Build and test applications with Ansible Container

Containers are an increasingly popular development environment. As a developer you have a large choice of tools to manage your containers. This article introduces you to Ansible Container and shows how you can run and test your application in a production-like environment.

Getting started

This example uses a simple Flask Hello World application. This application is served by an Apache HTTP server just like in production. First, install the requisite docker package:

sudo dnf install docker

Ansible Container needs to communicate with the docker service through its local socket. The following commands change the socket ownership, and add you to a docker group that can access the socket:

sudo groupadd docker && sudo gpasswd -a $USER docker
MYGRP=$(id -g) ; newgrp docker ; newgrp $MYGRP

Run the id command to ensure the docker group is listed in your group memberships. Finally, enable and start the docker service using sudo:

sudo systemctl enable docker.service
sudo systemctl start docker.service

Setting up Ansible Container

Ansible Container enables you to build container images and orchestrate them using only Ansible playbooks. The application is described in a single YAML file, and instead of using a Dockerfile, lists Ansible roles that make up the container images.

Unfortunately Ansible Container is not yet available as an RPM package in Fedora. To install it, use the python3 virtual environment module.

mkdir ansible-container-flask-example
cd ansible-container-flask-example
python3 -m venv .venv
source .venv/bin/activate
pip install ansible-container[docker]

These commands install Ansible Container with the Docker engine. Ansible Container provides three engines: Docker, Kubernetes and Openshift.

Setting up the project

Now that Ansible Container is installed, set up the project. Ansible Container provides a simple command to create all files needed to get started:

ansible-container init

Now look at the files this command created in the current directory:

  • ansible.cfg
  • ansible-requirements.txt
  • container.yml
  • meta.yml
  • requirements.yml

This project uses only the container.yml file to describe the application services. For more information about the other files, check out the Getting Started documentation of Ansible Container.

Defining the container

Update container.yml as follows:

version: "2"
settings:
  conductor:
    # The Conductor container does the heavy lifting, and provides a portable
    # Python runtime for building your target containers. It should be derived
    # from the same distribution as you're building your target containers with.
    base: fedora:26
    # roles_path:   # Specify a local path containing Ansible roles
    # volumes:      # Provide a list of volumes to mount
    # environment:  # List or mapping of environment variables

  # Set the name of the project. Defaults to basename of the project directory.
  # For built services, concatenated with service name to form the built image name.
  project_name: flask-helloworld
  
services: 
  # Add your containers here, specifying the base image you want to build from.
  # To use this example, uncomment it and delete the curly braces after services key.
  # You may need to run `docker pull ubuntu:trusty` for this to work.
  web:
    from: "fedora:26"
    roles: 
      - base
    ports:
      - "5000:80"
    command: ["/usr/bin/dumb-init", "httpd", "-DFOREGROUND"]
    volumes:
      - $PWD/flask-helloworld:/flaskapp:Z

The conductor section updates the base setting to use a Fedora 26 container base image.

The services section adds the web service. This service uses Fedora 26 and has a role called base to be defined later. It also sets up the port mapping between the container and host. The Apache HTTP server serves the Flask application on port 80 of the container, which redirects to port 5000 of the host. Then this file defines a volume that mounts the Flask application source code to /flaskapp in the container.

Finally the command configuration runs when the container starts. This example uses dumb-init, a simple process supervisor and init system to start the Apache HTTP server.

Ansible role

Now that the container is setup, create an Ansible role to install and configure the dependencies needed by the Flask application. First, create the base role.

mkdir -p roles/base/tasks
touch roles/base/tasks/main.yml

Now edit the main.yml file so that it looks like this:

---
- name: Install dependencies 
  dnf: pkg={{item}} state=present
  with_items:
    - python3-flask
    - dumb-init
    - httpd
    - python3-mod_wsgi

- name: copy the apache configuration
  copy:
    src: flask-helloworld.conf
    dest: /etc/httpd/conf.d/flask-helloworld.conf
    owner: apache
    group: root
    mode: 655

This Ansible role is a simple one. First it installs dependencies. Then, it copies the Apache HTTP server configuration. If you’re not familiar with Ansible roles, check out the Roles documentation.

