docs: user guides
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>pull/953/head
parent
2bcf3524e5
commit
f1a8f54c83
@ -0,0 +1,48 @@
|
|||||||
|
# CI/CD
|
||||||
|
|
||||||
|
## GitHub Actions
|
||||||
|
|
||||||
|
Docker provides a [GitHub Action that will build and push your image](https://github.com/docker/build-push-action/#about)
|
||||||
|
using Buildx. Here is a simple workflow:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
name: ci
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
branches:
|
||||||
|
- 'main'
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
docker:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
-
|
||||||
|
name: Set up QEMU
|
||||||
|
uses: docker/setup-qemu-action@v1
|
||||||
|
-
|
||||||
|
name: Set up Docker Buildx
|
||||||
|
uses: docker/setup-buildx-action@v1
|
||||||
|
-
|
||||||
|
name: Login to DockerHub
|
||||||
|
uses: docker/login-action@v1
|
||||||
|
with:
|
||||||
|
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
||||||
|
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
||||||
|
-
|
||||||
|
name: Build and push
|
||||||
|
uses: docker/build-push-action@v2
|
||||||
|
with:
|
||||||
|
push: true
|
||||||
|
tags: user/app:latest
|
||||||
|
```
|
||||||
|
|
||||||
|
In this example we are also using 3 other actions:
|
||||||
|
|
||||||
|
* [`setup-buildx`](https://github.com/docker/setup-buildx-action) action will create and boot a builder using by
|
||||||
|
default the `docker-container` [builder driver](../reference/buildx_create.md#driver).
|
||||||
|
This is **not required but recommended** using it to be able to build multi-platform images, export cache, etc.
|
||||||
|
* [`setup-qemu`](https://github.com/docker/setup-qemu-action) action can be useful if you want
|
||||||
|
to add emulation support with QEMU to be able to build against more platforms.
|
||||||
|
* [`login`](https://github.com/docker/login-action) action will take care to log
|
||||||
|
in against a Docker registry.
|
@ -0,0 +1,23 @@
|
|||||||
|
# CNI networking
|
||||||
|
|
||||||
|
It can be useful to use a bridge network for your builder if for example you
|
||||||
|
encounter a network port contention during multiple builds. If you're using
|
||||||
|
the BuildKit image, CNI is not yet available in it, but you can create
|
||||||
|
[a custom BuildKit image with CNI support](https://github.com/moby/buildkit/blob/master/docs/cni-networking.md).
|
||||||
|
|
||||||
|
Now build this image:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ docker buildx build --tag buildkit-cni:local --load .
|
||||||
|
```
|
||||||
|
|
||||||
|
Then [create a `docker-container` builder](../reference/buildx_create.md) that
|
||||||
|
will use this image:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ docker buildx create --use \
|
||||||
|
--name mybuilder \
|
||||||
|
--driver docker-container \
|
||||||
|
--driver-opt "image=buildkit-cni:local" \
|
||||||
|
--buildkitd-flags "--oci-worker-net=cni"
|
||||||
|
```
|
@ -0,0 +1,48 @@
|
|||||||
|
# Using a custom network
|
||||||
|
|
||||||
|
[Create a network](https://docs.docker.com/engine/reference/commandline/network_create/)
|
||||||
|
named `foonet`:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ docker network create foonet
|
||||||
|
```
|
||||||
|
|
||||||
|
[Create a `docker-container` builder](../reference/buildx_create.md) named
|
||||||
|
`mybuilder` that will use this network:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ docker buildx create --use \
|
||||||
|
--name mybuilder \
|
||||||
|
--driver docker-container \
|
||||||
|
--driver-opt "network=foonet"
|
||||||
|
```
|
||||||
|
|
||||||
|
Boot and [inspect `mybuilder`](../reference/buildx_inspect.md):
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ docker buildx inspect --bootstrap
|
||||||
|
```
|
||||||
|
|
||||||
|
[Inspect the builder container](https://docs.docker.com/engine/reference/commandline/inspect/)
|
||||||
|
and see what network is being used:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ docker inspect buildx_buildkit_mybuilder0 --format={{.NetworkSettings.Networks}}
|
||||||
|
map[foonet:0xc00018c0c0]
