Latest BuildKit/img no longer necessarily requires procMount to be unmasked, by
not unsharing PID namespaces.
The current drawback of BuildKit/img compared to kaniko is that BuildKit/img
requires seccomp and AppArmor to be disabled so as to create nested containers.
https://github.com/moby/buildkit/pull/768
https://github.com/genuinetools/img/pull/221
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
* Add parent directories of adding files
* Add integration Dockerfile to test parent directory permissions
* Remove unnecessary helper method
* Use a file on the internet for integration Dockerfile
When using Kaniko with certain build systems, such as GitLab CI, it is necessary to use the 'debug' image and override the entrypoint, so that an arbitrary build script can be executed within the container. Unfortunately, the 'warmer' binary is not available in the 'debug' image, making it impossible to perform a base image cache warmup using such build systems.
This patch addresses this by ensuring that the 'out/warmer' target is made in the initial stage, and that all 'out' files are copied to '/kaniko' in the final stage.
This change calculates the exact files and directories needed between
stages used in the COPY command. Instead of saving the entire
stage as a tarball, we now save only the necessary files.
The main reason is to include the fixes from
https://github.com/google/go-containerregistry/pull/401. This should
fix the build+push to quay.io (with v2 schema enabled) cases.
Signed-off-by: Vincent Demeester <vdemeest@redhat.com>
- We were validating usernames/groupnames existed in etc/passwd. Docker does not do this
- We were incorrectly caching USER commands. This was fixed automatically by fixing the first part.
* Update go-containerregistry
Update go-containerregistry since it can now handle image names of the
format repo:tag@digest.
Should fix #535.
Thanks @ViceIce for the fix!
* update go-containerregistry again
The description of Buildah is a bit outdated, most importantly Buildah
does not require root privileges (anymore). Also provide a more
detailed description copied from github.com/containers/buildah.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Calculating a manifest from a v1.tarball is very expensive. We can
store those locally as well, and use them if they exist.
This should eventually be replaced with oci layout support once that exists
in ggcr.
and our snapshot optimizations.
If a previous base image has a volume, the directory is added to the
list of files to snapshot. That directory may not actually exist in the image.
* Set TarPath to empty when pushing a layer
* Fix issues with layer caching, noPush and tarPath.
- Layer caching should work even when tarPath is specified, so this
commit changes the value of tarPath to empty when caching layers.
- When an image is built with just the tarPath and noPush
is true, we should still create the tarBall (which wasn't happening
before this commit).
* Set no-push to false for cache layers
* Remove extra log
* go-imports fix