Apache HTTP configuration

Next, configure the Apache HTTP server by creating the flask-helloworld.conf file:

$ mkdir -p roles/base/files
$ touch roles/base/files/flask-helloworld.conf

And finally add the following to the file:

<VirtualHost *>
    ServerName example.com

    WSGIDaemonProcess hello_world user=apache group=root
    WSGIScriptAlias / /flaskapp/flask-helloworld.wsgi

    <Directory /flaskapp>
        WSGIProcessGroup hello_world
        WSGIApplicationGroup %{GLOBAL}
    Require all granted
    </Directory>
</VirtualHost>

The important part of this file is the WSGIScriptAlias. This instruction maps the script flask-helloworld.wsgi to the “/” URL. For more details on Apache HTTP server and mod_wsgi, read the Flask documentation.

Flask “hello world”

Finally, create a simple Flask application and the flask-helloworld.wsgi script.

mkdir flask-helloworld
touch flask-helloworld/app.py
touch flask-helloworld/flask-helloworld.wsgi

Add the following to app.py:

from flask import Flask
app = Flask(__name__)

@app.route("/")
def hello():
    return "Hello World!"

Then edit flask-helloworld.wsgi to add this:

import sys
sys.path.insert(0, '/flaskapp/')

from app import app as application

Build and run

Now it’s time to build and run the container with the ansible-container build and ansible-container run commands.

ansible-container build

This command takes a bit of time to complete, so be patient.

ansible-container run

You can now access your flask application at this URL: http://localhost:5000/

Conclusion

You’ve now seen how to use Ansible Container to manage, build and configure your applications running inside a container. All the configuration files and the source code of this example are hosted on Pagure.io. You can use this example as the base to start using Ansible Container on your projects.

For Developers Using Software

15 Comments

  1. Andre

    Hi Clement, thanks for this post.
    Note:
    At the apache http configuration part in the text part you talk about flask-helloworld.conf file but in the the screen below that you state “touch ansible-helloworld.conf”.

    best regards Andre

  2. eeee

    is possible create a docker image for package maker?

    easy way to create my own package with gcc, make, etc.

    • Certainly. You could simply change the install dependencies in the ansible configuration, where in this example it installs the web server, Flask, and WSGI bits.

  3. Seems to e something missing in the error handling. My notoriously sloppy copy from the article kept leading to stack traces(my fault) but sometimes the traces themselves showed additional problems. FOr example, first go round, I didn’t remove a stray{} from container.yaml and got an excetion, which triggered a second exception:

    During handling of the above exception, another exception occurred:

    docker/config.py”, line 28, in set_env
    raise AnsibleContainerConfigException(u”Parsing container.yml – %s” % unicode(exc))
    NameError: name ‘unicode’ is not defined

    which looks like a missing dependency. or something not doing python3 right? This is in a venv, so it should all be python3. Anyway, I was able to fix the original error and moved on to:

    ERROR Error applying role! engine=<container.docker.engine.Engine object at 0x7f60fc5f2050> exit_code=2 playbook=[{‘hosts’: u’web’, ‘roles’: [‘base’], ‘vars’: {}}]
    Traceback (most recent call last):

    File “/_ansible/container/core.py”, line 813, in conductorcmd_build
    raise RuntimeError(‘Build failed.’)
    RuntimeError: Build failed.

