Similar to docker build -t.

@raggi gave me this idea over twitter.

Basically, we would have this debug or similar verb within the statement that would actually perform a docker attach with a bourne (or maybe changeable?) shell for inspection purposes. This layer would then be committed after exit and the build would continue. If it exits non-zero, it will abort the build like it always does.

Example:

from "debian"
run "echo foo > bar"
debug # shell started, stdin attached, build suspended
run "another command"

I think this could be done trivially by partitioning how the run command works a bit more, the attach+exec are currently coupled: https://github.com/erikh/box/blob/master/builder/executor/docker/docker.go#L254-L263 is the code. This way the run code could largely be re-used as long as we appropriately attach stdin in the debug case.

I also think a flag to enable/disable the verb would be useful, but I think that befits another ticket.

This keyword would accept a source filename, target filename, and a map of parameters. The parameters would be included into a go or erb template (torn on this; go would be much simpler and erb would be more familiar to devops-y types) which would then be copied into the container.

example:

template "hosts.tmpl", "/etc/hosts", hosts: ["127.0.0.1 localhost"]

I'd like to be able to flatten the layers created by box as a layer on top of the base image in the from clause.

This would allow tenancy with multiple services using the the same base image without worker nodes needing to download the entire contents of the base image over and over again with each new release of the container. This would be entirely opt-in by means of explicitly telling flatten to do this.

EX:

from "centos:7"

# install some packages, etc
# set up a service to run

flatten :onTop

WIP, this'll probably be edited a few times.

Right now flatten does a few things wrong:

• it merges the from image with the rest of the images; that's probably not what people want most of the time (although the option should be added in at some point)
• it cannot scope what is flattened and what is not, e.g., flatten two run statements into one, but leave the next copy statement alone.
• it cannot influence the cache, and any post-flattening commands will have their cache invalidated.

Proposal:

Surface-wise, we need to extend the flatten statement itself.

flatten "cacheKey" do
  run "foo"
  run "bar"
end

The cache key can be literally supplied as an argument. Corresponding with a cache key of some sort (this could be derived from environment, local files, other container's files, etc to ensure cache validation occurs safely) could influence the cache in a way that was safe to handle for multiple invocations of each run without corrupting or otherwise poorly influencing the cache. This, however, is completely driven by the end user and could lead to some very bad abuses, consistency problems in their internal build systems, etc. Maybe this should be a separate block statement so it can be filtered without losing flatten functionality.

Block mode is shown here which would allow all the statements inside the flatten to be flattened. Blocks should not be required and it is assumed that flatten without a block will flatten everything to the container before the run statement.

Internals-wise, we need to do two things:

• solve #33
• implement a layer recording device, since 99% of this is here already I don't think it'll take too much effort.
• flatten hooks into new executor calls: FlattenAll() and FlattenLast(n int) which flattens the entire run or the last n elements in the run respectively.

All of the above should satisfy our flatten needs. The full flatten can have the from omitted for free if we track only the layers we created.

Here is the problem: https://github.com/erikh/box/blob/master/builder/verbs.go#L405

Notably, there is no signal handler for copy operations that delete files. Once the signal is handled, the defer never fires and voila, files in /tmp.

Making a note of this for later.

Multi-Build mode is a feature I'm working on that will just let you specify multiple build plans at the same time with the same working dir and it will build them all at once.

Right now I have a small prototype in the multi-mode branch. It does not organize output and is a very naive approach to it, but it does build multiple images at once.

It should probably be extended to do a few things beyond what box already does:

• One line per build, with a count of how many instructions it's been through (I don't think we'll have a count of the total instructions, but this is better than nothing). No statement output.
• Disable debug
• Failed builds should not terminate the program but instead indicate on their build line. At the end of all containers building, it should error.

