From fe22c13b758fd6986606105680ba533d460d097f Mon Sep 17 00:00:00 2001
From: Nicholas Dille
Date: Wed, 2 Dec 2020 16:51:03 +0100
Subject: [PATCH] Fixes and update after workshop

---
 020_advanced/030_layers/layers.demo | 11 ++-
 020_advanced/030_layers/slides.template.md | 16 +++-
 020_advanced/030_layers/tagging.demo | 4 +-
 .../100_pod_with_docker/docker-compose.yaml | 13 ++++
 .../04_build/slides.template.md | 7 ++
 020_advanced/160_dockerfile/order/Dockerfile | 5 +-
 .../160_dockerfile/reusability/Dockerfile | 2 +-
 .../160_dockerfile/slides.template.md | 4 +-
 .../slides.template.md | 8 +-
 .../buildkit/cache/slides.template.md | 2 +-
 110_ecosystem/buildkit/overview.template.md | 2 +
 .../buildkit/rootless/slides.template.md | 70 +++++++++----------
 .../buildkit/secrets/slides.template.md | 2 +-
 110_ecosystem/buildkit/transition.template.md | 52 +++++++-------
 .../buildkit/usage/buildkit.template.md | 22 +++---
 .../reverse_proxy/docker-compose.yml | 2 +
 ...tainerConf-WorkshopContainersAdvanced.html | 2 +-
 17 files changed, 132 insertions(+), 92 deletions(-)
 create mode 100644 020_advanced/100_pod_with_docker/docker-compose.yaml
 create mode 100644 020_advanced/110_troubleshooting/04_build/slides.template.md

diff --git a/020_advanced/030_layers/layers.demo b/020_advanced/030_layers/layers.demo
index 0ae14532..9e08ecab 100644
--- a/020_advanced/030_layers/layers.demo
+++ b/020_advanced/030_layers/layers.demo
@@ -8,6 +8,9 @@ docker push localhost:5000/hello-world-java
 # Check layers
 docker history hello-world-java
 
+# Analyze layers
+dive hello-world-java
+
 # Fetch image manifest
 curl http://localhost:5000/v2/hello-world-java/manifests/latest \
   --silent \
@@ -15,7 +18,13 @@ curl http://localhost:5000/v2/hello-world-java/manifests/latest \
   | jq
 
 # Fetch image configuration
-curl http://localhost:5000/v2/hello-world-java/manifests/latest \
+DIGEST=$(
+  curl http://localhost:5000/v2/hello-world-java/manifests/latest \
+    --silent \
+    --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
+    | jq --raw-output '.config.digest'
+)
+curl http://localhost:5000/v2/hello-world-java/blobs/${DIGEST} \
   --silent \
   --header "Accept: application/vnd.docker.container.image.v1+json" \
   | jq
diff --git a/020_advanced/030_layers/slides.template.md b/020_advanced/030_layers/slides.template.md
index 3cda5bf3..e95cf2a0 100644
--- a/020_advanced/030_layers/slides.template.md
+++ b/020_advanced/030_layers/slides.template.md
@@ -64,34 +64,38 @@ Upload image to local registry
 
+
+
+https://github.com/wagoodman/dive
+
 --
 
 ## Demo: Image Manifest
 
-
+
 
 --
 
 ## Demo: Image Configuration
 
-
+
 
 --
 
 ## Demo: Download image layer
 
-
-
+
+
 
 --
 
 ## Demo: Verifying a layer
 
-
-
+
+
 
 ---
 
 ## Registries
diff --git a/020_advanced/030_layers/tagging.demo b/020_advanced/030_layers/tagging.demo
index db6bd3bd..a01aadac 100644
--- a/020_advanced/030_layers/tagging.demo
+++ b/020_advanced/030_layers/tagging.demo
@@ -4,7 +4,7 @@ MANIFEST=$(
   curl http://localhost:5000/v2/hello-world-java/manifests/latest \
     --silent \
-    --header "Accept: application/vnd.docker.distribution.manifest.v2+json"
+    --header "Accept: application/vnd.docker.distribution.manifest.v2+json"
 )
 
 # Upload manifest to new path
@@ -14,4 +14,4 @@ curl http://localhost:5000/v2/hello-world-java/manifests/new \
   --data "${MANIFEST}"
 
 # Test new tag
-docker pull localhost:5000/v2/hello-world-java/manifests/new
\ No newline at end of file
+docker pull localhost:5000/hello-world-java:new
\ No newline at end of file
diff --git a/020_advanced/100_pod_with_docker/docker-compose.yaml b/020_advanced/100_pod_with_docker/docker-compose.yaml
new file mode 100644
index 00000000..e808a398
--- /dev/null
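Review bot: `DIGEST` is expanded unquoted and unchecked in `blobs/${DIGEST}`; if the manifest request fails or returns an error document, `jq --raw-output '.config.digest'` would print `null` (or nothing) and the second `curl --silent` would quietly fetch `blobs/null` and show nothing useful. Add `--fail` to both curls and guard the expansion, e.g. `[ -n "${DIGEST}" ] || exit 1` before `curl --fail "http://localhost:5000/v2/hello-world-java/blobs/${DIGEST}" \`. Since the config blob is content-addressed, the demo could also show that the bytes match the digest by piping through `tee >(sha256sum)` before `jq`, mirroring the later "Verifying a layer" step. The registry is reached over plain HTTP, which is acceptable for this localhost demo but deserves a one-line comment saying so.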
+++ b/020_advanced/100_pod_with_docker/docker-compose.yaml
@@ -0,0 +1,13 @@
+version: "3.3"
+services:
+  pod:
+    image: alpine
+    command: [ "sh", "-c", "while true; do sleep 5; done" ]
+  dind:
+    image: docker:stable-dind
+    command: [ "dockerd", "--host", "tcp://127.0.0.1:2375" ]
+    privileged: true
+    network_mode: service:pod
+  registry:
+    image: registry:2
+    network_mode: service:pod
\ No newline at end of file
diff --git a/020_advanced/110_troubleshooting/04_build/slides.template.md b/020_advanced/110_troubleshooting/04_build/slides.template.md
new file mode 100644
index 00000000..26fe260f
--- /dev/null
+++ b/020_advanced/110_troubleshooting/04_build/slides.template.md
@@ -0,0 +1,7 @@
+## Troubleshooting image builds
+
+XXX after failed image build
+
+XXX find last intermediate image (` ---> xxxxxxxxxxxx`)
+
+XXX inspect intermediate image: `docker run -it xxxxxxxxxxxx /bin/sh`
diff --git a/020_advanced/160_dockerfile/order/Dockerfile b/020_advanced/160_dockerfile/order/Dockerfile
index eff7e028..5302a761 100644
--- a/020_advanced/160_dockerfile/order/Dockerfile
+++ b/020_advanced/160_dockerfile/order/Dockerfile
@@ -6,9 +6,10 @@ RUN apt-get update \
         ca-certificates
 
 WORKDIR /src
-COPY . .
-
+COPY go.* . #package.json, gemfile, pom.xml
 RUN go mod download
+
+COPY . .
 RUN go build -o hello . \
     && cp hello /
diff --git a/020_advanced/160_dockerfile/reusability/Dockerfile b/020_advanced/160_dockerfile/reusability/Dockerfile
index 73fa37e9..98dc3078 100644
--- a/020_advanced/160_dockerfile/reusability/Dockerfile
+++ b/020_advanced/160_dockerfile/reusability/Dockerfile
@@ -9,7 +9,7 @@ WORKDIR /src
 COPY go.* .
 RUN go mod download
 
-FROM deps
+FROM deps AS builder
 COPY . .
 RUN go build -o hello . \
     && cp hello /
diff --git a/020_advanced/160_dockerfile/slides.template.md b/020_advanced/160_dockerfile/slides.template.md
index 39cded0a..4d6ca587 100644
--- a/020_advanced/160_dockerfile/slides.template.md
+++ b/020_advanced/160_dockerfile/slides.template.md
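Review bot: The `dind` service combines `privileged: true` with a `dockerd` listening on `tcp://127.0.0.1:2375` without TLS or authentication, and because `registry` (and `pod`) share that network namespace via `network_mode: service:pod`, any process in those containers can reach the daemon and, through a privileged dockerd, obtain root on the host. That is presumably the point of the pod demo, but nothing in the file says so; I would add above `dind:` a comment like `# DEMO ONLY: unauthenticated, privileged dockerd on the pod loopback == host root for every container in this pod; never run on a shared host`. Note that the `127.0.0.1` bind restricts the listener to the pod's namespace, not to the `dind` container itself. The tags `alpine`, `docker:stable-dind` and `registry:2` are floating, so the workshop pulls whatever those tags resolve to on the day; pinning by digest would make the setup reproducible.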
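Review bot: In a Dockerfile `#` only starts a comment at the beginning of a line, so `COPY go.* . #package.json, gemfile, pom.xml` is parsed as a COPY with sources `go.*`, `.`, `#package.json,`, `gemfile,` and destination `pom.xml`; with several sources the destination must be a directory ending in `/`, so I would expect `docker build` to reject this instruction instead of downloading dependencies first. Put the note on its own line: `# For other ecosystems: package.json, Gemfile, pom.xml` followed by `COPY go.* .`. With `COPY . .` now running after `go mod download`, a `.dockerignore` excluding `.git` and local credential files is worth adding so they do not land in the cached builder layer; I cannot see from this hunk whether one exists. The stage's `FROM` line is outside the hunk.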
@@ -84,6 +84,8 @@ Use image build for isolation
 
 Write build output to host
 
+https://github.com/chris-crone/containerized-go-dev
+
 --
 
 ## Container with build tooling 1/5
@@ -131,7 +133,7 @@ Use the same sources
 
 ```Dockerfile
 FROM base AS build
-RUN --mount=target=. \\
+RUN --mount=target=. \
     go build .
 ```
 
diff --git a/060_security/03_privileged_containers/slides.template.md b/060_security/03_privileged_containers/slides.template.md
index 9224a243..370f6bec 100644
--- a/060_security/03_privileged_containers/slides.template.md
+++ b/060_security/03_privileged_containers/slides.template.md
@@ -5,10 +5,10 @@ If able to start containers, just leave the isolation:
 
 ```bash
-docker run -it \\
-    --privileged \\
-    --pid=host \\
-    alpine \\
+docker run -it \
+    --privileged \
+    --pid=host \
+    alpine \
     nsenter -t 1 -m -u -n -i sh
 ```
 
diff --git a/110_ecosystem/buildkit/cache/slides.template.md b/110_ecosystem/buildkit/cache/slides.template.md
index efded1ec..89c28d2a 100644
--- a/110_ecosystem/buildkit/cache/slides.template.md
+++ b/110_ecosystem/buildkit/cache/slides.template.md
@@ -13,7 +13,7 @@ Syntax is similar to mounting secrets
 
 ```plaintext
 # syntax = docker/dockerfile:experimental
 FROM ubuntu
-RUN --mount=type=cache,target=/tmp/cache \\
+RUN --mount=type=cache,target=/tmp/cache \
     ls -l /tmp/cache
 ```
 
diff --git a/110_ecosystem/buildkit/overview.template.md b/110_ecosystem/buildkit/overview.template.md
index d2de0179..708d7087 100644
--- a/110_ecosystem/buildkit/overview.template.md
+++ b/110_ecosystem/buildkit/overview.template.md
@@ -27,3 +27,5 @@ Remote build cache
 Builds secrets
 
 Unprivileged execution
+
+XXX docker-compose: 1.25.1 (`COMPOSE_DOCKER_CLI_BUILD=1 DOCKER_BUILDKIT=1 docker-compose build`)
diff --git a/110_ecosystem/buildkit/rootless/slides.template.md b/110_ecosystem/buildkit/rootless/slides.template.md
index eb189054..eb537c0d 100644
--- a/110_ecosystem/buildkit/rootless/slides.template.md
+++ b/110_ecosystem/buildkit/rootless/slides.template.md
@@ -60,10 +60,10 @@ rootlesskit buildkitd
 Run the build
 
 ```plaintext
-buildctl \\
-    --addr unix:///run/user/$UID/buildkit/buildkitd.sock build \\
-    --frontend dockerfile.v0 \\
-    --local context=. \\
+buildctl \
+    --addr unix:///run/user/$UID/buildkit/buildkitd.sock build \
+    --frontend dockerfile.v0 \
+    --local context=. \
     --local dockerfile=.
 ```
 
@@ -82,29 +82,29 @@ buildctl \\
 Run the daemon in user context with a port publishing
 
 ```plaintext
-docker run --name buildkitd \\
-    --detach \\
-    --security-opt apparmor=unconfined \\
-    --security-opt seccomp=unconfined \\
-    --publish 127.0.0.1:1234:1234 \\
-    moby/buildkit:rootless \\
-    --oci-worker-no-process-sandbox \\
+docker run --name buildkitd \
+    --detach \
+    --security-opt apparmor=unconfined \
+    --security-opt seccomp=unconfined \
+    --publish 127.0.0.1:1234:1234 \
+    moby/buildkit:rootless \
+    --oci-worker-no-process-sandbox \
     --addr tcp://0.0.0.0:1234
 ```
 
 Run a build
 
 ```plaintext
-docker run --interactive --tty \\
-    --network container:buildkitd \\
-    --volume $PWD:/src \\
-    --workdir /src \\
-    --entrypoint buildctl \\
-    moby/buildkit \\
-    --addr tcp://127.0.0.1:1234 \\
-    build \\
-    --frontend dockerfile.v0 \\
-    --local context=. \\
+docker run --interactive --tty \
+    --network container:buildkitd \
+    --volume $PWD:/src \
+    --workdir /src \
+    --entrypoint buildctl \
+    moby/buildkit \
+    --addr tcp://127.0.0.1:1234 \
+    build \
+    --frontend dockerfile.v0 \
+    --local context=. \
     --local dockerfile=.
 ```
 
@@ -115,10 +115,10 @@ docker run --interactive --tty \\
 Run a build by running the daemon on-demand
 
 ```plaintext
-export BUILDKITD_FLAGS=--oci-worker-no-process-sandbox \\
-buildctl-daemonless.sh build \\
-    --frontend dockerfile.v0 \\
-    --local context=. \\
+export BUILDKITD_FLAGS=--oci-worker-no-process-sandbox \
+buildctl-daemonless.sh build \
+    --frontend dockerfile.v0 \
+    --local context=. \
     --local dockerfile=.
 ```
 
@@ -129,15 +129,15 @@ buildctl-daemonless.sh build \\
 Run a containerized build with the daemon on-demand
 
 ```plaintext
-docker run -it \\
-    --security-opt apparmor=unconfined \\
-    --security-opt seccomp=unconfined \\
-    --env BUILDKITD_FLAGS=--oci-worker-no-process-sandbox \\
-    --volume $PWD:/src \\
-    --workdir /src \\
-    --entrypoint buildctl-daemonless.sh \\
-    moby/buildkit build \\
-    --frontend dockerfile.v0 \\
-    --local context=. \\
+docker run -it \
+    --security-opt apparmor=unconfined \
+    --security-opt seccomp=unconfined \
+    --env BUILDKITD_FLAGS=--oci-worker-no-process-sandbox \
+    --volume $PWD:/src \
+    --workdir /src \
+    --entrypoint buildctl-daemonless.sh \
+    moby/buildkit build \
+    --frontend dockerfile.v0 \
+    --local context=. \
     --local dockerfile=.
 ```
diff --git a/110_ecosystem/buildkit/secrets/slides.template.md b/110_ecosystem/buildkit/secrets/slides.template.md
index 1f1a2cac..3238e3d7 100644
--- a/110_ecosystem/buildkit/secrets/slides.template.md
+++ b/110_ecosystem/buildkit/secrets/slides.template.md
@@ -23,7 +23,7 @@ Use experimental syntax in `Dockerfile`:
 
 ```plaintext
 # syntax=docker/dockerfile:experimental
 FROM alpine
-RUN --mount=type=secret,id=mysite.key \\
+RUN --mount=type=secret,id=mysite.key \
     ls -l /run/secrets
 ```
 
diff --git a/110_ecosystem/buildkit/transition.template.md b/110_ecosystem/buildkit/transition.template.md
index d86526ac..ca9e0d5f 100644
--- a/110_ecosystem/buildkit/transition.template.md
+++ b/110_ecosystem/buildkit/transition.template.md
@@ -5,17 +5,17 @@ Sometime it is desirable to change context and Dockerfile
 What you are doing today
 
 ```plaintext
-$ docker build \\
-> --file Dockerfile \\
+$ docker build \
+> --file Dockerfile \
 > .
 ```
 
 How to do this using BuildKit
 
 ```plaintext
-$ buildctl build \\
-> --frontend dockerfile.v0 \\
-> --local dockerfile=. \\
+$ buildctl build \
+> --frontend dockerfile.v0 \
+> --local dockerfile=. \
 > --local context=.
 ```
 
@@ -30,8 +30,8 @@ Publish an image in a registry
 Docker has taught us to build and push container images:
 
 ```plaintext
-docker build \\
-    --tag my_image_name \\
+docker build \
+    --tag my_image_name \
     .
 docker push my_image_name
 ```
@@ -39,10 +39,10 @@ docker push my_image_name
 BuildKit can directly upload to an image registry:
 
 ```plaintext
-buildctl build \\
-    --frontend dockerfile.v0 \\
-    --local dockerfile=. \\
-    --local context=. \\
+buildctl build \
+    --frontend dockerfile.v0 \
+    --local dockerfile=. \
+    --local context=. \
     --output type=image,name=my_image_name,push=true
 ```
 
@@ -57,18 +57,18 @@ Pass build arguments to customize the image build
 The Docker way
 
 ```plaintext
-docker build \\
-    --build-arg name=value \\
+docker build \
+    --build-arg name=value \
     .
 ```
 
 The BuildKit way
 
 ```plaintext
-buildctl build \\
-    --frontend dockerfile.v0 \\
-    --local dockerfile=. \\
-    --local context=. \\
+buildctl build \
+    --frontend dockerfile.v0 \
+    --local dockerfile=. \
+    --local context=. \
     --opt build-arg:name=value
 ```
 
@@ -81,9 +81,9 @@ Use an existing image as build cache
 Docker is able to use an local image
 
 ```plaintext
-docker build \\
-    --cache-from my_image_name \\
-    --tag my_image_name \\
+docker build \
+    --cache-from my_image_name \
+    --tag my_image_name \
     .
 ```
 
@@ -92,11 +92,11 @@ BuildKit can use an image in a registry...
 ...and download helpful layers
 
 ```plaintext
-buildctl build \\
-    --frontend dockerfile.v0 \\
-    --local dockerfile=. \\
-    --local context=. \\
-    --output type=image,name=my_image_name,push=true \\
-    --export-cache type=inline \\
+buildctl build \
+    --frontend dockerfile.v0 \
+    --local dockerfile=. \
+    --local context=. \
+    --output type=image,name=my_image_name,push=true \
+    --export-cache type=inline \
     --import-cache type=registry,ref=my_image_name
 ```
diff --git a/110_ecosystem/buildkit/usage/buildkit.template.md b/110_ecosystem/buildkit/usage/buildkit.template.md
index 557d9032..a5c2dffd 100644
--- a/110_ecosystem/buildkit/usage/buildkit.template.md
+++ b/110_ecosystem/buildkit/usage/buildkit.template.md
@@ -34,22 +34,22 @@ Let a script take care of running the daemon on-demand
 Run a build locally
 
 ```plaintext
-buildctl-daemonless.sh build \\
-    --frontend dockerfile.v0 \\
-    --local context=. \\
+buildctl-daemonless.sh build \
+    --frontend dockerfile.v0 \
+    --local context=. \
     --local dockerfile=.
 ```
 
 Run a build containerized
 
 ```plaintext
-docker run -it \\
-    --privileged \\
-    --volume $PWD:/src \\
-    --workdir /src \\
-    --entrypoint buildctl-daemonless.sh \\
-    moby/buildkit build \\
-    --frontend dockerfile.v0 \\
-    --local context=. \\
+docker run -it \
+    --privileged \
+    --volume $PWD:/src \
+    --workdir /src \
+    --entrypoint buildctl-daemonless.sh \
+    moby/buildkit build \
+    --frontend dockerfile.v0 \
+    --local context=. \
     --local dockerfile=.
 ```
 
diff --git a/110_ecosystem/reverse_proxy/docker-compose.yml b/110_ecosystem/reverse_proxy/docker-compose.yml
index 5eeee1e7..fd1f41b4 100644
--- a/110_ecosystem/reverse_proxy/docker-compose.yml
+++ b/110_ecosystem/reverse_proxy/docker-compose.yml
@@ -35,6 +35,8 @@ services:
 
   registry:
     image: registry:2
+    ports:
+      - "127.0.0.1:5000:5000"
     labels:
       traefik.enable: "true"
       traefik.http.services.registry.loadbalancer.server.port: 5000
diff --git a/2020-12-02-ContainerConf-WorkshopContainersAdvanced.html b/2020-12-02-ContainerConf-WorkshopContainersAdvanced.html
index 493db376..92d7fb5f 100644
--- a/2020-12-02-ContainerConf-WorkshopContainersAdvanced.html
+++ b/2020-12-02-ContainerConf-WorkshopContainersAdvanced.html
@@ -103,7 +103,7 @@
 BuildKit in Kubernetes is Builder-as-a-Service ;-)
 
-  Privileged containers are a thread to your environment
+  Privileged containers are a threat to your environment
 
 Reverse proxies provide access to your services
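Review bot: Publishing `127.0.0.1:5000:5000` on `registry` gives local callers a path that bypasses traefik entirely, and nothing in this hunk configures authentication on `registry:2`, so any local user or any container started with `--network host` can push, overwrite or delete tags (the `tagging.demo` change in this same commit relies on exactly that unauthenticated manifest PUT). Binding to loopback is the right call for a workshop laptop; I would record the intent with a comment above `ports:`, e.g. `# loopback only: this registry has no auth and must not be reachable from the network`. Docker inserts published ports ahead of the host's own iptables rules, so a host firewall would not compensate if someone later changed this to `0.0.0.0`. Any traefik middlewares on the registry router are outside this hunk and would not cover the direct port anyway.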