Building Container Images the Modern Way - Adrian Mouat, Chainguard
![CNCF [Cloud Native Computing Foundation]](http://yt3.ggpht.com/txe66EjpkDQQlx_4jDV0yA0PPsww0rqQrFhMpDqagLWN2-EUBBO65IuIyy5tEFVmpI4_RRduzXc=s48-c-k-c0x00ffffff-no-rj)
Вставка
- Опубліковано 21 бер 2024
- Don't miss out! Join us at our next Flagship Conference: KubeCon + CloudNativeCon North America in Salt Lake City from November 12 - 15, 2024. Connect with our current graduated, incubating, and sandbox projects as the community gathers to further the education and advancement of cloud native computing. Learn more at kubecon.io
Building Container Images the Modern Way - Adrian Mouat, Chainguard
Are you still building images like it's 2015? This talk will get you up-to-speed with modern build technology and techniques and building images in seconds rather than minutes. This can make an enormous difference in CI/CD where a small improvement can reduce costs and speed up delivery. We'll start by taking a look at what an OCI container image is, before delving into the different options for assembling them. After understanding why things are the way they are, we'll dive into some of the options for achieving vastly faster build times and smaller images. We'll also look at supply chain concerns such as SLSA, SBOMs and attestations. We'll explore buildkit, buildpacks, Dagger, ko, Apko, Rockcraft and Nix amongst other technologies. Come along and learn how to move beyond the plain Dockerfile! - Наука та технологія
That's a great review! A couple of additional comments/ideas on that topic:
- Bazel is incredibly complex, and I've been told multiple times (by folks using it) that maintaining a non-trivial Bazel build could easily require a full time expert, and that it would be very difficult to turn it into a self-service thing (i.e. even small trivial changes often require the intervention of the expert). As a datapoint, Kubernetes itself used to be built with Bazel, but the Bazel build infrastructure was removed because the Kubernetes maintainers couldn't maintain it anymore.
- the good old "docker build" actually uses newer BuildKit features. For instance, stuff like "RUN --mount=type=cache,path=/var/cache/apt ..." lets you have persistent cache across builds, that doesn't end up in the final image. That's just one example, there are many other hidden gems (that we typically don't find in tutorials that have been written literally a decade ago :))
Thanks @jpetazzo! And good point about docker build
A fantastic overview, thank you for making it! Sad that werf is missing, though. It uses buildah under the hood to build images, yet brings lots of great features on top of it (such as distributed cache, making it a self-hosted substitute for Docker Build Cloud or Dagger Cloud) and aims to cover other CI/CD steps as well.
Bazel had a very dedicated doc-writer to write such an extensive help function xD
Nix and Bazel are both great solutions for building container images - especially if you have more complex requirements.
Either your project is trivial (single, statically linked Go binary) which allows you to package it up nicely with any tool under the sun (including Dockerfiles) reproducibly, or you need a real build system and will not be happy with Ko.
02:51 Image Builder Goals
05:32 Distroless Multistage Docker Build
08:08 KO (golang)
13:31 Bazel (summary)
17:13 Apko (summary)
18:33 Canonical Chiselled Containers
21:26 Buildpacks
24:18 Buildkit and Dagger
28:42 Nix
30:47 OK, So What Do You Recommend?
sha256 is different always whenever you recreate a new tar due to timestamps metadata and different sorting of files.
I'm pretty sure you can control both of that in bazel, I just couldn't figure out how
someone , please help me to identify the zsh theme ? :D
The theme is Spaceship
10:03 10:30 i am out