Execution environments for Ansible and AWX training

Makefile

@@ -1,5 +1,5 @@
 .PHONY: build-all push-all
-images=k8s-training-tools k8s-training-stress securedev-training-curlbot
+images=k8s-training-tools k8s-training-stress securedev-training-curlbot ansible-ee-minimal
 
 build-all:
 	for image in $(images) ; do \

ansible-ee-minimal/Dockerfile

@@ -0,0 +1,104 @@
+ARG EE_BASE_IMAGE="debian:12.11-slim"
+ARG PYCMD="/opt/venv/bin/python3"
+ARG PKGMGR_PRESERVE_CACHE=""
+ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS="--pre"
+ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS=""
+ARG ANSIBLE_INSTALL_REFS="ansible-core==2.17.12 ansible-runner==2.4.1"
+ARG PKGMGR="/usr/bin/apt-get"
+
+# Base build stage
+FROM $EE_BASE_IMAGE as base
+USER root
+ENV PIP_BREAK_SYSTEM_PACKAGES=1
+ARG EE_BASE_IMAGE
+ARG PYCMD
+ARG PKGMGR_PRESERVE_CACHE
+ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS
+ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS
+ARG ANSIBLE_INSTALL_REFS
+ARG PKGMGR
+
+COPY _build/scripts/ /output/scripts/
+COPY _build/scripts/entrypoint /opt/builder/bin/entrypoint
+ENV VIRTUAL_ENV=/opt/venv
+ENV PATH="$VIRTUAL_ENV/bin:$PATH"
+RUN apt-get update \
+  && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends -o APT::Get::AllowUnauthenticated=true install \
+  git \
+  python3 \
+  python3-pip \
+  python3-venv \
+  && python3 -m venv /opt/venv \
+  && pip install --no-cache-dir --upgrade pip
+RUN /output/scripts/pip_install $PYCMD
+RUN $PYCMD -m pip install --no-cache-dir $ANSIBLE_INSTALL_REFS
+
+# Galaxy build stage
+FROM base as galaxy
+ARG EE_BASE_IMAGE
+ARG PYCMD
+ARG PKGMGR_PRESERVE_CACHE
+ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS
+ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS
+ARG ANSIBLE_INSTALL_REFS
+ARG PKGMGR
+
+RUN /output/scripts/check_galaxy
+COPY _build /build
+WORKDIR /build
+
+RUN mkdir -p /usr/share/ansible
+RUN ansible-galaxy role install $ANSIBLE_GALAXY_CLI_ROLE_OPTS -r requirements.yml --roles-path "/usr/share/ansible/roles"
+RUN ANSIBLE_GALAXY_DISABLE_GPG_VERIFY=1 ansible-galaxy collection install $ANSIBLE_GALAXY_CLI_COLLECTION_OPTS -r requirements.yml --collections-path "/usr/share/ansible/collections"
+
+# Builder build stage
+FROM base as builder
+ENV PIP_BREAK_SYSTEM_PACKAGES=1
+WORKDIR /build
+ARG EE_BASE_IMAGE
+ARG PYCMD
+ARG PKGMGR_PRESERVE_CACHE
+ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS
+ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS
+ARG ANSIBLE_INSTALL_REFS
+ARG PKGMGR
+
+RUN $PYCMD -m pip install --no-cache-dir bindep pyyaml packaging
+
+COPY --from=galaxy /usr/share/ansible /usr/share/ansible
+
+COPY _build/bindep.txt bindep.txt
+RUN $PYCMD /output/scripts/introspect.py introspect --user-bindep=bindep.txt --write-bindep=/tmp/src/bindep.txt --write-pip=/tmp/src/requirements.txt
+RUN /output/scripts/assemble
+
+# Final build stage
+FROM base as final
+ENV PIP_BREAK_SYSTEM_PACKAGES=1
+ARG EE_BASE_IMAGE
+ARG PYCMD
+ARG PKGMGR_PRESERVE_CACHE
+ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS
+ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS
+ARG ANSIBLE_INSTALL_REFS
+ARG PKGMGR
+
+
+COPY --from=galaxy /usr/share/ansible /usr/share/ansible
+
+COPY --from=builder /output/ /output/
+RUN /output/scripts/install-from-bindep && rm -rf /output/wheels
+RUN chmod ug+rw /etc/passwd
+RUN mkdir -p /runner && chgrp 0 /runner && chmod -R ug+rwx /runner
+WORKDIR /runner
+RUN $PYCMD -m pip install --no-cache-dir 'dumb-init>=1.2.5'
+ENV VIRTUAL_ENV=/opt/venv
+ENV PATH="$VIRTUAL_ENV/bin:$PATH"
+RUN apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
+  && apt-get autoclean \
+  && apt-get clean all \
+  && rm -rf /var/lib/apt/lists/*
+RUN rm -rf /output
+LABEL ansible-execution-environment=true
+USER 1000
+ENTRYPOINT ["/opt/builder/bin/entrypoint"]
+CMD ["bash"]

