Has anyone tried to create a Tekton task for building a docker-slim image?
1 Answer
Turns out we can re-use the "dind-sidecar" sample from the tekton pipelines repository: https://github.com/tektoncd/pipeline/blob/main/examples/v1alpha1/taskruns/dind-sidecar.yaml
I got it working using the following:
```yaml
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: docker-build-dockerslim
spec:
  params:
  - default: docker.io/dslim/docker-slim:latest
    description: The location of the docker-slim builder image.
    name: builderimage
    type: string
  - default: docker.io/docker:stable
    description: The location of the Docker builder image.
    name: pushimage
    type: string
  - default: "registry.default.svc.cluster.local:5000"
    description: When using an insecure registry (for push/pull to a non-TLS registry), we should set its name here. Don't set an empty string, remove option from task or set it to a dummy value if not required.
    name: insecure
    type: string
  - default: docker.io/docker:dind
    description: The location of the Docker in Docker image.
    name: dindimage
    type: string
  - default: Dockerfile
    description: The name of the Dockerfile
    name: dockerfile
    type: string
  - default: .
    description: Parent directory for your Dockerfile.
    name: dockerroot
    type: string
  resources:
    inputs:
    - name: source
      type: git
    outputs:
    - name: image
      type: image
  steps:
  # Step 1: run docker-slim against the Docker daemon of the dind sidecar.
  - args:
    - --state-path
    - /dslim-state
    - --in-container
    - build
    - --http-probe=false
    - --dockerfile
    - $(inputs.params.dockerfile)
    - --dockerfile-context
    - $(inputs.params.dockerroot)
    - $(outputs.resources.image.url)
    env:
    # Reach the sidecar daemon over TLS with the client certs it generated.
    - name: DOCKER_HOST
      value: tcp://127.0.0.1:2376
    - name: DOCKER_TLS_VERIFY
      value: '1'
    - name: DOCKER_CERT_PATH
      value: /certs/client
    image: $(inputs.params.builderimage)
    name: build
    resources: {}
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /dslim-state
      name: state
    - mountPath: /certs/client
      name: dind-certs
    workingDir: /workspace/source
  # Step 2: find the ".slim" image, tag it with the target name and push it.
  - command:
    - /bin/sh
    - -c
    - |
      SLIM_IMAGE=$(docker images | awk '/docker-slim.*[0-9]*\.slim/{print $1;exit 0;}')
      docker tag "$SLIM_IMAGE" $(outputs.resources.image.url)
      docker push $(outputs.resources.image.url)
    name: push
    image: $(params.pushimage)
    env:
    - name: DOCKER_HOST
      value: tcp://127.0.0.1:2376
    - name: DOCKER_TLS_VERIFY
      value: '1'
    - name: DOCKER_CERT_PATH
      value: /certs/client
    volumeMounts:
    - mountPath: /certs/client
      name: dind-certs
  sidecars:
  # Docker-in-Docker daemon shared by both steps.
  - args:
    - --storage-driver=vfs
    - --userland-proxy=false
    - --debug
    - --insecure-registry=$(inputs.params.insecure)
    env:
    - name: DOCKER_TLS_CERTDIR
      value: /certs
    image: $(inputs.params.dindimage)
    name: dind
    # Ready once the daemon has written its TLS client certificates.
    readinessProbe:
      periodSeconds: 1
      exec:
        command:
        - ls
        - /certs/client/ca.pem
    resources: {}
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /certs/client
      name: dind-certs
  volumes:
  - name: dind-certs
    emptyDir: {}
  - emptyDir: {}
    name: state
```
For some reason, the resulting image doesn't appear with the name I expected it to. Also tried setting a "--target" argument, though neither this nor the default "last-arg-is-image-name" behavior they document in their readme seems to work (https://github.com/docker-slim/docker-slim).
However I did find, listing images, the following:
```
docker-slim-tmp-fat-image.12.20211205135050.slim   latest   0037ff15e1f5   2 seconds ago    13.8MB
docker-slim-empty-image                            latest   9dfd57fb50a8   35 seconds ago   0B
docker-slim-tmp-fat-image.12.20211205135050        latest   9ad36dd5e3f3   39 seconds ago   211MB
<Dockerfiles-FROM-image>                           master   f11e63190556   3 months ago     211MB
```
Thus, I do some "docker images | awk ..." then "docker tag xxx.slim the-target-name-I-wanted", before my "docker push".
Resulting image is indeed smaller. I'd like to test this with other images, and make sure it doesn't introduce any regression, ... still, that's interesting.

submitted a PR to tektonhub catalog: https://github.com/tektoncd/catalog/pull/876 – SYN Dec 05 '21 at 15:10
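
The push step in the answer picks the slimmed image with `docker images | awk ...` and takes the first match. As an added example (not part of the original answer or of docker-slim), here is a fail-closed variant of that selection, so the step stops instead of tagging and pushing the wrong image. The function names `pick_slim_image` and `sample_listing` are hypothetical, the name pattern is an assumption drawn from the single listing shown in the answer, and the sample listing is constructed from it.

```shell
#!/bin/sh
# Added example. Reads `docker images`-style output on stdin and prints the one
# repository that looks like docker-slim's temporary ".slim" output.
# Exit status: 0 = exactly one match, 1 = none, 2 = more than one (ambiguous).
pick_slim_image() {
    awk '
        # Assumed pattern, from the listing in the answer:
        #   docker-slim-tmp-fat-image.<n>.<timestamp>.slim
        $1 ~ /^docker-slim-tmp-fat-image\.[0-9]+\.[0-9]+\.slim$/ {
            if (!($1 in seen)) { seen[$1] = 1; names[++n] = $1 }
        }
        END {
            if (n == 1) { print names[1]; exit 0 }
            if (n == 0) { print "no .slim image found" > "/dev/stderr"; exit 1 }
            print "ambiguous: " n " .slim images found" > "/dev/stderr"
            exit 2
        }
    '
}

# Constructed sample input, modelled on the listing quoted in the answer.
sample_listing() {
    cat <<'EOF'
REPOSITORY                                         TAG      IMAGE ID       CREATED          SIZE
docker-slim-tmp-fat-image.12.20211205135050.slim   latest   0037ff15e1f5   2 seconds ago    13.8MB
docker-slim-empty-image                            latest   9dfd57fb50a8   35 seconds ago   0B
docker-slim-tmp-fat-image.12.20211205135050        latest   9ad36dd5e3f3   39 seconds ago   211MB
<Dockerfiles-FROM-image>                           master   f11e63190556   3 months ago     211MB
EOF
}

# In the push step, the selection would then read:
#   SLIM_IMAGE=$(docker images | pick_slim_image) || exit 1
#   docker tag "$SLIM_IMAGE" "$TARGET" && docker push "$TARGET"
# where TARGET stands for the task's output image URL.
```

Because the dind sidecar starts with an empty image store on each TaskRun, a second `.slim` match would indicate something unexpected in the build, which is why the ambiguous case is treated as an error rather than resolved by picking one.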