Improve Your Image Builds
Using BuildKit
Nicholas Dille, Haufe.Group
Docker Captain & Microsoft MVP
@nicholasdille
Nicholas Dille
Husband, father, ops, automator
since 2003
since 2009
since 2010
since 2017
since 2016
Blogger
Speaker
Microsoft MVP
Docker Captain
Haufe.Group
Agenda
BuildKit?
Multi-stage builds
Build cache
Build secrets
SSH
Caching directories
Using BuildKit without Docker
Demo slides
Build engines
Legacy build engine
Default when running docker build
Has been around since the early days
BuildKit powered build engine
Based on Moby BuildKit
Enabled by environment variable: export DOCKER_BUILDKIT=1
Faster and more flexible than the legacy build engine
Multi Stage Builds
Multiple FROM sections in Dockerfile
Last section represents final image
Copy files between stages
Build intermediate images using --target name
Prerequisites: Docker 17.09
FROM openjdk:8-jdk AS builder
#...
FROM openjdk:8-jre
COPY --from=builder ...
#...
Multi Stage Builds - Separation
Separate build and runtime environments
Build environment        | Runtime environment
-------------------------|------------------------
Compilers (e.g. javac)   | Runtime (e.g. java)
Build dependencies       | Execution dependencies
Build tools (e.g. make)  | -
Large image              | Smaller attack surface
This also works in the legacy builder
Demo: Multi Stage Builds - Separation
Multi-stage with legacy build system:
docker build \
  --tag hello-world-java:multi \
  .
Multi-stage with BuildKit:
DOCKER_BUILDKIT=1 docker build \
  --tag hello-world-java:multi \
  .
Multi Stage Builds - Concurrency
Stages can be built in parallel when using BuildKit
build1 and build2 are built at the same time
Concurrency is determined based on the dependency graph
[Diagram: build1 and build2 are built first, final is built afterwards]
FROM alpine AS build1
RUN touch /opt/binary1
FROM alpine AS build2
RUN touch /opt/binary2
FROM alpine AS final
COPY --from=build1 /opt/binary1 /opt/
COPY --from=build2 /opt/binary2 /opt/
Demo: Multi Stage Builds - Concurrency
Stages have a delay of 10 seconds
Build sequentially using the legacy build engine:
time docker build .
Sequential build will take ~20 seconds
Build in parallel using BuildKit:
DOCKER_BUILDKIT=1 docker build .
Parallel build ~10 seconds
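The concurrency slide says BuildKit decides what can run in parallel from the stage dependency graph. The following script, an added example and not part of the slide deck or the BuildKit project, makes that decision visible: it parses the stage names and cross-stage references (base image, COPY --from, RUN --mount from=) out of a Dockerfile, groups the stages into levels that can be built concurrently, and shows what --target prunes. The regular expressions and the level algorithm are my own simplification of what the Dockerfile frontend does; the sample Dockerfile is the one from the slide.

```python
import re
from collections import defaultdict

# Constructed sample input: the three-stage Dockerfile from the concurrency slide.
SAMPLE_DOCKERFILE = """\
FROM alpine AS build1
RUN touch /opt/binary1
FROM alpine AS build2
RUN touch /opt/binary2
FROM alpine AS final
COPY --from=build1 /opt/binary1 /opt/
COPY --from=build2 /opt/binary2 /opt/
"""

FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
COPY_FROM_RE = re.compile(r"^\s*COPY\s+(?:--\S+\s+)*--from=(\S+)", re.I)
MOUNT_FROM_RE = re.compile(r"^\s*RUN\s+.*--mount=\S*\bfrom=([^,\s]+)", re.I)


def parse_stages(dockerfile):
    """Map each stage name to the set of earlier stages it depends on.
    A stage depends on another when it uses it as base image, copies from it
    (COPY --from) or mounts it (RUN --mount=...,from=). Unnamed stages are
    keyed by their index, as Docker itself does. References to images that
    are not stages (e.g. --from=alpine) are not dependencies inside the graph."""
    deps = {}
    current = None
    for line in dockerfile.splitlines():
        m = FROM_RE.match(line)
        if m:
            base, name = m.group(1), m.group(2) or str(len(deps))
            current = name
            deps[name] = {base} if base in deps else set()
            continue
        if current is None:
            continue
        for rx in (COPY_FROM_RE, MOUNT_FROM_RE):
            m = rx.match(line)
            if m and m.group(1) in deps and m.group(1) != current:
                deps[current].add(m.group(1))
    return deps


def build_levels(deps, target=None):
    """Group stages into levels: every stage in a level only depends on earlier
    levels, so BuildKit can build a whole level concurrently. With target set,
    stages the target does not need are pruned, which is what --target does."""
    needed = set(deps)
    if target is not None:
        needed, stack = set(), [target]
        while stack:
            s = stack.pop()
            if s not in needed:
                needed.add(s)
                stack.extend(deps[s])
    level = {}

    def depth(s):
        if s not in level:
            level[s] = 1 + max((depth(d) for d in deps[s]), default=0)
        return level[s]

    grouped = defaultdict(list)
    for s in deps:  # iterate in Dockerfile order so each level keeps it
        if s in needed:
            grouped[depth(s)].append(s)
    return [grouped[k] for k in sorted(grouped)]


def legacy_order(deps, target=None):
    """What the legacy engine does: every stage up to the target, one at a time."""
    names = list(deps)
    if target is not None:
        names = names[: names.index(target) + 1]
    return names


if __name__ == "__main__":
    graph = parse_stages(SAMPLE_DOCKERFILE)
    for n, lvl in enumerate(build_levels(graph), 1):
        print(f"level {n}: {' + '.join(lvl)} (built concurrently)")
    print("legacy order:", " -> ".join(legacy_order(graph)))
```

For the slide's Dockerfile this yields two levels, build1 + build2 and then final, which is why the BuildKit run finishes in roughly one 10-second delay instead of two.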
Classic Build Cache Warming
How it works
Builds may not run on the same host
Pull an image to warm the cache
Internal build cache is ignored when using --cache-from
Prerequisites
Added in Docker 1.13
Image must be present locally
docker pull myimage:1
docker build --cache-from myimage:1 --tag myimage:2
Demo: Classic Build Cache Warming
Build and push image:
docker build --tag localhost:5000/hello-world-java .
docker push localhost:5000/hello-world-java
Reset Docker:
docker system prune --all
Pull image:
docker pull localhost:5000/hello-world-java
Build with cache from local image:
docker build --cache-from localhost:5000/hello-world-java .
Internal build cache is used when image does not exist
BuildKit Cache Warming
How it works
Use remote images to warm the cache
Image layers will be downloaded as needed
Same syntax using --cache-from
Prerequisites
Cache information must be embedded during build
Docker 19.03
Demo: BuildKit Cache Warming
export DOCKER_BUILDKIT=1
Build image with cache information:
docker build \
  --tag localhost:5000/test:1 \
  --build-arg BUILDKIT_INLINE_CACHE=1 \
  .
docker push localhost:5000/test:1
docker system prune --all
Build with remote cache:
docker build \
  --cache-from localhost:5000/test:1 \
  .
Demo: BuildKit Cache Internals
Check manifest for cache information:
curl -s \
  -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
  localhost:5000/v2/test/manifests/1 \
| jq --raw-output '.config.digest' \
| while read CONFIG_DIGEST; do \
    curl -s \
      -H "Accept: application/vnd.docker.container.image.v1+json" \
      localhost:5000/v2/test/blobs/${CONFIG_DIGEST} \
    | jq --raw-output '."moby.buildkit.cache.v0"' \
    | base64 -d \
    | jq; \
  done
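The curl/jq pipeline above walks manifest, config digest, config blob and the base64-encoded moby.buildkit.cache.v0 field. The script below, an added example that is not part of the slides or of BuildKit, does the same walk with a pluggable fetch function so it can run against a live registry or, as here, against constructed in-memory registry content. The layers/records shape of the decoded cache blob is my simplified reading of what BuildKit embeds; treat field names beyond "layers", "records", "blob" and "digest" as assumptions, and the image digests are constructed placeholders.

```python
import base64
import json
from urllib.request import Request, urlopen

MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"
CONFIG_V1 = "application/vnd.docker.container.image.v1+json"
CACHE_KEY = "moby.buildkit.cache.v0"


def http_get(url, accept):
    """Fetch a registry URL with the given Accept header (for a live registry)."""
    req = Request(url, headers={"Accept": accept})
    with urlopen(req, timeout=10) as resp:
        return resp.read()


def inspect_inline_cache(registry, repo, tag, fetch=http_get):
    """Manifest -> config digest -> config blob -> decoded cache. Returns None when
    the config carries no moby.buildkit.cache.v0 field, i.e. the image was built
    without BUILDKIT_INLINE_CACHE=1 or by the legacy engine, so --cache-from
    would not find any cache metadata in it."""
    manifest = json.loads(fetch(f"{registry}/v2/{repo}/manifests/{tag}", MANIFEST_V2))
    digest = manifest["config"]["digest"]
    config = json.loads(fetch(f"{registry}/v2/{repo}/blobs/{digest}", CONFIG_V1))
    encoded = config.get(CACHE_KEY)
    if encoded is None:
        return None
    return json.loads(base64.b64decode(encoded))


def cache_records(cache):
    """Map each cache record digest to the layer blob digests it resolves to."""
    layers = cache.get("layers", [])
    return {
        rec["digest"]: [layers[ref["layer"]]["blob"] for ref in rec.get("layers", [])]
        for rec in cache.get("records", [])
    }


# Constructed sample registry content (no network): one image with inline
# cache metadata and one without. Digests are placeholders, not real values.
_SAMPLE_CACHE = {
    "layers": [{"blob": "sha256:aaaa"}, {"blob": "sha256:bbbb", "parent": 0}],
    "records": [
        {"digest": "sha256:rec1", "layers": [{"createdAt": "2019-10-01T00:00:00Z", "layer": 0}]},
        {"digest": "sha256:rec2", "layers": [{"createdAt": "2019-10-01T00:00:01Z", "layer": 1}]},
    ],
}
_FAKE_REGISTRY = {
    "http://localhost:5000/v2/test/manifests/1": {"schemaVersion": 2, "config": {"digest": "sha256:cfg1"}},
    "http://localhost:5000/v2/test/blobs/sha256:cfg1": {
        "architecture": "amd64",
        CACHE_KEY: base64.b64encode(json.dumps(_SAMPLE_CACHE).encode()).decode(),
    },
    "http://localhost:5000/v2/test/manifests/nocache": {"schemaVersion": 2, "config": {"digest": "sha256:cfg2"}},
    "http://localhost:5000/v2/test/blobs/sha256:cfg2": {"architecture": "amd64"},
}


def fake_fetch(url, accept):
    """Stand-in for http_get that serves the constructed registry content."""
    return json.dumps(_FAKE_REGISTRY[url]).encode()


if __name__ == "__main__":
    cache = inspect_inline_cache("http://localhost:5000", "test", "1", fetch=fake_fetch)
    print(json.dumps(cache_records(cache), indent=2))
    print(inspect_inline_cache("http://localhost:5000", "test", "nocache", fetch=fake_fetch))
```

Against a real registry, call inspect_inline_cache with the default fetch; a None result is the quick way to tell why a --cache-from build is not getting cache hits.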
Build Secrets
Do not provide secrets using environment variables
ENV burns variables into image
Build arguments (ARG/--build-arg) are only one option
BuildKit to the rescue
Mount secrets using tmpfs
Temporary files in /run/secrets/
Introduced in Docker 18.09
Demo: Build Secrets
Use experimental syntax in Dockerfile:
# syntax=docker/dockerfile:experimental
FROM alpine
RUN --mount=type=secret,id=mysite.key \
    ls -l /run/secrets
Build image with secret from mysite.key:
export DOCKER_BUILDKIT=1
docker build \
  --secret id=mysite.key,src=./mysite.key \
  --progress plain \
  .
SSH Agent Forwarding
Do not copy secrets into image layers
Bad example:
FROM ubuntu
COPY id_rsa /root/.ssh/
RUN scp user@somewhere:/tmp/data .
RUN rm /root/.ssh/id_rsa
Layers contain SSH key as well as host and user information
BuildKit to the rescue
Forward the SSH agent socket
Introduced in Docker 18.09
Demo: SSH Agent Forwarding
BuildKit forwards the SSH agent socket
Prepare SSH agent:
ssh-keygen -f id_rsa_test -N ''
eval $(ssh-agent -s)
ssh-add id_rsa_test
ssh-add -l
Forward into build:
export DOCKER_BUILDKIT=1
docker build --ssh default --progress plain .
Compare local and build:
ssh-add -l
Demo: SSH Agent Forwarding without BuildKit
Mount existing SSH agent socket
Create environment variable
Prepare SSH agent:
ssh-keygen -f id_rsa_test
eval $(ssh-agent -s)
ssh-add id_rsa_test
ssh-add -l
Forward into build:
docker run -it --rm \
  --mount type=bind,src=${SSH_AUTH_SOCK},dst=${SSH_AUTH_SOCK} \
  --env SSH_AUTH_SOCK \
  alpine-ssh
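The two preceding topics share one failure mode: ENV and ARG values are recorded in the image history, and a COPY of a key file followed by rm still leaves the file in the earlier layer. The scanner below, an added example and not part of the slides or of Docker, runs over the history array of an image config (the blob retrievable from a registry as in the cache internals demo, or from a docker save archive) and flags exactly those cases, as a review check before an image is pushed. The created_by formats it matches are the ones the classic builder writes; the sample config is constructed to mirror the slide's bad example plus an ENV and a --build-arg secret, and the credential-name pattern is a starting point to tune for your environment. Secrets passed with --mount=type=secret or --ssh leave no such history entry, which is the point of the BuildKit features.

```python
import json
import sys
import re

# Variable names that usually hold credentials (assumed starting point, tune as needed).
SECRET_NAME = re.compile(r"(?i)(key|secret|token|passw|credential)")
# created_by shapes written by the classic builder for ENV, build args and COPY/ADD.
ENV_RE = re.compile(r"#\(nop\)\s+ENV\s+(.+)$")
ARG_RE = re.compile(r"^\|\d+\s+(.+?)\s+/bin/sh -c ")
COPY_RE = re.compile(r"#\(nop\)\s+(?:COPY|ADD)\s+\S+\s+in\s+(\S+)")
KEY_PATH = re.compile(r"(/\.ssh/|id_rsa|id_ed25519|\.pem$|\.key$)")


def scan_history(config):
    """Return (history index, kind, name-or-path) for every entry that bakes a
    secret into the image: ENV/ARG with a credential-like name, or a COPY/ADD of
    key material. A later RUN rm cannot undo this: it only hides the file from
    the final filesystem, the earlier layer still ships it."""
    findings = []
    for idx, entry in enumerate(config.get("history", [])):
        cmd = entry.get("created_by", "")
        for kind, match in (("ENV", ENV_RE.search(cmd)), ("ARG", ARG_RE.match(cmd))):
            if not match:
                continue
            for pair in match.group(1).split():  # ENV/ARG may carry several k=v pairs
                name = pair.split("=", 1)[0]
                if SECRET_NAME.search(name):
                    findings.append((idx, kind, name))
        match = COPY_RE.search(cmd)
        if match and KEY_PATH.search(match.group(1)):
            findings.append((idx, "COPY", match.group(1)))
    return findings


# Constructed sample: history of an image built from the slide's bad example,
# extended with an ENV secret and a --build-arg secret. Values are placeholders.
SAMPLE_CONFIG = {
    "history": [
        {"created_by": "/bin/sh -c #(nop) ADD file:abc in / "},
        {"created_by": "/bin/sh -c #(nop)  ENV API_TOKEN=s3cr3t LANG=C.UTF-8"},
        {"created_by": "|1 NPM_TOKEN=s3cr3t /bin/sh -c npm install"},
        {"created_by": "/bin/sh -c #(nop) COPY file:def in /root/.ssh/ "},
        {"created_by": "/bin/sh -c scp user@somewhere:/tmp/data ."},
        {"created_by": "/bin/sh -c rm /root/.ssh/id_rsa"},
    ]
}


if __name__ == "__main__":
    # Optional argument: path to an image config JSON; otherwise the sample is scanned.
    config = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CONFIG
    for idx, kind, what in scan_history(config):
        print(f"history[{idx}]: {kind} leaks {what}")
```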
Persisting Cache Directories
Modern software development relies on countless dependencies
Filling caches takes time
BuildKit to the rescue
Cache directories can be persisted
Syntax is similar to mounting secrets
# syntax = docker/dockerfile:experimental
FROM ubuntu
RUN --mount=type=cache,target=/tmp/cache \
    ls -l /tmp/cache
Demo: Persisting Cache Directories
Enable BuildKit:
export DOCKER_BUILDKIT=1
Run build:
docker build \
  --progress plain \
  --file Dockerfile.cache-warm \
  .
Run build:
docker build \
  --progress plain \
  --file Dockerfile.cache-check \
  .
Using BuildKit
BuildKit can be used in multiple ways
Uses a client/server architecture (daemon and CLI)
            | Locally | Containerized | Rootless
Docker      | X       | X             | experimental
Daemon/CLI  | Demo    | X             | X
Daemonless  | X       | Demo          | X
Daemonless is just a wrapper for daemon/CLI
Build container images without access to Docker
Demo: BuildKit locally
Run BuildKit locally
Requires daemon and CLI
Run BuildKit daemon locally (stdout and stderr both go to the log file):
sudo buildkitd >/tmp/buildkit.log 2>&1 &
Run build against daemon:
buildctl build \
  --frontend dockerfile.v0 \
  --local context=. \
  --local dockerfile=.
Demo: BuildKit daemonless containerized
Run a containerized BuildKit daemon on-demand:
docker run -it \
  --privileged \
  --volume $PWD:/src \
  --workdir /src \
  --entrypoint buildctl-daemonless.sh \
  moby/buildkit build \
    --frontend dockerfile.v0 \
    --local context=. \
    --local dockerfile=.
Transition to BuildKit
Sometimes it is desirable to change context and Dockerfile
Remember: Context is the path which is packed and sent to the daemon
What you are doing today:
$ docker build \
> --file Dockerfile \
> .
How to do this using BuildKit:
$ buildctl build \
> --frontend dockerfile.v0 \
> --local dockerfile=. \
> --local context=.
Transition to BuildKit
Publish an image in a registry
Docker has taught us to build and push container images:
docker build \
  --tag my_image_name \
  .
docker push my_image_name
BuildKit can directly upload to an image registry:
buildctl build \
  --frontend dockerfile.v0 \
  --local dockerfile=. \
  --local context=. \
  --output type=image,name=my_image_name,push=true
Read more about pushing to image registries
Transition to BuildKit
Pass build arguments to customize the image build
The Docker way:
docker build \
  --build-arg name=value \
  .
The BuildKit way:
buildctl build \
  --frontend dockerfile.v0 \
  --local dockerfile=. \
  --local context=. \
  --opt build-arg:name=value
Transition to BuildKit
Use an existing image as build cache
Docker is able to use a local image:
docker build \
  --cache-from my_image_name \
  --tag my_image_name \
  .
BuildKit can use an image in a registry...
...and download helpful layers:
buildctl build \
  --frontend dockerfile.v0 \
  --local dockerfile=. \
  --local context=. \
  --output type=image,name=my_image_name,push=true \
  --export-cache type=inline \
  --import-cache type=registry,ref=my_image_name
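The four transition slides give a flag-by-flag mapping from docker build to buildctl. The function below, an added example that is not part of the slides or of the BuildKit project, encodes that mapping as one translator so the rules can be applied to a whole invocation at once and checked: context, --file, --tag (paired with push, as on the slides), --build-arg and --cache-from are mapped; anything else raises instead of being dropped silently. The --opt filename= frontend option for a non-default Dockerfile name is taken from buildctl's dockerfile.v0 frontend and is not on the slides; image names in the usage are the slides' placeholders.

```python
import os
import shlex

MAPPED_WITH_VALUE = ("-f", "--file", "-t", "--tag", "--build-arg", "--cache-from")


def docker_build_to_buildctl(argv, push=True):
    """Translate the argument list of a `docker build ...` call into the buildctl
    argument list following the slides. push=True mirrors the slides, where
    --tag stands for build-and-push; push=False exports without pushing.
    Flags without a mapping raise ValueError rather than vanishing."""
    dockerfile_dir, filename, context = ".", None, "."
    tag, build_args, cache_from = None, [], []
    i = 0
    while i < len(argv):
        arg = argv[i]
        key, _, value = arg.partition("=")
        if key in MAPPED_WITH_VALUE and not value:  # separate-token form: --tag NAME
            if i + 1 >= len(argv):
                raise ValueError(f"{arg} needs a value")
            value = argv[i + 1]
            i += 1
        i += 1
        if key in ("-f", "--file"):
            # buildctl takes the directory via --local dockerfile=, the file name via --opt
            dockerfile_dir = os.path.dirname(value) or "."
            if os.path.basename(value) != "Dockerfile":
                filename = os.path.basename(value)
        elif key in ("-t", "--tag"):
            tag = value
        elif key == "--build-arg":
            build_args.append(value)
        elif key == "--cache-from":
            cache_from.append(value)
        elif key.startswith("-"):
            raise ValueError(f"no buildctl mapping for {arg}")
        else:
            context = arg  # the positional build context
    out = ["buildctl", "build", "--frontend", "dockerfile.v0",
           "--local", f"dockerfile={dockerfile_dir}", "--local", f"context={context}"]
    if filename:
        out += ["--opt", f"filename={filename}"]
    for ba in build_args:
        out += ["--opt", f"build-arg:{ba}"]
    if tag:
        out += ["--output", f"type=image,name={tag},push={'true' if push else 'false'}"]
    if cache_from and tag:
        out += ["--export-cache", "type=inline"]  # embed cache metadata, as with BUILDKIT_INLINE_CACHE=1
    for ref in cache_from:
        out += ["--import-cache", f"type=registry,ref={ref}"]
    return out


if __name__ == "__main__":
    for example in (
        ["--file", "Dockerfile", "."],
        ["--tag", "my_image_name", "."],
        ["--build-arg", "name=value", "."],
        ["--cache-from", "my_image_name", "--tag", "my_image_name", "."],
    ):
        print("docker build", shlex.join(example))
        print("  ->", shlex.join(docker_build_to_buildctl(example)))
```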
Summary
BuildKit brings new features to image building
Multi stage builds
Protect secrets using mounts and SSH forwarding
Improve performance by persisting cache directories
Works with and without Docker
Thanks for joining!
Tibor Vass, Tonis Tiigi, Akihiro Suda
(see QR code for slides and demos)
(see here for slide sources)

How to Improve Your Image Builds Using Advance Docker Build
