Images

Build Process

This section provides an overview of how the container images used by Atmosphere are built. Understanding this process is crucial for maintaining and customizing the images for your specific needs.

Multi-Stage Builds

The images are built using a multi-stage build process. This means that all build-time dependencies are included only in the intermediate stages and are not present in the final runtime images.

Benefits

The multi-stage build process offers several benefits which improve the efficiency, security, and performance of the images.

Smaller Image Size

By excluding build-time dependencies, the final images are significantly smaller. This reduction in size offers several advantages.

First, it leads to more efficient storage usage, as smaller images consume less disk space, making it easier to manage and store multiple images. Additionally, the reduced image size results in faster download times when pulling images from a container registry, thereby speeding up deployment times.

Furthermore, smaller images require less network bandwidth, which can be beneficial in environments with limited network resources.

Enhanced Security

Reducing the number of packages and dependencies in the final image decreases the attack surface, thereby enhancing security. With only essential runtime dependencies included, the opportunities for attackers to exploit vulnerabilities are significantly reduced, leading to minimized exposure.

Moreover, a smaller set of packages simplifies auditing, making it easier to ensure that all components are secure and up-to-date. Additionally, fewer dependencies mean fewer updates and patches, which simplifies the maintenance process and reduces the risk of introducing new vulnerabilities.

Improved Performance

Smaller images lead to faster deployment times and lower resource consumption, which improves overall system performance. Containers based on smaller images start up more quickly, enhancing the responsiveness of applications and services.

Reduced resource consumption translates to lower memory and CPU usage, allowing more efficient utilization of system resources. Furthermore, faster deployment and efficient resource use enable better scalability, allowing the system to handle increased loads more effectively.

Example

The openstack-venv-builder image is used to build a virtual environment with all of the Python dependencies required by the OpenStack services. It also contains a modified version of the upper-constraints.txt file, which pins many of the dependencies to specific versions and has been modified to avoid security vulnerabilities.

images/openstack-venv-builder/Dockerfile
# SPDX-License-Identifier: Apache-2.0
# Atmosphere-Rebuild-Time: 2024-06-25T22:49:25Z

ARG RELEASE

FROM registry.atmosphere.dev/library/ubuntu-cloud-archive:${RELEASE} AS requirements
ARG REQUIREMENTS_GIT_REF=18098b9abacbd8d7257bebc1b302294f634441ab
ADD --keep-git-dir=true https://opendev.org/openstack/requirements.git#${REQUIREMENTS_GIT_REF} /src/requirements
RUN cp /src/requirements/upper-constraints.txt /upper-constraints.txt
RUN <<EOF sh -xe
sed -i '/glance-store/d' /upper-constraints.txt
sed -i '/horizon/d' /upper-constraints.txt
EOF

FROM registry.atmosphere.dev/library/python-base:${RELEASE}
RUN <<EOF bash -xe
apt-get update -qq
apt-get install -qq -y --no-install-recommends \
    build-essential \
    git \
    libldap2-dev \
    libpcre3-dev \
    libsasl2-dev \
    libssl-dev \
    lsb-release \
    openssh-client \
    python3 \
    python3-dev \
    python3-pip \
    python3-venv
apt-get clean
rm -rf /var/lib/apt/lists/*
EOF
RUN python3 -m venv --upgrade-deps --system-site-packages /var/lib/openstack
COPY --from=requirements --link /upper-constraints.txt /upper-constraints.txt
RUN pip3 install \
    --constraint /upper-constraints.txt \
        cryptography \
        pymysql \
        python-binary-memcached \
        python-memcached \
        uwsgi

In addition to that image, the openstack-python-runtime image is a stripped-down base image that serves as the runtime for OpenStack services, with no packages installed beyond those in the base Ubuntu image.

images/openstack-runtime/Dockerfile
# SPDX-License-Identifier: Apache-2.0
# Atmosphere-Rebuild-Time: 2024-06-25T22:49:25Z

ARG RELEASE

ARG FROM=registry.atmosphere.dev/library/ubuntu-cloud-archive:${RELEASE}
FROM ${FROM}
ONBUILD ARG PROJECT
ONBUILD ARG SHELL=/usr/sbin/nologin
ONBUILD RUN \
    groupadd -g 42424 ${PROJECT} && \
    useradd -u 42424 -g 42424 -M -d /var/lib/${PROJECT} -s ${SHELL} -c "${PROJECT} User" ${PROJECT} && \
    mkdir -p /etc/${PROJECT} /var/log/${PROJECT} /var/lib/${PROJECT} /var/cache/${PROJECT} && \
    chown -Rv ${PROJECT}:${PROJECT} /etc/${PROJECT} /var/log/${PROJECT} /var/lib/${PROJECT} /var/cache/${PROJECT}

With the openstack-venv-builder and openstack-python-runtime images, the image for a project such as OpenStack Nova can be built using the following Dockerfile.

This Dockerfile uses the openstack-venv-builder image to build the virtual environment and then copies that virtual environment into the final image, which is based on the openstack-python-runtime image. As a result, the final image carries no build-time dependencies, only the runtime dependencies required by the OpenStack Nova service.

images/nova/Dockerfile
# SPDX-License-Identifier: Apache-2.0
# Atmosphere-Rebuild-Time: 2024-06-25T22:49:25Z

ARG RELEASE

FROM registry.atmosphere.dev/library/openstack-venv-builder:${RELEASE} AS build
ARG NOVA_GIT_REF=c199becf52267ba37c5191f6f82e29bb5232b607
ADD --keep-git-dir=true https://opendev.org/openstack/nova.git#${NOVA_GIT_REF} /src/nova
RUN git -C /src/nova fetch --unshallow
COPY patches/nova /patches/nova
RUN git -C /src/nova apply --verbose /patches/nova/*
ARG SCHEDULER_FILTERS_GIT_REF=eb17f39c68606cca7ec68bf3e40d58e0954326ee
ADD --keep-git-dir=true https://github.com/vexxhost/nova-scheduler-filters.git#${SCHEDULER_FILTERS_GIT_REF} /src/nova-scheduler-filters
RUN git -C /src/nova-scheduler-filters fetch --unshallow
RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private <<EOF bash -xe
pip3 install \
    --constraint /upper-constraints.txt \
        /src/nova \
        /src/nova-scheduler-filters \
        python-ironicclient \
        storpool \
        storpool.spopenstack
EOF
ADD --chmod=644 \
    https://github.com/storpool/storpool-openstack-integration/raw/master/drivers/os_brick/openstack/bobcat/storpool.py \
    /var/lib/openstack/lib/python3.10/site-packages/os_brick/initiator/connectors/storpool.py

FROM registry.atmosphere.dev/library/openstack-python-runtime:${RELEASE}
ADD https://github.com/novnc/noVNC.git#v1.4.0 /usr/share/novnc
RUN <<EOF bash -xe
apt-get update -qq
apt-get install -qq -y --no-install-recommends \
    ceph-common genisoimage iproute2 libosinfo-bin lsscsi ndctl nvme-cli openssh-client ovmf python3-libvirt python3-rados python3-rbd qemu-efi-aarch64 qemu-block-extra qemu-utils sysfsutils udev util-linux swtpm swtpm-tools libtpms0
apt-get clean
rm -rf /var/lib/apt/lists/*
EOF
COPY --from=build --link /var/lib/openstack /var/lib/openstack
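The property described under Multi-Stage Builds and illustrated by the Nova Dockerfile above, that build tooling lives only in the builder stage and the final stage merely copies the finished virtual environment, can be checked mechanically before an image is published. The following is an added example, not part of the Atmosphere project: a Python script that splits a Dockerfile into its stages (folding RUN heredocs and backslash continuations), lists the build-only packages the final stage installs, and records which earlier stages it copies from. The two Dockerfile texts, the registry.example.invalid registry and the BUILD_ONLY_PACKAGES list (taken from what the venv-builder installs) are assumptions constructed for the example.

```python
"""Static check that a multi-stage Dockerfile keeps build tooling out of its
final stage.  Added example, not part of the Atmosphere project; the
Dockerfile texts below are constructed to resemble the images on this page
and use a placeholder registry."""
import re

# Packages the venv-builder stage installs that have no place in a runtime
# image (assumption: a starting point derived from the builder Dockerfile,
# not an Atmosphere policy).
BUILD_ONLY_PACKAGES = {
    "build-essential", "git", "libldap2-dev", "libpcre3-dev", "libsasl2-dev",
    "libssl-dev", "python3-dev", "python3-pip",
}

HEREDOC_RE = re.compile(r"<<-?['\"]?(\w+)['\"]?")
FROM_RE = re.compile(r"FROM\s+(\S+)(?:\s+AS\s+(\S+))?", re.I)
APT_INSTALL_RE = re.compile(r"apt-get\s+install\s+([^&;\n]+)")
COPY_FROM_RE = re.compile(r"COPY\s+.*--from=(\S+)", re.I)


def parse_stages(dockerfile):
    """Split a Dockerfile into stages: dicts with the stage name (the AS
    alias, or stageN when unnamed), its base image and its instructions.
    Backslash continuations and `RUN <<EOF ... EOF` heredocs are folded into
    one instruction string each."""
    stages, current = [], None
    lines = dockerfile.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("#"):
            continue
        while line.endswith("\\") and i < len(lines):   # fold continuations
            line = line[:-1].rstrip() + " " + lines[i].strip()
            i += 1
        m = HEREDOC_RE.search(line)
        if m and line.upper().startswith(("RUN", "COPY", "ADD")):
            body = []                                     # collect heredoc body
            while i < len(lines) and lines[i].strip() != m.group(1):
                body.append(lines[i].strip())
                i += 1
            i += 1                                        # skip the delimiter
            body_text = re.sub(r"\\\n\s*", " ", "\n".join(body))
            line = line + "\n" + body_text
        fm = FROM_RE.match(line)
        if fm:
            current = {"name": fm.group(2) or f"stage{len(stages)}",
                       "base": fm.group(1), "instructions": []}
            stages.append(current)
        elif current is not None:
            current["instructions"].append(line)
    return stages


def apt_packages(instruction):
    """Package names requested by any `apt-get install` in the instruction."""
    pkgs = set()
    for m in APT_INSTALL_RE.finditer(instruction):
        pkgs.update(t for t in m.group(1).split() if not t.startswith("-"))
    return pkgs


def check_final_stage(dockerfile):
    """Report which build-only packages the final stage installs and which
    earlier stages it copies artifacts from.  An empty package list plus a
    non-empty copies_from is the shape a multi-stage image should have."""
    stages = parse_stages(dockerfile)
    final = stages[-1]
    offending, copied_from = set(), []
    for ins in final["instructions"]:
        offending |= apt_packages(ins) & BUILD_ONLY_PACKAGES
        cm = COPY_FROM_RE.match(ins)
        if cm:
            copied_from.append(cm.group(1))
    return {
        "stages": [s["name"] for s in stages],
        "final_stage_build_packages": sorted(offending),
        "copies_from": copied_from,
    }


# Constructed two-stage Dockerfile in the shape of images/nova/Dockerfile.
GOOD_DOCKERFILE = """\
# SPDX-License-Identifier: Apache-2.0
ARG RELEASE

FROM registry.example.invalid/library/openstack-venv-builder:${RELEASE} AS build
RUN <<EOF bash -xe
pip3 install \\
    --constraint /upper-constraints.txt \\
        /src/nova
EOF

FROM registry.example.invalid/library/openstack-python-runtime:${RELEASE}
RUN <<EOF bash -xe
apt-get update -qq
apt-get install -qq -y --no-install-recommends \\
    ceph-common qemu-utils
apt-get clean
rm -rf /var/lib/apt/lists/*
EOF
COPY --from=build --link /var/lib/openstack /var/lib/openstack
"""

# Constructed single-stage Dockerfile that ships its compiler and git.
BAD_DOCKERFILE = """\
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y build-essential git python3-dev python3-pip \\
    && pip3 install nova
"""

if __name__ == "__main__":
    for label, df in (("good", GOOD_DOCKERFILE), ("bad", BAD_DOCKERFILE)):
        print(label, check_final_stage(df))
```

For the two-stage sample the report lists no build-only packages in the final stage and one COPY --from=build; for the single-stage sample it lists build-essential, git, python3-dev and python3-pip, which is exactly the tooling the multi-stage layout keeps out of the runtime image. The check is static, so it complements rather than replaces inspecting the built image.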