Possible to add kaniko to alpine image or add jq to kaniko image

This is how I use kaniko to build Docker images in my GitLab CI, and it works well.

But I need to read a JSON file to get some values. Therefore I need access to jq.

.gitlab-ci.yml

deploy:
  stage: deployment
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    - mkdir -p /kaniko/.docker
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"auth\":\"$(echo -n ${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD} | base64)\"}}}" > /kaniko/.docker/config.json
    - |
      /kaniko/executor \
        --context $CI_PROJECT_DIR \
        --dockerfile $CI_PROJECT_DIR/app/Dockerfile \
        --destination $CI_REGISTRY_IMAGE/app:latest
    - jq # <- Is not working, as jq is not installed

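Is it possible to add jq to the image, to avoid installing it again every time in this stage?

In all other stages I use my own alpine image, to which I have added everything I need in my CI pipeline. So another option would be to add kaniko to this image, if that is possible. That would result in one image that has all the needed utilities.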

Dockerfile

FROM alpine:3.14.2

RUN apk --update add \
  bash \
  curl \
  git \
  jq \
  npm
RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.21.4/bin/linux/amd64/kubectl
RUN chmod u+x kubectl && mv kubectl /bin/kubectl
# Add kaniko to this image??

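The official Kaniko Docker image is built from scratch using standalone Go binaries (see Dockerfile from Kaniko's GitHub repository). You can re-use the same binaries from the official image and copy them into your image, for example: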

# Use this FROM instruction as a shortcut to use COPY --from=kaniko below
# It's also possible to use COPY --from=gcr.io/kaniko-project/executor directly
FROM gcr.io/kaniko-project/executor AS kaniko

FROM alpine:3.14.2

RUN apk --update add \
  bash \
  curl \
  git \
  jq \
  npm
RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.21.4/bin/linux/amd64/kubectl
RUN chmod u+x kubectl && mv kubectl /bin/kubectl

#
# Add kaniko to this image by re-using binaries and steps from official image
#
COPY --from=kaniko /kaniko/executor /kaniko/executor
COPY --from=kaniko /kaniko/docker-credential-gcr /kaniko/docker-credential-gcr
COPY --from=kaniko /kaniko/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
COPY --from=kaniko /kaniko/docker-credential-acr /kaniko/docker-credential-acr
COPY --from=kaniko /etc/nsswitch.conf /etc/nsswitch.conf
COPY --from=kaniko /kaniko/.docker /kaniko/.docker

ENV PATH $PATH:/usr/local/bin:/kaniko
ENV DOCKER_CONFIG /kaniko/.docker/
ENV DOCKER_CREDENTIAL_GCR_CONFIG /kaniko/.config/gcloud/docker_credential_gcr_config.json

EDIT: for the debug image, the Dockerfile would be:

FROM gcr.io/kaniko-project/executor:debug AS kaniko

FROM alpine:3.14.2

RUN apk --update add \
  bash \
  curl \
  git \
  jq \
  npm
RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.21.4/bin/linux/amd64/kubectl
RUN chmod u+x kubectl && mv kubectl /bin/kubectl

#
# Add kaniko to this image by re-using binaries and steps from official image
#
COPY --from=kaniko /kaniko/ /kaniko/
COPY --from=kaniko /kaniko/warmer /kaniko/warmer
COPY --from=kaniko /kaniko/docker-credential-gcr /kaniko/docker-credential-gcr
COPY --from=kaniko /kaniko/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
COPY --from=kaniko /kaniko/docker-credential-acr /kaniko/docker-credential-acr
COPY --from=kaniko /kaniko/.docker /kaniko/.docker
COPY --from=busybox:1.32.0 /bin /busybox

ENV PATH $PATH:/usr/local/bin:/kaniko:/busybox
ENV DOCKER_CONFIG /kaniko/.docker/
ENV DOCKER_CREDENTIAL_GCR_CONFIG /kaniko/.config/gcloud/docker_credential_gcr_config.json

Note that you need to use gcr.io/kaniko-project/executor:debug (for the latest version) or gcr.io/kaniko-project/executor:v1.6.0-debug as the source (or another tag).

Tested building a small image, and it seems to work fine:

# Built above example with docker build . -t kaniko-alpine
# And ran container with docker run -it kaniko-alpine sh
echo "FROM alpine" > Dockerfile
echo "RUN echo hello" >> Dockerfile
echo "COPY Dockerfile Dockerfile" >> Dockerfile

executor version
executor -c . --no-push

# Output like:
#
# Kaniko version :  v1.6.0
#
# INFO[0000] Retrieving image manifest alpine             
# INFO[0000] Retrieving image alpine from registry index.docker.io 
# INFO[0000] GET KEYCHAIN                                 
# [...] 
# INFO[0001] RUN echo hello                               
# INFO[0001] Taking snapshot of full filesystem...        
# INFO[0001] cmd: /bin/sh                                 
# INFO[0001] args: [-c echo hello]                        
# INFO[0001] Running: [/bin/sh -c echo hello]             
# [...]

Note that using the Kaniko binaries outside of their official image is not recommended, even though it may still work fine:

kaniko is meant to be run as an image: gcr.io/kaniko-project/executor. We do not recommend running the kaniko executor binary in another image, as it might not work.
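
Added example (not part of the question or either answer): with jq available in the combined image, the job script can build the registry auth file with jq rather than a hand-escaped `echo`, and read a value from a JSON file for the image tag. `app/package.json`, its `.version` key and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original posts. Assumes the combined
# alpine + kaniko image above (jq and /kaniko/executor both on PATH).

# Print a Docker auth config for one registry. jq does the JSON quoting;
# tr strips the line breaks base64 inserts into long encoded values.
write_docker_auth() {  # args: registry user password
  auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
  jq -n --arg registry "$1" --arg auth "$auth" \
    '{auths: {($registry): {auth: $auth}}}'
}

# Print one value from a JSON file; -e makes jq exit non-zero when the
# result is null or false, so a missing key fails the job instead of
# producing an image tagged "null".
read_field() {  # args: file jq-filter
  jq -er "$2" "$1"
}

# Hypothetical job step: app/package.json and its .version key are
# assumptions, substitute the JSON file the pipeline actually reads.
build_and_push() {
  ( umask 077   # keep the credential file private to the job user
    mkdir -p /kaniko/.docker
    write_docker_auth "$CI_REGISTRY" "$CI_REGISTRY_USER" \
      "$CI_REGISTRY_PASSWORD" > /kaniko/.docker/config.json ) || return 1
  version=$(read_field "$CI_PROJECT_DIR/app/package.json" '.version') || return 1
  /kaniko/executor \
    --context "$CI_PROJECT_DIR" \
    --dockerfile "$CI_PROJECT_DIR/app/Dockerfile" \
    --destination "$CI_REGISTRY_IMAGE/app:$version"
}
```

Source the file from the job's `script:` section and call `build_and_push`.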

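I had the same need, as the image will be used as the base for jobs in GitLab CI. I had to make a few small modifications to get it to work. If it helps, here is my version (kubectl is not needed in my case; I only needed to run kaniko and vault in the same container):

  • Added libcap to work around this issue: only safe when not using vault as a server.
  • Added the missing environment variable SSL_CERT_DIR
  • Removed Busybox (no longer needed, since we are running in an Alpine container)
  • Optional kaniko executor entrypoint
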
FROM gcr.io/kaniko-project/executor:debug AS kaniko
FROM alpine:3.14.2

RUN apk --update add jq vault libcap
RUN setcap cap_ipc_lock= /usr/sbin/vault

COPY --from=kaniko /kaniko/ /kaniko/

ENV PATH $PATH:/usr/local/bin:/kaniko
ENV DOCKER_CONFIG /kaniko/.docker/
ENV DOCKER_CREDENTIAL_GCR_CONFIG /kaniko/.config/gcloud/docker_credential_gcr_config.json
ENV SSL_CERT_DIR /kaniko/ssl/certs

#ENTRYPOINT ["/kaniko/executor"]