aevea / action-kaniko Goto Github PK

View Code? Open in Web Editor NEW

118.0 118.0 55.0 37 KB

Build and push docker images using Kaniko and GitHub actions

Dockerfile 15.81% Shell 76.36% Makefile 7.83%

action-kaniko's People

Contributors

Stargazers

Watchers

action-kaniko's Issues

reporoducible not found

I encounter error with Github CI from ghcr registry:

Auth does not work with docker-login action.

I use the following to auth to GCR:

    - name: Login to GCR
      uses: docker/login-action@v2
      with:
        registry: gcr.io
        username: oauth2accesstoken
        password: ${{ steps.auth.outputs.access_token }}

This works fine in combination with

    - name: Build container
      uses: docker/build-push-action@v3
      with:
        push: true
        tags: ${{ steps.meta.outputs.tags }}

However, it doesn't work with kaniko, as that requires a username/password.

I'm using federated authentication, so I don't generate any passwords at all in this setup.

Feature Request: --reproducible flag and skip Push on Unchanged Digest

I have a monorepo with multiple docker images and I would like to publish an image only if the digest of the image is not present in the registry, regardless of the tag. I'm using fluxcd and right now because a tag is pushed on every push to master, all the pods are being restarted.

Kaniko supports the reproducible flag, this action now supports it through the extra_args, I suggest to make it a first-class variable.

Anyway, I suggest the option skipUnchangedDigest to the build-push-action and when set to true the action will skip the push if the digest already present.

Bazel build supports this with skipUnchangedDigest flag to the container_push rule, code is here:
https://github.com/bazelbuild/rules_docker/blob/06c5419265e84baf168ba4d3982f45fe1fe312b4/container/go/cmd/pusher/pusher.go#L132
https://github.com/bazelbuild/rules_docker/blob/06c5419265e84baf168ba4d3982f45fe1fe312b4/container/go/cmd/pusher/pusher.go#L163

I will be happy to try and contribute those, however, I'm not sure how to implement the skipUnchangedDigest. Pointers are welcome.

Build context

My repo contains multiple image files. I specify the Dockerfile with:

build_file: conda/Dockerfile

but the context is still set to the root of the repo.

Could you add an option to set the context dir?

It would be great to have image tag in outputs

I use this action in my workflow.

After successfully building the image I want to update the image tag in the kubernetes specs.
It would be much easier and cleaner if I could use outputs from build step to reference the new image

Fails when running with selfhosted runners

docker container fails to build complaining of bad address

  #9 [stage-1 2/4] RUN wget -O /kaniko/jq     https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux64 &&     chmod +x /kaniko/jq &&     wget -O /kaniko/reg     https://github.com/genuinetools/reg/releases/download/v0.16.1/reg-linux-386 &&     chmod +x /kaniko/reg &&     wget -O /crane.tar.gz     https://github.com/google/go-containerregistry/releases/download/v0.17.0/go-containerregistry_Linux_x86_64.tar.gz &&     tar -xvzf /crane.tar.gz crane -C /kaniko &&     rm /crane.tar.gz
  #9 0.157 wget: bad address 'github.com'
  #9 ERROR: process "/busybox/sh -c wget -O /kaniko/jq     https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux64 &&     chmod +x /kaniko/jq &&     wget -O /kaniko/reg     https://github.com/genuinetools/reg/releases/download/v0.16.1/reg-linux-386 &&     chmod +x /kaniko/reg &&     wget -O /crane.tar.gz     https://github.com/google/go-containerregistry/releases/download/v0.17.0/go-containerregistry_Linux_x86_64.tar.gz &&     tar -xvzf /crane.tar.gz crane -C /kaniko &&     rm /crane.tar.gz" did not complete successfully: exit code: 1
  ------
   > [stage-1 2/4] RUN wget -O /kaniko/jq     https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux64 &&     chmod +x /kaniko/jq &&     wget -O /kaniko/reg     https://github.com/genuinetools/reg/releases/download/v0.16.1/reg-linux-386 &&     chmod +x /kaniko/reg &&     wget -O /crane.tar.gz     https://github.com/google/go-containerregistry/releases/download/v0.17.0/go-containerregistry_Linux_x86_64.tar.gz &&     tar -xvzf /crane.tar.gz crane -C /kaniko &&     rm /crane.tar.gz:
  0.157 wget: bad address 'github.com'
  ------

Tag not getting applied to container image when pushed to repository

When I set the "tag" flag to "${GITHUB_RUN_NUMBER}", the tag that is getting applied is either "main" or "master".

