersome side effects from time to time (https://medium.com/@V_Voronenko/evaluating-ansible-container-as-a-tool-for-custom-docker-containers-build-500a0395a4c8), but it really becomes more robust each minor release, thus if you try it now — your production will be ready for concept when it is released…

Previously running ansible inside container required installing a lot of unnecessary packages, which was causing bigger image sizes. Ansible-cointainer introduced different approach: combination of conductor (managing container with ansible and necessary tools installed) and target container. This allows to keep target image size small and this approach will work on any base image, which allows ansible and python to be installed.

Aim of the current proof of concept: build bootstrap role for building base application image, and thus simplify application play itself.

We want: select preferred init system: tini, dumb-init or init approach by Phusion (phusion-init)

We want: have possibility to choose internal service layer: runit, supervisor or s6.

Following the Phusion’s base image concept, we want optional cron, sshd, and syslog services inside container.

If we ever wanted ssh inside container, let’s provide keypair to trust.

Resulting play is compact and readable like your usual ansible play.

More over — we are not limited to some single approach — we are free to select init system and service system from list of supported. You can always add the new one.

In order to provide some compatibility between systems, I usually

a) put services runners into /etc/service//run — this supports both running via shell, runit, s6. Supervisord might re-execute the same script. b) put image pre-initialization into /etc/myinit.d/*.sh c) always name entry point as docker-entrypoint.sh d) your role, thanks to ansible, migth detect and target multiple basesystems — thus you can choose, for example, often used Alpine or Jessie.

Take a look on role example, that might be used to build such base image: https://github.com/softasap/sa-container-bootstrap

Typical ansible-container play used to build application image using your base play one might look as:

tini init system based, with supervisor as service manager

tini init system based, with supervisor as service manager

Close to Phusion’s base image

More examples on https://github.com/Voronenko/devops-docker-baseimage-demo

Few figures on produced sizes

Summary

Software engineer, with project management background. Founder @ softasap.com — cool automation for the people :) — have a problem that needs to be solved?

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store