Ansible no.3: ansible-bender

Petr Moravek
Mar 21, 2019 · 3 min read

[2019/03/21] This time we have come together to talk about containers or their images managed by ansible. We have spoken about buildah and podman in concert with above mentioned system management tool.

Initial rehearsal

Before you begin, you are expected to be familiar with a few buzzwords. Let us associate their meaning with the context of the session.

Ansible

Our old friend, so no need for further details: https://www.ansible.com/ and https://github.com/ansible/ansible.

Podman

Podman is a fully-featured container engine. It provides a Docker-compatible command line to ease the transition from other container engines. Most Podman commands can be run as a regular user, without requiring additional privileges. Furthermore, all of this is accomplished without a daemon!

— Podman 1.0 release

Well, it is worth saying that podman is written in golang, the magic ingredient of today’s fancy and successful projects. It comes from Red Hat but has been released publicly under the Apache-2.0 license (Github: tutorial/install).

Our original goal with Podman was to provide a fully-featured debugging experience for CRI-O, but it has become so much more.

Note-podman: Ubuntu users at 16.04 LTS, you are out of luck :-( Debian, Ubuntu 18.04? Fedora/RHEL family welcome. Do you really want me to build from source and enjoy the dependency hell?

Buildah

Buildah is an efficient way to create OCI images. It has a home at Github (Github:Containers/buildah). This is the second piece of the puzzle. It is again written in golang, and again born at Red Hat (A daemon-haunted (container) world no longer: …).

Those two pieces have established a new wave of container management tools that try to get rid of old mistakes and undesired vulnerabilities. With all that in mind we can say: “The $king is dead, long live the $king!”, where the variables are Docker and Podman+Buildah (at this moment ;-)).

Note-buildah: Even Ubuntu 16.04 (Xenial) can build images, but it cannot run containers as it lacks CRI-O by default. That can be fixed via the PPA :-)

sudo add-apt-repository ppa:projectatomic/ppa
sudo apt-get update

The session

Dockerfile is wrong ! However…

(brought by Tomáš Tomeček)

(slides / their source)

Buildah

  • Dockerfile reborn (saves your life)
  • From scratch (of course be minimalist)
  • Bash copy (container image mounted)

then marry it with ansible through ansible-bender

  • interface between ansible and buildah (stdin/out/err): it is just another Ansible connection plugin, like ssh or local
  • you decide which layers are cached (up to apt upgrade or install ~ slow parts fast)
  • turn ansible playbook from SSH+VM to buildah-inside-container (without modifying the playbook!!!)
  • Docker’s take on the same topic: docker build -> BuildKit (after a few years of stagnation)

plans ~ future is bright

kNative ~ k8s integration (build part by ansible-bender)

Hands-on warm-up

Let’s start in shell

export BASE_IMAGE=fedora:29
export CONT_NAME=prgcont

buildah unshare '…' for an unprivileged user is still buggy, so become root for now…

buildah pull $BASE_IMAGE
buildah from --name $CONT_NAME $BASE_IMAGE
printf "$CONT_NAME \
ansible_connection=buildah \
ansible_python_interpreter=/usr/bin/python3" >inventory-container
ansible-playbook -i inventory-container -c buildah ./recipe.yaml
buildah commit --cmd '/entrypoint.sh' $CONT_NAME my-fancy-image
buildah rm $CONT_NAME

push it among local docker images:

buildah push prgcont docker-daemon:prgcont:some-name
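The warm-up sequence above wrapped into a small POSIX shell script, as an added example that is not from the post or from the ansible-bender project: it renders the inventory line for the buildah connection plugin, refuses a base image that has no tag or digest (an untagged reference silently resolves to :latest, so the build is not reproducible), and removes the working container even if the playbook fails. It assumes recipe.yaml and /entrypoint.sh exist as in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the warm-up steps in
# functions; the build itself runs only when the script is called with "build".
set -eu

BASE_IMAGE="${BASE_IMAGE:-fedora:29}"
CONT_NAME="${CONT_NAME:-prgcont}"
TARGET_IMAGE="${TARGET_IMAGE:-my-fancy-image}"

# Return 0 when an image reference carries a tag or a sha256 digest, 1 when it
# would silently resolve to :latest. Only the last path component is inspected,
# so a registry port (localhost:5000/fedora) does not count as a tag.
base_image_pinned() {
    case "$1" in *@sha256:*) return 0 ;; esac
    case "${1##*/}" in *:*) return 0 ;; *) return 1 ;; esac
}

# Render the one-line inventory used on the slides: host = working container,
# connection = buildah plugin, interpreter = python3 inside the image.
make_inventory() {
    printf '%s ansible_connection=buildah ansible_python_interpreter=%s\n' "$1" "$2"
}

# pull -> from -> playbook via buildah connection -> commit; the trap removes the
# working container and the temp inventory whether or not the playbook succeeds.
build_image() {
    base_image_pinned "$BASE_IMAGE" || {
        echo "refusing unpinned base image: $BASE_IMAGE" >&2
        return 1
    }
    inventory=$(mktemp)
    trap 'buildah rm "$CONT_NAME" >/dev/null 2>&1 || true; rm -f "$inventory"' EXIT
    make_inventory "$CONT_NAME" /usr/bin/python3 >"$inventory"
    buildah pull "$BASE_IMAGE"
    buildah from --name "$CONT_NAME" "$BASE_IMAGE"
    ansible-playbook -i "$inventory" -c buildah ./recipe.yaml
    buildah commit --cmd '/entrypoint.sh' "$CONT_NAME" "$TARGET_IMAGE"
}

if [ "${1:-}" = "build" ]; then
    build_image
fi
```

Run it as root (as the post notes for buildah unshare) with `./build.sh build`; BASE_IMAGE, CONT_NAME and TARGET_IMAGE can be overridden from the environment.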

Hands on second part

Sources

We’ll do two common use cases in this workshop:

  1. Containerizing a test suite. (done)
  2. Running a web app in a container. (done)

ansible-bender push docker-daemon:hugo:latest

Tip: use sen (Github:TomasTomecek/sen) — a terminal UI for docker

QA Part

Question: How does the ansible interface with the buildah?

Answer: stdin/out/err, but the cousin project podman uses structured API called varlink (see FAQ of varlink).

One more thing

  • Quarkus — Red Hat’s take on Java Fast™
  • Drools (BPML) — slow java -> graalvm (AOT) made fast (from Red Hat blog Quarking Drools…)
  • OptaPlanner — a path optimizer (path for your VMs towards right hypervisor)

Off-topic

Question: How to replace legacy of Mirantis Openstack with something fresh?

Answer: Well, there are a couple of other projects doing the same thing (deploying and managing Openstack). The well known ones are TripleO and its commercial cousin Red Hat Director, but what about considering shrinking the problem into just making the VM behave like a container? Then it is worth checking the idea behind Container Native Virtualization (aka CNV, as presented at Red Hat Summit — May 2018).

Originally published at blog.xlinux.cz on March 21, 2019.

Prague Containers Meetup

We are a group of people fascinated by cloud native.
