在GitHub操作中使用停靠/生成推送操作在本地生成对接者图像

Question

我的项目中有几个Dockerfile。一种是构建basic映像，它包含一些业务级别的抽象。其他人正在构建基于basic映像的服务。

因此，在我服务的Dockerfiles中，我有如下所示

FROM my-project/base
# Adding some custom logic around basic stuff

我使用GitHub操作作为我的CI/CD工具。起初，我有一步要把码头安装到我的工人，然后运行如下：

- name: Build base image
  working-directory: business
  run: docker build -t my-project/base .

- name: Build and push service
  working-directory: service
  run: |
    docker build -t my-ecr-repo/service .
    docker push my-ecr-repo/service

但后来我找到了码头/构建推送操作，并决定在我的管道中使用它：

- name: Build business-layer container
  uses: docker/build-push-action@v2
  with:
    load: true
    tags: my-project/base
    context: business
    file: business/Dockerfile

- name: Build service
  uses: docker/build-push-action@v2
  with:
    push: true
    tags: my-ecr-repo/service
    context: service
    file: service/Dockerfile

就目前而言，第二步试图下载docker.io/my-project/base，，但显然无法下载，因为我从不按基本映像：

ERROR: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed

问题是：构建图像的正确方法是什么，这样就可以通过以下本地构建步骤来访问它？

PS:我不想把我的裸体basic图片推到任何地方。

Answer 1

我相信你需要在你的基本图像和最终图像中设置load: true。这将更改使用本地停靠引擎处理图像的行为。我相信，如果你这样做的话，你需要单独推动一下，例如：

- name: Build business-layer container
  uses: docker/build-push-action@v2
  with:
    load: true
    tags: my-project/base
    context: business
    file: business/Dockerfile

- name: Build service
  uses: docker/build-push-action@v2
  with:
    load: true
    tags: my-ecr-repo/service
    context: service
    file: service/Dockerfile

- name: push service
  run: |
    docker push my-ecr-repo/service

另一种选择是使用本地注册表。这具有支持多平台构建的优点。但是，您将希望使用基本映像从load切换到push，并且我会将基本映像作为构建arg传递，以便更容易地处理Github操作之外的用例，例如：

jobs:
  local-registry:
    runs-on: ubuntu-latest
    services:
      registry:
        image: registry:2
        ports:
          - 5000:5000
    steps:
      - name: Login to DockerHub
        uses: docker/login-action@v1 
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      # qemu should only be needed for multi-platform images
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
        with:
          driver-opts: network=host
      - name: Build business-layer container
        uses: docker/build-push-action@v2
        with:
          push: true
          tags: localhost:5000/my-project/base
          context: business
          file: business/Dockerfile
      - name: Build service
        uses: docker/build-push-action@v2
        with:
          push: true
          tags: my-ecr-repo/service
          context: service
          file: service/Dockerfile
          build-args: |
            BASE_IMAGE=localhost:5000/my-project/base

然后，Dockerfile将允许将基本映像指定为构建arg：

ARG BASE_IMAGE=my-project/base
FROM ${BASE_IMAGE}
# ...

Answer 2

github操作docker/setup-buildx-action@v1默认为驱动程序docker-container 如文件所示。

这意味着默认情况下，构建将在容器中运行，因此图像在操作之外是不可用的。

解决方案是将驱动程序设置为docker

     ...

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
        with:
          driver: docker # defaults to "docker-containerized"

      - name: Build business-layer container
        uses: docker/build-push-action@v2
        with:
          # using "load: true" forces the docker driver
          # not necessary here, because we set it before
          #load: true
          tags: my-project/base:latest
          context: business
          file: business/Dockerfile

      - name: Build service
        uses: docker/build-push-action@v2
        with:
          # using "push: true" will lead to error:
          # Error: buildx call failed with: auto-push is currently not implemented for docker driver
          # so you will have to follow the solution outlined here:
          # https://github.com/docker/build-push-action/issues/100#issuecomment-715352826
          # and push the image manually following the build
          #push: true
          tags: my-ecr-repo/service:latest
          context: service
          file: service/Dockerfile

      # list all images, you will see my-ecr-repo/service and my-project/base
      - name: Look up images
        run: docker image ls

      # push the image manually, see above comment
      - name: Push image
        run: docker push my-ecr-repo/service:latest

     ...

Answer 3

无论出于什么原因，当我使用load: true时，使用build-push-action并不有效(在第一次使用时应该需要它，但是尝试在这两种情况下都添加它们)。我需要在第一次构建时使用cache-from和cache-to，这样我就不能更改默认的“停靠容器”驱动程序。

最后为我工作的是只对第一次构建使用该操作，并使用run命令执行第二次构建。

类似于：

- name: Build business-layer container
  uses: docker/build-push-action@v2
  with:
    load: true
    tags: my-project/base
    context: business
    file: business/Dockerfile

- name: Build service
  run:
    docker build \
      --file service/Dockerfile \
      --tag my-ecr-repo/service \
      service

- name: push service
  run: |
    docker push my-ecr-repo/service