Build args

I would like to switch to this action (currently using https://github.com/docker/build-push-action) for the skip push feature but I am missing two features:

Build args: https://github.com/docker/build-push-action#build_args
Auto tagging with version number or branch name or latest: https://github.com/docker/build-push-action#tag_with_ref

action is not compatible with docker/build-push-action

I think making them compatible will increase the usage of this action.

build-push-action has repository option vs image option on action-kanino.
dockerfile vs build_file
build_args is missing (comma separated)
tags is missing (comma separated)

@aexvir if you would like I can make a pull request to make them (more) compatible. However, it will probably break the current options.

Detecting if skip_unchanged_digest triggered

Hi,

I've just started using action-kaniko and have enabled skip_unchanged_digest. This works as expected and doesn't push a new image if the digests match.

I then have some extra steps that run after action-kaniko which relate to deploying the new image - but I don't want these to run if no new image was created.

Is there a way to tell if action-kaniko has pushed an image or not once it has completed? I could query the registry and look for new images but I wasn't sure if there was a simpler option.

Thanks!

ECR push permission issues

Hello , i have this GH action workflow set.

`
- name: (SHARED) Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1

- name: Get short SHA
  id: slug
  run: |
    echo "COMMIT=$(echo ${{ github.event.pull_request.base.sha }} | cut -c1-7)" >> $GITHUB_ENV
    echo "EKS_SERVICE=nginx" >> $GITHUB_ENV
    echo "ECR_PASSWORD=${{ steps.login-ecr.outputs.docker_password_425300134585_dkr_ecr_us_west_1_amazonaws_com }}" >> $GITHUB_ENV
    echo "${{ steps.login-ecr.outputs.docker_username_425300134585_dkr_ecr_us_west_1_amazonaws_com }}"
            
- name: Kaniko build
  uses: aevea/action-kaniko@master
  with:
    image: 425300134585.dkr.ecr.us-west-1.amazonaws.com/${{env.EKS_SERVICE}}
    registry: 425300134585.dkr.ecr.us-west-1.amazonaws.com
    tag: latest
    build_file: Dockerfile
    path: Nginx
    password: ${{env.ECR_PASSWORD}} #${{ steps.login-ecr.outputs.docker_password_425300134585_dkr_ecr_us_west_1_amazonaws_com }}
    username: "AWS" #${{ steps.login-ecr.outputs.docker_username_425300134585_dkr_ecr_us_west_1_amazonaws_com }}
    #cache: false

I want to build my Dockerfile thats on Nginx/Dockerfile path , and push it to 425300134585.dkr.ecr.us-west-1.amazonaws.com/nginx:latest

and i have this error

error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "***.dkr.ecr.***.amazonaws.com/***.dkr.ecr.***.amazonaws.com/nginx:latest": Post "https://***.dkr.ecr.***.amazonaws.com/v2/***.dkr.ecr.***.amazonaws.com/nginx/blobs/uploads/": EOF

Thoughts ? i know that i have the correct push permissions because im using the same ecr login process with docker fine .

Docker Pull Rate Exceeded

When pulling alpine image to use for certs, Docker pull rate is being exceeded if your company runs self-hosted runners and has more than 100 builds per 6 hours. Passing the Docker credentials to the action resolves this, but it doesn't let you push your image to another location.

Potential fix:

Remove alpine image as certs now come as part of the kaniko executor and aren't needed from alpine image. https://github.com/GoogleContainerTools/kaniko/blob/main/deploy/Dockerfile - Line 59 adds ca-certificates & Line 69 copies them

There is no longer a need to grab the certs.

Expected results: Download is only from ghcr.io for the executor and no need for the alpine download

Add support for sending Images to multiple repositories

Currently, we are able to push image to only one registry, it would be great to have possibility to utilise --destination flag and be able to push the image to multiple registries during triggering the build once.