It'd look something like this:

$ box build.rb build2.rb build3.rb

* build.rb: 42 statements processed
* build2.rb: 7 statements processed
* build3.rb: error: error message here!

https://travis-ci.org/PonyvilleFM/aura/builds/194235237#L1

run like this: PonyvilleFM/aura@90467a5

Essentially one of major limitation of Dockerfile for me had been that the only way to achieve reusability is to either write a shell script, or create an image. I cannot see any example of loading helper methods from another file, is it just like you'd expect it to work in Ruby or I'd have to do something special? (I wouldn't need gems, although would be nice to be able to share stuff, but local libraries would a great option).

> docker inspect wordpress
...
            "Image": "sha256:4bc7f70a42b0858b60fc0e780fabb387c8934faf4bf626876b40e7e1a665485d",
            "Volumes": {
                "/var/www/html": {}
            },
            "WorkingDir": "/var/www/html",
...
> cat wordpress-import.rb
from "wordpress"

inside "/tmp" do
  run "mkdir -p site"
  run "touch site/foo"
end

run "cp -vr /tmp/site /srv/site"
run "cp -vr /tmp/site site"

debug

tag "wordpress-import"
> make wordpress-import
docker run --rm -ti \
	  -v /Users/ilya/Code/wordepress/src/github.com/weaveworks/wordepress/wordpress.local/tools:/Users/ilya/Code/wordepress/src/github.com/weaveworks/wordepress/wordpress.local/tools \
	  -v /var/run/docker.sock:/var/run/docker.sock \
	  -w /Users/ilya/Code/wordepress/src/github.com/weaveworks/wordepress/wordpress.local/tools \
	    erikh/box:latest wordpress-import.rb
+++ Execute: from wordpress
+++ Execute: inside /tmp
+++ Execute: run mkdir -p site
+++ Cache hit: using "sha256:8dc8c36d6ac030bc14db3f799547637592b75971fdf27638de3a308ce6279dc2"
+++ Execute: run touch site/foo
+++ Cache hit: using "sha256:93e26e0bf7d923190a3d37d7e8d7b686922f059657e83594c80f8ab2bdd2ee30"
+++ Execute: run cp -vr /tmp/site /srv/site
------ BEGIN OUTPUT ------
'/tmp/site' -> '/srv/site'
'/tmp/site/foo' -> '/srv/site/foo'
------- END OUTPUT -------
+++ Execute: run cp -vr /tmp/site site
------ BEGIN OUTPUT ------
'/tmp/site' -> 'site'
'/tmp/site/foo' -> 'site/foo'
------- END OUTPUT -------
+++ Execute: debug 
root@b5ba1083dad3:/var/www/html# ls site
ls: cannot access site: No such file or directory
root@b5ba1083dad3:/var/www/html# ls -la
total 8
drwxr-xr-x 2 www-data www-data 4096 Dec  1 14:51 .
drwxr-xr-x 4 root     root     4096 Nov  8 23:22 ..
root@b5ba1083dad3:/var/www/html# ls -la /srv/site
total 8
drwxr-xr-x 2 root root 4096 Dec  1 14:51 .
drwxr-xr-x 3 root root 4096 Dec  1 14:51 ..
-rw-r--r-- 1 root root    0 Dec  1 14:51 foo
root@b5ba1083dad3:/var/www/html#

...I happen to hit https://github.com/erikh/box/issues/54 every other time with this plan.

Since porting to docker/docker/pkg/archive

Hi,

I just discovered box and I love it, to show it to my friends easily, I just create a Formula for Homebrew, the OSX package tools.

Now you can install the last version of box with brew install nikkau/tools/box.

Maybe you can create an "official" Homerew Tap for box?

It's easy : http://docs.brew.sh/How-to-Create-and-Maintain-a-Tap.html
And you can C/C my Formula to save time : https://github.com/Nikkau/homebrew-tools/blob/master/Formula/box.rb

Related to #5

The cause of this is again moby/moby#21651 but we're doing something different here that we can work around by using other APIs.

This is potentially possible to hack around by using ContainerExport, tar it back up, attach it to an image manifest, and upload it with ImageImport.

