feat(docker): multi-platform docker builds #54
This is a pretty crude approach which:

* detects if `docker build --push --platform=X,Y` is used
* if so breaks it into:
  * `docker build --load` for each platform
  * `docker push` for each platform
  * `docker manifest create`
  * `docker manifest push`

As `docker manifest` is an experimental feature it is guarded so that if anything fails, docker fallback is used.

And it is truly an experimental feature. For example it does not honor any of the buildx/docker daemon configs for things like insecure registries, so we do our best to fall back in those cases by passing the `--insecure` flag, which is not ideal, but there does not seem to be any way around it.

In addition this:

* ensures `CHALK_ID` is the same for all platform builds
* ensures `METADATA_ID` is different for each platform by forcing `DOCKER_PLATFORM` to be part of the chalk
* falls back to docker build on docker push failures when buildx is being used (see code comment for context)

* updating tests/README.md with how to set up docker locally
* adding tests entrypoint to configure buildx for tests
`docker manifest create` seems to be an experimental command and it has quirks related to insecure registries, whereas `imagetools` seems to work much better out of the box, so switching to it instead
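The decomposition described in the commit messages above, as a shell planner that prints the resulting commands instead of running them. This is an added example, not code from the chalk repository: the function names, the per-platform tag suffix, the build context `.` and passing the final image tag as the first argument are assumptions.

```shell
#!/bin/sh
# Added illustration, not chalk's code. Assumptions: function names, the
# per-platform tag suffix, and the build context ".".

# Print the platform list when argv is a multi-platform `build --push`;
# print nothing when docker should handle the command unchanged.
multi_platforms() {
    push=0 platforms="" want_value=0
    for arg in "$@"; do
        if [ "$want_value" = 1 ]; then
            platforms=$arg; want_value=0; continue
        fi
        case $arg in
            --push) push=1 ;;
            --platform=*) platforms=${arg#--platform=} ;;
            --platform) want_value=1 ;;   # value is the next argument
        esac
    done
    case $platforms in
        *,*) [ "$push" = 1 ] && printf '%s\n' "$platforms" ;;
    esac
    return 0
}

# Print the command plan, one command per line.
# $1 = final image tag, remaining arguments = the original docker argv.
plan_build() {
    tag=$1; shift
    platforms=$(multi_platforms "$@")
    if [ -z "$platforms" ]; then
        printf 'docker %s\n' "$*"   # single platform or no --push: pass through
        return 0
    fi
    refs=""
    old_ifs=$IFS; IFS=,
    for p in $platforms; do
        ref="$tag-$(printf '%s' "$p" | tr '/' '-')"   # assumed tag scheme
        printf 'docker build --load --platform=%s -t %s .\n' "$p" "$ref"
        printf 'docker push %s\n' "$ref"
        refs="$refs $ref"
    done
    IFS=$old_ifs
    # Stitch the per-platform images into one multi-platform tag.
    printf 'docker buildx imagetools create -t %s%s\n' "$tag" "$refs"
}

plan_build registry.example/app:1 build --push \
    --platform=linux/amd64,linux/arm64 -t registry.example/app:1 .
```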
It's all clean and straightforward.
Very nicely done.
@@ -500,7 +500,7 @@ proc addBuildCmdMetadataToMark(ctx: DockerInvocation) = | |||
dict.setIfNeeded("DOCKER_CHALK_ADDED_TO_DOCKERFILE", | |||
ctx.addedInstructions.join("\n")) | |||
|
|||
proc prepareToBuild*(state: DockerInvocation) = | |||
proc prepareToBuild(state: DockerInvocation) = |
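Review bot: dropping the `*` export marker on `prepareToBuild` (last line of the hunk) is only safe if no other module calls it, and nothing in the visible lines shows that. Confirm with a full build of the modules that import this file, and state the reason for narrowing visibility in the commit message so a later reader does not re-export it by reflex.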
I don't like the Nim visibility rules; I tend to err on the side of making everything visible, because the errors can be obtuse sometimes when you actually need cross module visibility. So I wouldn't change these, but 🤷
they weren't used anywhere but I think we can keep things private just to avoid potential naming conflicts
pending TODOs for PR:

* will need separate ticket as that's not trivial to handle all cases
* `docker push` has different config than `buildx`. when using buildx, we should always `--push` with `buildx`
Issue
https://github.com/crashappsec/chalk-internal/issues/826
Description
This is a pretty crude approach which:
In addition this:

* ensures `CHALK_ID` is the same for all platform builds
* ensures `METADATA_ID` is different for each platform by forcing `DOCKER_PLATFORM` to be part of the chalk
* falls back to docker build on docker push failures when buildx is being used (see code comment for context)
Testing
While tests are being worked on I used: