A Concourse task for building OCI
images. Currently uses
buildkit for building.
A stretch goal of this is to support running without privileged: true, though
it currently still requires it.
The task implementation is available as an image on Docker Hub at
concourse/oci-build-task.
(This image is built from Dockerfile using the oci-build task
itself.)
This task implementation started as a spike to explore patterns around reusable tasks to hopefully lead to a proper RFC. Until that RFC is written and implemented, configuration is still done by way of providing your own task config as follows:
First, your task needs to point to the oci-build-task image:
image_resource:
type: registry-image
source:
repository: concourse/oci-build-taskAny of the following optional parameters may be specified. These are all exposed as environment variables to the task, therefore only string values are allowed. This is a pain point with re-usable tasks that will ideally be resolved by prototypes.
-
CONTEXT(default.): the path to the directory to provide as the context for the build. -
DOCKERFILE(default$CONTEXT/Dockerfile): the path to theDockerfileto build. -
BUILDKIT_SSHyour ssh key location that is mounted in yourDockerfile. This is generally used for pulling dependencies from private repositories.For Example. In your
Dockerfile, you can mount a key asRUN --mount=type=ssh,id=github_ssh_key pip install -U -r ./hats/requirements-test.txtThen in your Concourse YAML configuration:
params: BUILDKIT_SSH: github_ssh_key=<PATH-TO-YOUR-KEY>Read more about ssh mount here.
-
BUILD_ARG_*: params prefixed withBUILD_ARG_will be provided as build args. For exampleBUILD_ARG_foo=bar, will set thefoobuild arg asbar. -
BUILD_ARGS_FILE(default empty): path to a file containing build args. By default the task will assume each line is in the formfoo=bar, one per line. Empty lines are skipped. If the file ends inymloryamlit will be parsed as a YAML file. The YAML file can only contain string keys and values.Example simple file contents:
[email protected] HOW_MANY_THINGS=1 DO_THING=falseExample YAML file contents:
EMAIL: [email protected] HOW_MANY_THINGS: "1" DO_THING: "false" MULTI_LINE_ARG: | thing1 thing2
-
BUILDKIT_SECRET_*: files with extra secrets which are made available via--mount=type=secret,id=.... See New Docker Build secret information for more information on build secrets.For example, running with
BUILDKIT_SECRET_config=my-repo/configwill allow you to do the following...RUN --mount=type=secret,id=config cat /run/secrets/config -
BUILDKIT_SECRETTEXT_*: literal text of extra secrets to be made available via the same mechanism described for$BUILDKIT_SECRET_*above. The difference is that this is easier to use with credential managers:BUILDKIT_SECRETTEXT_mysecret=(( mysecret ))puts the content that(( mysecret ))expands to in/run/secrets/mysecret. -
IMAGE_ARG_*: params prefixed withIMAGE_ARG_*point to image tarballs (i.e.docker saveformat) or path to images in OCI layout format, to preload so that they do not have to be fetched during the build. An image reference will be provided as the given build arg name. For example,IMAGE_ARG_base_image=ubuntu/image.tarwill setbase_imageto a local image reference for usingubuntu/image.tar.This must be accepted as an argument for use; for example:
ARG base_image FROM ${base_image} -
IMAGE_PLATFORM: Specify the target platform(s) to build the image for. For exampleIMAGE_PLATFORM=linux/arm64,linux/amd64will build the image for the Linux OS and architecturesarm64andamd64. By default, images will be built for the current worker's platform that the task is running on. If multiple platforms are specified,OUTPUT_OCIwill be set totrueautomatically, resulting in the output being a directory instead of a tarball. -
LABEL_*: params prefixed withLABEL_will be set as image labels. For exampleLABEL_foo=bar, will set thefoolabel tobar. -
LABELS_FILE(default empty): path to a file containing labels in the formfoo=bar, one per line. Empty lines are skipped. -
TARGET(default empty): a target build stage to build, as named with theFROM … AS <NAME>syntax in yourDockerfile. -
TARGET_FILE(default empty): path to a file containing the name of the target build stage to build. -
ADDITIONAL_TARGETS(default empty): a comma-separated (,) list of additional target build stages to build. -
REGISTRY_MIRRORS(default empty): a comma-separated (,) list of registry mirrors to use fordocker.io. If you need to specify authentication details then consider usingBUILDKIT_EXTRA_CONFIGinstead. -
UNPACK_ROOTFS(defaultfalse): unpack the image as Concourse's image format (rootfs/,metadata.json) for use with theimagetask step option. -
OUTPUT_OCI(defaultfalse): outputs an OCI image, allowing for multi-arch image builds when settingIMAGE_PLATFORMto multiple platforms. The image output will be a directory (image/image) in OCI Image Layout format when this flag is set to true. -
BUILDKIT_ADD_HOSTS(default empty): extra host definitions forbuildkitto properly resolve custom hostnames. The value is as comma-separated (,) list of key-value pairs (using syntaxhostname=ip-address), each defining an IP address for resolving some custom hostname. -
BUILDKIT_EXTRA_CONFIG(default empty): a string written verbatim to builkit's TOML config file. See buildkitd.toml.
