dockerfile 构建缓存权限问题
[英]dockerfile build cache permission issue
问题描述
I'm building a container using a binary like this:
我正在使用这样的二进制文件构建一个容器:
Basically the container will run an executable go program.基本上,容器将运行一个可执行的 go 程序。
FROM myrepo/ubi8/go-toolset:latest AS build
COPY --chown=1001:0 . /build
RUN cd /build && \
go env -w GO111MODULE=auto && \
go build
#---------------------------------------------------------------
FROM myrepo/ubi8/ubi-minimal:latest AS runtime
RUN microdnf update -y --nodocs && microdnf clean all && \
microdnf install go -y && \
microdnf install cronie -y && \
groupadd -g 1000 usercontainer && adduser -u 1000 -g usercontainer usercontainer && chmod 755 /home/usercontainer && \
microdnf clean all
ENV XDG_CACHE_HOME=/home/usercontainer/.cache
COPY executable.go /tmp/executable.go
RUN chmod 0555 /tmp/executable.go
USER usercontainer
WORKDIR /home/usercontainer
However, when running the container in Jenkins I'm getting this error:但是,在 Jenkins 中运行容器时,出现此错误:
failed to initialize build cache at /.cache/go-build: mkdir /.cache: permission denied
When running the container manually in a kubernetes deployment I'm not getting any issue but Jenkins is throwing this error and I can see the pod in CrashLoopBackOff and the container is showing the previous permissions issue.在 kubernetes 部署中手动运行容器时,我没有遇到任何问题,但 Jenkins 抛出此错误,我可以在 CrashLoopBackOff 中看到 pod,并且容器显示之前的权限问题。
Also, I'm not sure if I'm building the container correctly.另外,我不确定我是否正确构建了容器。 Maybe I need to include the executable go program in the binary and later create the runtime?也许我需要在二进制文件中包含可执行的 go 程序,然后再创建运行时?
Any clear example would be appreciated.任何明确的例子将不胜感激。
1 个解决方案
解决方案1
1 已采纳 2022-06-21 11:06:30
Go is a compiled language, which means that you don't actually need the go tool to run a Go program. Go 是一种编译语言,这意味着您实际上并不需要go工具来运行 Go 程序。 In a Docker context, a typical setup is to use a multi-stage build to compile an application, and then copy the built application into a final image that runs it.在 Docker 上下文中,典型的设置是使用多阶段构建来编译应用程序,然后将构建的应用程序复制到运行它的最终映像中。 The final image doesn't need the Go toolchain or the source code, just the compiled binary.最终的图像不需要 Go 工具链或源代码,只需要编译的二进制文件。
I might rewrite the final stage as:我可能会将最后阶段重写为:
FROM myrepo/ubi8/go-toolset:latest AS build
# ... as you have it now ...
FROM myrepo/ubi8/ubi-minimal:latest AS runtime
# Do not install `go` in this sequence
RUN microdnf update -y --nodocs &&
microdnf install cronie -y && \
microdnf clean all
# Create a non-root user, but not a home directory;
# specific uid/gid doesn't matter
RUN adduser --system usercontainer
# Get the built binary out of the first container
# and put it somewhere in $PATH
COPY --from=build /build/build /usr/local/bin/myapp
# Switch to a non-root user and explain how to run the container
USER usercontainer
CMD ["myapp"]
This sequence doesn't use go run or use any go command in the final image, which hopefully gets around the issue of needing a $HOME/.cache directory.此序列不使用go run或在最终映像中使用任何go命令,这有望解决需要$HOME/.cache目录的问题。 (It will also give you a smaller container and faster startup time.) (它还将为您提供更小的容器和更快的启动时间。)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.