在Google Cloud Build上使用Docker Buildkit

ibrsph3r 于 2024-01-06 发布在 Docker

关注(0)|答案(3)|浏览(180)

我尝试在Google Cloud Build上使用BuildKit和Docker，这样我最终可以使用--secret标志。我使用Build Enhancements for Docker作为参考。
它在我的笔记本电脑上工作时，我使用以下命令：DOCKER_BUILDKIT=1 docker build -t hello-world:latest .
当我在Cloud Build上运行它时，我得到错误“docker.io/docker/dockerfile:experimental not found”。
你知道如何在Cloud Build中使用它吗？
下面是设置（注意：我还没有使用--secret标志）：
Dockerfile：

#syntax=docker/dockerfile:experimental
FROM node:10.15.3-alpine
RUN mkdir -p /usr/src/app && \
    apk add --no-cache tini
WORKDIR /usr/src/app
COPY package*.json ./
RUN npm install --production
COPY . .
RUN chown -R node:node .
USER node
EXPOSE 8080
ENTRYPOINT ["/sbin/tini", "--"]
CMD [ "node", "index.js" ]

字符串
cloudbuild.yaml:

steps:
  - id: 'Build'
    name: 'gcr.io/cloud-builders/docker'
    args: [
      'build',
      '-t', 'gcr.io/$PROJECT_ID/hello-world:latest',
      '.'
    ]
    env:
      - "DOCKER_BUILDKIT=1"

型
云构建日志：

starting build "xxxx"
FETCHSOURCE
Fetching storage object: gs://xxxxx
Copying gs://xxxxx...
/ [0 files][ 0.0 B/ 15.3 KiB] 
/ [1 files][ 15.3 KiB/ 15.3 KiB] 
Operation completed over 1 objects/15.3 KiB. 
BUILD
Already have image (with digest): gcr.io/cloud-builders/docker
#2 [internal] load .dockerignore
#2 digest: sha256:3ce0de94c925587ad30afb764af9bef89edeb62eb891b99694aedb086ee53f50
#2 name: "[internal] load .dockerignore"
#2 started: 2019-07-24 03:21:49.153855989 +0000 UTC
#2 completed: 2019-07-24 03:21:49.195969197 +0000 UTC
#2 duration: 42.113208ms
#2 transferring context: 230B done
#1 [internal] load build definition from Dockerfile
#1 digest: sha256:82b0dcd17330313705522448d60a78d4565304d55c86f55b903b18877d612601
#1 name: "[internal] load build definition from Dockerfile"
#1 started: 2019-07-24 03:21:49.150042849 +0000 UTC
#1 completed: 2019-07-24 03:21:49.189628322 +0000 UTC
#1 duration: 39.585473ms
#1 transferring dockerfile: 445B done
#3 resolve image config for docker.io/docker/dockerfile:experimental
#3 digest: sha256:401713457b113a88eb75a6554117f00c1e53f1a15beec44e932157069ae9a9a3
#3 name: "resolve image config for docker.io/docker/dockerfile:experimental"
#3 started: 2019-07-24 03:21:49.210803849 +0000 UTC
#3 completed: 2019-07-24 03:21:49.361743084 +0000 UTC
#3 duration: 150.939235ms
#3 error: "docker.io/docker/dockerfile:experimental not found"
docker.io/docker/dockerfile:experimental not found
ERROR
ERROR: build step 0 "gcr.io/cloud-builders/docker" failed: exit status 1

型
笔记本电脑Docker版本：

Client: Docker Engine - Community
 Version:           18.09.2
 API version:       1.39
 Go version:        go1.10.8
 Git commit:        6247962
 Built:             Sun Feb 10 04:12:39 2019
 OS/Arch:           darwin/amd64
 Experimental:      false
Server: Docker Engine - Community
 Engine:
  Version:          18.09.2
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.6
  Git commit:       6247962
  Built:            Sun Feb 10 04:13:06 2019
  OS/Arch:          linux/amd64
  Experimental:     false

型
Cloud Build Docker版本：

Step #0 - "Version": Client:
Step #0 - "Version": Version: 18.09.7
Step #0 - "Version": API version: 1.39
Step #0 - "Version": Go version: go1.10.8
Step #0 - "Version": Git commit: 2d0083d
Step #0 - "Version": Built: Thu Jun 27 17:56:17 2019
Step #0 - "Version": OS/Arch: linux/amd64
Step #0 - "Version": Experimental: false
Step #0 - "Version": 
Step #0 - "Version": Server: Docker Engine - Community
Step #0 - "Version": Engine:
Step #0 - "Version": Version: 18.09.3
Step #0 - "Version": API version: 1.39 (minimum version 1.12)
Step #0 - "Version": Go version: go1.10.8
Step #0 - "Version": Git commit: 774a1f4
Step #0 - "Version": Built: Thu Feb 28 05:59:55 2019
Step #0 - "Version": OS/Arch: linux/amd64
Step #0 - "Version": Experimental: false

型
更新：我注意到我使用的是#syntax=docker/dockerfile：experimental，而链接的文章有#syntax=docker/dockerfile：1.0-experimental。当我使用1.0-experimental时，我得到了同样的错误。

docker

来源：https://stackoverflow.com/questions/57175062/using-docker-buildkit-on-google-cloud-build