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

dockerfile

Dockerfile

gcr.io/kaniko-project/executor v1.22.0-debug

github-actions

.github/workflows/pr.yml

actions/checkout v4

aevea/commitsar sha256:e4aed72de9a00b990a53c678ad51fbe9bd04e127a617d10beab0ef0204b1dfa0

.github/workflows/push.yml

.github/workflows/release.yml

actions/checkout v4

aevea/release-notary sha256:690915bf87458fd8eb1e1ff0be34b33377f920eda3f38b96c62ecbf897c831f4

Check this box to trigger a request for Renovate to run again on this repository

External registry fails

+ export 'REGISTRY=***'
+ export 'IMAGE=***/obmondo/dockerfiles/jammy-generic-build'
+ echo refs/pull/5/head
+ sed -E 's/refs\/(heads|tags)\///g'
+ sed -e 's/\//-/g'
+ export 'TAG=1.0.0'
+ export 'TAG=1.0.0'
+ export 'TAG=1.0.0'
+ export 'USERNAME=asdad'
+ export 'PASSWORD=***'

The registry env never gets a real value, not sure why, even when I have give a static string in my workflow.

to test this, did a fork and change directly on the entrypoint script and now it works
I'm not sure where is the problem here.
some help would be nice

How to specify "Kaniko executor image" to this action?

Hi,

We are no longer able to push images created by this action to "JForg Artifactory". We see following error while pushing the images:
error pushing image: failed to push to destination my-dockerv2-virtual.jfrog.io/my-dockerv2-virtual.jfrog.io/my-app:0.0.34: PUT https://my-dockerv2-virtual.jfrog.io/v2/my-dockerv2-virtual.jfrog.io/my-app/manifests/0.0.34: MANIFEST_INVALID: manifest invalid; map[description:Circuit Breaker Threshold Reached, Breaking Operation. see log output for manifest details.]

We tried using the year old tag for this action, changed github-runner OS to ubuntu 18.x, disabling the cache but none of those are helping. All actions were working fine about 3 weeks ago. The only change I am seeing around the time we started seeing this issue is the new release of the "Kaniko executor" (https://github.com/GoogleContainerTools/kaniko/blob/main/CHANGELOG.md).

Any help you could provide on this would be great!

Thank you!

Bhavesh.

extra_args example

It would be nice to provide examples of extra_args usage approaches

How to do specify ghcr.io image at repo root?

I have a repo myorg/myrepo and want to push an image ghcr.io/myorg/myrepo:1.0.0.

However, specifying registry: ghcr.io and image: "" yields an error, since the resulting image is tagged with ghcr.io/myorg/myrepo/:1.0.0.

Setting a value for image will only append that to the repo name, e.g. image: "myrepo" yields the tag ghcr.io/myorg/myrepo/myrepo:1.0.0.

Is there a way to not set an image name, and keep it as repo root, specifically for ghcr?

Kaniko executor broken, outdated root certificates

This action has stopped working because in the Dockerfile, an outdated executor is being used (at least this is my working hypothesis)

I tested v1.16.0 and found this to be working, but I don't know enough about the project to say whether this is a safe upgrade.

Repro:

docker run --rm -it --entrypoint sh gcr.io/kaniko-project/executor:v1.9.1-debug
/workspace # wget -O /kaniko/jq     https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
Connecting to github.com (140.82.121.4:443)
wget: note: TLS certificate validation not implemented
wget: TLS error from peer (alert code 80): 80
wget: error getting response: Connection reset by peer

docker image not found

Hi folks,
we're using action-kaniko on some workflows, but recently one stopped working with the following message:

$/usr/bin/docker run --name a62b0ab75364e68e47cc90d5aa9e43fcc042_cf3c0a --label 39a62b (...)

