Kaniko

• GoogleContainerTools/kaniko

  What is it? ？

  • Tools for building container images
  • Do not rely on Docker, Unwanted root jurisdiction
  • Reproducible container image construction

• gcr.io/kaniko-project/executor:latest

• gcr.io/kaniko-project/executor:debug - contain shell

• Reference resources

  • GitLab runner use Kaniko

• Focus on Kubernetes Build a mirror image

CAUTION

• Only support x86_64
• I won't support it multi-arch and manifest
• Cannot use local layer cache
• Performance may be weaker than dind - GoogleContainerTools/kaniko#875
• registry-mirror Prefix is not supported , for example registry.example.com/dockerhub

# debug  Environmental Science 
docker run --rm -it -w /workspace --entrypoint sh registry.cn-hongkong.aliyuncs.com/cmi/kaniko-project_executor:debug

mkdir -p /workspace /images /cache
cd /workspace

cat <<DOCKERFILE > Dockerfile FROM wener/base RUN apk add coreutils DOCKERFILE
# --no-push  Don't push  --tarPath  Generated  tar  Need to set up  --destination
# --context  Default  /workspace
# --cache  Enable cache  --cache-dir  Basic image cache directory , Default  /cache --cache-repo  Cache warehouse 
# --use-new-run  Experimental characteristics , Improve build performance 
# --reproducible  Remove timestamp 
/kaniko/executor --context $PWD --dockerfile $PWD/Dockerfile \
  --registry-mirror hbcvocvo.mirror.aliyuncs.com \
  --no-push --tarPath /images/build.tar --destination=image \
  --use-new-run --reproducible

# Docker  Authentication configuration 
mkdir -p /kaniko/.docker
#  To configure 
echo "{
    \"auths\":{
    \"$CI_REGISTRY\":{
    \"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
#  Build and push 
/kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG

#  Build... Directly 
# registry.cn-hongkong.aliyuncs.com/cmi/kaniko-project_executor:latest
# gcr.io/kaniko-project/executor:latest
docker run \
  -v "$HOME"/.config/gcloud:/root/.config/gcloud \
  -v /path/to/context:/workspace \
  registry.cn-hongkong.aliyuncs.com/cmi/kaniko-project_executor:latest \
  --dockerfile /workspace/Dockerfile \
  --destination "$PROJECT_ID/$IMAGE_NAME:$TAG" \
  --context dir:///workspace/

dockerhub

cat <<JSON > config.json { "auths": { "https://index.docker.io/v1/": { "auth": "$(echo -n $USER:$PASSWORD | base64)" } } } JSON
docker run --rm -it $PWD/config:/kaniko/.docker/config.json --destination=yourimagename

• https://github.com/GoogleContainerTools/kaniko/issues/1209

Parameters

• Additional Flags

FAQ

Performance issues

• https://github.com/GoogleContainerTools/kaniko/issues/875 Kaniko build’s performance much slower comparing with DID solution

The copy root directory is abnormally blocked

FROM alpine:3.11 as rootfs
RUN echo 7777

FROM alpine:3.11
#  Blocking 
COPY --from=rootfs / /sysroot/
# Workaround https://github.com/GoogleContainerTools/kaniko/issues/960
COPY --from=rootfs /rootfs/ /sysroot/

• https://github.com/GoogleContainerTools/kaniko/issues/960

snapshot Blocking

• https://github.com/GoogleContainerTools/kaniko/issues/970

Reference link ：https://wener.me/notes/devops/container/kaniko