Over a million developers have joined DZone.

Docker image_build Module: Features for the Power User

With Puppet's new image_build module, building images directly from Puppet code is a snap! This article looks at features that may be of interest to more advanced users.

· DevOps Zone

The DevOps Zone is brought to you in partnership with Sonatype Nexus. The Nexus Suite helps scale your DevOps delivery with continuous component intelligence integrated into development tools, including Eclipse, IntelliJ, Jenkins, Bamboo, SonarQube and more. Schedule a demo today

As mentioned in last week's blog post, Building Docker images with Puppet, the new image_build module allows for building images, including Docker images, directly from Puppet code. The first post introduces the tool and provides a simple hello-world example; this post aims to demonstrate some of the more powerful or experimental features.

Reducing Image Size

In the examples we’ve seen so far, the resulting image will contain the Puppet tooling used to build them, which can make the images quite large. In reality, the layers containing Puppet and related tooling are likely to be shared between multiple images, but for those striving for ever-smaller images, even this might not be enough.

$ docker images | grep puppet/nginx
puppet/nginx    latest    08dd650f39ac    3 weeks ago    282.3 MB

Luckily, it’s possible to remove the Puppet build tools from the image during the build and make sure they are not in any of the layers either, using an alternative builder. The image_build module supports using the Rocker build tool in place of the standard Docker build command. The Rocker output provides a little more detail about the build process, and also allows for mounting folders at build time, which can minimize the size of the resulting image. With Rocker installed, simply pass the --rocker flag when building:

puppet docker build --rocker

With this builder, the resulting image is much smaller — in this particular case, by 95MB (approximately 33%). It’s worth noting that the base image in use here is 126MB, too, with the remaining 60MB being Nginx, its dependencies, and configuration (i.e., the things you care about anyway).

$ docker images | grep puppet/nginx
puppet/nginx    latest    0f2ed65769f8    26 seconds ago      186.7 MB

What’s in the Container?

A question that often arises with a move to containers is, "How do you know what’s inside a running container?" Treating containers as black boxes allows for some of the power of common abstractions (like scheduling and consistent deployment tooling), but running black boxes in production can lead to extremely brittle production systems. For instance, from the outside of a container, how can you tell which operating system is in there? Or, more specifically, which version of a particular library is present?

The images built using the image_build tool expose some of this information at a standard place, as a JSON file stored at /inventory.json. This inventory file contains a list of all the packages, as well as users and other information in the image. This is just raw information at the moment, but you can easily query it with something like jq. As an example, let’s run a version of our puppet/nginx image from the first post and then use docker exec to read the inventory file. We’ll then use jq to do a quick search for package names related to libssl.

$ docker run -d --name webserver puppet/nginx
$ docker exec webserver cat /inventory.json | jq '.resources' | jq 'map(select(.title | contains("libssl")))'
[
  {
    "title": "libssl1.0.0",
    "resource": "package",
    "provider": "apt",
    "versions": [
      "1.0.2g-1ubuntu4.5"
    ]
]

Another example might be finding out which operating system a container is running in a standard way.

$ docker exec webserver cat /inventory.json | jq '.facts.operatingsystem’
"Debian"

This functionality is available due to integration with the Puppet Inventory module. This isn’t specific to containers, but it’s particularly useful here and is another great reason to build your images using image_build.

Passing Arguments to Docker Build

Docker build supports a range of options for affecting various properties of the build process, like limiting builds to specific memory or CPUs, enabling image verification, specifying ulimits and more. All of these options are also available for the puppet docker build command. You can see them all in the available help page with puppet docker build --help.

--cgroup-parent STRING         - cgroup-parent argument passed to underlying
                               build tool
--cpu-period INT               - cpu-period argument passed to underlying
                               build tool
--cpu-quota   INT              - cpu-quota argument passed to underlying build
                               tool
--cpu-shares INT               - cpu-shares argument passed to underlying
                               build tool
--cpuset-cpus STRING           - cpuset-cpus argument passed to underlying
                               build tool
--cpuset-mems STRING           - cpuset-mems argument passed to underlying
                               build tool
--disable-content-trust        - disable-content-trust argument passed to
                               underlying build tool

With all these commands available, the user interface for puppet docker build should (hopefully) be familiar to users of the standard docker build tools.

Feedback

These are just a few of the features of image_build. You can print the entire manual page with all the available options using the standard built-in command:

puppet man docker

Let us know in the comments of any other ideas you might have for other features, too. The module is released under an open source license and available on GitHub, so if you’d like to contribute features, please do submit pull requests there as well.

Gareth Rushgrove is a senior software engineer at Puppet.

The DevOps Zone is brought to you in partnership with Sonatype Nexus. Use the Nexus Suite to automate your software supply chain and ensure you're using the highest quality open source components at every step of the development lifecycle. Get Nexus today

Topics:
docker ,devops ,puppet ,image building

Published at DZone with permission of Gareth Rushgrove, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

The best of DZone straight to your inbox.

SEE AN EXAMPLE
Please provide a valid email address.

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.
Subscribe

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}