nnthanh101/runbooks

By nnthanh101

Updated about 1 month ago

Enterprise CloudOps Automation Toolkit - Multi-variant DevContainer

Image
Languages & frameworks
Integration & delivery
Data science
0

7.7K

nnthanh101/runbooks repository overview

nnthanh101/runbooks — Enterprise CloudOps DevContainer

Enterprise CloudOps automation runtime for teams running AWS/Azure automation, AI agent workflows, Jupyter notebooks, and data analytics — all from a single supply-chain-hardened image family.

Executive Summary

nnthanh101/runbooks is a Chainguard Wolfi-based container family for CloudOps automation, Jupyter analytics, and AI agent workflows. All variants share one non-root, supply-chain-hardened base — only the toolset changes. For Command-Center: pull :prod; for DevContainer or CI: pull :full.

Quick Start

# Command-Center production (JupyterLab + runbooks + Vizro)
docker pull nnthanh101/runbooks:prod
docker run -it --rm -p 8888:8888 \
  -v ~/.aws:/home/os/.aws:ro \
  -v $(pwd):/app/notebooks \
  nnthanh101/runbooks:prod

# Full devcontainer (all features)
docker pull nnthanh101/runbooks:full
docker run -it --rm \
  -v ~/.aws:/home/os/.aws:ro \
  -e ANTHROPIC_API_KEY=$ANTHROPIC_API_KEY \
  nnthanh101/runbooks:full

# VS Code DevContainer
# F1 → "Dev Containers: Reopen in Container"

# PyPI package (the runbooks CLI tool)
pip install runbooks
runbooks --help

5W1H

WhoCloudOps/Python engineers automating AWS; FinOps analysts; Data scientists; Command-Center operators
WhatPython 3.13 + UV + boto3 + Click + Rich + JupyterLab + Vizro + MkDocs + AWS/Azure CLI
WhenDaily CloudOps runbooks, AWS automation, FinOps dashboards, Jupyter analysis, PyPI publishing
WhereVS Code DevContainer (daily dev), GH Actions CI, Command-Center production, PyPI pipeline
WhyPython-first toolchain; IaC tools (Terraform, CDK) would bloat this image unnecessarily
HowMulti-stage Chainguard Wolfi build (builder → core → prod → full), uv lockfile, SHA256-pinned base

Image Variants

TagDockerfile stageSize est.Use CaseKey Contents
corecore~500MBMinimal Python runtimePython 3.13, UV, git, jq, task, bash
prodprod~500MBCommand-Center productioncore + runbooks PyPI + JupyterLab (auto) + MkDocs + Vizro (manual)
full / latestlatest~1.5GBAll features (devcontainer, CI/act)prod + AWS CLI v2 + Azure CLI + Ansible + Node.js + CrewAI + MkDocs

Tag simplification 2026-05-15: core/prod/full replaces the former core/cloudops/latest taxonomy. latest is kept as an alias for full for backward compatibility.

Choosing the right tag
  • Command-Center notebooks/dashboardsprod (JupyterLab + Vizro + runbooks PyPI, minimal size)
  • AWS/Azure automation scriptsfull (boto3 + AWS CLI v2 + Azure CLI included)
  • Lightweight CI stepscore (Python + UV, no extras)
  • Full devcontainer or local act runnerfull (all tools, Node.js, act-compatible)

Business Value

Speed to Production
BeforeAfter
Separate Python environments per teamOne nnthanh101/runbooks:<tag> per workload, same Wolfi base
Manual dependency conflict resolutionUV package manager — deterministic, reproducible installs
"It worked in Jupyter" failures in prodSame Python 3.13 + boto3 in notebooks and production scripts
CrewAI environment setup: hoursdocker pull nnthanh101/runbooks:full + run
Cost Optimization
  • Right-size per workload: core (~500MB) for scripting, prod (~500MB) for notebooks, full (~1.5GB) for all-in-one
  • Multi-arch: linux/amd64 + linux/arm64 — AWS Graviton spot instances for cost-sensitive batch
  • Air-gap ready: Mirror once to ECR/ACR — no runtime Docker Hub dependency
  • UV package manager: 10-100× faster dependency installs vs pip — measurable CI time savings at scale
Risk Reduction
  • Supply chain hardening: Chainguard Wolfi base, sigstore-signed — SHA256-pinned in versions.env
  • Non-root by default: os user (UID 11111) — no privileged container risk
  • No credentials in image: API keys via environment variables only
  • Audit trail: Every release is git-tagged and CI-built — reproducible artifact traceable to commit

GH Actions CI Job

jobs:
  automate:
    runs-on: ubuntu-latest
    container:
      image: nnthanh101/runbooks:full
      options: --user 0
    steps:
      - uses: actions/checkout@v4
      - run: python scripts/aws-automation.py

What's Inside

CategoryToolVersionSource
RuntimePython3.13Chainguard Wolfi base
UV (package manager)0.10.9Binary (SHA256)
GitHub CLI (gh)2.88.1Binary (full only)
CloudAWS CLI v2latestWolfi APK (full only)
Azure CLIlatestWolfi APK (full only)
boto3latestuv pip (all tags via /venv)
Data / NotebooksJupyterLab≥4.3.4uv pip (prod + full)
pandas, plotly, openpyxllatestuv pip (all tags)
Vizro, vizro-ai≥0.1.46uv pip (prod + full)
papermill, nbconvertlatestuv pip (prod + full)
AI/AgentsOpenAI, Anthropic, CrewAIlatestuv pip (full only)
DocumentationMkDocs Materiallatestuv pip (prod + full)
AutomationAnsiblelatestWolfi APK (full only)
Task runnerlatestWolfi APK (all tags)
Starship promptlatestWolfi APK (all tags)
Utilitiesgit, jq, vim, curllatestWolfi APK (all tags)

Exposed Ports

PortServiceTag
8888JupyterLab (jupyter.sh)prod, full
8000MkDocs serve (docs.sh)prod, full
8050Vizro / Dash (start manually: python -m vizro)prod, full (vizro in /venv; not auto-started)

Security Architecture

  • Base: cgr.dev/chainguard/wolfi-base — sigstore-signed, minimal CVE surface
  • Base SHA256: Pinned in RUNBOOKS_BASE_IMAGE in versions.env
  • User: Non-root os (UID 11111) across all tags
  • Dependencies: uv lockfile (uv.lock) for deterministic builds
  • Scanning: Trivy on every CI release per tag, SARIF uploaded to GitHub Security tab

CI/CD Pipeline

Validate → Build 3 tags (amd64+arm64) → Scan (Trivy) → Test → Push → GitHub Security (SARIF)

Air-Gap Deployment

Mirror to ECR/ACR and reference by digest — no runtime Docker Hub dependency.

Docker Hub PyPI

Tag summary

Content type

Image

Digest

sha256:95d61a28c

Size

722.7 MB

Last updated

about 1 month ago

docker pull nnthanh101/runbooks