Skip to content

Commit

Permalink
docs: revamp quick start (#482)
Browse files Browse the repository at this point in the history 
Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
  • Loading branch information
@sozercan
sozercan committed Jan 23, 2024
1 parent 4708cce commit fc6b96b
Show file tree
Hide file tree
Showing 8 changed files with 206 additions and 214 deletions.
65 changes: 65 additions & 0 deletions website/docs/custom-address.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
---
title: Custom buildkit addresses
---

You may need to specify a custom address using the `--addr` flag. Here are the supported formats:

- `unix:///path/to/buildkit.sock` - Connect to buildkit over unix socket.
- `tcp://$BUILDKIT_ADDR:$PORT` - Connect to buildkit over TCP. (not recommended for security reasons)
- `docker://<docker connection spec>` - Connect to docker, currently only unix sockets are supported, e.g. `docker://unix:///var/run/docker.sock` (or just `docker://`).
- `docker-container://my-buildkit-container` - Connect to a buildkitd running in a docker container.
- `buildx://my-builder` - Connect to a buildx builder (or `buildx://` for the currently selected builder). *Note: only container-backed buildx instances are currently supported*
- `nerdctl-container://my-container-name` - Similar to `docker-container` but uses `nerdctl`.
- `podman-container://my-container-name` - Similar to `docker-container` but uses `podman`.
- `ssh://myhost` - Connect to a buildkit instance over SSH. Format of the host spec should mimic the SSH command.
- `kubepod://mypod` - Connect to buildkit running in a Kubernetes pod. Can also specify kubectl context and pod namespace (`kubepod://mypod?context=foo&namespace=notdefault`).

## Buildkit Connection Examples

### Option 1: Connect using defaults
```bash
copa patch -i docker.io/library/nginx:1.21.6 -r nginx.1.21.6.json -t 1.21.6-patched
```

### Option 2: Connect to buildx

```bash
docker buildx create --name demo
copa patch -i docker.io/library/nginx:1.21.6 -r nginx.1.21.6.json -t 1.21.6-patched --addr buildx://demo
```

### Option 3: Buildkit in a container

```bash
export BUILDKIT_VERSION=v0.12.4
docker run \
--detach \
--rm \
--privileged \
--name buildkitd \
--entrypoint buildkitd \
"moby/buildkit:$BUILDKIT_VERSION"

copa patch -i docker.io/library/nginx:1.21.6 -r nginx.1.21.6.json -t 1.21.6-patched --addr docker-container://buildkitd
```

### Option 4: Buildkit over TCP
```bash
export BUILDKIT_VERSION=v0.12.4
export BUILDKIT_PORT=8888
docker run \
--detach \
--rm \
--privileged \
-p 127.0.0.1:$BUILDKIT_PORT:$BUILDKIT_PORT/tcp \
--name buildkitd \
--entrypoint buildkitd \
"moby/buildkit:$BUILDKIT_VERSION" \
--addr tcp://0.0.0.0:$BUILDKIT_PORT

copa patch \
-i docker.io/library/nginx:1.21.6 \
-r nginx.1.21.6.json \
-t 1.21.6-patched \
-a tcp://0.0.0.0:$BUILDKIT_PORT
```
8 changes: 6 additions & 2 deletions website/docs/installation.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,12 +13,16 @@ brew install copa
You can download the latest and previous versions of `copa` from the [GitHub releases page](https://github.com/project-copacetic/copacetic/releases).

## Development Setup
The following instructions are for **Ubuntu 22.04** with the dependency versions supported as part of the [dev container](./contributing.md/#visual-studio-code-development-container) environment we use for builds and tests. For other distributions and OS, refer to the appropriate installation instructions for each of the components instead.