There are no required inputs - your task should just list each artifact it
needs as an input. Typically this is in close correlation with $CONTEXT:
params:
CONTEXT: my-image
inputs:
- name: my-imageShould your build be dependent on multiple inputs, you may want to leave
CONTEXT as its default (.) and set an explicit path to the DOCKERFILE:
params:
DOCKERFILE: my-repo/Dockerfile
inputs:
- name: my-repo
- name: some-dependencyIt might also make sense to place one input under another, like so:
params:
CONTEXT: my-repo
inputs:
- name: my-repo
- name: some-dependency
path: my-repo/some-dependencyOr, to fully rely on the default behavior and use path to wire up the context
accordingly, you could set your primary context as path: . and set up any
additional inputs underneath:
inputs:
- name: my-repo
path: .
- name: some-dependencyA single output named image may be configured:
outputs:
- name: imageUse output_mapping to map this output to a different name in your build plan.
This approach should be used if you're building multiple images in parallel so that
they can have distinct names.
The output will contain the following files:
-
image.tar: the OCI image tarball. This tarball can be uploaded to a registry using the Registry Image resource. Only present ifOUTPUT_OCIisfalse, which is the default. -
image/: a directory containing the OCI image(s) in OCI Image Layout format. Only present ifOUTPUT_OCIistrue. -
digest: the digest of the OCI config. This file can be used to tag the image after it has been loaded withdocker load, like so:docker load -i image/image.tar docker tag $(cat image/digest) my-name
If $UNPACK_ROOTFS is configured, the following additional entries will be
created:
-
rootfs/*: the unpacked contents of the image's filesystem. -
metadata.json: a JSON file containing the image's env and user configuration.
This is a Concourse-specific format to support using the newly built image for
a subsequent task by pointing the task step's image
option to the output,
like so:
plan:
- task: build-image
params:
UNPACK_ROOTFS: true
output_mapping: {image: my-built-image}
- task: use-image
image: my-built-image(The output_mapping here is just for clarity; alternatively you could just
set image: image.)
Note: at some point Concourse will likely standardize on OCI instead.
Caching can be enabled by caching the cache path on the task:
caches:
- path: cacheThis only caches the build layers that Buildkit makes and will only be hit if the same worker is used between one build and the next.
NOTE: the contents of --mount=type=cache directories are not cached, see #87
Your task should run the build executable:
run:
path: buildThe docker-image resource was previously used for building and pushing a
Docker image to a registry in one fell swoop.
The oci-build task, in contrast, only supports building images - it does not
support pushing or even tagging the image. It can be used to build an image and
use it for a subsequent task image without pushing it to a registry, by
configuring $UNPACK_ROOTFS.
In order to push the newly built image, you can use a resource like the
registry-image
resource like so:
resources:
- name: my-image-src
type: git
source:
uri: https://github.com/...
- name: my-image
type: registry-image
source:
repository: my-user/my-repo
jobs:
- name: build-and-push
plan:
# fetch repository source (containing Dockerfile)
- get: my-image-src
# build using `oci-build` task
#
# note: this task config could be pushed into `my-image-src` and loaded using
# `file:` instead
- task: build
privileged: true
config:
platform: linux
image_resource:
type: registry-image
source:
repository: concourse/oci-build-task
inputs:
- name: my-image-src
path: .
outputs:
- name: image
run:
path: build
# push using `registry-image` resource
- put: my-image
params: {image: image/image.tar}This repo contains an example.yml, which builds the image for the task
itself:
fly -t dev execute -c example.yml -i context=. -o image=. -p
docker load -i image.tarThat -p at the end is not a typo; it runs the task with elevated privileges.
Assuming your custom CA cert is passed in as an input to the oci-build task, you can use a task config like this to load your custom CA certificate:
platform: linux
inputs:
- name: certs
path: /var/certs #Absolute path only works on Concourse >=7.5.0
#..other inputs
outputs:
- name: image
params:
BUILDKIT_EXTRA_CONFIG: |
[registry."my-registry.com"]
ca=["/var/certs/my-ca.pem"]
run:
path: build