Rebasing a container image from GCP Buildpacks #300
Replies: 1 comment 2 replies
-
Thanks @jama22 , this look like a great way to apply security updates! Interestingly, I can see that the rebase is done against the run image, which makes sense. In the main builder, the PHP runtime appears to be applying a compiled version of PHP to a generic base image from a tar.gz file, which would mean rebasing against the generic run image would update the underlying operating system, but not the PHP language runtime. It is not done this way for App Engine Standard - there is a run image specifically for PHP that already contains the PHP language runtime, presumably as some additional Docker layers on top of the generic run image and I'm guessing it's for this very reason - so you can update the language runtime with a rebase. Is there a reason the main builder is designed in a way that makes this impossible? |
Beta Was this translation helpful? Give feedback.
-
As some of you know, rebase is one of the more exciting features behing using CNBs. It allows you to swap out base images super quickly without having to rebuild the entire container image. This can be beneficial when you need to apply a security patch to a fleet of images.
source: Cloud Native buildpacks documentation on rebase
Some folks have asked (e.g. #169) how you would set up rebasing with GCP, so I decided to give it a shot as a Friday project
The Plan
The Runtimes team publishes new builders under
gcr.io/buildpacks/builder
. There are three tags worth looking at::latest
points tov1
, but will eventually move togoogle22
(see Ubuntu 22 builders now available for GCP Buildpacks #271)v1
an Ubuntu 18 based buildergoogle-22
an Ubuntu 22 based builderLimitations
gcr.io/buildpacks/builder
doesn't have a webhook or global push queue that we can tap into. Ideally I'd want to set up a trigger based off a webhook, but that might not be possibleApproach
cloudbuild.yaml
to configure our rebaseSteps
Set up Test Project on GitHub
For the sake of this demonstration, the complexity of this project doesn't actually matter. Just make sure you're using one of the supported languages. I grabbed a copy of the Python sample app from https://github.com/GoogleCloudPlatform/buildpack-samples/tree/master/sample-functions-framework-python
cloudbuild.yaml
Create a Cloud Build Trigger
Fire up the GCP Cloud Console web interface and load up the Cloud Build interface. From the sidebar, we're looking to bring up the Triggers menu
From there we're going to Create a Trigger in your preferred region
Fill in the important details:
main
, but you can use whatever branch you'd like/cloudbuild.yaml
I left the rest of the options to their defaults. Go ahead and CREATE the trigger
Create a
cloudbuild.yaml
Next we'll need to create a
cloudbuild.yaml
to live alongside your source code.In the first step, we're using
gcr.io/k8s-skaffold/pack
to run our rebase command againstgcr.io/buildpacks/google-22/run:latest
. With the--publish
flag we'll be pushing those changes back to our Artifact Registry bucket(Optional) In the second step, we're using 'gcr.io/google.com/cloudsdktool/cloud-sdk' to redeploy our app to Cloud Run.
cloudbuild.yaml
cloudbuild.yaml
to your repoTest it out
Going back to your Cloud Build Triggers page, you should now be able to manually invoke a rebase by click Run
Inspecting the build logs, you should see it rebase the image and redeploy to Cloud Run!
Setting up a timer
Following the instructions on Cloud Build's documentation, we can turn the manual trigger into a scheduled build that runs on your preferred cadence
Beta Was this translation helpful? Give feedback.
All reactions