
Package-Centric Source-Based Container Build System

Why?

  • There's no standardized way to create container images that include applications built from upstream sources.
  • Application dependencies, which are typically libraries, are usually neglected when calculating container dependencies, so it is not known which libraries are installed.
  • Ad-hoc source builds are time-consuming

What for?

  • Fast source builds with lots of packages available
  • Ad-Hoc source builds if required but defaulting to binary repository
  • Reproducible and shareable builds
  • Customized Source configuration flags
  • Container dependencies reflect dependencies of container applications
  • Easy assembling and configuring of containers based on application packages
  • Integrable with CI
  • Portable

How?

Like what?

Usage

Buildit configuration

.buildit-config.yaml

---
repository:
    name: mysuperbinhost
    upload-type: ssh
    upload-path: containers@mysuperbinhost.org/containers
    download-type: https
    download-path: mysuperbinhost.org/containers

Sysadmin needs patched nginx

Sysadmin

A sysadmin needs a patched and specifically configured version of their favorite web server, nginx.

  1. Put directories and files in place


    Directory layout

    ├── nginx-prod
    │   ├── container.yaml
    │   ├── files
    │   │   └── nginx.conf
    │   └── pkgs
    │       └── nginx
    │           ├── patches
    │           │   └── https-only.patch
    │           └── pkg.yaml
    

    pkg.yaml

    ---
    base: www-servers/nginx-1.7.6
    author: Sysadmin42 <sys@admin42.org>
    patches:
        patches/https-only.patch: "This patch denies all plain http requests"
        https://github.com/nginx/nginx/commit/52e4dc2f74fd032dace01acbe5eb29ddf7c1ad96.patch: "Fix buffer overruns"
    use:
        with:
            - ipv6
            - selinux
    
    

    container.yaml

    ---
    - vars:
        author: Sysadmin42
        name: nginx-production
        version: 1.7.6-p1
        os: linux
        arch: amd64
    
    - package:
        type: embedded
        path: ./pkgs/nginx
    
    - sync:
        src: ./files/nginx.conf
        dest: /etc/nginx/nginx.conf
        recursive: True
        chmod: 0644
    
    - image:
        type: aci
        content: |
            {
                "acKind": "ImageManifest",
                "acVersion": "0.6.1",
                "name": "{{ name }}-{{ version }}",
                "labels": [
                    {"name": "os", "value": "{{ os }}"},
                    {"name": "arch", "value": "{{ arch }}"}
                ],
                "app": {
                    "exec": [
                        "/sbin/nginx"
                    ],
                    "user": "0",
                    "group": "0"
                }
            }
    
  2. Build the container

    $ buildit nginx-prod/ --discover=github.com/sysadmin42/containers,push=True
    Building Sysadmin42/nginx-production-1.7.6-p1
    Processing package from './pkgs/nginx' for linux/amd64.
        HASH: 86c8ef43-f4a4-49ba-a0ee-92900211c7b6
        Can't find HASH in any known location...
        Defaulting to local build...                                           [OK]
        Uploading packages to 'mysuperbinhost'                                 [OK]
    Packaging Sysadmin42/nginx-production-1.7.6-p1 as ACI...                   [OK]
    Uploading container spec and image(s) to 'mysuperbinhost'                  [OK]
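
A pre-build check for the `image` manifest template in container.yaml, as an added example that is not part of buildit or of the original README: it renders the `{{ var }}` placeholders, confirms the result is valid JSON with the fields used above, and flags an app that runs as user or group 0. The substitution rule, the function names `render` and `lint_manifest`, and the choice of checks are assumptions; buildit's own template engine is not specified here.

```python
import json
import re

# Constructed sample: the vars and manifest template as in container.yaml above.
VARS = {"name": "nginx-production", "version": "1.7.6-p1", "os": "linux", "arch": "amd64"}
TEMPLATE = """{
    "acKind": "ImageManifest",
    "acVersion": "0.6.1",
    "name": "{{ name }}-{{ version }}",
    "labels": [
        {"name": "os", "value": "{{ os }}"},
        {"name": "arch", "value": "{{ arch }}"}
    ],
    "app": {"exec": ["/sbin/nginx"], "user": "0", "group": "0"}
}"""

# Assumption: plain {{ var }} substitution stands in for buildit's template engine.
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template, variables):
    """Substitute {{ var }} placeholders; an undefined variable is an error."""
    def sub(match):
        if match.group(1) not in variables:
            raise KeyError("undefined template variable: " + match.group(1))
        return str(variables[match.group(1)])
    return PLACEHOLDER.sub(sub, template)


def lint_manifest(template, variables):
    """Return a list of findings for the rendered manifest (empty list = clean)."""
    try:
        manifest = json.loads(render(template, variables))
    except KeyError as exc:
        return [exc.args[0]]
    except json.JSONDecodeError as exc:
        return ["rendered manifest is not valid JSON: " + exc.msg]
    findings = ["missing field: " + f for f in ("acKind", "acVersion", "name", "app") if f not in manifest]
    app = manifest.get("app", {})
    if not app.get("exec"):
        findings.append("app.exec is empty")
    if app.get("user") in ("0", "root") or app.get("group") in ("0", "root"):
        findings.append("app runs as root (user/group 0)")
    return findings


if __name__ == "__main__":
    for finding in lint_manifest(TEMPLATE, VARS):
        print("WARN:", finding)
```

A placeholder left unquoted inside the JSON, such as `"value": {{ arch }}`, renders to a bare word and is reported as invalid JSON before any image is packaged.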