Building minimal containers
by
Brian "redbeard" Harrington
Principal Architect, CoreOS
Getting Weird with Containers
Brian Redbeard
Harrington
Principal Architect
CoreOS
redbeard@coreos.com
github.com/brianredbeard
twitter.com/brianredbeard
brianredbeard.com
WHO GETS EXCITED ABOUT
TARBALLS
IT'S STORY TIME
BREAK OUT THE COOKIES & BEER
THERE ONCE WAS A LITTLE CONTAINER WHO WANTED TO GET
TO
PRODUCTION
BUT...
MUCH LIKE
REDBEARD
THE CONTAINER WAS
GETTING A LITTLE
TOO BIG
AND ALL THE
PRODUCTION OPS
FOLKS SAID:
IF YOUR CONTAINERS ARE GETTING DEPLOYED
ON MY INFRASTRUCTURE YOU BETTER
COME CORRECT ON
HOW BIG
THEY ARE
TO WHICH THE
DEVELOPERS
REPLY:
BUT DISK SPACE IS
SO CHEAP
AND SSD WRITE CYCLES ARE
EXPENSIVE
BIG CONTAINERS ARE A
PROBLEM
BIG CONTAINERS:
SLOW DOWN YOUR DEPLOYMENTS
(NETWORK)
BIG CONTAINERS:
CONSUME MORE SPACE
(STORAGE)
BIG CONTAINERS:
INCREASE COST OF OBJECT STORAGE
(BUDGET)
BIG CONTAINERS:
DECREASE I/O PERFORMANCE
(STORAGE)
BIG CONTAINERS:
ARE HARDER TO AUDIT
(SECURITY)
BIG CONTAINERS:
NEED TO BE PUT ON A DIET
BUT YOU DON'T NEED TO
TAKE MY WORD FOR IT
EXPERT PICKS (C) BY LEVAR BURTON
LETS LOOK AT AN
EXAMPLE:
HTTP://SHOUT-IRC.COM
The source?
HTTP/1.1 200 OK
Content-Length: 592371
Access-Control-Allow-Origin: https://render.githubusercontent.com
Content-Security-Policy: default-src 'none'
X-XSS-Protection: 1; mode=block
X-Frame-Options: deny
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
Vary: Authorization,Accept-Encoding
ETag: "7138ca6bda5430d1fdbc9f6e530d9cfd11247bd1"
Content-Type: application/zip
Content-Disposition: attachment; filename=shout-0.51.0.zip
Date: Wed, 29 Jul 2015 23:27:30 GMT
take note:
592KB
FROM node
RUN npm -g install shout
EXPOSE 9000
CMD ["shout", "start"]
FROM ubuntu
RUN apt-get update && apt-get -y upgrade && \
apt-get -y install nodejs
RUN npm -g install shout
EXPOSE 9000
CMD ["shout", "start"]
FROM ubuntu
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update && apt-get -y upgrade && \
apt-get -y install nodejs
RUN npm -g install shout
EXPOSE 9000
CMD ["shout", "start"]
FROM ubuntu
ENV DEBIAN_FRONTEND noninteractive
RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C0A52C50
RUN apt-get update && apt-get -y upgrade && \
apt-get -y install nodejs
RUN npm -g install shout
EXPOSE 9000
CMD ["shout", "start"]
FROM buildpack-deps:jessie
# verify gpg and sha256: http://nodejs.org/dist/v0.10.31/SHASUMS256.txt.asc
# gpg: aka "Timothy J Fontaine (Work) <tj.fontaine@joyent.com>"
# gpg: aka "Julien Gilli <jgilli@fastmail.fm>"
RUN gpg --keyserver pool.sks-keyservers.net --recv-keys \
7937DFD2AB06298B2293C3187D33FF9D0246406D 114F43EE0176B71C7BC219DD50A3051F888C628D
ENV NODE_VERSION 0.10.38
ENV NPM_VERSION 2.7.3
RUN curl -SLO "http://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-x64.tar.gz" \
&& curl -SLO "http://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \
&& gpg --verify SHASUMS256.txt.asc \
&& grep " node-v$NODE_VERSION-linux-x64.tar.gz\$" SHASUMS256.txt.asc | sha256sum -c - \
&& tar -xzf "node-v$NODE_VERSION-linux-x64.tar.gz" -C /usr/local --strip-components=1 \
&& rm "node-v$NODE_VERSION-linux-x64.tar.gz" SHASUMS256.txt.asc \
&& npm install -g npm@"$NPM_VERSION" \
&& npm cache clear
CMD [ "node" ]
$ docker images node
REPOSITORY   TAG      IMAGE ID       CREATED       VIRTUAL SIZE
node         latest   c03077d1e6a0   2 weeks ago   639.7 MB
what do we do?
what DO we do?
demystify how a container is built
enumerate other ways to do it
demonstrate how it's done
LETS STEP
INTO THE
KITCHEN
JULIA CHILD (PUBLIC DOMAIN)
WHO GETS EXCITED ABOUT
TARBALLS
REPEAT
AFTER REDBEARD
A CONTAINER FILESYSTEM
IS JUST A
TARBALL
A CONTAINER FILESYSTEM ISN'T
MAGIC...
IT'S JUST A TARBALL
anything that can
make a tarball
CAN MAKE A CONTAINER
$ mktemp -d
/tmp/tmp.d3NqCJe2yJ
# grab gpg key:
$ curl -s -o /tmp/fedora.asc https://getfedora.org/static/8E1431D5.txt
# trust gpg key (inside the new root, so dnf's gpgcheck applies there):
$ sudo rpm --import --root=/tmp/tmp.d3NqCJe2yJ/ /tmp/fedora.asc
# install packages signed with gpg key (root is needed so file ownership
# and package scriptlets come out right):
$ sudo dnf --installroot=/tmp/tmp.d3NqCJe2yJ --releasever=22 \
install httpd
# pack the tree relative to its own root (docker import accepts gzip):
$ cd /tmp/tmp.d3NqCJe2yJ
$ sudo tar zcvf ../fedora.tar ./
what do i do with this
hunk of junk?
$ cat /tmp/fedora.tar | docker import - fedora *
(* This has been fixed since the presentation. This is the correct syntax)
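Here is the same build-a-tarball-then-import idea with no package manager at all, as an added example that is not part of the slides: copy a couple of host binaries and the shared libraries ldd reports into a directory, tar it, and scan the tarball before handing it to docker import. The function names (mkrootfs, pack_rootfs, audit_rootfs) and the image name `minimal` are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): a container rootfs assembled from host
# binaries plus the libraries they link against, packed as a tarball.
# Function names (mkrootfs, pack_rootfs, audit_rootfs) are this example's own.
set -eu

# mkrootfs ROOT BIN...: copy each BIN and its ldd-reported libraries into ROOT.
# Caveat: glibc's ldd works by running the binary's dynamic loader, so only
# point it at binaries you already trust; never use it to inspect samples.
mkrootfs() {
    root=$1; shift
    mkdir -p "$root/bin" "$root/etc" "$root/tmp" "$root/proc" "$root/dev"
    for bin in "$@"; do
        src=$(command -v "$bin") || { echo "no such binary: $bin" >&2; return 1; }
        cp -L "$src" "$root/bin/$(basename "$src")"
        # Static binaries print "not a dynamic executable"; keeping only
        # absolute paths drops that line and the vdso entry as well.
        if command -v ldd >/dev/null 2>&1; then
            ldd "$src" 2>/dev/null |
            awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
            while read -r lib; do
                mkdir -p "$root$(dirname "$lib")"
                cp -L "$lib" "$root$lib"
            done
        fi
    done
    # Just enough identity for the process to run as uid 0; there are no
    # users to administer, no logins, no shells to configure.
    printf 'root:x:0:0:root:/:/bin/sh\n' > "$root/etc/passwd"
    printf 'root:x:0:\n' > "$root/etc/group"
}

# pack_rootfs ROOT OUT: tar the tree relative to ROOT so entries start with ./
# (run as root if you want the files inside the image owned by uid 0).
pack_rootfs() {
    tar -C "$1" -cf "$2" .
    echo "$2"
}

# audit_rootfs TARBALL: the "easier to audit" point in practice. One listing
# shows everything in the image; anything setuid/setgid gets called out,
# since it has no business in a single-purpose container.
audit_rootfs() {
    tar -tvf "$1" | awk '
        { n++ }
        tolower(substr($1, 4, 1)) == "s" || tolower(substr($1, 7, 1)) == "s" {
            suid++; print "setuid/setgid: " $NF
        }
        END { printf "entries: %d, setuid/setgid: %d\n", n, suid + 0 }'
}

# Demo: a shell-plus-ls image. The work dir is left in place for inspection.
work=$(mktemp -d)
mkrootfs "$work/rootfs" sh ls
tarball=$(pack_rootfs "$work/rootfs" "$work/minimal.tar")
audit_rootfs "$tarball"
echo "next: docker import $tarball minimal && docker run --rm -it minimal /bin/sh"
```

The resulting image has no package manager, no shell history, no users beyond root and nothing listening; what it does contain is enumerable with a single tar -tvf, which is the whole audit story for an image this small.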
is it really
that simple?
YES
really?
YES
IT IS REALLY
THAT SIMPLE
<demo>
</demo>
Don't I need a
Dockerfile?
NO
But I'll humor you....
$ cat Dockerfile
FROM fedora
CMD ["/bin/bash"]
<demo>
</demo>
And there are a LOT of
tools to do similar
processes...
yum
dnf
debootstrap
buildroot
alpine
gentoo
time for a PSA...
Are you.....
Utilizing framebuffers?
running a window
manager?
Administering users?
Logging in?
Editing files?
these are the purview of
general purpose
computing
http://buildroot.org
BUILDROOT IS AN SDK FOR BUILDING
MINIMAL
LINUX DISTROS
<demo>
</demo>
Agnostic
Works with Docker, rkt, and others.
The idea is to be able to build this through a continuous integration
system like Buildbot, Jenkins, etc
Signing
Possible through gpg today, with mechanisms for confirmed
signing.
Able to be automated by using gpg-agent to handle safe caching
of credentials.
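What "possible through gpg today" looks like, as an added example that is not part of the slides: a detached signature over the image tarball, verified before docker import runs, with a tampered copy shown to fail. The functions (sign_tarball, verify_tarball, throwaway_key) and the throwaway key's user-id are this example's own; the stand-in "tarball" is a constructed file, and in CI the same two gpg commands would run against a real signing key held by gpg-agent.

```shell
#!/bin/sh
# Added example (not from the slides): sign and verify an image tarball with
# gpg. Function names are this example's own; the key is a throwaway.
set -eu

# sign_tarball TARBALL: write TARBALL.asc, an ASCII-armoured detached signature.
sign_tarball() {
    gpg --batch --yes --armor --detach-sign --output "$1.asc" "$1"
    echo "$1.asc"
}

# verify_tarball TARBALL: succeed only if TARBALL.asc is a good signature over
# TARBALL by a key in the keyring. docker import does no verification of its
# own, so this is the gate that has to sit in front of it.
verify_tarball() {
    gpg --batch --verify "$1.asc" "$1" 2>/dev/null
}

# throwaway_key: unprotected signing key in a fresh GNUPGHOME, demo only.
# A real pipeline points GNUPGHOME at a keyring whose secret key gpg-agent
# unlocks once and caches, which is the automation the slide refers to.
throwaway_key() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'build bot <build@example.invalid>' default default never 2>/dev/null
}

if command -v gpg >/dev/null 2>&1; then
    throwaway_key
    tarball=$(mktemp)
    printf 'not really a rootfs\n' > "$tarball"   # constructed stand-in for fedora.tar
    sign_tarball "$tarball" >/dev/null
    verify_tarball "$tarball" && echo "signature OK: $tarball"
    # One appended byte is enough to close the gate.
    printf 'x' >> "$tarball"
    verify_tarball "$tarball" && echo "BUG: tampered file verified" || echo "tampered file rejected"
else
    echo "gpg not installed; nothing to demonstrate" >&2
fi
```

The import step then becomes `verify_tarball fedora.tar && docker import fedora.tar fedora`, so an unsigned or modified tarball never becomes an image.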
QUESTIONS?