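Last updated: March 2023
Official GitHub repository: moby/buildkit: concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit (github.com)
Documentation: BuildKit (docker.com)
BuildKit consists of the buildkitd daemon and the buildctl client. The buildctl client is available for Linux, macOS and Windows, but the buildkitd daemon currently runs only on Linux.
The buildkitd daemon depends on the following components:
# Download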
$ curl -LO https://github.com/containerd/nerdctl/releases/download/v1.2.1/nerdctl-1.2.1-linux-amd64.tar.gz
# Extract
$ tar Cxzvf /usr/local/bin/ nerdctl-1.2.1-linux-amd64.tar.gz
Download and extract
# Download
$ wget https://github.com/moby/buildkit/releases/download/v0.11.5/buildkit-v0.11.5.linux-amd64.tar.gz
# Extract
$ tar -zxvf buildkit-v0.11.5.linux-amd64.tar.gz -C /usr/local
#
$ ll /usr/local/bin/build*
-rwxr-xr-x 1 root root 27080076 Oct 21 2015 /usr/local/bin/buildctl
-rwxr-xr-x 1 root root 52016425 Oct 21 2015 /usr/local/bin/buildkitd
-rwxr-xr-x 1 root root 8688768 Oct 21 2015 /usr/local/bin/buildkit-qemu-aarch64
-rwxr-xr-x 1 root root 6836824 Oct 21 2015 /usr/local/bin/buildkit-qemu-arm
-rwxr-xr-x 1 root root 5855872 Oct 21 2015 /usr/local/bin/buildkit-qemu-i386
-rwxr-xr-x 1 root root 6237008 Oct 21 2015 /usr/local/bin/buildkit-qemu-mips64
-rwxr-xr-x 1 root root 6228848 Oct 21 2015 /usr/local/bin/buildkit-qemu-mips64el
-rwxr-xr-x 1 root root 6622056 Oct 21 2015 /usr/local/bin/buildkit-qemu-ppc64le
-rwxr-xr-x 1 root root 6633120 Oct 21 2015 /usr/local/bin/buildkit-qemu-riscv64
-rwxr-xr-x 1 root root 5805792 Oct 21 2015 /usr/local/bin/buildkit-qemu-s390x
-rwxr-xr-x 1 root root 13243136 Oct 21 2015 /usr/local/bin/buildkit-runc
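Both archives above are downloaded and unpacked as root into /usr/local, so it is worth checking them first. The following is an added example, not part of the original article or of either project: it assumes you hold a sha256sum-format checksum list for the release from a source you trust (the article does not show one), and the function names are hypothetical.

```python
import hashlib
import tarfile
from pathlib import PurePosixPath


def sha256_file(path):
    """Hash the archive in 1 MiB blocks so its size does not matter."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def expected_digest(sums_text, filename):
    """Look up filename in sha256sum-format text ("<hex>  <name>" per line)."""
    for line in sums_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("*") == filename:
            return parts[0].lower()
    return None


def unsafe_members(path, top=None):
    """Names of members that would be written outside <dest>/<top>."""
    bad = []
    with tarfile.open(path) as tar:
        for m in tar.getmembers():
            p = PurePosixPath(m.name)
            link = PurePosixPath(m.linkname) if (m.issym() or m.islnk()) else None
            if p.is_absolute() or ".." in p.parts:
                bad.append(m.name)
            elif link is not None and (link.is_absolute() or ".." in link.parts):
                bad.append(m.name)
            elif top and p.parts and p.parts[0] != top:
                bad.append(m.name)
    return bad


def check_release(path, sums_text, filename, top=None):
    """Return (ok, reason); ok only if the digest matches and every path is safe."""
    want = expected_digest(sums_text, filename)
    if want is None:
        return False, "no checksum entry for " + filename
    if sha256_file(path) != want:
        return False, "sha256 mismatch"
    bad = unsafe_members(path, top)
    if bad:
        return False, "unsafe members: " + ", ".join(bad)
    return True, "ok"
```

For the BuildKit archive, whose files land under bin/ as the listing above shows, pass top="bin"; the nerdctl archive is extracted straight into /usr/local/bin/, so leave top unset.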
Configure the socket file
See the example in the official GitHub repository: buildkit/buildkit.socket at master · moby/buildkit (github.com)
$ vim /lib/systemd/system/buildkit.socket
[Unit]
Description=BuildKit
Documentation=https://github.com/moby/buildkit
[Socket]
ListenStream=%t/buildkit/buildkitd.sock
SocketMode=0660
[Install]
WantedBy=sockets.target
Configure the service file
See the example in the official GitHub repository: buildkit/buildkit.service at master · moby/buildkit (github.com)
The options buildkitd supports can be listed with the buildkitd --help command
$ vim /lib/systemd/system/buildkit.service
[Unit]
Description=BuildKit
Requires=buildkit.socket
After=buildkit.socket
Documentation=https://github.com/moby/buildkit
[Service]
Type=notify
ExecStart=/usr/local/bin/buildkitd --oci-worker=false --containerd-worker=true
[Install]
WantedBy=multi-user.target
Start buildkitd
$ systemctl daemon-reload
$ systemctl enable --now buildkit
# Check the buildkit status
$ systemctl status buildkit
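buildkitd configuration
The default configuration file is /etc/buildkit/buildkitd.toml; for details, see buildkit/buildkitd.toml.md. This article uses only the simplest functionality and does no configuration.
Configure certificates for nerdctl
For registry certificate configuration, see nerdctl/registry.md
For other settings, see nerdctl/config.md
Copy the certificate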
$ mkdir -p /etc/containerd/certs.d/harbor.skynemo.cn/
$ scp 192.168.111.171:/etc/pki/tls/ca.crt /etc/containerd/certs.d/harbor.skynemo.cn/
Configure the CA certificate for nerdctl
$ mkdir -p /etc/containerd/certs.d/harbor.skynemo.cn/
$ vim /etc/containerd/certs.d/harbor.skynemo.cn/hosts.toml
# An example of ~/.config/containerd/certs.d/harbor.skynemo.cn/hosts.toml
# (The path is "/etc/containerd/certs.d/harbor.skynemo.cn/hosts.toml" for rootful)
server = "https://harbor.skynemo.cn"
[host."https://harbor.skynemo.cn"]
ca = "/etc/containerd/certs.d/harbor.skynemo.cn/ca.crt"
Configure hosts resolution
$ echo "192.168.111.171 harbor.skynemo.cn" >> /etc/hosts
Log in to Harbor
$ nerdctl login harbor.skynemo.cn -u'admin' -p'Harbor12345'
WARN[0000] WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING: Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
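The second warning above means that /root/.docker/config.json now holds the Harbor password in recoverable form. The following is an added example, not part of the original article or of nerdctl: it audits a Docker-style config.json and reports which registries keep their credential in the file itself. The sample config is constructed and the function names are hypothetical.

```python
import base64
import json

# Constructed sample in the format written by a login without a credential helper.
SAMPLE = json.dumps({
    "auths": {
        "harbor.skynemo.cn": {
            "auth": base64.b64encode(b"admin:constructed-password").decode()
        }
    }
})


def audit_docker_config(text):
    """Map each registry to (storage, username); passwords are never returned.

    storage is "plaintext" when config.json itself holds the credential,
    "helper:<name>" when a credential helper holds it, otherwise "none".
    """
    cfg = json.loads(text)
    default_helper = cfg.get("credsStore")
    per_registry = cfg.get("credHelpers", {})
    report = {}
    for registry, entry in cfg.get("auths", {}).items():
        helper = per_registry.get(registry, default_helper)
        token = entry.get("auth")
        if token:
            # "auth" is base64("user:password"): an encoding, not encryption.
            user = base64.b64decode(token).decode("utf-8", "replace").split(":", 1)[0]
            report[registry] = ("plaintext", user)
        elif helper:
            report[registry] = ("helper:" + helper, None)
        else:
            report[registry] = ("none", None)
    return report


def plaintext_registries(text):
    """Registries whose password can be recovered by anyone who can read the file."""
    return sorted(r for r, (s, _) in audit_docker_config(text).items() if s == "plaintext")
```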
Create a test Dockerfile
$ mkdir -p ./demo && cd ./demo
# Test by deploying the front-end project https://github.com/lin-xin/vue-manage-system.git
$ vim Dockerfile
# Stage 1: clone the project with git
FROM bitnami/git:latest as git
MAINTAINER nemo "[email protected]"
WORKDIR "/"
RUN ["git", "clone", "https://github.com/lin-xin/vue-manage-system.git"]
# Stage 2: build the static files with nodejs
FROM node:16.20.0-bullseye-slim as node
MAINTAINER nemo "[email protected]"
WORKDIR "/"
COPY --from=git /vue-manage-system /vue-manage-system
WORKDIR /vue-manage-system
RUN npm install && \
npm run build
# Stage 3: deploy the static files to nginx
FROM nginx:1.22.1
MAINTAINER nemo "[email protected]"
WORKDIR "/usr/share/nginx/html"
COPY --from=node /vue-manage-system/dist/ ./
Build the image
# Build. Because the Dockerfile runs git clone, the downloaded code may differ from build to build, so the cache is disabled
$ nerdctl build --no-cache -t harbor.skynemo.cn/demo/vue-manage-system:latest .
# List images
$ nerdctl images
REPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZE
harbor.skynemo.cn/demo/vue-manage-system latest 96ef3d9308f5 9 seconds ago linux/amd64 149.4 MiB 55.1 MiB
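As the build comment notes, the cloned code can differ from build to build; the same holds for any base image referenced by tag. The following is an added example, not part of the original article: it lists the instructions in a Dockerfile whose inputs can change between two builds. SAMPLE is the article's Dockerfile, abridged, and the function names are hypothetical.

```python
import re

FROM_RE = re.compile(r"^FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)
CLONE_RE = re.compile(r"\bgit\W+clone\b", re.I)
COMMIT_RE = re.compile(r"\b[0-9a-f]{40}\b")  # a full commit id somewhere in the RUN

# The article's Dockerfile, abridged (MAINTAINER and final COPY lines omitted).
SAMPLE = """\
FROM bitnami/git:latest as git
RUN ["git", "clone", "https://github.com/lin-xin/vue-manage-system.git"]
FROM node:16.20.0-bullseye-slim as node
COPY --from=git /vue-manage-system /vue-manage-system
RUN npm install && \\
    npm run build
FROM nginx:1.22.1
"""


def logical_lines(text):
    """Yield (first_line_no, instruction) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None


def audit_dockerfile(text):
    """Return (line_no, message) for inputs that can change between two builds."""
    findings, stages = [], set()
    for no, inst in logical_lines(text):
        m = FROM_RE.match(inst)
        if m:
            image, alias = m.group(1), m.group(2)
            if image.lower() not in stages | {"scratch"} and "@sha256:" not in image:
                tag = image.rsplit("/", 1)[-1].partition(":")[2] or "latest"
                kind = "floating tag" if tag == "latest" else "tag without digest"
                findings.append((no, f"{image}: {kind}"))
            if alias:
                stages.add(alias.lower())
        elif inst.upper().startswith("RUN") and CLONE_RE.search(inst) and not COMMIT_RE.search(inst):
            findings.append((no, "git clone without a pinned commit"))
    return findings
```

A finding is cleared by referencing the image as image@sha256:<digest> and by checking out a full commit id in the same RUN as the clone; the digest and commit values are yours to supply.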
Push the image
$ nerdctl push harbor.skynemo.cn/demo/vue-manage-system:latest
INFO[0000] pushing as a reduced-platform image (application/vnd.docker.distribution.manifest.v2+json, sha256:96ef3d9308f5f5512bab05e8f45fc914c3bc399cd30676eef85e2218fd348e13)
manifest-sha256:96ef3d9308f5f5512bab05e8f45fc914c3bc399cd30676eef85e2218fd348e13: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:c11fdfdaac920690f3f251d7a64ae40c65b2319ec885a5ed264b25a4a469005b: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 1.2 s total: 9.8 Ki (8.2 KiB/s)
View the image in Harbor
Run the container
# First delete the local image so that pulling the image can be tested
$ nerdctl rmi harbor.skynemo.cn/demo/vue-manage-system:latest
# Pull the image
$ nerdctl pull harbor.skynemo.cn/demo/vue-manage-system:latest
# Run the container. Note: the CNI plugins must be installed locally
$ nerdctl run --rm -p 9999:80 harbor.skynemo.cn/demo/vue-manage-system:latest
Access the service to check that it is running
$ curl 192.168.111.184:9999
<!DOCTYPE html>
<html lang="">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<title>vue-manage-system</title>
<link rel="stylesheet" href="https://at.alicdn.com/t/font_830376_qzecyukz0s.css">
<script type="module" crossorigin src="./assets/index.ead66cac.js"></script>
<link rel="stylesheet" href="./assets/index.cd89bea1.css">
</head>
<body>
<noscript>
<strong>We're sorry but <%= htmlWebpackPlugin.options.title %> doesn't work properly without JavaScript enabled.
Please enable it to continue.</strong>
</noscript>
<div id="app"></div>
<!-- built files will be auto injected -->
</body>
</html>