|
||||||
|
```
|
||||||
|
|
||||||
|
## What's `buildx_buildkit_mybuilder0`?
|
||||||
|
|
||||||
|
`buildx_buildkit_mybuilder0` is the container name. It can be broken down like this:
|
||||||
|
|
||||||
|
* `buildx_buildkit_` is a hardcoded prefix
|
||||||
|
* `mybuilder0` is the name of the node (defaults to builder name + position in the list of nodes)
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ docker buildx ls
|
||||||
|
NAME/NODE DRIVER/ENDPOINT STATUS PLATFORMS
|
||||||
|
mybuilder * docker-container
|
||||||
|
mybuilder0 unix:///var/run/docker.sock running linux/amd64, linux/arm64, linux/riscv64, linux/ppc64le, linux/s390x, linux/386, linux/mips64le, linux/mips64, linux/arm/v7, linux/arm/v6
|
||||||
|
default docker
|
||||||
|
default default running linux/amd64, linux/arm64, linux/riscv64, linux/ppc64le, linux/s390x, linux/386, linux/arm/v7, linux/arm/v6
|
||||||
|
```
|
@ -0,0 +1,63 @@
|
|||||||
|
# Using a custom registry configuration
|
||||||
|
|
||||||
|
If you [create a `docker-container` or `kubernetes` builder](../reference/buildx_create.md) and
|
||||||
|
have specified certificates for registries in the [BuildKit daemon configuration](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md),
|
||||||
|
the files will be copied into the container under `/etc/buildkit/certs` and
|
||||||
|
configuration will be updated to reflect that.
|
||||||
|
|
||||||
|
Take the following `buildkitd.toml` configuration that will be used for
|
||||||
|
pushing an image to this registry using self-signed certificates:
|
||||||
|
|
||||||
|
```toml"
|
||||||
|
debug = true
|
||||||
|
[registry."myregistry.com"]
|
||||||
|
ca=["/etc/certs/myregistry.pem"]
|
||||||
|
[[registry."myregistry.com".keypair]]
|
||||||
|
key="/etc/certs/myregistry_key.pem"
|
||||||
|
cert="/etc/certs/myregistry_cert.pem"
|
||||||
|
```
|
||||||
|
> `/etc/buildkitd.toml`
|
||||||
|
|
||||||
|
Here we have configured a self-signed certificate for `myregistry.com` registry.
|
||||||
|
|
||||||
|
Now [create a `docker-container` builder](../reference/buildx_create.md)
|
||||||
|
that will use this BuildKit configuration:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ docker buildx create --use \
|
||||||
|
--name mybuilder \
|
||||||
|
--driver docker-container \
|
||||||
|
--config /etc/buildkitd.toml
|
||||||
|
```
|
||||||
|
|
||||||
|
Inspecting the builder container, you can see that buildkitd configuration
|
||||||
|
has changed:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ docker exec -it buildx_buildkit_mybuilder0 cat /etc/buildkit/buildkitd.toml
|
||||||
|
```
|
||||||
|
```toml
|
||||||
|
debug = true
|
||||||
|
|
||||||
|
[registry]
|
||||||
|
|
||||||
|
[registry."myregistry.com"]
|
||||||
|
ca = ["/etc/buildkit/certs/myregistry.com/myregistry.pem"]
|
||||||
|
|
||||||
|
[[registry."myregistry.com".keypair]]
|
||||||
|
cert = "/etc/buildkit/certs/myregistry.com/myregistry_cert.pem"
|
||||||
|
key = "/etc/buildkit/certs/myregistry.com/myregistry_key.pem"
|
||||||
|
```
|
||||||
|
|
||||||
|
And certificates copied inside the container:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ docker exec -it buildx_buildkit_mybuilder0 ls /etc/buildkit/certs/myregistry.com/
|
||||||
|
myregistry.pem myregistry_cert.pem myregistry_key.pem
|
||||||
|
```
|
||||||
|
|
||||||
|
Now you should be able to push to the registry with this builder:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ docker buildx build --push --tag myregistry.com/myimage:latest .
|
||||||
|
```
|
@ -0,0 +1,31 @@
|
|||||||
|
# OpenTelemetry support
|
||||||
|
|
||||||
|
To capture the trace to [Jaeger](https://github.com/jaegertracing/jaeger), set
|
||||||
|
`JAEGER_TRACE` environment variable to the collection address using a `driver-opt`.
|
||||||
|
|
||||||
|
First create a Jaeger container:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ docker run -d --name jaeger -p "6831:6831/udp" -p "16686:16686" jaegertracing/all-in-one
|
||||||
|
```
|
||||||
|
|
||||||
|
Then [create a `docker-container` builder](../reference/buildx_create.md)
|
||||||
|
that will use the Jaeger instance via the `JAEGER_TRACE` env var:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ docker buildx create --use \
|
||||||
|
--name mybuilder \
|
||||||
|
--driver docker-container \
|
||||||
|
--driver-opt "network=host" \
|
||||||
|
--driver-opt "env.JAEGER_TRACE=localhost:6831"
|
||||||
|
```
|
||||||
|
|
||||||
|
Boot and [inspect `mybuilder`](../reference/buildx_inspect.md):
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ docker buildx inspect --bootstrap
|
||||||
|
```
|
||||||
|
|
||||||
|
Buildx commands should be traced at `http://127.0.0.1:16686/`:
|
||||||
|
|
||||||
|
![](https://user-images.githubusercontent.com/1951866/124468052-ef085400-dd98-11eb-84ab-7ac8e261dd52.png)
|
@ -0,0 +1,60 @@
|
|||||||
|
# Registry mirror
|
||||||
|
|
||||||
|
You can define a registry mirror to use for your builds by providing a [BuildKit daemon configuration](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md)
|
||||||
|
while creating a builder with the [`--config` flags](../reference/buildx_create.md#config).