Unable to find image '39a62b:0ab75364e68e47cc90d5aa9e43fcc042' locally
docker: Error response from daemon: pull access denied for 39a62b, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.
See 'docker run --help'.

before that, in github actions, we're running the following step:

/usr/bin/docker build -t [3](https://github.com/ivaoaero/scripts/actions/runs/4359030674/jobs/7641610911#step:2:3)9a62b:0ab7536[4](https://github.com/ivaoaero/scripts/actions/runs/4359030674/jobs/7641610911#step:2:4)e68e47cc90d[5](https://github.com/ivaoaero/scripts/actions/runs/4359030674/jobs/7641610911#step:2:5)aa9e43fcc042 -f "/home/debian/actions-runner/_work/_actions/aevea/action-kaniko/master/Dockerfile" "/home/debian/actions-runner/_work/_actions/aevea/action-kaniko/master"
  WARNING: No output specified with docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load
  #1 [internal] load build definition from Dockerfile
  #1 transferring dockerfile: 931B 0.0s done
  #1 DONE 0.1s
  
  #2 [internal] load .dockerignore
  #2 transferring context: [6](https://github.com/ivaoaero/scripts/actions/runs/4359030674/jobs/7641610911#step:2:6)3B 0.0s done
  #2 DONE 0.0s
  
  #3 [internal] load metadata for docker.io/library/alpine:latest
  #3 DONE 0.4s
  
  #4 [internal] load metadata for gcr.io/kaniko-project/executor:v1.9.1-debug
  #4 DONE 0.3s
  
  #5 [stage-1 1/4] FROM gcr.io/kaniko-project/executor:v1.9.1-debug@sha256:ac169[7](https://github.com/ivaoaero/scripts/actions/runs/4359030674/jobs/7641610911#step:2:7)23b2076f9d5[8](https://github.com/ivaoaero/scripts/actions/runs/4359030674/jobs/7641610911#step:2:8)04f4bc05c[9](https://github.com/ivaoaero/scripts/actions/runs/4359030674/jobs/7641610911#step:2:9)8397e286da6fdcdd5a09fdc179f06ccb3be1
  #5 resolve gcr.io/kaniko-project/executor:v1.9.1-debug@sha256:ac169723b2076f9d5804f4bc05c98397e286da6fdcdd5a09fdc179f06ccb3be1 0.0s done
  #5 DONE 0.0s
  
  #6 [certs 1/2] FROM docker.io/library/alpine@sha256:69665d02cb32192e52e07644d76bc6f25abeb54[10](https://github.com/ivaoaero/scripts/actions/runs/4359030674/jobs/7641610911#step:2:10)edc1c7a81a10ba3f0efb90a
  #6 resolve docker.io/library/alpine@sha256:69665d02cb32192e52e07644d76bc6f25abeb5410edc1c7a81a10ba3f0efb90a 0.0s done
  #6 DONE 0.0s
  
  #7 [internal] load build context
  #7 transferring context: 35B done
  #7 DONE 0.0s
  
  #8 [certs 2/2] RUN apk --update add ca-certificates
  #8 CACHED
  
  #9 [stage-1 2/4] RUN wget -O /kaniko/jq     https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 &&     chmod +x /kaniko/jq &&     wget -O /kaniko/reg     https://github.com/genuinetools/reg/releases/download/v0.16.1/reg-linux-386 &&     chmod +x /kaniko/reg &&     wget -O /crane.tar.gz     https://github.com/google/go-containerregistry/releases/download/v0.8.0/go-containerregistry_Linux_x86_64.tar.gz &&     tar -xvzf /crane.tar.gz crane -C /kaniko &&     rm /crane.tar.gz
  #9 CACHED
  
  #10 [stage-1 3/4] COPY entrypoint.sh /
  #10 CACHED
  
  #[11](https://github.com/ivaoaero/scripts/actions/runs/4359030674/jobs/7641610911#step:2:11) [stage-[1](https://github.com/ivaoaero/scripts/actions/runs/4359030674/jobs/7641610911#step:3:1) 4/4] COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
  #[1](https://github.com/ivaoaero/scripts/actions/runs/4359030674/jobs/7641610911#step:4:1)1 CACHED

Does anyone have any clue about what's going on here?

Thanks!

