Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support builds using base images on IPFS (nerdctl build --ipfs) #525

Merged
merged 1 commit into from
Nov 18, 2021

Conversation

ktock
Copy link
Member

@ktock ktock commented Nov 17, 2021

#465

This adds the ability to build images using base images on IPFS.
Now nerdctl can build, ship and run containers on IPFS, without registries.

To complete this patch, moby/buildkit@bb2e7ce needs to be relesed in BuildKit.
Currently this PR uses binaries built in a forked repo https://github.com/ktock/buildkit/releases/tag/v0.9.x-20211117.3 .
Released as v0.9.3 https://github.com/moby/buildkit/releases/tag/v0.9.3

Dockerfile

In Dockerfile, instead of ipfs:// prefix, you need to use the following image reference to point to an image on IPFS.

localhost:5050/ipfs/<CID>

Example Dockerfile:

FROM localhost:5050/ipfs/bafkreicq4dg6nkef5ju422ptedcwfz6kcvpvvhuqeykfrwq5krazf3muze
RUN echo hello > /hello

build

--ipfs options is required.

> nerdctl build --ipfs -t hello .
[+] Building 5.3s (6/6) FINISHED
 => [internal] load build definition from Dockerfile                                                                                              0.0s
 => => transferring dockerfile: 146B                                                                                                              0.0s
 => [internal] load .dockerignore                                                                                                                 0.0s
 => => transferring context: 2B                                                                                                                   0.0s
 => [internal] load metadata for localhost:5050/ipfs/bafkreicq4dg6nkef5ju422ptedcwfz6kcvpvvhuqeykfrwq5krazf3muze:latest                           0.1s
 => [1/2] FROM localhost:5050/ipfs/bafkreicq4dg6nkef5ju422ptedcwfz6kcvpvvhuqeykfrwq5krazf3muze@sha256:28bfa1fc6d491d3bee91bab451cab29c747e72917e  3.8s
 => => resolve localhost:5050/ipfs/bafkreicq4dg6nkef5ju422ptedcwfz6kcvpvvhuqeykfrwq5krazf3muze@sha256:28bfa1fc6d491d3bee91bab451cab29c747e72917e  0.0s
 => => sha256:7b1a6ab2e44dbac178598dabe7cff59bd67233dba0b27e4fbd1f9d4b3c877a54 28.57MB / 28.57MB                                                  2.1s
 => => extracting sha256:7b1a6ab2e44dbac178598dabe7cff59bd67233dba0b27e4fbd1f9d4b3c877a54                                                         1.7s
 => [2/2] RUN echo hello > /hello                                                                                                                 0.6s
 => exporting to oci image format                                                                                                                 0.6s
 => => exporting layers                                                                                                                           0.1s
 => => exporting manifest sha256:b96d490d134221ab121af91a42b13195dd8c5bf941012d7bfe07eabcf5259eda                                                 0.0s
 => => exporting config sha256:bd706574eab19009585b98826b06e63cf6eacf8d7193504dae75caa760332ca2                                                   0.0s
 => => sending tarball                                                                                                                            0.5s
unpacking docker.io/library/hello:latest (sha256:b96d490d134221ab121af91a42b13195dd8c5bf941012d7bfe07eabcf5259eda)...done
> nerdctl run --rm -it hello cat /hello
hello

compose

Compose also supports --ipfs option.

nerdctl compose up --build --ipfs
nerdctl compose build --ipfs

Details about localhost:5050/ipfs/<CID>

As of now, BuildKit doesn't support ipfs:// prefix. So nerdctl achieves builds on IPFS by having a read-only local registry backed by IPFS. This registry converts registry API requests to IPFS operations. IPFS-agnostic tools can pull images from IPFS via this registry.

When you specify --ipfs option to nerdctl bulid, it automatically starts the registry backed by the IPFS repo of the current $IPFS_PATH. By default, nerdctl exposes the registry at localhost:5050. You can change the address and can manually restart the registry using nerdctl ipfs registry up and nerdctl ipfs registry down.

The following example changes the registry API address to localhost:5555 instead of localhost:5050.

nerdctl ipfs registry down
nerdctl ipfs registry up --registry-address=localhost:5555

You'll also need to restart the registry when you change $IPFS_PATH to use.


@ktock ktock changed the title Support builds using based images on IPFS (nerdctl build --ipfs) Support builds using base images on IPFS (nerdctl build --ipfs) Nov 17, 2021
@AkihiroSuda
Copy link
Member

AkihiroSuda commented Nov 17, 2021

Maybe this flag should be like --listen-ipfs-proxy=localhost:5050.

```
nerdctl ipfs registry down
nerdctl ipfs registry up --registry-address=localhost:5555
```
Copy link
Member

@AkihiroSuda AkihiroSuda Nov 17, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should recommend this tool for Kubernetes users too, until we can get kube-apiserver and CRI to support IPFS image refs

@AkihiroSuda AkihiroSuda added this to the v0.14.0 milestone Nov 17, 2021
Use: "serve",
Short: "serve read-only registry backed by IPFS",
RunE: ipfsRegistryServeAction,
Hidden: true,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any reason to hide this?

}

// runRegistryAsContainer runs "nerdctl ipfs registry serve" as a container with --net=host.
// This function bind mounts nerdctl binary to a directory and runs that directory as the rootfs.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn’t work when the nerdctl binary is dynamically linked.
In such case this command should print a human-readable error that recommends to use the serve command directly

@ktock ktock force-pushed the ipfs-build branch 2 times, most recently from 248b51c to 43ea0c5 Compare November 18, 2021 05:13
@ktock ktock marked this pull request as ready for review November 18, 2021 05:16
pkg/ipfs/registry.go Outdated Show resolved Hide resolved
README.md Outdated

Flags:
- :nerd_face: `--ipfs-address`: Multiaddr of IPFS API (default is pulled from `$IPFS_PATH/api` file. If `$IPFS_PATH` env var is not present, it defaults to `~/.ipfs`).
- :nerd_face: `--listen-registry-port`: Listening port on localhost (default `5050`).
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we make this like --listen-registry=localhost:5050 so that we can specify non-localhost address too?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

@ktock ktock force-pushed the ipfs-build branch 2 times, most recently from 017fbb6 to 97968ca Compare November 18, 2021 07:48
Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
Copy link
Member

@AkihiroSuda AkihiroSuda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well done

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants