acassen / keepalived

Keepalived
https://www.keepalived.org
GNU General Public License v2.0

Docker image for keepalived #665

Open vaibhavsood opened 7 years ago

vaibhavsood commented 7 years ago

Hi,

Want to check if there is a docker image/Dockerfile for keepalived which is officially supported? I could not find one under dockerhub official images https://hub.docker.com/explore/

If not, want to check if there is any plan to add an official keepalived image to dockerhub? https://docs.docker.com/docker-hub/official_repos/#how-do-i-create-a-new-official-repository

pqarmitage commented 7 years ago

Bertrand Gouny maintains code for building a keepalived docker image at https://github.com/osixia/docker-keepalived . The image is downloadable from https://hub.docker.com/r/osixia/keepalived/ .

The latest keepalived version for which an image has been built is v1.3.6, although editing the makefile and image/Dockerfile to change the version to 1.3.7 successfully builds an image with keepalived v1.3.7.

pqarmitage commented 7 years ago

If the above isn't suitable for you, please add further comments to this issue and reopen it if possible.

Closing for now.

vaibhavsood commented 7 years ago

Hi @pqarmitage thanks and sorry for the delayed response

Reopening this since I want to check if it will be feasible to host the image under the official image namespace (https://hub.docker.com/_/) and not under hub.docker.com/r/osixia namespace.

This would move the nightly build etc of the containers to Docker's servers

The work involved to achieve this is out here: https://docs.docker.com/docker-hub/official_repos/#how-do-i-create-a-new-official-repository

The motivations for making an image official are also mentioned in the link above

Basically in brief the steps followed are these:

1) First check with the community if it makes sense and is feasible to create an official image (I'm doing that right now). Some subjective considerations are in the link above

2) Create a PR under official-images github, this is reviewed by Docker considering feasibility etc

3) Once official, future maintenance to be done by the community, mainly involving updating version numbers etc

pqarmitage commented 7 years ago

@acassen will need to confirm whether he is happy with the idea of an "official" keepalived docker image.

I have to confess that I am not particularly familiar with Docker containers, but I think there are a number of issues that, in any event, would need to be resolved first.

The first is what keepalived configure options are appropriate; for example RedHat use --enable-snmp --enable-snmp-rfc --enable-sha1 which adds the functionality that most people would want, although some may want json, and others dbus functionality. I agree that disabling dynamic linking is reasonable given that the libraries are installed in the container.

The next issue is what privileges does the container have within the host. If the iptables, ipset and ip_vs modules are not loaded within the host (or built into the kernel), then keepalived in the container will have limited functionality, unless the container can be set to allow keepalived from within the container to load kernel modules (for example for snap containers the confinement is set to classic). Or can the docker container be configured to ensure those modules are loaded when the container is run?

This is probably a lack of understanding on my part, but since the idea of keepalived is about adding and managing IP addresses, it seems to me that those addresses added in the container will need to be exposed to the networks of the host. How is the mapping between the host networks and the container networks established and maintained? Is this resolved by using --network=host, and is it possible to set that as default for the container when it is built?

My final concern is about kernel versions. keepalived uses a number of kernel features, and what features are available is determined at configure (i.e. pre compile) time (for example keepalived will assume different levels of functionality for Linux 4.0, 4.1, 4.3, 4.4, 4.5 and 4.10 and 16 different earlier kernel versions) based on the kernel headers being used. If the kernel on which the container is running is older than the kernel headers with which keepalived was built, then keepalived may well try using kernel functionality that doesn't exist in the container and at the moment, in general, it doesn't check if the kernel it is running on doesn't support those features.

I hope the above doesn't come across as being negative. If keepalived can be made to work within a Docker environment, then I think this would be really useful and is an excellent idea. My concern is that keepalived operates quite close to the kernel, significantly more so than most applications, and hence my questions to make sure that it really will work within a Docker environment.
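
The host-side questions raised in the comment above (are the kernel modules available, and is the running kernel older than the headers keepalived was built against) can be checked on the host before a container is started. The script below is an added example, not part of this thread or of keepalived; the function names are hypothetical, `ip_vs`, `ip_tables` and `ip_set` are the kernel's module names for the modules mentioned, and the build-header version is assumed to be known to whoever built the image.

```shell
#!/bin/sh
# Added example: host preflight for running keepalived in a container.
# Usage (on the host): preflight 4.10   # 4.10 = kernel headers used at build time

# module_state NAME LOADED_FILE BUILTIN_FILE -> prints loaded | builtin | missing
module_state() {
    name=$1; loaded_file=$2; builtin_file=$3
    if [ -r "$loaded_file" ] && grep -q "^${name} " "$loaded_file"; then
        echo loaded                      # listed in /proc/modules format
    elif [ -r "$builtin_file" ] && grep -q "/${name}\.ko\$" "$builtin_file"; then
        echo builtin                     # compiled into the kernel image
    else
        echo missing
    fi
}

# version_code "5.15.0-91-generic" -> 5015000 (comparable integer)
version_code() {
    v=${1%%[!0-9.]*}                     # drop suffix such as -91-generic
    IFS=. read -r maj min pat rest <<EOF
$v
EOF
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# kernel_too_old RUNNING BUILT -> succeeds when RUNNING is older than BUILT
kernel_too_old() {
    [ "$(version_code "$1")" -lt "$(version_code "$2")" ]
}

# preflight BUILT_HEADERS_VERSION -> non-zero if any check fails
preflight() {
    built=$1; rc=0; running=$(uname -r)
    for m in ip_vs ip_tables ip_set; do
        s=$(module_state "$m" /proc/modules "/lib/modules/$running/modules.builtin")
        echo "$m: $s"
        if [ "$s" = missing ]; then rc=1; fi
    done
    if kernel_too_old "$running" "$built"; then
        echo "kernel $running is older than build headers $built"
        rc=1
    fi
    return $rc
}
```

A module reported as missing may still be loadable on the host with `modprobe`; the check only reports what is present at the time it runs.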

coretemp commented 6 years ago

I am fairly sure that it can work in a Docker environment, but many of the supposed benefits of Docker would not materialize in many cases, exactly because of the reasons @pqarmitage mentioned.

It would only result in people saying "it doesn't work". Adding a FAQ explaining why there is no Dockerfile seems to be best.

On Alpine Linux you can do the following hack https://github.com/gw0/docker-alpine-kernel-modules, but it will likely be operating system dependent until a new standard is defined.

acassen commented 5 years ago

Mainly maintaining docker stuff should not be shipped as part of Keepalived. IMHO, it must be out of keepalived toolchain and maintained on a dedicated git repo.

johannbg commented 5 years ago

For upstream projects mkosi ( Make Operating System Image) is a better choice these days and requires just couple of hundred k in size in upstream git repos in form of mkosi configuration files and requires only systemd + mkosi on the host system and then it's just matter of build/test systems/developers/end users running

    git clone https://github.com/acassen/keepalived.git
    cd ./keepalived
    sudo mkosi

Which would use upstream mkosi configuration to create a testable bootable image.

For downstream, on at least the parent distributions (Arch, Fedora, Debian, OpenSuse) users can already do cross distro builds to create an image, for example to test the keepalive component in debian latest you simply do

    mkosi -d debian -t raw_gpt -b --checksum --password CHANGEME --package keepalived,vim -o keepalived-test.raw

Which is bootable via nspawn

    systemd-nspawn -b -i keepalived-test.raw

Or virtualized with qemu

    qemu-system-x86_64 -m 512 -smp 2 -bios /usr/share/ovmf/x64/OVMF_CODE.fd -drive format=raw,file=keepalived-test.raw

etc.

If there is interest for mkosi I can submit pull request for mkosi since I already am using mkosi to generate test images of Fedora 30 with Keepalived + Haproxy and systemd-networkd.

pqarmitage commented 5 years ago

@johannbg It would be very useful if you could submit a pull request so that we can have a look at it and decide if it is something we can include.

lijiajia3515 commented 3 years ago

forward +1

sebastian-philipp commented 2 years ago

Ceph uses docker.io/arcts/keepalived which is unfortunately pretty old by now.

Would be super great to have an official image for us.

pqarmitage commented 2 years ago

@sebastian-philipp When I last looked at the link in https://github.com/acassen/keepalived/issues/665#issuecomment-342776485 it appeared to involve quite a lot of work to set up an official docker image. Having no knowledge of creating or using docker containers this was not something I wanted to spend potentially quite some time doing, especially since https://github.com/acassen/keepalived/issues/665#issuecomment-365076086 confirms that the problems I identified in https://github.com/acassen/keepalived/issues/665#issuecomment-342829862 are correct.

If you could create all the necessary files in another github repo, and include a full write up of what needs to be done, and then post the details in this issue, then I think that would be the way forward.

viceice commented 2 years ago

keepalived is working fine in docker / kubernetes

https://github.com/janeczku/keepalived-ingress-vip

mhazan01 commented 1 year ago

need a working updated docker for ceph on Ubuntu 22.04, anyone got one?