Custom image builds with Buildah

With OKD 4.6, a docker socket will not be present on the host nodes. This means the mount docker socket option of a custom build is not guaranteed to provide an accessible docker socket for use within a custom build image.

If you require this capability in order to build and push images, add the Buildah tool your custom build image and use it to build and push the image within your custom build logic. The following is an example of how to run custom builds with Buildah.

Using the custom build strategy requires permissions that normal users do not have by default because it allows the user to execute arbitrary code inside a privileged container running on the cluster. This level of access can be used to compromise the cluster and therefore should be granted only to users who are trusted with administrative privileges on the cluster.

Prerequisites

Creating custom build artifacts

You must create the image you want to use as your custom build image.

Procedure

  1. Starting with an empty directory, create a file named Dockerfile with the following content:

    1. FROM registry.redhat.io/rhel8/buildah
    2. # In this example, `/tmp/build` contains the inputs that build when this
    3. # custom builder image is run. Normally the custom builder image fetches
    4. # this content from some location at build time, by using git clone as an example.
    5. ADD dockerfile.sample /tmp/input/Dockerfile
    6. ADD build.sh /usr/bin
    7. RUN chmod a+x /usr/bin/build.sh
    8. # /usr/bin/build.sh contains the actual custom build logic that will be run when
    9. # this custom builder image is run.
    10. ENTRYPOINT ["/usr/bin/build.sh"]
  2. In the same directory, create a file named dockerfile.sample. This file is included in the custom build image and defines the image that is produced by the custom build:

    1. FROM registry.access.redhat.com/ubi8/ubi
    2. RUN touch /tmp/build
  3. In the same directory, create a file named build.sh. This file contains the logic that is run when the custom build runs:

    ```

    !/bin/sh

    Note that in this case the build inputs are part of the custom builder image, but normally this

    is retrieved from an external source.

    cd /tmp/input

    OUTPUT_REGISTRY and OUTPUT_IMAGE are env variables provided by the custom

    build framework

    TAG=”${OUTPUT_REGISTRY}/${OUTPUT_IMAGE}”

  1. # performs the build of the new image defined by dockerfile.sample
  2. buildah --storage-driver vfs bud --isolation chroot -t ${TAG} .
  3. # buildah requires a slight modification to the push secret provided by the service
  4. # account in order to use it for pushing the image
  5. cp /var/run/secrets/openshift.io/push/.dockercfg /tmp
  6. (echo "{ \"auths\": " ; cat /var/run/secrets/openshift.io/push/.dockercfg ; echo "}") > /tmp/.dockercfg
  7. # push the new image to the target for the build
  8. buildah --storage-driver vfs push --tls-verify=false --authfile /tmp/.dockercfg ${TAG}
  9. ```

Build custom builder image

You can use OKD to build and push custom builder images to use in a custom strategy.

Prerequisites

  • Define all the inputs that will go into creating your new custom builder image.

Procedure

  1. Define a BuildConfig object that will build your custom builder image:

    1. $ oc new-build --binary --strategy=docker --name custom-builder-image
  2. From the directory in which you created your custom build image, run the build:

    1. $ oc start-build custom-builder-image --from-dir . -F

    After the build completes, your new custom builder image is available in your project in an image stream tag that is named custom-builder-image:latest.

Use custom builder image

You can define a BuildConfig object that uses the custom strategy in conjunction with your custom builder image to execute your custom build logic.

Prerequisites

  • Define all the required inputs for new custom builder image.

  • Build your custom builder image.

Procedure

  1. Create a file named buildconfig.yaml. This file defines the BuildConfig object that is created in your project and executed:

    1. kind: BuildConfig
    2. apiVersion: v1
    3. metadata:
    4. name: sample-custom-build
    5. labels:
    6. name: sample-custom-build
    7. annotations:
    8. template.alpha.openshift.io/wait-for-ready: 'true'
    9. spec:
    10. strategy:
    11. type: Custom
    12. customStrategy:
    13. forcePull: true
    14. from:
    15. kind: ImageStreamTag
    16. name: custom-builder-image:latest
    17. namespace: <yourproject> (1)
    18. output:
    19. to:
    20. kind: ImageStreamTag
    21. name: sample-custom:latest
    1Specify your project name.
  2. Create the BuildConfig:

    1. $ oc create -f buildconfig.yaml
  3. Create a file named imagestream.yaml. This file defines the image stream to which the build will push the image:

    1. kind: ImageStream
    2. apiVersion: v1
    3. metadata:
    4. name: sample-custom
    5. spec: {}
  4. Create the imagestream:

    1. $ oc create -f imagestream.yaml
  5. Run your custom build:

    1. $ oc start-build sample-custom-build -F

    When the build runs, it launches a pod running the custom builder image that was built earlier. The pod runs the build.sh logic that is defined as the entrypoint for the custom builder image. The build.sh logic invokes Buildah to build the dockerfile.sample that was embedded in the custom builder image, and then uses Buildah to push the new image to the sample-custom image stream.