I'm working on an impl of this now, but it may take a bit. Jotting it down here in case anyone sees the problem and wants to report on it.

https://github.com/erikh/box/blob/master/multi/multi_test.go pulls the ubuntu image. This image is pretty big.

This needs to be modified to use alpine.

If a tty isn't present, the output from run, etc may not be very nice. If a tty is not present we should:

• display more useful text in from invocation
• run option should not be passed TTY flags.

We should also make this a runtime flag.

https://travis-ci.org/erikh/box/builds/170988759 exhibits the issue.

Google Cloud Builder would be a good candidate for fully-remote builder/executor implementation, it supports async and parallel modes, but it's probably easier to start with a serial implementation.
I'm still learning how GCB works in a another project, will update once I have more info.

basically, this would allow your build plan to generate an image based on your host filesystem. Presumably this would only work on linux hosts.

Not sure how possible this is, but I'd like to try.

For example .env files explictly NOT being copied.

Pulls are covered because of the API, but actual downloads of images and uploads of them to docker are currently silent and take some time.

The dockerfile parser is well segmented from the rest of the docker codebase. Extract the parser and apply it to box's executor interface (docker integration only for now).

Omit statements that we don't support, like VOLUME.

This would enable the exploration of different ideas around the build process. It would also make it possible to produce images for runc.

This is a problem with the release process, need to fix it so making a note here.

Basically, copy always copies as root right now. If we getuid/getgid a username inside the container right before copying it, we can modify the tar data at just the right time, allowing this to happen appropriately.

This is a fair bit of work.

Many containers build code in some fashion during their construction. However, for convenience reasons build tools are often left inside the resulting container image. This is not ideal. It would be nice if box provided a convenient way to remove the excess layers.

Some ways of accomplishing this that I can see are:

1. Build an artifact in one container but move that layer to be based on a different image at the end -- effectively omitting intermediate layers.
2. Allow a way to flatten an image with a whitelist directory. E.g. "Flatten all these layers, and only keep files from this particular directory."
3. Allow some layers to be specified as ephemeral. These layers could be removed at the end of a build with parents relinked appropriately by box.

REPL mode that lets you enter commands one at a time and commits as-you-go. This would also include a few new verbs:

• reset <sha> reset to a known sha
• rewind reset to the last sha
• inspect shows data about the current layer
• shell gets a shell in a fresh container at the current layer

in particular, the combination of run and user behaves this way:

run "useradd -m -s /bin/bash terraform"
user "terraform"

Not sure why yet. It could be related to this image not having a cmd or entrypoint and some inheritance issues are happening.

This is related to a design flaw in go-mruby which needs to be patched to change the automatic conversion functions to return errors when conversions cannot occur. Right now, it dereferences a null pointer.

This will take some work and I will reference the relevant issues here, I just wanted to make a note of it for users who are new to the platform.

I've seen this:

[Boxfile] !!! Error: Rel: can't make . relative to ../../examples

...and it was in my project, so I've worked around it.
But my project has vendor/github.com/docker/docker and that resulted in:

[Boxfile] !!! Error: Rel: can't make . relative to ../../../contrib/init/sysvinit-debian/docker.default

I've tried using ignore_list, but it didn't seem to work, so I ended-up deleting those symlinks manually.

I'm looking into fixing this.

When using debug command, I see this once in a while:

+++ Run Error: read unix @->/var/run/docker.sock: use of closed network connection

!!! Error: Could not remove intermediate container "11f3be63b86811762ceb4084c2344816364d78a1afd59b7d129f0def2c3c222e": Error response from daemon: No such container: 11f3be63b86811762ceb4084c2344816364d78a1afd59b7d129f0def2c3c222e
make: *** [wordpress-import] Error 1

Sometimes it only complains about the socket and doesn't complain about removing intermediate container:

+++ Run Error: write unix @->/var/run/docker.sock: use of closed network connection

+++ Tagged: wordpress-import

+++ Eval Response: sha256:1178c61d6a163aff1ca54b3b22fc2f134e75474c9ac3e97cd414f7bb38599482
+++ Finish: 1178c61d6a163aff1ca54b3b22fc2f134e75474c9ac3e97cd414f7bb38599482

It happens either before I get the debug shell, or once I exit it.

