Bazel docker容器镜像不复制文件

Question

我正在尝试模拟theRUN step，您可以在Bazel docker container image rule中使用如下所示的docker文件，但是由于container_image规则没有复制功能，所以我尝试使用可用的功能。

RUN GRPC_HEALTH_PROBE_VERSION=v0.3.1 && \
    wget -qO/bin/grpc_health_probe https://github.com/grpc-ecosystem/grpc-health-probe/releases/download/${GRPC_HEALTH_PROBE_VERSION}/grpc_health_probe-linux-amd64 && \
    chmod +x /bin/grpc_health_probe

  go_image(
      name = "go_auth_image",
      embed = [":go-auth_lib"],
      visibility = ["//visibility:public"],
  )

  container_image(
      name = "go_auth_api",
      visibility = ["//visibility:public"],
      base = ":go_auth_image",
      ports = ["5001", "5002"],
      files = ["grpc_health_probe-linux-amd64"],
      symlinks = {
          "grpc_health_prob-linux-amd64": "/bin/grpc_health_probe",
      },
      cmd = [
          "apk add --no-cache git",
          "chmod +x /bin/grpc_health_probe",
      ],
  )

注意：file_map似乎不是container_image的参数

当我将这个镜像部署到k8s时，镜像运行得很好，但是在描述pod时，活动探测器(如下所述)失败了。

          livenessProbe:
            exec:
              command: ["/bin/grpc_health_probe", "-addr=:5002"]
            initialDelaySeconds: 5
            periodSeconds: 30
            timeoutSeconds: 2
            successThreshold: 1
            failureThreshold: 3

  Warning  Unhealthy  6m42s                  kubelet            Liveness probe errored: rpc error: code = Unknown desc = failed to exec in container: failed to start exec "b6c89b7ec907e572f80be59e8d4b5cad6535a3479d67a3563a09e0d1d2f7ca03": OCI runtime exec failed: exec failed: container_linux.go:370: starting container process caused: exec: "/bin/grpc_health_probe": stat /bin/grpc_health_probe: no such file or directory: unknown

用Bazel设置这个探针的正确方法是什么(我已经确认这在Dockerfile设置中有效)

Answer 1

container_run_and_commit是最接近RUN的等价物。类似这样的东西是直接等效的：

load("@io_bazel_rules_docker//docker/util:run.bzl", "container_run_and_commit")

GRPC_HEALTH_PROBE_VERSION = "v0.3.1"

container_run_and_commit(
    name = "install_stuff",
    image = ":go_auth_image.tar",
    commands = [
        "wget -qO/bin/grpc_health_probe https://github.com/grpc-ecosystem/grpc-health-probe/releases/download/%s/grpc_health_probe-linux-amd64" % GRPC_HEALTH_PROBE_VERSION,
        "chmod +x /bin/grpc_health_probe",
    ],
)


container_image(
    name = "go_auth_api",
    visibility = ["//visibility:public"],
    base = ":install_stuff",
    ... # everything else you're doing with container_image
)

它运行命令a构建一个新映像，然后使用container_image向结果中添加内容。

然而，使用bazel进行更多的构建将更好地利用bazel的缓存，并且更具可重复性。我想这就是您对grpc_health_probe-linux-amd64源文件所做的事情。这种方法看起来像这样：

load("@io_bazel_rules_docker//docker/util:run.bzl", "container_run_and_commit")

container_image(
    name = "add_stuff",
    base = ":go_auth_image",
    ports = ["5001", "5002"],
    files = ["grpc_health_probe-linux-amd64"],
    symlinks = {
        "grpc_health_prob-linux-amd64": "/bin/grpc_health_probe",
    },
)

container_run_and_commit(
    name = "go_auth_api",
    visibility = ["//visibility:public"],
    image = ":add_stuff.tar",
    commands = [
        "apk add --no-cache git",
        "chmod +x /bin/grpc_health_probe",
    ],
)

