skopeo VS Bazel

I believe skopeo should allow you to: https://github.com/containers/skopeo

I decided to go searching for an alternative means to pull a docker image. In my search I discovered Skopeo, an alternative method to download Docker images that proved to be surprisingly effective. It not only downloaded the image faster, it also allowed me to save my image in a tar file, which means you can pull an image on one system and share that image to another system, loading it easily to docker instance on that system. This can be very beneficial if you have multiple systems and don't want to download an image multiple times.

But I'd suggest looking into if it's solved by other tools already, like regclient/regclient and their regsync features or something like containers/skopeo.

Have a use case where we have a CLI (built with cobra) for our dev teams which can execute common tasks. One of those tasks we want to implement is to copy docker images from the internet to our internal registry. A tool such as skopeo can do this and much more. Instead of essentially re-writing the functionality directly into our CLI we'd like to embed it. This would also negate the need for the dev teams to manage multiple CLI tools.

Self hoisting here, I put this together to make it easier to generate single (extra) layer docker images without needing a docker agent, capabilities, chroot, etc: https://github.com/andrewbaxter/dinker

Caveat: it doesn't work on Fly.io. They seem to be having some issue with OCI manifests: https://github.com/containers/skopeo/issues/1881 . They're also having issues with new docker versions pushing from CI: https://community.fly.io/t/deploying-to-fly-via-github-actio... ... the timing of this post seems weird.

FWIW the article says

> create a Docker image, also known as an OCI image

I don't think this is quite right. From my investigation, Docker and OCI images are basically content addressed trees, starting with a root manifest that points to other files and their hashes (root -> images -> layers -> layer configs + files). The OCI manifests and configs are separate to Docker manifests and configs and basically Docker will support both side by side.

skopeo is another tool worth looking into. we've started deploying amd and arm nodes into our k8s clusters, and this tool was incredibly easy to build around for getting multi-arch images into our container registry.

I would use skopeo, the tool is quite handy for working with remote images. https://github.com/containers/skopeo

Using distroless images not only reduces the size of the container image it also reduces the surface attack. The need for container image signing is because even with the distroless images there is a chance of facing some security threats such as receiving a malicious image. We can use cosign or skopeo for container signing and verifying. You can read more about securing containers with Cosign and Distroless Images in this blog.

Look at using tools like skopeo or crane

You could try some commandline tool like skopeo to fetch the image tags regularly and do some shell magic to notify you on any change you want

Agree regarding easiness of building rust (`cargo build`), extremely satisfying (git clone and cargo build...)

Does anyone have any comments on Bazel[1] because I'm kind of settling on using it whenever it's appropriate (c/c++)?..

[1] https://bazel.build/

Chicory seems like it'll be pretty useful. Java doesn't have easy access to the platform-specific security mechanisms (seccomp, etc) that are used by native tools to sandbox their plugins, so it's nice to have WebAssembly's well-designed security model in a pure-JVM library.

I've used it to experiment with using WebAssembly to extend the Bazel build system (which is written in Java). Currently there are several Bazel rulesets that need platform-specific helper binaries for things like parsing lock files or Cargo configs, and that's exactly the kind of logic that could happily move into a WebAssembly blob.

https://github.com/jmillikin/upstream__bazel/commits/repo-ru...

https://github.com/bazelbuild/bazel/discussions/23487

> Bazel also obviously uses the system compilers and headers. Nix does not.

Bazel allows hermetic toolchains, and uses it for most languages: Java, Python, Go, Rust, Node.js, etc. You can do the same for C++, but Bazel doesn't provide that out-of-the-box. [1]

Bazel sandboxing can restrict system access on Linux with --experimental_use_hermetic_linux_sandbox and --sandbox_add_mount_pair. [2]

Every "reproducible builds" discussion requires an understand of what is permitted to vary. E.g. Neither Nix nor Bazel attempts to make build products the same for x86 host environments vs ARM host environment. Bazel is less aggressive than Nix in that it does not (by default) attempt to make build products the same for different host C++ compilers.

[1] https://github.com/bazelbuild/bazel/discussions/18332

[2] https://bazel.build/reference/command-line-reference#flag--e...

You can say that for everything, after all of it's turing complete you can do anything.

But practically, the difference is intention, which drives design and ecosystem.

E.g: starlark is very oriented toward idenpotence and limiting side effects to get reproducible config data. By default they discourage reading files: https://github.com/bazelbuild/bazel/issues/13300

But rhai is not particularly oriented toward config, and the doc promotes an extension to read files: https://rhai.rs/book/lib/rhai-fs.html

The tutorials, stdlib, language design anf tooling will all reflect this.

At some point in the future it might be enabled by default

To achieve reproducibility, your build process must control for environmental differences like timestamps, file ordering, or machine-specific configurations. Tools like Bazel or Nixprovide deterministic build systems that lock down these variables. For instance, Bazel uses a content-addressable cache, meaning the same source code and dependencies always result in the same build outputs, even when run on different machines.

Despite following all the steps (on both Windows and Unix), I couldn't get the cmake build to succeed. After several hours of debugging, I decided to try another build method provided by the project, using bazel, which was much simpler.

Many big companies have built their own tools to reign in this complexity and make it easier and faster for developers to work on large, multi-language code bases. Meta has buck, Amazon has brazil, and Google has bazel. But from my experience, especially, with brazil, these tools also have some rough edges, so understanding how they work can go a long way.