### Prequisitives
- [Go](https://go.dev/doc/install)
- [Docker](https://docs.docker.com/engine/install/)
- [Trivy](https://aquasecurity.github.io/trivy/latest/getting-started/installation/) (optional as a scanner)

```bash
git clone https://github.com/project-copacetic/copacetic
cd copacetic
make
# OPTIONAL: install copa to a pathed folder
sudo mv dist/linux_amd64/release/copa /usr/local/bin/
```
```
135 changes: 30 additions & 105 deletions website/docs/quick-start.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,11 +6,10 @@ This sample illustrates how to patch containers using vulnerability reports with

## Prerequisites

* An Ubuntu 22.04 VM configured through the [setup instructions](./installation.md). This includes:
* Linux or macOS configured through the [setup instructions](./installation.md). This includes:
* `copa` tool [built & pathed](./installation.md).
* [buildkit](https://github.com/moby/buildkit/#quick-start) daemon installed & pathed. [Examples](#buildkit-connection-examples)
* The `docker` daemon runs a buildkit service in-process. If you are using this for your buildkit instance, Docker must have the
[containerd image store feature](https://docs.docker.com/storage/containerd/) enabled.
* The `docker` daemon runs a buildkit service in-process. If you are using this for your buildkit instance, Docker must have the [containerd image store feature](https://docs.docker.com/storage/containerd/) enabled.
* If you are using a buildx instance, or using buildkitd directly, there is no need to enable the containerd image store. However, only images in a remote registry can be patched using these methods.
* [docker](https://docs.docker.com/desktop/linux/install/#generic-installation-steps) daemon running and CLI installed & pathed.
* [trivy CLI](https://aquasecurity.github.io/trivy/latest/getting-started/installation/) installed & pathed.
Expand All @@ -28,78 +27,21 @@ This sample illustrates how to patch containers using vulnerability reports with

```bash
trivy image --vuln-type os --ignore-unfixed docker.io/library/nginx:1.21.6
```

2. To patch the image, use the Trivy report and specify a buildkit instance to connect to:

By default copa will attempt to auto-connect to an instance in order:
1. Default docker buildkit endpoint (requires at least docker v24.0 with [containerd snapshotter](https://docs.docker.com/storage/containerd/#enable-containerd-image-store-on-docker-engine) support enabled)
1. Default docker buildkit endpoint (requires at least docker v24.0 with [containerd image store](https://docs.docker.com/storage/containerd/#enable-containerd-image-store-on-docker-engine) support enabled)
2. Currently selected buildx builder (see: `docker buildx --help`)
3. buildkit daemon at the default address `/run/buildkit/buildkitd.sock`

If an instance doesn't exist or that instance doesn't support all the features copa needs the next will be attempted.
You may need to specify a custom address using the `--addr` flag. Here are the supported formats:

- `unix:///path/to/buildkit.sock` - Connect to buildkit over unix socket.
- `tcp://$BUILDKIT_ADDR:$PORT` - Connect to buildkit over TCP. (not recommended for security reasons)
- `docker://<docker connection spec>` - Connect to docker, currently only unix sockets are supported, e.g. `docker://unix:///var/run/docker.sock` (or just `docker://`).
- `docker-container://my-buildkit-container` - Connect to a buildkitd running in a docker container.
- `buildx://my-builder` - Connect to a buildx builder (or `buildx://` for the currently selected builder). *Note: only container-backed buildx instances are currently supported*
- `nerdctl-container://my-container-name` - Similar to `docker-container` but uses `nerdctl`.
- `podman-container://my-container-name` - Similar to `docker-container` but uses `podman`.
- `ssh://myhost` - Connect to a buildkit instance over SSH. Format of the host spec should mimic the SSH command.
- `kubepod://mypod` - Connect to buildkit running in a Kubernetes pod. Can also specify kubectl context and pod namespace (`kubepod://mypod?context=foo&namespace=notdefault`).

#### Buildkit Connection Examples

Example: Connect using defaults:
```bash
copa patch -i docker.io/library/nginx:1.21.6 -r nginx.1.21.6.json -t 1.21.6-patched
```

Example: Connect to buildx
```
docker buildx create --name demo
copa patch -i docker.io/library/nginx:1.21.6 -r nginx.1.21.6.json -t 1.21.6-patched --addr buildx://demo
```

Example: Buildkit in a container
```
export BUILDKIT_VERSION=v0.12.0
docker run \
--detach \
--rm \
--privileged \
--name buildkitd \
--entrypoint buildkitd \
"moby/buildkit:$BUILDKIT_VERSION"
copa patch -i docker.io/library/nginx:1.21.6 -r nginx.1.21.6.json -t 1.21.6-patched --addr docker-container://buildkitd
```

Example: Buildkit over TCP
```
export BUILDKIT_VERSION=v0.12.0
export BUILDKIT_PORT=8888
docker run \
--detach \
--rm \
--privileged \
-p 127.0.0.1:$BUILDKIT_PORT:$BUILDKIT_PORT/tcp \
--name buildkitd \
--entrypoint buildkitd \
"moby/buildkit:$BUILDKIT_VERSION" \
--addr tcp://0.0.0.0:$BUILDKIT_PORT
copa patch \
-i docker.io/library/nginx:1.21.6 \
-r nginx.1.21.6.json \
-t 1.21.6-patched \
-a tcp://0.0.0.0:$BUILDKIT_PORT
```
If an instance doesn't exist or that instance doesn't support all the features copa needs the next will be attempted. Please see [custom buildkit addresses](custom-address.md) for more information.

In either case, `copa` is non-destructive and exports a new image with the specified `1.21.6-patched` label to the local Docker daemon.
In any of these cases, `copa` is non-destructive and exports a new image with the specified `1.21.6-patched` label to the local Docker daemon.

:::note
If you're running this sample against an image from a private registry instead,ensure that the credentials are configured in the default Docker config.json before running `copa patch`, for example, via `sudo docker login -u <user> -p <password> <registry>`.
If you're running this sample against an image from a private registry instead,ensure that the credentials are configured in the default Docker config.json before running `copa patch`, for example, via `docker login -u <user> -p <password> <registry>`.
:::

:::note
Expand All @@ -116,23 +58,23 @@ This sample illustrates how to patch containers using vulnerability reports with

