Home > Blog > Using Docker Containers - Part 1 - Build a Full Fledged Nuxeo Image

Using Docker Containers – Part 1 – Build a Full Fledged Nuxeo Image

homepage-docker-logoI have been toying around a bit with Docker recently. It’s an open source project to easily create lightweight, portable, self-sufficient containers from any application. The same container that a developer builds and tests on a laptop can run at scale, in production, on VMs, bare metal, OpenStack clusters, public clouds and more. An open source project to pack, ship and run any application as a lightweight container.

If you haven’t tried Docker yet, I invite you to do so. They have a neat getting started page.

Why Docker?

There could be a lot of reasons to use it at Nuxeo. Here are a few I have been thinking about:

  • Jenkins on demand build slaves
  • Cloud deployment (obviously)
  • Remote/unified dev environments
  • On demand converters for Nuxeo

Hence the Part 1 in the title. I can’t tell you when this will end, but I can tell you there will be more :-)

Anyway, I started doing a Nuxeo image. The Docker way would be to have an image for each process (apache2, postgresql, nuxeoctl) but I wanted to start with an all-inclusive image. I thought it would be simpler. :-)

And it is indeed quite simple once you know your way around the supervision tool. Because when you run a Docker image, you can only run one process. So you have to use tools like Supervisor in order to run more processes. I have chosen Supervisor because it was the most widely used as far as I could see on the web. So my first working image contained everything needed to run Nuxeo and used Supervisor to launch everything. And everything was in a single Dockerfile.

A Dockerfile is like a recipe to build an image. It contains a list of steps that are all versioned. Differences between each step of the image are stored on the filesystem. That means that if you add a new step at the end, for instance, you don’t have to go through all the steps again.

Putting every step in a single file is of course not the best way to do it when you want to do different Nuxeo images. For continuous integration, for example, I will need an image with H2, one with PostgreSQL, one with MySQL etc… So I started splitting my Dockerfile to have something more modular. Here’s the result.

The Base Image

The purpose of this image it to give you an up to date Ubuntu distribution with all the dependencies needed by Nuxeo, a nuxeo user and Supervisor to manage your processes. This will be the basis for the next images to build.

[bash]
# Nuxeo Base image is a ubuntu precise image with all the dependencies needed by Nuxeo Platform
#
# VERSION 0.0.1

FROM ubuntu:precise
MAINTAINER Laurent Doguin <ldoguin@nuxeo.com>

# Set locale
RUN locale-gen –no-purge en_US.UTF-8
ENV LC_ALL en_US.UTF-8

# Install dependencies
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get install -y python-software-properties wget sudo net-tools

RUN echo "deb http://archive.ubuntu.com/ubuntu precise main universe" > /etc/apt/sources.list

# Add Nuxeo Repository
RUN apt-add-repository "deb http://apt.nuxeo.org/ precise fasttracks"
RUN wget -q -O – http://apt.nuxeo.org/nuxeo.key | apt-key add –

# Upgrade Ubuntu
RUN apt-get update
RUN apt-get upgrade -y

# Small trick to Install fuse(libreoffice dependency) because of container permission issue.
RUN apt-get -y install fuse || true
RUN rm -rf /var/lib/dpkg/info/fuse.postinst
RUN apt-get -y install fuse

# Install Nuxeo Dependencies
RUN sudo apt-get install -y acpid openjdk-7-jdk libreoffice imagemagick poppler-utils ffmpeg ffmpeg2theora ufraw libwpd-tools perl locales pwgen dialog supervisor unzip vim

RUN mkdir -p /var/log/supervisor

# create Nuxeo user
RUN useradd -m -d /home/nuxeo -p nuxeo nuxeo && adduser nuxeo sudo && chsh -s /bin/bash nuxeo
ENV NUXEO_USER nuxeo

[/bash]

To build this image, get into the folder containing the Dockerfile and run:

[bash]
docker build -t nuxeo/nuxeobase .
[/bash]

It’s always good to use the -t option and give a name to the images you build. It’s even more important since it will be used in the next image.

Note that running this image won’t get you anywhere, there is no Nuxeo installed on it.

