Die Evolution von Container Image Builds (The Evolution of Container Image Builds)
2. Nico Meisenzahl
• Senior Cloud & DevOps Consultant at white duck
• GitLab Hero, Microsoft MVP & Docker Community Leader
• Container, Kubernetes, Cloud-Native & DevOps
© white duck GmbH 2020
Phone: +49 8031 230159 0
Email: nico.meisenzahl@whiteduck.de
Twitter: @nmeisenzahl
LinkedIn: https://www.linkedin.com/in/nicomeisenzahl
Blog: https://meisenzahl.org
3. Agenda
• Container history at a glance
• docker build & dockerd
• Container build – the choice is ours
• Docker Hub limits
4. Linux Container history
• chroot got introduced (Linux)
• 2002 – Namespaces got introduced
• 2003 – Google uses cgroups at scale (with Borg)
• 2008
  • January – cgroups get merged into Linux Kernel
  • August – LXC 1.0 release
• 2013 – Docker hits the scene
• 2014
  • June – Docker 1.0 release
  • June – Kubernetes announced
  • November – LXD announced
  • December – rkt announced
• 2015
  • June – Open Container Initiative (OCI) defined a common container standard
  • July – Kubernetes 1.0 release
  • July – CNCF founded
• 2016
  • April – Docker 1.1 with OCI support based on containerd
  • December – containerd as separate project
• 2017
  • October – CRI-O 1.0 released
  • December – Kata Containers project launched
• 2018
  • May – gVisor 1.0 released
5. Issues with docker build (in CI/CD)
• requires the whole Docker Engine
• heavy-weight
• depends on Docker daemon
• Docker daemon requires root
  • rootless introduced in 19.03, still an experimental feature (GA with 20.10)
• hard to containerize
6. Issues with docker build (pre 20.10)
• inefficient layer caching (no centralized layer caching)
• no concurrency in multi-stage builds
• no compiler caching
• no secret injection
7. How do we fix this? The choice is ours
and many more …
8. BuildKit
• open-source project by moby
  • https://github.com/moby/buildkit
• used by multiple open-source projects
• advantages
  • automatic garbage collection
  • concurrent dependency resolution and layer builds
  • efficient caching (compiler, layer)
  • build cache import/export
  • secret injection
  • supports multi-arch via QEMU
  • …
https://www.xenonstack.com/blog/docker-buildkit/
9. Docker with BuildKit
• GA & enabled by default with 20.10
• opt-in for BuildKit with Docker 18.09 and higher
  • export DOCKER_BUILDKIT=1
  • { "features": { "buildkit": true } } > /etc/docker/daemon.json
• full BuildKit capabilities with buildx
  • https://github.com/docker/buildx
  • binary included with Docker 19.03 and higher
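Putting the opt-in from this slide to work, as an added example that is not taken from the deck: the script exports DOCKER_BUILDKIT=1, renders a Dockerfile that uses BuildKit's secret and cache mounts (the secret injection and compiler/package caching listed on slide 8), refuses to build if the Dockerfile copies a credential file into the image instead, and runs docker build with --secret. The image name demo/app, the secret id netrc and the pip-based Dockerfile are assumptions; the actual build only runs when RUN_BUILD=1 is set, so the helpers can be exercised without a Docker daemon.

```shell
#!/bin/sh
# Added example, not taken from the deck: opt in to BuildKit and use two of
# the features listed on slide 8 (secret injection, compiler/package cache).
# Image name, secret id "netrc" and the Dockerfile contents are assumptions.

# Opt-in for Docker 18.09 to 20.09; harmless on 20.10+ where it is the default.
export DOCKER_BUILDKIT=1

# Render a Dockerfile that only BuildKit can build. The "# syntax" line pins
# the Dockerfile frontend so "RUN --mount" is understood.
render_dockerfile() {
  cat <<'EOF'
# syntax=docker/dockerfile:1
FROM python:3.12-slim
# The secret is mounted for this single RUN step only: it is not part of
# the build context and never ends up in a layer of the image. The cache
# mount keeps pip's download cache between builds without baking it in.
RUN --mount=type=secret,id=netrc,target=/root/.netrc \
    --mount=type=cache,target=/root/.cache/pip \
    pip install requests
EOF
}

# Lint: the mistake secret mounts exist to avoid is COPY/ADD of a credential
# file into the image. Returns 0 if the Dockerfile passed in $1 does that.
dockerfile_leaks_secret() {
  printf '%s\n' "$1" | grep -Eiq '^(COPY|ADD)[[:space:]].*(\.netrc|\.npmrc|id_rsa|\.env)'
}

# --secret maps a file on the build host to the id used in the Dockerfile.
build_with_secret() {
  ctx="$(mktemp -d)"
  render_dockerfile > "$ctx/Dockerfile"
  if dockerfile_leaks_secret "$(cat "$ctx/Dockerfile")"; then
    echo "refusing to build: Dockerfile copies a credential file" >&2
    return 1
  fi
  docker build --secret id=netrc,src="$HOME/.netrc" -t demo/app "$ctx"
}

# Only talk to the daemon when explicitly asked, so the helpers above can be
# exercised on a machine without Docker.
if [ "${RUN_BUILD:-0}" = 1 ]; then
  build_with_secret
fi
```

Run it with RUN_BUILD=1 on a host with Docker 18.09 or newer; docker history demo/app afterwards shows no layer carrying the .netrc file, which is the point of the secret mount over a COPY.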
10. BuildKit standalone
• consists of
  • a CLI buildkit
  • a daemon buildkitd
• daemon can be executed as non-root
• supports containerized builds
• can be used “daemonless”
  • containerized with ephemeral daemon
12. buildah
• open-source project introduced by Red Hat
  • https://github.com/containers/buildah
• rootless and daemonless
• CLI only
• Dockerfile support
  • buildah bud
• can also run containers
  • for debugging purposes
  • use podman for long-running containers
14. Kaniko
• open-source project by Google
  • https://github.com/GoogleContainerTools/kaniko
• designed to build container images inside a container or Kubernetes
  • gcr.io/kaniko-project/executor
• image builds without the need for any privileges or dependencies
• speed up your builds with caching
  • FROM via volume mount
  • layers via registry
15. img
• open-source project started by Jess Frazelle
  • https://github.com/genuinetools/img
• daemonless and unprivileged
• based on BuildKit
• Docker-like CLI
• can also be executed within a container
• a bit inactive since 2018
16. k3c
• open-source project by Rancher
  • https://github.com/rancher/k3c
• pretty new project, experimental!
• “k3c, similar old school docker, is packaged as a single binary…”
• allows to run and build containers. Full stop.
• based on Container Runtime Interface (CRI), containerd and BuildKit
17. Docker rate-limiting (since Nov 2nd)
• Free plan
  • anonymous users: 100 pulls per 6 hours (Source IP)
  • authenticated users: 200 pulls per 6 hours
• Pro/Team plan – unlimited
• free opt-in for OSS projects (unlimited pulls)
• was introduced slowly
  • starting with 6000 pulls per 6 hours
  • final limits are active since Nov 18
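The limits above become visible in CI as sudden "toomanyrequests" pull failures. As an added example that is not part of the deck, the script below reads the ratelimit-limit / ratelimit-remaining headers Docker Hub returns on a HEAD request for the ratelimitpreview/test manifest (the check Docker documents for this purpose) and fails a job early when the remaining budget for the 6-hour window drops below a threshold. The sample response is constructed, the threshold value is an assumption, and the live fetch is a separate function so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the deck: read Docker Hub's pull-quota headers and
# stop a CI job before the 6-hour budget is exhausted. Sample headers below
# are constructed; the threshold passed to quota_ok is an assumption.

# Extract the numeric part of a "ratelimit-*" header, e.g.
# "ratelimit-remaining: 76;w=21600" -> 76. The ";w=21600" suffix is the
# window in seconds (6 hours). Header names are matched case-insensitively,
# and the CR of a CRLF line ending is stripped.
ratelimit_value() {   # $1 = header name, stdin = raw response headers
  awk -v name="$1" '
    BEGIN { want = tolower(name) ":" }
    tolower($1) == want { v = $2; sub(/;.*/, "", v); gsub(/\r/, "", v); print v; exit }'
}

# Constructed sample of a HEAD response for an anonymous client. Real
# responses carry more headers; docker-ratelimit-source shows which
# identity (source IP here) the quota is counted against.
SAMPLE_HEADERS='HTTP/1.1 200 OK
content-type: application/vnd.docker.distribution.manifest.list.v2+json
ratelimit-limit: 100;w=21600
ratelimit-remaining: 23;w=21600
docker-ratelimit-source: 203.0.113.7'

# Live check (not run by default): anonymous token for the preview repo,
# then a HEAD request, which reports the quota without consuming a pull.
fetch_live_headers() {
  token=$(curl -fsS 'https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull' \
          | sed -n 's/.*"token":"\([^"]*\)".*/\1/p')
  curl -fsS --head -H "Authorization: Bearer $token" \
    https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest
}

# Return 0 when at least $2 pulls remain, 1 otherwise. Missing headers mean
# no limit applies (Pro/Team plan, OSS opt-in or a mirror in front), so
# that case is treated as OK rather than as an error.
quota_ok() {   # $1 = response headers, $2 = minimum remaining pulls
  remaining=$(printf '%s\n' "$1" | ratelimit_value ratelimit-remaining)
  limit=$(printf '%s\n' "$1" | ratelimit_value ratelimit-limit)
  [ -n "$remaining" ] || { echo "no ratelimit headers: unlimited plan or mirror"; return 0; }
  echo "docker hub pulls: $remaining of $limit left in this 6h window"
  [ "$remaining" -ge "$2" ]
}
```

In a pipeline, `quota_ok "$(fetch_live_headers)" 20 || exit 1` as the first step makes a quota problem fail loudly at the start of the job instead of halfway through a multi-stage build.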
18. Solutions
• authenticate or opt-in for Pro/Team
  • docker login, imagePullSecrets, …
• configure a registry mirror
  • run your own
    • https://docs.docker.com/registry/recipes/mirror/
  • use GitLab Dependency Proxy
    • https://docs.gitlab.com/ee/user/packages/dependency_proxy/
  • use mirror.gcr.io
    • https://cloud.google.com/container-registry/docs/pulling-cached-images
19. Solutions
• Docker
  • authenticate via login
  • define registry mirror
• Kaniko
  • use --registry-mirror to define registry mirror
• Buildah
  • authenticate via login
  • rewrite default registry via registries.conf
• Img
  • authenticate via login
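The mirror settings on this slide and the Kaniko layer cache from slide 14 each have their own configuration shape. The script below, an added example that is not from the deck, renders them for Docker (daemon.json), Buildah (registries.conf) and Kaniko (executor flags) from a single mirror host, normalising the host first because Docker wants a URL with scheme while Kaniko and Buildah want a bare host. The mirror host, the destination image and the cache repository are assumptions; mirror.gcr.io is the public mirror named on slide 18.

```shell
#!/bin/sh
# Added example, not from the deck: render the mirror and cache settings that
# slides 14 and 19 describe, for each build tool. Mirror host, image names
# and cache repository are assumptions for illustration.

# Each tool wants the mirror in a different shape (Docker: URL with scheme,
# Kaniko and Buildah: bare host). Normalise whatever an operator passes in.
normalize_mirror_host() {
  printf '%s\n' "$1" | sed -E 's#^https?://##; s#/.*$##'
}

# Docker: /etc/docker/daemon.json fragment. Merge it into an existing file
# rather than overwriting with ">". The daemon falls back to Docker Hub when
# the mirror misses, so a misconfigured mirror silently burns quota.
docker_daemon_json() {
  printf '{\n  "registry-mirrors": ["https://%s"]\n}\n' "$(normalize_mirror_host "$1")"
}

# Buildah/Podman: /etc/containers/registries.conf (v2 TOML). The mirror
# applies to docker.io pulls, which covers FROM lines in "buildah bud".
buildah_registries_conf() {
  host="$(normalize_mirror_host "$1")"
  cat <<EOF
unqualified-search-registries = ["docker.io"]

[[registry]]
prefix = "docker.io"
location = "docker.io"

[[registry.mirror]]
location = "$host"
EOF
}

# Kaniko: everything is a flag on the executor. --cache-repo keeps the layer
# cache in a registry (slide 14), --registry-mirror redirects base image
# pulls (slide 19). $1 = mirror, $2 = destination image, $3 = cache repo.
kaniko_args() {
  printf -- '--dockerfile=Dockerfile --context=dir:///workspace --destination=%s --cache=true --cache-repo=%s --registry-mirror=%s\n' \
    "$2" "$3" "$(normalize_mirror_host "$1")"
}
```

With the outputs in place, a mirror outage is worth alerting on: Docker and Buildah fall back to Docker Hub and the job keeps working while quietly consuming the quota the mirror was meant to protect.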