```bash
$ docker history docker.io/library/nginx:1.21.6-patched
IMAGE CREATED CREATED BY SIZE COMMENT
a372df41e06d 1 minute ago mount / from exec sh -c apt install --no-ins… 26.1MB buildkit.exporter.image.v0
<missing> 3 months ago CMD ["nginx" "-g" "daemon off;"] 0B buildkit.dockerfile.v0
<missing> 3 months ago STOPSIGNAL SIGQUIT 0B buildkit.dockerfile.v0
<missing> 3 months ago EXPOSE map[80/tcp:{}] 0B buildkit.dockerfile.v0
<missing> 3 months ago ENTRYPOINT ["/docker-entrypoint.sh"] 0B buildkit.dockerfile.v0
<missing> 3 months ago COPY 30-tune-worker-processes.sh /docker-ent… 4.61kB buildkit.dockerfile.v0
<missing> 3 months ago COPY 20-envsubst-on-templates.sh /docker-ent… 1.04kB buildkit.dockerfile.v0
<missing> 3 months ago COPY 10-listen-on-ipv6-by-default.sh /docker… 1.96kB buildkit.dockerfile.v0
<missing> 3 months ago COPY docker-entrypoint.sh / # buildkit 1.2kB buildkit.dockerfile.v0
<missing> 3 months ago RUN /bin/sh -c set -x && addgroup --syst61.1MB buildkit.dockerfile.v0
<missing> 3 months ago ENV PKG_RELEASE=1~bullseye 0B buildkit.dockerfile.v0
<missing> 3 months ago ENV NJS_VERSION=0.7.0 0B buildkit.dockerfile.v0
<missing> 3 months ago ENV NGINX_VERSION=1.20.2 0B buildkit.dockerfile.v0
<missing> 3 months ago LABEL maintainer=NGINX Docker Maintainers <d… 0B buildkit.dockerfile.v0
<missing> 4 months ago /bin/sh -c #(nop) CMD ["bash"] 0B
<missing> 4 months ago /bin/sh -c #(nop) ADD file:09675d11695f65c5580.4MB
IMAGE CREATED CREATED BY SIZE COMMENT
262dacfeb193 About a minute ago mount / from exec sh -c apt install --no-ins… 41.1MB buildkit.exporter.image.v0
<missing> 20 months ago /bin/sh -c #(nop) CMD ["nginx" "-g" "daemon… 0B
<missing> 20 months ago /bin/sh -c #(nop) STOPSIGNAL SIGQUIT 0B
<missing> 20 months ago /bin/sh -c #(nop) EXPOSE 80 0B
<missing> 20 months ago /bin/sh -c #(nop) ENTRYPOINT ["/docker-entr… 0B
<missing> 20 months ago /bin/sh -c #(nop) COPY file:09a214a3e07c919a… 16.4kB
<missing> 20 months ago /bin/sh -c #(nop) COPY file:0fd5fca330dcd6a7… 12.3kB
<missing> 20 months ago /bin/sh -c #(nop) COPY file:0b866ff3fc1ef5b0… 12.3kB
<missing> 20 months ago /bin/sh -c #(nop) COPY file:65504f71f5855ca0… 8.19kB
<missing> 20 months ago /bin/sh -c set -x && addgroup --system -64.5MB
<missing> 20 months ago /bin/sh -c #(nop) ENV PKG_RELEASE=1~bullseye 0B
<missing> 20 months ago /bin/sh -c #(nop) ENV NJS_VERSION=0.7.3 0B
<missing> 20 months ago /bin/sh -c #(nop) ENV NGINX_VERSION=1.21.6 0B
<missing> 20 months ago /bin/sh -c #(nop) LABEL maintainer=NGINX Do… 0B
<missing> 20 months ago /bin/sh -c #(nop) CMD ["bash"] 0B
<missing> 20 months ago /bin/sh -c #(nop) ADD file:134f25aec8adf83cb91.8MB
