Brings in a change from upstream to resolve ports to well-known values when comparing Host values to decide whether or not to send the Bearer Authorization header when pushing an image.
Upstream issue is https://github.com/google/go-containerregistry/issues/472.
This changes allow to use kaniko-warmer multiple times without unnecessary docker image downloads.
To check image presence in cache directory I'm using existing cache function that is used by kaniko-executor.
I've considered building separate function to only check image presence, but it will have pretty much the same code.
Questionable decision is to embed CacheOptions type to KanikoOptions and WarmerOptions. Probably this should be resolved by creating interface providing needed options and implement it both mentioned structs. But I've struggled to get a meaningfull name to it.
To replicate previous behaviour of downloading regardless of cache state I've added --force(-f) option.
This changes provides crucial speed-up when downloading images from remote registry is slow.
Closes#722
When a Dockerfile command requires using the TakeSnapshotFS function,
the resulting layer has a random ordering of files. This causes the
layer to have a non-deterministic hash defeating the reproducible flag.
Issue #710 appears to document this issue as well.
To fix, always sort the list of files to be added in scanFullFilesystem.
This avoids trying to sort the file list during execution, and takes
almost no time to complete.
Resolves#607
* Deleted a duplicate Gopkg.lock block for github.com/otiai10/copy to
prevent `dep ensure` from deleting it from vendor/
* Searched for breaking changes. Only found ones for
remote.Delete/List/Write/WriteIndex. Searched for those and fixed
* Noticed that NewInsecureRegistry was deprecated and replaced it
* Revert "Change cache key calculation to be more reproducible. (#525)"
This reverts commit 1ffae47fdd.
* Add logging of composition key back
* Do not include build args in cache key
This should be save, given that the commands will have the args included
when the cache key gets built.
This flag, when set, takes a file in the container and writes the image digest to it. This can be used to extract the exact digest of the built image by surrounding tooling without having to parse the logs from Kaniko, for example by pointing the file to a mounted volume or to a file used durint exit status, such as with Kubernetes' [Termination message policy](https://kubernetes.io/docs/tasks/debug-application-cluster/determine-reason-pod-failure/)]
When the flag is not set, the digest is not written to file and the executor behaves as before. The digest is also written to file in case of a tarball or a `--no-push`.
Closes#654
Latest BuildKit/img no longer necessarily requires procMount to be unmasked, by
not unsharing PID namespaces.
The current drawback of BuildKit/img compared to kaniko is that BuildKit/img
requires seccomp and AppArmor to be disabled so as to create nested containers.
https://github.com/moby/buildkit/pull/768https://github.com/genuinetools/img/pull/221
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
* Add parent directories of adding files
* Add integration Dockerfile to test parent directory permissions
* Remove unnecessary helper method
* Use a file on the internet for integration Dockerfile
When using Kaniko with certain build systems, such as GitLab CI, it is necessary to use the 'debug' image and override the entrypoint, so that an arbitrary build script can be executed within the container. Unfortunately, the 'warmer' binary is not available in the 'debug' image, making it impossible to perform a base image cache warmup using such build systems.
This patch addresses this by ensuring that the 'out/warmer' target is made in the initial stage, and that all 'out' files are copied to '/kaniko' in the final stage.
This change calculates the exact files and directories needed between
stages used in the COPY command. Instead of saving the entire
stage as a tarball, we now save only the necessary files.
The main reason is to include the fixes from
https://github.com/google/go-containerregistry/pull/401. This should
fix the build+push to quay.io (with v2 schema enabled) cases.
Signed-off-by: Vincent Demeester <vdemeest@redhat.com>
- We were validating usernames/groupnames existed in etc/passwd. Docker does not do this
- We were incorrectly caching USER commands. This was fixed automatically by fixing the first part.
Luke Wood
v.rul
Taylor Barrella
Tejal Desai
Роман Небалуев
priyawadhwa
Carlos Alexandro Becker
Matthew Dawson
Andreas Bergmeier
Takeaki Matsumoto
tralexa
Kartik Verma
Andreas Bergmeier
Nao YONASHIRO
Gijs
Johannes 'fish' Ziemke
Jake Shadle
Thao-Nguyen Do
Akihiro Suda
Balint Pato
Johan Hernandez
Dirk Gustke
Fred Cox
dlorenc
Daisuke Taniwaki
Jason Hall
Warren Seymour
Vincent Demeester