
The Evolution of Container Image Builds

Containerized applications have become an essential part of our daily lives. We build them several times a day, both within our CI pipelines and locally for debugging and testing purposes. A few years ago, "docker build" was our only option for this. In the meantime, however, many alternative projects have appeared that offer different features and advantages.

In this talk, Nico introduces you to the evolution of container builds. You will gain insights into tools such as BuildKit, buildx, Kaniko, buildah, img and others. Besides the differences, you will also learn about the advantages and disadvantages of the individual tools.

After this talk, you will know everything you need to take your container builds to the next level.



  1. The Evolution of Container Image Builds
     Container Deep Dive, December 2020
  2. Nico Meisenzahl
     • Senior Cloud & DevOps Consultant at white duck
     • GitLab Hero, Microsoft MVP & Docker Community Leader
     • Container, Kubernetes, Cloud-Native & DevOps
     Phone: +49 8031 230159 0
     Email: nico.meisenzahl@whiteduck.de
     Twitter: @nmeisenzahl
     LinkedIn: https://www.linkedin.com/in/nicomeisenzahl
     Blog: https://meisenzahl.org
     © white duck GmbH 2020
  3. Agenda
     • Container history at a glance
     • docker build & dockerd
     • Container build – the choice is ours
     • Docker Hub limits
  4. Linux Container history
     • 2002: Namespaces got introduced; chroot got introduced (Linux)
     • 2003: Google uses cgroups at scale (with Borg)
     • 2008: January – cgroups get merged into Linux Kernel; August – LXC 1.0 release
     • 2013: Docker hits the scene
     • 2014: June – Docker 1.0 release; June – Kubernetes announced; November – LXD announced; December – rkt announced
     • 2015: June – Open Container Initiative (OCI) defined a common container standard; July – Kubernetes 1.0 release; July – CNCF founded
     • 2016: April – Docker 1.1 with OCI support based on containerd; December – containerd as separate project
     • 2017: October – CRI-O 1.0 released; December – Kata Containers project launched
     • 2018: May – gVisor 1.0 released
  5. Issues with docker build (in CI/CD)
     • requires the whole Docker Engine
     • heavy-weight
     • depends on Docker daemon
     • Docker daemon requires root
       • rootless introduced in 19.03, still an experimental feature (GA with 20.10)
     • hard to containerize
  6. Issues with docker build (pre 20.10)
     • inefficient layer caching (no centralized layer caching)
     • no concurrency in multi-stage builds
     • no compiler caching
     • no secret injection
  7. How do we fix this? The choice is ours
     and many more …
  8. BuildKit
     • open-source project by moby
       • https://github.com/moby/buildkit
     • used by multiple open-source projects
     • advantages
       • automatic garbage collection
       • concurrent dependency resolution and layer builds
       • efficient caching (compiler, layer)
       • build cache import/export
       • secret injection
       • supports multi-arch via QEMU
       • …
     https://www.xenonstack.com/blog/docker-buildkit/
  9. Docker with BuildKit
     • GA & enabled by default with 20.10
     • opt-in for BuildKit with Docker 18.09 and higher
       • export DOCKER_BUILDKIT=1
       • echo '{ "features": { "buildkit": true } }' > /etc/docker/daemon.json
     • full BuildKit capabilities with buildx
       • https://github.com/docker/buildx
       • binary included with Docker 19.03 and higher
  10. BuildKit standalone
     • consists of
       • a CLI buildctl
       • a daemon buildkitd
     • daemon can be executed as non-root
     • supports containerized builds
     • can be used "daemonless"
       • containerized with ephemeral daemon
  11. More details on BuildKit
  12. buildah
     • open-source project introduced by Red Hat
       • https://github.com/containers/buildah
     • rootless and daemonless
     • CLI only
     • Dockerfile support
       • buildah bud
     • can also run containers
       • for debugging purposes
       • use podman for long-running containers
  13. More details on Buildah
  14. Kaniko
     • open-source project by Google
       • https://github.com/GoogleContainerTools/kaniko
     • designed to build container images inside a container or Kubernetes
       • gcr.io/kaniko-project/executor
     • image builds without the need for any privileges or dependencies
     • speed up your builds with caching
       • FROM via volume mount
       • layers via registry
  15. img
     • open-source project started by Jess Frazelle
       • https://github.com/genuinetools/img
     • daemonless and unprivileged
     • based on BuildKit
     • Docker-like CLI
     • can also be executed within a container
     • a bit inactive since 2018
  16. k3c
     • open-source project by Rancher
       • https://github.com/rancher/k3c
     • pretty new project, experimental!
     • “k3c, similar old school docker, is packaged as a single binary…”
     • allows you to run and build containers. Full stop.
     • based on Container Runtime Interface (CRI), containerd and BuildKit
  17. Docker rate-limiting (since Nov 2nd)
     • Free plan
       • anonymous users: 100 pulls per 6 hours (source IP)
       • authenticated users: 200 pulls per 6 hours
     • Pro/Team plan – unlimited
     • free opt-in for OSS projects (unlimited pulls)
     • was introduced slowly
       • starting with 6000 pulls per 6 hours
       • final limits are active since Nov 18
  18. Solutions
     • authenticate or opt-in for Pro/Team
       • docker login, imagePullSecrets, …
     • configure a registry mirror
       • run your own
         • https://docs.docker.com/registry/recipes/mirror/
       • use GitLab Dependency Proxy
         • https://docs.gitlab.com/ee/user/packages/dependency_proxy/
       • use mirror.gcr.io
         • https://cloud.google.com/container-registry/docs/pulling-cached-images
  19. Solutions
     • Docker
       • authenticate via login
       • define registry mirror
     • Kaniko
       • use --registry-mirror to define registry mirror
     • Buildah
       • authenticate via login
       • rewrite default registry via registries.conf
     • Img
       • authenticate via login
  20. Questions?
     Slides: https://www.slideshare.net/nmeisenzahl
     Nico Meisenzahl (Senior Cloud & DevOps Consultant)
     Phone: +49 8031 230159 0
     Email: nico.meisenzahl@whiteduck.de
     Twitter: @nmeisenzahl
     LinkedIn: https://www.linkedin.com/in/nicomeisenzahl
     Blog: https://meisenzahl.org
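
Slides 6 and 8 list secret injection as something docker build lacked before BuildKit. The Dockerfile below is an added example, not taken from the slides, that puts the build-argument approach next to a BuildKit secret mount; the argument name API_TOKEN, the secret id api_token, the file api_token.txt and the artifacts.example.invalid URL are constructed placeholders.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not from the slides. API_TOKEN, the secret id "api_token",
# api_token.txt and the download URL are constructed placeholders.

FROM alpine:3.12 AS base
RUN apk add --no-cache curl

# --- Before: credential passed as a build argument ---------------------------
# Build:  docker build --target leaky --build-arg API_TOKEN=<token> .
# The value is stored in the image metadata. Anyone who can pull the image can
# read it with `docker history --no-trunc <image>`, because every RUN step
# executed while the ARG is in scope records the argument value.
FROM base AS leaky
ARG API_TOKEN
RUN curl -fsS -H "Authorization: Bearer ${API_TOKEN}" \
      -o /opt/artifact.tgz https://artifacts.example.invalid/artifact.tgz

# --- After: BuildKit secret mount --------------------------------------------
# Build:  DOCKER_BUILDKIT=1 docker build --target safe \
#           --secret id=api_token,src=./api_token.txt .
# The secret is mounted at /run/secrets/api_token only while this RUN step
# executes. It is not written to a layer and does not show up in
# `docker history`.
FROM base AS safe
RUN --mount=type=secret,id=api_token \
    curl -fsS -H "Authorization: Bearer $(cat /run/secrets/api_token)" \
      -o /opt/artifact.tgz https://artifacts.example.invalid/artifact.tgz

# Check after building both targets:
#   docker history --no-trunc <leaky-image> | grep API_TOKEN   # value visible
#   docker history --no-trunc <safe-image>  | grep -i token    # only the mount flag and path
```

The secret's content is not part of the build cache key, so rotating the token does not by itself invalidate the cached RUN step.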
