You can build and push docker/oci images without the need to execute a docker daemon (and requiring privileged containers) thanks to tools like kaniko and buildah
Using Kaniko
Basic image build
A basic task for building images using kaniko is this. Add --no-push
if you don't want to push the image. This doesn't take care of registry authentication. See below for an example with registry authentication.
yaml
tasks:
# kaniko image doesn't have the git command installed
- name: checkout code
runtime:
containers:
- image: alpine/git
steps:
- clone:
- save_to_workspace:
contents:
- source_dir: .
dest_dir: .
paths:
- '**'
- name: build docker image
runtime:
containers:
- image: gcr.io/kaniko-project/executor:debug
shell: /busybox/sh
steps:
- restore_workspace:
dest_dir: .
#- run: /kaniko/executor --no-push
- run: /kaniko/executor --destination registry/image
depends:
- checkout code
With authentication
For more information refer to the kaniko doc. Kaniko document some ways to authenticate to gcr and aws registries and its images already include a credential helper for amazon ecr.
At the end you should create a docker config.json config file with the required auth data:
yaml
tasks:
# kaniko image doesn't have the git command installed
- name: checkout code
runtime:
containers:
- image: alpine/git
steps:
- clone:
- save_to_workspace:
contents:
- source_dir: .
dest_dir: .
paths:
- '**'
- name: build docker image
runtime:
containers:
- image: gcr.io/kaniko-project/executor:debug
environment:
DOCKERAUTH:
from_variable: dockerauth
shell: /busybox/sh
steps:
- restore_workspace:
dest_dir: .
- run:
name: generate docker config
command: |
cat << EOF > /kaniko/.docker/config.json
{
"auths": {
"https://index.docker.io/v1/": { "auth" : "$DOCKERAUTH" }
}
}
EOF
- run: /kaniko/executor --destination registry/image
depends:
- checkout code
Using Buildah
TODO