Building images with kaniko & Kubernetes
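1. What is kaniko
kaniko is a tool for building container images from a Dockerfile inside a container or a Kubernetes cluster.
kaniko does not depend on a Docker daemon; it executes each command in the Dockerfile entirely in userspace. This makes it possible to build container images in environments that cannot easily or safely run a Docker daemon, such as a standard Kubernetes cluster.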
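2. How kaniko works
- 1. Read the specified Dockerfile.
- 2. Extract the base image (specified in the FROM instruction) into the container filesystem.
- 3. Run each command in the Dockerfile separately.
- 4. After each run, take a snapshot of the userspace filesystem.
- 5. On each run, append the snapshot layer to the base layer.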
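3. Working principle
kaniko runs as a container image that takes three arguments: a Dockerfile, a build context, and the registry to push the image to. It extracts the base image's filesystem inside the executor image. It then executes each command in the Dockerfile and snapshots the filesystem in userspace. After each command, kaniko appends a layer of changed files to the base image. Finally, the executor pushes the new image to the specified registry. Because kaniko performs all of these operations in the userspace of the executor image, it avoids needing any privileged access on the user's machine.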
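The snapshot-and-append cycle described in sections 2 and 3, as a simplified model. This is an added example, not code from the original article or from the kaniko project; the step callables, directory names and file contents are constructed stand-ins for Dockerfile commands and a base image.

```python
import hashlib, io, os, tarfile, tempfile
from pathlib import Path

def snapshot(root):
    """Map each relative file path under root to the SHA-256 of its content."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}

def build_layer(root, before, after):
    """Return tar bytes with added/changed files plus markers for deleted ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in sorted(after):
            if before.get(path) != after[path]:
                tar.add(os.path.join(root, path), arcname=path)
        for path in sorted(set(before) - set(after)):
            head, tail = os.path.split(path)
            # Empty ".wh.<name>" entry: the OCI layer convention for a deleted file.
            tar.addfile(tarfile.TarInfo(os.path.join(head, ".wh." + tail)))
    return buf.getvalue()

def run_steps(root, steps):
    """Run each step (stand-in for one Dockerfile command) and emit one layer per step."""
    layers, state = [], snapshot(root)
    for step in steps:
        step(root)
        new_state = snapshot(root)
        layers.append(build_layer(root, state, new_state))
        state = new_state
    return layers

def demo():
    """Constructed input: a one-file 'base image' and two fake commands."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "html"))
        with open(os.path.join(root, "html", "index.html"), "w") as fh:
            fh.write("base image page")
        def rename_index(r):  # stands in for: RUN mv .../index.html .../old-index.html
            os.rename(os.path.join(r, "html", "index.html"),
                      os.path.join(r, "html", "old-index.html"))
        def copy_site(r):     # stands in for: COPY --from=build /src/public ...
            with open(os.path.join(r, "html", "index.html"), "w") as fh:
                fh.write("built site")
        layers = run_steps(root, [rename_index, copy_site])
        return [tarfile.open(fileobj=io.BytesIO(l)).getnames() for l in layers]

if __name__ == "__main__":
    print(demo())
```

Each layer holds only what its step changed, which is why no daemon or privileged mount is needed to produce it.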
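4. kaniko build context
kaniko's build context is very similar to the build context you would send to the Docker daemon for an image build; it represents a directory containing a Dockerfile, which kaniko uses to build your image. For example, a COPY command in the Dockerfile should refer to a file in the build context.
You need to store the build context somewhere kaniko can access it. When running kaniko, use the --context flag with the appropriate prefix to specify the location of the build context:
Note on Local Directory: this option refers to a directory inside the kaniko container. If you want to use this option, you need to mount your build context into the container as a directory.
Note on Local Tar: this option refers to a tar gz file inside the kaniko container. If you want to use this option, you need to mount your build context into the container as a file.
Note on Standard Input: the only standard input kaniko allows is in .tar.gz format.
If you use a GCS or S3 bucket, you first need to create a compressed tar of the build context and upload it to your bucket. Once running, kaniko downloads and unpacks the compressed tar of the build context before starting the image build.
To create the compressed tar, you can run:
tar -C <path to build context> -zcvf context.tar.gz .
Then copy the compressed tar into your bucket. For example, we can use gsutil to copy the compressed tar to a GCS bucket:
gsutil cp context.tar.gz gs://<bucket name>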
5. Preparation
6. Download kaniko-demo
$ mkdir /root/kaniko && cd /root/kaniko
$ git clone https://github.com/Ghostwritten/kaniko-demo.git
$ cd kaniko-demo
7. The common docker build approach
$ cat Dockerfile
FROM klakegg/hugo:0.78.2-alpine AS build
RUN apk add -U git
COPY . /src
RUN make init
RUN make build

FROM nginx:1.19.4-alpine
RUN mv /usr/share/nginx/html/index.html /usr/share/nginx/html/old-index.html
COPY --from=build /src/public /usr/share/nginx/html
EXPOSE 80
docker build is the most common way to build an image.
$ docker build --tag devops-toolkit .
Sending build context to Docker daemon 18.24MB
Step 1/9 : FROM klakegg/hugo:0.78.2-alpine AS build
 ---> 5729af47368d
Step 2/9 : RUN apk add -U git
 ---> Running in db30d5d0eb9c
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/community/x86_64/APKINDEX.tar.gz
(1/7) Installing ca-certificates (20191127-r4)
(2/7) Installing nghttp2-libs (1.41.0-r0)
(3/7) Installing libcurl (7.79.1-r0)
(4/7) Installing expat (2.2.9-r1)
(5/7) Installing pcre2 (10.35-r0)
(6/7) Installing git (2.26.3-r0)
(7/7) Installing git-bash-completion (2.26.3-r0)
Executing busybox-1.31.1-r19.trigger
Executing ca-certificates-20191127-r4.trigger
OK: 30 MiB in 30 packages
Removing intermediate container db30d5d0eb9c
 ---> 576762099db7
Step 3/9 : COPY . /src
 ---> 1c3e3ef910a4
Step 4/9 : RUN make init
 ---> Running in ff17237c7169
git submodule init
Submodule 'themes/forty' (https://github.com/MarcusVirg/forty) registered for path 'themes/forty'
git submodule update
Cloning into '/src/themes/forty'...
Submodule path 'themes/forty': checked out 'dccea57bd2ed194942080d650671b47b6df4183c'
cp content/img/banner.jpg themes/forty/static/img/.
Removing intermediate container ff17237c7169
 ---> 32545a924c20
Step 5/9 : RUN make build
 ---> Running in d8e1b856a983
hugo
Start building sites …
                   | EN
-------------------+-----
  Pages            | 19
  Paginator pages  | 0
  Non-page files   | 24
  Static files     | 97
  Processed images | 0
  Aliases          | 0
  Sitemaps         | 1
  Cleaned          | 0
Total in 98 ms
Removing intermediate container d8e1b856a983
 ---> 9d667ded40c1
Step 6/9 : FROM nginx:1.19.4-alpine
1.19.4-alpine: Pulling from library/nginx
188c0c94c7c5: Already exists
0ca72de6f957: Pull complete
9dd8e8e54998: Pull complete
f2dc206a393c: Pull complete
85defa007a8b: Pull complete
Digest: sha256:9b22bb6d703d52b079ae4262081f3b850009e80cd2fc53cdcb8795f3a7b452ee
Status: Downloaded newer image for nginx:1.19.4-alpine
 ---> e5dcd7aa4b5e
Step 7/9 : RUN mv /usr/share/nginx/html/index.html /usr/share/nginx/html/old-index.html
 ---> Running in 6b8ba00cb3ac
Removing intermediate container 6b8ba00cb3ac
 ---> 3824704d7e36
Step 8/9 : COPY --from=build /src/public /usr/share/nginx/html
 ---> cf9e66eb77bd
Step 9/9 : EXPOSE 80
 ---> Running in 3599fcdb4646
Removing intermediate container 3599fcdb4646
 ---> 04a5e24fa53e
Successfully built 04a5e24fa53e
Successfully tagged devops-toolkit:latest
8. Verifying what docker needs in order to build an image
We create a pod running the docker image and try to build an image inside the container.
$ cat docker.yaml
---
apiVersion: v1
kind: Pod
metadata:
  name: docker
spec:
  containers:
  - name: docker
    image: docker
    args: ["sleep", "10000"]
  restartPolicy: Never
Create a pod named docker:
$ kubectl apply --filename docker.yaml
pod/docker created
# wait
$ kubectl wait --for condition=containersready pod docker
pod/docker condition met
# check
$ kubectl get pods
NAME     READY   STATUS    RESTARTS   AGE
docker   1/1     Running   0          111s
$ kubectl exec -ti docker -- sh
/ # apk add -U git
fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/community/x86_64/APKINDEX.tar.gz
(1/6) Installing brotli-libs (1.0.9-r5)
(2/6) Installing nghttp2-libs (1.43.0-r0)
(3/6) Installing libcurl (7.79.1-r0)
(4/6) Installing expat (2.4.1-r0)
(5/6) Installing pcre2 (10.36-r0)
(6/6) Installing git (2.32.0-r0)
Executing busybox-1.33.1-r6.trigger
OK: 23 MiB in 28 packages
/ # git clone https://github.com/vfarcic/kaniko-demo.git
Cloning into 'kaniko-demo'...
remote: Enumerating objects: 193, done.
remote: Counting objects: 100% (193/193), done.
remote: Compressing objects: 100% (154/154), done.
remote: Total 193 (delta 36), reused 189 (delta 32), pack-reused 0
Receiving objects: 100% (193/193), 5.92 MiB | 6.96 MiB/s, done.
Resolving deltas: 100% (36/36), done.
/ # cd kaniko-demo
/kaniko-demo # docker image build --tag devops-toolkit .
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
/kaniko-demo # exit
$ kubectl delete -f docker.yaml
The result confirms that without /var/run/docker.sock the build cannot run.
9. Verifying a build approach that works inside a docker container
Next, mount the host's /var/run/docker.sock into the container and try again.
$ cat docker-socket.yaml
---
apiVersion: v1
kind: Pod
metadata:
  name: docker
spec:
  containers:
  - name: docker
    image: docker
    args: ["sleep", "10000"]
    volumeMounts:
    - mountPath: /var/run/docker.sock
      name: docker-socket
  restartPolicy: Never
  volumes:
  - name: docker-socket
    hostPath:
      path: /var/run/docker.sock
Create the pod named docker again:
$ kubectl apply -f docker-socket.yaml
$ kubectl get pods
NAME     READY   STATUS    RESTARTS   AGE
docker   1/1     Running   0          5s
# enter the container
$ kubectl exec -ti docker -- sh
# install git
/ # apk add -U git
fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/community/x86_64/APKINDEX.tar.gz
(1/6) Installing brotli-libs (1.0.9-r5)
(2/6) Installing nghttp2-libs (1.43.0-r0)
(3/6) Installing libcurl (7.79.1-r0)
(4/6) Installing expat (2.4.1-r0)
(5/6) Installing pcre2 (10.36-r0)
(6/6) Installing git (2.32.0-r0)
Executing busybox-1.33.1-r6.trigger
OK: 23 MiB in 28 packages
# download kaniko-demo
/ # git clone https://github.com/vfarcic/kaniko-demo.git
Cloning into 'kaniko-demo'...
remote: Enumerating objects: 193, done.
remote: Counting objects: 100% (193/193), done.
remote: Compressing objects: 100% (154/154), done.
remote: Total 193 (delta 36), reused 189 (delta 32), pack-reused 0
Receiving objects: 100% (193/193), 5.92 MiB | 1.40 MiB/s, done.
Resolving deltas: 100% (36/36), done.
# build the image inside the docker pod
/kaniko-demo # docker image build --tag devops-toolkit .
Sending build context to Docker daemon 17.46MB
Step 1/9 : FROM klakegg/hugo:0.78.2-alpine AS build
 ---> 5729af47368d
Step 2/9 : RUN apk add -U git
 ---> Using cache
 ---> 576762099db7
Step 3/9 : COPY . /src
 ---> ebc824abfb73
Step 4/9 : RUN make init
 ---> Running in 09c194a5e09c
git submodule init
Submodule 'themes/forty' (https://github.com/MarcusVirg/forty) registered for path 'themes/forty'
git submodule update
Cloning into '/src/themes/forty'...
Submodule path 'themes/forty': checked out 'dccea57bd2ed194942080d650671b47b6df4183c'
cp content/img/banner.jpg themes/forty/static/img/.
Removing intermediate container 09c194a5e09c
 ---> 53a8ae3671db
Step 5/9 : RUN make build
 ---> Running in 621916c3c908
hugo
Start building sites …
                   | EN
-------------------+-----
  Pages            | 19
  Paginator pages  | 0
  Non-page files   | 24
  Static files     | 97
  Processed images | 0
  Aliases          | 0
  Sitemaps         | 1
  Cleaned          | 0
Total in 168 ms
Removing intermediate container 621916c3c908
 ---> 23802d60ff30
Step 6/9 : FROM nginx:1.19.4-alpine
 ---> e5dcd7aa4b5e
Step 7/9 : RUN mv /usr/share/nginx/html/index.html /usr/share/nginx/html/old-index.html
 ---> Using cache
 ---> 20bef7997cf5
Step 8/9 : COPY --from=build /src/public /usr/share/nginx/html
 ---> Using cache
 ---> 09c4165acba5
Step 9/9 : EXPOSE 80
 ---> Using cache
 ---> d31aae51a63a
Successfully built d31aae51a63a
Successfully tagged devops-toolkit:latest
# log in to the docker.io registry
/kaniko-demo # docker login docker.io
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: ghostwritten
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
# push the image to the registry
/kaniko-demo # docker tag devops-toolkit:latest docker.io/ghostwritten/devops-toolkit:latest
/kaniko-demo # docker pull docker.io/ghostwritten/devops-toolkit:latest
latest: Pulling from ghostwritten/devops-toolkit
Digest: sha256:f8255a312bc2cdcefa118b21f2f4f67877e7031426e2b96505e2a5a29fd6d8a0
Status: Image is up to date for ghostwritten/devops-toolkit:latest
docker.io/ghostwritten/devops-toolkit:latest
/kaniko-demo # exit
$ kubectl delete -f docker-socket.yaml
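This time, we built the image inside the docker pod and pushed it to the docker.io registry. Note that mounting the host's /var/run/docker.sock gives the container control of the node's Docker daemon, which is exactly the kind of privileged access that kaniko is designed to avoid.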
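A check for pods that mount the Docker socket the way docker-socket.yaml does, written for the JSON that `kubectl get pods -A -o json` prints. This is an added example, not code from the original article; the function names, the second socket path and the sample pod list are constructed for illustration.

```python
import json

# Assumption: these are the socket locations worth flagging on a node.
SOCKET_PATHS = ("/var/run/docker.sock", "/run/docker.sock")

def exposes_socket(host_path):
    """True if a hostPath is a Docker socket or a directory that contains one."""
    base = host_path.rstrip("/")
    return any(s == base or s.startswith(base + "/") for s in SOCKET_PATHS)

def scan_pod(pod):
    """Return (pod, container, hostPath) for every socket mount in one Pod object."""
    spec = pod.get("spec", {})
    risky = {}
    for vol in spec.get("volumes", []):
        path = (vol.get("hostPath") or {}).get("path")
        if path and exposes_socket(path):
            risky[vol["name"]] = path
    meta = pod.get("metadata", {})
    pod_id = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            if m.get("name") in risky:
                findings.append((pod_id, c["name"], risky[m["name"]]))
    return findings

def scan(doc):
    """Accept a single Pod or a List as printed by kubectl with -o json."""
    return [f for pod in doc.get("items", [doc]) for f in scan_pod(pod)]

# Constructed sample: the section 9 pod plus a pod without the mount.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"metadata": {"name": "docker"},
  "spec": {"containers": [{"name": "docker", "image": "docker",
     "volumeMounts": [{"mountPath": "/var/run/docker.sock", "name": "docker-socket"}]}],
   "volumes": [{"name": "docker-socket", "hostPath": {"path": "/var/run/docker.sock"}}]}},
 {"metadata": {"name": "docker-nosocket"},
  "spec": {"containers": [{"name": "docker", "image": "docker"}]}}
]}
""")

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print("docker socket mounted:", finding)
```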
Next, we use the kaniko tool to automate the process above.