Containers are an approach to virtualization that allow a single operating system to host many working configurations, with each working configuration running as a process that is isolated from all other processes, including even the host operating system. Each container comprises a working configuration—or application—and all of its dependencies that are not already available from the host operating system or from another container that is also running on the host operating system.
LXC—Linux containers—eliminate the need for a hypervisor by leveraging a Linux kernel feature called control groups. Control groups allow a Linux-based operating system to isolate CPU, memory, network, file system volumes, and processes into a userspace commonly referred to as a container. This approach to virtualization allows a single operating system to host many working configurations, with each working configuration running in isolation from the other containers and the host itself, without the need for a hypervisor or a guest operating system. Each container comprises a working configuration—or application—and all of its dependencies that are not already available from the host operationg system or from another conttainer.
chef-container is a distribution of the chef-client that includes components designed to support the unique requirements of running the chef-client from within a Linux container.
The best practice for securing credentials like private keys, secrets, and certificates that are used with containers is to not store them within the container images. To support this best practice, knife container by default deletes these files upon the completion of the image build. The process for mounting or otherwise making these files available to the chef-client varies, depending on the solution being used for containers.
Docker is an open-source engine that helps automates the deployment of any working configuration as a lightweight, portable, self-sufficient container. Docker packages a container (a working configuration) into a Docker image, which is then uploaded to the Docker registry. From there, any node that runs the Docker engine can launch this image as a new container. Docker containers can be run anywhere: the same container used by a developer to build and test their code on a laptop can also be run in production, on a virtual machine, a bare-metal server, as part of an OpenStack cluster, and so on. Using Docker helps to
Chef can be used to manage Docker containers, including:
Credentials such as private keys, secrets, and certificates should not be kept in Docker images. By default, secure credentials are deleted after the knife container docker build process is completed. In order for the resulting image to launch properly, the secure credentials must be mounted into the /etc/chef/secure directory. Credentials must be copied into a folder on the host machine, and then mounted into the container using the -v flag of the docker run command: https://docs.docker.com/reference/commandline/cli/#run.
For example, if all secure credentials are located in the /etc/chef-container/secure directory on the Docker host, run the following command:
$$ docker run -d -v /etc/chef-container/secure:/etc/chef/secure:ro NAMESPACE/IMAGE
Use the --include-credentials option with the docker init subcommand to override the default behavior and include these secure credentials in the image. For example:
$ knife container docker init example/apache2 -r 'recipe[apache2]' --include-credentials
You will need to define the container_service for the services defined by the apache2 recipe. These will be managed by the runit init scheme that comes with chef-container. For more information about container_service, see http://docs.getchef.com/containers.html#container-services.
A Dockerfile contains all of the settings needed to use a container with Chef. The following Dockerfile settings are required:
| Setting | Description |
|---|---|
| ADD <src> <dest> | The path to the location from which files are copied (<src>) and the location in the container’s file system (<dest>) to which those same files will be added. Default value: chef/ /etc/chef/. |
| CMD | Use to specify additional parameters to ENTRYPOINT. Default value: --onboot. |
| ENTRYPOINT | Use to specify that a container be run as an executable. This setting may appear only once in a Dockerfile. Default value: ["chef-init"], which will run the container as the chef-client. |
| FROM | The image from which a container will be built. This must be the first setting in a Dockerfile. This value of this setting is the REPO_NAME_OR_IMAGE_NAME value that is specified when using the docker init argument with the knife container subcommand. Default value: chef/ubuntu_12.04. |
| RUN | A command to be run inside the container. There may be more than one command specified. Default value: chef-init --bootstrap. |
For more information about these settings, plus the full list of settings available to a Dockerfile, see http://docs.docker.io/reference/builder/.
The knife container plugin is used to initialize and build containers. Use the knife container docker arguments to initialize containers using Docker.
Note
This plugin requires that Docker be installed on the same machine from which the plugin will be run. See http://docs.docker.com/installation/ for more information about how to install Docker.
Install this plugin
To install the knife-container plugin, run one of the following commands. When using the ChefDK:
$ chef gem install knife-container
and when using RubyGems:
$ /opt/chef/embedded/bin/gem install knife-container
where /opt/chef/embedded/bin/ is the path to the location in which the chef-client looks for Knife plugins. If the chef-client was installed using RubyGems, omit this path.
The docker build argument is used to build a Docker container image.
This argument has the following syntax:
$ knife container docker build NAMESPACE_OR_IMAGE_NAME
This argument has the following options:
The docker init argument is used to set up a Dockerfile context for the local workstation.
This argument has the following syntax:
$ knife container docker init REPO_NAME_OR_IMAGE_NAME
This argument has the following options:
Create a Dockerfile
$ knife container docker init docker -r 'recipe[apache2]' -z -b
will create a directory named docker with a subdirectory named demo in the Chef::Config[:knife][:dockerfiles_path] path. In the docker directory, a subdirectory named chef is created, which contains all of the files and folders that are necessary for the chef-client to run successfully inside a container. The Dockerfile is similar to:
FROM chef/ubuntu_12.04
ADD chef /etc/chef
RUN chef-init --bootstrap
ENTRYPOINT ["chef-init"]
CMD ["--onboot"]
Local mode
$ knife container docker init example/apache2 -r 'recipe[apache2]' -z
will create a directory named example with a subdirectory named demo in the Chef::Config[:knife][:dockerfiles_path] path. In the example directory, a subdirectory named chef is created, which contains all of the files and folders that are necessary for the chef-client to run successfully inside a container.
You will need to define the container_service for the services defined by the apache2 recipe. These will be managed by the runit init scheme that comes with chef-container. For more information about container_service, see http://docs.getchef.com/containers.html#container-services.
Server mode
$ knife container docker init example/apache2 -r 'recipe[apache2]'
will create a directory named example with a subdirectory named demo in the Chef::Config[:knife][:dockerfiles_path] path. In the example directory, a subdirectory named chef is created, which contains all of the files and folders that are necessary for the chef-client to run successfully inside a container.
Include secure credentials in image
To override the default behavior and include secure credentials in an image:
$ knife container docker init example/apache2 -r 'recipe[apache2]' --include-credentials
You will need to define the container_service for the services defined by the apache2 recipe. These are managed by the runit init scheme that comes with chef-container. For more information about container_service, see http://docs.getchef.com/containers.html#container-services.
The service that runit will manage is defined as an attribute of the container. This may be done by editing the first-boot.json file or by adding an attribute to a cookbook.
For example, the first-boot.json file may look similar to:
{
"run_list": [
"recipe[recipe_name]"
],
"container_service": {
"service_resource_name": {
"command": "service_run_command"
}
}
}
where:
For example, if the service is Nginx, the container_service paramaters would be similar to:
{
"run_list": [
"recipe[nginx]"
],
"container_service": {
"nginx": {
"command": "/usr/sbin/nginx -c /etc/conf/nginx.conf"
}
}
}
The container service setting may also be specified using an attributes file in a cookbook. For example:
default['container_service']['service_resource_name']['command'] = 'service_run_command'
or, using the same Nginx example as above:
default['container_service']['nginx']['command'] = '/usr/sbin/nginx -c /etc/conf/nginx.conf'