brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-09 05:44:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
ca3d1a71fc82062c140df3faf73ef8d93aba1ec5
oam/knowledge base/kaniko.md
Michele Cereda 3467328c89 chore(containers): improve building images
2025-06-18 19:38:47 +02:00

160 lines
5.7 KiB
Markdown
Raw Blame History

# Kaniko
Tool to build container images from a Dockerfile with**out** the need of the Docker engine.
1. [TL;DR](#tldr)
1. [Create local images using local cache](#create-local-images-using-local-cache)
1. [Usage in GitLab pipelines](#usage-in-gitlab-pipelines)
1. [Further readings](#further-readings)
1. [Sources](#sources)
## TL;DR
Kaniko **requires** to be run from a container using the `gcr.io/kaniko-project/executor` image.
It builds images completely in userspace from within the container.<br/>
It does so by executing the Dockerfile's commands, in order, in a directory on the current file system. Should a command
make any changes in that directory, Kaniko takes a snapshot of it as a _diff_ layer and updates the resulting image's
metadata.
Kaniko, like Docker, requires a context for the build process.<br/>
It is defined by the `--context` option and supports the following storage solutions:
- GCS Bucket
- S3 Bucket
- Azure Blob Storage
- Local Directory
- Local Tar
- Standard Input
- Git Repository
The executor's image has the following utilities built in:
- Amazon ECR credential helper.
- Azure ACR credential helper.
Enable the cache with the `--cache` option.<br/>
If using the cache, it (either-or):
- Has to be a container registry.
- Has to be pre-populated, as Kaniko is currently **not** able to manage local caches during execution.<br/>
Leverage the `warmer` utility in Kaniko for this. Refer [Cache and Kaniko].
<details>
<summary>Setup</summary>
```sh
docker pull 'gcr.io/kaniko-project/executor'
docker pull 'gcr.io/kaniko-project/executor:debug'
docker pull 'gcr.io/kaniko-project/executor:v1.23.2-debug'
```
</details>
<details>
<summary>Usage</summary>
```sh
docker run --rm -ti -v "$PWD:/workspace" 'gcr.io/kaniko-project/executor' --no-push
docker run --rm --name 'kaniko' -ti -v "$PWD:/workspace" 'gcr.io/kaniko-project/executor' \
--context '/workspace/context' --dockerfile '/workspace/context/Dockerfile' --no-push
docker run … \
-e "GOOGLE_APPLICATION_CREDENTIALS=/kaniko/config.json" \
-v "$PWD/gcp-secret.json:/kaniko/config.json:ro" \
-v "$HOME/.docker/config.json:/kaniko/.docker/config.json:ro" \
-v "$HOME/.aws:/root/.aws:ro" \
'gcr.io/kaniko-project/executor' \
--context 'dir://context' \
--destination 'docker-hub-repo/custom-image:1.2.3' \
--destination '012345678901.dkr.ecr.eu-west-1.amazonaws.com/aws-repo:1.2.3' \
--destination 'gcr.io/gcp-project-id/custom-image:1.2.3' \
--destination 'mycr.azurecr.io/azure-repository:1.2.3'
docker run … -v "$PWD/config.json:/kaniko/.docker/config.json:ro" 'gcr.io/kaniko-project/executor:latest'
docker run … 'gcr.io/kaniko-project/executor' … --cache --custom-platform 'linux/amd64' --build-arg VERSION='1.2'
# Populate build caches.
docker run -it --rm -v "$PWD/cache:/cache" 'gcr.io/kaniko-project/warmer' \
--image='maven:3-jdk-11-slim' --image='openjdk:11-jre-slim'
```
</details>
<details>
<summary>Real world use cases</summary>
<details style="padding-left: 1rem">
<summary>Test the Dockerfile for an Ansible execution environment the way a GitLab pipeline would need to execute it</summary>
```sh
docker run --rm -ti -v "$PWD:/workspace" 'gcr.io/kaniko-project/executor:debug' /kaniko/executor --no-push
docker run --rm -ti -v "$PWD:/workspace" --entrypoint '' 'gcr.io/kaniko-project/executor:v1.23.2-debug' \
/kaniko/executor --context '/workspace/someDir' --dockerfile '/workspace/someDir/someDockerfile' --no-push
```
</details>
</details>
## Create local images using local cache
Uses images from the local cache.<br/>
It does **not** _save_ cache images in the local cache directory since Kaniko is currently **not** able to manage such
caches during execution. Refer [Cache and Kaniko].
Creates a root-owned file called `image.tar` in the current directory.<br/>
Run `docker load -i 'image.tar'` to load it into Docker as `image:1.0`.
Image and repository names can only contain the characters `abcdefghijklmnopqrstuvwxyz0123456789_-./`.
```sh
docker run --rm -ti -v "$PWD/cache:/cache" 'gcr.io/kaniko-project/warmer' --image='python:3.10'
docker run --rm -ti -v "$PWD:/workspace" 'gcr.io/kaniko-project/executor:debug' --reproducible \
--no-push --tar-path '/workspace/image.tar' --destination 'image:1.0' \
--cache --cache-dir '/workspace/cache' --cache-repo 'oci://cache'
```
## Usage in GitLab pipelines
```yaml
build-container:
stage: build
image:
name: gcr.io/kaniko-project/executor:debug
entrypoint: [""]
script:
- >-
/kaniko/executor
--context "${CI_PROJECT_DIR}"
--destination "${CI_REGISTRY_IMAGE}:latest"
```
## Further readings
- [Codebase]
- [Cache and Kaniko]
### Sources
- [Use kaniko to build Docker images]
- [An Introduction to Kaniko]
- [Introducing kaniko: Build container images in Kubernetes and Google Container Builder without privileges]
- [Kaniko: Kubernetes native daemonless Docker image builder]
<!--
Reference
═╬═Time══
-->
<!-- In-article sections -->
<!-- Knowledge base -->
<!-- Files -->
<!-- Upstream -->
[codebase]: https://github.com/GoogleContainerTools/kaniko
[introducing kaniko: build container images in kubernetes and google container builder without privileges]: https://cloud.google.com/blog/products/containers-kubernetes/introducing-kaniko-build-container-images-in-kubernetes-and-google-container-builder-even-without-root-access
<!-- Others -->
[an introduction to kaniko]: https://www.baeldung.com/ops/kaniko
[cache and kaniko]: https://medium.com/swlh/cache-and-kaniko-2cfb766925af
[kaniko: kubernetes native daemonless docker image builder]: https://8grams.medium.com/kaniko-kubernetes-native-daemonless-docker-image-builder-8eec88979f9e
[use kaniko to build docker images]: https://docs.gitlab.com/ee/ci/docker/using_kaniko.html
Reference in New Issue View Git Blame Copy Permalink