Kaniko
Tool to build container images from a Dockerfile without needing the Docker engine.
TL;DR
Kaniko must be run in a container started from the gcr.io/kaniko-project/executor image.
It builds images entirely in userspace from within that container.
It does so by executing the Dockerfile's commands, in order, in a directory on the current file system. Whenever a command
changes that directory, Kaniko snapshots the change as a diff layer and updates the resulting image's metadata.
Kaniko, like Docker, requires a build context.
It is set with the --context option and supports the following storage backends:
- GCS Bucket
- S3 Bucket
- Azure Blob Storage
- Local Directory
- Local Tar
- Standard Input
- Git Repository
The executor's image has the following utilities built in:
- Amazon ECR credential helper.
- Azure ACR credential helper.
Enable the cache with the --cache option.
When the cache is used, it (either-or):
- Has to be a container registry.
- Has to be pre-populated, as Kaniko is currently not able to manage local caches during execution.
Use the warmer utility shipped with Kaniko to pre-populate it. Refer to Cache and Kaniko.
Setup
docker pull 'gcr.io/kaniko-project/executor'
docker pull 'gcr.io/kaniko-project/executor:debug'
docker pull 'gcr.io/kaniko-project/executor:v1.23.2-debug'
Usage
docker run --rm -ti -v "$PWD:/workspace" 'gcr.io/kaniko-project/executor' --no-push
docker run --rm --name 'kaniko' -ti -v "$PWD:/workspace" 'gcr.io/kaniko-project/executor' \
--context '/workspace/context' --dockerfile '/workspace/context/Dockerfile' --no-push
docker run … \
-e "GOOGLE_APPLICATION_CREDENTIALS=/kaniko/config.json" \
-v "$PWD/gcp-secret.json:/kaniko/config.json:ro" \
-v "$HOME/.docker/config.json:/kaniko/.docker/config.json:ro" \
-v "$HOME/.aws:/root/.aws:ro" \
'gcr.io/kaniko-project/executor' \
--context 'dir://context' \
--destination 'docker-hub-repo/custom-image:1.2.3' \
--destination '012345678901.dkr.ecr.eu-west-1.amazonaws.com/aws-repo:1.2.3' \
--destination 'gcr.io/gcp-project-id/custom-image:1.2.3' \
--destination 'mycr.azurecr.io/azure-repository:1.2.3'
docker run … -v "$PWD/config.json:/kaniko/.docker/config.json:ro" 'gcr.io/kaniko-project/executor:latest'
docker run … 'gcr.io/kaniko-project/executor' … --cache --custom-platform 'linux/amd64' --build-arg VERSION='1.2'
# Populate build caches.
docker run -it --rm -v "$PWD/cache:/cache" 'gcr.io/kaniko-project/warmer' \
--image='maven:3-jdk-11-slim' --image='openjdk:11-jre-slim'
Real world use cases
Create local images using local cache
Uses images from the local cache.
It does not save cache images in the local cache directory, since Kaniko is currently not able to manage such
caches during execution. Refer to Cache and Kaniko.
Creates a root-owned file called image.tar in the current directory.
Run docker load -i 'image.tar' to load it into Docker as image:1.0.
Image and repository names can only contain the characters abcdefghijklmnopqrstuvwxyz0123456789_-./.
docker run --rm -ti -v "$PWD/cache:/cache" 'gcr.io/kaniko-project/warmer' --image='python:3.10'
docker run --rm -ti -v "$PWD:/workspace" 'gcr.io/kaniko-project/executor:debug' --reproducible \
--no-push --tar-path '/workspace/image.tar' --destination 'image:1.0' \
--cache --cache-dir '/workspace/cache' --cache-repo 'oci://cache'
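As an added example (not code from the Kaniko project), the following POSIX shell wrapper assembles the docker run invocation from the Usage section, mounts registry credentials read-only, and enforces the name rule stated above on every --destination before anything runs; the function names and the KANIKO_DRY_RUN variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Kaniko's own code: a wrapper around the docker run
# invocations from the notes above. KANIKO_DRY_RUN=1 is an assumed variable
# that prints the assembled command instead of running it.

# Check a --destination against the naming rule stated in the notes: the
# repository part may only contain abcdefghijklmnopqrstuvwxyz0123456789_-./
# The optional tag after the last ':' follows Docker's reference grammar.
validate_destination() {
  name=$1 repo=$1 tag=''
  case "$name" in
    *:*)
      tag=${name##*:}              # text after the last ':'
      case "$tag" in
        */*) tag='' ;;             # a '/' after it: the ':' was a registry port
        '')  return 1 ;;           # trailing ':' without a tag
        *)   repo=${name%:*} ;;
      esac ;;
  esac
  [ -n "$repo" ] || return 1
  case "$repo" in *[!abcdefghijklmnopqrstuvwxyz0123456789_./-]*) return 1 ;; esac
  case "$tag" in *[!A-Za-z0-9_.-]*) return 1 ;; esac
  return 0
}

# Build from <context dir> <Dockerfile> [destination ...]: context mounted at
# /workspace, registry credentials mounted read-only, no Docker socket handed
# to the build. Without destinations it only builds (--no-push), as in Usage.
kaniko_build() {
  ctx=$1 df=$2
  shift 2
  [ -d "$ctx" ] || { echo "context dir not found: $ctx" >&2; return 1; }
  [ -f "$ctx/$df" ] || { echo "Dockerfile not found: $ctx/$df" >&2; return 1; }
  for d in "$@"; do
    validate_destination "$d" || { echo "invalid destination: $d" >&2; return 1; }
  done
  n=$#                             # rewrite "$@" as --destination pairs
  while [ "$n" -gt 0 ]; do set -- "$@" --destination "$1"; shift; n=$((n - 1)); done
  [ $# -gt 0 ] || set -- --no-push
  set -- docker run --rm -v "$ctx:/workspace" \
    -v "$HOME/.docker/config.json:/kaniko/.docker/config.json:ro" \
    gcr.io/kaniko-project/executor --context /workspace \
    --dockerfile "/workspace/$df" --reproducible "$@"
  if [ "${KANIKO_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$@"; return 0; fi
  "$@"
}
```

Run it as `kaniko_build . Dockerfile 'gcr.io/gcp-project-id/custom-image:1.2.3'`; a destination with uppercase letters or a missing tag after ':' is refused before Docker is invoked.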
Test the Dockerfile for an Ansible execution environment the way a GitLab pipeline would need to execute it
docker run --rm -ti -v "$PWD:/workspace" 'gcr.io/kaniko-project/executor:debug' /kaniko/executor --no-push
docker run --rm -ti -v "$PWD:/workspace" --entrypoint '' 'gcr.io/kaniko-project/executor:v1.23.2-debug' \
/kaniko/executor --context '/workspace/someDir' --dockerfile '/workspace/someDir/someDockerfile' --no-push
Usage in GitLab pipelines
build-container:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    - >-
      /kaniko/executor
      --context "${CI_PROJECT_DIR}"
      --destination "${CI_REGISTRY_IMAGE}:latest"