An All Inclusive Nuxeo Image

This Docker image is based on the work Mathieu did for our VM. I had to adapt one or two things but it’s really close to the original. I mostly added supervisor since I have this one process limitation. Here’s the configuration I used:

[bash]
[supervisord]
nodaemon=true

[program:sshd]
command=/usr/sbin/sshd -D

[program:apache2]
command=/bin/bash -c "source /etc/apache2/envvars && /usr/sbin/apache2 -DFOREGROUND"
redirect_stderr=true

[program:postgresql]
user=postgres
command=/usr/lib/postgresql/9.3/bin/postgres -D /var/lib/postgresql/9.3/nuxeodb -c config_file=/etc/postgresql/9.3/nuxeodb/postgresql.conf
redirect_stderr=true
autorestart=true

[eventlistener:pgListener]
command=python pgListener.py
events=PROCESS_STATE_RUNNING
numprocs=1

[/bash]

It will run Apache, PostgreSQL and the ssh daemon. But as you can see there is still no trace of a Nuxeo process. It will actually be launched by the pgListener event listener. It’s a python script that waits for the postgresql process to be running. The code is pretty simple as you can see. You just have to use the Supervisor Python API to read Supervisor events. Once the event saying the postgresql process entered the running state occurs, the firstboot.sh script is launched.

[python]
#!/usr/bin/env python

import os
import sys

from supervisor import childutils

def main():
while 1:
headers, payload = childutils.listener.wait()
if headers['eventname'].startswith(‘PROCESS_STATE_RUNNING’):
pheaders, pdata = childutils.eventdata(payload+’n’)
if pheaders['processname'] == "postgresql":
os.system("sh /root/firstboot.sh")
break

childutils.listener.ok()

if __name__ == ‘__main__':
main()
[/python]

Now about the firstboot.sh script. It configures the database if it has not been done already and starts Nuxeo.

[bash]
#!/bin/bash

# Prevent firstboot from being executed twice
if [ -f /root/firstboot_done ]; then
su $NUXEO_USER -m -c "$NUXEOCTL –quiet restart"
exit 0
fi

# PostgreSQL setup

pgpass=$(pwgen -c1)

su postgres -c "psql -p 5432 template1 –quiet -t -f-" << EOF > /dev/null
CREATE USER nuxeo WITH PASSWORD ‘$pgpass';
CREATE LANGUAGE plpgsql;
CREATE FUNCTION pg_catalog.text(integer) RETURNS text STRICT IMMUTABLE LANGUAGE SQL AS ‘SELECT textin(int4out($1));';
CREATE CAST (integer AS text) WITH FUNCTION pg_catalog.text(integer) AS IMPLICIT;
COMMENT ON FUNCTION pg_catalog.text(integer) IS ‘convert integer to text';
CREATE FUNCTION pg_catalog.text(bigint) RETURNS text STRICT IMMUTABLE LANGUAGE SQL AS ‘SELECT textin(int8out($1));';
CREATE CAST (bigint AS text) WITH FUNCTION pg_catalog.text(bigint) AS IMPLICIT;
COMMENT ON FUNCTION pg_catalog.text(bigint) IS ‘convert bigint to text';
EOF

su postgres -c "createdb -p 5432 -O nuxeo -E UTF-8 nuxeo"

# Nuxeo setup

cat << EOF >> /etc/nuxeo/nuxeo.conf
nuxeo.templates=postgresql
nuxeo.db.host=localhost
nuxeo.db.port=5432
nuxeo.db.name=nuxeo
nuxeo.db.user=nuxeo
nuxeo.db.password=$pgpass
EOF

su $NUXEO_USER -m -c "$NUXEOCTL –quiet restart"
# Prevent firstboot from being executed twice
touch /root/firstboot_done

[/bash]

Now about the Dockerfile. Notice the first line that says FROM nuxeo/nuxeobase. It’s the name of the image built earlier. Then what happens is we download the latest LTS, set up environment variables, install PostgreSQL, Apache and the OpenSSH server. Once this is done we add different configuration files and scripts. Supervisor.conf and nuxeo.apache2 are respectively the Supervisor configuration and the Apache configuration. I have already told you about pgListener.py and firstboot.sh. What about the two others?

Postinst.sh is dedicated to configuration. We use it to extract Nuxeo from its archive, create the various files and folders needed (like /etc/nuxeo/, /var/lib/nuxeo, etc..), setup the good permissions, modify nuxeo.conf, drop the main PostgreSQL cluster and create our own nuxeodb cluster and setup Apache.

