Building Docker Images without Docker
If you want to find out how you can build Dockerfiles without Docker itself, then this post is for you.
Join the DZone community and get the full member experience.
Join For FreeKaniko is a project launched by Google that allows building Dockerfiles without Docker or the Docker daemon.
Kaniko can be used inside Kubernetes to build a Docker image and push it to a registry, supporting Docker registry, Google Container Registry, and AWS ECR, as well as any other registry supported by Docker credential helpers.
This solution is still not safe, as containers run as root, but it is way better than mounting the Docker socket and launching containers in the host. For one, there are no leaked resources or containers running outside the scheduler.
To launch Kaniko from Jenkins in Kubernetes, you just need an agent template that uses a customized Kaniko image (just to have cat and nohup) and a Kubernetes secret with the image registry credentials, as shown in this example pipeline.
UPDATED: some changes needed for the latest Kaniko
/**
* This pipeline will build and deploy a Docker image with Kaniko
* https://github.com/GoogleContainerTools/kaniko
* without needing a Docker host
*
* You need to create a jenkins-docker-cfg secret with your docker config
* as described in
* https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-in-the-cluster-that-holds-your-authorization-token
*/
def label = "kaniko-${UUID.randomUUID().toString()}"
podTemplate(name: 'kaniko', label: label, yaml: """
kind: Pod
metadata:
name: kaniko
spec:
containers:
- name: kaniko
image: gcr.io/kaniko-project/executor:debug
imagePullPolicy: Always
command:
- /busybox/cat
tty: true
volumeMounts:
- name: jenkins-docker-cfg
mountPath: /root
volumes:
- name: jenkins-docker-cfg
projected:
sources:
- secret:
name: regcred
items:
- key: .dockerconfigjson
path: .docker/config.json
"""
) {
node(label) {
stage('Build with Kaniko') {
git 'https://github.com/jenkinsci/docker-jnlp-slave.git'
container(name: 'kaniko', shell: '/busybox/sh') {
sh '''#!/busybox/sh
/kaniko/executor -f `pwd`/Dockerfile -c `pwd` --insecure-skip-tls-verify --destination=mydockerregistry:5000/myorg/myimage
'''
}
}
}
}
Pros:
- No need to mount Docker socket or have Docker binary
- No stray containers running outside of the scheduler
Cons:
- Still not secure
- Does not support the full Dockerfile syntax yet
Skaffold also has support for Kaniko, and can be used in your Jenkins X pipelines, which use Skaffold to abstract the image building.
Published at DZone with permission of Carlos Sanchez, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.
Comments