3条答案

按热度按时间

fae0ux8s1#

当“registry-mirrors”选项与buildkit结合使用时，似乎存在一个问题，那么buildkit前端图像无法获取：
https://github.com/moby/moby/issues/39120
在构建之前提取它们似乎可以解决这个问题：

- name: 'gcr.io/cloud-builders/docker'
    args: ['pull', 'docker/dockerfile:experimental']
  - name: 'gcr.io/cloud-builders/docker'
    args: ['pull', 'docker/dockerfile:1.0-experimental']

字符串

赞(0）回复(0）举报 2024-01-06

uqzxnwby2#

我也遇到过类似的问题，并设法解决了这个问题。在gcr.io/cloud-builders/docker中使用docker buildkit是不可能的，相反，你必须在docker daemon中运行一个docker，然后在docker-compose中运行另一个docker build。
具体来说，你需要一个docker-compose.yml，它具有：

docker（docker daemon中的docker）
1.构建镜像的docker构建步骤（启用buildkit）
1.一个docker auth和push步骤，授权docker推送到gcr（你需要创建creds.json w/ service role w/ gcs权限，详见底部）
为了验证并推送到gcr，需要使用creds.json进行docker登录。查看详情：https://cloud.google.com/container-registry/docs/advanced-authentication

# deploy/app/docker-compose.yml
version: '3.7'
services:
  docker:
    image: "docker:18.09.9-dind"
    privileged: true
    volumes:
      - docker-certs-client:/certs/client
      - docker-certs-ca:/certs/ca
    expose:
      - 2376
    environment:
      - DOCKER_TLS_CERTDIR=/certs
    networks:
      - docker-in-docker-network
  docker-build:
    image: docker:18.09.9
    working_dir: /project
    command: build -t 'gcr.io/$PROJECT_ID/<image>:<tag>'
    privileged: true
    depends_on: 
      - docker
    volumes:
      - docker-certs-client:/certs/client:ro
      - ../../:/project
    environment:
      - DOCKER_TLS_CERTDIR=/certs
      - DOCKER_BUILDKIT=1
    networks:
      - docker-in-docker-network
  docker-push:
    image: docker:18.09.9
    working_dir: /project
    entrypoint: /bin/sh -c
    command: 
      - |
        cat creds.json | docker login -u _json_key --password-stdin https://gcr.io
        docker push 'gcr.io/$PROJECT_ID/<image>:<tag>'
    privileged: true
    depends_on: 
      - docker
    volumes:
      - docker-certs-client:/certs/client:ro
      - ../../:/project
    environment:
      - DOCKER_CERT_PATH=/certs/client
      - DOCKER_HOST=tcp://docker:2376
      - DOCKER_TLS_VERIFY=1
    networks:
      - docker-in-docker-network
volumes:
  docker-certs-ca:
  docker-certs-client:
networks:
  docker-in-docker-network:

字符串
在cloud-build.yaml中：
1.你需要先解密creds.json（必须先创建并加密）--详情：https://cloud.google.com/docs/authentication/getting-started（push步骤将使用该密钥授权docker登录到gcr）。
1.在daemon模式下从docker-compose运行一个docker daemon（这样它就不会阻止构建和推送步骤）
1.运行构建步骤docker-compose
1.在docker-compose中运行auth和push步骤。

# cloud-build.yaml
steps:
  # decrypt gcloud json secret
  - name: gcr.io/cloud-builders/gcloud
    args:
    - kms
    - decrypt
    - --ciphertext-file=deploy/app/creds.json.enc
    - --plaintext-file=creds.json
    - --location=global
    - --keyring=<...>
    - --key=<...>
  # run docker daemon
  - name: 'docker/compose:1.24.1'
    args: ['-f', 'deploy/app/docker-in-docker-compose.yml', 'up', '-d', 'docker']
    env:
      - 'PROJECT_ID=$PROJECT_ID'
  # build image
  - name: 'docker/compose:1.24.1'
    args: ['-f', 'deploy/app/docker-in-docker-compose.yml', 'up', 'docker-build']
    env:
      - 'PROJECT_ID=$PROJECT_ID'
  # docker auth and push to gcr
  - name: 'docker/compose:1.24.1'
    args: ['-f', 'deploy/app/docker-in-docker-compose.yml', 'up', 'docker-push']
    env:
      - 'PROJECT_ID=$PROJECT_ID'
timeout: 600s

型

展开查看全部

赞(0）回复(0）举报 2024-01-06

3b6akqbq3#

我找到了解决办法：
1.您需要在您的Dokecker文件之前添加从# syntax=docker/dockerfile:1.4信息：https://www.docker.com/blog/image-rebase-and-improved-remote-cache-support-in-new-buildkit/
1.在步骤构建中添加env: 'DOCKER_BUILDKIT=1'
例如：

- name: 'gcr.io/cloud-builders/docker'
  args: ['build', '-t', 'gcr.io/prj-123-23231,'.']
  dir:  ubuntu
  env: 'DOCKER_BUILDKIT=1'

字符串

赞(0）回复(0）举报 2024-01-06

我来回答

在Google Cloud Build上使用Docker Buildkit

3条答案

相关问题

热门标签

最新问答