Entrypoint.sh is run each time you start the Docker container thanks to the ENTRYPOINT command. I use it to re-generate the ssh keys and set a random password if it has not already been done. Then I echo the password and run what’s been given as CMD using exec “$@”

I am not sure if it’s supposed to be used like that, but it allows me to display the password and keep flexibility through CMD, because if you don’t want to run supervisiond directly, you can give /bin/bash at the end of your docker run command.

[bash]
# Nuxeo Platform
#
# VERSION 0.0.1

FROM nuxeo/nuxeobase
MAINTAINER Laurent Doguin <ldoguin@nuxeo.com>

# Download latest LTS nuxeo version
RUN wget http://community.nuxeo.com/static/releases/nuxeo-5.8/nuxeo-cap-5.8-tomcat.zip && mv nuxeo-cap-5.8-tomcat.zip nuxeo-distribution.zip

ENV NUXEOCTL /var/lib/nuxeo/server/bin/nuxeoctl
ENV NUXEO_CONF /etc/nuxeo/nuxeo.conf

# Add postgresql Repository
RUN apt-add-repository "deb http://apt.postgresql.org/pub/repos/apt/ precise-pgdg main"
RUN wget -q -O – https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add –

# Install apache and ssh server
RUN sudo apt-get install -y openssh-server apache2 postgresql-9.3
RUN mkdir -p /var/run/sshd

ADD supervisord.conf /etc/supervisor/conf.d/supervisord.conf
ADD nuxeo.apache2 /etc/apache2/sites-available/nuxeo
ADD postinst.sh /root/postinst.sh
ADD firstboot.sh /root/firstboot.sh
ADD entrypoint.sh /entrypoint.sh
ADD pgListener.py pgListener.py

RUN /root/postinst.sh

EXPOSE 22 80
ENTRYPOINT ["/entrypoint.sh"]
CMD ["/usr/bin/supervisord"]

[/bash]

You can run it like this:

[bash]
docker run -P -d nuxeo/nuxeo
[/bash]

Now your container should be running, let’s see if this is true. Typing docker ps should output something like this:

[bash]
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
02717b82d503 nuxeo/nuxeo:latest /entrypoint.sh /usr/ 5 seconds ago Up 4 seconds 0.0.0.0:49153->22/tcp, 0.0.0.0:49154->80/tcp sick_tesla
[/bash]

Thanks to the -P option used in the run command, all the exposed ports are mapped automatically. So if you go to yourDockerHost:49154 with a web browser, you’ll have the running Nuxeo instance.

Now for some reason, like say debugging, you might want to open an ssh session to the server. We already have the port thanks to docker ps. Now we need the password. It’s in the logs thanks to the entrypoint.sh script, so if you type docker logs 02717b82d503, 02717b82d503 being the container id, you should see something like:

[bash]
Creating SSH2 RSA key; this may take some time …
Creating SSH2 DSA key; this may take some time …
Creating SSH2 ECDSA key; this may take some time …
start: Unable to connect to Upstart: Failed to connect to socket /com/ubuntu/upstart: Connection refused
Default password for the root and nuxeo users: EzeegaiN
2014-01-16 16:11:52,410 CRIT Supervisor running as root (no user in config file)
2014-01-16 16:11:52,410 WARN Included extra file "/etc/supervisor/conf.d/supervisord.conf" during parsing
2014-01-16 16:11:52,436 INFO RPC interface ‘supervisor’ initialized
2014-01-16 16:11:52,436 WARN cElementTree not installed, using slower XML parser for XML-RPC
2014-01-16 16:11:52,437 CRIT Server ‘unix_http_server’ running without any HTTP authentication checking
2014-01-16 16:11:52,437 INFO supervisord started with pid 1
2014-01-16 16:11:53,439 INFO spawned: ‘pgListener’ with pid 70
2014-01-16 16:11:53,441 INFO spawned: ‘sshd’ with pid 71
2014-01-16 16:11:53,443 INFO spawned: ‘postgresql’ with pid 72
2014-01-16 16:11:53,445 INFO spawned: ‘apache2′ with pid 73
2014-01-16 16:11:54,737 INFO success: pgListener entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2014-01-16 16:11:54,738 INFO success: sshd entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2014-01-16 16:11:54,739 INFO success: postgresql entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2014-01-16 16:11:54,739 INFO success: apache2 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2014-01-16 16:12:05,617 INFO exited: pgListener (exit status 0; expected)
[/bash]

The password is on the fifth line. So now you can do something like ssh nuxeo@yourDockerHost -p 49153 and open a session to your container.