它首先使用container_image添加内容，然后再运行命令。

此外，您可以不运行chmod +x，而是使用pkg_tar来打包file+symlink (它有一个symlinks属性，就像container_image一样)，然后设置mode = 0755。container_image.tars将获取tar文件并将其添加到图像中。通常，pkg_tar为构建文件提供了很大的灵活性，并且container_image直接将其功能的子集用于简单的用例。

container_image.cmd相当于Dockerfile中的CMD。它只是在容器使用时设置信息，在构建容器时不做任何事情。我觉得你根本不想把它用在这上面。

Answer 2

感谢@Brian-Silverman的帮助，我能够对我的所有问题进行分类，并获得了这个解决方案。

  go_image(
      name = "go_auth_image",
      embed = [":go-auth_lib"],
      visibility = ["//visibility:public"],
  )

  GRPC_HEALTH_PROBE_VERSION = "v0.4.5"


  container_run_and_commit_layer(
      name = "health_probe",
      image = "@grpc_health_image//image",
      commands = [
          "apk add --no-cache git",
          "wget -qO/bin/grpc_health_probe https://github.com/grpc-ecosystem/grpc-health-probe/releases/download/%s/grpc_health_probe-linux-amd64" % GRPC_HEALTH_PROBE_VERSION,
          "chmod +x /bin/grpc_health_probe",
      ],
  )

  container_image(
      name = "go_auth_api",
      base = ":go_auth_image",
      layers = [":health_probe",],
      visibility = ["//visibility:public"],
      ports = ["5001"],
  )

Answer 3

我已经回复了你的github问题，但为了提高可见性，我也在这里发布了答案:我会在Bazel中实现这一点，方法是在我想要的位置创建一个包含grpc_health_probe二进制文件的TAR，并将其添加到container_image规则的tars部分。我尽量避免使用RUN-like规则，因为它们引入了对docker工具链的依赖，并且不能保证它们是封闭的/可重现的。这里有一个悬而未决的问题：https://github.com/bazelbuild/rules_docker/issues/1961。

您可以将有问题的二进制文件声明为WORKSPACE (或由WORKSPACE调用的宏)中的依赖项，如下所示：

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_file")
GRPC_HEALTH_PROBE_VERSION = "v0.4.5"
GRPC_HEALTH_PROBE_SHA256 = "8699c46352d752d8f533cae72728b0e65663f399fc28fb9cd854b14ad5f85f44"
http_file(
    name = "grpc_health_probe_linux_amd64",
    executable = True,  # Here is your `chmod +x` from the `container_run_and_commit`
    sha256 = GRPC_HEALTH_PROBE_SHA256,
    downloaded_file_path = "grpc_health_probe",  # This is necessary to remove `-linux-amd64` from the end of the file name.
    urls = ["https://github.com/grpc-ecosystem/grpc-health-probe/releases/download/{}/grpc_health_probe-linux-amd64".format(GRPC_HEALTH_PROBE_VERSION)],
)

完成上述操作并包含rules_docker工具链配置后，您可以使用如下所示的构建文件将此二进制文件添加到容器镜像中：

load("@rules_pkg//:pkg.bzl", "pkg_tar")
load("@io_bazel_rules_docker//container:container.bzl", "container_image")

# This rule creates a TAR file containing the executable file
# /bin/grpc_health_probe.
pkg_tar(
    name = "health_probe_linux_amd64",
    srcs = ["@grpc_health_probe_linux_amd64//file"],
    package_dir = "/bin",  # specifying the path of the file
)

# Here, we add that health probe to our base image. In this case
# I've used the ubuntu image for a minimal example.
container_image(
    name = "health_probe_image",
    base = "YOUR_BASE_IMAGE_HERE",
    tars = [":health_probe_linux_amd64"],
)

Github回复：https://github.com/bazelbuild/rules_docker/issues/1943#issuecomment-998400122