I run multiple GitLab CI jobs that use Kaniko to build Docker images and push them to my private GitLab registry. My GitLab Runners use the Docker executor with privileged = false, and this setup has worked perfectly.
Here is my config.toml with the relevant information for my question:

```toml
[[runners]]
  executor = "docker"
  [runners.docker]
    image = "alpine:latest"
    privileged = false
```

My original, working GitLab CI configuration is:
```yaml
.kaniko_auth: &kaniko_auth
  - mkdir -p /kaniko/.docker
  - >
    echo '{ "auths": { "'"$CI_REGISTRY"'": { "auth": "'"$(echo -n "$CI_REGISTRY_USER:$CI_REGISTRY_PASSWORD" | base64)"'" }, "registre.private.com/private/private": { "auth": "'"$(echo -n "$CI_REGISTRY_USER:$CI_REGISTRY_PASSWORD" | base64)"'" } } }' > /kaniko/.docker/config.json

.kaniko:
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  before_script: *kaniko_auth
```

I then include this file in my .gitlab-ci.yml and use it like this:
```yaml
# Extract from my .gitlab-ci.yml
build_Golden_Complete:
  stage: build_docker
  extends: .kaniko
  parallel:
    matrix:
      - IMAGE_NAME: complete
        DOCKERFILE_PATH: ./ci_cd/DockerfileComplete
      - IMAGE_NAME: golden
        DOCKERFILE_PATH: ./ci_cd/DockerfileGolden
  script:
    - >
      /kaniko/executor
      --use-new-run
      --context "$CODE_DIRECTORY/"
      --dockerfile "$DOCKERFILE_PATH"
      --destination "$CONTAINER_IMAGE_BUILD:$SOME_TAG-$IMAGE_NAME"
      --build-arg "SRC_IMAGE=$SRC_IMAGE"
      --cache=true
```

Recently, I upgraded one of my Dockerfiles and now need to use the `#syntax=docker/dockerfile:labs` directive for some features.
But I've discovered that the gcr.io/kaniko-project/executor:debug image does not support this newer syntax, because it is no longer maintained. While Google archived the original Kaniko project, Chainguard maintains a fork. However, their actively updated images are behind their paywall or require an account.
Then, I explored alternatives like Buildah and BuildKit, but they fail because they require system calls that are blocked by Docker's default seccomp profile.
Adding `security_opt = ["seccomp:unconfined"]` in my config.toml for my workers would probably do the trick, but I don't want that; I want a solution that works like Kaniko, with modern support for Dockerfile syntax.
For BuildKit I tried the official GitLab documentation on the matter, which is:

```yaml
build-rootless:
  image:
    name: moby/buildkit:rootless
    entrypoint: [""]
  stage: build
  variables:
    BUILDKITD_FLAGS: --oci-worker-no-process-sandbox
  before_script:
    - mkdir -p ~/.docker
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > ~/.docker/config.json
  script:
    - |
      buildctl-daemonless.sh build \
        --frontend dockerfile.v0 \
        --local context=. \
        --local dockerfile=. \
        --output type=image,name=$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA,push=true
```

When I run this, I end up with:
```
could not connect to unix:///run/user/1000/buildkit/buildkitd.sock after 10 trials
========== log ==========
[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: operation not permitted
```

Then, I tried Buildah, also ending up with a denied unshare syscall:

```
Error during unshare(CLONE_NEWUSER): Operation not permitted
```

So, is there a free, actively maintained tool or a specific version of Kaniko that can build Docker images using modern Dockerfile syntax while running in a standard, non-privileged GitLab CI Docker executor, without requiring me to disable the default seccomp profile?
Note: Adding `security_opt = ["seccomp:unconfined"]` in the runner config didn't work for moby/buildkit:rootless. I ended up creating a special runner with `privileged = true`, which works, but this is not a long-term solution and only serves to unblock me for now.
```
error building image: parsing dockerfile: dockerfile parse error on line 60: unknown flag: --parents
```

However, from what I can tell, the repo is actively updated, so maybe this will be supported in a future update.
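As an added illustration of why the rootless BuildKit and Buildah attempts above are refused under the default seccomp profile (this is not code from the question or from any of the projects mentioned): a small Python evaluator that applies a constructed, cut-down profile in Docker's seccomp JSON format to the syscalls involved. The profile and the "any matching active rule allows" semantics are my simplification of Docker/libseccomp behaviour, not their code; the `clone` rule's `2114060288` mask of `CLONE_NEW*` bits mirrors the shape of the rule in Docker's default profile.

```python
import json

# Constructed, cut-down profile in Docker's seccomp JSON format. It is NOT the
# real default profile (which is far longer), but it keeps the two rules that
# matter here: plain clone() is allowed only when no CLONE_NEW* bit is set, and
# unshare()/namespace-creating clone() are allowed only with CAP_SYS_ADMIN.
PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "execve"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 2114060288, "valueTwo": 0, "op": "SCMP_CMP_MASKED_EQ"}]},
    {"names": ["clone", "unshare"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_ADMIN"]}}
  ]
}
""")
CLONE_NEWUSER = 0x10000000  # the flag Buildah's unshare() call above asks for
SIGCHLD = 0x11              # what an ordinary fork-style clone() passes

def _arg_matches(cond, args):
    """Evaluate one seccomp argument condition against the call's arguments."""
    actual = args[cond["index"]] if cond["index"] < len(args) else 0
    if cond["op"] == "SCMP_CMP_MASKED_EQ":  # (arg & value) == valueTwo
        return (actual & cond["value"]) == cond["valueTwo"]
    if cond["op"] == "SCMP_CMP_EQ":
        return actual == cond["value"]
    raise ValueError("unsupported op " + cond["op"])

def _rule_active(rule, caps):
    """Docker drops rules whose includes.caps the container lacks or whose
    excludes.caps it holds (simplified here: any listed cap counts)."""
    inc = rule.get("includes", {}).get("caps", [])
    exc = rule.get("excludes", {}).get("caps", [])
    return (not inc or any(c in caps for c in inc)) and not any(c in caps for c in exc)

def evaluate(profile, syscall, args=(), caps=()):
    """Return the action for syscall(*args) in a container holding caps.
    Any active rule whose argument conditions all match decides the call;
    otherwise defaultAction applies (the EPERM the logs above show)."""
    for rule in profile["syscalls"]:
        if syscall in rule["names"] and _rule_active(rule, caps):
            if all(_arg_matches(c, args) for c in rule.get("args", [])):
                return rule["action"]
    return profile["defaultAction"]
```

Running `evaluate(PROFILE, "unshare", (CLONE_NEWUSER,))` yields `SCMP_ACT_ERRNO` with the default capability set and `SCMP_ACT_ALLOW` once `CAP_SYS_ADMIN` is added, which is exactly the difference between the non-privileged runner and the `privileged = true` one.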