Building images with kaniko and GitLab CI/CD · Gitlab 中文文檔

# Building images with kaniko and GitLab CI/CD > 原文：[https://docs.gitlab.com/ee/ci/docker/using_kaniko.html](https://docs.gitlab.com/ee/ci/docker/using_kaniko.html) * [Requirements](#requirements) * [Building a Docker image with kaniko](#building-a-docker-image-with-kaniko) * [Using a registry with a custom certificate](#using-a-registry-with-a-custom-certificate) * [Video walkthrough of a working example](#video-walkthrough-of-a-working-example) # Building images with kaniko and GitLab CI/CD[](#building-images-with-kaniko-and-gitlab-cicd "Permalink") 在 GitLab 11.2 中[引入](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/45512) . 需要 GitLab Runner 11.2 及更高版本. [kaniko](https://github.com/GoogleContainerTools/kaniko)是從容器或 Kubernetes 集群內部的 Dockerfile 構建容器映像的工具. kaniko 使用[Docker-in-Docker 構建](using_docker_build.html#use-docker-in-docker-workflow-with-docker-executor)方法解決了兩個問題： * Docker-in-Docker 需要[特權模式](https://s0docs0docker0com.icopy.site/engine/reference/run/)才能運行，這是一個重大的安全問題. * Docker-in-Docker 通常會導致性能下降，并且可能會非常慢. ## Requirements[](#requirements "Permalink") 為了在 GitLab 中使用 kaniko，需要使用以下執行程序之一的[GitLab Runner](https://docs.gitlab.com/runner/) ： * [Kubernetes](https://docs.gitlab.com/runner/executors/kubernetes.html). * [Docker](https://docs.gitlab.com/runner/executors/docker.html). * [Docker Machine](https://docs.gitlab.com/runner/executors/docker_machine.html). ## Building a Docker image with kaniko[](#building-a-docker-image-with-kaniko "Permalink") 使用 kaniko 和 GitLab CI / CD 構建映像時，應注意一些重要細節： * 推薦使用 kaniko 調試映像（ `gcr.io/kaniko-project/executor:debug` ），因為它具有外殼，并且該映像與 GitLab CI / CD 一起使用時需要外殼. * 入口點將需要被[覆蓋](using_docker_images.html#overriding-the-entrypoint-of-an-image) ，否則構建腳本將無法運行. * 需要使用所需容器注冊表的身份驗證信息創建一個 Docker `config.json`文件. In the following example, kaniko is used to: 1. 構建一個 Docker 鏡像 2. 然后將其推送到[GitLab 容器注冊表](../../user/packages/container_registry/index.html) . 僅當按下標簽時作業才會運行. 使用從 GitLab CI / CD 提供的[環境變量中](../variables/README.html#predefined-environment-variables)獲取的所需 GitLab 容器注冊表憑據在`/kaniko/.docker`下創建一個`config.json`文件. 在最后一步中，kaniko 使用項目根目錄下的`Dockerfile` ，構建 Docker 映像并將其推送到項目的 Container Registry，同時使用 Git 標簽對其進行標記： ``` build: stage: build image: name: gcr.io/kaniko-project/executor:debug entrypoint: [""] script: - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG only: - tags ``` ## Using a registry with a custom certificate[](#using-a-registry-with-a-custom-certificate "Permalink") 嘗試推送到使用由自定義 CA 簽名的證書的 Docker 注冊表時，您可能會遇到以下錯誤： ``` $ /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --no-push INFO[0000] Downloading base image registry.gitlab.example.com/group/docker-image error building image: getting stage builder for stage 0: Get https://registry.gitlab.example.com/v2/: x509: certificate signed by unknown authority ``` 可以通過將您的 CA 證書添加到 kaniko 證書存儲區來解決： ``` before_script: - mkdir -p /kaniko/.docker - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json - | echo "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----" >> /kaniko/ssl/certs/additional-ca-cert-bundle.crt ``` ## Video walkthrough of a working example[](#video-walkthrough-of-a-working-example "Permalink") [在 GitLab](https://www.youtube.com/watch?v=d96ybcELpFs)視頻[上使用 Kaniko](https://www.youtube.com/watch?v=d96ybcELpFs)的[最低權限容器構建](https://www.youtube.com/watch?v=d96ybcELpFs)是對[Kaniko Docker Build](https://gitlab.com/guided-explorations/containers/kaniko-docker-build) Guided Exploration 項目管道的演練. 經過測試： * [GitLab.com Shared Runners](../../user/gitlab_com/index.html#shared-runners) * [The Kubernetes Runner executor](https://docs.gitlab.com/runner/executors/kubernetes.html) 可以將示例復制到您自己的組或實例中進行測試. 項目頁面上提供了有關演示其他 GitLab CI 模式的更多詳細信息.