go-containerregistry VS skopeo

I also explored another module, go-containerregistry, in order to build images without root privileges. The approach is completely different, and we can manipulate each component of the container image separately. This can present an advantage, if you're looking for a way to fine tune things.

Use crane ls in a different job to check the tags in the registry. Create an artifact from its output that you evaluate in your kaniko job to check if the build should run or not.

Multi-arch builds are easy to "transfer" IMHO

crane cp docker.io/openfaas/gateway:0.10.0 ghcr.io/openfaas/gateway:0.10.0

If you've not used it yet - do take a look. Crane doesn't pull the images into a local Docker library for re-tagging and re-pushing.

https://github.com/google/go-containerregistry/blob/main/cmd...

crane - tool to copy images from one repo to another - https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md

pretty sure the crane being referred by alex is this one: https://github.com/google/go-containerregistry/tree/main/cmd/crane

https://github.com/google/go-containerregistry/tree/main/cmd...

It was recommended in this article:

This is one of my absolute favorite topics. Pardon me while I rant and self-promote :D

Dockerfiles are great for flexibility, and have been a critical contributor to the adoption of Docker containers. It's very easy to take a base image, add a thing to it, and publish your version.

Unfortunately Dockerfiles are also full of gotchas and opaque cargo-culted best practices to avoid them. Being an open-ended execution environment, it's basically impossible to tell even during the build what's being added to the image, which has downstream implications for anybody trying to get an SBOM from the image for example.

Instead, I contribute to a number of tools to build and manage images without Dockerfiles. Each of them are less featureful than Dockerfiles, but being more constrained in what they can do, you can get a lot more visibility into what they're doing, since they're not able to do "whatever the user wants".

1. https://github.com/google/go-containerregistry is a Go module to interact with images in the registry and in tarballs and layouts, in the local docker daemon. You can append layers, squash layers, modify metadata, etc.

2. crane is a CLI that uses the above (in the same repo) to make many of the same modifications from the commandline. `crane append` for instance adds a layer containing some contents to an image, entirely in the registry, without even pulling the base image.

3. ko (https://ko.build) is a tool to build Go applications into images without Dockerfiles or Docker at all. It runs `go build`, appends that binary on top of a base image, and pushes it directly to the registry. It generates an SBOM declaring what Go modules went into the app it put into the image, since that's all it can do.

4. apko (https://apko.dev) is a tool to assemble an image from pre-built apks, without Docker. It's capable of producing "distroless" images easily with config in YAML. It generates an SBOM declaring exactly what apks it put in the image, since that's all it can do.

Bazel's rules_docker is another contender in the space, and GCP's distroless images use it to place Debian .debs into an image. Apko is its spiritual successor, and uses YAML instead of Bazel's own config language, which makes it a lot easier to adopt and use (IMO), with all of the same benefits.

I'm excited to see more folks realizing that Dockerfiles aren't always necessary, and can sometimes make your life harder. I'm extra excited to see more tools and tutorials digging into the details of how container images work, and preaching the gospel that they can be built and modified using existing tooling and relatively simple libraries. Excellent article!

Look at using tools like skopeo or crane

Pretty much any tool works: docker, podman, kaniko, crane(if you're brave), ko... list goes on.

I decided to go searching for an alternative means to pull a docker image. In my search I discovered Skopeo, an alternative method to download Docker images that proved to be surprisingly effective. It not only downloaded the image faster, it also allowed me to save my image in a tar file, which means you can pull an image on one system and share that image to another system, loading it easily to docker instance on that system. This can be very beneficial if you have multiple systems and don't want to download an image multiple times.

But I'd suggest looking into if it's solved by other tools already, like regclient/regclient and their regsync features or something like containers/skopeo.

Have a use case where we have a CLI (built with cobra) for our dev teams which can execute common tasks. One of those tasks we want to implement is to copy docker images from the internet to our internal registry. A tool such as skopeo can do this and much more. Instead of essentially re-writing the functionality directly into our CLI we'd like to embed it. This would also negate the need for the dev teams to manage multiple CLI tools.

Self hoisting here, I put this together to make it easier to generate single (extra) layer docker images without needing a docker agent, capabilities, chroot, etc: https://github.com/andrewbaxter/dinker

Caveat: it doesn't work on Fly.io. They seem to be having some issue with OCI manifests: https://github.com/containers/skopeo/issues/1881 . They're also having issues with new docker versions pushing from CI: https://community.fly.io/t/deploying-to-fly-via-github-actio... ... the timing of this post seems weird.

FWIW the article says

> create a Docker image, also known as an OCI image

I don't think this is quite right. From my investigation, Docker and OCI images are basically content addressed trees, starting with a root manifest that points to other files and their hashes (root -> images -> layers -> layer configs + files). The OCI manifests and configs are separate to Docker manifests and configs and basically Docker will support both side by side.

skopeo is another tool worth looking into. we've started deploying amd and arm nodes into our k8s clusters, and this tool was incredibly easy to build around for getting multi-arch images into our container registry.

I would use skopeo, the tool is quite handy for working with remote images. https://github.com/containers/skopeo

Using distroless images not only reduces the size of the container image it also reduces the surface attack. The need for container image signing is because even with the distroless images there is a chance of facing some security threats such as receiving a malicious image. We can use cosign or skopeo for container signing and verifying. You can read more about securing containers with Cosign and Distroless Images in this blog.

Look at using tools like skopeo or crane

You could try some commandline tool like skopeo to fetch the image tags regularly and do some shell magic to notify you on any change you want

This is what Podman, an open-source daemonless and rootless container engine, was developed with in mind. Podman runs using the runC container runtime process, directly on the Linux kernel, and launches containers and pods as child processes. In addition, it was developed for the Docker developer, with most commands and syntax seamlessly mirroring Docker's. Buildah, an image builder, and Skopeo, the image utility tool, are both complimentary to Podman as well, and extend the range of operations able to be performed.