Container Reference

Quick reference for container standards, base images, and specifications.


SKAO base images

Select images from artefact.skao.int as your starting point:

| Image | Description |
|---|---|
| ska-base | CIS hardened Ubuntu 22.04 base image |
| ska-build-python | Ubuntu 22.04 build image for Python applications with Python 3.10 |
| ska-python | Ubuntu 22.04 runtime image for Python applications with Python 3.10 |
| ska-build-node | Ubuntu 22.04 build/test image for JavaScript with Node 22 and Cypress 14.2.0 |
| ska-node | Ubuntu 22.04 runtime image for JavaScript with Node 22 |
| ska-webserver | Ubuntu 22.04 with Nginx 1.27.3 and Python 3.10 for static sites and API proxying |
| ska-cuda | NVIDIA Ubuntu 22.04 runtime for CUDA applications with CUDA 12.14.x and Python 3.10.x |
| ska-build-cuda | NVIDIA Ubuntu 22.04 build image for CUDA applications with CUDA 12.14.x and Python 3.10.x |

Note

ska-build is deprecated. Use ska-build-python.

Image metadata labels

All SKAO images include these labels (also in /etc/skao.metadata):

| Label | Description |
|---|---|
| int.skao.image.created | ISO 8601 creation date |
| int.skao.image.version | Image version |
| int.skao.image.tags | Associated tags |
| int.skao.image.team | Responsible SKAO team |
| int.skao.image.url | Documentation URL |
| int.skao.image.source | Source code URL |
| int.skao.image.baseImage | Parent base image |

Dockerfile directive quick reference

| Directive | Usage |
|---|---|
| FROM | Base image — use stable tags with major.minor version (python:3.9) |
| ARG | Build-time variables — set defaults, override with --build-arg |
| ENV | Runtime environment variables — only for values needed in final image |
| RUN | Execute commands — combine related commands to minimise layers |
| COPY | Copy files — preferred over ADD (no auto-extraction behaviour) |
| ADD | Copy files — auto-extracts archives (use sparingly) |
| WORKDIR | Set working directory — always use for clarity |
| USER | Switch user — run as non-root when possible |
| EXPOSE | Document ports — informational, does not publish |
| VOLUME | Document mount points — informational, provides annotation |
| ENTRYPOINT | Main executable — use exec format ["app"] |
| CMD | Default arguments — use exec format ["arg1", "arg2"] |
| LABEL | Metadata — add provenance and traceability info |
| ONBUILD | Trigger for child images — use sparingly, can cause confusion |

Container standards checklist

Structuring applications:

  • ☐ One discrete application per container

  • ☐ Single executable entry point

  • ☐ No multi-process init (supervisord)

  • ☐ Proper signal handling from PID 1

  • ☐ One Git repository per container image

Building images:

  • ☐ Containers are immutable — no internal state

  • ☐ Minimal image size and layers

  • ☐ Layers ordered from static to volatile

  • ☐ Package cache cleaned after installs

  • ☐ No unnecessary packages (debuggers, editors)

  • ☐ Multi-stage builds for compiled dependencies

  • ☐ No secrets embedded in images

Naming and tagging:

  • ☐ Image name matches application name

  • ☐ Commit hash tag for development builds

  • ☐ Semantic version tags for releases

  • ☐ -dev suffix for debug images

  • ☐ Never use :latest in production

Running containers:

  • ☐ Memory and CPU limits set

  • ☐ Read-only mounts where possible

  • ☐ Non-root user when possible

  • ☐ No privileged mode unless essential

  • ☐ No --net=host unless essential

  • ☐ Configuration via environment variables or files

  • ☐ Logging to stdout/stderr
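
A minimal checker for the checklist items and directive guidance above that can be read straight from a Dockerfile: untagged or :latest base, ADD instead of COPY, shell-form ENTRYPOINT/CMD, uncleaned apt cache, secret-looking ENV/ARG, and a final stage left as root. This is an added example, not SKAO tooling; the rule names, the sample Dockerfile and its registry.example images are constructed, and the apt and secret checks are heuristics.

```python
import re

SAMPLE = """\
FROM registry.example/build-image:latest AS build
RUN apt-get update && \\
    apt-get install -y gcc
ADD app.tar.gz /src/
FROM registry.example/runtime-image:1.2
ENV API_TOKEN=changeme
ENTRYPOINT /app/run
"""  # constructed sample; registry, image names and tags are placeholders

def instructions(text):
    """Yield (line_no, DIRECTIVE, args), joining backslash continuations."""
    buf, start = "", 0
    for no, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line or line.startswith("#"):
            continue
        start = start or no
        buf += line.rstrip("\\") + " "
        if not line.endswith("\\"):
            op, _, args = buf.partition(" ")
            yield start, op.upper(), " ".join(args.split())
            buf, start = "", 0

def lint(text):
    """Return sorted (line_no, rule) findings; rule names are made up here."""
    out, stages, user, last_from = [], set(), None, 0
    for no, op, args in instructions(text):
        if op == "FROM":
            parts = [p for p in args.split() if not p.startswith("--")]
            image, user, last_from = parts[0], None, no  # new stage: USER unknown
            tag = image.rsplit("/", 1)[-1].partition(":")[2]
            if image.lower() not in stages | {"scratch"} and tag in ("", "latest"):
                out.append((no, "unpinned-base"))
            stages.update(p.lower() for p in parts[2:])  # stage alias after AS
        elif op == "ADD":
            out.append((no, "add-instead-of-copy"))
        elif op in ("ENTRYPOINT", "CMD") and not args.startswith("["):
            out.append((no, "shell-form"))
        elif op == "USER":
            user = args.split(":")[0]
        elif op == "RUN" and re.search(r"apt-get (-\S+ )*install", args) and "/var/lib/apt/lists" not in args:
            out.append((no, "apt-cache-kept"))
        elif op in ("ENV", "ARG") and re.search(r"(?i)(passw|secret|token|api_?key)\w*[= ]\S", args):
            out.append((no, "possible-secret"))
    if user in (None, "root", "0"):  # reported at the final stage's FROM line
        out.append((last_from, "final-stage-root"))
    return sorted(out)
```

The final-stage-root rule fires whenever the last stage has no explicit non-root USER, so it also flags images whose parent already switches user.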

Kubernetes storage classes

Available in SKAO-managed clusters:

| Class | Backend | Usage |
|---|---|---|
| nfss1 / nfs | CephFS | Shared network filesystem (ReadWriteMany) |
| bds1 / block | RBD | Single concurrent use ext4 (ReadWriteOnce) |

Naming convention: <type><class><version>[-location]

  • bd = block device, nfs = network filesystem

  • s = standard, i = IOPS optimised, t = throughput optimised

Helm chart structure

charts/myapp/
    Chart.yaml          # Metadata and dependencies
    LICENSE             # Optional: chart license
    README.md           # Optional: human-readable docs
    values.yaml         # Default configuration
    charts/             # Dependent charts
    templates/          # Kubernetes manifests
    templates/NOTES.txt # Optional: post-install notes
    templates/tests/    # Test pods for 'helm test'

Kubernetes resource labels

Apply these labels to all resources for filtering and identification:

| Label | Purpose |
|---|---|
| app.kubernetes.io/name | Application name (matches resource name) |
| app.kubernetes.io/instance | Release/deployment instance |
| app.kubernetes.io/version | Application version |
| app.kubernetes.io/component | Component type (database, api) |
| app.kubernetes.io/part-of | Parent application suite |
| app.kubernetes.io/managed-by | Tool managing this resource (helm) |
| helm.sh/chart | Chart name and version |
