使用 docker 命令直接进行构建
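# Build the registry credentials file that kaniko reads from
# /kaniko/.docker/config.json.
# The "auth" value is base64("user:password"): an encoding, not encryption, so
# anyone who can read config.json recovers the password. yangzun:123456 is the
# article's demo account; with a real account, keep the password off the
# command line, where it ends up in shell history.
printf '%s' 'yangzun:123456' | base64
# Output: eWFuZ3p1bjoxMjM0NTY=

# Use '>' rather than '>>' so that re-running this step overwrites the file
# instead of appending a second JSON document to it.
# The file is created with the default umask (the listing that follows shows
# mode 0644); on a shared host, follow up with: chmod 600 config.json
cat > config.json << 'EOF'
{
	"auths": {
		"https://idocker.io/v2/": {
			"auth": "eWFuZ3p1bjoxMjM0NTY="
		}
	}
}
EOF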
[root@node1 kaniko]# ls -lh
总用量 4.0K
-rw-r--r-- 1 root root 87 6月 15 10:00 config.json
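# Build an image from a Dockerfile streamed on stdin to the kaniko executor.
# Write the Dockerfile first and only then start the pipeline: in the one-line
# form `... > Dockerfile | tar ...` tar runs concurrently with the redirect and
# can read a missing or half-written file.
printf 'FROM alpine \nRUN echo "created from standard input"\n' > Dockerfile

# --skip-tls-verify turns off certificate checks for the registry, so the
# credentials in config.json and the pushed image can be intercepted on the
# network path. Acceptable only for a lab registry; with a private CA, prefer
# trusting its certificate (kaniko's --registry-certificate) instead.
# The current directory, which also holds config.json, is mounted read-write at
# /workspace; config.json itself is mounted read-only for the executor.
tar -cf - Dockerfile | gzip -9 | docker run --rm \
  --interactive \
  -v "$(pwd)":/workspace \
  -v "$(pwd)/config.json":/kaniko/.docker/config.json:ro \
  idocker.io/kaniko-project/executor:v1.6.0 \
  --context tar://stdin \
  --destination=idocker.io/kaniko-build:v1.0.0 \
  --skip-tls-verify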
基于 kubernetes 中 pod 构建镜像
创建 localPV
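# Create a StorageClass, a node-local PersistentVolume pinned to node3, and the
# claim that the kaniko Pod mounts as its build context.
# The PV and the PVC must name the StorageClass defined here ("local-storage");
# with "local" on both, that StorageClass was never referenced.
# The path /data/kaniko/data/ has to exist on node3 before a Pod can mount it.
# The heredoc delimiter is quoted so the shell passes the manifest verbatim.
kubectl apply -f - <<'EOF'
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: local-storage
provisioner: kubernetes.io/no-provisioner
# Kubernetes recommends WaitForFirstConsumer for local volumes, so that binding
# waits for Pod scheduling; Immediate is kept as in the article.
volumeBindingMode: Immediate # Immediate or WaitForFirstConsumer
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: kaniko-pv
spec:
  storageClassName: local-storage
  capacity:
    storage: 10Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  local:
    path: /data/kaniko/data/
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - node3
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: kaniko-pvc
spec:
  storageClassName: local-storage
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
EOF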
将之前创建的 config.json & dockerfile 创建为 secret 资源对象
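# Store config.json and the Dockerfile in one Secret named kaniko-secret; the
# Pod manifests on this page mount it at /kaniko/.docker and read both keys.
#
# Alternative layout with one Secret per file. It is left commented out because
# creating kaniko-secret a second time fails with AlreadyExists, and
# kaniko-build-dockerfile is not referenced by the Pods below:
#   kubectl create secret generic kaniko-secret --from-file=./config.json
#   kubectl create secret generic kaniko-build-dockerfile --from-file=./Dockerfile
#
# Secret data is only base64-encoded in the API: anyone allowed to read Secrets
# in this namespace can recover the registry password, so scope RBAC to match.
kubectl create secret generic kaniko-secret \
  --from-file=config.json=./config.json \
  --from-file=Dockerfile=./Dockerfile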
pod 资源清单
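# Run the kaniko executor as a one-shot Pod. The Dockerfile and the registry
# credentials come from the kaniko-secret Secret (mounted read-only at
# /kaniko/.docker); the build context is the PVC mounted at /workspace.
# The context is given as an absolute path (dir:///workspace) so that it
# matches the mountPath; "dir://workspace" is a relative path.
# --skip-tls-verify disables certificate checks for the registry, exposing the
# credentials and the pushed image to interception; keep it to lab registries
# and trust the registry CA (kaniko's --registry-certificate) elsewhere.
kubectl apply -f - <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kaniko
spec:
  containers:
    - name: kaniko
      image: idocker.io/kaniko-project/executor:v1.6.0
      args:
        - "--dockerfile=/kaniko/.docker/Dockerfile"
        - "--context=dir:///workspace"
        - "--destination=idocker.io/kaniko-build:v1.0.1"
        - "--skip-tls-verify"
      volumeMounts:
        - name: docker-secret
          readOnly: true
          mountPath: /kaniko/.docker
        - name: dockerfile-storage
          mountPath: /workspace
  restartPolicy: Never
  volumes:
    - name: dockerfile-storage
      persistentVolumeClaim:
        claimName: kaniko-pvc
    - name: docker-secret
      secret:
        secretName: kaniko-secret
EOF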
基于 python 项目进行实战构建
Dockerfile 所需文件的准备
# Populate /data/kaniko/data (the path used by the kaniko-pv PersistentVolume)
# with the demo project that serves as the build context.
# kaniko executes whatever the fetched Dockerfile contains: review it first,
# and pin a reviewed commit instead of the moving master branch when the build
# has to be repeatable.
cd /data/kaniko/data
git init
git remote add origin https://github.com/cdryzun/python-dockerfile-build.git
# Pull master directly from the repository URL into the fresh repository.
git pull https://github.com/cdryzun/python-dockerfile-build.git master
# NOTE(review): no upstream is configured yet at this point, so this bare pull
# presumably only fetches from origin and then reports missing tracking
# information; confirm before changing the order of these commands.
git pull
# Make the local master branch track origin/master.
git branch --set-upstream-to=origin/master master
# rm -rf .git # remove the hidden .git directory once it is no longer needed
使用 pod 进行构建
# Remove the Pod left over from the earlier test run, then build the Python
# demo image from the sources on the PVC (Dockerfile and context both live
# under /workspace).
# --skip-tls-verify disables certificate checks for the registry, so the
# credentials mounted from kaniko-secret travel over an unauthenticated
# connection; keep it to lab registries.
kubectl delete pod kaniko

kubectl apply -f - <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kaniko
spec:
  containers:
    - name: kaniko
      image: idocker.io/kaniko-project/executor:v1.6.0
      args:
        - "--dockerfile=/workspace/Dockerfile"
        - "--context=/workspace/"
        - "--destination=idocker.io/python-demo:v1.0.1"
        - "--skip-tls-verify"
      volumeMounts:
        - name: docker-secret
          readOnly: true
          mountPath: /kaniko/.docker
        - name: dockerfile-storage
          mountPath: /workspace
  restartPolicy: Never
  volumes:
    - name: dockerfile-storage
      persistentVolumeClaim:
        claimName: kaniko-pvc
    - name: docker-secret
      secret:
        secretName: kaniko-secret
EOF
测试构建的容器
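# Smoke-test the pushed image. The port is published on 127.0.0.1 only: a bare
# "-p 18080:8080" listens on every host interface, which a local curl check
# does not need.
docker run -it --name test -d --rm -p 127.0.0.1:18080:8080 idocker.io/python-demo:v1.0.1
curl 127.0.0.1:18080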
Hello World
请求监听端口,可以看到容器正常输出了内容,表示容器可以正常使用。
参考文档
https://github.com/GoogleContainerTools/kaniko
https://www.baeldung.com/ops/kaniko
ToDo