2015-07-29 16:07:51 +02:00
# Package-Centric Source-Based Container Build System
2015-07-29 18:03:35 +02:00
## Motivation
2015-07-29 16:07:51 +02:00
* There's no standardized way to create container images that include
applications built from upstream sources.
2015-07-29 18:03:35 +02:00
* No standardized way to share artifacts for containers instead of whole
containers
2015-07-29 17:39:40 +02:00
* Application dependencies, which are mostly libraries, are typically
2015-07-29 16:07:51 +02:00
neglected when calculating container dependencies. This causes not knowing
what libraries are installed
2015-07-29 17:57:17 +02:00
## Features
2015-07-29 09:55:55 -07:00
### Package-based container builds
2015-07-29 17:39:40 +02:00
This project aims to find a solution for creating and managing containers in a package-centric manner.
2015-07-29 09:55:55 -07:00
In this context a package is both a definition of how to build (e.g. a Gentoo ebuild or Debian control file)
2015-07-29 17:39:40 +02:00
Every container will be able to specify their dependencies, which can be self-built packages or exact versions of already existing packages.
2015-07-29 09:55:55 -07:00
Like this the user will always exactly know what libraries, files, etc. is available to their container at runtime.
The specified container will have its dependencies on packages which themselves can be packaged separately into one container per package.
2015-07-29 17:39:40 +02:00
2015-07-29 17:57:17 +02:00
### Source-based builds
2015-07-29 09:55:55 -07:00
To allow maximum flexibility for users, the package files must be able to describe source builds, which allows the user to make changes to the source before the package is built and integrated into the target container image.
2015-07-29 17:39:40 +02:00
2015-07-29 17:57:17 +02:00
### Reproducibility
2015-07-29 17:39:40 +02:00
Builds of packages, as well as builds of container images, must be reproducible in a way that the same input always yields the same output.
Because every change of a package yields in a different identity, the system allows to have multiple versions of one software application.
These can differ in properties like source code patches, build configuration options, target architecture, etc..
2015-07-29 17:57:58 +02:00
### Portability of the whole system
2015-07-29 09:55:55 -07:00
As a portable system, builds can be processed locally on a user's workstation or distributed to a bunch of servers.
2015-07-29 17:39:40 +02:00
2015-07-29 17:57:17 +02:00
### Shareable source and binary files
2015-07-29 17:39:40 +02:00
The build system will ship tools that make it easy to discover and share source and binary files that are respectively consumed and produced by the build system.
This will allow for very fast setups of containers that involve only downloading from trusted repositories.
2015-07-29 16:07:51 +02:00
# Usage
## Buildit configuration
2015-07-29 09:55:55 -07:00
**.buildit-config.yaml**
2015-07-29 16:07:51 +02:00
```
---
repository:
name: mysuperbinhost
upload-type: ssh
upload-path: containers@mysuperbinhost .org/containers
2015-07-29 09:55:55 -07:00
download-type: https
2015-07-29 16:07:51 +02:00
download-path: mysuperbinhost.org/containers
```
## Sysadmin needs patched nginx
### Sysadmin
2015-07-29 09:55:55 -07:00
In case a sysadmin needs a patched and specifically configured version of its favorite webserver nginx.
