Standalone, daemon-less, unprivileged Dockerfile and OCI compatible container image builder.

Home Page: https://blog.jessfraz.com/post/building-container-images-securely-on-kubernetes/

License: MIT License

Makefile 6.15% Go 80.30% C 10.19% Shell 1.75% Dockerfile 1.62%
docker buildkit runc rootless containers cli linux opencontainers

img's Introduction

img


Standalone, daemon-less, unprivileged Dockerfile and OCI compatible container image builder.

img is more cache-efficient than Docker and can also execute multiple build stages concurrently, as it internally uses BuildKit's DAG solver.

The commands/UX are the same as docker {build,tag,push,pull,login,logout,save} so all you have to do is replace docker with img in your scripts, command line, and/or life.

Goals

This is a glorified CLI tool built on top of BuildKit. The goal of this project is to be able to build container images as an unprivileged user.

Running unprivileged lets organizations that use LDAP and other central login mechanisms give their users img without handing out root. This matters a great deal in HPC environments and academia as well.

Currently this works out of the box on a Linux machine if you install via the directions covered in installing from binaries. This installation will ensure you have the correct version of img and also runc.

Upstream Patches

The ultimate goal is to also have this work inside a container. There are patches being made to container runtimes and Kubernetes to make this possible. For the on-going work toward getting patches into container runtimes and Kubernetes, see:

The patches for runc have been merged upstream as of commit ecd55a4135e0a26de884ce436442914f945b1e76 (May 30, 2018). Upstream BuildKit can also run in rootless mode as of commit 65b526438b86a17cf35042011051ce15c8bfb92a (June 1, 2018).

You might also be interested in reading:

Benchmarks

If you are curious about benchmarks comparing various container builders, check out @AkihiroSuda's buildbench results.

Installation

You need to have newuidmap installed. On Ubuntu, newuidmap is provided by the uidmap package.

You also need to have seccomp installed. On Ubuntu, seccomp is provided by the libseccomp-dev package.

runc will be installed on start from an embedded binary if it is not already available locally. If you would like to disable the embedded runc you can use BUILDTAGS="seccomp noembed" while building from source with make. Or the environment variable IMG_DISABLE_EMBEDDED_RUNC=1 on execution of the img binary.

NOTE: These steps work only on Linux. Compile and run in a container (explained below) if you're on Windows or macOS.

Binaries

For installation instructions from binaries please visit the Releases Page.

From Source

$ mkdir -p $GOPATH/src/github.com/genuinetools
$ git clone https://github.com/genuinetools/img $GOPATH/src/github.com/genuinetools/img
$ cd !$
$ make
$ sudo make install

# For packagers if you would like to disable the embedded `runc`, please use:
$ make BUILDTAGS="seccomp noembed"

Alpine Linux

There is an APKBUILD.

$ apk add img

Arch Linux

There is an AUR build.

# Use whichever AUR helper you prefer
$ yay -S img

# Or build from the source PKGBUILD
$ git clone https://aur.archlinux.org/packages/img.git
$ cd img
$ makepkg -si

Gentoo

There is an ebuild.

$ sudo emerge -a app-emulation/img

Running with Docker

Docker image r.j3ss.co/img is configured to be executed as an unprivileged user with UID 1000 and it does not need --privileged since img v0.5.11.

# --volume $(pwd):/home/user/src:ro   build context and Dockerfile; read-only, since the build does not modify it
# --workdir /home/user/src            the builder's working directory
# --volume ${HOME}/.docker:...:ro     registry credentials for push; img runs as UID 1000 with
#                                     HOME=/home/user, so mount them under that home rather than /root
# --security-opt ...=unconfined       required by runc
$ docker run --rm -it \
    --name img \
    --volume "$(pwd):/home/user/src:ro" \
    --workdir /home/user/src \
    --volume "${HOME}/.docker:/home/user/.docker:ro" \
    --security-opt seccomp=unconfined --security-opt apparmor=unconfined \
    r.j3ss.co/img build -t user/myimage .

Mounting ~/.docker exposes every credential in that config file to the img container; prefer a config that holds only the registry you push to.

To enable PID namespace isolation (which stops build containers from signalling, e.g. via kill(2), the img process), you need to pass --privileged so that build containers can mount /proc inside their own PID namespaces; Docker's default masking of /proc paths otherwise makes that mount fail. Even with --privileged, img itself still runs as the unprivileged user with UID 1000, but --privileged drops the seccomp, AppArmor, device and capability restrictions on the container as a whole, so that UID is a much thinner boundary; reserve it for build inputs you trust.

See the docker/cli patch for how to allow mounting /proc without --privileged; it shipped in Docker 19.03 as --security-opt systempaths=unconfined.

Running with Kubernetes

Since img v0.5.11, you don't need to specify any securityContext for running img as a Kubernetes container.

However the following security annotations are needed. The key suffix after the slash is the container's name (img here); Kubernetes silently ignores an annotation whose suffix matches no container, so a typo leaves the default profiles in place:

container.apparmor.security.beta.kubernetes.io/img: unconfined
container.seccomp.security.alpha.kubernetes.io/img: unconfined

On Kubernetes 1.19 and later the seccomp annotation is superseded by securityContext.seccompProfile with type Unconfined on the container; the annotation form was removed in 1.27.

To enable PID namespace isolation, you need to set securityContext.procMount to Unmasked (or simply set securityContext.privileged to true). securityContext.procMount is available since Kubernetes 1.12 with Docker 18.06/containerd 1.2/CRI-O 1.12, and requires the ProcMountType feature gate to be enabled on the cluster.
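As an added example (not a manifest from the img project), the shell function below prints a complete Pod spec carrying those annotations keyed on the container name, the annotation-free seccomp setting, and the optional Unmasked procMount. The Pod name img-build, the claim name build-context and the assumption that the image's entrypoint is img (as the docker run example above implies) are this example's own.

```shell
# Added example, not the img project's own manifest: print a Pod that runs the
# r.j3ss.co/img image with the annotations the README requires. Assumptions:
# the Pod is named img-build, the build context comes from a PVC named
# build-context mounted at /home/user/src, and the image's entrypoint is img.

# img_pod_manifest [CONTAINER_NAME] [yes|no]
# The annotation keys must end in the container's name; Kubernetes ignores an
# annotation whose suffix matches no container, so the default AppArmor/seccomp
# profiles would stay applied and runc would fail later. The second argument
# selects procMount=Unmasked for PID namespace isolation (needs the
# ProcMountType feature gate on the cluster).
img_pod_manifest() {
    name="${1:-img}"
    proc_mount=Default
    if [ "${2:-no}" = yes ]; then
        proc_mount=Unmasked
    fi
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: img-build
  annotations:
    container.apparmor.security.beta.kubernetes.io/${name}: unconfined
    container.seccomp.security.alpha.kubernetes.io/${name}: unconfined
spec:
  restartPolicy: Never
  containers:
  - name: ${name}
    image: r.j3ss.co/img
    args: ["build", "-t", "user/myimage", "/home/user/src"]
    workingDir: /home/user/src
    securityContext:
      # annotation-free form of the seccomp setting on Kubernetes >= 1.19
      seccompProfile:
        type: Unconfined
      procMount: ${proc_mount}
    volumeMounts:
    - name: src
      mountPath: /home/user/src
      readOnly: true
  volumes:
  - name: src
    persistentVolumeClaim:
      claimName: build-context
EOF
}

# Usage: img_pod_manifest img yes | kubectl apply -f -
```

The seccomp annotation and seccompProfile are both emitted so the same manifest works on clusters before and after the annotation was removed; drop the annotation once every cluster you target is on 1.19 or later.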

Usage

Make sure you have user namespace support enabled. On some distros (Debian and Arch Linux) unprivileged user namespaces are off by default and must be enabled as root with echo 1 > /proc/sys/kernel/unprivileged_userns_clone (equivalently sysctl -w kernel.unprivileged_userns_clone=1; put the setting in /etc/sysctl.d/ to persist it across reboots).

$ img -h
img -  Standalone, daemon-less, unprivileged Dockerfile and OCI compatible container image builder

Usage: img [OPTIONS] COMMAND [ARG...]

Flags:
  -b, --backend string   backend for snapshots ([auto native overlayfs fuse-overlayfs]) (default "auto")
  -d, --debug            enable debug logging
  -h, --help             help for img
  -s, --state string     directory to hold the global state (default "/home/user/.local/share/img")
  -v, --version          Print version information and quit

Commands:
  build       Build an image from a Dockerfile
  du          Show image disk usage.
  help        Help about any command
  login       Log in to a Docker registry.
  logout      Log out from a Docker registry.
  ls          List images and digests.
  prune       Prune and clean up the build cache.
  pull        Pull an image or a repository from a registry.
  push        Push an image or a repository to a registry.
  rm          Remove one or more images.
  save        Save an image to a tar archive (streamed to STDOUT by default).
  tag         Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE.
  unpack      Unpack an image to a rootfs directory.
  version     Show the version information.

Use "img [command] --help" for more information about a command.

Build an Image

$ img build -h
build -  Build an image from a Dockerfile

Usage: img build [OPTIONS] PATH

Flags:
      --build-arg list    Set build-time variables
      --cache-from list   Buildkit import-cache or Buildx cache-from specification
      --cache-to list     Buildx cache-to specification
  -f, --file string       Name of the Dockerfile (Default is 'PATH/Dockerfile')
  -h, --help              help for build
      --label list        Set metadata for an image
      --no-cache          Do not use cache when building the image
      --no-console        Use non-console progress UI
  -o, --output string     BuildKit output specification (e.g. type=tar,dest=build.tar)
      --platform list     Set platforms for which the image should be built
  -t, --tag list          Name and optionally a tag in the 'name:tag' format
      --target string     Set the target build stage to build

Global Flags:
  -b, --backend string   backend for snapshots ([auto native overlayfs fuse-overlayfs]) (default "auto")
  -d, --debug            enable debug logging
  -s, --state string     directory to hold the global state (default "/home/user/.local/share/img")

Use just like you would docker build.

$ img build -t r.j3ss.co/img .
Building r.j3ss.co/img:latest
Setting up the rootfs... this may take a bit.
[+] Building 44.7s (16/16) FINISHED                                                        
 => local://dockerfile (Dockerfile)                                                   0.0s
 => => transferring dockerfile: 1.15kB                                                0.0s
 => local://context (.dockerignore)                                                   0.0s
 => => transferring context: 02B                                                      0.0s
 => CACHED docker-image://docker.io/tonistiigi/copy:v0.1.1@sha256:854cee92ccab4c6d63  0.0s
 => => resolve docker.io/tonistiigi/copy:v0.1.1@sha256:854cee92ccab4c6d63183d147389e  0.0s
 => CACHED docker-image://docker.io/library/alpine@sha256:e1871801d30885a610511c867d  0.0s
 => => resolve docker.io/library/alpine@sha256:e1871801d30885a610511c867de0d6baca7ed  0.0s
 => docker-image://docker.io/library/golang:1.10-alpine@sha256:98c1f3458b21f50ac2e58  5.5s
 => => resolve docker.io/library/golang:1.10-alpine@sha256:98c1f3458b21f50ac2e5896d1  0.0s
 => => sha256:866414f805391b58973d4e3d76e5d32ae51baecb1c93762c9751b9d6c5 126B / 126B  0.0s
 => => sha256:ae8dbf6f23bf1c326de78fc780c6a870bf11eb86b45a7dc567 308.02kB / 308.02kB  0.0s
 => => sha256:44ccce322b34208317d748e998212cd677c16f1a58c2ff5e59578c 3.86kB / 3.86kB  0.0s
 => => sha256:0d01df27c53e651ecfa5c689dafb8c63c759761a757cc37e30eccc5e3a 153B / 153B  0.0s
 => => sha256:ff3a5c916c92643ff77519ffa742d3ec61b7f591b6b7504599d95a 2.07MB / 2.07MB  0.0s
 => => sha256:4be696a8d726150ed9636ea7156edcaa9ba8293df1aae49f9e 113.26MB / 113.26MB  0.0s
 => => sha256:98c1f3458b21f50ac2e5896d14a644eadb3adcae5afdceac0cc9c2 2.04kB / 2.04kB  0.0s
 => => sha256:bb31085d5c5db578edf3d4e5541cfb949b713bb7018bbac4dfd407 1.36kB / 1.36kB  0.0s
 => => unpacking docker.io/library/golang:1.10-alpine@sha256:98c1f3458b21f50ac2e5896  5.4s
 => local://context                                                                   0.8s
 => => transferring context: 116.83MB                                                 0.8s
 => /bin/sh -c apk add --no-cache  bash  build-base  gcc  git  libseccomp-dev  linux  3.8s
 => copy /src-0 go/src/github.com/genuinetools/img/                                   1.5s
 => /bin/sh -c go get -u github.com/jteeuwen/go-bindata/...                           7.3s
 => /bin/sh -c make static && mv img /usr/bin/img                                    15.2s
 => /bin/sh -c git clone https://github.com/opencontainers/runc.git "$GOPATH/src/git  7.6s
 => /bin/sh -c apk add --no-cache  bash  git  shadow  shadow-uidmap  strace           2.3s
 => copy /src-0/img usr/bin/img                                                       0.5s
 => copy /src-0/runc usr/bin/runc                                                     0.4s
 => /bin/sh -c useradd --create-home --home-dir $HOME user  && chown -R user:user $H  0.4s
 => exporting to image                                                                1.5s
 => => exporting layers                                                               1.4s
 => => exporting manifest sha256:03e034afb839fe6399a271efc972da823b1b6297ea792ec94fa  0.0s
 => => exporting config sha256:92d033f9575176046db41f4f1feacc0602c8f2811f59d59f8e7b6  0.0s
 => => naming to r.j3ss.co/img:latest                                                 0.0s
Successfully built r.j3ss.co/img:latest

Cross Platform

img and the underlying buildkit library support building containers for arbitrary platforms (OS and architecture combinations). In img this can be achieved using the --platform option, but note that using the RUN command during a build requires installing support for the desired platform, and any FROM images used must exist for the target platform as well.

Some common platforms include:

  • linux/amd64
  • linux/arm64
  • linux/arm/v7
  • linux/arm/v6
  • linux/s390x
  • linux/ppc64le
  • darwin/amd64
  • windows/amd64

If you pass multiple --platform options for the same build, the per-platform images are combined into one manifest list, so a single tag resolves to the right image on each of the platforms built for.

The most common way to get RUN working in cross-platform builds is to install an emulator such as QEMU on the host system (statically linked qemu-user binaries are recommended, so the interpreter does not depend on shared libraries that the target rootfs may not contain). For the emulator to be usable inside the build environment, the kernel's binfmt_misc registrations must carry the flags OCF: O (open the binary and hand the interpreter a file descriptor), C (run with the credentials of the binary, preserving setuid semantics) and F (fix binary: open the interpreter at registration time, so it keeps working inside a chroot or container rootfs that does not contain qemu). You can check the settings in /proc to ensure they are set correctly.

$ cat /proc/sys/fs/binfmt_misc/qemu-arm | grep flags
flags: OCF

On Debian/Ubuntu the above should be available with the qemu-user-static package >= 1:2.12+dfsg-3

NOTE: cross-OS builds are slightly more complicated to get RUN commands working, but follow from the same principle.
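The flags check above can be scripted. The following is an added example, not code from the img project: it reads every qemu-* registration under binfmt_misc and confirms that all three flags are present, naming the registration that falls short. The directory argument exists so the check can run against a constructed copy of the tree.

```shell
# Added example, not code from the img project: check that every qemu-*
# binfmt_misc registration carries the O, C and F flags. DIR defaults to the
# real binfmt_misc mount but can point at a constructed tree for testing.

# binfmt_flags FILE : prints the flags field of one registration, empty if absent
binfmt_flags() {
    sed -n 's/^flags: *//p' "$1"
}

# binfmt_ok FILE : returns 0 only when O, C and F are all present.
# O passes an open fd of the binary to the interpreter, C keeps the binary's
# credentials (setuid bits), and F opens the interpreter at registration time
# so it still resolves inside a build rootfs that does not contain qemu.
binfmt_ok() {
    flags=$(binfmt_flags "$1")
    for need in O C F; do
        case "$flags" in
            *"$need"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# check_binfmt_dir [DIR] : reports every qemu-* registration; non-zero if any
# of them lacks OCF or none are registered at all.
check_binfmt_dir() {
    dir="${1:-/proc/sys/fs/binfmt_misc}"
    rc=0
    for f in "$dir"/qemu-*; do
        if [ ! -e "$f" ]; then
            echo "no qemu-* registrations under $dir (is binfmt_misc mounted?)"
            return 1
        fi
        if binfmt_ok "$f"; then
            echo "ok   $(basename "$f"): $(binfmt_flags "$f")"
        else
            echo "FAIL $(basename "$f"): flags '$(binfmt_flags "$f")', need OCF"
            rc=1
        fi
    done
    return $rc
}

# Usage: check_binfmt_dir || echo "re-register qemu with the F flag"
```

A registration without F is the classic failure: the emulator works for a plain qemu-arm ./binary on the host, yet RUN steps inside the build die with "exec format error" because the build rootfs has no qemu binary at the registered path.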

Exporter Types

img can also use buildkit's exporter types directly to output the resulting image to a Docker-type bundle or a rootfs tar without saving the image itself locally. Builds will still benefit from caching.

The output type and destination are specified with the --output flag. The list of valid output specifications includes:

Flag                                 Description
-o type=tar,dest=rootfs.tar          export the rootfs of the target image to a tar archive
-o type=tar                          write the rootfs tar to stdout, for use in piped commands
-o type=docker,dest=image.tar        save a Docker-format bundle of the image (loadable with docker load)
-o type=oci,dest=image.tar           save an OCI-format bundle of the image
-o type=local,dest=rootfs/           export the rootfs of the target image into that directory
-o type=image,name=r.j3ss.co/img     build, tag and store the image locally (what img build -t does)

Combined with a Dockerfile whose final stage is FROM scratch and only copies the files of interest from earlier stages with COPY --from=..., this turns img into a general build-artifact extractor: the exported tar or directory contains exactly those files and nothing from the build environment.
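The following shell functions are an added example, not part of the img project, showing that pattern end to end: a two-stage Dockerfile whose last stage starts FROM scratch, exported with the local exporter. The Dockerfile content, the golang:1.20-alpine base image and the /hello artifact path are constructed for this example.

```shell
# Added example, not part of the img project: use the local exporter to pull
# build artifacts out of a multi-stage build. The Dockerfile below, the
# golang:1.20-alpine base and the output paths are constructed for this example.

# write_artifact_dockerfile DIR
# The final stage is FROM scratch, so the exported tree contains only what
# COPY --from brings across from the build stage: no toolchain, no sources.
write_artifact_dockerfile() {
    cat > "$1/Dockerfile" <<'EOF'
FROM golang:1.20-alpine AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/hello .

FROM scratch
COPY --from=build /out/hello /hello
EOF
}

# export_artifacts CTX DEST
# Runs img with the local exporter; DEST ends up holding just /hello.
# Nothing is added to img's image store, but layer caching still applies,
# so a rebuild with unchanged sources is a no-op apart from the export.
export_artifacts() {
    mkdir -p "$2"
    img build -o "type=local,dest=$2" "$1"
    [ -x "$2/hello" ] || { echo "artifact missing from $2" >&2; return 1; }
}

# Streaming alternative when the consumer is another process:
#   img build -o type=tar "$ctx" | tar -xf - -C "$dest"
```

Because the scratch stage carries no shell, anything the build stage leaves behind (credentials passed by --build-arg, package caches, intermediate object files) never reaches the exported tree unless a COPY --from names it explicitly.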

List Image Layers

$ img ls -h
ls -  List images and digests.

Usage: img ls [OPTIONS]

Flags:
  -f, --filter list   Filter output based on conditions provided
  -h, --help          help for ls

Global Flags:
  -b, --backend string   backend for snapshots ([auto native overlayfs fuse-overlayfs]) (default "auto")
  -d, --debug            enable debug logging
  -s, --state string     directory to hold the global state (default "/home/user/.local/share/img")
$ img ls
NAME                    SIZE            CREATED AT      UPDATED AT      DIGEST
jess/img:latest         1.534KiB        9 seconds ago   9 seconds ago   sha256:27d862ac32022946d61afbb91ddfc6a1fa2341a78a0da11ff9595a85f651d51e
jess/thing:latest       591B            30 minutes ago  30 minutes ago  sha256:d664b4e9b9cd8b3067e122ef68180e95dd4494fd4cb01d05632b6e77ce19118e

Pull an Image

If you need to use self-signed certs with your registry, see Using Self-Signed Certs with a Registry.

$ img pull -h
pull -  Pull an image or a repository from a registry.

Usage: img pull [OPTIONS] NAME[:TAG|@DIGEST]

Flags:
  -h, --help   help for pull

Global Flags:
  -b, --backend string   backend for snapshots ([auto native overlayfs fuse-overlayfs]) (default "auto")
  -d, --debug            enable debug logging
  -s, --state string     directory to hold the global state (default "/home/user/.local/share/img")
$ img pull r.j3ss.co/stress
Pulling r.j3ss.co/stress:latest...
Snapshot ref: sha256:2bb7a0a5f074ffe898b1ef64b3761e7f5062c3bdfe9947960e6db48a998ae1d6
Size: 365.9KiB

Push an Image

If you need to use self-signed certs with your registry, see Using Self-Signed Certs with a Registry.

$ img push -h
push -  Push an image or a repository to a registry.

Usage: img push [OPTIONS] NAME[:TAG]

Flags:
  -h, --help                help for push
      --insecure-registry   Push to insecure registry

Global Flags:
  -b, --backend string   backend for snapshots ([auto native overlayfs fuse-overlayfs]) (default "auto")
  -d, --debug            enable debug logging
  -s, --state string     directory to hold the global state (default "/home/user/.local/share/img")
$ img push jess/thing
Pushing jess/thing:latest...
Successfully pushed jess/thing:latest

Tag an Image

$ img tag -h
tag -  Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE.

Usage: img tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]

Flags:
  -h, --help   help for tag

Global Flags:
  -b, --backend string   backend for snapshots ([auto native overlayfs fuse-overlayfs]) (default "auto")
  -d, --debug            enable debug logging
  -s, --state string     directory to hold the global state (default "/home/user/.local/share/img")
$ img tag jess/thing jess/otherthing
Successfully tagged jess/thing as jess/otherthing

Export an Image to Docker

$ img save -h
save -  Save an image to a tar archive (streamed to STDOUT by default).

Usage: img save [OPTIONS] IMAGE [IMAGE...]

Flags:
      --format string   image output format (docker|oci) (default "docker")
  -h, --help            help for save
  -o, --output string   write to a file, instead of STDOUT

Global Flags:
  -b, --backend string   backend for snapshots ([auto native overlayfs fuse-overlayfs]) (default "auto")
  -d, --debug            enable debug logging
  -s, --state string     directory to hold the global state (default "/home/user/.local/share/img")
$ img save jess/thing | docker load
6c3d70c8619c: Loading layer [==================================================>]  9.927MB/9.927MB                                      
7e336c441b5e: Loading layer [==================================================>]  5.287MB/5.287MB                                      
533fecff21a8: Loading layer [==================================================>]   2.56MB/2.56MB                                       
3db7019eac28: Loading layer [==================================================>]  1.679kB/1.679kB                                      
Loaded image: jess/thing

Unpack an Image to a rootfs

$ img unpack -h
unpack -  Unpack an image to a rootfs directory.

Usage: img unpack [OPTIONS] IMAGE

Flags:
  -h, --help            help for unpack
  -o, --output string   Directory to unpack the rootfs to. (defaults to rootfs/ in the current working directory)

Global Flags:
  -b, --backend string   backend for snapshots ([auto native overlayfs fuse-overlayfs]) (default "auto")
  -d, --debug            enable debug logging
  -s, --state string     directory to hold the global state (default "/home/user/.local/share/img")
$ img unpack busybox
Successfully unpacked rootfs for busybox to: /home/user/rootfs

Remove an Image

$ img rm -h
rm -  Remove one or more images.

Usage: img rm [OPTIONS] IMAGE [IMAGE...]

Flags:
  -h, --help   help for rm

Global Flags:
  -b, --backend string   backend for snapshots ([auto native overlayfs fuse-overlayfs]) (default "auto")
  -d, --debug            enable debug logging
  -s, --state string     directory to hold the global state (default "/home/user/.local/share/img")

Disk Usage

$ img du -h
du -  Show image disk usage.

Usage: img du [OPTIONS]

Flags:
  -f, --filter list   Filter output based on conditions provided
  -h, --help          help for du

Global Flags:
  -b, --backend string   backend for snapshots ([auto native overlayfs fuse-overlayfs]) (default "auto")
  -d, --debug            enable debug logging
  -s, --state string     directory to hold the global state (default "/home/user/.local/share/img")
$ img du 
ID                                                                      RECLAIMABLE     SIZE            DESCRIPTION
sha256:d9a48086f223d28a838263a6c04705c8009fab1dd67cc82c0ee821545de3bf7c true            911.8KiB        pulled from docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e
7ia86xm2e4hzn2u947iqh9ph2                                               true            203.2MiB        mount /dest from exec copy /src-0 /dest/go/src/github.com/genuinetools/img
...
sha256:9f131fba0383a6aaf25ecd78bd5f37003e41a4385d7f38c3b0cde352ad7676da true            958.6KiB        pulled from docker.io/library/golang:alpine@sha256:a0045fbb52a7ef318937e84cf7ad3301b4d2ba6cecc2d01804f428a1e39d1dfc
sha256:c4151b5a5de5b7e272b2b6a3a4518c980d6e7f580f39c85370330a1bff5821f1 true            472.3KiB        pulled from docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e
sha256:ae4ecac23119cc920f9e44847334815d32bdf82f6678069d8a8be103c1ee2891 true            148.9MiB        pulled from docker.io/library/debian:buster@sha256:a7789365b226786a0cb9e0f142c515f9f2ede7164a6f6be4a1dc4bfe19d5ec9c
bkrjrzv3nvp7lvzd5cw9vzut7*                                              true            4.879KiB        local source for dockerfile
sha256:db193011cbfc238d622d65c4099750758df83d74571e8d7498392b17df381207 true            467.2MiB        pulled from docker.io/library/golang:alpine@sha256:a0045fbb52a7ef318937e84cf7ad3301b4d2ba6cecc2d01804f428a1e39d1dfc
wn4m5i5swdcjvt1ud5bvtr75h*                                              true            4.204KiB        local source for dockerfile
Reclaimable:    1.08GiB
Total:          1.08GiB

Prune and Cleanup the Build Cache

$ img prune -h
prune -  Prune and clean up the build cache.

Usage: img prune [OPTIONS]

Flags:
  -h, --help   help for prune

Global Flags:
  -b, --backend string   backend for snapshots ([auto native overlayfs fuse-overlayfs]) (default "auto")
  -d, --debug            enable debug logging
  -s, --state string     directory to hold the global state (default "/home/user/.local/share/img")
$ img prune
ID                                                                      RECLAIMABLE     SIZE            DESCRIPTION
j1yil8bdz35eyxp0m17tggknd                                               true            5.08KiB         local source for dockerfile
je23wfyz2apii1au38occ8zag                                               true            52.95MiB        mount / from exec /bin/sh -c useradd --create-home...
sha256:74906c0186257f2897c5fba99e1ea87eb8b2ee0bb03b611f5e866232bfbf6739 true            2.238MiB        pulled from docker.io/tonistiigi/copy:v0.1.1@sha25...
vr2pvhmrt1sjs8n7jodesrvnz*                                              true            572.6MiB        mount / from exec /bin/sh -c git clone https://git...
afn0clz11yphlv6g8golv59c8                                               true            4KiB            local source for context
qx5yql370piuscuczutrnansv*                                              true            692.4MiB        mount / from exec /bin/sh -c make static && mv img...
uxocruvniojl1jqlm8gs3ds1e*                                              true            113.8MiB        local source for context
sha256:0b9cfed6a170b357c528cd9dfc104d8b404d08d84152b38e98c60f50d2ae718b true            1.449MiB        pulled from docker.io/tonistiigi/copy:v0.1.1@sha25...
vz0716utmnlmya1vhkojyxd4o                                               true            55.39MiB        mount /dest from exec copy /src-0/runc usr/bin/run...
a0om6hwulbf9gd2jfgmxsyaoa                                               true            646.5MiB        mount / from exec /bin/sh -c go get -u github.com/...
ys8y9ixi3didtbpvwbxuptdfq                                               true            641.2MiB        mount /dest from exec copy /src-0 go/src/github.co...
sha256:f64a552a56ce93b6e389328602f2cd830280fd543ade026905e69895b5696b7a true            1.234MiB        pulled from docker.io/tonistiigi/copy:v0.1.1@sha25...
05wxxnq6yu5nssn3bojsz2mii                                               true            52.4MiB         mount /dest from exec copy /src-0/img usr/bin/img
wlrp1nxsa37cixf127bh6w2sv                                               true            35.11MiB        mount / from exec /bin/sh -c apk add --no-cache  b...
wy0173xa6rkoq49tf9g092r4z                                               true            527.4MiB        mount / from exec /bin/sh -c apk add --no-cache  b...
Reclaimed:      4.148GiB
Total:          4.148GiB

Login to a Registry

If you need to use self-signed certs with your registry, see Using Self-Signed Certs with a Registry.

$ img login -h
login -  Log in to a Docker registry.

Usage: img login [OPTIONS] [SERVER]

Flags:
  -h, --help              help for login
  -p, --password string   Password
      --password-stdin    Take the password from stdin
  -u, --username string   Username

Global Flags:
  -b, --backend string   backend for snapshots ([auto native overlayfs fuse-overlayfs]) (default "auto")
  -d, --debug            enable debug logging
  -s, --state string     directory to hold the global state (default "/home/user/.local/share/img")

Logout from a Registry

$ img logout -h
logout -  Log out from a Docker registry.

Usage: img logout [SERVER]

Flags:
  -h, --help   help for logout

Global Flags:
  -b, --backend string   backend for snapshots ([auto native overlayfs fuse-overlayfs]) (default "auto")
  -d, --debug            enable debug logging
  -s, --state string     directory to hold the global state (default "/home/user/.local/share/img")

Using Self-Signed Certs with a Registry

We do not allow users to pass custom certificate flags on commands because it is unnecessarily messy and can be handled through Linux itself, which we believe is a better user experience than having to pass three different flags just to communicate with a registry using self-signed or private certificates.

Below are instructions on adding a self-signed or private certificate to your trusted ca-certificates on Linux.

Make sure you have the package ca-certificates installed.

Copy the public half of your CA certificate (the one used to sign the CSR) into the local CA certificate directory, as root. On Debian and Ubuntu, update-ca-certificates only considers files with a .crt extension, so rename it on the way in:

$ cp cacert.pem /usr/local/share/ca-certificates/cacert.crt

Rebuild the bundle with your certificate included, run as root:

# On Debian/Ubuntu, update-ca-certificates alone is enough for files under
# /usr/local/share/ca-certificates. If you placed the certificate under
# /usr/share/ca-certificates instead, this brings up a menu: select the ask
# option, scroll to the certificate you are adding, mark it for inclusion,
# and select ok.
$ dpkg-reconfigure ca-certificates

# On other distros...
$ update-ca-certificates

Adding the CA this way is preferable to img push --insecure-registry, which disables TLS verification for that push instead of extending trust to your CA.
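The steps above, as an added example that is not part of the img project: a set of shell functions that validate the file is a PEM certificate, pick the anchor directory the running distribution uses, install with the .crt suffix update-ca-certificates requires, and then confirm the registry's chain validates. The RHEL-family anchor path and update-ca-trust command are added here; the ROOT argument to ca_anchor_dir exists only so the detection can be exercised against a constructed directory tree.

```shell
# Added example, not from the img project: install a private CA into the
# system trust store that img (and everything else using the system bundle)
# consults, picking the distribution's anchor directory. Assumptions: the CA
# file is PEM, install_ca runs as root, and ROOT is only used to test against
# a constructed directory tree (it defaults to the real filesystem root).

# ca_anchor_dir [ROOT] : prints the directory for locally added CA certificates
ca_anchor_dir() {
    root="${1:-}"
    if [ -d "$root/etc/pki/ca-trust/source/anchors" ]; then
        echo "$root/etc/pki/ca-trust/source/anchors"      # RHEL, Fedora, CentOS
    elif [ -d "$root/usr/local/share/ca-certificates" ]; then
        echo "$root/usr/local/share/ca-certificates"       # Debian, Ubuntu, Alpine
    else
        return 1
    fi
}

# is_pem_cert FILE : cheap sanity check before touching the trust store
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
        && grep -q -- '-----END CERTIFICATE-----' "$1"
}

# install_ca CERT.pem [NAME] : copy the CA into the anchor directory and
# rebuild the bundle. The .crt suffix matters: update-ca-certificates ignores
# other extensions.
install_ca() {
    cert="$1"; name="${2:-private-ca}"
    [ "$(id -u)" -eq 0 ] || { echo "install_ca must run as root" >&2; return 1; }
    is_pem_cert "$cert" || { echo "$cert is not a PEM certificate" >&2; return 1; }
    dir=$(ca_anchor_dir) || { echo "no known CA anchor directory" >&2; return 1; }
    cp "$cert" "$dir/$name.crt"
    if command -v update-ca-trust >/dev/null 2>&1; then
        update-ca-trust
    else
        update-ca-certificates
    fi
}

# verify_registry HOST:PORT : TLS handshake only, no image traffic; fails if
# the registry's chain does not validate against the system store.
verify_registry() {
    printf '' | openssl s_client -connect "$1" -servername "${1%%:*}" \
        -verify_return_error >/dev/null 2>&1
}

# Usage: install_ca ./cacert.pem corp-registry && verify_registry registry.example.internal:443
```

Run verify_registry before the first img push: a handshake failure here means the CA file was the wrong one (an intermediate rather than the root, or a server certificate), which is easier to diagnose than the generic x509 error img reports.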

How It Works

Unprivileged Mounting

To mount a filesystem without root access, img automatically invokes the newuidmap(1)/newgidmap(1) setuid binaries to map subordinate UID/GID ranges (SUBUIDs/SUBGIDs) into a user namespace. A whole range, not just one ID, is needed because package managers such as apt chown files to users other than the one running the build.

Make sure you have sufficient entries (typically >=65536) for your user in /etc/subuid and /etc/subgid.
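The requirements spread across the Installation and Usage sections and this one (newuidmap/newgidmap on the path, enough subordinate IDs, user namespaces enabled, libseccomp present) are the usual reasons a first unprivileged build fails. The preflight script below is an added example, not part of img; the 65536 threshold and the file paths are the ones this README names, and the kernel.unprivileged_userns_clone sysctl is treated as enabled when the file is absent, since only Debian and Arch kernels carry that knob.

```shell
# Added example, not part of the img project: preflight checks for running img
# as an unprivileged user. Paths and the >= 65536 threshold follow the README.

# subuid_count USER FILE
# Sums the sizes of all ranges assigned to USER in an /etc/subuid-style file
# ("user:start:count" per line). Prints 0 when USER has no entry.
subuid_count() {
    awk -F: -v u="$1" '$1 == u { n += $3 } END { print n + 0 }' "$2"
}

# userns_clone_enabled [FILE]
# Returns 0 when unprivileged user namespaces are allowed. The sysctl file
# exists only on kernels carrying the Debian/Arch patch; on other kernels a
# missing file means the knob is absent and namespaces are allowed by default
# (user.max_user_namespaces is the mainline way to turn them off).
userns_clone_enabled() {
    f="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    [ ! -e "$f" ] || [ "$(cat "$f")" = "1" ]
}

# img_preflight: runs every check for the invoking user, prints each finding
# and returns non-zero when any of them fails.
img_preflight() {
    rc=0
    user=$(id -un)
    for bin in newuidmap newgidmap; do
        command -v "$bin" >/dev/null 2>&1 \
            || { echo "missing $bin (Ubuntu: apt install uidmap)"; rc=1; }
    done
    for f in /etc/subuid /etc/subgid; do
        if [ ! -r "$f" ]; then
            echo "$f is missing or unreadable"; rc=1; continue
        fi
        n=$(subuid_count "$user" "$f")
        [ "$n" -ge 65536 ] \
            || { echo "$f: $user has $n subordinate ids, need >= 65536"; rc=1; }
    done
    userns_clone_enabled \
        || { echo "kernel.unprivileged_userns_clone is 0; set it to 1 as root"; rc=1; }
    ldconfig -p 2>/dev/null | grep -q libseccomp \
        || { echo "libseccomp not found (see the Installation section)"; rc=1; }
    return $rc
}

# Usage: img_preflight && img build -t user/myimage .
```

Adding the ranges when they are missing is a one-liner as root, usermod --add-subuids 100000-165535 --add-subgids 100000-165535 "$USER", but pick a start that does not overlap ranges already handed to other users, since overlapping ranges let one user's build containers write files owned by another's.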

High Level

Low Level

Snapshotter Backends

auto (default)

The auto backend selects a backend based on what the current system supports, preferring overlayfs, then fuse-overlayfs, then native.

native

The native backend creates image layers by simply copying files. copy_file_range(2) is used when available.

overlayfs

The overlayfs backend uses the kernel's native overlayfs support. To work unprivileged it requires a kernel patch from Ubuntu, see #22; mainline kernels from 5.11 onward also allow overlayfs mounts inside user namespaces, so on those the patch is not needed.

fuse-overlayfs

The fuse-overlayfs backend provides overlay support without any kernel patches. It requires a Linux kernel >= 4.18 and for fuse-overlayfs to be installed.

Contributing

Please do! This is a new project and can use some love <3. Check out the issues.

The local directories are mostly re-implementations of buildkit interfaces to be unprivileged.

Acknowledgements

A lot of this is based on the work of moby/buildkit. Thanks @tonistiigi and @AkihiroSuda!

img's People

Contributors

ageekymonk, ahamlinman, akihirosuda, ansemjo, automateaaron, azillion, chippiewill, ehotinger, fr33jc, frezbo, github-actions[bot], gregoryboue, hansmi, imgbot[bot], jessfraz, kekoav, mitchellh, netfalo, nogoegst, oxr463, paultag, pgavlin, rroller, ryancox, sparty02, svenwiltink, tcarrio, toc-me[bot], ulm0, westonsteimel


img's Issues

Document dependencies

I had to install a few dependencies on Ubuntu in order for the compiled binary to work. Not sure where the best place in the readme is, or else I'd make this a PR.

Dependencies

img depends on newuidmap and execv. To install these on Ubuntu run sudo apt install setpriv uidmap

Building from a local image fails

To repro:

  • docker tag ubuntu:16.04 base-ubuntu
  • Make a Dockerfile containing only FROM base-ubuntu
  • img build -t output .

The output is:

Building docker.io/library/output:latest
Setting up the rootfs... this may take a bit.
INFO[0000] resolving docker.io/library/base-ubuntu:latest
solving failed: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed

[CoreOS] failed to set xattr "security.selinux"

I'm trying to build a container image (privileged) with HEAD from today, which results in the following error:

$ docker run --privileged --rm  -it -v $(pwd)/:/app -w /app foo.bar/tools/img:4555214 build .
Building :latest
Setting up the rootfs... this may take a bit.
INFO[0000] resolving docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e
INFO[0000] resolving foo.bar/base/openjre:stable@sha256:82c9b96a039c57e5c9ac22b842de2ab91325d74b8f579c2724ad9e83372d9765
INFO[0000] resolving foo.bar/build/gradle:v2.14.1-8u151-jdk-alpine3.7@sha256:5f24ce66c3995c18ed1b91f3eba5344ab489ad1bd676b8a44580d9a8a123d379
INFO[0002] unpacking docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e
solving failed: failed to prepare extraction snapshot "extract-755639425-kXql sha256:c4151b5a5de5b7e272b2b6a3a4518c980d6e7f580f39c85370330a1bff5821f1": copying of parent failed: failed to copy xattrs: failed to set xattr "security.selinux" on /tmp/img/runc/naive/snapshots/snapshots/new-590228964/bin/copy: operation not supported
core@ip-10-43-129-95 ~ $ docker info
Containers: 26
 Running: 25
 Paused: 0
 Stopped: 1
Images: 12
Server Version: 17.09.1-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 06b9cb35161009dcb7123345749fef02f7cea8e0
runc version: 3f2f8b84a77f73d38244dd690525642a72156c64
init version: v0.13.2 (expected: 949e6facb77383876aeff8a6944dde66b3089574)
Security Options:
 seccomp
  Profile: default
 selinux
Kernel Version: 4.14.16-coreos
Operating System: Container Linux by CoreOS 1632.2.1 (Ladybug)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 7.792GiB
Name: ip-10-43-129-95.eu-central-1.compute.internal
ID: KQRT:YD45:RZMK:2UAQ:SKEM:6OIZ:RLCT:Q64P:KQNQ:M5XQ:BNL7:U7B3
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

selinux is permissive on the VM

core@ip-10-43-129-95 ~ $ sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mcs
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

If I don't mount the directory, but clone from within the img-container, the error is somewhat different:

$ docker run --privileged --rm  -it --entrypoint sh foo.bar/tools/img:4555214 
/ # git clone https://foo.bar/demo.git
Cloning into 'demo'...
remote: Counting objects: 1476, done.
remote: Compressing objects: 100% (592/592), done.
remote: Total 1476 (delta 487), reused 1334 (delta 375)
Receiving objects: 100% (1476/1476), 216.86 KiB | 9.43 MiB/s, done.
Resolving deltas: 100% (487/487), done.
/ # cd demo/
/demo # img build .
Building :latest
Setting up the rootfs... this may take a bit.
INFO[0000] resolving docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e 
INFO[0000] resolving foo.bar/base/openjre:stable@sha256:82c9b96a039c57e5c9ac22b842de2ab91325d74b8f579c2724ad9e83372d9765 
INFO[0000] resolving foo.bar/build/gradle:v2.14.1-8u151-jdk-alpine3.7@sha256:5f24ce66c3995c18ed1b91f3eba5344ab489ad1bd676b8a44580d9a8a123d379 
INFO[0002] unpacking foo.bar/base/openjre:stable@sha256:82c9b96a039c57e5c9ac22b842de2ab91325d74b8f579c2724ad9e83372d9765 
INFO[0002] unpacking docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e 
INFO[0002] Apply failure, attempting cleanup             error="mount callback failed on /tmp/containerd-mount849212772: context canceled" key="extract-434175501-XUXU sha256:cd7100a72410606589a54b932cabd804a17f9ae5b42a1882bd56d263e02b6215"
WARN[0003] Extraction snapshot "extract-434175501-XUXU sha256:cd7100a72410606589a54b932cabd804a17f9ae5b42a1882bd56d263e02b6215" removal failed  error="context canceled"
solving failed: failed to prepare extraction snapshot "extract-576675886-sWxZ sha256:c4151b5a5de5b7e272b2b6a3a4518c980d6e7f580f39c85370330a1bff5821f1": copying of parent failed: failed to copy xattrs: failed to set xattr "security.selinux" on /tmp/img/runc/naive/snapshots/snapshots/new-452528669/bin/copy: operation not supported

"solving failed" while building in Docker

When doing an img build on Docker (with the example from the README), I get a random "solving failed" error. For what it's worth, I'm on WSL.

/mnt/c/projects/customer
❯ uname -r && lsb_release -a && ls Dockerfile
3.4.0+
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.5 LTS
Release:        14.04
Codename:       trusty
Dockerfile

/mnt/c/projects/customer
❯ docker run --rm -it \
    --name img \
    --volume /tmp/state:/root/.img \
    --volume $(pwd):/src \
    --workdir /src \
    --privileged \
    --volume "${HOME}/.docker:/root/.docker:ro" \
    jess/img build -t user/myimage .
Building user/myimage:latest
Setting up the rootfs... this may take a bit.
solving failed: open /tmp/buildkit-mount580779614/Dockerfile: no such file or directory

Using umoci as a backend?

I was wondering if you were interested in using umoci as a backend, so that you don't have to use the "dodgy" FUSE backend or overlayfs (which requires either root or an Ubuntu kernel + user namespaces). umoci unpack --rootless works on effectively everything I've tried it on. You can take a look at https://github.com/cyphar/orca-build (which is a rootless image builder I wrote quite a long time ago) to see how it works in practice.

(Also, as an aside, now that we have img and orca-builder and Akihiro's PRoot plans and BuildKit and ..., maybe we should start consolidating some of these projects at some point? Re-implementing Dockerfiles isn't something that should be burning 5+ projects worth of development time IMHO.)

A couple of small build issues

On version 7d0952d of img,

  • dep ensure failed with
grouped write of manifest, lock and vendor: error while writing out vendor tree: failed to write dep tree: failed to export github.com/moby/buildkit: fatal: Not a valid object name all-changes

If I switched that all-changes to master, dep ensure succeeded.

  • There seems to be an undocumented minimum Go version required. make build with Go v1.8.3 failed with:
go build -tags "seccomp" -ldflags "-w -X github.com/genuinetools/img/version.GITCOMMIT=7e0cd67-dirty -X github.com/genuinetools/img/version.VERSION=v0.3.0" -o img .
# github.com/genuinetools/img/vendor/github.com/dmcgowan/go-tar
vendor/github.com/dmcgowan/go-tar/stat_unix.go:24: undefined: sync.Map
# github.com/genuinetools/img/vendor/github.com/moby/buildkit/client/llb
vendor/github.com/moby/buildkit/client/llb/marshal.go:37: syntax error: unexpected = in type declaration
make: *** [img] Error 2

With Go v1.10, it succeeded.

lchown failures on `img pull` when running on k8s

This may be an issue with my setup so all bets are off...

My setup:

  • Ubuntu 16.04 cluster set up via kubeadm (via the Heptio AWS quickstart, https://aws.amazon.com/quickstart/architecture/heptio-kubernetes/)
  • echo 1 > /proc/sys/kernel/unprivileged_userns_clone run on each node (not sure if it is necessary).

YAML file for workload:

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: img
  name: img
  annotations:
    container.apparmor.security.beta.kubernetes.io/img: unconfined
spec:
  containers:
  - image: r.j3ss.co/img
    imagePullPolicy: IfNotPresent
    name: img
    resources: {}
    command:
    - sleep
    - "600"
  restartPolicy: Never

Then:

workstation$ kubectl exec -t -i img -- ash
container# unshare -m -U --map-root-user
ns# img pull alpine
Pulling alpine...
INFO[0000] resolving docker.io/library/alpine:latest
INFO[0001] unpacking docker.io/library/alpine:latest
INFO[0001] Apply failure, attempting cleanup             error="mount callback failed on /tmp/containerd-mount735446913: lchown /tmp/containerd-mount735446913/etc/shadow: invalid argument" key="extract-337652914-e-vv sha256:cd7100a72410606589a54b932cabd804a17f9ae5b42a1882bd56d263e02b6215"
failed to extract layer sha256:cd7100a72410606589a54b932cabd804a17f9ae5b42a1882bd56d263e02b6215: mount callback failed on /tmp/containerd-mount735446913: lchown /tmp/containerd-mount735446913/etc/shadow: invalid argument

I haven't had time to debug further.

solving failed: invalid filename when using path to dockerfile

I am used to building an image whose Dockerfile is in a subfolder like images/bla/Dockerfile.
This is possible with docker by:

docker build -f images/bla/Dockerfile .

which makes the whole project available as context but still keeps the root directory safe.

Doing the same with img results in:
img build -f images/bla/Dockerfile .
solving failed: invalid filename: images/bla/Dockerfile

img pull does not use default docker registry

The README states that img is a drop-in replacement for docker (at least for the mentioned subcommands), but the following doesn’t work (whereas the docker variant does):

% img pull stapelberg/ci2
Pulling stapelberg/ci2:latest...
INFO[0000] resolving stapelberg/ci2:latest              
failed to do request: Head https://stapelberg/v2/ci2/manifests/latest: dial tcp: lookup stapelberg on 10.0.0.1:53: no such host

Proposal: Add option to save to dump image to rootfs

First of all I have to say I love this tool and want to use it.

Problem:
I would love to use the tool to bootstrap a container OS with my own CRI (nixing the need for docker to pull images). When I use docker to download my CRI image I need to untar it before I can runc the image. Would you be opposed to me adding an option to the save command to dump the image into a "rootfs" folder?

Solution:
Add option "-u" to img save command that dumps an image to a specified root folder.

Or something else?

I realize this is more of a convenience thing than anything else, but it would be nice.

Authentication to Azure ACR fails using admin user

Using built binaries for version v0.3.0, img login would succeed but any following operation (pull, push, etc) fails with the following error.
snapshotting the image failed: failed to fetch oauth token: unexpected status: 400 Bad Request

I was facing a similar issue using skopeo and found that the issue is with the upstream 'containers/image' dependency. see anchore/anchore-engine#18 for details.

Is it possible that the issue with img is related? anyone else having the same issue with Azure ACR?

multiple tags

Hi I'm wondering how can I add tags to an image similar to the docker tag command?

Thanks and this is awesome !

Error on img build. Copy command failing

I am testing img and creating the following image: https://github.com/Azure/blackbelt-aks-hackfest/tree/master/app/db Just mongodb with added datafiles.

This is Ubuntu 16.04.3 and I built locally from source.

I run the command: img build -t chzbrgr71/rating-db .

Output:

Building docker.io/chzbrgr71/rating-db:latest
Setting up the rootfs... this may take a bit.
INFO[0001] resolving docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e
INFO[0001] resolving docker.io/library/mongo:3.6.1-jessie@sha256:f734d0fbaecefa95e269f8902525a69151cd3626da88cafa5a277d623e4d7c24
INFO[0010] unpacking docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e
INFO[0011] unpacking docker.io/library/mongo:3.6.1-jessie@sha256:f734d0fbaecefa95e269f8902525a69151cd3626da88cafa5a277d623e4d7c24
solving failed: executor failed running [copy /src-0/heroes.json /dest/heroes.json]: operation not permitted

git clone onto a case-insensitive file system is problematic

There are name collisions that confuse git ( VERSION and version/ for example ). Active development will happen on Linux of course, but for casual clones to browse source on MacOS this can be confusing since it shows files as deleted immediately after a clone.

modifying /etc/hosts or /etc/resolv.conf in build fails

While attempting to build some large-ish rather complex images, I encountered issues with modifying files in a parent image. This is a simplified repro:

# img version
img:
 version     : v0.2.3
 git hash    : d87fd73
 go version  : go1.10
 go compiler : gc
 platform    : linux/amd64

Dockerfile:

# cat parent/Dockerfile
FROM alpine:3.5
RUN touch /etc/hosts2
RUN touch /etc/hosts

Works with Docker:

# docker build -t parent:local parent
Sending build context to Docker daemon  2.048kB
Step 1/3 : FROM alpine:3.5
 ---> 6c6084ed97e5
Step 2/3 : RUN touch /etc/hosts2
 ---> Running in fa8e9856a390
 ---> be982136ee56
Removing intermediate container fa8e9856a390
Step 3/3 : RUN touch /etc/hosts
 ---> Running in 780c5673e180
 ---> 8ccb2f085b5d
Removing intermediate container 780c5673e180
Successfully built 8ccb2f085b5d
Successfully tagged parent:local

Doesn't work with img:

# img build -t parent:local parent
Building parent:local
Setting up the rootfs... this may take a bit.
INFO[0001] resolving docker.io/library/alpine:3.5@sha256:9148d069e50eee519ec45e5683e56a1c217b61a52ed90eb77bdce674cc212f1e
RUN [/bin/sh -c touch /etc/hosts2]
--->
<--- bc0sl9ywmszi31wmcv8k0ssln 0 <nil>
RUN [/bin/sh -c touch /etc/hosts]
--->
touch: /etc/hosts: Read-only file system
<--- khsm1r5bve0h0bqmkk1l5064j 1 <nil>
solving failed: executor failed running [/bin/sh -c touch /etc/hosts]: exit code 1

Build fails on a clean machine? namespace is required: failed precondition

On a clean VM (Ubuntu 16.04.2 LTS), I am attempting to build img itself using img. The build fails with the error namespace is required: failed precondition

$ img build -t jess/img .
Building jess/img:latest
Setting up the rootfs... this may take a bit.
INFO[0004] resolving docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e
INFO[0004] resolving docker.io/library/alpine@sha256:7b848083f93822dd21b0a2f14a110bd99f6efb4b838d499df6d04a49d0debf8b
INFO[0004] resolving docker.io/library/golang:1.9-alpine@sha256:ab72eb6db0eda32d429becf8bb28f62081821cc1aa2d49430344083f87b1e6a2
solving failed: creating image docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e in image store failed: namespace is required: failed precondition

If I first manually pull the docker.io/tonistiigi/copy image, then the build starts working.

img pull docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e
img build -t jess/img .
Building jess/img:latest
Setting up the rootfs... this may take a bit.
INFO[0001] resolving docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e
INFO[0001] resolving docker.io/library/alpine@sha256:7b848083f93822dd21b0a2f14a110bd99f6efb4b838d499df6d04a49d0debf8b
INFO[0001] resolving docker.io/library/golang:1.9-alpine@sha256:ab72eb6db0eda32d429becf8bb28f62081821cc1aa2d49430344083f87b1e6a2
INFO[0009] unpacking docker.io/library/alpine@sha256:7b848083f93822dd21b0a2f14a110bd99f6efb4b838d499df6d04a49d0debf8b
INFO[0009] unpacking docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e
RUN [/bin/sh -c apk add --no-cache      bash    fuse    git     shadow  shadow-uidmap   strace]
--->

This seems to happen with 0.2 and 0.3

we should run img within userns with subuid/subgid (especially for `apt`)

This branch allows containers to use subuid/subgid (i.e. apt update works): https://github.com/jessfraz/img/compare/master...AkihiroSuda:allow-subuidgid.20180227?expand=1

However, img itself cannot "commit" the cache due to EPERM, as img
itself does not have access to files owned by its subusers (_apt).

  solving failed: failed to commit rt3w4yqk2tkibexmj15dtavb8: open /tmp/img/runc/naive/snapshots/snapshots/5/var/lib/apt/lists/partial: permission denied

So I suggest running img itself in userns with newuidmap/newgidmap.
(probably via reexec for better UX)

If we can run img itself in userns, we can also:

  • remove "mountless" code, which is not highly likely to be merged to upstream containerd/buildkit, and allow using Ubuntu-patched overlayfs again.
  • create netns (with SUID lxc-user-net or slirp) for better isolation, especially for
    prohibiting containers from accessing "abstract" sockets on the host.
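
The mapping this proposal relies on, as an added example that is not img's own code: it parses /etc/subuid entries (name:start:count) for one user and builds the argument list newuidmap(1)/newgidmap(1) expect (target pid, then triples of namespace ID, host ID, count), with the caller mapped to 0 and the delegated ranges to 1 and up. Function names and the sample entries are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// SubIDRange is one /etc/subuid (or /etc/subgid) entry "name:start:count": a block of host IDs delegated to a user.
type SubIDRange struct {
	Start, Count uint32
}

// ParseSubID returns the ranges delegated to user in text in /etc/subuid
// format. Malformed lines are errors, not skipped, so a bad entry cannot
// silently shrink the mapping.
func ParseSubID(text, user string) ([]SubIDRange, error) {
	var ranges []SubIDRange
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Split(line, ":")
		if len(f) != 3 {
			return nil, fmt.Errorf("line %d: expected name:start:count, got %q", n, line)
		}
		if f[0] != user {
			continue
		}
		start, err1 := strconv.ParseUint(f[1], 10, 32)
		count, err2 := strconv.ParseUint(f[2], 10, 32)
		if err1 != nil || err2 != nil || count == 0 {
			return nil, fmt.Errorf("line %d: bad range %q", n, line)
		}
		ranges = append(ranges, SubIDRange{Start: uint32(start), Count: uint32(count)})
	}
	return ranges, sc.Err()
}

// NewIDMapArgs builds the argument vector newuidmap(1)/newgidmap(1) expect:
// the target pid, then triples of (ID inside the namespace, host ID, count).
// ID 0 inside the namespace is the caller's own host ID and IDs 1.. cover the
// delegated ranges in order. With img itself running inside this namespace,
// files a build step chowns to a subuser such as _apt stay accessible to it.
func NewIDMapArgs(pid int, hostID uint32, ranges []SubIDRange) []string {
	u := func(v uint32) string { return strconv.FormatUint(uint64(v), 10) }
	args := []string{strconv.Itoa(pid), "0", u(hostID), "1"}
	next := uint32(1)
	for _, r := range ranges {
		args = append(args, u(next), u(r.Start), u(r.Count))
		next += r.Count
	}
	return args
}

func main() {
	// Stand-alone use: print the mapping for $USER. The pid (0 here) would be
	// that of the child that called unshare(CLONE_NEWUSER).
	data, err := os.ReadFile("/etc/subuid")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	ranges, err := ParseSubID(string(data), os.Getenv("USER"))
	if err != nil || len(ranges) == 0 {
		fmt.Fprintf(os.Stderr, "no usable subuid ranges for $USER: %v\n", err)
		os.Exit(1)
	}
	fmt.Println("newuidmap", strings.Join(NewIDMapArgs(0, uint32(os.Getuid()), ranges), " "))
}
```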

document how to have user namespace support enabled.

Hello

In the Readme there is

Make sure you have user namespace support enabled. On some distros (Debian and
Arch Linux) this requires running echo 1 > /proc/sys/kernel/unprivileged_ns_clone.

Is it possible to document how to do this?

[MacOS] fails due to volumes lacking extended file attributes (xattr)

Cool project! I was trying it out on MacOS and ran into the following issues.

The lack of extended file attributes from the volumes seems to cause the README's Running with docker snippet to fail on MacOS.

$ docker run --rm -it \
--name img \
--volume "${HOME}/tmp/imgstate:/tmp/img" \
--volume $(pwd):/src:ro \
--workdir /src \
--volume "${HOME}/.docker:/root/.docker:ro" \
--cap-add SYS_ADMIN \
--security-opt apparmor=unconfined \
--security-opt seccomp=unconfined \
--volume /sys/fs/cgroup:/sys/fs/cgroup \
r.j3ss.co/img build -t mrjensen/imgtest .
Building mrjensen/imgtest:latest
Setting up the rootfs... this may take a bit.
solving failed: failed to xattr Dockerfile: failed to xattr Dockerfile: operation not supported

The error above is returned from fsutil that uses continuity sysx to retrieve xattrs.

Building the same project with docker works as expected.

$ docker build -t imgtest .
Sending build context to Docker daemon  4.096kB
Step 1/6 : FROM golang:1.9.2
 ---> 138bd936fa29
Step 2/6 : ENV CGO_ENABLED=0
 ---> Using cache
 ---> 19cca4248b59
Step 3/6 : ENV GOOS=linux
 ---> Using cache
 ---> 1bd9908624e8
Step 4/6 : COPY main.go .
 ---> Using cache
 ---> 91b2032665a7
Step 5/6 : RUN go build -o /main ./main.go
 ---> Using cache
 ---> 5b095b1cf789
Step 6/6 : CMD ["/main"]
 ---> Using cache
 ---> 41e1310da98c
Successfully built 41e1310da98c
Successfully tagged imgtest:latest

Digging a little further, I replaced the xattrs with an empty map in fsutil (not a suggestion for a solution).

$ docker run --rm -it \
--name img \
--volume "${HOME}/tmp/imgstate:/tmp/img" \
--volume $(pwd):/src:ro \
--workdir /src \
--volume "${HOME}/.docker:/root/.docker:ro" \
--cap-add SYS_ADMIN \
--security-opt apparmor=unconfined \
--security-opt seccomp=unconfined \
--volume /sys/fs/cgroup:/sys/fs/cgroup \
img build -t mrjensen/imgtest .
Building mrjensen/imgtest:latest
Setting up the rootfs... this may take a bit.
INFO[0000] resolving docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e
INFO[0000] resolving docker.io/library/golang:1.9.2
solving failed: error getting credentials - err: exec: "docker-credential-osxkeychain": executable file not found in $PATH, out: ``

Docker for Mac uses the keychain to store the login, but mounting another folder without :ro and performing a login should fix that.

After getting the credentials up and running, copy fails because of the continuity sysx.

$ docker run --rm -it \
--name img \
--volume "${HOME}/tmp/imgstate:/tmp/img" \
--volume $(pwd):/src:ro \
--workdir /src \
--volume "${HOME}/tmp/docker:/root/.docker" \
--cap-add SYS_ADMIN \
--security-opt apparmor=unconfined \
--security-opt seccomp=unconfined \
--volume /sys/fs/cgroup:/sys/fs/cgroup \
img build -t mrjensen/imgtest .
Building mrjensen/imgtest:latest
Setting up the rootfs... this may take a bit.
INFO[0001] resolving docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e
INFO[0001] resolving docker.io/library/golang:1.9.2@sha256:947826b5b6bc42f6f25c8fae9fe89d5e2bf18ac87264856742c3baebb150ea9f
INFO[0002] unpacking docker.io/tonistiigi/copy@sha256:476e0a67a1e4650c6adaf213269a2913deb7c52cbc77f954026f769d51e1a14e
solving failed: failed to prepare extraction snapshot "extract-814747650-Gj99 sha256:c4151b5a5de5b7e272b2b6a3a4518c980d6e7f580f39c85370330a1bff5821f1": copying of parent failed: failed to copy xattrs: failed to list xattrs on /tmp/img/runc/naive/snapshots/snapshots/4/bin/copy: operation not supported

Multi-stage builds: COPY cannot directly reference external images

With docker image build, it is possible (yet undocumented, I think?) to specify e.g.

FROM scratch
COPY --from=consul:1.0.6 /bin/consul /bin/consul

With img, the build fails with

solving failed: stage consul:1.0.6 not found

To get the same functionality with img, I have to add a separate FROM line for it to work, like so:

FROM consul:1.0.6 AS consul
FROM scratch
COPY --from=consul /bin/consul /bin/consul

Some problem with prom/prometheus image pulling

Hello.

I've found some problem with prom/prometheus image pulling.

It fails with error:

$ sudo img pull prom/prometheus
Pulling prom/prometheus...
INFO[0000] resolving docker.io/prom/prometheus:latest
content digest sha256:aae7f9829bbbba8f98b3ebd4f2b5c47c09ed8f2e47a4f3022cae5aed546a4c3c: not found

And the same with grafana/grafana:
$ sudo img pull grafana/grafana
Pulling grafana/grafana...
INFO[0000] resolving docker.io/grafana/grafana:latest
content digest sha256:00e2e2ecc3e969d0766d6b9ed6139e8d9ae2d2c62a0a942953d2672636d8c022: not found

But with google/cadvisor and others all is ok:
$ sudo img pull google/cadvisor
Pulling google/cadvisor...
INFO[0000] resolving docker.io/google/cadvisor:latest
INFO[0002] unpacking docker.io/google/cadvisor:latest
Snapshot ref: sha256:81d2f700310845b28ec3fe27eb25a421824246bfb976c5736f0e24e06b088df3
Size: 66.99MiB

Versions:

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.3 LTS"

$ uname -a
Linux reddit-app 4.13.0-1011-gcp #15-Ubuntu SMP Mon Feb 12 16:29:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ runc --version
runc version 1.0.0-rc4
spec: 1.0.0

$ img version
img:
 version     : v0.2.4
 git hash    : e0622f7
 go version  : go1.9.4
 go compiler : gc
 platform    : linux/amd64

img build . results in an image with name `:latest`

Happy to take this on as my first feature!

Essentially, calling img build without -t results in an image with no name. The behaviour should be the same as docker.

Example:

><> cat Dockerfile 
FROM busybox
><> sudo img build .
Building :latest
Setting up the rootfs... this may take a bit.
INFO[0001] resolving docker.io/library/busybox@sha256:1669a6aa7350e1cdd28f972ddad5aceba2912f589f19a090ac75b7083da748db 
INFO[0001] exporting layers                             
INFO[0001] exporting manifest sha256:5d4c623608b70502543a1a6fb9bdd9af71d04944b765177531aee44e8da6621f 
INFO[0001] exporting config sha256:f19c6dac175d9d88f513773037c0e488bea06a10daae9fd639dfb15b6492c515 
INFO[0001] naming to :latest                            
Successfully built :latest
><> sudo img ls
NAME	SIZE	CREATED AT		UPDATED AT	DIGEST
:latest	426B	About a minute ago	3 seconds ago	sha256:5d4c623608b70502543a1a6fb9bdd9af71d04944b765177531aee44e8da6621f

Failure on copying files into the container. Golang unmarshal error

img version                       
img:
 version     : v0.3.0
 git hash    : f9fff83
 go version  : go1.10
 go compiler : gc
 platform    : linux/amd64

Line of my Dockerfile that img is failing on:

COPY deploy.sh /deploy.sh
Error:
RUN [copy /src-0 /dest/] ---> json: cannot unmarshal object into Go value of type []string <--- 9s7u262uf7w4pcee1wy9x6p01 1 <nil>
