Cool! Nice one, Julian!

David Cook
Systems Librarian
Prosentient Systems
72/330 Wattle St
Ultimo, NSW 2007
Australia

Office: 02 9212 0899
Direct: 02 8005 0595

-----Original Message-----
From: Julian Maurice <julian.maur...@biblibre.com>
Sent: Thursday, 20 February 2020 7:27 PM
To: dc...@prosentient.com.au; 'Kyle Hall' <kyle.m.h...@gmail.com>
Cc: 'koha-devel' <koha-devel@lists.koha-community.org>
Subject: Re: [Koha-devel] Minimal docker images for Koha

I gave another try at multi-stage builds. It turns out you can tag the intermediate image by building them first with `docker build --target <stage> ...`, so my problem with multi-stage builds is gone :)

The result is an image of ~875MB. I pushed it to https://hub.docker.com/r/julianmaurice/koha with the tag master-slim

On 19/02/2020 at 01:17, dc...@prosentient.com.au wrote:
> Mmm that’s a good point. The smaller attack surface is something I harp on about a lot when it comes to making minimal images. That’s actually led me down some very fun rabbit holes about operating systems and Linux in particular.
>
> For instance, here’s the Dockerfile for ubuntu:latest. It’s actually quite minimal with the majority of the work being done by “ADD ubuntu-bionic-core-cloudimg-amd64-root.tar.gz /”, which can be found at https://partner-images.canonical.com/core/bionic/current/ubuntu-bionic-core-cloudimg-amd64-root.tar.gz. When you open that up, it’s just a small Ubuntu root file system. Now what does that get us? First I’ll backtrack.
>
> When the host boots, GRUB 2 finds the desired Linux kernel, loads the kernel and the initramfs, and then transfers control to the kernel, which runs the initramfs’s /init script (which typically invokes systemd these days). That /init script finds the “real” root file system, mounts it, and then executes systemd on the real root file system, which acts as the init system and becomes our old faithful PID 1.
>
> Obviously that process doesn’t correspond to a container’s lifecycle. When a container is started, the kernel is already running and the root file system is already mounted. There’s already kernel mode and user mode code running to manage the computer. Docker gives us isolation using Linux kernel features like cgroups and namespaces, and takes care of special file system cases like /dev, /proc/, and /sys for us.
>
> So a person doesn’t need a whole OS file system just to run a single program in Docker.
>
> However, in our case, it gets complicated quickly, since Koha needs MySQL client libraries, Zebra client libraries, and whatever other libraries and files our Perl modules need (DateTime leverages OS-level datetime files I think, there’s libxml, probably GD, etc.). If we were really thorough, we probably could get Koha running in a very minimal container, but it would take some work. It could be fun though.
>
> David Cook
> Systems Librarian
> Prosentient Systems
> 72/330 Wattle St
> Ultimo, NSW 2007
> Australia
>
> Office: 02 9212 0899
> Direct: 02 8005 0595
>
> *From:* Koha-devel <koha-devel-boun...@lists.koha-community.org> *On Behalf Of* Kyle Hall
> *Sent:* Tuesday, 18 February 2020 10:43 PM
> *To:* Julian Maurice <julian.maur...@biblibre.com>
> *Cc:* koha-devel <koha-devel@lists.koha-community.org>
> *Subject:* Re: [Koha-devel] Minimal docker images for Koha
>
> This is fantastic Julian! The only thing I can contribute that hasn't already been said by you or David is to suggest taking a look at MiniDeb as a base image ( https://github.com/bitnami/minideb ). I would also suggest using quay.io to build and host your Docker images, as it has built in security scanning. I prefer minimal install images not for size reduction ( though it is nice ), but for the smaller attack surface they provide. Fewer things installed means fewer exploits available!
>
> Kyle
>
> ---
>
> http://www.kylehall.info
> ByWater Solutions ( http://bywatersolutions.com )
> Meadville Public Library ( http://www.meadvillelibrary.org )
> Crawford County Federated Library System ( http://www.ccfls.org )
>
> On Mon, Feb 17, 2020 at 12:59 PM Julian Maurice <julian.maur...@biblibre.com <mailto:julian.maur...@biblibre.com>> wrote:
>
> Hi all,
>
> I've been playing with docker lately, and I tried to build a minimal docker image for Koha. Here are the results.
>
> My goals were:
> * Install only required "things" to get Koha up and running, and nothing else (no testing or dev tools),
> * No external dependencies except CPAN
> * Follow Docker best practices as much as possible
>
> The resulting images are here:
> https://hub.docker.com/repository/docker/julianmaurice/koha
>
> and the Dockerfiles are here:
> https://github.com/jajm/koha-docker
>
> A few things worth mentioning:
>
> * I tried to build the smallest image possible by using alpine or perl slim images at first but it was not that great, because the perl version shipped with those images is missing some libs, which causes MARC::Charset to build a database of several hundred MBs (which is only 5MBs with a standard perl version). So I chose a more standard image (debian:buster) as base.
>
> * Koha doesn't work well when running with a perl version different than the system perl installed in /usr/bin/perl. For example, the updatedatabase doesn't work when called from the web installer. This is because Perl scripts are called directly as executable files, and shebangs contain '/usr/bin/perl'. Same problem from misc/translator/translate which calls tmpl_process3.pl.
>
> * I tried to make the Koha installation as self-contained as possible. Almost everything is installed as a non-root user in /home/koha, including Perl dependencies.
>
> * It doesn't need a reverse proxy such as apache or nginx. The necessary URL rewriting is handled in the PSGI file. The container exposes two ports, one for intranet, the other one for OPAC.
>
> * Each Perl dependency is installed in its latest version, so expect things to break. I can only confirm that the webinstaller, basic cataloguing and search/indexation work. I did not test anything else.
>
> * There are docker-compose.yml files in the github repository to get Koha running quickly with mariadb, memcached and elasticsearch.
>
> * Zebra is not installed
>
> * Images weigh ~1.15GB uncompressed (koha sources included)
>
> If you made it this far, thanks for reading :)
> And if you want to use these docker images, you should start by reading
> https://github.com/jajm/koha-docker/blob/master/README.md
>
> --
> Julian Maurice
> BibLibre
> _______________________________________________
> Koha-devel mailing list
> Koha-devel@lists.koha-community.org <mailto:Koha-devel@lists.koha-community.org>
> https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
> website : http://www.koha-community.org/
> git : http://git.koha-community.org/
> bugs : http://bugs.koha-community.org/

--
Julian Maurice
BibLibre
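The points raised across the thread (multi-stage build with a separately tagged `--target` stage, a Debian base with the system /usr/bin/perl so Koha's shebangs keep working, dependencies installed as a non-root user under /home/koha, and no build tooling left in the runtime image to keep the attack surface small) can be combined into one Dockerfile. The following is an added illustration, not the Dockerfile from jajm/koha-docker: the stage names, the apt package lists, the `cpanfile`, the `starman` entrypoint, the `/home/koha/app` layout and the port numbers are all assumptions.

```dockerfile
# Illustrative multi-stage build (added example, not the jajm/koha-docker
# Dockerfile). Stage names, package lists, paths and ports are assumptions.
#
# Tag the intermediate stage on its own, as described in the thread:
#   docker build --target builder -t koha-builder:local .
# Then build the runtime stage; the builder layers come from cache:
#   docker build -t koha:slim .

# ---- Stage 1: build Perl dependencies with the *system* perl ---------------
# Debian's /usr/bin/perl is used on purpose: Koha scripts are executed
# directly and their shebang line is '/usr/bin/perl'.
FROM debian:buster AS builder

# Compiler, headers and cpanm live only in this stage and never reach the
# runtime image. (Package names are illustrative, not Koha's full list.)
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
        build-essential cpanminus \
        libxml2-dev default-libmysqlclient-dev \
 && rm -rf /var/lib/apt/lists/*

# Unprivileged user that owns the whole installation under /home/koha.
RUN useradd --create-home --shell /usr/sbin/nologin koha
USER koha
WORKDIR /home/koha/app

# Hypothetical cpanfile listing the CPAN dependencies (Starman included).
COPY --chown=koha:koha cpanfile ./
# Install into a local::lib tree inside /home/koha, not system-wide.
RUN cpanm --notest -l /home/koha/perl5 --installdeps . \
 && rm -rf /home/koha/.cpanm

# ---- Stage 2: runtime image ------------------------------------------------
FROM debian:buster AS runtime

# Only the shared libraries the Perl modules link against: no -dev packages,
# no compiler, no cpanm. Names are illustrative.
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
        perl libxml2 libmariadb3 \
 && rm -rf /var/lib/apt/lists/* \
 && useradd --create-home --shell /usr/sbin/nologin koha

# Copy the dependency tree built in stage 1, already owned by koha.
COPY --from=builder --chown=koha:koha /home/koha/perl5 /home/koha/perl5
# Application sources (hypothetical layout: the Koha checkout in ./koha).
COPY --chown=koha:koha koha/ /home/koha/app/

ENV PERL5LIB=/home/koha/perl5/lib/perl5 \
    PATH=/home/koha/perl5/bin:$PATH

USER koha
WORKDIR /home/koha/app

# One port for the intranet, one for the OPAC (numbers are assumptions).
EXPOSE 8080 8081

# Serve the PSGI application from the container itself, with no apache or
# nginx in front; app.psgi is a placeholder for the real PSGI file that does
# the URL rewriting.
CMD ["starman", "--listen", ":8080", "--listen", ":8081", "app.psgi"]
```

Building the `builder` stage first with `--target` gives it a tag you can inspect or scan separately; the `runtime` stage then only copies the finished local::lib tree, so the final image carries neither build-essential nor the CPAN build cache, and every process runs as the unprivileged `koha` user.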