|
||||||
|
|
||||||
|
```toml
|
||||||
|
debug = true
|
||||||
|
[registry."docker.io"]
|
||||||
|
mirrors = ["mirror.gcr.io"]
|
||||||
|
```
|
||||||
|
> `/etc/buildkitd.toml`
|
||||||
|
|
||||||
|
> :information_source: `debug = true` has been added to be able to debug requests
|
||||||
|
in the BuildKit daemon and see if the mirror is effectively used.
|
||||||
|
|
||||||
|
Then [create a `docker-container` builder](../reference/buildx_create.md)
|
||||||
|
that will use this BuildKit configuration:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ docker buildx create --use \
|
||||||
|
--name mybuilder \
|
||||||
|
--driver docker-container \
|
||||||
|
--config /etc/buildkitd.toml
|
||||||
|
```
|
||||||
|
|
||||||
|
Boot and [inspect `mybuilder`](../reference/buildx_inspect.md):
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ docker buildx inspect --bootstrap
|
||||||
|
```
|
||||||
|
|
||||||
|
Build an image:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ docker buildx build --load . -f-<<EOF
|
||||||
|
FROM alpine
|
||||||
|
RUN echo "hello world"
|
||||||
|
EOF
|
||||||
|
```
|
||||||
|
|
||||||
|
Now let's check the BuildKit logs in the builder container:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ docker logs buildx_buildkit_mybuilder0
|
||||||
|
```
|
||||||
|
```text
|
||||||
|
...
|
||||||
|
time="2022-02-06T17:47:48Z" level=debug msg="do request" request.header.accept="application/vnd.docker.container.image.v1+json, */*" request.header.user-agent=containerd/1.5.8+unknown request.method=GET spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
|
||||||
|
time="2022-02-06T17:47:48Z" level=debug msg="fetch response received" response.header.accept-ranges=bytes response.header.age=1356 response.header.alt-svc="h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000,h3-Q050=\":443\"; ma=2592000,h3-Q046=\":443\"; ma=2592000,h3-Q043=\":443\"; ma=2592000,quic=\":443\"; ma=2592000; v=\"46,43\"" response.header.cache-control="public, max-age=3600" response.header.content-length=1469 response.header.content-type=application/octet-stream response.header.date="Sun, 06 Feb 2022 17:25:17 GMT" response.header.etag="\"774380abda8f4eae9a149e5d5d3efc83\"" response.header.expires="Sun, 06 Feb 2022 18:25:17 GMT" response.header.last-modified="Wed, 24 Nov 2021 21:07:57 GMT" response.header.server=UploadServer response.header.x-goog-generation=1637788077652182 response.header.x-goog-hash="crc32c=V3DSrg==" response.header.x-goog-hash.1="md5=d0OAq9qPTq6aFJ5dXT78gw==" response.header.x-goog-metageneration=1 response.header.x-goog-storage-class=STANDARD response.header.x-goog-stored-content-encoding=identity response.header.x-goog-stored-content-length=1469 response.header.x-guploader-uploadid=ADPycduqQipVAXc3tzXmTzKQ2gTT6CV736B2J628smtD1iDytEyiYCgvvdD8zz9BT1J1sASUq9pW_ctUyC4B-v2jvhIxnZTlKg response.status="200 OK" spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
|
||||||
|
time="2022-02-06T17:47:48Z" level=debug msg="fetch response received" response.header.accept-ranges=bytes response.header.age=760 response.header.alt-svc="h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000,h3-Q050=\":443\"; ma=2592000,h3-Q046=\":443\"; ma=2592000,h3-Q043=\":443\"; ma=2592000,quic=\":443\"; ma=2592000; v=\"46,43\"" response.header.cache-control="public, max-age=3600" response.header.content-length=1471 response.header.content-type=application/octet-stream response.header.date="Sun, 06 Feb 2022 17:35:13 GMT" response.header.etag="\"35d688bd15327daafcdb4d4395e616a8\"" response.header.expires="Sun, 06 Feb 2022 18:35:13 GMT" response.header.last-modified="Wed, 24 Nov 2021 21:07:12 GMT" response.header.server=UploadServer response.header.x-goog-generation=1637788032100793 response.header.x-goog-hash="crc32c=aWgRjA==" response.header.x-goog-hash.1="md5=NdaIvRUyfar8201DleYWqA==" response.header.x-goog-metageneration=1 response.header.x-goog-storage-class=STANDARD response.header.x-goog-stored-content-encoding=identity response.header.x-goog-stored-content-length=1471 response.header.x-guploader-uploadid=ADPycdtR-gJYwC7yHquIkJWFFG8FovDySvtmRnZBqlO3yVDanBXh_VqKYt400yhuf0XbQ3ZMB9IZV2vlcyHezn_Pu3a1SMMtiw response.status="200 OK" spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
