Containerise dependencies required to run tasks in dev workflow #53
banjoh
commented
Apr 25, 2025
- Add tasks to manage container dev environment
- Update documentation to reflect new list of requirements
Signed-off-by: Evans Mungai <[email protected]>
I started to call out everywhere that there is 'docker' and then realized you've labeled that as 'to follow' so I stopped since that's still wip.
applications/wg-easy/Taskfile.yaml
Outdated
# GCP default configuration | ||
GCP_PROJECT: '{{.GCP_PROJECT | default "replicated-qa"}}' | ||
GCP_ZONE: '{{.GCP_ZONE | default "us-central1-a"}}' | ||
VM_NAME: '{{.VM_NAME | default (printf "%s-dev" (or (env "GUSER") "user"))}}' | ||
|
||
# Docker workflow configuration | ||
IMAGE_NAME: ttl.sh/wg-easy-dev |
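Review bot: `IMAGE_NAME: ttl.sh/wg-easy-dev` makes ttl.sh the default even for the real workflow, and ttl.sh is an anonymous, ephemeral registry: images expire, and anyone can push to the same name, so a task that pulls this image has no integrity guarantee and will start failing once the upload ages out. Until the hosting question in this thread is settled, default to building locally, and when an image is hosted, reference it by digest (or at least a versioned tag) from a registry the project controls.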
We really shouldn't be using ttl.sh here, it's fine for development but it needs to be available somewhere else for the actual workflow. Is this currently just for you to test and you intend to move it later?
This is currently for test until we decide on
- if we need to host this image. We need to weigh the need to host the image vs users needing to build the image, which takes a minute.
- what OCI registry - docker hub? replicated? all of the above?
applications/wg-easy/Taskfile.yaml
Outdated
# GCP default configuration | ||
GCP_PROJECT: '{{.GCP_PROJECT | default "replicated-qa"}}' | ||
GCP_ZONE: '{{.GCP_ZONE | default "us-central1-a"}}' | ||
VM_NAME: '{{.VM_NAME | default (printf "%s-dev" (or (env "GUSER") "user"))}}' | ||
|
||
# Docker workflow configuration |
# Docker workflow configuration | |
# Workflow container configuration |
applications/wg-easy/Taskfile.yaml
Outdated
IMAGE_NAME: ttl.sh/wg-easy-dev | ||
CONTAINER_NAME: wg-easy-dev |
In a helm chart you would expect to see:
repository: ttl.sh
Image: wg-easy-dev
tag: latest
Shouldn't we just use the same phrasing here? Maybe
DEV_CONTAINER_REPOSITORY
DEV_CONTAINER_IMAGE
DEV_CONTAINER_TAG
@@ -0,0 +1,68 @@ | |||
# Base image for all shared Dockerfiles for taskfiles |
Why would this live in a subfolder "container" if it's the only thing in that sub-folder?
Do you expect there to be scripts that are added in the future for entrypoints and such that will live here too?
I would like to add an entrypoint script for shell completions etc.
gnupg \ | ||
sudo \ |
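Review bot: `sudo` has no use in a dev container whose tasks, per this thread, never need elevation; drop it together with the sudoers rule further down rather than installing a privilege-escalation tool by default. `gnupg` is only worth keeping if the image actually verifies something with it (apt keyrings or the Helm release signature); otherwise remove it as well to shrink the image and its patch surface.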
Are we using these in the container?
Only `yq` and `jq`. I think the rest can be removed.
sudo \ | ||
|
||
# Install Helm | ||
&& curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash \ |
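Review bot: `curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash` executes an unpinned script from the main branch as it streams, so a truncated download runs a partial script and every rebuild can yield a different Helm. Save the script to a file first, pin a Helm release (the script accepts `--version vX.Y.Z`), and rely on its checksum verification; this also settles the caching question on this hunk, since a pinned version makes the layer reproducible instead of silently drifting.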
Why is this all one big RUN line?
Doesn't this mean that you're forcing the cache to be invalidated if any of these things change rather than only updating the one change? Is there a benefit to it b/c I only see a downside of breaking normal caching behavior.
Since we are not specifying any tool versions, would any of these tools change, leading to the layer being recreated? To update the tool versions, wouldn't it require `docker build --no-cache` anyway?
One, though negligible, difference is the overall image size. It's smaller when using one layer: 1.23GB vs 1.18GB.
# Create a non-root user for better security | ||
RUN groupadd -r devuser \ | ||
&& useradd -r -g devuser -m -s /bin/bash devuser \ | ||
&& echo "devuser ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/devuser |
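Review bot: the `NOPASSWD: ALL` drop-in makes `devuser` root in all but name, as noted above; remove that line and the `sudo` package, and add a `USER devuser` instruction after this block so the tasks actually run unprivileged (creating the account does nothing until `USER` switches to it). With rootless podman the in-container root already maps to the host user, so the non-root user mostly matters when the image runs under docker.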
How does a non-root user provide security when you give it global passwordless sudo? This is root by a different name.
If podman already maps the root UID/GID to the user running the commands is this necessary at all?
Elevated privileges are not required by any of the tasks. I'll clean that up
&& echo "devuser ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/devuser | ||
|
||
# Set working directory | ||
WORKDIR /app |
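Review bot: `WORKDIR /app` disagrees with the run task below, which passes `-w /workspace`; pick one so the image default and the Taskfile agree (the `workspace` name suggested in this thread matches the run task), otherwise anything that relies on the working directory behaves differently under `docker exec` than under the task.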
Personally I'd call this `workspace` or something. App is kind of an overloaded term, but I can take it or leave it; I don't feel strongly about it.
- **yq:** A command-line YAML processor. ([Installation Guide](https://github.com/mikefarah/yq#install)) | ||
- **gcloud CLI:** Google Cloud command-line interface (optional, only required for GCP-specific tasks). ([Installation Guide](https://cloud.google.com/sdk/docs/install)) | ||
- **Standard Unix Utilities:** `find`, `xargs`, `grep`, `awk`, `wc`, `tr`, `cp`, `mv`, `rm`, `mkdir`, `echo`, `sleep`, `test`, `eval` (typically available by default on Linux and macOS). | ||
- **Docker:** Container runtime for local development. ([Installation Guide](https://docs.docker.com/get-docker/)) |
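Review bot: the list now mixes the native toolchain (`yq`, `gcloud`, the Unix utilities) with Docker without saying which path needs which; state that the container workflow needs only a container runtime and that the native path needs the rest, and since the review proposes podman, name the supported runtime(s) rather than only Docker.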
podman
made a PR against this PR branch:
-e USER=devuser \ | ||
-e REPLICATED_API_TOKEN={{ .REPLICATED_API_TOKEN }} \ | ||
-w /workspace \ | ||
{{.IMAGE_NAME}}:{{.IMAGE_TAG}} bash -c 'trap "exit" TERM; while :; do sleep 0.1; done') |
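Review bot: `-e REPLICATED_API_TOKEN={{ .REPLICATED_API_TOKEN }}` interpolates the secret into the `docker run` command line, so it can land in task output, shell history and `ps` listings on the host. Pass it through by name instead (`-e REPLICATED_API_TOKEN`, which docker and podman then read from the caller's environment) or use `--env-file`; the template spacing here also differs from `{{.IMAGE_NAME}}` on the same line.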
{{.IMAGE_NAME}}:{{.IMAGE_TAG}} bash -c 'trap "exit" TERM; while :; do sleep 0.1; done') | |
{{.IMAGE_NAME}}:{{.IMAGE_TAG}} bash -c 'trap "exit 0" TERM INT; sleep infinity & wait') |
There's no need to process something every .1 seconds; just sleep forever and exit on the termination commands.
`& wait` was the bit I needed. I couldn't get SIGTERM to work with `sleep infinity` when running in the container.
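To make the signal behaviour discussed in this thread concrete, here is an added example (not code from the PR or the project) that runs each keep-alive form under `bash -c` the way the Taskfile does, sends it SIGTERM, and reports its exit status and shutdown latency; it substitutes short finite sleeps for `sleep infinity` so nothing is left running after the shell exits.

```shell
#!/bin/sh
# Added example, not part of the PR. bash postpones a trap while a foreground
# child is running, so `trap ...; sleep N` only honours SIGTERM once sleep
# returns; `sleep N & wait` parks the shell in the `wait` builtin, which the
# signal interrupts, so the trap runs immediately. `docker stop` sends SIGTERM
# to PID 1 and falls back to SIGKILL after its grace period, so the latency
# measured here is the difference between a clean stop and a forced kill.

# Run $1 under `bash -c` as the Taskfile does, send SIGTERM after one second
# and print "<exit status> <whole seconds from signal to exit>".
keepalive_shutdown() {
    bash -c "$1" </dev/null >/dev/null 2>&1 &
    pid=$!
    sleep 1                       # give bash time to install its trap
    start=$(date +%s)
    kill -s TERM "$pid"
    status=0
    wait "$pid" || status=$?      # wait reports the shell's exit status
    echo "$status $(( $(date +%s) - start ))"
}

# Demo of the three forms from the review thread (short finite sleeps stand in
# for `sleep infinity` so nothing lingers after the shell exits). Set
# KEEPALIVE_DEMO=1 to print, in order: about 0s, about 3s, about 0s.
if [ "${KEEPALIVE_DEMO:-0}" = 1 ]; then
    for cmd in \
        'trap "exit" TERM; while :; do sleep 0.1; done' \
        'trap "exit 0" TERM INT; sleep 4' \
        'trap "exit 0" TERM INT; sleep 4 & wait'
    do
        echo "$cmd -> $(keepalive_shutdown "$cmd")"
    done
fi
```

Run it as `KEEPALIVE_DEMO=1 sh keepalive.sh`; the middle line shows the foreground form only exiting once its sleep ends, which in a container means `docker stop` waits out its timeout.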
Signed-off-by: Scott Rigby <[email protected]>