ansible-ee-minimal/Makefile

@@ -0,0 +1,22 @@
+.PHONY: cleanup create build_with_podman
+image_name=ghcr.io/zenika-training/ansible-ee-minimal:2.17.12
+
+cleanup:
+	rm -rf _build
+	rm -f Dockerfile
+
+create:
+	ansible-builder create -f execution-environment.yml -c . --output-filename Dockerfile
+
+build_with_podman:
+	podman build --no-cache -f Dockerfile . -t $(image_name)
+
+show_version_with_podman:
+	podman run --rm -ti --name runner $(image_name) ansible --version 
+	podman run --rm -ti --name runner $(image_name) ansible-galaxy collection list
+
+build:
+	docker image build -t $(image_name) .
+
+push: build
+	docker image push $(image_name)

ansible-ee-minimal/README.md

@@ -0,0 +1,33 @@
+# Optimized Execution Environments for Ansible and AWX Training
+
+Ansible and AWX training courses greatly benefit from customized execution environments (EEs). 
+Default images, like the AWX one (nearly 2 GB), pose problems with size, superfluous dependencies, and lengthy loading times.
+
+A default EE image is often too large for training deployments, weighed down by unnecessary collections that slow down downloads and startup.
+
+The advantage of a lightweight and targeted EE is clear: an image of only 500 MB drastically reduces disk footprint, accelerates loading, and ensures a stable, relevant, and controlled environment for practical labs. 
+We only keep what's essential, making training smoother and more effective.
+
+To generate the Dockerfile (the `ansible-builder` tool is required) from `execution-environment.yml`:
+
+```bash
+make cleanup create
+```
+
+To build the container with Podman:
+
+```bash
+make build_with_podman
+```
+
+To display the execution environment versions with Podman:
+
+```bash
+make show_version_with_podman
+```
+
+To build the container with Docker:
+
+```bash
+make build
+```

ansible-ee-minimal/_build/bindep.txt

@@ -0,0 +1,4 @@
+curl
+jq
+ssh
+sshpass

ansible-ee-minimal/_build/requirements.yml

@@ -0,0 +1,5 @@
+collections:
+- name: zenika.training
+  source: https://github.com/Zenika-Training/ansible_collection.git
+  type: git
+  version: main