|
||||||
|
time="2022-02-06T17:47:48Z" level=debug msg=fetch spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
|
||||||
|
time="2022-02-06T17:47:48Z" level=debug msg=fetch spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
|
||||||
|
time="2022-02-06T17:47:48Z" level=debug msg=fetch spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
|
||||||
|
time="2022-02-06T17:47:48Z" level=debug msg=fetch spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
|
||||||
|
time="2022-02-06T17:47:48Z" level=debug msg="do request" request.header.accept="application/vnd.docker.image.rootfs.diff.tar.gzip, */*" request.header.user-agent=containerd/1.5.8+unknown request.method=GET spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
|
||||||
|
time="2022-02-06T17:47:48Z" level=debug msg="fetch response received" response.header.accept-ranges=bytes response.header.age=1356 response.header.alt-svc="h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000,h3-Q050=\":443\"; ma=2592000,h3-Q046=\":443\"; ma=2592000,h3-Q043=\":443\"; ma=2592000,quic=\":443\"; ma=2592000; v=\"46,43\"" response.header.cache-control="public, max-age=3600" response.header.content-length=2818413 response.header.content-type=application/octet-stream response.header.date="Sun, 06 Feb 2022 17:25:17 GMT" response.header.etag="\"1d55e7be5a77c4a908ad11bc33ebea1c\"" response.header.expires="Sun, 06 Feb 2022 18:25:17 GMT" response.header.last-modified="Wed, 24 Nov 2021 21:07:06 GMT" response.header.server=UploadServer response.header.x-goog-generation=1637788026431708 response.header.x-goog-hash="crc32c=ZojF+g==" response.header.x-goog-hash.1="md5=HVXnvlp3xKkIrRG8M+vqHA==" response.header.x-goog-metageneration=1 response.header.x-goog-storage-class=STANDARD response.header.x-goog-stored-content-encoding=identity response.header.x-goog-stored-content-length=2818413 response.header.x-guploader-uploadid=ADPycdsebqxiTBJqZ0bv9zBigjFxgQydD2ESZSkKchpE0ILlN9Ibko3C5r4fJTJ4UR9ddp-UBd-2v_4eRpZ8Yo2llW_j4k8WhQ response.status="200 OK" spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
|
||||||
|
...
|
||||||
|
```
|
||||||
|
|
||||||
|
As you can see, requests come from the GCR registry mirror (`response.header.x-goog*`).
|
@ -0,0 +1,33 @@
|
|||||||
|
# Resource limiting
|
||||||
|
|
||||||
|
## Max parallelism
|
||||||
|
|
||||||
|
You can limit the parallelism of the BuildKit solver, which is particularly useful
|
||||||
|
for low-powered machines, using a [BuildKit daemon configuration](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md)
|
||||||
|
while creating a builder with the [`--config` flags](../reference/buildx_create.md#config).
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[worker.oci]
|
||||||
|
max-parallelism = 4
|
||||||
|
```
|
||||||
|
> `/etc/buildkitd.toml`
|
||||||
|
|
||||||
|
Now you can [create a `docker-container` builder](../reference/buildx_create.md)
|
||||||
|
that will use this BuildKit configuration to limit parallelism.
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ docker buildx create --use \
|
||||||
|
--name mybuilder \
|
||||||
|
--driver docker-container \
|
||||||
|
--config /etc/buildkitd.toml
|
||||||
|
```
|
||||||
|
|
||||||
|
## Limit on TCP connections
|
||||||
|
|
||||||
|
We are also now limiting TCP connections to **4 per registry** with an additional
|
||||||
|
connection not used for layer pulls and pushes. This limitation will be able to
|
||||||
|
manage TCP connection per host to avoid your build being stuck while pulling
|
||||||
|
images. The additional connection is used for metadata requests
|
||||||
|
(image config retrieval) to enhance the overall build time.
|
||||||
|
|
||||||
|
More info: [moby/buildkit#2259](https://github.com/moby/buildkit/pull/2259)
|
Loading…
Reference in New Issue