By Xian Wei
In the cloud native era, container images are the basic carrier for distribution of all applications. In addition to Docker Hub as a popular image repository, various cloud vendors also provide function-rich image repository services, such as Alibaba Cloud's Container Registry (ACR), and Google's Container Registry (GCR). Being able to build container images has become the basic practical ability that all developers must master.
Whether the developer chooses to use Docker locally to build basic images, or uses a CI/CD service (such as Jenkins), in essence, the process of "pull -> build -> push" must be followed to build, distribute, and synchronize images.
This article introduces a new practice of building simple images for developers. Based on Alibaba Cloud Serverless Kubernetes Container Service, container images can be built automatically and at a low cost, which helps developers understand how to use Serverless to run CI/CD and automate tasks.
Building a container image requires computing resources. When developers use Docker to pull/build/push locally, the computing resources are local development machines. If developers deploy Jenkins or GitLab Runner services in traditional Kubernetes clusters, the computing resources also need to run continuously. However, building a container image is basically a highly dynamic action, which is often triggered by timing or conditions. Therefore, maintaining a fixed computing resource pool for dynamic building operations is not cost effective.
Serverless Kubernetes is different from the traditional node-based k8s cluster. A Serverless cluster will only result in a charge when a pod is running. This means that users only need to pay when building images, and after the build ends, the billing stops. Therefore, the cost is significantly reduced compared with that of the traditional k8s cluster or ECS deployment.
In a Serverless Kubernetes cluster, pods do not have the privileged permission, and cannot access Docker daemon on the host. Therefore, they cannot use the Docker-in-Docker solution to build images. So, how can we build an image without relying on the Docker on the host in a Kubernetes cluster? Obviously, this is a common requirement, and the community also has a recommended solution: Kaniko.
Kaniko works similarly to the "docker build" command, but does not rely on Docker daemon. It resolves and builds each Dockerfile layer in the pod, which allows the pod to complete the pull/build/push of the image without the privileged permission.
Let's use Serverless Kubernetes and Kaniko to implement a simple image building experiment, that is, to regularly synchronize images to the domestic ACR.
Log on to the Container Service Console to create a Serverless cluster in 5s. (If it is a foreign source image repository, you can choose the US West region)
You can log on to CloudShell, and run the following command.
#docker login registry.cn-hangzhou.aliyuncs.com ... #kubectl create secret generic regsecret --from-file=/root/.docker/config.json ...
On the console, select a template to create the following scheduled task, to synchronize the busybox image to ACR hourly.
apiVersion: v1 kind: ConfigMap metadata: name: dockerfile-cm data: Dockerfile: | FROM busybox:latest --- apiVersion: batch/v1beta1 kind: CronJob metadata: name: kaniko-builder spec: schedule: "*/60 * * * *" jobTemplate: spec: template: spec: containers: - name: builder image: gcr.io/kaniko-project/executor:latest imagePullPolicy: Always args: - "--dockerfile=/configs/Dockerfile" - "--destination=registry.cn-hangzhou.aliyuncs.com/jovizhangwei/busybox:latest" volumeMounts: - name: dockerfile readOnly: true mountPath: "/configs/" - name: secrets readOnly: true mountPath: "/root/.docker/" volumes: - name: dockerfile configMap: name: dockerfile-cm - name: secrets secret: secretName: regsecret restartPolicy: OnFailure
After the job is executed, you can view ACR Image Repository to confirm that the image has been synchronized.
You can customize the template file as needed, such as modifying the image to be synchronized, and adding a build step. You can also set the resource limit of the pod (such as, VCPU 0.25/0.5/1) to complete the synchronization task at minimal computing cost.
From the example above, we can see that, based on the pay-as-you-go feature of Serverless Kubernetes, some scheduled and CI/CD tasks can be run at very low cost without maintaining a fixed computing resource pool. It is also applicable to other scenarios, such as stress testing, data computing, and workflow processing.
Alibaba Container Service - July 16, 2019
Alibaba Container Service - February 7, 2020
Alibaba Clouder - July 15, 2020
Alibaba Container Service - October 21, 2019
Alibaba Container Service - August 25, 2020
Alibaba Clouder - September 3, 2020
Alibaba Cloud Container Service for Kubernetes is a fully managed cloud container management service that supports native Kubernetes and integrates with other Alibaba Cloud products.Learn More
Accelerate and secure the development, deployment, and management of containerized applications cost-effectively.Learn More
A secure image hosting platform providing containerized image lifecycle managementLearn More
Self-driving Database Platform: Self-repair, Self-optimization, and Self-securityLearn More
More Posts by Alibaba Container Service