```

4. Run the container to verify that the image has no regressions:
Expand All @@ -147,29 +89,12 @@ This sample illustrates how to patch containers using vulnerability reports with
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2022/05/16 18:00:17 [notice] 1#1: using the "epoll" event method
2022/05/16 18:00:17 [notice] 1#1: nginx/1.20.2
2022/05/16 18:00:17 [notice] 1#1: built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
2022/05/16 18:00:17 [notice] 1#1: OS: Linux 5.10.102.1-microsoft-standard-WSL2
2022/05/16 18:00:17 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2022/05/16 18:00:17 [notice] 1#1: start worker processes
2022/05/16 18:00:17 [notice] 1#1: start worker process 31
2022/05/16 18:00:17 [notice] 1#1: start worker process 32
2022/05/16 18:00:17 [notice] 1#1: start worker process 33
2022/05/16 18:00:17 [notice] 1#1: start worker process 34
2022/05/16 18:00:17 [notice] 1#1: start worker process 35
2022/05/16 18:00:17 [notice] 1#1: start worker process 36
2022/05/16 18:00:17 [notice] 1#1: start worker process 37
2022/05/16 18:00:17 [notice] 1#1: start worker process 38
2022/05/16 18:00:17 [notice] 38#38: signal 28 (SIGWINCH) received
2022/05/16 18:00:17 [notice] 36#36: signal 28 (SIGWINCH) received
2022/05/16 18:00:17 [notice] 33#33: signal 28 (SIGWINCH) received
2022/05/16 18:00:17 [notice] 32#32: signal 28 (SIGWINCH) received
2022/05/16 18:00:17 [notice] 34#34: signal 28 (SIGWINCH) received
2022/05/16 18:00:17 [notice] 35#35: signal 28 (SIGWINCH) received
2022/05/16 18:00:17 [notice] 37#37: signal 28 (SIGWINCH) received
2022/05/16 18:00:17 [notice] 1#1: signal 28 (SIGWINCH) received
2022/05/16 18:00:17 [notice] 31#31: signal 28 (SIGWINCH) received
2024/01/22 23:32:54 [notice] 1#1: using the "epoll" event method
2024/01/22 23:32:54 [notice] 1#1: nginx/1.21.6
2024/01/22 23:32:54 [notice] 1#1: built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
2024/01/22 23:32:54 [notice] 1#1: OS: Linux 6.2.0-1018-azure
2024/01/22 23:32:54 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2024/01/22 23:32:54 [notice] 1#1: start worker processes
```
You can stop the container by opening a new shell instance and running: `docker stop nginx-test`
1 change: 1 addition & 0 deletions website/sidebars.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ const sidebars = {
'introduction',
'installation',
'quick-start',
'custom-address',
'output',
'troubleshooting',
'design',
Expand Down
67 changes: 67 additions & 0 deletions website/versioned_docs/version-v0.6.x/custom-address.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
---
title: Custom buildkit addresses
---

