Skip to main content
Redhat Developers  Logo
  • Products

    Featured

    • Red Hat Enterprise Linux
      Red Hat Enterprise Linux Icon
    • Red Hat OpenShift AI
      Red Hat OpenShift AI
    • Red Hat Enterprise Linux AI
      Linux icon inside of a brain
    • Image mode for Red Hat Enterprise Linux
      RHEL image mode
    • Red Hat OpenShift
      Openshift icon
    • Red Hat Ansible Automation Platform
      Ansible icon
    • Red Hat Developer Hub
      Developer Hub
    • View All Red Hat Products
    • Linux

      • Red Hat Enterprise Linux
      • Image mode for Red Hat Enterprise Linux
      • Red Hat Universal Base Images (UBI)
    • Java runtimes & frameworks

      • JBoss Enterprise Application Platform
      • Red Hat build of OpenJDK
    • Kubernetes

      • Red Hat OpenShift
      • Microsoft Azure Red Hat OpenShift
      • Red Hat OpenShift Virtualization
      • Red Hat OpenShift Lightspeed
    • Integration & App Connectivity

      • Red Hat Build of Apache Camel
      • Red Hat Service Interconnect
      • Red Hat Connectivity Link
    • AI/ML

      • Red Hat OpenShift AI
      • Red Hat Enterprise Linux AI
    • Automation

      • Red Hat Ansible Automation Platform
      • Red Hat Ansible Lightspeed
    • Developer tools

      • Red Hat Trusted Software Supply Chain
      • Podman Desktop
      • Red Hat OpenShift Dev Spaces
    • Developer Sandbox

      Developer Sandbox
      Try Red Hat products and technologies without setup or configuration fees for 30 days with this shared Openshift and Kubernetes cluster.
    • Try at no cost
  • Technologies

    Featured

    • AI/ML
      AI/ML Icon
    • Linux
      Linux Icon
    • Kubernetes
      Cloud icon
    • Automation
      Automation Icon showing arrows moving in a circle around a gear
    • View All Technologies
    • Programming Languages & Frameworks

      • Java
      • Python
      • JavaScript
    • System Design & Architecture

      • Red Hat architecture and design patterns
      • Microservices
      • Event-Driven Architecture
      • Databases
    • Developer Productivity

      • Developer productivity
      • Developer Tools
      • GitOps
    • Secure Development & Architectures

      • Security
      • Secure coding
    • Platform Engineering

      • DevOps
      • DevSecOps
      • Ansible automation for applications and services
    • Automated Data Processing

      • AI/ML
      • Data Science
      • Apache Kafka on Kubernetes
      • View All Technologies
    • Start exploring in the Developer Sandbox for free

      sandbox graphic
      Try Red Hat's products and technologies without setup or configuration.
    • Try at no cost
  • Learn

    Featured

    • Kubernetes & Cloud Native
      Openshift icon
    • Linux
      Rhel icon
    • Automation
      Ansible cloud icon
    • Java
      Java icon
    • AI/ML
      AI/ML Icon
    • View All Learning Resources

    E-Books

    • GitOps Cookbook
    • Podman in Action
    • Kubernetes Operators
    • The Path to GitOps
    • View All E-books

    Cheat Sheets

    • Linux Commands
    • Bash Commands
    • Git
    • systemd Commands
    • View All Cheat Sheets

    Documentation

    • API Catalog
    • Product Documentation
    • Legacy Documentation
    • Red Hat Learning

      Learning image
      Boost your technical skills to expert-level with the help of interactive lessons offered by various Red Hat Learning programs.
    • Explore Red Hat Learning
  • Developer Sandbox

    Developer Sandbox

    • Access Red Hat’s products and technologies without setup or configuration, and start developing quicker than ever before with our new, no-cost sandbox environments.
    • Explore Developer Sandbox

    Featured Developer Sandbox activities

    • Get started with your Developer Sandbox
    • OpenShift virtualization and application modernization using the Developer Sandbox
    • Explore all Developer Sandbox activities

    Ready to start developing apps?

