This is a guest post by Docker Captain Nicholas Dille, a blogger, speaker and author with 15 years of experience in virtualization and automation. He works as a DevOps Engineer at Haufe Group, a digital media company located in Freiburg, Germany. He is also a Microsoft Most Valuable Professional.
In this virtual meetup, I share how to improve image builds using the features in BuildKit. BuildKit is an alternative builder with great features like caching, concurrency and the ability to separate your image build into multiple stages – which is useful for separating the build environment from the runtime environment.
The default builder in Docker is the legacy builder. This is recommended for use when you need support for Windows. However, in nearly every other case, using BuildKit is recommended because of the fast build time, ability to use custom BuildKit front-ends, building stages in parallel and other features.
Catch the full replay below and view the slides to learn:
- Build cache in BuildKit – instead of relying on a locally present image, buildkit will pull the appropriate layers of the previous image from a registry.
- How BuildKit helps prevent disclosure of credentials by allowing files to be mounted into the build process. They are kept in memory and are not written to the image layers.
- How BuildKit supports access to remote systems through SSH by mounting the SSH agent socket into the build without adding the SSH private key to the image.
- How to use the CLI plugin buildx to cross-build images for different platforms.
- How using the new “docker context,” the CLI is able to manage connection to multiple instances of the Docker engine. Note that it supported SSH remoting to Docker Engine.
- And finally, a tip that extends beyond image builds: When troubleshooting a running container, a debugging container can be started sharing the network and PID namespace. This allows debugging without changing the misbehaving container.
I also covered a few tools that I use in my workflow, namely:
- goss, which allows images to be tested to match a configuration expressed in YAML. It comes with a nice wrapper called `dgoss` to use it with Docker easily. And it even provides a health endpoint to integrate into your image
- trivy, an OS tool from AquaSecurity that scans images for known vulnerabilities in the OS as well as well-known package managers.
And finally, answered some of your questions:
Why not use BuildKit by default?
If your workflow involves building images often, then we recommend that you do set BuildKit as the default builder. Here is how to enable BuildKit by default in the docker daemon config.
Does docker-compose work with BuildKit?
Support for BuildKit was added in docker-compose 1.25.0 which can be enabled by setting DOCKER_BUILDKIT=1 and COMPOSE_DOCKER_CLI_BUILD=1.
What are the benefits of using BuildKit?
In addition to the features presented, BuildKit also improves build performance in many cases.
When would I use BuildKit Secrets? (A special thank you to Captain Brandon Mitchell for answering this question)
BuildKit secrets are a good way to use a secret at build time, without saving the secret in the image. Think of it as pulling a private git repo without saving your ssh key to the image. For runtime, it’s often different compose files to support compose vs swarm mode, each mounting the secret a different way, i.e. a volume vs. swarm secret.
How do I enable BuildKit for Jenkins Docker build plugin?
The only reference to BuildKit I was able to find refers to adding support in the Docker Pipeline plugin.
Does BuildKit share the build cache with the legacy builder?
No, the caches are separate.
What are your thoughts on having the testing step as a stage in a multi-stage build?
The test step can be a separate stage in the build. If the test step requires a special tool to be installed, it can be a second final stage. If your multi-stage build increases in complexity, take a look at CI/CD tools.
How does pulling the previous image save time over just doing the build? The download can be significantly faster than redoing all the work.
Is the created image still “identical” or is there any real difference in the final image artifact?
The legacy builder, as well as BuildKit, produces identical (or rather equivalent) images.
Will Docker inspect show that the image was built using BuildKit?
Do you know any combination of debugging with docker images/containers (I use the following technologies: python and Django and Pycharm)?
No. Anyone have any advice here?
Is Docker BuildKit supported with maven Dockerfile plugin?
If the question is referring to Spotify’s Dockerfile Maven plugin (which is unmaintained), the answer is no. Other plugins may be able to use BuildKit when providing the environment variable DOCKER_BUILDKIT=1. Instead of changing the way the client works, you could configure the daemon to use BuildKit by default (see first question above).
What do you think about CRI-O?
I think that containerd has gained more visibility and has been adopted by many cloud providers as the runtime in Kubernetes offerings. But I have no experience myself with CRI-O.