[Koha-devel] Minimal docker images for Koha
dcook at prosentient.com.au
Fri Feb 21 01:22:28 CET 2020
Cool! Nice one, Julian!
David Cook
Systems Librarian
Prosentient Systems
72/330 Wattle St
Ultimo, NSW 2007
Australia
Office: 02 9212 0899
Direct: 02 8005 0595
-----Original Message-----
From: Julian Maurice <julian.maurice at biblibre.com>
Sent: Thursday, 20 February 2020 7:27 PM
To: dcook at prosentient.com.au; 'Kyle Hall' <kyle.m.hall at gmail.com>
Cc: 'koha-devel' <koha-devel at lists.koha-community.org>
Subject: Re: [Koha-devel] Minimal docker images for Koha
I gave another try at multi-stage builds. It turns out you can tag the intermediate images by building them first with `docker build --target <stage> ...` so my problem with multi-stage builds is gone :)
The result is an image of ~875MB. I pushed it on https://hub.docker.com/r/julianmaurice/koha with the tag master-slim.
On 19/02/2020 at 01:17, dcook at prosentient.com.au wrote:
> Mmm that’s a good point. The smaller attack surface is something I
> harp on about a lot when it comes to making minimal images. That’s
> actually led me down some very fun rabbit holes about operating
> systems and Linux in particular.
>
> For instance, here’s the Dockerfile for ubuntu:latest. It’s actually
> quite minimal with the majority of the work being done by “ADD
> ubuntu-bionic-core-cloudimg-amd64-root.tar.gz /”, which can be found
> at https://partner-images.canonical.com/core/bionic/current/ubuntu-bionic-core-cloudimg-amd64-root.tar.gz.
> When you open that up, it’s just a small Ubuntu root file system. Now
> what does that get us? First I’ll backtrack.
>
> When the host boots, GRUB 2 finds the desired Linux kernel, loads the
> kernel and the initramfs, and then transfers control to the kernel,
> which runs the initramfs’s /init script (which typically invokes
> systemd these days). That /init script finds the “real” root file
> system, mounts it, and then executes systemd on the real root file
> system, which acts as the init system and becomes our old faithful PID 1.
>
> Obviously that process doesn’t correspond to a container’s lifecycle.
> When a container is started, the kernel is already running and the
> root file system is already mounted. There’s already kernel mode and
> user mode code running to manage the computer. Docker gives us
> isolation using Linux kernel features like cgroups and namespaces, and
> takes care of special file system cases like /dev, /proc/, and /sys for us.
>
> So a person doesn’t need a whole OS file system just to run a single
> program in Docker.
>
> However, in our case, it gets complicated quickly, since Koha needs
> MySQL client libraries, Zebra client libraries, and whatever other
> libraries and files our Perl modules need (DateTime leverages OS-level
> datetime files I think, there’s libxml, probably GD, etc.). If we were
> really thorough, we probably could get Koha running in a very minimal
> container, but it would take some work. It could be fun though.
>
> David Cook
>
> *From:* Koha-devel <koha-devel-bounces at lists.koha-community.org> *On Behalf Of* Kyle Hall
> *Sent:* Tuesday, 18 February 2020 10:43 PM
> *To:* Julian Maurice <julian.maurice at biblibre.com>
> *Cc:* koha-devel <koha-devel at lists.koha-community.org>
> *Subject:* Re: [Koha-devel] Minimal docker images for Koha
>
> This is fantastic Julian! The only thing I can contribute that hasn't
> already been said by you or David is to suggest taking a look at
> MiniDeb as a base image ( https://github.com/bitnami/minideb ). I
> would also suggest using quay.io to build and host
> your Docker images, as it has built-in security scanning. I prefer
> minimal install images not for size reduction ( though it is nice ),
> but for the smaller attack surface they provide. Fewer things
> installed means fewer exploits available!
>
> Kyle
>
> ---
>
> http://www.kylehall.info
> ByWater Solutions ( http://bywatersolutions.com ) Meadville Public
> Library ( http://www.meadvillelibrary.org ) Crawford County Federated
> Library System ( http://www.ccfls.org )
>
> On Mon, Feb 17, 2020 at 12:59 PM Julian Maurice
> <julian.maurice at biblibre.com> wrote:
>
> Hi all,
>
> I've been playing with docker lately, and I tried to build a minimal
> docker image for Koha. Here are the results.
>
> My goals were:
> * Install only required "things" to get Koha up and running, and
> nothing else (no testing or dev tools),
> * No external dependencies except CPAN
> * Follow Docker best practices as much as possible
>
> The resulting images are here:
> https://hub.docker.com/repository/docker/julianmaurice/koha
>
> and the Dockerfiles are here:
> https://github.com/jajm/koha-docker
>
> A few things worth mentioning:
>
> * I tried to build the smallest image possible by using alpine or perl
> slim images at first but it was not that great, because the perl version
> shipped with those images is missing some libs, which causes
> MARC::Charset to build a database of several hundred MBs (which is only
> 5MBs with a standard perl version). So I chose a more standard image
> (debian:buster) as base.
>
> * Koha doesn't work well when running with a perl version different than
> the system perl installed in /usr/bin/perl. For example, the
> updatedatabase doesn't work when called from the web installer. This is
> because Perl scripts are called directly as executable files, and
> shebangs contain '/usr/bin/perl'. Same problem from
> misc/translator/translate which calls tmpl_process3.pl.
>
> * I tried to make the Koha installation as self-contained as possible.
> Almost everything is installed as a non-root user in /home/koha,
> including Perl dependencies.
>
> * It doesn't need a reverse proxy such as apache or nginx. The necessary
> URL rewriting is handled in the PSGI file. The container exposes two ports,
> one for intranet, the other one for OPAC.
>
> * Each Perl dependency is installed in its latest version, so expect
> things to break. I can only confirm that the webinstaller, basic
> cataloguing and search/indexation work. I did not test anything else.
>
> * There are docker-compose.yml files in the github repository to get
> Koha running quickly with mariadb, memcached and elasticsearch.
>
> * Zebra is not installed
>
> * Images weigh ~1.15GB uncompressed (koha sources included)
>
> If you made it this far, thanks for reading :)
> And if you want to use these docker images, you should start by reading
> https://github.com/jajm/koha-docker/blob/master/README.md
>
> --
> Julian Maurice
> BibLibre
--
Julian Maurice
BibLibre
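
Added example, not part of the thread and not taken from the jajm/koha-docker repository: a multi-stage Dockerfile that uses the `docker build --target <stage>` tagging mentioned above and keeps compilers out of the final image. The stage names, image tags, package list and the cpanfile are assumptions made for illustration.

```dockerfile
# Constructed example; stage names, tags, packages and cpanfile are assumptions.
#
# Build and tag each stage separately so the intermediate image keeps a name
# (reusable as cache, inspectable on its own) instead of being left dangling:
#   docker build --target builder -t koha-example:builder .
#   docker build --target runtime -t koha-example:slim .

# ---- Stage 1: compilers and -dev headers exist only in this stage ----
FROM debian:buster AS builder
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
      build-essential ca-certificates cpanminus perl \
      libxml2-dev libmariadb-dev \
 && rm -rf /var/lib/apt/lists/*
RUN useradd --create-home --shell /usr/sbin/nologin koha
USER koha
WORKDIR /home/koha
# Assumed: a cpanfile listing the Perl dependencies is in the build context.
COPY --chown=koha:koha cpanfile .
# Install CPAN modules under the non-root user's home, not system-wide.
RUN cpanm --notest --local-lib /home/koha/perl5 --installdeps .

# ---- Stage 2: runtime image, no build tools, no package manager cache ----
FROM debian:buster-slim AS runtime
# The system perl stays at /usr/bin/perl, matching the scripts' shebangs.
RUN apt-get update \
 && apt-get install -y --no-install-recommends perl libxml2 libmariadb3 \
 && rm -rf /var/lib/apt/lists/* \
 && useradd --create-home --shell /usr/sbin/nologin koha
# Only the installed modules cross the stage boundary.
COPY --from=builder --chown=koha:koha /home/koha/perl5 /home/koha/perl5
ENV PERL5LIB=/home/koha/perl5/lib/perl5 \
    PATH=/home/koha/perl5/bin:$PATH
# Run as the unprivileged user created above.
USER koha
WORKDIR /home/koha
# Placeholder command: prints the perl configuration, including @INC.
CMD ["perl", "-V"]
```

Comparing `docker image ls` output for the two tags shows how much of the builder stage (toolchain, headers, CPAN build directories) is absent from the image that actually runs.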