The second step in this journey involves creating a Docker image that's customized for your SAS Viya environment. After crafting it, the next move is to push this tailor-made Docker image to a GitLab container registry. But what exactly does the Docker image do? How does it integrate with a Kubernetes executor? And what are the benefits of hosting this image in a private GitLab container registry? Explore the post to uncover these answers.

Post Series

In this post series you will learn how to:

• Register the GitLab Kubernetes Runner.
• Create Your Own Docker Image for SAS Viya – the current post.
• Use GitLab Pipelines to Execute Commands in SAS Viya, using the Docker image you built as the base for your executor.

Summary

For secure execution of SAS Viya jobs using a Kubernetes executor, a Docker image containing essential SAS Viya elements is necessary. This image, which includes the SAS Viya Command Line Interface (CLI) and environment-specific TLS certificates, is pulled by Kubernetes to create an executor pod. The CLI enables task execution and log retrieval within the SAS Viya environment, making the custom Docker image a critical component for operations.

Video

Take a look at the following video, in which we demonstrate the steps to build the Docker image.

Steps

Access Token

To authenticate with your private GitLab container registry, you must obtain an access token from your GitLab project. Navigate to 'Settings' and then 'Access Token' to create one. Ensure the token has 'write_repository' permissions for the necessary access or a role that has these permissions (e.g., Developer).

Container Registry Authentication

To push a Docker image to a private registry, authentication is required. On a system with Docker installed, use your GitLab credentials to log in to the GitLab registry. For the password, use the access token you created in GitLab.

Docker Image

Here is a streamlined version of the instructions:

SAS Viya TLS certificates

Create a folder to house the necessary files. Obtain the certificates using a kubectl command.

mkdir -p docker_gitlab
cd docker_gitlab
mkdir -p files
# Obtain the Truststore Certificate File from Your Cluster
kubectl -n name-of-namespace cp $(kubectl -n name-of-namespace get pod | grep "sas-logon-app" | awk -F" " '{print $1}'):security/trustedcerts.pem files/gelenv_trustedcerts.pem
# Copy the certificate in /files
ls -la
ls -la files

The SAS Viya CLI file

For Linux, download the TGZ file from the SAS Downloads Page in the docker_gitlab/files folder.

Select any image to see a larger version.
Mobile users: To view the images, select the "Full" version at the bottom of the page.

Dockerfile

Within the docker_gitlab folder, craft a Dockerfile.

tee Dockerfile> /dev/null << EOF
FROM centos:8

MAINTAINER YourName “your email”

RUN sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
RUN sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
RUN dnf update -y && dnf upgrade -y \
        && dnf install epel-release -y \
        && dnf install jq -y \
        && dnf install -y nfs-utils \
        && dnf clean all \
        && rm -rf /var/cache/yum

ADD files/sas-viya-cli-1.21.30-linux-amd64.tgz /usr/local/bin

WORKDIR /usr/local/bin
COPY ./gelenv_trustedcerts.pem .

RUN sas-viya plugins install --repo SAS audit \
        && sas-viya plugins install --repo SAS authorization \
        && sas-viya plugins install --repo SAS batch \
#       && sas-viya plugins install --repo SAS cas \
#       && sas-viya plugins install --repo SAS compute \
        && sas-viya plugins install --repo SAS configuration \
#       && sas-viya plugins install --repo SAS dcmtransfer \
#       && sas-viya plugins install --repo SAS decisiongitdeploy \
#       && sas-viya plugins install --repo SAS devices \
#       && sas-viya plugins install --repo SAS folders \
#       && sas-viya plugins install --repo SAS fonts \
#       && sas-viya plugins install --repo SAS identities \
        && sas-viya plugins install --repo SAS job \
#       && sas-viya plugins install --repo SAS launcher \
#       && sas-viya plugins install --repo SAS licenses \
#       && sas-viya plugins install --repo SAS mip-migration \
#       && sas-viya plugins install --repo SAS models \
#       && sas-viya plugins install --repo SAS notifications \
#       && sas-viya plugins install --repo SAS oauth \
#       && sas-viya plugins install --repo SAS qkbs \
#       && sas-viya plugins install --repo SAS reports \
#       && sas-viya plugins install --repo SAS rtdmobjectmigration \
#       && sas-viya plugins install --repo SAS scoreexecution \
#       && sas-viya plugins install --repo SAS sid-functions \
        && sas-viya plugins install --repo SAS transfer \
#       && sas-viya plugins install --repo SAS workload-orchestrator \
        && sas-viya plugins list

CMD ["/bin/bash"]

EOF

Building a Docker image requires specific files, including the SAS Viya TLS certificates and the SAS Viya CLI file, which can be obtained from the support.sas.com website. Let's examine the Dockerfile steps:

• The process begins by pulling the base image. While we use a CentOS image, alternative modern base images like RedHat's ubi8, which serves as the foundation for many SAS container images, can also be used.
• The next step updates and upgrades the existing packages on the system, followed by the installation of additional repositories, tools, and utilities.
• After setting up the environment, we incorporate the core SAS Viya components by adding the TLS certificates, and then we proceed to install the SAS Viya CLI. We decided to install only a few plugins, to keep the image size light.

Docker Build

Proceed to build the Docker image. Assign a tag to the newly created image. Push the tagged image to your private GitLab container registry.

GITLAB_REGISTRY=registry.gitlab.com/${YOUR_GITLAB_USER}/${YOUR_GITLAB_PROJECT}
TAG=0.07
# Build from Dockerfile
docker build -t ${GITLAB_REGISTRY}/jass/gitlab-runner-sas:${TAG} .

# List images
docker image ls

# Push to GitLab container registry
docker push ${GITLAB_REGISTRY}/jass/gitlab-runner-sas:${TAG}

Discussion

Why a custom image?

The question of using a custom image versus a pre-existing SAS Viya CLI Docker image is valid. While it's true that there is a SAS Viya CLI Docker image available, it's primarily suited for use with a shell executor, not directly with a Kubernetes executor.

For Kubernetes executors, which operate within a pod, having the TLS certificates accessible is essential, as well as the SAS Viya CLI image. There may be alternative methods to achieve this, but they would require further investigation.

Why a private GitLab container registry?

As you have the TLS certificate “baked in” the image, you must keep that image private. You can’t put it on a public registry as you would expose your SAS Viya certificates.

That's exactly the reason for using a private GitLab container registry, a decision rooted in security.

Conclusion

In this post, we've guided you through the steps to create a Docker image customized for your SAS Viya environment and demonstrated how to push the custom Docker image to a GitLab container registry.

Moving forward, we'll explore how to securely run SAS Viya jobs using GitLab CI/CD pipelines.

Thank you for reading!

Acknowledgements

Many thanks to Jan Kostrubiec @JanKostrubiec, Katarzyna Zuk @katarzynazuk, Lars Arne Skår @larsarne, and Neil Griffin @Neil-Griffin, from whom I learned the most about DevOps with SAS Viya and GitLab.

Thank you for your time reading this post. If you liked the post, give it a thumbs up! Please comment and tell us what you think about having conversations with your data. If you wish to get more information, please write me an email.

Find more articles from SAS Global Enablement and Learning here.