Die Evolution von Container Image Builds

1. Die Evolution von Container Image Builds Container Deep Dive, December 2020

2. Nico Meisenzahl • Senior Cloud & DevOps Consultant at white duck • GitLab Hero, Microsoft MVP & Docker Community Leader • Container, Kubernetes, Cloud-Native & DevOps © white duck GmbH 2020 Phone: +49 8031 230159 0 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org

3. Agenda • Container history at a glance • docker build & dockerd • Container build – the choice is ours • Docker Hub limits © white duck GmbH 2020

4. Linux Container history © white duck GmbH 2020 Namespaces got introduced chroot got introduced (Linux) 2002 Googles uses cgroups at scale (with Borg) 2003 January – cgroups get merged into Linux Kernel August – LXC 1.0 release 2008 Docker hits the scene 2013 June – Docker 1.0 release June – Kubernetes announced November – LXD announced December – rkt announced 2014 June – Open Container Initiative (OCI) defined a common container standard July – Kubernetes 1.0 release July – CNCF founded 2015 April – Docker 1.1 with OCI support based on containerd December – containerd as separate project 2016 October – CIO-O 1.0 released December – Kata Containers project launched 2017 May – gVisor 1.0 released 2018

5. Issues with docker build (in CI/CD) • requires the whole Docker Engine • heavy-weight • depends on Docker daemon • Docker Docker daemon requires root • rootless introduced in 19.03, still an experimental feature (GA with 20.10) • hard to containerize © white duck GmbH 2020

6. Issues with docker build (pre 20.10) • inefficient layer caching (no centralized layer caching) • no concurrency in multi-stage builds • no compiler caching • no secret injection © white duck GmbH 2020

7. How do we fix this? The choice is ours © white duck GmbH 2020 and many more …

8. BuildKit • open-source project by moby • https://github.com/moby/buildkit • used by multiple open-source projects • advantages • automatic garbage collection • concurrent dependency resolution and layer builds • efficient caching (compiler, layer) • build cache import/export • secret injection • supports multi-arch via QEMU • … © white duck GmbH 2020 https://www.xenonstack.com/blog/docker-buildkit/

9. Docker with BuildKit • GA & enabled by default with 20.10 • opt-in for BuildKit with Docker 18.09 and higher • export DOCKER_BUILDKIT=1 • { "features": { "buildkit": true } } > /etc/docker/daemon.json • full BuildKit capabilities with buildx • https://github.com/docker/buildx • binary included with Docker 19.03 and higher © white duck GmbH 2020

10. BuildKit standalone • contains of • a CLI buildkit • a daemon buildkitd • Daemon can be executed as non-root • supports containerized builds • can be used ”daemonless” • containerized with ephemeral daemon © white duck GmbH 2020

11. More details on BuildKit © white duck GmbH 2020

12. buildah • open-source project introduced by Red Hat • https://github.com/containers/buildah • rootless and daemonless • CLI only • Dockerfile support • buildad bud • can also run container • for debugging purpose • use podman for long running containers © white duck GmbH 2020

13. More details on Buildah © white duck GmbH 2020

14. Kaniko • open-source project by Google • https://github.com/GoogleContainerTools/kaniko • designed to build container images, inside a container or Kubernetes • gcr.io/kaniko-project/executor • image builds without the need of any privileges or dependencies • speed up your builds with caching • FROM via volume mount • layers via registry © white duck GmbH 2020

15. img • open-source project started by Jess Frazelle • https://github.com/genuinetools/img • daemonless and unprivileged • based on BuildKit • Docker-like CLI • can also be executed within a Container • a bit inactive since 2018 © white duck GmbH 2020

16. k3c • open-source project by Rancher • https://github.com/rancher/k3c • pretty new project, experimental! • “k3c, similar old school docker, is packaged as a single binary…” • allows to run and build container. full stop. • based on Container Runtime Interface (CRI), containerd and BuildKit © white duck GmbH 2020

17. Docker rate-limiting (since Nov 2nd) • Free plan • anonymous users: 100 pulls per 6 hours (Source IP) • authenticated users: 200 pulls per 6 hours • Pro/Team plan – unlimited • free opt-in for OSS projects (unlimited pulls) • was introduced slowly • starting with 6000 pull per 6 hours • final limits are active since Nov 18 © white duck GmbH 2020

18. Solutions • authenticate or opt-in for Pro/Team • docker login, imagePullSecrets, … • configure a registry mirror • run your own • https://docs.docker.com/registry/recipes/mirror/ • use GitLab Dependency Proxy • https://docs.gitlab.com/ee/user/packages/dependency_proxy/ • use mirror.gcr.io • https://cloud.google.com/container-registry/docs/pulling-cached-images © white duck GmbH 2020

19. Solutions • Docker • authenticate via login • define registry mirror • Kaniko • use --registry-mirror to define registry mirror • Buildah • authenticate via login • rewrite default registry via registries.conf • Img • authenticate via login © white duck GmbH 2020

20. Questions? Slides: https://www.slideshare.net/nmeisenzahl Nico Meisenzahl (Senior Cloud & DevOps Consultant) Phone: +49 8031 230159 0 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org © white duck GmbH 2020