3

这就是我使用 kaniko 在我的 gitlab CI 中构建 docker 映像的方式,效果很好。

但我需要读取一个 json 文件来获取一些值。因此我需要访问jq.

.gilab-ci.yml

deploy:
  stage: deployment
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    - mkdir -p /kaniko/.docker
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"auth\":\"$(echo -n ${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD} | base64)\"}}}" > /kaniko/.docker/config.json
    - |
      /kaniko/executor \
        --context $CI_PROJECT_DIR \
        --dockerfile $CI_PROJECT_DIR/app/Dockerfile \
        --destination $CI_REGISTRY_IMAGE/app:latest \
      done
    - jq # <- Is not working, as jq is not installed

是否可以将 jq 添加到图像中以避免在此阶段始终重复安装它?

在所有其他阶段,我使用的是我自己的 alpine 图像,我在 CI 管道中添加了我需要的一切。因此,另一种选择是将 kaniko 添加到此图像中-如果可能的话。这将导致一个图像具有所需的所有实用程序。

Dockerfile

FROM alpine:3.14.2

RUN apk --update add \
  bash \
  curl \
  git \
  jq \
  npm
RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.21.4/bin/linux/amd64/kubectl
RUN chmod u+x kubectl && mv kubectl /bin/kubectl
# Add kaniko to this image??
4

1 回答 1

3

官方 Kaniko Docker 映像是scratch使用独立的 Go 二进制文件构建的(请参阅Kaniko 的 GitHub 存储库中的 Dockerfile)。您可以重复使用官方镜像中的相同二进制文件并将它们复制到您的镜像中,例如:

# Use this FROM instruction as shortcut to use --copy=from kaniko below
# It's also possible to use directly COPY --from=gcr.io/kaniko-project/executor
FROM gcr.io/kaniko-project/executor AS kaniko

FROM alpine:3.14.2

RUN apk --update add \
  bash \
  curl \
  git \
  jq \
  npm
RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.21.4/bin/linux/amd64/kubectl
RUN chmod u+x kubectl && mv kubectl /bin/kubectl

#
# Add kaniko to this image by re-using binaries and steps from official image
#
COPY --from=kaniko /kaniko/executor /kaniko/executor
COPY --from=kaniko /kaniko/docker-credential-gcr /kaniko/docker-credential-gcr
COPY --from=kaniko /kaniko/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
COPY --from=kaniko /kaniko/docker-credential-acr /kaniko/docker-credential-acr
COPY --from=kaniko /etc/nsswitch.conf /etc/nsswitch.conf
COPY --from=kaniko /kaniko/.docker /kaniko/.docker

ENV PATH $PATH:/usr/local/bin:/kaniko
ENV DOCKER_CONFIG /kaniko/.docker/
ENV DOCKER_CREDENTIAL_GCR_CONFIG /kaniko/.config/gcloud/docker_credential_gcr_config.json

编辑:对于调试图像,Dockerfile 将是:

FROM gcr.io/kaniko-project/executor:debug AS kaniko

FROM alpine:3.14.2

RUN apk --update add \
  bash \
  curl \
  git \
  jq \
  npm
RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.21.4/bin/linux/amd64/kubectl
RUN chmod u+x kubectl && mv kubectl /bin/kubectl

#
# Add kaniko to this image by re-using binaries and steps from official image
#
COPY --from=kaniko /kaniko/ /kaniko/
COPY --from=kaniko /kaniko/warmer /kaniko/warmer
COPY --from=kaniko /kaniko/docker-credential-gcr /kaniko/docker-credential-gcr
COPY --from=kaniko /kaniko/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
COPY --from=kaniko /kaniko/docker-credential-acr /kaniko/docker-credential-acr
COPY --from=kaniko /kaniko/.docker /kaniko/.docker
COPY --from=busybox:1.32.0 /bin /busybox

ENV PATH $PATH:/usr/local/bin:/kaniko:/busybox
ENV DOCKER_CONFIG /kaniko/.docker/
ENV DOCKER_CREDENTIAL_GCR_CONFIG /kaniko/.config/gcloud/docker_credential_gcr_config.json

请注意,您需要使用gcr.io/kaniko-project/executor:debug(对于最新版本)或gcr.io/kaniko-project/executor:v1.6.0-debug作为源(或其他标签)

测试构建一个小图像,似乎工作正常:

# Built above example with docker build . -t kaniko-alpine
# And ran container with docker run -it kaniko-alpine sh
echo "FROM alpine" > Dockerfile
echo "RUN echo hello" >> Dockerfile
echo "COPY Dockerfile Dockerfile" >> Dockerfile

executor version
executor -c . --no-push

# Output like:
#
# Kaniko version :  v1.6.0
#
# INFO[0000] Retrieving image manifest alpine             
# INFO[0000] Retrieving image alpine from registry index.docker.io 
# INFO[0000] GET KEYCHAIN                                 
# [...] 
# INFO[0001] RUN echo hello                               
# INFO[0001] Taking snapshot of full filesystem...        
# INFO[0001] cmd: /bin/sh                                 
# INFO[0001] args: [-c echo hello]                        
# INFO[0001] Running: [/bin/sh -c echo hello]             
# [...]

请注意,不推荐在官方镜像之外使用 Kaniko 二进制文件,即使它仍然可以正常工作:

kaniko 旨在作为图像运行:gcr.io/kaniko-project/executor. 我们不建议在另一个映像中运行 kaniko 执行程序二进制文件,因为它可能不起作用。

于 2021-09-20T08:16:33.573 回答