    I’m sure I have a syntax problem somewhere, but this is a little hard to debug.
    ERROR Conductor exited with status 1

  4. Should have added this bit:

    An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AttributeError: ‘module’ object has no attribute ‘exceptions’
    failed: [web] (item=[u’python3-flask’, u’dumb-init’, u’httpd’, u’python3-mod_wsgi’]) => {“changed”: false, “failed”: true, “item”: [“python3-flask”, “dumb-init”, “httpd”, “python3-mod_wsgi”], “module_stderr”: “Traceback (most recent call last):\n File \”/tmp/ansible_BendGt/ansible_module_dnf.py\”, line 534, in \n main()\n File \”/tmp/ansible_BendGt/ansible_module_dnf.py\”, line 501, in main\n _ensure_dnf(module)\n File \”/tmp/ansible_BendGt/ansible_module_dnf.py\”, line 190, in _ensure_dnf\n import dnf\n File \”/_usr/lib/python2.7/site-packages/dnf/init.py\”, line 26, in \n warnings.filterwarnings(‘once’, category=dnf.exceptions.DeprecationWarning)\nAttributeError: ‘module’ object has no attribute ‘exceptions’\n”, “module_stdout”: “”, “msg”: “MODULE FAILURE”, “rc”: 0}

    • Clement Verna

      @Adam, I do agree that error handling in Ansible Container could be better. Did you manage to solve the last exception ?

  5. Mark Lamourine

    The one thing I’d add is actually about the setup. When you add users to the docker group, they become effectively root. Like anything else it’s fine if that’s what you meant to do, but you need to protect access to that user in the same way you’d protect access to root.

    I set sudo for my personal account on my laptop so adding that account to the docker group is no big deal. Adding a non-priv account on a server to the docker group is a new potential attack vector that could be easily overlooked.

    The rest looks great and I’m going to go try it now.

    Mark

  6. Benjamin

    worked like a charm, thanks for putting this together!

  7. Jan

    Setting up the virtual environment fails in Fedora 27. Working around by manually installing pip:

    cd ansible-container-flask-example
    python3 -m venv .venv –without-pip
    source .venv/bin/activate
    wget https://bootstrap.pypa.io/get-pip.py
    python get-pip.py
    pip install ansible-container[docker]

    Everything else works fine.

    • @Jan: interesting, these instructions worked fine for me on a standard F27 installation. Have you tried in a fresh user account to see if the issue is some conflict with your personal configuration?

  8. Brian Clark

    I need a second set of eyes on this: When trying to run the example during the ‘build’ command I get a traceback saying something about a socket timeout. I tried to figure this out I think it is a docker error or user error but not sure what. I ran the build command with –debug to see if it would give me a clue.

