In this talk, Adnan Abdulhussein will walk you through Bitnami's journey in maintaining our first handful of container images to the ~70 images of popular open-source apps we have available today. You will learn how to bend entrypoints to your will, improve security with non-root containers, reduce image sizes with multi-stage builds and optimised base images, and more!
3. Who is Bitnami?
Bitnami is the leader in packaged applications for any platform.
❯ End-to-end automated build & release
❯ 140+ Apps and language runtimes
❯ 1 million+ App instances deployed monthly
❯ Multi-format: Win/Mac/Linux, VM, Container, K8s chart
❯ Multi-cloud: configuration & deployment for every major cloud provider
4. What do we do?
Build, Deploy, Maintain: components, packages, platforms, updates
Automatically build, deploy and maintain applications for containers, cloud, VMs, or bare metal.
7. Adapting to the mindset...
❯ "How do I get my fancy zsh prompt?"
❯ "Can I add my SSH keys?"
❯ "My tmux configuration isn't being copied in??"
❯ "Is emacs installed?"
9. First Set of Bitnami Images
❯ Released in mid-2015
❯ 8 runtime and infrastructure images
❯ Source available on GitHub
❯ Automatic builds on Docker Hub
❯ Focus on documentation
❯ Dogfooding
10. "All in One" images
❯ Handful of apps: WordPress, Drupal, etc.
❯ Iterative approach to containerisation
❯ s6-overlay for multi-process supervision
❯ docker run -p 8080:80 bitnami/wordpress
12. Multi-Container Apps
❯ Split database from application containers
❯ Orchestrated using Docker Compose
❯ docker-compose up
13. Not scalable out-of-the-box
❯ Most apps not cloud/container-native
❯ File uploads stored in filesystem
❯ Reliance on .htaccess rules
14. Development Containers
❯ Released in mid-2016
❯ Containerised popular frameworks
❯ Bring up a development environment in seconds
❯ Bootstraps new app if local directory empty
❯ Mounts local directory for editing locally and
reloading server on changes
15. Container Entrypoints
❯ Defined using ENTRYPOINT in the Dockerfile
❯ Runs on container startup
❯ Receives container's command (CMD) as arguments
❯ Typically used to start an interactive shell
❯ Useful for initialising volumes, writing configuration, waiting for services, etc.
16. Container Entrypoints
❯ Could choose the runtime binary to be the image entrypoint
FROM bitnami/node:latest
ENTRYPOINT ["node"]
❯ docker run mynode -e "console.log('hello!')"
❯ Everything after the image name is appended to the entrypoint, so node receives -e "console.log('hello!')"
17. Container Entrypoints
#!/bin/bash
# Excerpt of a Laravel development-container entrypoint. app_present,
# dependencies_up_to_date, wait_for_db, fresh_container, setup_db and log
# are helper functions defined elsewhere in the script.
if ! app_present; then
    log "Creating laravel application"
    cp -r /tmp/app/ /   # copy the bootstrapped application into place
fi
if ! dependencies_up_to_date; then
    log "Installing/Updating Laravel dependencies (composer)"
    composer update     # resolves the newest allowed versions at start-up; composer install would honour composer.lock
    log "Dependencies updated"
fi
wait_for_db             # block until the database container accepts connections
if ! fresh_container; then
    ...
else
    setup_db
    log "Initialization finished"
    touch "$INIT_SEM"   # semaphore file: marks the volume as initialised
fi
# Replace the shell with tini so the container's command (CMD) runs as its child
exec tini -- "$@"
18. Container init systems
❯ tini, dumb-init are simple init systems for containers
❯ These start as PID 1 and run a command as a child process
❯ Correctly handle process signals and reap zombie processes
❯ May not be needed soon
○ built-in to Docker with --init flag
○ Kubernetes' pause container
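An added example, not code from the talk or from Bitnami, of an image that makes tini PID 1. The two tini lines follow the tini README; the minideb tag, the tini version and server.js are illustrative assumptions.

```dockerfile
# Added example (not the talk's code). Tag, tini version and server.js are assumptions.
FROM bitnami/minideb:stretch

# Pin the tini release and make it executable. Verify the downloaded binary
# against the checksum/signature published with the release before trusting
# it in a build; an unpinned or unverified download is supply-chain exposure.
ENV TINI_VERSION=v0.19.0
ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
RUN chmod +x /tini

COPY server.js /app/server.js
WORKDIR /app

# tini becomes PID 1: it forwards the signals it receives (SIGTERM from
# `docker stop`, SIGINT from Ctrl-C) to its child and reaps any orphaned
# zombies. "--" ends tini's own options; everything after it is the child.
ENTRYPOINT ["/tini", "--"]

# If an entrypoint script sits between tini and the app, it must end with
# `exec "$@"` so the app, not a shell, is tini's direct child.
CMD ["node", "server.js"]
```

`docker run --init` gives the same result from outside the image (Docker injects its own tini build as PID 1), so with that flag the ENTRYPOINT can be just the application. The Kubernetes pause container only reaps orphans for containers that share the pod's PID namespace; in the default configuration each container still has its own PID 1, so an init binary or a signal-aware entrypoint is still needed there.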
21. Minideb
❯ Released in late-2016
❯ ~50 MB Debian base image
❯ Compatible with most software
❯ Familiar package manager with large library
github.com/bitnami/minideb
22. Multi-stage builds
❯ Available in Docker 17.05+
❯ Define build pipeline in Dockerfile
❯ Copy artifacts between stages
❯ Resulting image built from the final stage
23. Multi-stage builds
FROM bitnami/node:6 as builder
ENV NODE_ENV="production"
COPY . /app
WORKDIR /app
RUN npm install # installs native extensions

FROM bitnami/node:6-prod
ENV NODE_ENV="production"
COPY --from=builder /app /app
WORKDIR /app
EXPOSE 3000
CMD ["npm", "start"]
24. Non-Privileged Containers
❯ Following best practices from OpenShift
❯ Assume UID is unknown, GID is 0 (root)
$ docker run --user 1001 bitnami/minideb id
uid=1001 gid=0(root) groups=0(root)
❯ Files the app needs to touch get read-write-execute permissions for the root group
❯ Services bind to non-privileged ports (above 1024)
canihaznonprivilegedcontainers.info
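An added example, not the talk's or Bitnami's code, that combines the two preceding slides: the multi-stage node build from slide 23 with a final stage prepared to run as an unknown UID in the root group as slide 24 describes. The image tags come from the talk; the /app layout, port 3000 and UID 1001 are illustrative assumptions.

```dockerfile
# Added example (not the talk's code). /app layout, port and UID are assumptions.
FROM bitnami/node:6 as builder
ENV NODE_ENV="production"
COPY . /app
WORKDIR /app
RUN npm install   # native extensions are compiled here; the toolchain never ships

FROM bitnami/node:6-prod
ENV NODE_ENV="production"
COPY --from=builder /app /app
WORKDIR /app

# The runtime UID is unknown (OpenShift assigns one per project) but the GID
# is 0, so give the root group the owner's permissions on the tree the app
# touches. Scope this to /app, never the whole filesystem. chgrp/chmod rewrite
# every file into a new layer, so do both in one RUN and only where needed.
RUN chgrp -R 0 /app && chmod -R g=u /app

# Unprivileged port: binding below 1024 needs root or CAP_NET_BIND_SERVICE.
ENV PORT=3000
EXPOSE 3000

# A numeric USER lets Kubernetes' runAsNonRoot verify the image; a user name
# cannot be checked. Any other UID given at run time still works thanks to GID 0.
USER 1001
CMD ["npm", "start"]
```

Check the result with `docker run --user 4242 <image> id`, which should print uid=4242 gid=0(root), and then start the app the same way to confirm it can still write under /app. On Docker 17.09 or later, `COPY --chown=1001:0 --from=builder /app /app` sets ownership during the copy and avoids the extra layer that chgrp/chmod creates; the chmod g=u step is still needed so that whatever UID runs the container gets the same access through the group.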
26. What's Next?
❯ Roll out non-privileged & multi-stage builds to all apps
❯ More docs and tutorials (docs.bitnami.com)
❯ Minimal Centos base image
❯ Container builds with Bazel
❯ Tools for Kubernetes: Helm, Kubeless