Right now the copy progress meter will overrun the line, repeating output in a very annoying fashion until on the interval until the copy is finished.

The problem is that we aren't counting the amount of text in plain text (as opposed to ansi colored) for calculating the length of the string, instead we are counting escape codes and that is bad.

A pure fix would be to get the logger to yield this information instead of parsing it out, but tracking it might not be worth the trouble too. Dunno.

Would be great to be able to set labels, e.g. org.label-schema.vcs-url and org.label-schema.vcs-ref are quite useful for implementing CD etc.

One options to consider is that labels may be passed to tag, as you might want to associate different sets of labels with different tags. It'd make a lot of sense with how we can already set tags as we progress through a build plan.

def build_base_image
end

def enable feature
end

build_base_image

rev = getenv("GIT_COMMIT")
feature = getenv("BUILD_FEATURES").slip(",")

labels = {
  "org.label-schema.vcs-ref" => rev
}

tag "foo:minimal-#{rev}", with_labels: labels

features.each do |feature|
  enable feature
  labels["org.example.features.#{feature}"] = true
end

tag "foo:full-#{rev}", with_labels: labels

Command line option to remove verbs/funcs from the builder so that they cannot be used and will abort the build. This allows users to tune their level of comfort with some of the power that box provides.

I'm seeing this on Docker for Mac 1.13.1-beta42 (15350). I've not reported upstream yet, seems like it needs a bit more investigation.

setexec takes a key/value pair with two potential elements:

• entrypoint: a description of the entrypoint in array form
• cmd: a description of the cmd in array form

This is to prevent races in statements where the entrypoint and cmd could trump each other out of existence. This behavior is really confusing. This statement puts them both into one, allowing the user to set them carefully at the same time.

Right now, if a filename is not provided it listens to stdin for instructions.

In practice, this is ineffective. We'll implement a repl instead per #13 which will solve this problem for most people; the rest can use /dev/stdin or equivalent.

This would make it possible to tag the image after the build.

after { tag "foo" }

With this plan:

from "wordpress"

inside "/tmp" do
  %w(code files).each { |t| copy "./pantheon-data/#{t}.tar.gz", "./pantheon-data/#{t}.tar.gz" }
  run "mkdir -p /srv/site/wp-content/uploads"
  run "tar xzf pantheon-data/code.tar.gz -C /srv/site --strip-components=1"
  run "tar xzf pantheon-data/files.tar.gz -C /srv/site/wp-content/uploads --strip-components=1"
  run "chown www-data -R /srv/site"
  run "rm -rfv pantheon-data"
end

inside "/etc/apache2/sites-available" do
  run "sed 's|\\(DocumentRoot\\ \\)/var/www/html|\\1/srv/site|' -i 000-default.conf default-ssl.conf"
end

workdir "/srv/site"

flatten

tag "wordpress-snapshot"

I somehow end-up with "Cmd": [ "rm -rfv pantheon-data" ]...

The export function would replace the tag verb (which does not actually create a layer). It would be responsible for all image authoring outside of docker commit; additionally:

• saving to file
• tagging images
• converting images to other formats that are not docker (e.g., OCI)

Something like this:

export type: "docker", tag: "foo"
# or
export type: "oci", tag: "foo-oci", file: "foo-oci.tar.gz"

Again, this would replace the tag verb and the tag verb would be rendered obsolete in 0.6 or so.

Please comment! I would love to hear feedback specifically on this feature.

Either directly with go or use something like bats. We need to evaluate:

• tty mode
• debug mode (when available)
• all flags
• running in various execution contexts

We don't do this right now. We should clean up any running containers.

Right now if you specify a path, it will be coerced into a relative path. If you specify a relative path with a higher level directory as its target such as .., it will traverse and copy everything underneath it into the container.

I don't really think this is the best idea.

Also rethink how we handle output right now.