    • Try at no cost
  • Blog
  • Events
  • Videos

Container Images for OpenShift - Part 1: Objectives

 

October 11, 2017
Frédéric Giloux
Related topics:
ContainersKubernetes
Related products:
Red Hat OpenShift Container Platform

Share:

    This is a transcript of a session I gave at EMEA Red Hat Tech Exchange 2017, a gathering of all Red Hat solution architects and consultants across EMEA. It is about considerations and good practices when creating images that will run on OpenShift. The content is structured in a series of four posts:

    • Objectives
    • Structuring your images
    • Making your images consumable
    • Cloud readiness

    This is the first part looking at common objectives associated with the usage of container images. These objectives are to be taken into consideration during the design phase of your images.

    Golden Image

    One of the reasons why containers are seeing so much interest is that they allow packaging an application with all its dependencies in a single deployment unit. This deployment unit, the golden image is then moved from one environment to the next one. You may move it from integration to UAT or from staging to production, for instance. Having all dependencies in a single unit guarantees that what has been validated in a previous stage is also what is being deployed in the next one.

    Before the rise of containers, I have seen companies struggling with application promotion. Some of them had written long and detailed installation procedures that had to be manually and carefully followed. Others had invested a large amount of effort in building automation based on puppet, chief, or python scripts. Further, then the initial effort it also required a significant maintenance effort to deal with evolution and changes. Most of them were experiencing issues here and there. What containers bring is a standard and simple approach to this. Application dependencies: operating system, runtime environment (JVM and like), libraries and some of the configurations are part of the container image, which gets simply used for starting container instances in one or the other environment.

    Reproducible

    Subsequent builds of the image should produce the same result. This is important for having a stable reference that can be used for patches, upgrades and further evolution. This requires that dependencies (libraries or other images) used for creating the container image are uniquely referenced and version.

    Agile Standard Operating Environment

    There are obvious benefits of a level of homogeneity in the enterprise software landscape:

    • Time and cost reduction for maintenance by limiting the number of combinations that may need to be supported.
    • Having a known environment when operations are required. The operator knows what to expect, which may be critical for resolving incidents in a timely fashion.
    • Compliance is easier with a few different environments.
    • It is easier to staff. Employees can more easily move from one domain to another as they rely on the same technologies.

    This should be taken into consideration when defining the image landscape. That said strictly enforced and slow evolving SOE has sometimes become an obstacle to business reactivity. Through reusability and easiness to have a central change applied to multiple targets, container images can help with addressing this aspect.

    Reusability

    It is important to limit the number of places where components get injected into images like frameworks, application servers, drivers, scripts. These may be used for ground functionality, connectivity, monitoring, asset tracking and management, security, etc. The idea is that the components of the SOE are created once. Layering approaches with inheritance and composition may support this. Considering the global image landscape rather than single image individual is important in this respect.

    Maintainability

    The central injection point mentioned in the previous chapter also provides a central point for patching and upgrades. These changes, possibly made available as container images by software providers, need to be automatically cascaded so that maintenance is made straightforward.

    In the pre-container era, I have seen companies struggling with keeping their Java or application servers up-to-date with patches and security fixes. Container technologies combine the possibility to apply changes in a central place with having them rolled out across the software landscape with little efforts and possibly no downtime. This can have a huge effect in term of security and reliability. Therefore images need to be designed with maintainability in mind.

    Resource Efficiency

    A minimal consumption of resources: RAM, CPU, storage is an obvious objective when creating applications, hence the images used for their packaging. It means higher density and reduced cost. Containers have the advantage compared to virtual machines that they share the same kernel instead of creating additional instances. This can be pushed further by having containers sharing layers. This is made possible by following some of the objectives already mentioned: SOE and reusability. This plays a bigger role in term of final RAM and storage usage than the image size per se, although the size does impact the time required for pushing and pulling an image.

