配置 BuildKit
目录
如果您创建一个docker-container或kubernetesbuilder 与 Buildx 一起使用,您可以
通过传递--config旗自
这docker buildx create命令。
注册表镜像
您可以定义用于构建的注册表镜像。这样做会重定向
BuildKit 从不同的主机名拉取镜像。以下步骤举例说明了
定义镜像docker.io(Docker Hub) 到mirror.gcr.io.
在
/etc/buildkitd.toml包含以下内容:debug = true [registry."docker.io"] mirrors = ["mirror.gcr.io"]注意
debug = true在 BuildKit 守护进程中打开调试请求,该守护进程会记录 显示镜像正在使用时的消息。创建一个
docker-containerbuilder 中:$ docker buildx create --use --bootstrap \ --name mybuilder \ --driver docker-container \ --config /etc/buildkitd.toml构建镜像:
docker buildx build --load . -f - <<EOF FROM alpine RUN echo "hello world" EOF
此构建器的 BuildKit 日志现在显示它使用 GCR 镜像。你
可以通过响应消息包含x-goog-*HTTP 协议
头。
$ docker logs buildx_buildkit_mybuilder0
...
time="2022-02-06T17:47:48Z" level=debug msg="do request" request.header.accept="application/vnd.docker.container.image.v1+json, */*" request.header.user-agent=containerd/1.5.8+unknown request.method=GET spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
time="2022-02-06T17:47:48Z" level=debug msg="fetch response received" response.header.accept-ranges=bytes response.header.age=1356 response.header.alt-svc="h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000,h3-Q050=\":443\"; ma=2592000,h3-Q046=\":443\"; ma=2592000,h3-Q043=\":443\"; ma=2592000,quic=\":443\"; ma=2592000; v=\"46,43\"" response.header.cache-control="public, max-age=3600" response.header.content-length=1469 response.header.content-type=application/octet-stream response.header.date="Sun, 06 Feb 2022 17:25:17 GMT" response.header.etag="\"774380abda8f4eae9a149e5d5d3efc83\"" response.header.expires="Sun, 06 Feb 2022 18:25:17 GMT" response.header.last-modified="Wed, 24 Nov 2021 21:07:57 GMT" response.header.server=UploadServer response.header.x-goog-generation=1637788077652182 response.header.x-goog-hash="crc32c=V3DSrg==" response.header.x-goog-hash.1="md5=d0OAq9qPTq6aFJ5dXT78gw==" response.header.x-goog-metageneration=1 response.header.x-goog-storage-class=STANDARD response.header.x-goog-stored-content-encoding=identity response.header.x-goog-stored-content-length=1469 response.header.x-guploader-uploadid=ADPycduqQipVAXc3tzXmTzKQ2gTT6CV736B2J628smtD1iDytEyiYCgvvdD8zz9BT1J1sASUq9pW_ctUyC4B-v2jvhIxnZTlKg response.status="200 OK" spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
time="2022-02-06T17:47:48Z" level=debug msg="fetch response received" response.header.accept-ranges=bytes response.header.age=760 response.header.alt-svc="h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000,h3-Q050=\":443\"; ma=2592000,h3-Q046=\":443\"; ma=2592000,h3-Q043=\":443\"; ma=2592000,quic=\":443\"; ma=2592000; v=\"46,43\"" response.header.cache-control="public, max-age=3600" response.header.content-length=1471 response.header.content-type=application/octet-stream response.header.date="Sun, 06 Feb 2022 17:35:13 GMT" response.header.etag="\"35d688bd15327daafcdb4d4395e616a8\"" response.header.expires="Sun, 06 Feb 2022 18:35:13 GMT" response.header.last-modified="Wed, 24 Nov 2021 21:07:12 GMT" response.header.server=UploadServer response.header.x-goog-generation=1637788032100793 response.header.x-goog-hash="crc32c=aWgRjA==" response.header.x-goog-hash.1="md5=NdaIvRUyfar8201DleYWqA==" response.header.x-goog-metageneration=1 response.header.x-goog-storage-class=STANDARD response.header.x-goog-stored-content-encoding=identity response.header.x-goog-stored-content-length=1471 response.header.x-guploader-uploadid=ADPycdtR-gJYwC7yHquIkJWFFG8FovDySvtmRnZBqlO3yVDanBXh_VqKYt400yhuf0XbQ3ZMB9IZV2vlcyHezn_Pu3a1SMMtiw response.status="200 OK" spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
time="2022-02-06T17:47:48Z" level=debug msg=fetch spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
time="2022-02-06T17:47:48Z" level=debug msg=fetch spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
time="2022-02-06T17:47:48Z" level=debug msg=fetch spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
time="2022-02-06T17:47:48Z" level=debug msg=fetch spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
time="2022-02-06T17:47:48Z" level=debug msg="do request" request.header.accept="application/vnd.docker.image.rootfs.diff.tar.gzip, */*" request.header.user-agent=containerd/1.5.8+unknown request.method=GET spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
