Configure BuildKit
If you create a `docker-container` or `kubernetes` builder with Buildx, you can apply a custom BuildKit configuration by passing the `--buildkitd-config` flag to the `docker buildx create` command.
Registry mirror
You can define a registry mirror to use for your builds. Doing so redirects BuildKit to pull images from a different hostname. The following steps show how to define a mirror for `docker.io` (Docker Hub) that points at `mirror.gcr.io`.
Create a TOML file at `/etc/buildkitd.toml` with the following content:
debug = true
[registry."docker.io"]
mirrors = ["mirror.gcr.io"]
Note: `debug = true` turns on debug requests in the BuildKit daemon, which logs a message showing when a mirror is being used.
Create a `docker-container` builder that uses this BuildKit configuration:
$ docker buildx create --use --bootstrap \
--name mybuilder \
--driver docker-container \
--buildkitd-config /etc/buildkitd.toml
Build an image:
$ docker buildx build --load . -f - <<EOF
FROM alpine
RUN echo "hello world"
EOF
The BuildKit logs for this builder now show that it uses the GCR mirror. You can tell from the fact that the response messages contain the `x-goog-*` HTTP headers.
$ docker logs buildx_buildkit_mybuilder0
...
time="2022-02-06T17:47:48Z" level=debug msg="do request" request.header.accept="application/vnd.docker.container.image.v1+json, */*" request.header.user-agent=containerd/1.5.8+unknown request.method=GET spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
time="2022-02-06T17:47:48Z" level=debug msg="fetch response received" response.header.accept-ranges=bytes response.header.age=1356 response.header.alt-svc="h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000,h3-Q050=\":443\"; ma=2592000,h3-Q046=\":443\"; ma=2592000,h3-Q043=\":443\"; ma=2592000,quic=\":443\"; ma=2592000; v=\"46,43\"" response.header.cache-control="public, max-age=3600" response.header.content-length=1469 response.header.content-type=application/octet-stream response.header.date="Sun, 06 Feb 2022 17:25:17 GMT" response.header.etag="\"774380abda8f4eae9a149e5d5d3efc83\"" response.header.expires="Sun, 06 Feb 2022 18:25:17 GMT" response.header.last-modified="Wed, 24 Nov 2021 21:07:57 GMT" response.header.server=UploadServer response.header.x-goog-generation=1637788077652182 response.header.x-goog-hash="crc32c=V3DSrg==" response.header.x-goog-hash.1="md5=d0OAq9qPTq6aFJ5dXT78gw==" response.header.x-goog-metageneration=1 response.header.x-goog-storage-class=STANDARD response.header.x-goog-stored-content-encoding=identity response.header.x-goog-stored-content-length=1469 response.header.x-guploader-uploadid=ADPycduqQipVAXc3tzXmTzKQ2gTT6CV736B2J628smtD1iDytEyiYCgvvdD8zz9BT1J1sASUq9pW_ctUyC4B-v2jvhIxnZTlKg response.status="200 OK" spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
time="2022-02-06T17:47:48Z" level=debug msg="fetch response received" response.header.accept-ranges=bytes response.header.age=760 response.header.alt-svc="h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000,h3-Q050=\":443\"; ma=2592000,h3-Q046=\":443\"; ma=2592000,h3-Q043=\":443\"; ma=2592000,quic=\":443\"; ma=2592000; v=\"46,43\"" response.header.cache-control="public, max-age=3600" response.header.content-length=1471 response.header.content-type=application/octet-stream response.header.date="Sun, 06 Feb 2022 17:35:13 GMT" response.header.etag="\"35d688bd15327daafcdb4d4395e616a8\"" response.header.expires="Sun, 06 Feb 2022 18:35:13 GMT" response.header.last-modified="Wed, 24 Nov 2021 21:07:12 GMT" response.header.server=UploadServer response.header.x-goog-generation=1637788032100793 response.header.x-goog-hash="crc32c=aWgRjA==" response.header.x-goog-hash.1="md5=NdaIvRUyfar8201DleYWqA==" response.header.x-goog-metageneration=1 response.header.x-goog-storage-class=STANDARD response.header.x-goog-stored-content-encoding=identity response.header.x-goog-stored-content-length=1471 response.header.x-guploader-uploadid=ADPycdtR-gJYwC7yHquIkJWFFG8FovDySvtmRnZBqlO3yVDanBXh_VqKYt400yhuf0XbQ3ZMB9IZV2vlcyHezn_Pu3a1SMMtiw response.status="200 OK" spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
time="2022-02-06T17:47:48Z" level=debug msg=fetch spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
time="2022-02-06T17:47:48Z" level=debug msg=fetch spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
time="2022-02-06T17:47:48Z" level=debug msg=fetch spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
time="2022-02-06T17:47:48Z" level=debug msg=fetch spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
time="2022-02-06T17:47:48Z" level=debug msg="do request" request.header.accept="application/vnd.docker.image.rootfs.diff.tar.gzip, */*" request.header.user-agent=containerd/1.5.8+unknown request.method=GET spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
time="2022-02-06T17:47:48Z" level=debug msg="fetch response received" response.header.accept-ranges=bytes response.header.age=1356 response.header.alt-svc="h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000,h3-Q050=\":443\"; ma=2592000,h3-Q046=\":443\"; ma=2592000,h3-Q043=\":443\"; ma=2592000,quic=\":443\"; ma=2592000; v=\"46,43\"" response.header.cache-control="public, max-age=3600" response.header.content-length=2818413 response.header.content-type=application/octet-stream response.header.date="Sun, 06 Feb 2022 17:25:17 GMT" response.header.etag="\"1d55e7be5a77c4a908ad11bc33ebea1c\"" response.header.expires="Sun, 06 Feb 2022 18:25:17 GMT" response.header.last-modified="Wed, 24 Nov 2021 21:07:06 GMT" response.header.server=UploadServer response.header.x-goog-generation=1637788026431708 response.header.x-goog-hash="crc32c=ZojF+g==" response.header.x-goog-hash.1="md5=HVXnvlp3xKkIrRG8M+vqHA==" response.header.x-goog-metageneration=1 response.header.x-goog-storage-class=STANDARD response.header.x-goog-stored-content-encoding=identity response.header.x-goog-stored-content-length=2818413 response.header.x-guploader-uploadid=ADPycdsebqxiTBJqZ0bv9zBigjFxgQydD2ESZSkKchpE0ILlN9Ibko3C5r4fJTJ4UR9ddp-UBd-2v_4eRpZ8Yo2llW_j4k8WhQ response.status="200 OK" spanID=9460e5b6e64cec91 traceID=b162d3040ddf86d6614e79c66a01a577
...
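As an added example (not part of the Docker documentation or of BuildKit itself), the following POSIX shell snippet makes the log check above scriptable: it counts the `fetch response received` events in the builder's debug log and reports how many of them carried the mirror's `x-goog-*` response headers, so a CI job can fail when pulls were served from somewhere other than the configured mirror. The log lines embedded in it are constructed samples in the format shown above, trimmed to the headers that matter.

```shell
#!/bin/sh
# Added example, not from the Docker docs page or the BuildKit project.
# Confirms from `docker logs buildx_buildkit_mybuilder0` output that blob
# fetches were answered by the GCR mirror, using only the x-goog-* response
# headers the page points at. SAMPLE_LOG is a constructed, shortened sample.

SAMPLE_LOG='time="2022-02-06T17:47:48Z" level=debug msg="fetch response received" response.header.server=UploadServer response.header.x-goog-generation=1637788077652182 response.status="200 OK"
time="2022-02-06T17:47:48Z" level=debug msg="fetch response received" response.header.x-goog-hash="crc32c=V3DSrg==" response.status="200 OK"
time="2022-02-06T17:47:49Z" level=debug msg="fetch response received" response.header.docker-distribution-api-version=registry/2.0 response.status="200 OK"'

# mirror_hits LOG HEADER_PREFIX: print "<hits> <total>", where total counts the
# "fetch response received" events and hits those carrying the header prefix.
mirror_hits() {
  printf '%s\n' "$1" | awk -v marker="response.header.$2" '
    /msg="fetch response received"/ {
      total++
      if (index($0, marker) > 0) hits++
    }
    END { printf "%d %d\n", hits, total }'
}

# mirror_used LOG HEADER_PREFIX: succeed only when at least one fetch happened
# and every fetch went through the mirror; a single miss means the mirror is
# not fully in effect and the build is still reaching the upstream registry.
mirror_used() {
  set -- $(mirror_hits "$1" "$2")
  [ "$1" -gt 0 ] && [ "$1" -eq "$2" ]
}

# Typical use against a live builder (uncomment to run):
# mirror_used "$(docker logs buildx_buildkit_mybuilder0 2>&1)" x-goog- \
#   && echo "mirror.gcr.io served every fetch"
```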
Setting registry certificates
If you specify registry certificates in the BuildKit configuration, the daemon copies the files into the container under `/etc/buildkit/certs`. The following steps show how to add a self-signed registry certificate to the BuildKit configuration.
Add the following configuration to `/etc/buildkitd.toml`:
# /etc/buildkitd.toml
debug = true
[registry."myregistry.com"]
ca=["/etc/certs/myregistry.pem"]
[[registry."myregistry.com".keypair]]
key="/etc/certs/myregistry_key.pem"
cert="/etc/certs/myregistry_cert.pem"
This tells the builder to push images to the `myregistry.com` registry using the certificates in the specified location (`/etc/certs`).
Create a `docker-container` builder that uses this configuration:
$ docker buildx create --use --bootstrap \
--name mybuilder \
--driver docker-container \
--buildkitd-config /etc/buildkitd.toml
Inspect the builder's configuration file (`/etc/buildkit/buildkitd.toml`); it shows that the certificate configuration is now in place in the builder, with the paths rewritten to the copies under `/etc/buildkit/certs`:
$ docker exec -it buildx_buildkit_mybuilder0 cat /etc/buildkit/buildkitd.toml
debug = true
[registry]
[registry."myregistry.com"]
ca = ["/etc/buildkit/certs/myregistry.com/myregistry.pem"]
[[registry."myregistry.com".keypair]]
cert = "/etc/buildkit/certs/myregistry.com/myregistry_cert.pem"
key = "/etc/buildkit/certs/myregistry.com/myregistry_key.pem"
Verify that the certificates are inside the container:
$ docker exec -it buildx_buildkit_mybuilder0 ls /etc/buildkit/certs/myregistry.com/
myregistry.pem
myregistry_cert.pem
myregistry_key.pem
Now you can push to the registry using this builder, and it will authenticate using the certificates:
$ docker buildx build --push --tag myregistry.com/myimage:latest .
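As an added example (not from the Docker docs or the BuildKit project), this POSIX shell preflight reads the `ca`, `key` and `cert` paths out of a `buildkitd.toml` of the shape shown above and checks, before the builder is created, that every referenced file is readable and that the private key is not readable by group or other users, since the daemon copies that key into the builder container. It assumes paths without spaces; the `cert_entries` and `check_certs` names are its own.

```shell
#!/bin/sh
# Added example, not from the Docker docs page or the BuildKit project.
# Preflight for the certificate paths referenced by a buildkitd.toml, run
# before `docker buildx create --buildkitd-config <file>`. Assumes the TOML
# layout shown on the page (ca=[...], key=..., cert=...) and no spaces in paths.

# cert_entries CONFIG: print "kind=path" for every ca/key/cert entry, one per
# line; a ca list with several files yields one line per file.
cert_entries() {
  awk -F'=' '
    /^[ \t]*(ca|key|cert)[ \t]*=/ {
      kind = $1; gsub(/[ \t]/, "", kind)
      vals = $2; gsub(/[][" ]/, "", vals)
      n = split(vals, parts, ",")
      for (i = 1; i <= n; i++) if (parts[i] != "") print kind "=" parts[i]
    }' "$1"
}

# check_certs CONFIG: return 0 when every referenced file is readable and the
# key file has no group/other permission bits; print one line per problem.
check_certs() {
  rc=0
  for e in $(cert_entries "$1"); do
    kind=${e%%=*}
    p=${e#*=}
    if [ ! -r "$p" ]; then
      echo "$kind: missing or unreadable: $p"
      rc=1
      continue
    fi
    if [ "$kind" = "key" ]; then
      # columns 5-10 of `ls -l` output are the group and other permission bits
      mode=$(ls -ld "$p" | cut -c5-10)
      if [ "$mode" != "------" ]; then
        echo "key: private key readable by others ($mode): $p"
        rc=1
      fi
    fi
  done
  return $rc
}

# Usage on the page's configuration (uncomment to run):
# check_certs /etc/buildkitd.toml && docker buildx create --use --bootstrap \
#   --name mybuilder --driver docker-container --buildkitd-config /etc/buildkitd.toml
```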
CNI networking
CNI networking for builders is useful for handling network port contention during concurrent builds. CNI is not yet available in the default BuildKit image, but you can create your own image that includes CNI support.
The following Dockerfile example shows a custom BuildKit image with CNI support. It uses the CNI configuration that BuildKit uses for its integration tests as an example. Feel free to include your own CNI configuration.
# syntax=docker/dockerfile:1
ARG BUILDKIT_VERSION=v0.24.0
ARG CNI_VERSION=v1.0.1
FROM --platform=$BUILDPLATFORM alpine AS cni-plugins
RUN apk add --no-cache curl
ARG CNI_VERSION
ARG TARGETOS
ARG TARGETARCH
WORKDIR /opt/cni/bin
RUN curl -Ls https://github.com/containernetworking/plugins/releases/download/$CNI_VERSION/cni-plugins-$TARGETOS-$TARGETARCH-$CNI_VERSION.tgz | tar xzv
FROM moby/buildkit:${BUILDKIT_VERSION}
ARG BUILDKIT_VERSION
RUN apk add --no-cache iptables
COPY --from=cni-plugins /opt/cni/bin /opt/cni/bin
ADD https://raw.githubusercontent.com/moby/buildkit/${BUILDKIT_VERSION}/hack/fixtures/cni.json /etc/buildkit/cni.json
Now you can build this image and create a builder instance from it using the `--driver-opt image` option:
$ docker buildx build --tag buildkit-cni:local --load .
$ docker buildx create --use --bootstrap \
--name mybuilder \
--driver docker-container \
--driver-opt "image=buildkit-cni:local" \
--buildkitd-flags "--oci-worker-net=cni"
Resource limiting
Max parallelism
You can limit the parallelism of the BuildKit solver, which is particularly useful for low-powered machines, by using a BuildKit configuration when creating a builder with the `--buildkitd-config` flag:
# /etc/buildkitd.toml
[worker.oci]
max-parallelism = 4
Now you can create a `docker-container` builder that uses this BuildKit configuration to limit parallelism:
$ docker buildx create --use \
--name mybuilder \
--driver docker-container \
--buildkitd-config /etc/buildkitd.toml
TCP connection limit
TCP connections are limited to 4 simultaneous connections per registry for pulling and pushing images, plus one additional connection dedicated to metadata requests. This connection limit prevents your build from getting stuck while pulling images. The dedicated metadata connection helps reduce the overall build time.
More information: moby/buildkit#2259