| vexxhost-bot | 8c2b6d3 | 2024-06-04 17:31:00 +0200 | [diff] [blame] | 1 | ====== |
| 2 | Images |
| 3 | ====== |
| 4 | |
| 5 | ************* |
| 6 | Build Process |
| 7 | ************* |
| 8 | |
| 9 | This section provides an overview of how the container images used by Atmosphere |
| 10 | are built. Understanding this process is crucial for maintaining and customizing |
| 11 | the images for your specific needs. |
| 12 | |
| 13 | Multi-Stage Builds |
| 14 | ================== |
| 15 | |
| 16 | The images are built using a multi-stage build process. This means that all |
| 17 | build-time dependencies are included only in the intermediate stages and are not |
| 18 | present in the final runtime images. |
| 19 | |
| 20 | Benefits |
| 21 | -------- |
| 22 | |
| 23 | The multi-stage build process offers several benefits which improve the |
| 24 | efficiency, security, and performance of the images. |
| 25 | |
| 26 | Smaller Image Size |
| 27 | ^^^^^^^^^^^^^^^^^^ |
| 28 | |
| 29 | By excluding build-time dependencies, the final images are significantly |
| 30 | smaller. This reduction in size offers several advantages. |
| 31 | |
| 32 | First, it leads to more efficient storage usage, as smaller images consume less |
| 33 | disk space, making it easier to manage and store multiple images. Additionally, |
| 34 | the reduced image size results in faster download times when pulling images from |
| 35 | a container registry, thereby speeding up deployment times. |
| 36 | |
| 37 | Furthermore, smaller images require less network bandwidth, which can be beneficial |
| 38 | in environments with limited network resources. |
| 39 | |
| 40 | Enhanced Security |
| 41 | ^^^^^^^^^^^^^^^^^ |
| 42 | |
| 43 | Reducing the number of packages and dependencies in the final image decreases |
| 44 | the attack surface, thereby enhancing security. With only essential runtime |
| 45 | dependencies included, the opportunities for attackers to exploit |
| 46 | vulnerabilities are significantly reduced, leading to minimized exposure. |
| 47 | |
| 48 | Moreover, a smaller set of packages simplifies auditing, making it easier to |
| 49 | ensure that all components are secure and up-to-date. Additionally, fewer |
| 50 | dependencies mean fewer updates and patches, which simplifies the maintenance |
| 51 | process and reduces the risk of introducing new vulnerabilities. |
| 52 | |
| 53 | Improved Performance |
| 54 | ^^^^^^^^^^^^^^^^^^^^ |
| 55 | |
| 56 | Smaller images lead to faster deployment times and lower resource consumption, |
| 57 | which improves overall system performance. Containers based on smaller images |
| 58 | start up more quickly, enhancing the responsiveness of applications and services. |
| 59 | |
| 60 | Reduced resource consumption translates to lower memory and CPU usage, allowing |
| 61 | more efficient utilization of system resources. Furthermore, faster deployment |
| 62 | and efficient resource use enable better scalability, allowing the system to |
| 63 | handle increased loads more effectively. |
| 64 | |
| 65 | Example |
| 66 | ------- |
| 67 | |
| 68 | The ``openstack-venv-builder`` image is used to build a virtual environment with |
| 69 | all of the Python dependencies required by the OpenStack services. It also |
| 70 | contains a modified version of the ``upper-constraints.txt`` file, which has |
| 71 | many of the dependencies pinned to specific versions and modified to avoid |
| 72 | security vulnerabilities. |
| 73 | |
| 74 | .. literalinclude:: ../../../images/openstack-venv-builder/Dockerfile |
| 75 | :language: dockerfile |
| 76 | :caption: ``images/openstack-venv-builder/Dockerfile`` |
| 77 | |
| 78 | In addition to that image, the ``openstack-python-runtime`` image is a stripped |
| 79 | down base image as a run-time for OpenStack services with no installed |
| 80 | packages than the base Ubuntu image. |
| 81 | |
| 82 | .. literalinclude:: ../../../images/openstack-runtime/Dockerfile |
| 83 | :language: dockerfile |
| 84 | :caption: ``images/openstack-runtime/Dockerfile`` |
| 85 | |
| 86 | With the ``openstack-venv-builder`` & ``openstack-python-runtime`` the image for |
| 87 | a project such as OpenStack Nova can be built using the following Dockerfile. |
| 88 | |
| 89 | This Dockerfile uses the ``openstack-venv-builder`` image to build the virtual |
| 90 | environment and then copies the virtual environment into the final image based |
| 91 | on the ``openstack-python-runtime`` image. With this, it has no other build-time |
| 92 | dependencies and only the runtime dependencies required for the OpenStack Nova |
| 93 | service. |
| 94 | |
| 95 | .. literalinclude:: ../../../images/nova/Dockerfile |
| 96 | :language: dockerfile |
| 97 | :caption: ``images/nova/Dockerfile`` |