You can build images in an ACS cluster for common container scenarios. ACS provides a feature-verification image built on the community-standard buildah tool. This image lets you create new container images and push them to an image repository.
Prerequisites
When you build images in an ACS cluster, the primary network requirements involve pulling and pushing images. Before you begin, ensure that:
The pod can connect to the base image repository to pull images.
The pod can connect to the target image repository to push images.
Basic feature verification
The verification pod uses the buildah base image to build a basic image from a Dockerfile in non-privileged mode. The pod then pushes the image to the repository specified in an environment variable. The pod's standard output log shows the executed commands. If the pod completes without errors, your environment is ready. You can then build images with buildah in the cluster and add your business logic.
The image used in this example, registry-cn-hangzhou.ack.aliyuncs.com/ack-demo/buildah:v1.40.1, is built from the community image quay.io/buildah/stable:latest. To use the latest community version, you can use the latest release or build from source code.
By default, buildah does not reuse intermediate layers from the image build process. To enable layer reuse, use the buildah build --layers command.Step 1: Create the verification pod
Use the following Dockerfile to build the sample image.
FROM registry.cn-hangzhou.aliyuncs.com/eci_open/nginx:latest RUN echo 'hello acs'Use the following YAML file to create a pod in your ACS cluster. This pod will build and push the image. Modify the environment variables (env) in the YAML file as needed.
Environment variable key
Description
LOGIN_USERNAME
The username to log on to the target repository.
LOGIN_PASSWORD
The password to log on to the target repository.
TARGET_REPO
The full address of the target image repository. Include the namespace, repository name, and tag. For example:
registry.cn-hangzhou.aliyuncs.com/yourRepoNS/yourRepoName:testTag.TARGET_HOSTNAME
The domain name of the target repository. For example:
registry.cn-hangzhou.aliyuncs.com.IMAGE_NAME
The local image name for the buildah build. This does not affect the image build or push. Use lowercase English letters. For example:
buildahtestimage.CPU scenario
kind: Pod apiVersion: v1 metadata: name: buildah-demo-pod labels: alibabacloud.com/compute-qos: default alibabacloud.com/compute-class: general-purpose spec: restartPolicy: Never containers: - name: builder image: registry-cn-hangzhou.ack.aliyuncs.com/ack-demo/buildah:v1.40.1 command: - sh - -c - | echo "=== build and push ===" echo "buildah info" buildah info echo "[step 1] create Dockerfile... " echo -e "FROM registry.cn-hangzhou.aliyuncs.com/eci_open/nginx:latest\nRUN echo 'hello acs'" > Dockerfile cat Dockerfile echo "" echo "[step 2] start build (IMAGE_NAME=${IMAGE_NAME})..." if buildah build -t "${IMAGE_NAME}" .; then echo "√ build success!" buildah images else echo "× build failed" exit 1 fi echo "" echo "[step 3] login repo (HOST=${TARGET_HOSTNAME})..." if buildah login -u "${LOGIN_USERNAME}" -p "${LOGIN_PASSWORD}" "${TARGET_HOSTNAME}"; then echo "√ login success" else echo "× login failed" exit 1 fi echo "" echo "[step 4] push repo (TARGET=${TARGET_REPO})..." if buildah push "${IMAGE_NAME}" docker://"${TARGET_REPO}"; then echo "√ push success" echo "the repo is :${TARGET_REPO}" else echo "× push failed!" exit 1 fi echo "=== end ===" env: - name: LOGIN_USERNAME value: "TODO:targetRepoLoginUsername" - name: LOGIN_PASSWORD value: "TODO:targetRepoLoginPassword" - name: TARGET_REPO value: "registry.cn-hangzhou.aliyuncs.com/yourRepoNS/yourRepoName:testTag" - name: TARGET_HOSTNAME value: "registry.cn-hangzhou.aliyuncs.com" - name: IMAGE_NAME value: "buildahtestimage" # The image name must be in lowercase English letters. imagePullPolicy: Always resources: limits: cpu: "1" memory: "2Gi" requests: cpu: "1" memory: "2Gi"GPU scenario
