Docker image_build module: features for the power user
As mentioned in last week's blog post, Building Docker images with Puppet, the new image_build module allows for building images, including Docker images, directly from Puppet code. The first post introduces the tool and provides a simple hello-world example; this post aims to demonstrate some of the more powerful or experimental features.
Reducing image size
In the examples we’ve seen so far, the resulting image will contain the Puppet tooling used to build them, which can make the images quite large. In reality, the layers containing Puppet and related tooling are likely to be shared between multiple images, but for those striving for ever-smaller images, even this might not be enough.
Luckily, it’s possible to remove the Puppet build tools from the image during the build, and make sure they are not in any of the layers either, using an alternative builder. The image_build module supports using the Rocker build tool in place of the standard Docker build command. The Rocker output provides a little more detail about the build process, and also allows for mounting folders at build time, which can minimize the size of the resulting image. With Rocker installed, simply pass the
--rocker flag when building:
With this builder, the resulting image is much smaller — in this particular case, by 95MB (approximately 33 percent). It’s worth noting the base image in use here is 126MB too, with the remaining 60MB being Nginx, its dependencies and configuration (i.e. the things you care about anyway).
What’s in the container?
A question that often arises with a move to containers is, "How do you know what’s inside a running container?" Treating containers as black boxes allows for some of the power of common abstractions (like scheduling and consistent deployment tooling), but running black boxes in production can lead to extremely brittle production systems. For instance, from the outside of a container, how can you tell which operating system is in there? Or more specifically, which version of a particular library is present?
The images built using the image_build tool expose some of this information at a standard place, as a JSON file stored at
/inventory.json. This inventory file contains a list of all the packages, as well as users and other information in the image. This is just raw information at the moment, but you can easily query it with something like jq. As an example, let’s run a version of our
puppet/nginx image from the first post, and then use
docker exec to read the inventory file. We’ll then use
jq to do a quick search for package names related to libssl.
Another example might be finding out which operating system a container is running in a standard way.
This functionality is available due to integration with the Puppet Inventory module. This isn’t specific to containers, but it’s particularly useful here, and is another great reason to build your images using image_build.
Passing arguments to Docker build
Docker build supports a range of options for affecting various properties of the build process, from limiting builds to specific memory or CPUs, enabling image verification, specifying ulimits and more. All these options are also available for the
puppet docker build command. You can see them all in the available help page with
puppet docker build --help.
With all these commands available, the user interface for
puppet docker build should (hopefully) be familiar to users of the standard
docker build tools.
These are just a few of the features of image_build. You can print the entire manual page with all the available options using the standard built-in command:
puppet man docker
Let us know in the comments of any other ideas you might have for other features, too. The module is released under an open source license and available on GitHub, so if you’d like to contribute features, please do submit pull requests there as well.
Gareth Rushgrove is a senior software engineer at Puppet.
- For installation info and a Hello World example, see Building Docker images with Puppet.
- Download the new image_build module from the Forge.
- Grab the source code for the image_build module on GitHub.
- Curious about all the work going on with Docker, Kubernetes, containers and more? See the Project Blueshift page.
- Haven't tried Puppet yet? Download our Learning VM for free and get started.