Publish debug container image and account-sync sidecar

Author: Ware, Joseph (DLSLtd,RAL,LSCI)

.github/workflows/_account_sync.yml

@@ -0,0 +1,44 @@
+on:
+  workflow_call:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          # Need this to get version number from last tag
+          fetch-depth: 0
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Docker Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Create tags for publishing image
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository }}/account-sync
+          tags: |
+            type=ref,event=tag
+            type=raw,value=latest
+
+      - name: Build and publish debug image to container registry
+        if: github.ref_type == 'tag'
+        uses: docker/build-push-action@v6
+        env:
+          DOCKER_BUILD_RECORD_UPLOAD: false
+        with:
+          context: account-sync
+          push: true
+          tags: ${{ steps.debug-meta.outputs.tags }}

.github/workflows/_container.yml

@@ -46,6 +46,26 @@ jobs:
             type=ref,event=tag
             type=raw,value=latest
 
+      - name: Create tags for publishing debug image
+        id: debug-meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=ref,event=tag,suffix=-debug
+            type=raw,value=latest-debug
+
+      - name: Build and publish debug image to container registry
+        if: github.ref_type == 'tag'
+        uses: docker/build-push-action@v6
+        env:
+          DOCKER_BUILD_RECORD_UPLOAD: false
+        with:
+          context: .
+          push: true
+          target: debug
+          tags: ${{ steps.debug-meta.outputs.tags }}
+
       - name: Push cached image to container registry
         if: github.ref_type == 'tag'
         uses: docker/build-push-action@v6

.github/workflows/ci.yml

@@ -45,3 +45,10 @@ jobs:
     uses: ./.github/workflows/_release.yml
     permissions:
       contents: write
+
+  release-account-sync:
+    if: github.ref_type == 'tag'
+    needs: release
+    uses: ./.github/workflows/_account_sync.yml
+    permissions:
+      contents: write

account-sync/Dockerfile

@@ -0,0 +1,10 @@
+ARG PYTHON_VERSION=3.11
+# Use same base image as debug to prevent incompatibilities 
+FROM python:${PYTHON_VERSION}-slim
+
+RUN apt update
+RUN DEBIAN_FRONTEND=noninteractive apt install libnss-ldapd -y
+COPY dls-nslcd.conf /etc/nslcd.conf
+
+ENTRYPOINT [ "nslcd" ]
+CMD [ "--debug" ]

account-sync/dls-nslcd.conf

@@ -0,0 +1,4 @@
+URI ldap://ldap.diamond.ac.uk ldap://ldap2.diamond.ac.uk
+TIMELIMIT 30
+base dc=diamond,dc=ac,dc=uk
+tls_reqcert allow

docs/how-to/debug-in-cluster.md

@@ -0,0 +1,47 @@
+# Debug a container within a cluster
+
+The container build also publishes a debug container for each tagged release of the container with the tag suffixed with `-debug`. This container contains the workspace and has an alternative entrypoint which allows the devcontainer to attach so if you have configured a `livenessProbe` that requires the service to have started it should be disabled.
+
+With the Kubernetes plugin for vscode it is then possible to attach to the container inside the cluster. This may require that the kubeconfig is at `~/.kube/config`, rather than referenced from the environment variable `KUBECONFIG`.
+
+For containers running in the Diamond Kubernetes infrastructure that run as a specific uid (e.g. if mounting the filesystem), it is required to use a sidecar container to provide name resolution with Diamond's LDAP infrastructure and to mount a home directory to download vscode plugins. 
+
+A sidecar for the Debian-based Python image this template uses is published as a container from this repository, the version should match the version of the python-copier-template you are using, to ensure compatibility with the underlying container infrastructure.
+
+```yaml
+- name: debug-account-sync
+    image: ghcr.io/diamondlightsource/python-copier-template/account-sync:<version>
+    volumeMounts:
+    # This allows the nslcd socket to be shared between the main container and the sidecar
+    - mountPath: /var/run/nslcd
+    name: nslcd
+```
+
+The following changes/additions to your `values.yaml` will be required to connect vscode when using the sidecar.
+
+```yaml
+volumes:
+- name: home  # Required for vscode to install plugins
+  hostPath:
+    path: /home/
+- name: nslcd  # Shared volume between main and sidecar container
+  emptyDir:
+    sizeLimit: 500Mi
+
+volumeMounts:
+- mountPath: /home/
+  name: home
+- mountPath: /var/run/nslcd
+  name: nslcd
+
+# Disable any liveness probe, as will not start service automatically
+livenessProbe:
+
+# Required to mount /home/, /dls/ etc.
+podSecurityContext:
+  runAsUser: <uid>
+  runAsGroup: <gid>
+
+image:
+  tag: "<version>-debug"
+```

docs/images/debugging-kubernetes.jpg

@@ -18,6 +18,19 @@ COPY . /context
 WORKDIR /context
 RUN touch dev-requirements.txt && pip install -c dev-requirements.txt .
 
+FROM build AS debug
+
+RUN apt update
+# TODO: Is this required?
+RUN DEBIAN_FRONTEND=noninteractive apt install libnss-ldapd -y
+RUN sed -i 's/files/ldap files/g' /etc/nsswitch.conf
+
+RUN pip install debugpy
+RUN pip install -e .
+
+ENTRYPOINT [ "/bin/bash", "-c", "--" ]
+CMD [ "while true; do sleep 30; done;" ]
+
 # The runtime stage copies the built venv into a slim runtime container
 FROM python:${PYTHON_VERSION}-slim AS runtime
 # Add apt-get system dependecies for runtime here if needed