Apparently the docker-in-docker approach has some flaws including
needing privileged mode to run and being quite slow. An alternative
approach is to use Google's kaniko tool. It also works across
different gitlab executors.
Following the gitlab example code we drop all the direct docker calls
and usage of the script and make a direct call to kaniko and hope the
images are cacheable by others.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20230224180857.1050220-8-alex.bennee@linaro.org>
---
v2
- add danpb's --cache suggestions
---
.gitlab-ci.d/container-template.yml | 22 ++++++++++------------
1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/.gitlab-ci.d/container-template.yml
b/.gitlab-ci.d/container-template.yml
index 519b8a9482..cd8e0a1ff6 100644
--- a/.gitlab-ci.d/container-template.yml
+++ b/.gitlab-ci.d/container-template.yml
@@ -1,21 +1,19 @@
.container_job_template:
extends: .base_job_template
- image: docker:stable
+ image:
+ name: gcr.io/kaniko-project/executor:v1.9.0-debug
+ entrypoint: [""]
stage: containers
- services:
- - docker:dind
before_script:
- export TAG="$CI_REGISTRY_IMAGE/qemu/$NAME:latest"
- export COMMON_TAG="$CI_REGISTRY/qemu-project/qemu/qemu/$NAME:latest"
- - apk add python3
- - docker info
- - docker login $CI_REGISTRY -u "$CI_REGISTRY_USER" -p
"$CI_REGISTRY_PASSWORD"
script:
- echo "TAG:$TAG"
- echo "COMMON_TAG:$COMMON_TAG"
- - docker build --tag "$TAG" --cache-from "$TAG" --cache-from "$COMMON_TAG"
- --build-arg BUILDKIT_INLINE_CACHE=1
- -f "tests/docker/dockerfiles/$NAME.docker" "."
- - docker push "$TAG"
- after_script:
- - docker logout
+ - /kaniko/executor
+ --reproducible
+ --context "${CI_PROJECT_DIR}"
+ --cache=true
+ --cache-repo "${COMMON_TAG}"
+ --dockerfile
"${CI_PROJECT_DIR}/tests/docker/dockerfiles/$NAME.docker"
+ --destination "${TAG}"
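Review bot: The `--cache-repo "${COMMON_TAG}"` argument is given a value that already ends in `:latest`, but kaniko appears to treat the cache repo as a bare repository and append its own per-layer cache key as the tag, so cache lookups are likely to fail on an invalid reference. With `--cache=true` kaniko also tries to push new layers to that repo, and a job running in a fork will presumably have no write access to `qemu-project`. It is worth deciding explicitly whether forks only read the upstream cache or use a tagless repo of their own, for example `--cache-repo "$CI_REGISTRY_IMAGE/qemu/$NAME/cache"`. Separately, the executor image is pinned only by the mutable tag `v1.9.0-debug` while this job can push to the registry. Pinning by digest (`name: gcr.io/kaniko-project/executor:v1.9.0-debug@sha256:<digest>`, where the digest is a placeholder) would keep a re-tagged image from running in the pipeline.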