Images

Build Process

This section provides an overview of how the container images used by Atmosphere are built. Understanding this process is crucial for maintaining and customizing the images for your specific needs.

Multi-Stage Builds

The images are built using a multi-stage build process. This means that all build-time dependencies are included only in the intermediate stages and are not present in the final runtime images.

Benefits

The multi-stage build process offers several benefits which improve the efficiency, security, and performance of the images.

Smaller Image Size

By excluding build-time dependencies, the final images are significantly smaller. This reduction in size offers several advantages.

First, it leads to more efficient storage usage, as smaller images consume less disk space, making it easier to manage and store multiple images. Additionally, the reduced image size results in faster download times when pulling images from a container registry, thereby speeding up deployment times.

Furthermore, smaller images require less network bandwidth, which can be beneficial in environments with limited network resources.

Enhanced Security

Reducing the number of packages and dependencies in the final image decreases the attack surface, thereby enhancing security. With only essential runtime dependencies included, the opportunities for attackers to exploit vulnerabilities are significantly reduced, leading to minimized exposure.

Moreover, a smaller set of packages simplifies auditing, making it easier to ensure that all components are secure and up-to-date. Additionally, fewer dependencies mean fewer updates and patches, which simplifies the maintenance process and reduces the risk of introducing new vulnerabilities.

Improved Performance

Smaller images lead to faster deployment times and lower resource consumption, which improves overall system performance. Containers based on smaller images start up more quickly, enhancing the responsiveness of applications and services.

Reduced resource consumption translates to lower memory and CPU usage, allowing more efficient utilization of system resources. Furthermore, faster deployment and efficient resource use enable better scalability, allowing the system to handle increased loads more effectively.

Example

The openstack-venv-builder image is used to build a virtual environment with all of the Python dependencies required by the OpenStack services. It also contains a modified version of the upper-constraints.txt file, which has many of the dependencies pinned to specific versions and modified to avoid security vulnerabilities.

images/openstack-venv-builder/Dockerfile
# SPDX-License-Identifier: Apache-2.0
# Atmosphere-Rebuild-Time: 2024-06-25T22:49:25Z

ARG RELEASE

FROM harbor.atmosphere.dev/library/ubuntu-cloud-archive:${RELEASE} AS requirements
ARG REQUIREMENTS_GIT_REF=18098b9abacbd8d7257bebc1b302294f634441ab
ADD --keep-git-dir=true https://opendev.org/openstack/requirements.git#${REQUIREMENTS_GIT_REF} /src/requirements
RUN cp /src/requirements/upper-constraints.txt /upper-constraints.txt
RUN <<EOF sh -xe
sed -i '/glance-store/d' /upper-constraints.txt
sed -i '/horizon/d' /upper-constraints.txt
EOF

FROM harbor.atmosphere.dev/library/python-base:${RELEASE}
RUN <<EOF bash -xe
apt-get update -qq
apt-get install -qq -y --no-install-recommends \
    build-essential \
    git \
    libldap2-dev \
    libpcre3-dev \
    libsasl2-dev \
    libssl-dev \
    lsb-release \
    openssh-client \
    python3 \
    python3-dev \
    python3-pip \
    python3-venv
apt-get clean
rm -rf /var/lib/apt/lists/*
EOF
RUN python3 -m venv --upgrade-deps --system-site-packages /var/lib/openstack
COPY --from=requirements --link /upper-constraints.txt /upper-constraints.txt
RUN pip3 install \
    --constraint /upper-constraints.txt \
        cryptography \
        pymysql \
        python-binary-memcached \
        python-memcached \
        uwsgi

In addition to that image, the openstack-python-runtime image is a stripped down base image as a run-time for OpenStack services with no installed packages than the base Ubuntu image.

images/openstack-runtime/Dockerfile
# SPDX-License-Identifier: Apache-2.0
# Atmosphere-Rebuild-Time: 2024-06-25T22:49:25Z

ARG RELEASE

ARG FROM=harbor.atmosphere.dev/library/ubuntu-cloud-archive:${RELEASE}
FROM ${FROM}
ONBUILD ARG PROJECT
ONBUILD ARG SHELL=/usr/sbin/nologin
ONBUILD RUN \
    groupadd -g 42424 ${PROJECT} && \
    useradd -u 42424 -g 42424 -M -d /var/lib/${PROJECT} -s ${SHELL} -c "${PROJECT} User" ${PROJECT} && \
    mkdir -p /etc/${PROJECT} /var/log/${PROJECT} /var/lib/${PROJECT} /var/cache/${PROJECT} && \
    chown -Rv ${PROJECT}:${PROJECT} /etc/${PROJECT} /var/log/${PROJECT} /var/lib/${PROJECT} /var/cache/${PROJECT}

With the openstack-venv-builder & openstack-python-runtime the image for a project such as OpenStack Nova can be built using the following Dockerfile.

This Dockerfile uses the openstack-venv-builder image to build the virtual environment and then copies the virtual environment into the final image based on the openstack-python-runtime image. With this, it has no other build-time dependencies and only the runtime dependencies required for the OpenStack Nova service.

images/nova/Dockerfile
# SPDX-License-Identifier: Apache-2.0
# Atmosphere-Rebuild-Time: 2024-12-17T01:27:44Z

ARG RELEASE

FROM harbor.atmosphere.dev/library/openstack-venv-builder:${RELEASE} AS build
ARG NOVA_GIT_REF=c199becf52267ba37c5191f6f82e29bb5232b607
ADD --keep-git-dir=true https://opendev.org/openstack/nova.git#${NOVA_GIT_REF} /src/nova
RUN git -C /src/nova fetch --unshallow
COPY patches/nova /patches/nova
RUN git -C /src/nova apply --verbose /patches/nova/*
ARG SCHEDULER_FILTERS_GIT_REF=77ed1c2ca70f4166a6d0995c7d3d90822f0ca6c0
ADD --keep-git-dir=true https://github.com/vexxhost/nova-scheduler-filters.git#${SCHEDULER_FILTERS_GIT_REF} /src/nova-scheduler-filters
RUN git -C /src/nova-scheduler-filters fetch --unshallow
RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private <<EOF bash -xe
pip3 install \
    --constraint /upper-constraints.txt \
        /src/nova \
        /src/nova-scheduler-filters \
        python-ironicclient \
        storpool \
        storpool.spopenstack
EOF
ADD --chmod=644 \
    https://github.com/storpool/storpool-openstack-integration/raw/master/drivers/os_brick/openstack/bobcat/storpool.py \
    /var/lib/openstack/lib/python3.10/site-packages/os_brick/initiator/connectors/storpool.py

FROM harbor.atmosphere.dev/library/openstack-python-runtime:${RELEASE}
ADD https://github.com/novnc/noVNC.git#v1.4.0 /usr/share/novnc
RUN <<EOF bash -xe
apt-get update -qq
apt-get install -qq -y --no-install-recommends \
    ceph-common genisoimage iproute2 libosinfo-bin lsscsi ndctl nfs-common nvme-cli openssh-client ovmf python3-libvirt python3-rados python3-rbd qemu-efi-aarch64 qemu-block-extra qemu-utils sysfsutils udev util-linux swtpm swtpm-tools libtpms0
apt-get clean
rm -rf /var/lib/apt/lists/*
EOF
COPY --from=build --link /var/lib/openstack /var/lib/openstack