...
- Are intended to address the build processand validation processes.
- Don't address the fundamentals or principles of container images.
...
General Guidelines | Comments | Disposition |
---|---|---|
When executing " Irrespective of where the Inadvertently including files that are not necessary for building an image results in a larger build context and larger image size. This can increase the time to build the image, time to pull and push it, and the container runtime size. | "this can increase'..." I suggest the very first guideline should be a general statement about image size, as many of these individual items address that general concern | |
2. Exclude with .dockerignoreExclude files not relevant to the build with a This file supports exclusion patterns similar to | ||
3.Use multi-stage buildsMulti-stage builds reduces the size of an image, without worrying about the number of intermediate layers and files. An image is built during the final stage of the build process. The number of image layers can be minimized by leveraging build cache. For a build that contains several layers, order them from the less frequently changed (re-use build cache) to the more frequently changed:
| "the number of layers..." Perhaps say "see below 'Re-use the build cache' | |
4. Don’t install unnecessary packagesAvoid installing extra or unnecessary packages. This will reduce complexity, dependencies, file sizes, and build times, Don't include a text editor in a database image. | ||
5. Decouple applicationsApply the principle of "separation of concerns." Each container should have only one concern. Decoupling applications into multiple containers makes it easier to reuse containers. | ||
6. Minimize the number of layersThe instructions Use multi-stage builds, to only copy the artifacts you need into the final image. Tools and debug information can be added to intermediate build stages without increasing the size of the final image. | "tools and debug info..." I don't understand this. Perhaps an example would be helpful | |
7. Sort multi-line argumentsTo minimize duplication of packages and make the list of packages much easier to update, sort multi-line arguments alphanumerically. | ||
8. Re-use the build cacheAs each instruction in the Dockerfile is examined, the builder looks for an existing image in its cache that can be reused, rather than creating a duplicate image.
Once the cache is invalidated, all subsequent | ||
Build File Instructions | Comments | Disposition |
FROM Use current official repositories for base images. ONAP images must be vendor agnostic; ensure that the base images are cpu architecture-agnostic. | are there base images that are multi-pltfrom, or is there a need to create multiple images for multiple targets? eg. there is 'alpine' and 'arm64v8/alpine' | |
LABEL Labels are unique key-value pairs used to add metadata to container images and containers. They help organize images by project, add licensing information, or to support build and CI pipeline. An image can have more that one label. For each label, begin a new line with "LABEL" and add one or more key-value pairs. | ||
RUN To make the build file (e.g. Dockerfile) more readable, understandable and maintainable: RUN apt-get
Well-formatted example:
ERRORS IN STAGES OF A PIPE 7. Use "set -o pipefail &&" to ensure that the RUN command only succeeds if all stages of a pipe succeed.
| ||
CMD This instruction provides defaults to run the application packaged in a container image. It should always be used in the form:
Typically, CMD should run an interactive shell. That way users get a usable shell when they execute "docker run -it ..." For example:
Note: If the user provides arguments to "docker run", they override the defaults specified in "CMD." | ||
EXPOSE Use well-known ports for your application. For example, an image containing Apache web server should use | ||
ENV Use ENV to avoid hard-coding values for variables and parameters in the your build file. ENV can parameterize container variables. For example, the version of the software in the container (VERSION), the PATH environment variable and other execution environment variables (MAJOR).
Each Example
| ||
ADD or COPY is preferred because it only supports copying of local files into the container and it’s more transparent than ADD .ADD is recommended for local tar file auto-extraction into the image (e.g. If you have to copy several files from your context, To reduce the number of layers and the image size, don't use Example:
| ||
ENTRYPOINTUse Example: By setting ENTRYPOINT ["my_command"] CMD["–version"] The image can be run as $ docker run my_command or $ docker rum my_command --verbose -n 10
Copy the script into the container and run it via Example:
User can then execute: $ docker run redis | ||
VOLUMEThe VOLUME exposes database storage areas, configuration storage, or files/folders created by the container. | ||
USERDo not run containers as root. Use USER to change to an non-root user. Create the user and group as in this example:
Avoid installing or using To minimize the number of layers, avoid switching | ||
WORKDIRAlways use absolute paths for your Use | ||
ONBUILD
Images built from |
Minimizing Container Image Size
...
Recommendation
...
Description
...
Choose a small base image
...
Base images are container images that do not have a parent. Container images usually have their own root filesystem with
an operating system installed. Typically, you will create a new image using a base image that contains an operating system. Consider the following when selecting a base image:
- Operating system distribution: Determine if your application requires specific libraries or tools from a specific operating system
- Base image size: Use small base images, such as busybox (2 MB) or alpine (5 MB). In contrast, a standard minimal operating system, such as Fedora or CentOS could be up to 200MB in size.
- Updates: Use only base images from "official repositories", such as Docker Hub.
...
Be mindful of where your Dockerfile is located (i.e. Understand the build context)
...
Irrespective of where the Dockerfile
is located, all recursive contents of files and directories in the current directory are sent to the Docker daemon as the build context.