ansible-ee-minimal/_build/scripts/assemble

@@ -0,0 +1,169 @@
+#!/bin/bash
+# Copyright (c) 2019 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Make a list of bindep dependencies and a collection of built binary
+# wheels for the repo in question as well as its python dependencies.
+# Install javascript tools as well to support python that needs javascript
+# at build time.
+set -ex
+
+RELEASE=$(source /etc/os-release; echo $ID)
+
+# NOTE(pabelanger): Allow users to force either microdnf or dnf as a package
+# manager.
+PKGMGR="${PKGMGR:-}"
+PKGMGR_OPTS="${PKGMGR_OPTS:-}"
+PKGMGR_PRESERVE_CACHE="${PKGMGR_PRESERVE_CACHE:-}"
+
+PYCMD="${PYCMD:=/usr/bin/python3}"
+PIPCMD="${PIPCMD:=$PYCMD -m pip}"
+
+if [ -z $PKGMGR ]; then
+    # Expect dnf to be installed, however if we find microdnf default to it.
+    PKGMGR=/usr/bin/dnf
+    if [ -f "/usr/bin/microdnf" ]; then
+        PKGMGR=/usr/bin/microdnf
+    fi
+fi
+
+if [ "$PKGMGR" = "/usr/bin/microdnf" ]
+then
+    if [ -z "${PKGMGR_OPTS}" ]; then
+        # NOTE(pabelanger): skip install docs and weak dependencies to
+        # make smaller images. Sadly, setting these in dnf.conf don't
+        # appear to work.
+        PKGMGR_OPTS="--nodocs --setopt install_weak_deps=0"
+    fi
+fi
+
+# NOTE(pabelanger): Ensure all the directory we use exists regardless
+# of the user first creating them or not.
+mkdir -p /output/bindep
+mkdir -p /output/wheels
+mkdir -p /tmp/src
+
+cd /tmp/src
+
+function install_bindep {
+    # Protect from the bindep builder image use of the assemble script
+    # to produce a wheel.  Note we append because we want all
+    # sibling packages in here too
+    if [ -f bindep.txt ] ; then
+        bindep -l newline | sort >> /output/bindep/run.txt || true
+        if [ "$RELEASE" == "centos" ] ; then
+            bindep -l newline -b epel | sort >> /output/bindep/stage.txt || true
+            grep -Fxvf /output/bindep/run.txt /output/bindep/stage.txt >> /output/bindep/epel.txt || true
+            rm -rf /output/bindep/stage.txt
+        fi
+        compile_packages=$(bindep -b compile || true)
+        if [ ! -z "$compile_packages" ] ; then
+            $PKGMGR install -y $PKGMGR_OPTS ${compile_packages}
+        fi
+    fi
+}
+
+function install_wheels {
+    # NOTE(pabelanger): If there are build requirements to install, do so.
+    # However do not cache them as we do not want them in the final image.
+    if [ -f /tmp/src/build-requirements.txt ] && [ ! -f /tmp/src/.build-requirements.txt ] ; then
+        $PIPCMD install $CONSTRAINTS $PIP_OPTS --no-cache -r /tmp/src/build-requirements.txt
+        touch /tmp/src/.build-requirements.txt
+    fi
+    # Build a wheel so that we have an install target.
+    # pip install . in the container context with the mounted
+    # source dir gets ... exciting, if setup.py exists.
+    # We run sdist first to trigger code generation steps such
+    # as are found in zuul, since the sequencing otherwise
+    # happens in a way that makes wheel content copying unhappy.
+    # pip wheel isn't used here because it puts all of the output
+    # in the output dir and not the wheel cache, so it's not
+    # possible to tell what is the wheel for the project and
+    # what is the wheel cache.
+    if [ -f setup.py ] ; then
+        $PYCMD setup.py sdist bdist_wheel -d /output/wheels
+    fi
+
+    # Install everything so that the wheel cache is populated with
+    # transitive depends. If a requirements.txt file exists, install
+    # it directly so that people can use git url syntax to do things
+    # like pick up patched but unreleased versions of dependencies.
+    # Only do this for the main package (i.e. only write requirements
+    # once).
+    if [ -f /tmp/src/requirements.txt ] && [ ! -f /output/requirements.txt ] ; then
+        $PIPCMD install $CONSTRAINTS $PIP_OPTS --cache-dir=/output/wheels -r /tmp/src/requirements.txt
+        cp /tmp/src/requirements.txt /output/requirements.txt
+    fi
+    # If we didn't build wheels, we can skip trying to install it.
+    if [ $(ls -1 /output/wheels/*whl 2>/dev/null | wc -l) -gt 0 ]; then
+        $PIPCMD uninstall -y /output/wheels/*.whl
+        $PIPCMD install $CONSTRAINTS $PIP_OPTS --cache-dir=/output/wheels /output/wheels/*whl
+    fi
+}
+
+PACKAGES=$*
+PIP_OPTS="${PIP_OPTS-}"
+
+# bindep the main package
+install_bindep
+
+# go through ZUUL_SIBLINGS, if any, and build those wheels too
+for sibling in ${ZUUL_SIBLINGS:-}; do
+    pushd .zuul-siblings/${sibling}
+    install_bindep
+    popd
+done
+
+# Use a clean virtualenv for install steps to prevent things from the
+# current environment making us not build a wheel.
+# NOTE(pabelanger): We allow users to install distro python packages of
+# libraries. This is important for projects that eventually want to produce
+# an RPM or offline install.
+$PYCMD -m venv /tmp/venv --system-site-packages --without-pip
+source /tmp/venv/bin/activate
+
+# If there is an upper-constraints.txt file in the source tree,
+# use it in the pip commands.
+if [ -f /tmp/src/upper-constraints.txt ] ; then
+    cp /tmp/src/upper-constraints.txt /output/upper-constraints.txt
+    CONSTRAINTS="-c /tmp/src/upper-constraints.txt"
+fi
+
+# If we got a list of packages, install them, otherwise install the
+# main package.
+if [[ $PACKAGES ]] ; then
+    $PIPCMD install $CONSTRAINTS $PIP_OPTS --cache-dir=/output/wheels $PACKAGES
+    for package in $PACKAGES ; do
+      echo "$package" >> /output/packages.txt
+    done
+else
+    install_wheels
+fi
+
+# go through ZUUL_SIBLINGS, if any, and build those wheels too
+for sibling in ${ZUUL_SIBLINGS:-}; do
+    pushd .zuul-siblings/${sibling}
+    install_wheels
+    popd
+done
+
+if [ -z $PKGMGR_PRESERVE_CACHE ]; then
+  $PKGMGR clean all
+  rm -rf /var/cache/{dnf,yum}
+fi
+
+rm -rf /var/lib/dnf/history.*
+rm -rf /var/log/{dnf.*,hawkey.log}
+rm -rf /tmp/venv