
Build container images, inside a container

Tommaso Doninelli

How to build a Docker container image in…a docker container!

Containers are eating the world (cit.), and nowadays it is common to run CI/CD and build servers (did someone say Jenkins?) in a container.

As part of our workflow, we had to build a Docker image and deploy it in a test environment, eventually promoting it to production. In this post we build a Docker image inside another, unprivileged container!

TL;DR

We’ll use Kaniko, a tool from the Google Container Toolkit, to build a Docker image from inside a Docker container.

These are the steps to build an image and push it to AWS ECR:

  1. save the build context in an AWS S3 bucket, with our Dockerfile and all the required external files;
  2. run a container configured to build and push the image to AWS ECR;
  3. publish the image to a private registry (we’ll use AWS ECR, but all major registries are supported).

To run these steps you need the AWS CLI installed and configured.

Kaniko is a tool to build docker images inside a container, even in Kubernetes

Create a build context

A build context is a tarball with all the files we need to build our image, including the Dockerfile. Let's create a folder, put the Dockerfile and a test file in it, and copy it to an AWS S3 bucket.

Create an empty folder and put there your Dockerfile and any additional files:

$ ls ./workspace
.... Dockerfile
.... hello.world

$ cat Dockerfile
FROM ubuntu:18.04
COPY hello.world /


$ cat hello.world
Ciao, Mondo!

Create the tarball and push it to an AWS S3 bucket:

tar -C workspace -zcvf context.tar.gz .
aws s3 cp ./context.tar.gz s3://<bucket>/<path>/
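
Everything in the workspace folder ends up in the tarball, and from there in the S3 bucket. As an added example (not part of the original post), this pre-flight check refuses to pack a workspace that contains credential-looking files or an AWS access key ID; the function names, the script name check_context.sh and the list of risky file names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): vet a build context before packing.
# AWS access key IDs look like "AKIA" followed by 16 upper-case letters or digits.
KEY_ID_RE='AKIA[0-9A-Z]{16}'

# scan_context DIR: print one finding per line; return 1 if anything was found.
scan_context() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    findings=$(
        cd "$1" || exit 2
        # File names that usually mean credentials or repository history.
        find . \( -name '.env' -o -name '*.pem' -o -name 'id_rsa' \
            -o -name 'credentials' -o -name '.git' \) -print |
            sed 's|^|risky-name: |'
        # Files whose content contains something shaped like an access key ID.
        find . -type f -exec grep -lE "$KEY_ID_RE" {} + |
            sed 's|^|aws-key-id: |'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# pack_context DIR TARBALL: create the tarball only when the scan is clean.
# Keep TARBALL outside DIR, as in the post, so it does not end up inside itself.
pack_context() {
    scan_context "$1" >&2 || { echo "refusing to pack $1" >&2; return 1; }
    tar -C "$1" -zcf "$2" .
}

# Usage: sh check_context.sh workspace context.tar.gz
if [ "$#" -eq 2 ]; then
    pack_context "$1" "$2"
fi
```

Run it in place of the plain tar command, then upload the resulting context.tar.gz with aws s3 cp as shown above.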

Build and publish the image

Kaniko comes with support for GCR, Docker config.json and Amazon ECR, but configuring another credential helper should allow pushing to a different registry. We provide an image already configured to push to AWS ECR, hakunacloud/kaniko-aws-ecr.

To build and push the image, run this container:

beekube run \
        --name kaniko-build \
        --restart no \
        -e AWS_REGION=eu-central-1 -e AWS_ACCESS_KEY=AKIAxxxx -e AWS_SECRET_KEY=yyyyyyy \
        hakunacloud/kaniko-aws-ecr:latest " \
            --dockerfile=./Dockerfile \
            --destination '<aws id>.dkr.ecr.<region>.amazonaws.com/<repo>:<version>' \
            --context s3://<bucket>/<path>/context.tar.gz \
            --cache='false' \
            --verbosity debug "

Let’s break down the command:

  • -e AWS_REGION=eu-central-1 -e AWS_ACCESS_KEY=AKIAxxxx -e AWS_SECRET_KEY=yyyyyyy: set the region and the credentials to access the S3 bucket and the ECR registry;
  • --dockerfile=./Dockerfile: the Dockerfile path relative to the build context tarball;
  • --destination '<aws id>.dkr.ecr.<region>.amazonaws.com/<repo>:<version>': the destination image in the ECR registry;
  • --context s3://<bucket>/<path>/context.tar.gz: the build context to download.

Your image should be available in a few minutes!

Using a local docker version

HakunaCloud is your managed container-as-a-service platform. You can build any Docker image by simply replacing docker with beekube. If you want to run the image using your local Docker service, simply run:

docker run \
        --name kaniko-build \
        --restart no \
        -e AWS_REGION=eu-central-1 -e AWS_ACCESS_KEY=AKIAxxxx -e AWS_SECRET_KEY=yyyyyyy \
        hakunacloud/kaniko-aws-ecr:latest " \
            --dockerfile=./Dockerfile \
            --destination '<aws id>.dkr.ecr.<region>.amazonaws.com/<repo>:<version>' \
            --context s3://<bucket>/<path>/context.tar.gz \
            --cache='false' \
            --verbosity debug "

Tommaso Doninelli

CEO @ HakunaCloud

10 years as CTO, former Software Engineer at Amazon AWS, Cloud Solution Architect with projects in US, Europe and United Arab Emirates.

"I am a DevOps and automation advocate; you can test, deploy, analyze and improve even your grandma recipes. "