Document how to debug Garage distroless container #871

New issue

Open

opened 2024-08-29 15:25:48 +00:00 by Promotion1877 · 3 comments

Promotion1877 commented

2024-08-29 15:25:48 +00:00

Hi, I'm new to garage, and i set it as a docker container, because i run it on a limited server where i can't directly run binaries

Version: dxflrs/garage:v1.0.0

I want to login to the docker container, so i run docker exec -it garage /bin/sh but I get

OCI runtime exec failed: exec failed: unable to start container process: exec: "sh": executable file not found in $PATH: unknown

Is it possible to have the shell in one of the next docker images, so it would be possible to use the CLI interface when needed for maintenance?

Thanks

Hi, I'm new to garage, and i set it as a docker container, because i run it on a limited server where i can't directly run binaries Version: dxflrs/garage:v1.0.0 I want to login to the docker container, so i run docker exec -it garage /bin/sh but I get OCI runtime exec failed: exec failed: unable to start container process: exec: "sh": executable file not found in $PATH: unknown Is it possible to have the shell in one of the next docker images, so it would be possible to use the CLI interface when needed for maintenance? Thanks

quentin commented

2024-08-30 10:02:02 +00:00

Owner

Garage container is, on purpose, a "distroless" container. We see the following advantages to this technical choice:

Container is very small (9.5MB compressed), hence fast to fetch and do not take too much space on disk, which is important in our resource-constrained deployments.
Attack surface is reduced (no useless dependencies, less things to keep updated)
Maintenance is easier (less moving pieces = less chance that something breaks)

To debug a distroless container, you can:

Use all the docker tooling to see what happens (docker logs, etc.)
Use docker debug if you pay for the enterprise/pro plan.
Attach your own ephemeral debugging container (see below)
Build your own distro-based container instead (see below)

An example on how to attach a debugging container to your garage instance:

docker run --rm -it --pid=container:<container id> --net=container:<container id> alpine sh

Then you can explore your container filesystem by doing:

cd /proc/1/root

You can get more explanations and examples by reading Docker: How To Debug Distroless And Slim Containers.

You can also build your own distro-based container by fetching Garage static binary on your own image:

FROM alpine:latest
RUN wget https://garagehq.deuxfleurs.fr/_releases/v1.0.0/x86_64-unknown-linux-musl/garage -O /usr/local/bin/garage \
  && chmod +x /usr/local/bin/garage
CMD [ "/usr/local/bin/garage", "server" ]

Or you can directly extract the binary from our docker image:

FROM dxflrs/garage:v1.0.0 as source
FROM busybox:latest
COPY --from=source /garage /usr/local/bin/garage
CMD [ "/usr/local/bin/garage", "server" ]

These instructions could be added to Garage's documentation.

Garage container is, on purpose, a "distroless" container. We see the following advantages to this technical choice: - Container is very small (9.5MB compressed), hence fast to fetch and do not take too much space on disk, which is important in our resource-constrained deployments. - Attack surface is reduced (no useless dependencies, less things to keep updated) - Maintenance is easier (less moving pieces = less chance that something breaks) To debug a distroless container, you can: - Use all the docker tooling to see what happens (docker logs, etc.) - Use `docker debug` if you pay for the enterprise/pro plan. - Attach your own ephemeral debugging container (see below) - Build your own distro-based container instead (see below) --- An example on how to attach a debugging container to your garage instance: ```bash docker run --rm -it --pid=container:<container id> --net=container:<container id> alpine sh ``` Then you can explore your container filesystem by doing: ``` cd /proc/1/root ``` You can get more explanations and examples by reading [Docker: How To Debug Distroless And Slim Containers](https://iximiuz.com/en/posts/docker-debug-slim-containers/). --- You can also build your own distro-based container by fetching Garage static binary on your own image: ```Dockerfile FROM alpine:latest RUN wget https://garagehq.deuxfleurs.fr/_releases/v1.0.0/x86_64-unknown-linux-musl/garage -O /usr/local/bin/garage \ && chmod +x /usr/local/bin/garage CMD [ "/usr/local/bin/garage", "server" ] ``` Or you can directly extract the binary from our docker image: ```Dockerfile FROM dxflrs/garage:v1.0.0 as source FROM busybox:latest COPY --from=source /garage /usr/local/bin/garage CMD [ "/usr/local/bin/garage", "server" ] ``` --- These instructions could be added to Garage's documentation.

quentin changed title from ~~Docker image doesn't have the shell~~ to Document how to debug Garage distroless container

2024-08-30 10:04:18 +00:00

quentin added the

labels 2024-08-30 10:04:58 +00:00

Promotion1877 commented

2024-08-30 10:55:14 +00:00

Author

Your decision definitely makes sense, and effectively it's a bad habit to have full distros in containers

I wonder if is it also possible to run the garage command via docker exec command? If it's possible, what's the path? I tried docker exec garage-1 garage --help but it says "garage": executable file not found in $PATH

Thanks for the explanation, I am not expert, and I didn't realize I could do that. Tried solutions 3 and 4 and both are working fine. Meanwhile, yesterday I made a python script to add/create/delete layouts/users/buckets via the admin api and once I understood how everything works, it's now easy to use Your decision definitely makes sense, and effectively it's a bad habit to have full distros in containers I wonder if is it also possible to run the garage command via `docker exec` command? If it's possible, what's the path? I tried `docker exec garage-1 garage --help` but it says `"garage": executable file not found in $PATH`