notation
buildkit
Our great sponsors
notation | buildkit | |
---|---|---|
7 | 53 | |
289 | 7,669 | |
6.6% | 1.9% | |
8.9 | 9.8 | |
6 days ago | 4 days ago | |
Go | Go | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
notation
-
Securing CI/CD Images with Cosign and OPA
Notary v2: The evolution to Notary v2 brought improvements in signature portability and integration with third-party key management solutions. However, it does not provide a certificate authority, leaving public key discovery for open-source image verification as an unresolved issue.
-
Automating Kubernetes Deployments with FluxCD for Patched and Signed Container Images
Notation
-
Level-up Container Security: 4 Open-Source Tools for Secure Software Supply Chain
Notation is another command-line too that lets you digitally sign artifacts. And those signatures essentaily become the stamps of approval for the different things in your software supply chain. For example, container images.
- notaryproject/notation: Notation is a project to add signatures as standard items in the registry ecosystem, and to build a set of simple tooling for signing and verifying these signatures. Based on Notary V2 standard.
-
Getting Started with Notary
Notary is the CNCF project name and is often referenced when referring to the process of signing digital artifacts, but Notation is the command line tool that does the heavy lifting. Run the following commands to install Notation.
- Dagger: a new way to build CI/CD pipelines
-
Making the Internet more secure one signed container at a time
It should be interoperable, that's the goal. I proposed some idea for nv2 here: https://github.com/notaryproject/nv2/issues/39 and here: https://github.com/notaryproject/nv2/issues/40 too.
buildkit
- ARM vs x86 em Docker
-
The worst thing about Jenkins is that it works
> We are uding docker-in-docker at the moment
You can also run a "less privileged" container with all the features of Docker by using rootless buildkit in Kubernetes. Here are some examples:
https://github.com/moby/buildkit/tree/master/examples/kubern...
https://github.com/moby/buildkit/blob/master/examples/kubern...
It's also possible to run dedicated buildkitd workers and connect to them remotely.
-
Show HN: Dockerfile Explorer
- BuildOp evaluates its input as additional LLB operations to add to the graph to allow for dynamic build graphs (also unused in the Dockerfile frontend)
With the Dockerfile Explorer, we run the Dockerfile frontend[1] that BuildKit uses inside of WASM to parse and produce the LLB output locally in your browser. We then embed the Monaco Editor so that you can change your Dockerfile to see how it impacts the LLB output that BuildKit will use to build your Docker image.
You can see a quick video and read more details on how it all works here: https://depot.dev/blog/dockerfile-explorer.
We'd love any feedback or ideas folks would like around this type of tool!
[0] https://github.com/moby/buildkit#exploring-llb
- macOS Containers v0.0.1
-
Jenkins Agents On Kubernetes
Now since Kubernetes works off of containerd I'll be taking a different approach on handling container builds by using nerdctl and the buildkit that comes bundled with it. I'll do this on the amd64 control plane node since it's beefier than my Raspberry Pi workers for handling builds and build related services. Go ahead and download and unpack the latest nerdctl release as of writing (make sure to check the release page in case there's a new one):
-
Frequent Docker BuildKit cache misses with w/ multi-stage and docker-container
There's a 2-year-old moby/buildkit GitHub issue about frequent build cache misses when using the BuildKit docker-container driver and multi-stage builds. Anyone else in this sub run into this problem and/or have reasonable workarounds? It seems like something that should come up pretty often.
-
A Panic in BuildKit: an Open Source Journey
A couple months ago I encountered a bug in buildkit - when enabling OpenTelemetry tracing, we got occasional panics. With a bit of investigation, we found the cause, fixed and tested in our fork and internal deployments, and pushed to upstream.
-
Is it possible to copy files from a manifest in Dockerfile?
I do some search in the internet and there seems to be no good solution, so I just create a feature request: https://github.com/moby/buildkit/issues/3859
-
Cicada - CI/CD platform written with Rust
Yeah, only Linux containers at the moment, BuildKit is the way we are constructing pipelines and doing caching. Split on if we will support non-linux hosts, but definitely want to find a good solution to not doing Docker-in-Docker.
-
Better support of Docker layer caching in Cargo
Relevant issues are https://github.com/moby/buildkit/issues/3011 and https://github.com/moby/buildkit/issues/1512.
What are some alternatives?
cosign - Code signing and transparency for containers and binaries
buildah - A tool that facilitates building OCI images.
net-monitor - The sample net-monitor software, used as samples in Notary v2 (https://github.com/notaryproject/notaryproject)
kaniko - Build Container Images In Kubernetes
ratify - Artifact Ratification Framework
jib - 🏗 Build container images for your Java applications.
grafeas - Artifact Metadata API
buildx - Docker CLI plugin for extended build capabilities with BuildKit
secure-supply-chain-on-aks - Learn how to use open-source tools to secure your container deployments on Azure Kubernetes Service.
podman - Podman: A tool for managing OCI containers and pods.
distribution - distribution with reference types
nerdctl - contaiNERD CTL - Docker-compatible CLI for containerd, with support for Compose, Rootless, eStargz, OCIcrypt, IPFS, ...