By Xian Wei
In the cloud native era, container images are the basic carrier for distribution of all applications. In addition to Docker Hub as a popular image repository, various cloud vendors also provide function-rich image repository services, such as Alibaba Cloud's Container Registry (ACR), and Google's Container Registry (GCR). Being able to build container images has become the basic practical ability that all developers must master.
Whether the developer chooses to use Docker locally to build basic images, or uses a CI/CD service (such as Jenkins), in essence, the process of "pull -> build -> push" must be followed to build, distribute, and synchronize images.
This article introduces a new practice of building simple images for developers. Based on Alibaba Cloud Serverless Kubernetes Container Service, container images can be built automatically and at a low cost, which helps developers understand how to use Serverless to run CI/CD and automate tasks.
Building a container image requires computing resources. When developers use Docker to pull/build/push locally, the computing resources are local development machines. If developers deploy Jenkins or GitLab Runner services in traditional Kubernetes clusters, the computing resources also need to run continuously. However, building a container image is basically a highly dynamic action, which is often triggered by timing or conditions. Therefore, maintaining a fixed computing resource pool for dynamic building operations is not cost effective.
Serverless Kubernetes is different from the traditional node-based k8s cluster. A Serverless cluster will only result in a charge when a pod is running. This means that users only need to pay when building images, and after the build ends, the billing stops. Therefore, the cost is significantly reduced compared with that of the traditional k8s cluster or ECS deployment.
In a Serverless Kubernetes cluster, pods do not have the privileged permission, and cannot access Docker daemon on the host. Therefore, they cannot use the Docker-in-Docker solution to build images. So, how can we build an image without relying on the Docker on the host in a Kubernetes cluster? Obviously, this is a common requirement, and the community also has a recommended solution: Kaniko.
Kaniko works similarly to the "docker build" command, but does not rely on Docker daemon. It resolves and builds each Dockerfile layer in the pod, which allows the pod to complete the pull/build/push of the image without the privileged permission.
Let's use Serverless Kubernetes and Kaniko to implement a simple image building experiment, that is, to regularly synchronize images to the domestic ACR.
Log on to the Container Service Console to create a Serverless cluster in 5s. (If it is a foreign source image repository, you can choose the US West region)
You can log on to CloudShell, and run the following command.
#docker login registry.cn-hangzhou.aliyuncs.com
...
#kubectl create secret generic regsecret --from-file=/root/.docker/config.json
...On the console, select a template to create the following scheduled task, to synchronize the busybox image to ACR hourly.
apiVersion: v1
kind: ConfigMap
metadata:
name: dockerfile-cm
data:
Dockerfile: |
FROM busybox:latest
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: kaniko-builder
spec:
schedule: "*/60 * * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: builder
image: gcr.io/kaniko-project/executor:latest
imagePullPolicy: Always
args:
- "--dockerfile=/configs/Dockerfile"
- "--destination=registry.cn-hangzhou.aliyuncs.com/jovizhangwei/busybox:latest"
volumeMounts:
- name: dockerfile
readOnly: true
mountPath: "/configs/"
- name: secrets
readOnly: true
mountPath: "/root/.docker/"
volumes:
- name: dockerfile
configMap:
name: dockerfile-cm
- name: secrets
secret:
secretName: regsecret
restartPolicy: OnFailureAfter the job is executed, you can view ACR Image Repository to confirm that the image has been synchronized.
You can customize the template file as needed, such as modifying the image to be synchronized, and adding a build step. You can also set the resource limit of the pod (such as, VCPU 0.25/0.5/1) to complete the synchronization task at minimal computing cost.
From the example above, we can see that, based on the pay-as-you-go feature of Serverless Kubernetes, some scheduled and CI/CD tasks can be run at very low cost without maintaining a fixed computing resource pool. It is also applicable to other scenarios, such as stress testing, data computing, and workflow processing.
Happy Hacking!
GPU Sharing Scheduler Extender Now Supports Fine-Grained Kubernetes Clusters
How to Use NAS Persistent Volumes Dynamically in a Kubernetes Cluster
169 posts | 31 followers
FollowHaemi Kim - October 20, 2021
Alibaba Container Service - July 16, 2019
Alibaba Container Service - February 7, 2020
Alibaba Cloud Native Community - December 29, 2023
Alibaba Developer - April 26, 2022
Alibaba Clouder - July 15, 2020
169 posts | 31 followers
Follow
Container Service for Kubernetes
Alibaba Cloud Container Service for Kubernetes is a fully managed cloud container management service that supports native Kubernetes and integrates with other Alibaba Cloud products.
Learn More
ACK One
Provides a control plane to allow users to manage Kubernetes clusters that run based on different infrastructure resources
Learn More
Robotic Process Automation (RPA)
Robotic Process Automation (RPA) allows you to automate repetitive tasks and integrate business rules and decisions into processes.
Learn More
Cloud-Native Applications Management Solution
Accelerate and secure the development, deployment, and management of containerized applications cost-effectively.
Learn MoreMore Posts by Alibaba Container Service