Discussion:
Export/Save only the top layer of a container
sukram
2014-02-09 22:40:05 UTC
Permalink
Hi,
we are currently investigating if docker could be a useful tool for our
continues integration setup. The biggest problem we would like to address
is using docker diff functionality to provision less data to clients which
already own a test environment based on base images 5GB+. The problem we
actually have is that we can't setup a docker registry thought security
constraints. Instead we would like to commit the diff of a container to a
SVN repository, supply it to the other clients and import it again. The
problem with this process is that it's currently impossible to export only
the top layer of a container and run it on the target with the existing
base images. We already figured out a solution by exporting the aufs diff
folder of the running container, and overriding the aufs container of the
target client.

Is there a why with standard Docker features to export and import only the
changes of a running container and use the same base image on two diffrent
systems?

Thanks for your ideas.
Bryan Murphy
2014-02-09 23:25:34 UTC
Permalink
Post by sukram
we are currently investigating if docker could be a useful tool for our
continues integration setup. The biggest problem we would like to address
is using docker diff functionality to provision less data to clients which
already own a test environment based on base images 5GB+. The problem we
actually have is that we can't setup a docker registry thought security
constraints. Instead we would like to commit the diff of a container to a
SVN repository, supply it to the other clients and import it again. The
problem with this process is that it's currently impossible to export only
the top layer of a container and run it on the target with the existing
base images. We already figured out a solution by exporting the aufs diff
folder of the running container, and overriding the aufs container of the
target client.
Is there a why with standard Docker features to export and import only the
changes of a running container and use the same base image on two diffrent
systems?
What you are doing sounds very similar to what we are doing. We started
using "docker save/load", but this took too long. We then started
extracting just the layers we wanted from the "docker save" archive, but
even that takes too long, so we currently export direct from the file
system like you.

In our case, we're multi-tenant and store our builds on shared
infrastructure, but we need to maintain strict separation between our
tenants. We use aes and rsa encryption when storing and distributing the
layers (each tenant has their own key).

We've found the registry to be less than ideal. We don't want to pay for
the extra infrastructure, nor do we want add to the cognitive burden of our
support staff by having /yet another/ service that they have to support.
We already have expertise with nginx, apache, ssl and use a CDN for
distribution which our infrastructure already uses. We do not want to
introduce yet another service (and point of failure) into the mix.

I would love to have the option to export an arbitrary layer via the api,
so +1 from me. It would make things much smoother for us.

Bryan
Jérôme Petazzoni
2014-02-27 00:27:08 UTC
Permalink
Hi,
Post by Bryan Murphy
[...] The biggest problem we would like to address is using docker diff
functionality to provision less data to clients which already own a test
environment based on base images 5GB+. The problem we actually have is that
we can't setup a docker registry thought security constraints. Instead we
would like to commit the diff of a container to a SVN repository, supply it
to the other clients and import it again. [...]
What you are doing sounds very similar to what we are doing. We started
Post by Bryan Murphy
using "docker save/load", but this took too long. We then started
extracting just the layers we wanted from the "docker save" archive, but
even that takes too long, so we currently export direct from the file
system like you. [...]
Suggestion:
- run a local-only private registry (e.g. listening on 127.0.0.1:1271)
- push image to that private registry
- retrieve the ID of the topmost layer
- get it straight from the local registry
- ship it wherever you want
- apply it on top of existing base image
Would that work for you?

Yes, it means running a local private registry; but it's local (no exposed
service), it comes pre-packaged on stackbrew, and it's just used as a kind
of export cache, so it can be nuked any time.

HTH,
--
@jpetazzo <https://twitter.com/jpetazzo>
Latest blog post:
http://jpetazzo.github.io/2014/01/29/docker-device-mapper-resize/
Deni Bertović
2015-02-06 14:27:22 UTC
Permalink
Hi everyone,

Is this still the best way to go about solving this situation? Or have
there been any recent developments that automate it somehow?

Thanks.

-Deni
Post by sukram
Hi,
we are currently investigating if docker could be a useful tool for our
continues integration setup. The biggest problem we would like to address
is using docker diff functionality to provision less data to clients which
already own a test environment based on base images 5GB+. The problem we
actually have is that we can't setup a docker registry thought security
constraints. Instead we would like to commit the diff of a container to a
SVN repository, supply it to the other clients and import it again. The
problem with this process is that it's currently impossible to export only
the top layer of a container and run it on the target with the existing
base images. We already figured out a solution by exporting the aufs diff
folder of the running container, and overriding the aufs container of the
target client.
Is there a why with standard Docker features to export and import only the
changes of a running container and use the same base image on two diffrent
systems?
Thanks for your ideas.
Peter Waller
2015-02-14 11:03:26 UTC
Permalink
I'd like to see a way to get at specific layers without having to save the
whole thing, too.
Post by Deni Bertović
Hi everyone,
Is this still the best way to go about solving this situation? Or have
there been any recent developments that automate it somehow?
Thanks.
-Deni
Post by sukram
Hi,
we are currently investigating if docker could be a useful tool for our
continues integration setup. The biggest problem we would like to address
is using docker diff functionality to provision less data to clients which
already own a test environment based on base images 5GB+. The problem we
actually have is that we can't setup a docker registry thought security
constraints. Instead we would like to commit the diff of a container to a
SVN repository, supply it to the other clients and import it again. The
problem with this process is that it's currently impossible to export only
the top layer of a container and run it on the target with the existing
base images. We already figured out a solution by exporting the aufs diff
folder of the running container, and overriding the aufs container of the
target client.
Is there a why with standard Docker features to export and import only
the changes of a running container and use the same base image on two
diffrent systems?
Thanks for your ideas.
Aidan Hobson Sayers
2015-02-16 06:42:40 UTC
Permalink
Building on Jerome's idea, I've made https://github.com/aidanhs/dlgrab today.
Pass a layer id and it'll export that layer, or an image reference to
export the top layer of that image. It works by pretending to be a registry
with all the layers except the one you want, in order to trick the docker
daemon into sending just that one.

It tries to create the correct layout for docker save, so you should be
able to `dlgrab` a bunch of layers, tar them all up and docker load them
back in. Which is exactly what the second example in the readme
demonstrates.

There's a download ready on the releases page and I'd be interested in any
feedback.
Note that the docker daemon is sill a bottleneck so the main utility of
this is probably to skim some smaller layers off the top of images and cart
those around.

Aidan
Post by Peter Waller
I'd like to see a way to get at specific layers without having to save the
whole thing, too.
Post by Deni Bertović
Hi everyone,
Is this still the best way to go about solving this situation? Or have
there been any recent developments that automate it somehow?
Thanks.
-Deni
Post by sukram
Hi,
we are currently investigating if docker could be a useful tool for our
continues integration setup. The biggest problem we would like to address
is using docker diff functionality to provision less data to clients which
already own a test environment based on base images 5GB+. The problem we
actually have is that we can't setup a docker registry thought security
constraints. Instead we would like to commit the diff of a container to a
SVN repository, supply it to the other clients and import it again. The
problem with this process is that it's currently impossible to export only
the top layer of a container and run it on the target with the existing
base images. We already figured out a solution by exporting the aufs diff
folder of the running container, and overriding the aufs container of the
target client.
Is there a why with standard Docker features to export and import only
the changes of a running container and use the same base image on two
diffrent systems?
Thanks for your ideas.
Continue reading on narkive:
Loading...