Skip to content
Instruqt Lab Documentation

Container

The container resource defines Docker containers that run as part of your lab’s sandbox environment. Containers provide isolated environments for running applications, services, and tools that participants interact with during the lab.

HCL Syntax

Section titled “HCL Syntax”

Basic Syntax

Section titled “Basic Syntax”
resource "container" "name" {
  image {
    name = "ubuntu:22.04"
  }
}

Full Syntax

Section titled “Full Syntax”
resource "container" "name" {
  image {
    name = "image:tag"
  }


  # Optional configurations
  entrypoint      = ["executable", "param1"]
  command         = ["arg1", "arg2"]
  environment     = { KEY = "value" }
  labels          = { label = "value" }
  dns             = ["8.8.8.8", "8.8.4.4"]
  privileged      = false
  max_restart_count = 3


  # Network configuration
  network {
    id = resource.network.main.meta.id
    ip_address = "10.0.0.5"
    aliases = ["db", "database"]
  }


  # Resource constraints
  resources {
    cpu = 1000      # 1 CPU = 1000
    cpu_pin = [0, 1]
    memory = 512    # MB


    gpu {
      driver = "nvidia"
      device_ids = ["0"]
    }
  }


  # Volumes
  volume {
    source = "/host/path"
    destination = "/container/path"
    type = "bind"
    read_only = false
  }


  # Ports
  port {
    local = "8080"
    host = "8080"
    protocol = "tcp"
  }


  port_range {
    range = "3000-3010"
    enable_host = true
    protocol = "tcp"
  }


  # Security
  capabilities {
    add = ["SYS_ADMIN"]
    drop = ["NET_RAW"]
  }


  # User configuration
  run_as {
    user = "1000"
    group = "1000"
  }


  # Health check
  health_check {
    timeout = "10s"


    http {
      address = "http://localhost/health"
      method = "GET"
    }
  }
}

Resource Structure

Section titled “Resource Structure”
container
├─ image (required)
│  └─ name
├─ basic configuration
│  ├─ entrypoint, command
│  ├─ environment, labels, dns
│  ├─ privileged, max_restart_count
├─ networking
│  └─ network[] (repeatable)
│     ├─ id, ip_address, aliases
├─ storage
│  └─ volume[] (repeatable)
│     ├─ source, destination, type
│     └─ read_only, bind_propagation, selinux_relabel
├─ port exposure
│  ├─ port[] (repeatable)
│  │  ├─ local, remote, host, protocol, open_in_browser
│  └─ port_range[] (repeatable)
│     ├─ range, enable_host, protocol
├─ resource limits
│  └─ resources
│     ├─ cpu, cpu_pin, memory
│     └─ gpu
│        ├─ driver, device_ids
├─ security
│  ├─ capabilities
│  │  ├─ add[], drop[]
│  └─ run_as
│     ├─ user, group
└─ monitoring
   └─ health_check
      ├─ timeout
      ├─ http[] (address, method, body, headers, success_codes)
      ├─ tcp[] (address)
      └─ exec[] (command, script, exit_code)

Fields

Section titled “Fields”
FieldRequiredTypeDescription
imageblockDocker image configuration
entrypointlist(string)Override the default entrypoint
commandlist(string)Command to run in the container
environmentmap(string)Environment variables
labelsmap(string)Docker labels
dnslist(string)Custom DNS servers
privilegedboolRun container in privileged mode. Defaults to false.
max_restart_countnumberMaximum restart attempts. Defaults to 0.
networkblockNetwork attachments (repeatable)
volumeblockVolume mounts (repeatable)
portblockPort mappings (repeatable)
port_rangeblockPort range mappings (repeatable)
resourcesblockResource constraints
capabilitiesblockLinux capabilities configuration
run_asblockUser/group configuration
health_checkblockContainer health check

Image Configuration

Section titled “Image Configuration”

container → image

Configures the Docker image to use for the container.

