diff --git a/Dockerfile b/Dockerfile index ccff8fb..a4d9c09 100644 --- a/Dockerfile +++ b/Dockerfile @@ -76,6 +76,16 @@ RUN cp /usr/share/ca-certificates/mozilla/* /cit/ssl/certs/ FROM quay.io/buildah/stable:${BUILDAH_VERSION} +# Configure for rootless container execution +RUN touch /etc/subgid /etc/subuid \ + && chmod g=u /etc/subgid /etc/subuid /etc/passwd \ + && echo build:10000:65536 > /etc/subuid \ + && echo build:10000:65536 > /etc/subgid + +# Configure Buildah storage driver +RUN mkdir -p /home/build/.config/containers \ + && (echo '[storage]';echo 'driver = "vfs"') > /home/build/.config/containers/storage.conf + #COPY --from=busybox:1.37.0-musl /bin /busybox ## Declare /busybox as a volume to get it automatically in the path to ignore #VOLUME /busybox @@ -86,6 +96,11 @@ VOLUME /container-image-tools COPY --from=skopeo /go/github.com/containers/skopeo/default-policy.json /etc/containers/policy.json +# Buildah configuration for rootless execution +ENV BUILDAH_ISOLATION=chroot +ENV BUILDAH_FORMAT=docker +ENV STORAGE_DRIVER=vfs + ENV PATH=/usr/local/bin:/usr/bin:/container-image-tools/bin ENV DOCKER_CONFIG=/container-image-tools/.docker/ ENV SSL_CERT_DIR=/container-image-tools/ssl/certs diff --git a/README.md b/README.md index 29aae73..4aae71d 100644 --- a/README.md +++ b/README.md 
@@ -1,34 +1,38 @@ # cookielab/container-image-tools This container image contains tools for building and managing container images. -Container is based on scratch but contains minimal shell tools from busybox. +Container is based on the official Buildah image with additional credential helpers and tools. ## Tools -- [Busybox](https://hub.docker.com/_/busybox?tab=description) - [buildah](https://github.com/containers/buildah/) - [Manifest Tool](https://github.com/estesp/manifest-tool) - [Skopeo](https://github.com/containers/skopeo) - Credential Helpers - [ENV](https://github.com/isometry/docker-credential-env) for Docker Hub, GitLab Container Registry etc. - [AWS ECR](https://github.com/awslabs/amazon-ecr-credential-helper) - - [Google Clous GCR](https://github.com/GoogleCloudPlatform/docker-credential-gcr) + - [Google Cloud GCR](https://github.com/GoogleCloudPlatform/docker-credential-gcr) ## Usage -Build container image and push it to GitLab Registru. +Build container image and push it to GitLab Registry. ```shell export DOCKER_registry_gitlab_com_USR="${CI_REGISTRY_USER}" export DOCKER_registry_gitlab_com_PSW="${CI_REGISTRY_PASSWORD}" -# TODO: buildah example + +# Build image with buildah +buildah build -t "${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}" . + +# Push image to registry +buildah push "${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}" ``` -As you can see we don't need to create any _docker config.json_ file. But wes use power of Creds Helpers. +As you can see we don't need to create any _docker config.json_ file. But we use power of Creds Helpers. In this case ENV Cred Helper. -If you want to build multiarch images with kaniko you need to build separate image on HW with that arch. -And than join them with manifest. +If you want to build multiarch images with buildah you need to build separate image on HW with that arch. +And then join them with manifest. ```yaml include: 
@@ -42,11 +46,27 @@ variables: build: extends: .multiarch script: - # TODO: replace with buildah example - - kaniko --build-arg TARGETARCH="${TARGETARCH}" --destination "${REGISTRY_IMAGE}-${TARGETARCH}" + - buildah build --build-arg TARGETARCH="${TARGETARCH}" -t "${REGISTRY_IMAGE}-${TARGETARCH}" . + - buildah push "${REGISTRY_IMAGE}-${TARGETARCH}" build-multiarch: extends: .manifest needs: - build ``` + +### GitLab CI/CD Example + +Complete example for building and pushing container images with buildah: + +```yaml +build: + stage: build + image: cookielab/container-image-tools:latest + variables: + DOCKER_registry_gitlab_com_USR: "${CI_REGISTRY_USER}" + DOCKER_registry_gitlab_com_PSW: "${CI_REGISTRY_PASSWORD}" + script: + - buildah build -t "${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}" . + - buildah push "${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}" +```
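Review bot: the `chmod g=u /etc/subgid /etc/subuid /etc/passwd` line in the first Dockerfile hunk makes `/etc/passwd` group-writable, so any process running with the root group (which is what this pattern is usually meant to support for arbitrary UIDs) can append or alter account entries; if the only goal is to let rootless buildah read the subordinate-ID ranges, limit the mode change to `/etc/subuid` and `/etc/subgid` and add a comment stating why `/etc/passwd` must be writable if it really is required. In the same hunk the `touch` is redundant because the `echo ... >` redirections create the files, and `>` silently discards any `build:` ranges the base image already ships; the hunk also assumes a `build` user and `/home/build` exist in `quay.io/buildah/stable`, and since the `RUN` executes as root the `.config/containers/storage.conf` directory tree ends up root-owned inside the build user's home, so consider a `chown` or `--chown` so the unprivileged user can manage its own config directory.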
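Review bot: the second Dockerfile hunk sets `BUILDAH_ISOLATION=chroot` without documenting the trade-off: chroot isolation runs `RUN` steps without the namespace separation that the default OCI isolation provides, so a Containerfile built in this image runs closer to the CI job's own context; add a comment stating that this image is intended for trusted Containerfiles, or make the isolation mode overridable rather than baked in. `STORAGE_DRIVER=vfs` duplicates the `driver = "vfs"` already written to `storage.conf` in the first hunk, so keep one of the two (or comment that the env var is the intended override), and `BUILDAH_FORMAT=docker` changes the default image format from OCI, which deserves a one-line comment explaining why Docker-format manifests are wanted.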
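Review bot: the first README hunk still carries grammatical rough edges after the typo fixes: "But we use power of Creds Helpers. In this case ENV Cred Helper." would read better as "Instead we use the credential helpers, in this case the ENV credential helper.", and "you need to build separate image on HW with that arch" as "you need to build a separate image on hardware of that architecture". The new `buildah build` / `buildah push` lines are consistent with each other (same `-t` tag is pushed), but since the image now runs buildah with `vfs` storage and `chroot` isolation, the usage text should mention that the job must run as the unprivileged `build` user for the rootless configuration introduced in the Dockerfile to apply.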
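Review bot: the "GitLab CI/CD Example" in the second README hunk pins `image: cookielab/container-image-tools:latest`; for a tool that handles registry credentials, recommend a versioned tag or a digest (`image@sha256:...`) so builds are reproducible and an upstream tag move cannot silently change the toolchain. The example also uses `${CI_REGISTRY_IMAGE}` while the multiarch snippet above it uses `${REGISTRY_IMAGE}`; either name them consistently or state in the text that `REGISTRY_IMAGE` is defined by the included `.multiarch` template. Finally, the variables block is the right place to note that `CI_REGISTRY_PASSWORD` is a job token scoped to the pipeline, since readers copying this into other registries will substitute a long-lived secret there.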