Arvados

Recent versions of the community.docker collection provide tasks to manage Docker containers and images, as well as connection plugins so you can make a Docker container as a managed node. By combining these, it's possible to use Ansible playbooks to build Docker images. You start a container from a base image, run an Ansible playbook on it, then commit the result.

I've attached an example inventory and playbook. This isn't completely tested; none of our current playbooks are suitable to run this way right now. But I got far enough to illustrate the technique and convince myself it works. This requires a newer version of community.docker than ships with Ansible 8:

ansible-galaxy collection install 'community.docker>=4.6.0'

Then a run looks something like:

ansible-playbook -i docker-inventory.yml -e arvados_build_playbook=install-test-env.yml build-docker-image.yml

To be clear, I don't think this is really a good way to publish Docker images. I wouldn't recommend this for something we want people to pull from Docker Hub. But most of the Docker images we build aren't that, they're basically internal development tooling that we use for environment isolation. If we commit to this build process, and reorganizing our Ansible playbooks a little, we could get rid of a lot of separate build code:

• install-test-env.yml already has 90% of what you need for package builds, if we split that out and add the rest (mostly installing gems) we could get rid of all the separate infrastructure in build/package-build-dockerfiles.
• Similarly build/package-test-dockerfiles could become one small playbook.
• If we made some way to tell install-test-env.yml "I only want the dependencies for Python/Go/whatever," we could use it to build testing images like the CWL conformance tests.

I think making our Ansible playbooks richer and more robust this way, and then taking advantage of that to get rid of a lot of semi-duplicated build infrastructure, would be a win/win.