For more information about the
alibabacloud.com/gpu-model-seriesconfiguration, see GPU families supported by ACS.In GPU scenarios, AI container images are often large. We recommend that you change the storage driver to `overlay`. To do so, you must mount
/var/lib/containers/storageas a separate file system that supports `overlay`. We recommend using `emptyDir` to configure/var/lib/containers/storageto support `overlay`.kind: Pod apiVersion: v1 metadata: name: buildah-demo-pod labels: # Specify the compute-class as gpu. alibabacloud.com/compute-class: gpu alibabacloud.com/gpu-model-series: <A GPU family supported by ACS, such as GU8TF> alibabacloud.com/compute-qos: default spec: restartPolicy: Never volumes: - emptyDir: {} name: buildah containers: - name: builder image: registry-cn-hangzhou.ack.aliyuncs.com/ack-demo/buildah:v1.40.1 command: - sh - -c - | echo "=== build and push ===" echo "buildah info" buildah info echo "[step 1] create Dockerfile... " echo -e "FROM registry.cn-hangzhou.aliyuncs.com/eci_open/nginx:latest\nRUN echo 'hello acs'" > Dockerfile cat Dockerfile echo "" echo "[step 2] start build (IMAGE_NAME=${IMAGE_NAME})..." if buildah build -t "${IMAGE_NAME}" .; then echo "√ build success!" buildah images else echo "× build failed" exit 1 fi echo "" echo "[step 3] login repo (HOST=${TARGET_HOSTNAME})..." if buildah login -u "${LOGIN_USERNAME}" -p "${LOGIN_PASSWORD}" "${TARGET_HOSTNAME}"; then echo "√ login success" else echo "× login failed" exit 1 fi echo "" echo "[step 4] push repo (TARGET=${TARGET_REPO})..." if buildah push "${IMAGE_NAME}" docker://"${TARGET_REPO}"; then echo "√ push success" echo "the repo is :${TARGET_REPO}" else echo "× push failed!" exit 1 fi echo "=== end ===" env: - name: LOGIN_USERNAME value: "TODO:targetRepoLoginUsername" - name: LOGIN_PASSWORD value: "TODO:targetRepoLoginPassword" - name: TARGET_REPO value: "registry.cn-hangzhou.aliyuncs.com/yourRepoNS/yourRepoName:testTag" - name: TARGET_HOSTNAME value: "registry.cn-hangzhou.aliyuncs.com" - name: IMAGE_NAME value: "buildahtestimage" imagePullPolicy: Always volumeMounts: - mountPath: /var/lib/containers/storage name: buildah resources: limits: cpu: "1" memory: "2Gi" nvidia.com/gpu: 1 requests: cpu: "1" memory: "2Gi" nvidia.com/gpu: 1
Step 2: Verify the build result
View the container build logs. If the output contains
push success, the image was successfully built and pushed.kubectl logs buildah-demo-podExpected output:
=== build and push === [step 1] create Dockerfile... FROM registry.cn-hangzhou.aliyuncs.com/eci_open/nginx:latest RUN echo 'hello acs' ... [step 4] push repo (TARGET=registry.cn-hangzhou.aliyuncs.com/yourRepoNS/yourRepoName:testTag)... Getting image source signatures ... Writing manifest to image destination √ push success the repo is :registry.cn-hangzhou.aliyuncs.com/yourRepoNS/yourRepoName:testTag === end ===
Accelerate image builds with external storage
If you build container images from a Dockerfile and want to reuse the base image content, you can avoid downloading the content for each build. You can use external storage as a backend cache for buildah. To accelerate the build process, mount this storage when you start the image build container.
The following example uses a CPU pod to demonstrate accelerated image building. For GPU instances, only the L20 family supports disks. For other GPU families, you must use shared storage, such as NAS.
When you use a disk as backend storage, note that it cannot be attached to multiple pods at the same time.
