build-push-action VS buildkit

We use the docker/build-push-action to build the application image. In addition to setting the correct tag, the image build step must also provide a label matching your service name. Because the image should be pushed to your container registry, we set push: true, and because we want ludicrous build speed we instruct the build step to utilize the GitHub Actions cache.

name: Lint and Dockerize the app on: push: branches: [master] pull_request: branches: [master] env: # Use docker.io for Docker Hub if empty REGISTRY: docker.io # github.repository as / IMAGE_NAME: ${{ github.repository }} jobs: build: runs-on: ubuntu-latest permissions: contents: read packages: write steps: - name: Checkout repository uses: actions/checkout@v2 - name: Set up Google Cloud uses: google-github-actions/[email protected] with: project_id: ${{ secrets.GCP_PROJECT_ID }} service_account_key: ${{ secrets.GCP_SA_KEY }} # Login against a Docker registry except on PR # https://github.com/docker/login-action - name: Log into registry ${{ env.REGISTRY }} # if: github.event_name != 'pull_request' uses: docker/login-action@v1 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} # Extract metadata (tags, labels) for Docker # https://github.com/docker/metadata-action #- name: Extract Docker metadata # id: meta # uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 # with: # images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} # Build and push Docker image with Buildx (don't push on PR) # https://github.com/docker/build-push-action - name: Build and push Docker image uses: docker/build-push-action@v2 with: context: ./ tags: ${{ secrets.DOCKER_USERNAME }}/magga:latest push: true file: ./Dockerfile - name: Image digest run: echo

docker/build-push-action@v4 to build and push Docker images with Buildx.

Hmmm interesting question... I use the following in my yaml: yaml - name: Build and push uses: https://github.com/docker/build-push-action@v2 can't you just use like: yaml - name: NTFY uses: https://github.com/dawidd6/action-send-mail@v3 and use the actions explained in the links?

Docker made some decent actions free to use like this one to build and push docker images to registries.

name: Docker Image Publish on: push: branches: [ "main" ] # Publish semver tags as releases. tags: [ 'v*.*.*' ] pull_request: branches: [ "main" ] env: # Use docker.io for Docker Hub if empty REGISTRY: ghcr.io # github.repository as / IMAGE_NAME: ${{ github.repository }} jobs: build: runs-on: ubuntu-latest permissions: contents: read packages: write # This is used to complete the identity challenge # with sigstore/fulcio when running outside of PRs. id-token: write steps: - name: Checkout repository uses: actions/checkout@v3 # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 with: cosign-release: 'v1.11.0' # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx uses: docker/setup-buildx-action@v2 # Login against a Docker registry except on PR # https://github.com/docker/login-action - name: Log into registry ${{ env.REGISTRY }} if: github.event_name != 'pull_request' uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} # Extract metadata (tags, labels) for Docker # https://github.com/docker/metadata-action - name: Extract Docker metadata id: meta uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} # Build and push Docker image with Buildx (don't push on PR) # https://github.com/docker/build-push-action - name: Build and push Docker image id: build-and-push uses: docker/build-push-action@v4 with: context: "{{defaultContext}}:src" push: ${{ github.event_name != 'pull_request' }} # Don't push on PR tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max

Build and push Docker image: We will use the docker/build-push-action action to build and push the Docker image to Docker Hub. We will use the following inputs:

I previously tried to use Docker `docker/setup-qemu-action@v2` and `docker/setup-buildx-action@v2` for this purpose (see that example https://github.com/docker/build-push-action#git-context). Thanks to buildkit, platform switching works transparently. However, building on ARM via QEMU on GitHub Actions is terribly slow (something like 5 times more), which is hard to accept. Therefore, full of hope, I am waiting for GitHub Actions to make cloud runners available on ARM, because it is a blocker for the implementation of Graviton on the AWS environment for us.

For a while, the blocker in GitHub Actions for providing ARM support was that Azure doesn't have ARM support. In this way, the Azure cloud offering may determine the habits of AWS consumers.

Build and push an image in CI. This extends #2 by pushing the image to a container registry. DockerHub is the default registry in Docker, but isn't the only registry. You could use GitHub's Container Registry as well. We (Docker) have supported GitHub Actions with lots of documentation to help out. You could then extend the pipeline to actually deploy your updated image too.

> We are uding docker-in-docker at the moment

You can also run a "less privileged" container with all the features of Docker by using rootless buildkit in Kubernetes. Here are some examples:

https://github.com/moby/buildkit/tree/master/examples/kubern...

https://github.com/moby/buildkit/blob/master/examples/kubern...

It's also possible to run dedicated buildkitd workers and connect to them remotely.

- BuildOp evaluates its input as additional LLB operations to add to the graph to allow for dynamic build graphs (also unused in the Dockerfile frontend)

With the Dockerfile Explorer, we run the Dockerfile frontend[1] that BuildKit uses inside of WASM to parse and produce the LLB output locally in your browser. We then embed the Monaco Editor so that you can change your Dockerfile to see how it impacts the LLB output that BuildKit will use to build your Docker image.

You can see a quick video and read more details on how it all works here: https://depot.dev/blog/dockerfile-explorer.

We'd love any feedback or ideas folks would like around this type of tool!

[0] https://github.com/moby/buildkit#exploring-llb

Now since Kubernetes works off of containerd I'll be taking a different approach on handling container builds by using nerdctl and the buildkit that comes bundled with it. I'll do this on the amd64 control plane node since it's beefier than my Raspberry Pi workers for handling builds and build related services. Go ahead and download and unpack the latest nerdctl release as of writing (make sure to check the release page in case there's a new one):

There's a 2-year-old moby/buildkit GitHub issue about frequent build cache misses when using the BuildKit docker-container driver and multi-stage builds. Anyone else in this sub run into this problem and/or have reasonable workarounds? It seems like something that should come up pretty often.

A couple months ago I encountered a bug in buildkit - when enabling OpenTelemetry tracing, we got occasional panics. With a bit of investigation, we found the cause, fixed and tested in our fork and internal deployments, and pushed to upstream.

I do some search in the internet and there seems to be no good solution, so I just create a feature request: https://github.com/moby/buildkit/issues/3859

Yeah, only Linux containers at the moment, BuildKit is the way we are constructing pipelines and doing caching. Split on if we will support non-linux hosts, but definitely want to find a good solution to not doing Docker-in-Docker.

Relevant issues are https://github.com/moby/buildkit/issues/3011 and https://github.com/moby/buildkit/issues/1512.