FieldRequiredTypeDescription
namestringDocker image name with optional tag
usernamestringDocker registry username for private repositories
passwordstringDocker registry password for private repositories

Network Configuration

Section titled “Network Configuration”

container → network

Defines network attachments for the container. This block can be repeated to attach the container to multiple networks.

FieldRequiredTypeDescription
idreference to networkReference to the ID of a network resource
ip_addressstringStatic IP address. Auto-assigned if not specified.
aliaseslist(string)Network aliases for the container

Storage Configuration

Section titled “Storage Configuration”

container → volume

Configures volume mounts for the container. This block can be repeated to mount multiple volumes.

FieldRequiredTypeDescription
sourcestringSource path on host or volume name
destinationstringMount path inside container
typestringVolume type: “bind”, “volume”, or “tmpfs”. Defaults to “bind”.
read_onlyboolMount as read-only. Defaults to false.
bind_propagationstringBind propagation: “shared”, “private”, “slave”, “rslave”, “rprivate”
bind_propagation_non_recursiveboolNon-recursive bind mount. Defaults to false.
selinux_relabelstringSELinux relabeling: “shared” or “private”

Port Configuration

Section titled “Port Configuration”

container → port

Defines port mappings between the container and host. This block can be repeated to expose multiple ports.

FieldRequiredTypeDescription
localstringContainer port
remotestringRemote port of the service
hoststringHost port
protocolstringProtocol: “tcp” or “udp”. Defaults to “tcp”.
open_in_browserstringPath to open in browser when host port is defined

Port Range Configuration

Section titled “Port Range Configuration”

container → port_range

Defines port range mappings for exposing multiple consecutive ports. This block can be repeated for multiple port ranges.

FieldRequiredTypeDescription
rangestringPort range (e.g., “3000-3010”)
enable_hostboolEnable host port mapping. Defaults to false.
protocolstringProtocol: “tcp” or “udp”. Defaults to “tcp”.

Resource Constraints

Section titled “Resource Constraints”

container → resources

Configures CPU, memory, and GPU resource limits for the container.

FieldRequiredTypeDescription
cpunumberCPU limit (1 CPU = 1000)
cpu_pinlist(number)Pin container to specific CPU cores
memorynumberMemory limit in MB
gpublockGPU resource configuration

GPU Configuration

Section titled “GPU Configuration”

containerresources → gpu

Configures GPU resources for containers that need hardware acceleration for machine learning, graphics processing, or other compute-intensive tasks.

FieldRequiredTypeDescription
driverstringGPU driver to use (e.g., “nvidia”)
device_idslist(string)GPU device IDs to allocate

Security Configuration

Section titled “Security Configuration”

container → capabilities

Configures Linux capabilities for fine-grained privilege control.

FieldRequiredTypeDescription
addlist(string)Capabilities to add. Defaults to empty list.
droplist(string)Capabilities to remove. Defaults to empty list.

User Configuration

Section titled “User Configuration”

container → run_as

Specifies the user and group under which the container runs.

FieldRequiredTypeDescription
userstringUsername or UID
groupstringGroup name or GID

Health Monitoring

Section titled “Health Monitoring”

container → health_check

Configures health checks to monitor container status and availability.

FieldRequiredTypeDescription
timeoutstringHealth check timeout. Defaults to ”30s”.
httpblockHTTP health check (repeatable)
tcpblockTCP health check (repeatable)
execblockExecute command health check (repeatable)

HTTP Health Check

Section titled “HTTP Health Check”

containerhealth_check → http

Defines an HTTP-based health check that sends requests to specified endpoints.

FieldRequiredTypeDescription
addressstringHTTP endpoint URL
methodstringHTTP method. Defaults to “GET”.
bodystringRequest body
headersmap(list(string))HTTP headers
success_codeslist(number)Expected success codes. Defaults to [200].

