Building with Kaniko

kaniko is a tool for building container images from a Dockerfile, inside a container or a Kubernetes cluster.

kaniko does not depend on a Docker daemon and executes every command in the Dockerfile entirely in userspace. This makes it possible to build container images in environments where a Docker daemon cannot easily or safely be run, such as a standard Kubernetes cluster.

The kaniko executor image is responsible for building an image from a Dockerfile and pushing it to a registry. Inside the executor image, the filesystem of the base image (the FROM image in the Dockerfile) is extracted. The commands in the Dockerfile are then executed, and after each command the filesystem is snapshotted in userspace. After each command, a layer containing the changed files (if any) is appended to the base image and the image metadata is updated.

Another option for building on kubernetes is docker in docker: mount the host's /var/run/docker.sock into the pod and run the build with the host's Docker daemon. But docker in docker has to run in privileged mode, which introduces a security risk.

Running kaniko in Docker

# mkdir app && cd app
# vim Dockerfile
FROM 192.168.100.100/library/alpine:3.9
WORKDIR /app
RUN echo "hello" > world.txt
# docker run --env DOCKER_CONFIG=/kaniko -v /root/app:/workspace -v /etc/pki/ca-trust/source/anchors/harbor-ca.pem:/kaniko/ssl/certs/ca.pem -v /root/.docker/config.json:/kaniko/config.json 192.168.100.100/k8s.gcr.io/executor:debug -d 192.168.100.100/library/test:test
INFO[0000] Downloading base image 192.168.100.100/library/alpine:3.9
INFO[0000] Error while retrieving image from cache: getting file info: stat /cache/sha256:25b4d910f4b76a63a3b45d0f69a57c34157500faf6087236581eca221c62d214: no such file or directory
INFO[0000] Downloading base image 192.168.100.100/library/alpine:3.9
INFO[0000] Unpacking rootfs as cmd RUN echo "hello" > world.txt requires it.
INFO[0002] Taking snapshot of full filesystem...
INFO[0002] RUN echo "hello" > world.txt
INFO[0002] cmd: /bin/sh
INFO[0002] args: [-c echo "hello" > world.txt]
INFO[0002] Taking snapshot of full filesystem...
2019/03/08 15:35:14 existing blob: sha256:6c40cc604d8e4c121adcb6b0bfe8bb038815c350980090e74aa5a6423f8f82c0
2019/03/08 15:35:14 pushed blob sha256:4c1586bb248bd4662909b9c520aec7d405ba28f72be717bda7f906328ba93ed2
2019/03/08 15:35:14 pushed blob sha256:acf567dd059c0c462de4ef165221491959c8195b5777a7f87bdd9de7fc939bea
2019/03/08 15:35:14 192.168.100.100/library/test:test: digest: sha256:c430406eda9f80eed55c12625585bb7da6947edd0332bf559a9514d7d8328601 size: 588
# docker run -it 192.168.100.100/library/test:test cat /app/world.txt
hello

Note 1:

  • --env DOCKER_CONFIG=/kaniko: sets the DOCKER_CONFIG environment variable so that kaniko looks for config.json under /kaniko
  • -v /root/app:/workspace: mounts the /root/app directory as the build context at /workspace
  • -v /etc/pki/ca-trust/source/anchors/harbor-ca.pem:/kaniko/ssl/certs/ca.pem: mounts the private registry's CA certificate under /kaniko/ssl/certs/
  • -v /root/.docker/config.json:/kaniko/config.json: mounts the docker config file under /kaniko
  • 192.168.100.100/k8s.gcr.io/executor:debug: runs the kaniko container (a mirror of gcr.io/kaniko-project/executor)
  • -d 192.168.100.100/library/test:test: the destination image to push

Note 2: With the open-source registry harbor, the image does not show up in the UI after the push. With public clouds, since each uses its own authentication scheme, the push may fail: hub.docker.com and Alibaba Cloud Container Registry both accept the push, while NetEase Cloud's image registry rejects it with "no token in bearer response:
{"errors":[{"code":"DENIED","message":"Real name authentication required"}]}".

Running kaniko in Kubernetes

Example Dockerfile

# vim Dockerfile 
FROM 192.168.100.100/library/alpine:3.9
WORKDIR /app
RUN echo "hello" > world.txt

Mounting the harbor registry CA certificate

# kubectl create configmap ca-certificates --from-file=/etc/pki/ca-trust/source/anchors/harbor-ca.pem
configmap/ca-certificates created

Mounting the docker config file

# kubectl create configmap docker-config --from-file=/root/.docker/config.json 
configmap/docker-config created

Writing the yaml file

# vim kaniko.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: kaniko
spec:
  restartPolicy: Never
  initContainers:
  - name: git-clone
    image: alpine/git
    args:
    - clone
    - --single-branch
    - --
    - https://github.com/zhijiansd/gityun.git
    - /context
    volumeMounts:
    - name: context
      mountPath: /context

  containers:
  - name: kaniko
    image: registry.cn-hangzhou.aliyuncs.com/gityun/executor:debug
    args: ["--dockerfile=/context/Dockerfile",
           "--context=/context",
           "--destination=192.168.100.100/library/test:test"]
    volumeMounts:
    - name: ca-certificates
      mountPath: /kaniko/ssl/certs/
    - name: docker-config
      mountPath: /kaniko/.docker/
    - name: context
      mountPath: /context
  volumes:
  - name: ca-certificates
    configMap:
      name: ca-certificates
  - name: docker-config
    configMap:
      name: docker-config
  - name: context
    emptyDir: {}

Note:

  • An init container using the "alpine/git" image clones the project and mounts it as the context, handing the code to the kaniko container for the build
  • ConfigMaps are used to mount harbor's CA certificate and the docker config file config.json into kaniko
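The docker config.json that both the docker run above (via DOCKER_CONFIG=/kaniko) and the pod above (via the docker-config ConfigMap) hand to kaniko holds the registry credential. As an added example that is not part of the original post, the script below generates that file for one registry and checks it, and shows in comments how to carry it as a Secret rather than a ConfigMap; the user name and password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the config.json that
# kaniko reads from DOCKER_CONFIG (/kaniko in the docker run above, /kaniko/.docker
# in the executor image) and checks that it carries an entry for the registry.

# make_docker_config REGISTRY USER PASSWORD -> prints config.json on stdout.
# docker and kaniko expect "auth" to be base64("user:password").
make_docker_config() {
  registry=$1; user=$2; pass=$3
  auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$registry" "$auth"
}

# check_docker_config FILE REGISTRY -> 0 if FILE has an auths entry for REGISTRY
check_docker_config() {
  grep -q "\"auths\":{\"$2\":" "$1"
}

# Example run with the registry from the post and constructed credentials
tmp=$(mktemp)
make_docker_config 192.168.100.100 kaniko-push 'example-password' > "$tmp"
chmod 600 "$tmp"   # the file is a credential: keep it owner-readable only
check_docker_config "$tmp" 192.168.100.100 && echo "config ok: $tmp"

# The post stores this file in a ConfigMap, which is not treated as sensitive
# data by Kubernetes. Storing it as a Secret keeps the same file name and mount
# path, so kaniko.yaml only needs the volume source changed:
#   kubectl create secret generic docker-config --from-file=config.json="$tmp"
# and in the volumes section replace
#   configMap:
#     name: docker-config
# with
#   secret:
#     secretName: docker-config
```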

Run and check

# kubectl create -f kaniko.yaml 
pod/kaniko created
# kubectl get pod|grep kaniko
kaniko 0/1 Completed 0 29s
# kubectl logs kaniko
INFO[0000] Downloading base image 192.168.100.100/library/alpine:3.9
INFO[0000] Error while retrieving image from cache: getting file info: stat /cache/sha256:25b4d910f4b76a63a3b45d0f69a57c34157500faf6087236581eca221c62d214: no such file or directory
INFO[0000] Downloading base image 192.168.100.100/library/alpine:3.9
INFO[0001] Unpacking rootfs as cmd RUN echo "hello" > world.txt requires it.
INFO[0002] Taking snapshot of full filesystem...
INFO[0002] WORKDIR /app
INFO[0002] cmd: workdir
INFO[0002] Changed working directory to /app
INFO[0002] Creating directory /app
INFO[0002] Taking snapshot of files...
INFO[0002] RUN echo "hello" > world.txt
INFO[0002] cmd: /bin/sh
INFO[0002] args: [-c echo "hello" > world.txt]
INFO[0002] Taking snapshot of full filesystem...
2019/03/10 08:06:41 existing blob: sha256:6c40cc604d8e4c121adcb6b0bfe8bb038815c350980090e74aa5a6423f8f82c0
2019/03/10 08:06:41 pushed blob sha256:a45d1670e71fec26e7147195023edc9fd26f93bbd4412fea4998528122ea43a0
2019/03/10 08:06:41 pushed blob sha256:a04e0385010a9eedddbdd6ddca8e90725d0b981fb7954948af67b538c781727f
2019/03/10 08:06:41 pushed blob sha256:e67312291a1a10d69480c1dd22c9af51a659e48ae07ba8221877397fd74e51fe
2019/03/10 08:06:41 192.168.100.100/library/test:test: digest: sha256:5c3d933724e54a605f84a233eccb95e00c1870f02f213de2157b7d143686edba size: 748

Note:

  • About the cache error in the log: I added the relevant flags from the official documentation, but the error still appears; it does not matter, though, the image is still pushed to harbor
  • When building to harbor from kubernetes, the image still does not show up in the UI, but it can be pulled
  • For public clouds, none could be pushed to; the error is "connect: connection refused"
  • So in the end this is a half-finished result and not much use, but I tried it, so I am writing it down as a record
