Lightweight OCI compatible images for OpenStack Projects
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Jean-Philippe Evrard b901ac0bed Remove pylxd before 2.2.7 3 weeks ago
.zuul.d Add placement container building 6 months ago
dockerfiles Update repositories of Centos base to get updated qemu 4 months ago
playbooks Move to opendev 3 weeks ago
scripts Remove pylxd before 2.2.7 3 weeks ago
.gitreview OpenDev Migration Patch 1 month ago
Dockerfile Move to opendev 3 weeks ago Move to opendev 3 weeks ago
bindep.txt Install python3-testsuite for OpenSUSE python3 based containers. 2 months ago
pydep.txt allow using python-ldap instead of pyldap 2 months ago

OpenStack LOCI

OpenStack LOCI is a project designed to quickly build Lightweight OCI compatible images of OpenStack services.

Currently we build and gate images for the following OpenStack projects:

Additionally, we produce a “wheels” image for requirements containing all of the packages listed in upper-constraints.txt.

The instructions below can be used for any OpenStack service currently targeted by LOCI. For simplicity, we will continue to use Keystone as an example.

Keystone Image Layer Info



openSUSE Leap:


Building locally

Note: To build locally, you will need a version of docker >= 17.05.0.

It’s really easy to build images locally:

$ docker build --build-arg PROJECT=keystone \
    --tag keystone:ubuntu

The default base distro is Ubuntu, however, you can use the following form to build from a distro of your choice, in this case, CentOS:

$ docker build \
    --build-arg PROJECT=keystone \
    --build-arg WHEELS="loci/requirements:master-centos" \
    --build-arg FROM=centos:7 \
    --tag keystone:centos

If building behind a proxy, remember to use build arguments to pass these through to the build:

$ docker build \
    --build-arg http_proxy=$http_proxy \
    --build-arg https_proxy=$https_proxy \
    --build-arg no_proxy=$no_proxy \
    --build-arg PROJECT=keystone \
    --tag keystone:ubuntu

For more advanced building you can use docker build arguments to define:

  • FROM The base Docker image to build from. Currently supported are ubuntu:xenial, centos:7, opensuse/leap:15, or a base image derived from one of those distributions. Dockerfiles to bootstrap the base images can be found in the dockerfiles directory, and are a good starting point for customizing a base image.
  • PROJECT The name of the project to install.
  • PROJECT_REPO The git repo containing the OpenStack project the container should contain
  • PROJECT_REF The git ref, branch, or tag the container should fetch for the project
  • UID The uid of the user that will be created (defaults to 42424).
  • GID The gid of the group that will be created (default to 42424).
  • WHEELS The location of the wheels tarball. This accepts a url to a tarball or a Docker image name in the form of [myregistry/]mydockernamespace/requirements[:ubuntu]
  • DISTRO This is a helper variable used for scripts. It would primarily be used in situations where the script would not detect the correct distro. For example, you would set DISTRO=centos when running from an oraclelinux base image.
  • PROFILES The bindep profiles to specify to configure which packages get installed. This is a space separated list.
  • PIP_PACKAGES Specify additional python packages you would like installed. The only caveat is these packages must exist in WHEELS form. So if you wanted to include rpdb, you would need to have built that into your WHEELS.
  • PIP_ARGS Specify additional pip parameters you would like.
  • PIP_WHEEL_ARGS Specify additional pip wheel parameters you would like. Default is PIP_ARGS.
  • DIST_PACKAGES Specify additional distribution packages you would like installed.
  • EXTRA_BINDEP Specify a bindep-* file to add in the container. It would be considered next to the default bindep.txt.
  • EXTRA_PYDEP Specify a pydep-* file to add in the container. It would be considered next to the default pydep.txt.
  • REGISTRY_PROTOCOL Set this to https if you are running your own registry on https, http if you are running on http, or leave it as detect if you want to re-use existing protocol detection.
  • REGISTRY_INSECURE Set this to True if your image registry is running on HTTPS with self-signed certificates to ignore SSL verification. (defaults to False)

This makes it really easy to integrate LOCI images into your development or CI/CD workflow, for example, if you wanted to build an image from this PS you could run:

$ docker build \
    --build-arg PROJECT=keystone \
    --tag mydockernamespace/keystone-testing:418167-1 \
    --build-arg PROJECT_REF=refs/changes/67/418167/1

To build with the wheels from a private Docker registry rather than Docker Hub run:

$ docker build \
    --build-arg PROJECT=keystone \
    --build-arg WHEELS=

To build cinder with lvm and ceph support you would run:

$ docker build \
    --build-arg PROJECT=cinder \
    --build-arg PROFILES="lvm ceph"


The images should contain all the required assets for running the service. But if you wish or need to customize the loci/keystone image that’s great! We hope to have built the images to make this as easy and flexible as possible. To do this we recommend that you perform any required customization in a child image using a pattern similar to:

FROM loci/keystone:master-ubuntu

RUN set -x \
    && apt-get update \
    && apt-get install -y --no-install-recommends your-awesome-binary-package \
    && rm -rf /var/lib/apt/lists/*

A Note on the Stability of LOCI

LOCI is considered stable. There are production installs of OpenStack using LOCI built images at this time.

The project is very low-entropy with very little changing, but this is expected. The highest traffic section of LOCI is the gates.