time="2022-02-06T17:47:48Z" level=debug msg="fetch response received" response.header.accept-ranges=bytes response.header.age=1356 response.header.alt-svc="h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000,h3-Q050=\":443\"; ma=2592000,h3-Q046=\":443\"; ma=2592000,h3-Q043=\":443\"; ma=2592000,quic=\":443\"; ma=2592000; v=\"46,43\"" response.header.cache-control="public, max-age=3600" response.header.content-length=2818413 response.header.content-type=application/octet-stream response.header.date="Sun, 06 Feb 2022 17:25:17 GMT" response.header.etag="\"1d55e7be5a77c4a908ad11bc33ebea1c\"" response.header.expires="Sun, 06 Feb 2022 18:25:17 GMT" response.header.last-modified="Wed, 24 Nov 2021 21:07:06 GMT" response.header.server=UploadServer response.header.x-goog-generation=1637788026431708 response.header.x-goog-hash="crc32c=ZojF+g==" response.header.x-goog-hash.1="md5=HVXnvlp3xKkIrRG8M+vqHA==" response.header.x-goog-metageneration=1 response.header.x-goog-storage-class=STANDARD response.header.x-goog-stored-content-encoding=identity response.header.x-goog-stored-content-length=2818413 response.header.x-guploader-uploadid=ADPycdsebqxiTBJqZ0bv9zBigjFxgQydD2ESZSkKchpE0ILlN9Ibko3C5r4fJTJ4UR9ddp-UBd-2v_4eRpZ8Yo2llW_j4k8WhQ response.status="200 OK" spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
...设置注册表证书
如果您在 BuildKit 配置中指定注册表证书,则守护程序
将文件复制到 Container 的/etc/buildkit/certs.以下内容
步骤显示向 BuildKit 添加自签名注册表证书
配置。
将以下配置添加到
/etc/buildkitd.toml:# /etc/buildkitd.toml debug = true [registry."myregistry.com"] ca=["/etc/certs/myregistry.pem"] [[registry."myregistry.com".keypair]] key="/etc/certs/myregistry_key.pem" cert="/etc/certs/myregistry_cert.pem"这会告诉构建器将镜像推送到
myregistry.com注册表使用 指定位置 (/etc/certs).创建一个
docker-containerbuilder 中:$ docker buildx create --use --bootstrap \ --name mybuilder \ --driver docker-container \ --config /etc/buildkitd.toml检查生成器的配置文件 (
/etc/buildkit/buildkitd.toml)、它 显示证书配置现已在生成器中配置。$ docker exec -it buildx_buildkit_mybuilder0 cat /etc/buildkit/buildkitd.tomldebug = true [registry] [registry."myregistry.com"] ca = ["/etc/buildkit/certs/myregistry.com/myregistry.pem"] [[registry."myregistry.com".keypair]] cert = "/etc/buildkit/certs/myregistry.com/myregistry_cert.pem" key = "/etc/buildkit/certs/myregistry.com/myregistry_key.pem"验证证书是否在容器内:
$ docker exec -it buildx_buildkit_mybuilder0 ls /etc/buildkit/certs/myregistry.com/ myregistry.pem myregistry_cert.pem myregistry_key.pem
现在,您可以使用此构建器推送到注册表,它将进行身份验证 使用证书:
$ docker buildx build --push --tag myregistry.com/myimage:latest .
CNI 联网
构建器的 CNI 网络对于处理网络端口很有用 并发构建期间的争用。CNI 在默认 BuildKit 镜像中尚不可用。但是你可以创建自己的镜像 包括 CNI 支持。
以下 Dockerfile 示例显示了支持 CNI 的自定义 BuildKit 镜像。 它以 BuildKit 中用于集成测试的 CNI 配置为例。请随意包含您自己的 CNI 配置。
# syntax=docker/dockerfile:1
ARG BUILDKIT_VERSION=v0.16.0
ARG CNI_VERSION=v1.0.1
FROM --platform=$BUILDPLATFORM alpine AS cni-plugins
RUN apk add --no-cache curl
ARG CNI_VERSION
ARG TARGETOS
ARG TARGETARCH
WORKDIR /opt/cni/bin
RUN curl -Ls https://github.com/containernetworking/plugins/releases/download/$CNI_VERSION/cni-plugins-$TARGETOS-$TARGETARCH-$CNI_VERSION.tgz | tar xzv
FROM moby/buildkit:${BUILDKIT_VERSION}
ARG BUILDKIT_VERSION
RUN apk add --no-cache iptables
COPY --from=cni-plugins /opt/cni/bin /opt/cni/bin
ADD https://raw.githubusercontent.com/moby/buildkit/${BUILDKIT_VERSION}/hack/fixtures/cni.json /etc/buildkit/cni.json现在,您可以构建此镜像,并使用这--driver-opt image选择:
$ docker buildx build --tag buildkit-cni:local --load .
$ docker buildx create --use --bootstrap \
--name mybuilder \
--driver docker-container \
--driver-opt "image=buildkit-cni:local" \
--buildkitd-flags "--oci-worker-net=cni"
资源限制
最大并行度
您可以限制 BuildKit 求解器的并行度,这特别有用
对于低功率机器,使用 BuildKit 配置,同时使用--config标志.
# /etc/buildkitd.toml
[worker.oci]
max-parallelism = 4现在您可以创建一个docker-container建筑工人,它将使用此 BuildKit 配置来限制并行度。
$ docker buildx create --use \
--name mybuilder \
--driver docker-container \
--config /etc/buildkitd.toml
TCP 连接限制
TCP 连接限制每个注册表 4 个同时连接 拉取和推送镜像,外加一个专用于元数据的额外连接 请求。此连接限制可防止您的构建在 拉取镜像。专用元数据连接有助于减少整体构建 时间。
更多信息:moby/buildkit#2259