    Security

    Besides keeping operating systems, application servers and other libraries patched in a timely fashion with the latest security fixes here are other important aspects in regard to security that need to be taken into consideration during the image creation:

    • Reducing the attack surface: This can be done by limiting what is installed inside the image to only what is required for running the container.
    • Limiting capabilities: Privileged containers should be exceptions undergoing specific security measures. Other capabilities like mounting the host file system, binding host ports or running with a specific user id, which may match a user on the host, should be granted only when no other option is available and after impact in term of security has been scrutinized and risks mitigated.
    • Limited resources: The container image should be built in such a way that it is able to run under limited resources (CPU, RAM, network, storage) so that it may not be a vector for denial of services attacks against the host and other containers running on the same host.

    Resiliency

    PaaS platforms like Kubernetes and OpenShift, its enterprise distribution by Red Hat provide monitoring and self-healing mechanisms. Readiness and liveness probes ensure that:

    • No requests are sent to a container when it is not ready, which in practice means that either it hasn't finished starting, it is terminating or one of its dependencies (database, service) is not available.
    • The container is restarted when its liveness check is unsuccessful. Restarting a container brings it to its initial state, similar to a factory reset.

    As an image designer, your responsibility is to make sound readiness and liveness probes available.

    Another aspect is that when OpenShift wants to terminate a container it first takes the container out of the request processing rotation and sends a SIGTERM signal. It lets time to the application to gracefully shutdown before it is terminated, if the allowed period has expired, by a SIGKILL signal. In this regard the application inside the image should finished processing in-flight requests, release resources and terminate when a SIGTERM signal is received.

    Easy to Consume

    Reusability has already been mentioned as an objective. This can, however, be achieved at a good level only when images are easy to consume, which includes the following aspects:

    • Easiness to extend: By inheriting, composing or making use of extension points. Extension points need however to have been thought of in first place. As an image designer, it is your responsibility to think of how one may want to add capabilities or to customize your image and to make it possible in a simple way.
    • Documentation: This includes documenting the image purpose, its usage but also important aspects of running it like its entry point, used ports, directories where the application may write data, etc. Providing a quick start for your image is also a way to help the end user with understanding how the image is supposed to be used.

    I hope you found this first part interesting. In the following articles, we will see what techniques and approaches are available for achieving the objectives that have been stated here. Stay tuned!

    Last updated: April 3, 2023

    Recent Posts

    • How to run a fraud detection AI model on RHEL CVMs

    • How we use software provenance at Red Hat

    • Alternatives to creating bootc images from scratch

    • How to update OpenStack Services on OpenShift

    • How to integrate vLLM inference into your macOS and iOS apps

    What’s up next?

     

    Red Hat Developers logo LinkedIn YouTube Twitter Facebook

    Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform

    Build

    • Developer Sandbox
    • Developer Tools
    • Interactive Tutorials
    • API Catalog

    Quicklinks

    • Learning Resources
    • E-books
    • Cheat Sheets
    • Blog
    • Events
    • Newsletter

    Communicate

    • About us
    • Contact sales
    • Find a partner
    • Report a website issue
    • Site Status Dashboard
    • Report a security problem

    RED HAT DEVELOPER

    Build here. Go anywhere.

    We serve the builders. The problem solvers who create careers with code.

    Join us if you’re a developer, software engineer, web designer, front-end designer, UX designer, computer scientist, architect, tester, product manager, project manager or team lead.

    Sign me up

    Red Hat legal and privacy links

    • About Red Hat
    • Jobs
    • Events
    • Locations
    • Contact Red Hat
    • Red Hat Blog
    • Inclusion at Red Hat
    • Cool Stuff Store
    • Red Hat Summit

    Red Hat legal and privacy links

    • Privacy statement
    • Terms of use
    • All policies and guidelines
    • Digital accessibility

    Report a website issue