openSUSE Ansible test container

Welcome to SUSE Hackweek 2021! I’m working on some Ansible roles and need a custom openSUSE Leap based container to test them. The container should

  • run systemd
  • include some developer tools (e.g. python, curl, vim)

The aim of the container is to mimic an openSUSE Leap system that contains the bare essentials of a typical host system. I’ll run my Ansible roles against this container. Ansible is going to install packages, modify the system configuration, enable services and start some server applications.

In this blog post we’ll cover how to create a custom openSUSE container with podman. It also works with docker: simply replace podman with docker.

Create custom openSUSE container

We’ll work from my requirements, which are systemd, python, curl and vim. The following Dockerfile is all you need. You might need to adapt the RUN zypper line to your needs:

# Dockerfile

FROM opensuse/leap
LABEL maintainer="phoenix"
LABEL description="openSUSE Leap container for Ansible testing"

# Adjust to your needs. The zypper cache is cleared in the same RUN step,
# so it is never stored in an image layer.
RUN zypper in -y systemd systemd-sysvinit python python-pip python3 python3-pip curl less vim \
    && rm -rf /var/cache/zypp/*

# Start container with systemd
ENTRYPOINT ["/sbin/init"]

Create a file called Dockerfile in a new directory. This file contains the recipe to build the new container.

Build and run

In the same directory as the Dockerfile run the following command to build the container:

$ podman build -t feldspaten/leap-ansible .

After successful build you can run the container with

$ podman run -d --tmpfs /tmp --tmpfs /run -v /sys/fs/cgroup/:/sys/fs/cgroup:ro --stop-signal SIGRTMIN+3 --name testcontainer feldspaten/leap-ansible

The required arguments are:

  • --tmpfs /tmp --tmpfs /run are expected by systemd
  • -v /sys/fs/cgroup/:/sys/fs/cgroup:ro required by systemd
  • --stop-signal SIGRTMIN+3 - systemd does not terminate on SIGTERM but on SIGRTMIN+3
  • feldspaten/leap-ansible - name of the image built above, feel free to rename it as you wish
  • Optional: -d detach from container (i.e. it will run in the background)

Congratulations! You now have a custom openSUSE Leap container running in the background under the name testcontainer!

Capabilities

With the tmpfs directives stated above, the container worked without additional capabilities. Other tutorials often require --cap-add SYS_ADMIN, which did not do the trick in my case: the container could not start. Using --privileged worked, but it is not required if you add the tmpfs arguments stated above.
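To check a launch command against the point above, here is an added example (not code from the original post) that lints a podman run argument list for the flags used in this post. The function name audit_run_args and the finding messages are made up for illustration, and flagging a read-write cgroup mount goes slightly beyond the post, which only shows the :ro form.

```shell
#!/bin/sh
# Added example: lint `podman run` arguments against the flags from this post.
# Prints one finding per line and returns 1 if there is any finding.
audit_run_args() {
    privileged=0 sys_admin=0 tmp=0 run=0 cgroup=none stop=
    while [ $# -gt 0 ]; do
        opt=$1 val=
        case "$opt" in
            --*=*) val=${opt#*=}; opt=${opt%%=*} ;;        # --flag=value form
            --cap-add|--tmpfs|--volume|-v|--stop-signal)   # --flag value form
                if [ $# -gt 1 ]; then val=$2; shift; fi ;;
        esac
        shift
        case "$opt" in
            --privileged)  [ "$val" = false ] || privileged=1 ;;
            --cap-add)     case "$val" in *SYS_ADMIN*|ALL) sys_admin=1 ;; esac ;;
            --tmpfs)       case "${val%%:*}" in /tmp) tmp=1 ;; /run) run=1 ;; esac ;;
            --stop-signal) stop=$val ;;
            -v|--volume)
                case "$val" in
                    *:/sys/fs/cgroup:*)              # mount has an options field
                        case ",${val##*:}," in
                            *,ro,*) cgroup=ro ;;
                            *)      cgroup=rw ;;
                        esac ;;
                    *:/sys/fs/cgroup) cgroup=rw ;;   # no options means read-write
                esac ;;
        esac
    done
    rc=0
    finding() { printf '%s\n' "$1"; rc=1; }
    [ "$privileged" -eq 0 ] || finding "RISK: --privileged is not required with the tmpfs mounts"
    [ "$sys_admin" -eq 0 ]  || finding "RISK: extra capability SYS_ADMIN is not required"
    [ "$cgroup" != rw ]     || finding "RISK: /sys/fs/cgroup is mounted read-write, use :ro"
    [ "$tmp" -eq 1 ]        || finding "MISSING: --tmpfs /tmp"
    [ "$run" -eq 1 ]        || finding "MISSING: --tmpfs /run"
    [ "$cgroup" != none ]   || finding "MISSING: -v /sys/fs/cgroup/:/sys/fs/cgroup:ro"
    [ "$stop" = "SIGRTMIN+3" ] || finding "MISSING: --stop-signal SIGRTMIN+3"
    return $rc
}

# The command line from this post passes without findings.
audit_run_args -d --tmpfs /tmp --tmpfs /run -v /sys/fs/cgroup/:/sys/fs/cgroup:ro \
    --stop-signal SIGRTMIN+3 --name testcontainer feldspaten/leap-ansible \
    && echo "run arguments OK"
```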

Attaching a bash

After running the container with -d, it remains in the background. We’re now attaching a bash terminal, because we want to do something in the container:

$ podman exec -it testcontainer bash

Instead of testcontainer you can of course also use the container ID.

Within the container you can now use any systemd command to verify that systemd is working properly, e.g.

add9ed3f9943:/ # systemd-analyze
Startup finished in 1.203s (userspace) = 3h 30min 22.080s

Just give me the container!

See my leap-ansible container on DockerHub or follow the procedure below:

$ podman pull grisu48/leap-ansible

Run the container, attach bash

$ CONTAINER=$(podman run --rm -d --tmpfs /tmp --tmpfs /run -v /sys/fs/cgroup/:/sys/fs/cgroup:ro --stop-signal SIGRTMIN+3 grisu48/leap-ansible)
$ podman exec -it "$CONTAINER" bash

Stop the container after bash terminates

$ podman container stop "$CONTAINER"

Because of the --rm argument in podman run, the container will be deleted after termination.