Inadvertently including files that are not necessary for building an image results in a larger build context and larger image size.
...
Use multi-stage builds
...
Use multi-stage builds, to only copy the artifacts you need into the final image.
Tools and debug information can be added to intermediate build stages without increasing the size of the final image.
...
Don’t install unnecessary packages
...
Avoid installing extra or unnecessary packages. This will reduce complexity, dependencies, file sizes, and build times. For example, don't include a text editor in a database image.
...
Minimize the number of layers
...
Build Environment
There are concerns in building images outside the scope of the Dockerfile itself
See here for image tagging guidelines: Independent Versioning and Release Process#StandardizedDockerTagging
The CIA has undertaken to reduce image size and ensure images may be build and run on multiple platforms.
This activity has exposed the team to differing approaches taken by project teams to build images. This page
presents best practices for building images, as an extension the the best practices currently described for
Dockerfiles (add link)
Note: the best practices are currently documented both
here https://lf-onap.atlassian.net/wiki/display/DW/Best+Practices
and here https://lf-onap.atlassian.net/wiki/display/DW/Container+Image+Minimization+Guidelines
There are two scenarios for image builds; Local and CSIT.
Local build/test
Local builds are required in order to validate assets such as poms, Dockerfiles, and scripts.
Developers should not push assets into a project repo until there have been validated, and the CSIT
pipeline requires that assets are in repos, ergo, local builds are mandatory.
Local builds involve not simply building images, but running them and testing wether they are behaving properly.
These steps are often not documented, and in some cases require reverse-engineering to
get working.
Documentation
Every project should document steps to building images and testing them locally. This should be part of the project
ReadTheDocs. The CIA team can contribute to documentation as it works through projects. Documentation should be
addressed to an audience that has general Unix and programming skills, but does not have knowledge of project or
arcane topics such as complex maven definitions.
Recommendation: project RTD includes materail describing local build and test of docker images
maven
Many projects build images as part of the workflow of building application targets. While this provides some
convenience, there are drawbacks.
This approach tightly-couples the application build process with the container packaging process, perhaps
unnecessarily so.
Other projects provide shell scripts to build images. This has the benefit of separating the build and packaging steps
Recommendation: TBD
docker-maven-plugin
There are currently several maven plugins in use by ONAP project teams.
The spotify docker-maven-plugin is no longer recommended, as Spotify encourages the use of pre-written Dockerfiles,
as opposed to generating a Dockerfile via plugin configuration.
See https://github.com/spotify/docker-maven-plugin
In addition, this plugin does not execute on all platforms, including Arm, and therefore should not be used.
See https://github.com/spotify/docker-maven-plugin/issues/233
The spotify dockerfile-maven-plugin has the benefit of supporting a pre-written Dockerfile, but also has issues
running on all platforms, and therefore should not be used (TBD - confirm details).
Finally, the fabric8 docker-maven-plugin has been used successfully to build images, using explicit Dockerfiles,
on multiple platforms.
Recommendation: If one uses maven to build images, use the fabric8 docker-maven-plugin (v 0.28.0, as previous don't work on Arm)
Pull Repo
For projects that employ maven to build images, care must be taken to ensure that images may be built on a number
of platforms (e.g. amd64, arm64, etc)
Normative base images are available on DockerHub as multi-platfrom FAT manifests (i.e. a universal label that
lists platform specific images). However, projects often make use of the ONAP nexus registry as a source of images.
While this serves as an image cache that improves CSIT build performance, it breaks multi-platfrom compatibility as
only a platform-specific image is cached, not the multi-platform manifest.
ONAP provides a maven settings.xml file which defines the following:
<docker.pull.registry>nexus3.onap.org:10001</docker.pull.registry>
This in effect hardcodes an amd64 base image for a project using maven as the image build tool.
To address this issue, and avoid changing the ONAP provided settings.xml, one may use the following directive
in the configuration section of the fabric8 docker-maven-plugin
<pullRegistry>${docker.pull.registry}</pullRegistry>
and set the docker.pull.registry variable when invoking maven, e.g.
> mvn install -Pdocker -Ddocker.pull.registry=docker.io
Push Repo
In order to test the maven lifecycle to push images, a developer must instantiate a local docker registry,
configure the pom appropriately, and invoke mvn appropriately.
Start a local docker image repo:
see: https://docs.docker.com/registry/deploying/
> docker run -d -p 5000:5000 --restart=always --name registry registry:2
Add the following directive in the configuration section of the fabric8 docker-maven-plugin
<pushRegistry>${docker.push.registry}</pushRegistry>
and set the docker.push.registry variable when invoking maven, e.g.
> mvn install -Pdocker -Ddocker.push.registry=localhost:5000 docker:push
Note invocation of docker:deploy lifecycle
------------------------------
Notes:
1) alpine images use sh rather then bash. Some side-effects
- In Dockerfile, CMD and ENTRYPOINT
bash - ENTRYPOINT ["startup.sh"]
sh - ENTRYPOINT ["sh", "startup.sh"]