TCP Health Check

Section titled “TCP Health Check”

containerhealth_check → tcp

Defines a TCP-based health check that verifies network connectivity.

FieldRequiredTypeDescription
addressstringTCP address to check

Exec Health Check

Section titled “Exec Health Check”

containerhealth_check → exec

Defines a command-based health check that executes a script or command to determine container health.

FieldRequiredTypeDescription
commandlist(string)Command to execute
scriptstringScript to execute
exit_codenumberExpected exit code. Defaults to 0.

Computed Attributes

Section titled “Computed Attributes”

These attributes are set by the system after the container is created:

Field Type Description
container_name string Fully qualified domain name for the container
image.id string Unique identifier for the image
network[].name string Network name as created by the system
network[].assigned_address string IP address assigned by the system

Validation Rules

Section titled “Validation Rules”
  • Volume source paths are made absolute relative to the config file location
  • For bind mounts, the source path must exist on the host
  • Port mappings must use valid port numbers (1-65535)
  • CPU values should be multiples of 1000 for whole CPUs
  • Memory values are in megabytes

Examples

Section titled “Examples”

Basic Container

Section titled “Basic Container”
resource "container" "ubuntu" {
  image {
    name = "ubuntu:22.04"
  }
}

Web Application Container

Section titled “Web Application Container”
resource "container" "webapp" {
  image {
    name = "myapp:latest"
  }


  environment = {
    NODE_ENV = "production"
    PORT = "3000"
  }


  port {
    local = "3000"
    host = "8080"
  }


  resources {
    cpu = 2000    # 2 CPUs
    memory = 1024 # 1GB
  }


  health_check {
    timeout = "5s"


    http {
      address = "http://localhost:3000/health"
      method = "GET"
    }
  }
}

Database Container with Volume

Section titled “Database Container with Volume”
resource "container" "postgres" {
  image {
    name = "postgres:15"
  }


  environment = {
    POSTGRES_PASSWORD = "secret"
    POSTGRES_DB = "myapp"
  }


  volume {
    source = "postgres-data"
    destination = "/var/lib/postgresql/data"
    type = "volume"
  }


  port {
    local = "5432"
  }


  network {
    id = resource.network.backend.meta.id
    aliases = ["db", "database"]
  }
}

Development Container with Multiple Networks

Section titled “Development Container with Multiple Networks”
resource "container" "devbox" {
  image {
    name = "instruqt/devbox:latest"
  }


  privileged = true


  network {
    id = resource.network.frontend.meta.id
    ip_address = "10.0.1.10"
  }


  network {
    id = resource.network.backend.meta.id
    ip_address = "10.0.2.10"
  }


  volume {
    source = "./code"
    destination = "/workspace"
    type = "bind"
  }


  volume {
    source = "/var/run/docker.sock"
    destination = "/var/run/docker.sock"
    type = "bind"
  }


  capabilities {
    add = ["SYS_PTRACE"]
  }


  run_as {
    user = "developer"
    group = "developer"
  }
}

GPU-Enabled Container

Section titled “GPU-Enabled Container”
resource "container" "ml_workspace" {
  image {
    name = "tensorflow/tensorflow:latest-gpu"
  }


  resources {
    cpu = 4000
    memory = 8192


    gpu {
      driver = "nvidia"
      device_ids = ["0", "1"]
    }
  }


  environment = {
    CUDA_VISIBLE_DEVICES = "0,1"
  }
}

Best Practices

Section titled “Best Practices”
  1. Image Tags: Always specify explicit image tags rather than using latest
  2. Resource Limits: Set appropriate CPU and memory limits to prevent resource exhaustion
  3. Health Checks: Configure health checks for services to ensure availability
  4. Non-Root Users: Use the run_as block to run containers as non-root users when possible
  5. Volume Types: Use named volumes for persistent data and bind mounts for development files
  6. Network Aliases: Use meaningful aliases for service discovery
  7. Environment Variables: Use environment variables for configuration instead of hardcoding values