From 3da6215db4e43803d990069f3189554e14074be2 Mon Sep 17 00:00:00 2001
From: Priya Wadhwa
Date: Mon, 7 May 2018 15:02:00 -0700
Subject: [PATCH] Create debug image with busybox shell
---
 README.md | 8 ++++++--
 deploy/Dockerfile_debug | 19 +++++++++++++++----
 deploy/executor-release.yaml | 15 ++++++++++++++-
 3 files changed, 35 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index dfbd11a5b..8eb99d52f 100644
--- a/README.md
+++ b/README.md
@@ -151,9 +151,13 @@ kaniko comes with support for GCR, but configuring another credential helper sho
 ### Debug Image
-We provide `gcr.io/kaniko-project/executor:debug` as a a version of the executor image based off a Debian image.
-This provides a shell and can be useful for debugging.
+The kaniko executor image is based off of scratch and doesn't contain a shell.
+We provide `gcr.io/kaniko-project/executor:debug`, a debug image which consists of the kaniko executor image along with a busybox shell to enter.
+You can launch the debug image with a shell entrypoint:
+```shell
+docker run -it --entrypoint=/busybox/sh gcr.io/kaniko-project/executor:debug
+```
 ## Security
 kaniko by itself **does not** make it safe to run untrusted builds inside your cluster, or anywhere else.
diff --git a/deploy/Dockerfile_debug b/deploy/Dockerfile_debug
index 29ecbeef9..82c985a4a 100644
--- a/deploy/Dockerfile_debug
+++ b/deploy/Dockerfile_debug
@@ -12,14 +12,25 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Builds the executor from debian
+# Builds the static Go image to execute in a Kubernetes job
 
-FROM gcr.io/google-appengine/debian9:latest
-COPY out/executor /kaniko/executor
+FROM golang:1.10
+WORKDIR /go/src/github.com/GoogleContainerTools/kaniko
+COPY . .
+RUN make
+WORKDIR /usr/local/bin
+ADD https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v1.4.3-static/docker-credential-gcr_linux_amd64-1.4.3.tar.gz .
+RUN tar -xvzf /usr/local/bin/docker-credential-gcr_linux_amd64-1.4.3.tar.gz
+
+FROM scratch
+COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/executor /kaniko/executor
+COPY --from=0 /usr/local/bin/docker-credential-gcr /usr/local/bin/docker-credential-gcr
 COPY files/ca-certificates.crt /kaniko/ssl/certs/
-COPY files/docker-credential-gcr /usr/local/bin/
 COPY files/config.json /root/.docker/
+ADD files/busybox.tar /
 RUN ["docker-credential-gcr", "config", "--token-source=env"]
 ENV HOME /root
+ENV USER /root
+ENV PATH /usr/local/bin
 ENV SSL_CERT_DIR=/kaniko/ssl/certs
 ENTRYPOINT ["/kaniko/executor"]
diff --git a/deploy/executor-release.yaml b/deploy/executor-release.yaml
index b2a2d2e69..434a43e6f 100644
--- a/deploy/executor-release.yaml
+++ b/deploy/executor-release.yaml
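Review bot: In deploy/Dockerfile_debug the remote `ADD` of docker-credential-gcr_linux_amd64-1.4.3.tar.gz in the build stage is unpacked by the following `RUN tar` with no integrity check, yet the extracted binary is copied into the final image and is the component that handles registry credentials. Record the expected digest in the Dockerfile and verify it before extraction, for example `RUN echo "<sha256-of-release-tarball>  docker-credential-gcr_linux_amd64-1.4.3.tar.gz" | sha256sum -c -` ahead of the `tar` step. Separately, `ENV USER /root` sets the user name to a path and looks like it was meant to be `root`. `ENV PATH /usr/local/bin` also leaves out the busybox directory, so if busybox.tar unpacks under `/busybox`, as the README's `--entrypoint=/busybox/sh` suggests, `ENV PATH /usr/local/bin:/busybox` would let the debug shell find its applets.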
@@ -3,4 +3,17 @@ steps:
 - name: "gcr.io/cloud-builders/docker"
 args: ["build", "-f", "deploy/Dockerfile", "-t", "gcr.io/kaniko-project/executor:${COMMIT_SHA}", "."]
-images: ["gcr.io/kaniko-project/executor:${COMMIT_SHA}"]
+ # Then, we want to clone the distroless repo and build busybox.tar
+ - name: "gcr.io/cloud-builders/git"
+ args: ["clone", "https://github.com/GoogleContainerTools/distroless.git"]
+ - name: "gcr.io/cloud-builders/bazel"
+ args: ["build", "busybox:busybox_tar"]
+ dir: distroless
+ - name: ubuntu
+ args: ["mv", "distroless/bazel-genfiles/busybox/busybox.tar", "files/busybox.tar"]
+ # Then, we want to build the kaniko:debug image with the busybox shell
+ - name: "gcr.io/cloud-builders/docker"
+ args: ["build", "-f", "deploy/Dockerfile_debug",
+ "-t", "gcr.io/kaniko-project/executor:debug-${COMMIT_SHA}", "."]
+images: ["gcr.io/kaniko-project/executor:${COMMIT_SHA}",
+ "gcr.io/kaniko-project/executor:debug-${COMMIT_SHA}"]
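Review bot: The `git clone` step for distroless in deploy/executor-release.yaml takes whatever is at the default branch head when the release runs, so the contents of busybox.tar, and therefore of the published `executor:debug-${COMMIT_SHA}` image, are not tied to the kaniko commit being released. Adding a checkout of a reviewed commit right after the clone makes the debug image reproducible and narrows the supply-chain exposure: `- name: "gcr.io/cloud-builders/git"`, `args: ["checkout", "<pinned-distroless-commit>"]`, `dir: distroless`. The `name: ubuntu` step also resolves an untagged image just to run `mv`, so a tagged or digest-pinned image would avoid depending on whatever `latest` points to at build time.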