Using ansible-container to build your next application base image

  • Modifications for Docker-friendliness.
  • Application-specific libraries and frameworks.
  • Some administration tools that are especially useful for troubleshooting inside Docker.
  • Mechanisms for easily running multiple processes without violating the Docker philosophy.

Image building boilerplate with ansible-container

Folders and files organization

Build process orchestration

clean

Initialize

p-env/bin/ansible-container

build

run and stop

  • container.yml is based on version 2 of the docker-compose file format, while I usually need at least 3.1 in production. The steps are still provided, since they may work in your case; I usually end up with a separate docker-compose.yml (v3.1+) in the directory.

tag and push

compose helpers

Building a base image with ansible-container

  • an agreed folder organization (I do not want to guess each time where and how to put the logic that runs),
  • a robust init system,
  • optional support for running multiple processes per container (as long as the container remains a single logical unit, this does not contradict the Docker philosophy),
  • depending on the project, the ability to use different base images without diving into compilation specifics each time,
  • the possibility to run logic under custom users inside the container and, if necessary, to synchronize files and folders with the host system.

Why a valid init for containers is important

Candidates for container init process

Custom-written init script

Dumb-init

Tini

  • protection from software that accidentally creates zombie processes
  • ensures the default signal handlers work for the software you run in your Docker image.
  • easy to inject: Docker images that work without Tini will work with Tini without any changes.
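To make concrete what the three bullets above ask of PID 1, here is a minimal container init written for this page as an added example. It is not tini's or dumb-init's code, though it follows the same design: block the interesting signals, fork the workload, reap with waitpid in a loop (orphans re-parented to PID 1 included), forward termination signals to the workload and exit with its real status. The file name mini_init.c and the build and ENTRYPOINT lines are assumptions.

```c
/* mini_init.c: a minimal PID 1 for containers (added example, not tini's code).
 * Two jobs a container init must do:
 *   1. reap every child, including orphans re-parented to PID 1, so no zombies accumulate;
 *   2. forward termination signals to the workload and exit with its status.
 * Build (assumed): cc -O2 -o mini_init mini_init.c
 * Use  (assumed): ENTRYPOINT ["/mini_init", "myapp", "--flag"]
 */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Reap all children that have already exited, without blocking. Returns how
 * many were reaped. If the main workload (main_child) was among them, its wait
 * status is stored in *main_status and *main_exited is set to 1. SIGCHLD does
 * not queue, so one notification may cover several exited children: loop. */
int reap_children(pid_t main_child, int *main_exited, int *main_status)
{
    int reaped = 0;
    for (;;) {
        int status;
        pid_t pid = waitpid(-1, &status, WNOHANG);
        if (pid <= 0)   /* 0: live children, none exited yet; -1/ECHILD: no children */
            break;
        reaped++;
        if (pid == main_child) {
            *main_exited = 1;
            *main_status = status;
        }
    }
    return reaped;
}

/* Map a wait status to the exit code init should return to Docker: the child's
 * own code, or 128+signal when it died from a signal (the shell convention). */
int exit_code_from_status(int status)
{
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);
    return 1;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }

    /* Block the signals we handle before forking so none is lost between fork
     * and the wait loop. The child restores the original mask before exec, so
     * the workload sees default signal dispositions. */
    sigset_t set, old;
    sigemptyset(&set);
    sigaddset(&set, SIGCHLD);
    sigaddset(&set, SIGTERM);
    sigaddset(&set, SIGINT);
    sigaddset(&set, SIGHUP);
    sigaddset(&set, SIGQUIT);
    sigaddset(&set, SIGUSR1);
    sigaddset(&set, SIGUSR2);
    if (sigprocmask(SIG_BLOCK, &set, &old) != 0) { perror("sigprocmask"); return 1; }

    pid_t child = fork();
    if (child < 0) { perror("fork"); return 1; }
    if (child == 0) {
        sigprocmask(SIG_SETMASK, &old, NULL);
        execvp(argv[1], argv + 1);
        perror("execvp");
        _exit(127);
    }

    int main_exited = 0, main_status = 0;
    while (!main_exited) {
        siginfo_t info;
        if (sigwaitinfo(&set, &info) < 0) {
            if (errno == EINTR)
                continue;
            perror("sigwaitinfo");
            return 1;
        }
        if (info.si_signo == SIGCHLD)
            reap_children(child, &main_exited, &main_status);
        else
            kill(child, info.si_signo);   /* forward docker stop's SIGTERM etc. to the workload */
    }
    return exit_code_from_status(main_status);
}
```

With this as the ENTRYPOINT, `docker stop` sends SIGTERM to PID 1, the init forwards it, and the container exits with the workload's real status instead of being SIGKILLed after the grace period. The reaping loop also collects processes that were re-parented to PID 1 after their own parent died, which is exactly the zombie case the first Tini bullet refers to.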

Runit

S6

  • Lightweight init process with support for initialization (cont-init.d) and finalization (cont-finish.d) scripts, as well as for fixing ownership and permissions (fix-attrs.d).
  • The s6-overlay provides proper PID 1 functionality inside a Docker container: zombie processes are properly cleaned up.
  • Support for multiple processes in a single container ("services").
  • Usable with all base images: Ubuntu, CentOS, Fedora.
  • Distributed as a single .tar.gz file, to keep your image's number of layers small.
  • A whole set of handy, composable utilities included in s6 and s6-portable-utils.
  • Log rotation out of the box through logutil-service, which uses s6-log under the hood.

My_Init

  • protection from software that accidentally creates zombie processes: reaping is implemented as part of the control script.
  • in addition, supports startup scripts in an init.d directory and an rc.local file.
  • supports additional optional services inside the container via runit: cron, ssh.
  • handles additional environment-variable plumbing for the services it starts.

Supervisord ?

More ?

Candidates for running multiple services inside a container

Supervisord

Runit

S6 (in scope of S6-overlay project)

More ?

Running processes as a different user

  • The application might modify things it should not be able to touch.
  • If the application shares a folder with the host, every file it creates will be owned by root.
  • If the container is compromised, it is still bad if the attacker is root: without user-namespace remapping, root inside the container is uid 0 for the host kernel as well, so any escape lands as root.

Docker’s native

chpst

Phusion’s setuser

sudo
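Whichever of the tools listed above you pick, the work it has to do before exec'ing the workload is the same. The following added example (not Phusion's setuser or runit's chpst, just an illustration in C of the steps such a tool performs) shows the order that matters and a check that the drop really is irreversible; the file name drop_privs.c and the usage line are assumptions.

```c
/* drop_privs.c: switch to an unprivileged user, then exec the workload
 * (added example, not Phusion's setuser or runit's chpst).
 * Build (assumed): cc -O2 -o drop_privs drop_privs.c
 * Use   (assumed): ./drop_privs app /usr/bin/myapp --flag
 */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Switch to uid/gid permanently. The order matters:
 *  - supplementary groups first: only root may call setgroups, and a forgotten
 *    call leaves the process in root's groups (e.g. "docker" or "shadow");
 *  - then gid, because after setuid we no longer have the privilege to change it;
 *  - then uid: for root, setuid() sets real, effective and saved uid at once,
 *    so the change cannot be undone.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Post-condition check: returns 1 only if none of our uids is 0 and root cannot
 * be regained with setuid(0) (a leftover saved uid of 0 would let it succeed). */
int privileges_dropped(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    if (setuid(0) == 0)
        return 0;
    return errno == EPERM;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s user command [args...]\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[1]);
    if (!pw) {
        fprintf(stderr, "unknown user %s\n", argv[1]);
        return 1;
    }
    /* A fuller tool would call initgroups(3) here to give the target user its
     * own supplementary groups; this example keeps only the primary group. */
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    if (!privileges_dropped()) {
        fprintf(stderr, "refusing to run: still root\n");
        return 1;
    }
    execvp(argv[2], argv + 2);
    perror("execvp");
    return 127;
}
```

The refusal to exec when the check fails is the point: a process that believes it dropped root but kept a saved uid of 0, or root's supplementary groups, is the kind of mistake that hand-written sudo or su wrappers make, and it is cheap to verify before handing control to the application.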

Your own baseimage built with ansible-container

tini init system based, with supervisor as service manager

Close to Phusion’s base image

A few figures on produced image sizes

Summary

--

Vyacheslav Voronenko

Software engineer, with project management background. Founder @ softasap.com — cool automation for the people :) — have a problem that needs to be solved?