Building Docker Images without Docker

DZone 's Guide to

Building Docker Images without Docker

If you want to find out how you can build Dockerfiles without Docker itself, then this post is for you.

· Cloud Zone ·
Free Resource

Kaniko is a project launched by Google that allows building Dockerfiles without Docker or the Docker daemon.

Kaniko can be used inside Kubernetes to build a Docker image and push it to a registry, supporting Docker registry, Google Container Registry, and AWS ECR, as well as any other registry supported by Docker credential helpers.

This solution is still not safe, as containers run as root, but it is way better than mounting the Docker socket and launching containers in the host. For one, there are no leaked resources or containers running outside the scheduler.

To launch Kaniko from Jenkins in Kubernetes, you just need an agent template that uses a customized Kaniko image (just to have cat and nohup) and a Kubernetes secret with the image registry credentials, as shown in this example pipeline.

UPDATED: some changes needed for the latest Kaniko

 * This pipeline will build and deploy a Docker image with Kaniko
 * https://github.com/GoogleContainerTools/kaniko
 * without needing a Docker host
 * You need to create a jenkins-docker-cfg secret with your docker config
 * as described in
 * https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-in-the-cluster-that-holds-your-authorization-token

def label = "kaniko-${UUID.randomUUID().toString()}"

podTemplate(name: 'kaniko', label: label, yaml: """
kind: Pod
  name: kaniko
  - name: kaniko
    image: gcr.io/kaniko-project/executor:debug
    imagePullPolicy: Always
    - /busybox/cat
    tty: true
      - name: jenkins-docker-cfg
        mountPath: /root
  - name: jenkins-docker-cfg
      - secret:
          name: regcred
            - key: .dockerconfigjson
              path: .docker/config.json
  ) {

  node(label) {
    stage('Build with Kaniko') {
      git 'https://github.com/jenkinsci/docker-jnlp-slave.git'
      container(name: 'kaniko', shell: '/busybox/sh') {
          sh '''#!/busybox/sh
          /kaniko/executor -f `pwd`/Dockerfile -c `pwd` --insecure-skip-tls-verify --destination=mydockerregistry:5000/myorg/myimage


  • No need to mount Docker socket or have Docker binary
  • No stray containers running outside of the scheduler


  • Still not secure
  • Does not support the full Dockerfile syntax yet

Skaffold also has support for Kaniko, and can be used in your Jenkins X pipelines, which use Skaffold to abstract the image building.

aws ,cloud ,devops ,docker ,dockerfile ,google ,how-to ,kubernetes

Published at DZone with permission of Carlos Sanchez , DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}