    2017-11-12T16:39:30.713079 Docker run: [container.docker.engine] caller_file=/home/bclark/myapp/ansible-container-flask-example/.venv/lib64/python3.6/site-packages/container/docker/engine.py caller_func=run_conductor caller_line=435 image=sha256:ac3ab4febc9ee3ef99a3abcebb822fcd6c0b4f54a92895c89a6926dc7faf22d6 params={‘name’: ‘flask-helloworld_conductor’, ‘command’: [‘conductor’, ‘build’, ‘–project-name’, ‘flask-helloworld’, ‘–engine’, ‘docker’, ‘–params’, ‘eyJkZWJ1ZyI6IHRydWUsICJkZXZlbCI6IGZhbHNlLCAic2VsaW51eCI6IHRydWUsICJzdWJjb21tYW5kIjogImJ1aWxkIiwgImZsYXR0ZW4iOiBmYWxzZSwgInB1cmdlX2xhc3QiOiB0cnVlLCAic2F2ZV9jb25kdWN0b3JfY29udGFpbmVyIjogZmFsc2UsICJzZXJ2aWNlc190b19idWlsZCI6IG51bGwsICJjYWNoZSI6IHRydWUsICJjb25kdWN0b3JfY2FjaGUiOiB0cnVlLCAiY29udGFpbmVyX2NhY2hlIjogdHJ1ZSwgImxvY2FsX3B5dGhvbiI6IGZhbHNlLCAic3JjX21vdW50X3BhdGgiOiBudWxsLCAiYW5zaWJsZV9vcHRpb25zIjogIiIsICJyb2xlc19wYXRoIjogW10sICJ3aXRoX3ZvbHVtZXMiOiBbXSwgInZvbHVtZV9kcml2ZXIiOiBudWxsLCAid2l0aF92YXJpYWJsZXMiOiBbXSwgImNvbmZpZ192YXJzIjoge319’, ‘–config’, ‘eyJ2ZXJzaW9uIjogIjIiLCAic2V0dGluZ3MiOiBbWyJjb25kdWN0b3IiLCB7ImJhc2UiOiAiZmVkb3JhOjI2In1dLCBbInByb2plY3RfbmFtZSIsICJmbGFzay1oZWxsb3dvcmxkIl0sIFsicHdkIiwgIi9ob21lL2JjbGFyay9teWFwcC9hbnNpYmxlLWNvbnRhaW5lci1mbGFzay1leGFtcGxlIl1dLCAic2VydmljZXMiOiBbWyJ3ZWIiLCB7ImZyb20iOiAiZmVkb3JhOjI2IiwgInJvbGVzIjogWyJiYXNlIl0sICJwb3J0cyI6IFsiNTAwMDo4MCJdLCAiY29tbWFuZCI6IFsiL3Vzci9iaW4vZHVtYi1pbml0IiwgImh0dHBkIiwgIi1ERk9SRUdST1VORCJdLCAidm9sdW1lcyI6IFsiL2hvbWUvYmNsYXJrL215YXBwL2Fuc2libGUtY29udGFpbmVyLWZsYXNrLWV4YW1wbGUvZmxhc2staGVsbG93b3JsZDovZmxhc2thcHA6WiJdfV1dLCAiZGVmYXVsdHMiOiBbXX0=’, ‘–encoding’, ‘b64json’], ‘detach’: True, ‘user’: ‘root’, ‘volumes’: {‘flask-helloworld_secrets’: {‘bind’: ‘/run/secrets’, ‘mode’: ‘rw’}, ‘/home/bclark/myapp/ansible-container-flask-example’: {‘bind’: ‘/src’, ‘mode’: ‘ro’}, ‘/var/run/docker.sock’: {‘bind’: ‘/var/run/docker.sock’, ‘mode’: ‘rw’}, ‘/home/bclark/.docker/config.json’: {‘bind’: ‘/home/bclark/.docker/config.json’, ‘mode’: ‘rw’}}, ‘environment’: {‘DOCKER_HOST’: ‘unix:///var/run/docker.sock’, ‘ANSIBLE_ROLES_PATH’: ‘/src/roles:/etc/ansible/roles’}, ‘working_dir’: ‘/src’, ‘cap_add’: [‘SYS_ADMIN’], ‘privileged’: True}
    2017-11-12T16:40:30.799135 Unknown exception UnixHTTPConnectionPool(host=’localhost’, port=None): Read timed out. (read timeout=60) [container.cli] caller_file=/home/bclark/myapp/ansible-container-flask-example/.venv/lib64/python3.6/site-packages/structlog/stdlib.py caller_func=exception caller_line=95

    • Clement Verna

      Hi Brian, I did a little bit of DuckDuckGoing and found a similar thread on Docker Compose (https://github.com/docker/compose/issues/1045)

      A possible work around seems to set a longer timeout like so :

      export DOCKER_CLIENT_TIMEOUT=120

      Hope it helps.

      • Brian Clark

        Thanks for the help. It looks like I might not have enough resources. So I tried running with no X got an Internal error but did not see if it happen before the time out or after. Again thanks for the help.

    • @Brian: You may want to check a couple things: (1) Is the docker service started? (

      systemctl status docker.service

      ) (2) Is /var/run/docker.sock permissions 660, owned by root/docker? (3) Is your user in the docker group? (

      id

      )

Comments are Closed

The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions