Lessons learned building a container app library

Adnan Abdulhussein | @prydonius

Who is Bitnami?Bitnami is the leader in packaged applications for any platform.

❯ End-to-end automated build & release

❯ 140+ Apps and language runtimes

❯ 1 million+ App instances deployed monthly

❯ Multi-format: Win/Mac/Linux, VM, Container, K8s chart

❯ Multi-cloud: configuration & deployment for every major cloud provider

What do we do?

Build Deploy Maintain

Components Packages Platforms Updates

Automatically build, deploy and maintain applications for containers, cloud, VMs, or bare metal.

❯ Containers in Development mid-2014

Adopting Containers

How do I get my fancy zsh prompt?

Can I add my SSH keys?

My tmux configuration isn’t being copied in??

Is emacs installed?

Adapting to the mindset...

First Set of Bitnami Images

❯ Released in mid-2015

❯ 8 runtime and infrastructure images

❯ Source available on GitHub

❯ Automatic builds on Docker Hub

❯ Focus on documentation

❯ Dogfooding

"All in One" images

❯ Handful of apps: WordPress, Drupal, etc.

❯ Iterative approach to containerisation

❯ s6-overlay for multi-process supervision

❯ docker run -p 8080:80 bitnami/wordpress

One process per containertask

Multi-Container Apps

❯ Split database from application containers

❯ Orchestrated using Docker Compose

❯ docker-compose up

Not scalable out-of-the-box

❯ Most apps not cloud/container-native

❯ File uploads stored in filesystem

❯ Reliance on .htaccess rules

Development Containers

❯ Released in mid-2016

❯ Containerised popular frameworks

❯ Bring up a development environment in seconds

❯ Bootstraps new app if local directory empty

❯ Mounts local directory for editing locally and reloading server on changes

❯ Defined using ENTRYPOINT in the Dockerfile

❯ Runs on container startup

❯ Receives container's command (CMD) as arguments

❯ Typically used to start an interactive shell

❯ Useful for initialising volumes, writing configuration, waiting for services, etc.

Container Entrypoints

❯ Could choose runtime binary to be the image entrypointFROM bitnami/node:latestENTRYPOINT ["node"]

❯ docker run mynode -e "console.log('hello!')"

Container Entrypoints

if ! app_present; then log "Creating laravel application" cp -r /tmp/app/ /fi

if ! dependencies_up_to_date; then log "Installing/Updating Laravel dependencies (composer)" composer update log "Dependencies updated"fi

wait_for_db

if ! fresh_container; then ...else setup_db log "Initialization finished" touch $INIT_SEMfi

exec tini -- "$@"

Container Entrypoints

❯ tini, dumb-init are simple init systems for containers

❯ These start as PID 1 and run a command as a child process

❯ Correctly handle process signals and reap zombie processes

❯ May not be needed soon

○ built-in to Docker with --init flag

○ Kubernetes' pause container

Container init systems

OptimisingImages

Smaller imagessmaller footprint,

faster transmissionand lower attack surface

Minideb

❯ Released in late-2016

❯ ~50mb Debian base image

❯ Compatible with most software

❯ Familiar package manager with large library

github.com/bitnami/minideb

Multi-stage builds

❯ Available in Docker 17.05+

❯ Define build pipeline in Dockerfile

❯ Copy artifacts between stages

❯ Resulting image built from the final stage

FROM bitnami/node:6 as builderENV NODE_ENV="production"COPY . /appWORKDIR /appRUN npm install # installs native extensions

FROM bitnami/node:6-prodENV NODE_ENV="production"COPY --from=builder /app /appWORKDIR /appEXPOSE 3000CMD ["npm", "start"]

Multi-stage builds

Non-Privileged Containers

❯ Following best practices from OpenShift

❯ Assume UID is unknown, GID is 0 (root)

$ docker run --user 1001 bitnami/minideb iduid=1001 gid=0(root) groups=0(root)

❯ Files can have read-write-execute permissions for root group

❯ Services bind to non-privileged ports

canihaznonprivilegedcontainers.info

Non-Privileged Containers

$ docker run --user 1001 bitnami/minideb

I have no name!@ec12f26b1857:/$

What's Next?

❯ Roll out non-privileged & multi-stage builds to all apps

❯ More docs and tutorials (docs.bitnami.com)

❯ Minimal Centos base image

❯ Container builds with Bazel

❯ Tools for Kubernetes: Helm, Kubeless

Thank You