@andy108369
Last active May 29, 2023 16:11

Building docker images in an unprivileged container

This is a PoC only! Use the official Kaniko Docker image!

WARNING

DESTRUCTIVE!

Running Kaniko (built from source) erases the user from /etc/passwd upon execution. It is likely to destroy the container too, depending on what's in the Dockerfile. There might be a better-isolated way of running it, but I recommend using the official Kaniko container.

1. Get golang 1.20.4

apt purge golang-go
apt autoremove

rm -rf /usr/local/go

ARCH="amd64"
VERSION="1.20.4"
SHA256SUM="698ef3243972a51ddb4028e4a1ac63dc6d60821bf18e59a807e051fee0a385bd"

FILE="go${VERSION}.linux-${ARCH}.tar.gz"
URL="https://golang.org/dl/$FILE"

wget -c -O "$FILE" "$URL"

echo "${SHA256SUM}  ${FILE}" | sha256sum -c && tar -xvz -C /usr/local -f "${FILE}"


# Update environment variables to include go
cat >> ~/.bashrc << 'EOF'
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export GO111MODULE=on
export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin
EOF

source ~/.bashrc

2. Get Kaniko 1.10.0

git clone --depth=1 -b v1.10.0 https://github.com/GoogleContainerTools/kaniko.git
cd kaniko
make
install out/executor /usr/local/bin/

3. Preconfigure Kaniko

mkdir -p /kaniko/.docker
chmod 0700 /kaniko /kaniko/.docker

That's all!

Now you can use it:

cd dirwithdockerfile/
executor --context="$PWD" --dockerfile=Dockerfile --destination=myimage1:tag1 --no-push --tar-path="$PWD/image.tar"


For Docker Hub push:

cat > /kaniko/.docker/config.json << EOF
{
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": "$(echo -n 'youruser:yourpassword' | base64)"
        }
    }
}
EOF
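
One way to write the same config.json without putting the password on the command line or in shell history, as an added example that is not part of the original gist. `write_docker_auth` is a hypothetical helper name, and the secret is read from stdin.

```bash
#!/usr/bin/env bash
# Added example, not from the original gist. write_docker_auth is a
# hypothetical helper; the defaults mirror the paths used on this page.
#
# Usage: write_docker_auth USER [CONFIG_DIR] [REGISTRY] < secret
# The password or access token is read from stdin, so it never shows up in
# argv, the process list, or shell history.
write_docker_auth() {
    local user="$1"
    local dir="${2:-/kaniko/.docker}"
    local registry="${3:-https://index.docker.io/v1/}"
    local secret="" auth tmp

    [ -n "$user" ] || { echo "usage: write_docker_auth USER [DIR] [REGISTRY]" >&2; return 2; }
    # The auth value is base64("user:secret"); a ':' in the user name would
    # shift the split point when the registry client decodes it.
    case "$user" in *:*) echo "user must not contain ':'" >&2; return 2 ;; esac

    # read returns non-zero when the input lacks a trailing newline but
    # still fills the variable, so check the value instead of the status.
    IFS= read -r secret || true
    [ -n "$secret" ] || { echo "no secret on stdin" >&2; return 2; }

    # base64 wraps its output at 76 columns; strip the newlines so a long
    # token still yields a single-line JSON string.
    auth="$(printf '%s:%s' "$user" "$secret" | base64 | tr -d '\n')"

    # Assumption: REGISTRY contains no '"' or '\', so it is JSON-safe as is.
    (
        umask 077    # directory and file are created owner-only
        mkdir -p "$dir" &&
        tmp="$(mktemp "$dir/config.json.XXXXXX")" &&
        printf '{\n    "auths": {\n        "%s": {\n            "auth": "%s"\n        }\n    }\n}\n' \
            "$registry" "$auth" > "$tmp" &&
        mv -f "$tmp" "$dir/config.json"    # atomic replace, keeps mode 0600
    )
}
```

The resulting file still holds the credential in recoverable form, since base64 is an encoding and not encryption, so the owner-only permissions are what protect it.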