If you need to specify a custom address using the `--addr` flag. Here are the supported formats:

- `unix:///path/to/buildkit.sock` - Connect to buildkit over unix socket.
- `tcp://$BUILDKIT_ADDR:$PORT` - Connect to buildkit over TCP. (not recommended for security reasons)
- `docker://<docker connection spec>` - Connect to docker, currently only unix sockets are supported, e.g. `docker://unix:///var/run/docker.sock` (or just `docker://`).
- `docker-container://my-buildkit-container` - Connect to a buildkitd running in a docker container.
- `buildx://my-builder` - Connect to a buildx builder (or `buildx://` for the currently selected builder). *Note: only container-backed buildx instances are currently supported*
- `nerdctl-container://my-container-name` - Similar to `docker-container` but uses `nerdctl`.
- `podman-container://my-container-name` - Similar to `docker-container` but uses `podman`.
- `ssh://myhost` - Connect to a buildkit instance over SSH. Format of the host spec should mimic the SSH command.
- `kubepod://mypod` - Connect to buildkit running in a Kubernetes pod. Can also specify kubectl context and pod namespace (`kubepod://mypod?context=foo&namespace=notdefault`).

## Buildkit Connection Examples

### Option 1: Connect using defaults

```bash
copa patch -i docker.io/library/nginx:1.21.6 -r nginx.1.21.6.json -t 1.21.6-patched
```

### Option 2: Connect to buildx

```bash
docker buildx create --name demo
copa patch -i docker.io/library/nginx:1.21.6 -r nginx.1.21.6.json -t 1.21.6-patched --addr buildx://demo
```

### Option 3: Buildkit in a container

```bash
export BUILDKIT_VERSION=v0.12.4
docker run \
--detach \
--rm \
--privileged \
--name buildkitd \
--entrypoint buildkitd \
"moby/buildkit:$BUILDKIT_VERSION"

copa patch -i docker.io/library/nginx:1.21.6 -r nginx.1.21.6.json -t 1.21.6-patched --addr docker-container://buildkitd
```

### Option 4: Buildkit over TCP

```bash
export BUILDKIT_VERSION=v0.12.4
export BUILDKIT_PORT=8888
docker run \
--detach \
--rm \
--privileged \
-p 127.0.0.1:$BUILDKIT_PORT:$BUILDKIT_PORT/tcp \
--name buildkitd \
--entrypoint buildkitd \
"moby/buildkit:$BUILDKIT_VERSION" \
--addr tcp://0.0.0.0:$BUILDKIT_PORT

copa patch \
-i docker.io/library/nginx:1.21.6 \
-r nginx.1.21.6.json \
-t 1.21.6-patched \
-a tcp://0.0.0.0:$BUILDKIT_PORT
```
8 changes: 6 additions & 2 deletions website/versioned_docs/version-v0.6.x/installation.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,12 +13,16 @@ brew install copa
You can download the latest and previous versions of `copa` from the [GitHub releases page](https://github.com/project-copacetic/copacetic/releases).

## Development Setup
The following instructions are for **Ubuntu 22.04** with the dependency versions supported as part of the [dev container](./contributing.md/#visual-studio-code-development-container) environment we use for builds and tests. For other distributions and OS, refer to the appropriate installation instructions for each of the components instead.

### Prequisitives
- [Go](https://go.dev/doc/install)
- [Docker](https://docs.docker.com/engine/install/)
- [Trivy](https://aquasecurity.github.io/trivy/latest/getting-started/installation/) (optional as a scanner)

```bash
git clone https://github.com/project-copacetic/copacetic
cd copacetic
make
# OPTIONAL: install copa to a pathed folder
sudo mv dist/linux_amd64/release/copa /usr/local/bin/
```
```

0 comments on commit fc6b96b

Please sign in to comment.