Playing with buildah and ubi-micro: Part 1

buildah is an intriguing open source tool to build of Open Container Initiative (OCI) container images using a scripted approach versus a traditional Dockerfile. It’s fascinating and I’ve started to use podman and buildah to build my project’s images.

I picked ubi-micro as my startingn point. Per Red Hat, ubi-microis the smallest possible image excludinng the package manager and all of its dependencies which are normally included in a container image. This approach is an alternative to the current release of the IBM FHIR Server image. The following only documents my first stages with Java testing.

  1. On Fedora, install the prerequisites.
# sudo dnf install buildah -y
Last metadata expiration check: 0:23:36 ago on Thu 02 Sep 2021 10:06:55 AM EDT.
Dependencies resolved.
=====================================================================================================================================================================
 Package                               Architecture                         Version                                      Repository                             Size
=====================================================================================================================================================================
Installing:
 buildah                               x86_64                               1.21.4-5.fc33                                updates                               7.9 M

Transaction Summary
=====================================================================================================================================================================
Install  1 Package

Total download size: 7.9 M
Installed size: 29 M
Downloading Packages:
buildah-1.21.4-5.fc33.x86_64.rpm                                                                                                     7.2 MB/s | 7.9 MB     00:01
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                6.2 MB/s | 7.9 MB     00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                             1/1
  Installing       : buildah-1.21.4-5.fc33.x86_64                                                                                                                1/1
  Running scriptlet: buildah-1.21.4-5.fc33.x86_64                                                                                                                1/1
  Verifying        : buildah-1.21.4-5.fc33.x86_64                                                                                                                1/1

Installed:
  buildah-1.21.4-5.fc33.x86_64

Complete!
  1. Start the new image
# microcontainer=$(buildah from registry.access.redhat.com/ubi8/ubi-micro)
Trying to pull registry.access.redhat.com/ubi8/ubi-micro:latest...
Getting image source signatures
Copying blob 4f4fb700ef54 done
Copying blob 098a109c8679 done
Copying config c5ba898d36 done
Writing manifest to image destination
Storing signatures
  1. Confirm the container name.
# echo $microcontainer
ubi-micro-working-container
  1. Mount the layer locally and display the path.
# micromount=$(buildah mount $microcontainer)
# echo $micromount
/var/lib/containers/storage/overlay/14c524d6a5ef0e94887bc52685dbe911b40a5a9e39a6df00dc3b02e5f5ad7796/merged
  1. Setup the AdoptOpennJdk repository.
cat <<'EOF' > $micromount/etc/yum.repos.d/adoptopenjdk.repo
[AdoptOpenJDK]
name=AdoptOpenJDK
baseurl=http://adoptopenjdk.jfrog.io/adoptopenjdk/rpm/rhel/8/$basearch
enabled=1
gpgcheck=1
gpgkey=https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public
EOF
  1. Install to micromount without any ancillary dependencies.
yum install \
    --installroot $micromount \
    --releasever 8 \
    --setopt install_weak_deps=false \
    --nodocs -y \
    adoptopenjdk-11-openj9xl.x86_64

Results in:

------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                               8.9 MB/s | 193 MB     00:21
warning: Found bdb Packages database while attempting sqlite backend: using bdb backend.
warning: /var/lib/containers/storage/overlay/14c524d6a5ef0e94887bc52685dbe911b40a5a9e39a6df00dc3b02e5f5ad7796/merged/var/cache/dnf/AdoptOpenJDK-096a01411439d076/packages/adoptopenjdk-11-openj9xl-11.0.10+9.openj9-0.24.0-3.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 74885c03: NOKEY
AdoptOpenJDK                                                                                         13 kB/s | 3.1 kB     00:00
warning: Found bdb Packages database while attempting sqlite backend: using bdb backend.
Importing GPG key 0x74885C03:
 Userid     : "AdoptOpenJDK (used for publishing RPM and DEB files) <adoptopenjdk@gmail.com>"
 Fingerprint: 8ED1 7AF5 D7E6 75EB 3EE3 BCE9 8AC3 B291 7488 5C03
 From       : https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public
  1. Clean up the dependencies
# yum clean all \
 --installroot $micromount
warning: Found bdb Packages database while attempting sqlite backend: using bdb backend.
61 files removed
  1. Unmount the container
buildah umount $microcontainer
  1. Coommit the image
buildah commit $microcontainer ubi-micro-java
  1. Confirm the image
# buildah images
REPOSITORY                                  TAG        IMAGE ID       CREATED          SIZE
localhost/ubi-micro-java                    latest     334404b8ebf2   22 seconds ago   43 MB

It’s about 40M smaller than the ubi-minimal as it has no docs and ancillary dependencies.

Tip: Starting with the IBM FHIR Server

To start with the IBM FHIR Server image, you can use:

buildah from --pull docker.io/ibmcom/ibm-fhir-server:latest

[root@localhost ~]# buildah from --pull docker.io/ibmcom/ibm-fhir-server:latest
Trying to pull docker.io/ibmcom/ibm-fhir-server:latest...
Getting image source signatures
Copying blob e2bef77118c7 done
Copying blob 45cc8b7f2b43 done
Copying blob 5627e846e80f done
Copying blob 5f6bf015319e done
Copying blob 87212cfd39ea done
Copying blob b89ea354ae59 done
Copying blob 4a939b72e1c6 done
Copying blob d3cbf41efb4e done
Copying blob 4feff1abc28e done
Copying blob 9ff4465d271b done
Copying blob 5e41012b4001 done
Copying blob 410af8b678f6 done
Copying blob 2f26dc40d01f done
Copying blob 1415c9c2e161 done
Copying blob e374de62001e done
Copying blob 94d978ce0b1f done
Copying blob 1fabae8675b6 done
Copying blob 7b088cbebf16 done
Copying blob 4167c1ebbd85 done
Copying config 637552c186 done
Writing manifest to image destination
Storing signatures
ibm-fhir-server-working-container

Tip: Pullinng Fedora

If you need to use Fedora, you can use fedora-minimal.

# buildah from --pull registry.fedoraproject.org/fedora-minimal

To remove the image

$ podman image rm registry.fedoraproject.org/fedora-minimal:34

Tip: Runnning with SELINUX

If you are running with SELINUX, you should set specific selinux permissions.

  1. set the permission
$ setsebool -P container_manage_cgroup 1
  1. Confirm the permission
$ getsebool container_manage_cgroup
container_manage_cgroup --> on

References

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.