Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Considered using Kaniko? #46

Open
f0o opened this issue Nov 23, 2020 · 12 comments
Open

Considered using Kaniko? #46

f0o opened this issue Nov 23, 2020 · 12 comments

Comments

@f0o
Copy link

f0o commented Nov 23, 2020

Kaniko supports building images without requiring privileged mode.

https://github.com/GoogleContainerTools/kaniko
@vito
Copy link
Member

vito commented Nov 23, 2020

Yep! Just haven't had time to dig into this yet. It may also be possible to use it to resolve #1. Some context here: concourse/docker-image-resource#190 (comment)

@jmccann
Copy link
Contributor

jmccann commented Nov 25, 2020

I've used kaniko and ran into multiple issues where a Dockerfile that works with docker build didn't work with kaniko. This meant updating the Dockerfile to workaround kaniko bugs. Last I tried kaniko was several months ago. So I'd personally suggest not using it based on my own recent experience.

@f0o
Copy link
Author

f0o commented Nov 26, 2020

@jmccann Can you disclose the Dockerfile that needed hacks? I havent experienced any of those incompatibilities. Using it for almost a year now on the daily for many images

@jmccann
Copy link
Contributor

jmccann commented Nov 28, 2020

@f0o I don't have an example readily available as I've given up for a few months and would have to go back and dig into and/or try again. Also not sure I'm at liberty to share.

But I will say personally I've ran into about 3 separate Dockerfiles I tried to convert to using kaniko that I ran into issues with. I've personally had about a 50% success rate. I've seen others run into issues as well. I will say majority of people seem to be able to use it without issue. But I'm worried that multiple times things that work completely fine with docker build did not work with kaniko.

Unfortunately the cases I've ran into where there were issues with kaniko and not docker were not maybe "typical" builds. However, I wouldn't say they were complete weird edgecases either. But maybe not something that'd be easy to reproduce more generically quickly to share.

I would just say if you decide to move that direction be very aware of if/when people start opening issues for failed builds. 😄

@vito vito mentioned this issue Jan 4, 2021
Closed
vito added a commit that referenced this issue Jan 8, 2021
@vito
support using local image tarballs with FROM
bb2f5be 
This adds 'image args', configurable with IMAGE_ARG_* - similar to
BUILD_ARG_*, only the value points to an image tarball.

The image tarball will be loaded and served by a local registry, and a
reference to the image in the local registry will be provided as the
build arg.

To use this, you must modify your Dockerfile like so:

  ARG base_image=ubuntu
  FROM ${base_image}

Then, when running oci-build-task, specify:

  params:
    IMAGE_ARG_base_image: ubuntu/image.tar

This will remain forward compatible if we ever switch to Kaniko (#46),
which would also require using build args as Kaniko image caching
requires a full digest to be specified in FROM.

fixes #1
closes #2
closes #3
closes #14

Signed-off-by: Alex Suraci <[email protected]>
@vito vito mentioned this issue Jan 8, 2021
Merged
@marcaurele
Copy link

I've used kaniko and ran into multiple issues where a Dockerfile that works with docker build didn't work with kaniko. This meant updating the Dockerfile to workaround kaniko bugs. Last I tried kaniko was several months ago. So I'd personally suggest not using it based on my own recent experience.

? "Last I tried kaniko was several months ago" and "recent experience" from a single user and which are conflicting arguments IMO.

I'm surprised that a single comment without any clear example on the issue seems to block the change forward kaniko. Personally I've been using it for 1-2 years without any issue in all Dockefile. Being able to build without elevated privileges is worth the change.

@jmccann
Copy link
Contributor

jmccann commented May 6, 2021

I guess it could be considered conflicting 😆

I hope I'm not blocking (and don't think I am). I'm just giving my experience.

@vito
Copy link
Member

vito commented May 7, 2021

Definitely isn't blocking - if it was this would be closed. The only thing blocking this is the number of hours in the day and the fairly dramatic code change it would imply, which makes the barrier to entry pretty high for me. Anyone could create an alternative Kaniko-flavored image builder though; there's no monopoly.

@marcaurele
Copy link

I'm new to concourse and I already setup my build with kaniko without specifying a custom image, using the one from gcr.io. What is the added value of creating a custom one like this project on top of such a tool?

@kardashov
Copy link

@marcaurele could you share concourse build using kaniko container snippet here?
I'm trying to build image using private image from gcr.io/ as base image, then push resulting image back to gcr.io/ using kaniko container, but struggling to mount gcp_credentials.json file properly.

@marcaurele
Copy link

marcaurele commented Jul 22, 2022
edited

I do in 2 steps:

  1. Create the credentials file for the registry
  2. Build the image: tasks/build.yml
---
# Kaniko build: `--force` is required on concourse for unknown reason, otherwise
# it does not detect it's inside a container.
platform: linux

image_resource:
  type: registry-image
  source:
    repository: gcr.io/kaniko-project/executor
    tag: debug

params:
  BRANCH: dev
  PUSH:
  TAG_SUFFIX:

inputs:
  - name: repo
  - name: credentials
    optional: true

run:
  path: sh
  args:
    - -ecx
    - |
      CREDENTIALS_FILE=credentials/config.json
      test -f $CREDENTIALS_FILE && cp $CREDENTIALS_FILE /kaniko/.docker/config.json || echo "Missing credentials file!"
      FILE_SHORT_REF=repo/.git/short_ref
      git_short_ref=$(test -f $FILE_SHORT_REF && cat $FILE_SHORT_REF || echo "dev")
      FILE_REF=repo/.git/ref
      git_ref=$(test -f $FILE_REF && cat $FILE_REF || echo "dev")
      destination_flag=$(test -z $PUSH && echo "--no-push" || \
          echo "--destination $REPOSITORY:$git_short_ref$TAG_SUFFIX --destination $REPOSITORY:latest$TAG_SUFFIX")
      /kaniko/executor --force \
          --build-arg "version=$git_ref" \
          --single-snapshot \
          --label org.opencontainers.image.version=$BRANCH \
          --label org.opencontainers.image.revision=$git_ref \
          --label org.opencontainers.image.created=$(date -Iseconds -u) \
          --context repo/ \
          --skip-unused-stages \
          --target $IMAGE_TARGET \
          $destination_flag

@kardashov
Copy link

Thanks @marcaurele!
So the trick is to use DEBUG version on kaniko image which has shell installed https://github.com/GoogleContainerTools/kaniko#debug-image. Works great for me.
In fact, using kaniko in Concourse is so flexible and powerful that it deserves at least mentioning in this guide: https://concourse-ci.org/container-image-guides.html

@marcaurele
Copy link

I think this ticket can be closed as kaniko will require a large effort1 to provide multi-arch build, therefore it's not a good option to follow.

Footnotes

  1. https://github.com/GoogleContainerTools/kaniko/issues/786#issuecomment-1069377414

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@vito @marcaurele @jmccann @f0o @kardashov