Step 1: Prepare storage
You can use any method to populate an external storage medium with the base image (base layer) that you want to cache and share. This step provides an example of how to cache the alinux3 image (alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:230602.1) from an ACR repository to a disk. For more information, see Use a dynamically provisioned disk volume.
Use the following YAML file to prepare disk storage in the ACS cluster. The example uses the `Immediate` mode for verification.
allowVolumeExpansion: true apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: alicloud-disk-essd parameters: fstype: ext4 performanceLevel: PL1 type: cloud_essd provisioner: diskplugin.csi.alibabacloud.com reclaimPolicy: Delete volumeBindingMode: Immediate --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: disk-pvc spec: accessModes: - ReadWriteOncePod volumeMode: Filesystem resources: requests: storage: 20Gi storageClassName: alicloud-disk-essdRun the following command to check the status of the PersistentVolumeClaim (PVC).
kubectl get pvc disk-pvcExpected output:
# The following output indicates that the disk is ready. NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS VOLUMEATTRIBUTESCLASS AGE disk-pvc Bound d-bp13vgtpxxphort***** 20Gi RWOP alicloud-disk-essd <unset> 40s
Step 2: Create the pod
Use the following Dockerfile to build the sample image.
FROM alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:230602.1 CMD ["tail","-f","/dev/null"]Use the following YAML file to create a pod that pulls the sample image.
kind: Pod apiVersion: v1 metadata: name: filler-pod labels: alibabacloud.com/compute-qos: default alibabacloud.com/compute-class: general-purpose spec: containers: - name: builder image: registry-cn-hangzhou.ack.aliyuncs.com/ack-demo/buildah:v1.40.1 command: ["buildah", "pull", "alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:230602.1"] imagePullPolicy: Always resources: limits: cpu: "1" memory: "1Gi" requests: cpu: "1" memory: "1Gi" volumeMounts: - name: disk mountPath: "/var/lib/containers/storage" restartPolicy: Never volumes: - name: disk persistentVolumeClaim: claimName: disk-pvcRun the following command to check the cache.
kubectl logs filler-podExpected output:
# The expected output indicates that the image data is cached on the disk. Trying to pull alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:230602.1... Getting image source signatures Copying blob sha256:b078a9c0307ee7852fadced3640fe9851edfc9e0d9d4d8a0ae30542d51846d1b Copying blob sha256:006534dfe5bbb72ff9a9a84fa20e675c49dbec8e4c7e2b02b977d1bdb5af3fd4
Step 3: Verify the cache
Use the following YAML file to create a new pod.
kind: Pod apiVersion: v1 metadata: name: builder-pod labels: alibabacloud.com/compute-qos: default alibabacloud.com/compute-class: general-purpose spec: containers: - name: builder image: registry-cn-hangzhou.ack.aliyuncs.com/ack-demo/buildah:v1.40.1 command: ["buildah", "bud", "-t", "registry.cn-hangzhou.aliyuncs.com/acsimage/buildah:resultImage", "."] imagePullPolicy: Always resources: limits: cpu: "1" memory: "1Gi" requests: cpu: "1" memory: "1Gi" volumeMounts: - name: disk mountPath: "/var/lib/containers/storage" restartPolicy: Never volumes: - name: disk persistentVolumeClaim: claimName: disk-pvcRun the following command to verify that the cache is working.
kubectl logs builder-podExpected output:
# The expected output indicates that the image cache on the disk was reused and the base image was not pulled again. STEP 1/2: FROM alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:230602.1 STEP 2/2: CMD ["tail","-f","/dev/null"] COMMIT registry.cn-hangzhou.aliyuncs.com/acsimage/buildah:resultImage Getting image source signatures Copying blob sha256:933412459c628636b34d7952531f5f6e62f9bc190529d1a15872df9e635b90c0 ... Writing manifest to image destination --> c0fb82a0eb9d Successfully tagged registry.cn-hangzhou.aliyuncs.com/acsimage/buildah:resultImage c0fb82a0eb9d8be7c543ccc097d929b5f47ffd916a848d13fbdbff88f976c6b2