And there you go now you have a fully functional docker container to test Nuxeo.

Document
Management
with the
Nuxeo Platform Watch the webinar >
img
img
img
img
Tagged : docker

18 thoughts on “Using Docker Containers – Part 1 – Build a Full Fledged Nuxeo Image

  1. Great post Laurent. Some of the files are posted on the article, but is there anywhere I can get all of the files you use in the nuxeo/nuxeo Dockerfile?

  2. Great post Laurent. Some of the files are posted on the article, but is there anywhere I can get all of the files you use in the nuxeo/nuxeo Dockerfile?

  3. Hi Laurent,

    supervisord (at least on my installation) seems to be killing child sshd processes and i’m struggling to find how modify this behaviour in it’s configuration. Could you please point me the right direction ?

    2014-01-18 23:38:06,263 INFO spawned: ‘sshd’ with pid 10
    2014-01-18 23:38:07,266 INFO success: sshd entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
    2014-01-18 23:48:41,739 CRIT reaped unknown pid 12)
    2014-01-18 23:49:23,535 CRIT reaped unknown pid 38)

  4. Hi Laurent,

    supervisord (at least on my installation) seems to be killing child sshd processes and i’m struggling to find how modify this behaviour in it’s configuration. Could you please point me the right direction ?

    2014-01-18 23:38:06,263 INFO spawned: ‘sshd’ with pid 10
    2014-01-18 23:38:07,266 INFO success: sshd entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
    2014-01-18 23:48:41,739 CRIT reaped unknown pid 12)
    2014-01-18 23:49:23,535 CRIT reaped unknown pid 38)

  5. HI Jan, I try reproducing this with only sshd in my supervisor.conf but could not. And I must say I am not a supervisor expert :-) Can you show us your ocnfiguration?

  6. HI Jan, I try reproducing this with only sshd in my supervisor.conf but could not. And I must say I am not a supervisor expert :-) Can you show us your ocnfiguration?

  7. Laurent, I am trying to understand the point of docker. From what I can understand, it allows one to create a container that mimics a full fledged OS but with resource limits. And it is built upon technology provided by LXC http://linuxcontainers.org/ Once I have a docker image built, what can I do with it ? Does it make sense to run it on EC2 for example ?

  8. Laurent, I am trying to understand the point of docker. From what I can understand, it allows one to create a container that mimics a full fledged OS but with resource limits. And it is built upon technology provided by LXC http://linuxcontainers.org/ Once I have a docker image built, what can I do with it ? Does it make sense to run it on EC2 for example ?

  9. You can run it on any machine that has docker installed on it. So you could take a big EC2 instance, install docker on it and then deploy and use any Docker image you want. And you can choose any other machine than EC2, as long as it has docker on it.

  10. You can run it on any machine that has docker installed on it. So you could take a big EC2 instance, install docker on it and then deploy and use any Docker image you want. And you can choose any other machine than EC2, as long as it has docker on it.

  11. Cool stuff Laurent, small suggestion: always add a: RUN apt-get update -y before doing any install This will make sure your image will have the latest software, and not be dependent on the versions that come with the base ubuntu:precise layer. (and I mean before line 14 of the Base image, I did notice you do it later on… )

  12. Cool stuff Laurent, small suggestion: always add a: RUN apt-get update -y before doing any install This will make sure your image will have the latest software, and not be dependent on the versions that come with the base ubuntu:precise layer. (and I mean before line 14 of the Base image, I did notice you do it later on… )

  13. This problem occurs when sshd hasn’t generated host keys. The first time that ‘service sshd start’ is executed, it generates some host keys. Unfortunately, running sshd daemon directly (rather than via the init.d script) skips the host key generation step.

    In your dockerfile, use (note that all containers will have the same host key):
    RUN service sshd start && service sshd stop

  14. This problem occurs when sshd hasn’t generated host keys. The first time that ‘service sshd start’ is executed, it generates some host keys. Unfortunately, running sshd daemon directly (rather than via the init.d script) skips the host key generation step.

    In your dockerfile, use (note that all containers will have the same host key):
    RUN service sshd start && service sshd stop

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>