GitHub Actions delivers an immersive platform for testing and deploying all kinds of software, including software that runs in containers. It also offers a container registry with repositories where you can push containers and serve them to anyone on the internet.
By combining these capabilities with Red Hat’s Universal Base Image (UBI) and container technologies such as Podman and Buildah, you can build your own containers on top of a stable Red Hat Enterprise Linux (RHEL) base in GitHub Actions.
The code shown in this post is already in the major/ubi-flask repository in GitHub.
A simple container
Most of my development involves Python and my favorite web framework: Flask. It simplifies web applications by handling a route (a path on a URL) and running code anytime someone accesses the URL. In this example, I wrote a “Hello World” example with a timestamp included:
from datetime import datetime from flask import Flask app = Flask(__name__) @app.route("/") def hello_world(): return f"Hello, World! The current date is: {datetime.now()}"
In this example, when someone accesses the root path, they see the “Hello, World!” text followed by the date and time the request was made. Let’s assemble a brief container build file that tells buildah how to build the container from a UBI:
FROM registry.access.redhat.com/ubi8/ubi # Make a directory for our code and copy it over. RUN mkdir /opt/hello COPY hello/* /opt/hello # Install pip and Python requirements (and clean up). RUN dnf -y install python3-pip && \ dnf clean all RUN pip3 install -r /opt/hello/requirements.txt && \ rm -rf /root/.cache # Set the working directory to where we copied the code. WORKDIR /opt/hello # Expose port 8000. EXPOSE 8000 # Run the Flask application via gunicorn. CMD ["gunicorn", "-b", "0.0.0.0:8000", "hello:app"]
Get to the (GitHub) Action
The container build file and Flask code already exist in my ubi-flask repository in GitHub. We now need to tell GitHub Actions how to build and publish the container on each commit. Everything starts with a workflow YAML file (follow along with mine):
name: Build ubi-flask container on: - push jobs: build: name: Build image runs-on: ubuntu-latest env: IMAGE_NAME: ubi-flask REGISTRY: ghcr.io/major steps:
The initial part of the workflow file controls when the container is built (on every push) and the GitHub container registry URL. The build steps are:
- name: Clone the repository uses: actions/checkout@v2 - name: Buildah Action id: build-image uses: redhat-actions/buildah-build@v2 with: image: ${{ env.IMAGE_NAME }} tags: latest ${{ github.sha }} containerfiles: | ./Containerfile - name: Log in to the GitHub Container registry uses: redhat-actions/podman-login@v1 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Push to GitHub Container Repository id: push-to-ghcr uses: redhat-actions/push-to-registry@v2 with: image: ${{ steps.build-image.outputs.image }} tags: ${{ steps.build-image.outputs.tags }} registry: ${{ env.REGISTRY }}
Let’s analyze this step by step:
-
First, we clone our repository into the GitHub Actions runner.
-
Next, we build the container using our container build file with buildah. The container has two tags: “latest” and the SHA of the most recent commit in git.
-
The GitHub container registry requires authentication before pushing containers, so we use podman to authenticate. (GitHub Actions automatically provides a token in lieu of an API key or password.)
-
Finally, we push the container to the repository with podman and apply both tags from the build stage.
GitHub Actions runs the workflow, in under two minutes in my testing, and a container appears in the list of packages afterwards.
Your container should appear as ubi-flask inside your GitHub account under ghcr.io/username/ubi-flask. My GitHub account is major, so I can pull my container using this URL: ghcr.io/major/ubi-flask
Testing the container
We can test the container by using podman to download the container and run it:
$ podman run -d -p 8000:8000 ghcr.io/major/ubi-flask 2e77848186579003364b20f83d5fea9de58459f63a8a0c9435a8d15a68c53875 $ curl localhost:8000 Hello, World! The current date is: 2021-10-26 17:12:29.639179
Staying up to date
Keep updated with the latest changes in the redhat-actions repositories by using GitHub’s dependabot. Add a small file in your repo to monitor changes to any of the GitHub Actions that you use:
# File: .github/dependabot.yml version: 2 updates: - package-ecosystem: "github-actions" directory: "/" schedule: interval: "daily"
When GitHub detects that one of your actions has an update, dependabot makes a pull request in your repository to update the action version.
Conclusion
Now you can use the technologies you know and trust, such as Podman and Buildah, alongside your software in GitHub. RHEL UBI provide a stable base for testing and deployment on RHEL systems, in Red Hat OpenShift, or on any other container platform.
Read about the various types of RHEL UBI container images and how to build and run containers as a non-root user with podman.
关于作者
Major Hayden is a Principal Software Engineer at Red Hat with a focus on making it easier to deploy Red Hat Enterprise Linux wherever a customer needs it. He is also an amateur radio operator (W5WUT), and he maintains a technical blog at major.io.
产品
工具
试用购买与出售
沟通
关于红帽
我们是世界领先的企业开源解决方案供应商,提供包括 Linux、云、容器和 Kubernetes。我们致力于提供经过安全强化的解决方案,从核心数据中心到网络边缘,让企业能够更轻松地跨平台和环境运营。