Cache does not work with ghcr.io tries to push to docker.io

When I try and use cache with ghcr.io it sends a warning and doesn't cache the build

WARN[0212] error uploading layer to cache: failed to push to destination cache-image:: HEAD https://index.docker.io/v2/library/cache-image/blobs/: unexpected status code 401 Unauthorized (HEAD responses have no body, use GET for details)

env:
  # Use docker.io for Docker Hub if empty
  REGISTRY: ghcr.io
  # github.repository as <account>/<repo>
  IMAGE_NAME: ${{ github.repository }}
jobs:
  build:
    name: Build with Kaniko
    runs-on: self-hosted
    steps:
      - id: image_name
        name: image_name
        uses: ASzc/change-string-case-action@v1
        with:
          string: ${{ github.repository }}
      - uses: actions/checkout@master
      - name: Kaniko build
        uses: aevea/action-kaniko@master
        with:
          registry: ${{ env.REGISTRY }}
          image: ${{ steps.image_name.outputs.lowercase }}
          password: ${{ secrets.GITHUB_TOKEN }}
          cache: true
          cache_registry: cache-image
          tag: develop
          build_file: docker/Dockerfile

Using a tag AND latest brokes the workflow

Summary

When using the action with tag_with_latest: true and tag: toto, the action seems to produce a multi-line output. The action is then considered as failed even thought it's not with the following message :

Error: Unable to process file command 'output' successfully.
Error: Invalid format 'myprivateregistry myimage:latest@sha256:d8d07c55b7ba2d51bc07971c1ae68c632cf13c651a7d0ad5453b395364c2d6fc'

The action works fine if only one tag is produced.

Version

at least 0.11.0 and 0.12.0.

v0.5.0 broken due to error in entrypoint.sh

The error is:

INFO[0078] SHELL ["/bin/bash", "--login", "-c"]         
INFO[0078] No files changed in this command, skipping snapshotting. 
INFO[0078] ENTRYPOINT ["/entrypoint.sh"]                
INFO[0078] No files changed in this command, skipping snapshotting. 
INFO[0114] Skipping push to container registry due to --no-push flag 
/entrypoint.sh: line 93: syntax error: unexpected end of file (expecting "fi")

The registry is gcr.io and I use elgohr/[email protected] to get username and password.

File not found: 'docker' error

I tried to build a docker image and sent it to ACR registry (secrets to ACR stored in previous action step), but when comes to Kaniko builder the error occurs:

Build container for action use: '/home/runner/_work/_actions/aevea/action-kaniko/v0.6.0/Dockerfile'.
Error: File not found: 'docker'

error is the same no matter what "path" parameter I will use (I tried docker/base, ./docker and also /mnt/gh_actions/DevOps/DevOps/docker, which is place where I have my Dockerfile).
code of the step is like this:

jobs:  
  docker:
    runs-on: [self-hosted-DevOps-master-centos]
    needs: [build-cm-package]
    steps:

    - name: Kaniko builder
      uses: aevea/[email protected]
      with:     
        path: ${{ env.docker_repository_folder }}/base
        build_file: base/Dockerfile
        registry: ${{ env.REGISTRY_LOGIN_SERVER }}
        image: kaniko_test
        username: ${{ secrets.ACR_DEV_USERNAME }}
        password: ${{ secrets.ACR_DEV_USERNAME_PASSWORD }}
        cache: true
        cache_registry: aevea/cache

any hint what is wrong?

make sure v0.6.1 is displayed as latest version in the github marketplace

Hi,

Thank you for providing this action.

Could you please make sure v0.6.1 is displayed as latest version in the github marketplace. Currently the marketplace refers to v0.6.0 as latest which has the bug that the image can't be build.

Cheers,
Felix

[Question] https://github.com/marketplace/actions/kaniko-action

Does this project overlap entirely with https://github.com/marketplace/actions/kaniko-action or are there differences readers/users should be aware of? We are just starting out using GitHub Actions (replacing GitLab CI).

Kaniko is being run outside of a container

Hey! We are experiencing an issue when using the action from @master:

WARN[0000] kaniko is being run outside of a container. This can have dangerous effects on your system 
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "docker.pkg.github.com/[some repo]:latest": POST https://docker.pkg.github.com/v2/[some repo]/blobs/uploads/: unexpected status code 404 Not Found: 404 page not found

Do you think it might be related to the latest releases?

aevea / action-kaniko Goto Github PK

action-kaniko's People

Contributors

Stargazers

Watchers

Forkers

action-kaniko's Issues

Detected dependencies

Summary

Version

Recommend Projects

Recommend Topics

Recommend Org