2015-07-29 16:07:51 +02:00
1. Put directories and files in place
2015-07-29 16:09:32 +02:00
---
2015-07-29 16:07:51 +02:00
Directory layout
```
├── nginx-prod
│ ├── container.yaml
│ ├── files
│ │ └── nginx.conf
│ └── pkgs
│ └── nginx
│ ├── patches
│ │ └── https-only.patch
│ └── pkg.yaml
```
2015-07-29 16:09:32 +02:00
---
2015-07-29 16:07:51 +02:00
**pkg.yaml**
```
---
base: www-servers/nginx-1.7.6
author: Sysadmin42 < sys @admin42 .org >
patches:
patches/https-only.patch: "This patch denies all plain http requests"
https://github.com/nginx/nginx/commit/52e4dc2f74fd032dace01acbe5eb29ddf7c1ad96.patch:
"Fix buffer overruns"
use:
with:
- ipv6
- selinux
```
2015-07-29 16:09:32 +02:00
---
2015-07-29 16:07:51 +02:00
**container.yaml**
```
---
- vars:
author: Sysadmin42
name: nginx-production
version: 1.7.6-p1
os: linux
arch: amd64
- package:
type: embedded
path: ./pkgs/nginx
- sync:
src: ./files/nginx.conf
dest: /etc/nginx/nginx.conf
recursive: True
chmod: 0644
- image:
type: aci
content: |
{
"acKind": "ImageManifest",
"acVersion": "0.6.1",
"name": "{{ name }}-{{ version }}",
"labels": [
{"name": "os", "value": "{{ os }}"},
2015-07-29 09:55:55 -07:00
{"name": "arch", "value": "{{ arch }}"}
2015-07-29 16:07:51 +02:00
],
"app": {
"exec": [
"/sbin/nginx"
],
"user": "0",
"group": "0"
}
}
```
2. Build the container
```
2015-07-29 16:19:23 +02:00
$ buildit nginx-prod/ --discover=github.com/sysadmin42/containers,push=True
2015-07-29 16:07:51 +02:00
Building Sysadmin42/nginx-production-1.7.6-p1
2015-07-29 16:15:32 +02:00
Processing package from './pkgs/nginx' for linux/amd64.
HASH: 86c8ef43-f4a4-49ba-a0ee-92900211c7b6
2015-07-29 16:19:23 +02:00
Can't find HASH in any known location...
Defaulting to local build... [OK]
Uploading packages to 'mysuperbinhost' [OK]
Packaging Sysadmin42/nginx-production-1.7.6-p1 as ACI... [OK]
Uploading container spec and image(s) to 'mysuperbinhost' [OK]
2015-07-29 16:07:51 +02:00
```
2015-07-29 17:39:40 +02:00
# Implementation
2015-07-29 18:02:25 +02:00
## Resources
### CoreOS related tools
* https://github.com/derekchiang/acbuild
* https://github.com/coreos/manifest
### Similar Projects
* Previous work of mine: https://embedux.github.io/documentation/usage/rootfs/configuration.yml/index.html
### Operating Systems and Package managers
2015-07-29 17:39:40 +02:00
* http://nixos.org/nixos/about.html
* https://gitweb.gentoo.org/proj/releng.git/tree/releases/weekly/specs/amd64?id=HEAD
* https://github.com/zefhemel/nix-docker
2015-07-29 09:55:55 -07:00
* [nix build farm
2015-07-29 17:39:40 +02:00
paper](http://www.researchgate.net/publication/228629017_The_Nix_Build_Farm_A_declarative_approach_to_continuous_integration)
2015-07-29 17:42:57 +02:00
* https://blogs.gentoo.org/zmedico/2015/07/06/tardelta-generate-a-tarball-of-differences-between-two-tarballs/
2015-07-29 18:02:25 +02:00
* https://github.com/jordansissel/fpm/wiki
2016-08-09 18:37:09 +02:00
## Outlook
The completion of the described container build system will benefit greatly to how container images can be shared and deployed.
### Trusted Containers by reproducibility
Trusting container images has been hard. Being able to reproduce and verify the builds improves this.
### Obsolete Container-Vulnerabilities Scans
Vulnerabilities scans are only necessary if it's unknown what the container image contains. With the new build system the build specification allows to inspect the included container images much more efficiently. Image vendors can directly track contained packages and their CVEs instead of relying on posteriori scans.
### Automatic Container Updates
When identified, regular and security updates to 3rd party packages can trigger rebuilds as well as changed source files of 1st party applications. The update circle can be closed by automatically deploying new containers triggered by the updated images.
Complete automation might be difficult in real-world deployments because software updates sometimes require configuration changes.
