RFC: Support Dockerfiles #173
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,223 @@ | ||
| # Meta | ||
| [meta]: #meta | ||
| - Name: Support Dockerfiles | ||
| - Start Date: 2021-06-30 | ||
| - Author(s): sclevine | ||
| - RFC Pull Request: (leave blank) | ||
| - CNB Pull Request: (leave blank) | ||
| - CNB Issue: (leave blank) | ||
| - Supersedes: [RFC0069](https://github.com/buildpacks/rfcs/blob/main/text/0069-stack-buildpacks.md), [RFC#167](https://github.com/buildpacks/rfcs/pull/167) | ||
| - Depends on: [RFC#172](https://github.com/buildpacks/rfcs/pull/172) | ||
|
|
||
| # Summary | ||
| [summary]: #summary | ||
|
|
||
| This RFC introduces functionality for customizing base images, as an alternative to stackpacks ([RFC0069](https://github.com/buildpacks/rfcs/blob/main/text/0069-stack-buildpacks.md)). | ||
|
|
||
| # Motivation | ||
| [motivation]: #motivation | ||
|
|
||
| [RFC0069](https://github.com/buildpacks/rfcs/blob/main/text/0069-stack-buildpacks.md) introduces complexity by defining an API that allows buildpacks to modify base images. To avoid this complexity, we could rely on generated Dockerfiles for base image manipulation. This would simplify the original proposal by, e.g., only requiring a copy of the extension on the build-time base image. | ||
|
|
||
| # What it is | ||
| [what-it-is]: #what-it-is | ||
|
|
||
| This RFC proposes that we replace stackpacks with dynamically-generated build-time and runtime Dockerfiles that act as pre-build base image extensions. | ||
| These extensions would participate in detection and execute before the buildpack build process. | ||
|
|
||
| For a given application, a build that uses extensions could be optimized by creating a more narrowly-scoped builder that does not contain extensions. | ||
|
|
||
| # How it Works | ||
| [how-it-works]: #how-it-works | ||
|
|
||
| Note: kaniko, buildah, BuildKit, or the original Docker daemon may be used to apply Dockerfiles at the platform's discretion. The order of operations would be something like the following: | ||
| * `analyze` | ||
| * `detect` - after standard detection detect will also run extensions' bin/generate, output Dockerfiles are written to a volume | ||
| * `extend` - applies run.Dockerfiles to run image (could run in parallel with builder image extension) | ||
| * `extend` - applies build.Dockerfiles to builder image | ||
| * `restore` | ||
| * `build` | ||
| * `export` | ||
|
|
||
| When Dockerfiles are used to update the run image, care should be taken to ensure registry access prior to the `build` phase, to avoid long builds that fail due to incorrect credentials. | ||
|
|
||
| ### Dynamically-applied Dockerfiles | ||
|
|
||
| A builder image may include any number of "extensions" directories in `/cnb/extensions/`. | ||
|
|
||
| Extensions are similar to buildpacks: they have two executables: `./bin/detect` and `./bin/generate`. The interface for these executables is similar to a buildpack's `./bin/detect` and `./bin/build`. | ||
| However, instead of a `buildpack.toml` file, extensions have a `extension.toml` file: | ||
| ```toml | ||
| api = "<buildpack API version>" | ||
|
|
||
| [extension] | ||
| id = "<extension ID>" | ||
| name = "<extension name>" | ||
| version = "<extension version>" | ||
| homepage = "<extension homepage>" | ||
| description = "<extension description>" | ||
| keywords = [ "<string>" ] | ||
|
|
||
| [[extension.licenses]] | ||
| type = "<string>" | ||
| uri = "<uri>" | ||
| ``` | ||
|
|
||
| Extensions may be packaged and examined similar to buildpacks, but with analogous `pack extension` subcommands. | ||
|
|
||
| Other pack CLI commands, such as `pack builder create`, will be extended to include support for extensions. | ||
|
|
||
| Unlike buildpacks, | ||
| - Extensions must not be included in a meta-buildpacks | ||
| - Extensions must not have `order`/`group` definitions in `extension.toml` | ||
natalieparellano marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| Extensions participate in the buildpack detection process, with the same UID, GID, and interface for `./bin/detect`. | ||
| However, | ||
| - `./bin/detect` is optional for extensions, and they are assumed to pass detection when it is not present. Just like with buildpacks, a `./bin/detect` that exits with a 0 exit code passes detection, and fails otherwise. | ||
| - If an extension is missing `./bin/detect`, the extension root `./detect` directory is treated as a pre-populated output directory (i.e., extensions can include a static build plan). | ||
| - Extensions may only output `provides` entries to the build plan. They must not output `requires`. | ||
natalieparellano marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| - Extensions are not included in `order` definitions (e.g., in `builder.toml`); instead, a separate `order-extensions` table should be used. The `order-extensions` table will be prepended to each group in the provided `order` (as if `order-extensions` were a composite buildpack). | ||
| - Extensions are always `optional`. | ||
|
|
||
| Extensions generate Dockerfiles before the regular buildpack build phase. | ||
| To generate these Dockerfiles, the lifecycle executes the extension's `./bin/generate` executable with the same UID, GID, and interface as regular buildpacks. | ||
| However, | ||
| - Extensions `./bin/generate` must not write to the app directory. | ||
| - Extensions `<layers>` directory is replaced by an `<output>` directory. | ||
| - If an extension is missing `./bin/generate`, the extension root `./generate` directory is treated as a pre-populated `<output>` directory. | ||
|
|
||
| After `./bin/generate` executes, the `<output>` directory may contain | ||
| - `build.toml`, | ||
| - With an `args` table array with `name` and `value` fields that are provided as build args to `build.Dockerfile` | ||
| - `run.toml`, | ||
| - With an `args` table array with `name` and `value` fields that are provided as build args to `run.Dockerfile` | ||
| - Either or both of `build.Dockerfile` and `run.Dockerfile` | ||
|
|
||
| Support for other instruction formats, e.g., LLB JSON files, could be added in the future. | ||
|
|
||
| `build.Dockerfile` and `run.Dockerfile`target the builder image or runtime base image, respectively. | ||
|
|
||
| If no Dockerfiles are present, `./bin/generate` may still consume build plan entries. Unlike buildpacks, extensions must consume all entries in the provided plan (they cannot designate any entries as "unmet"). | ||
|
|
||
| Dockerfiles are applied to their corresponding base images after all extensions are executed and before any regular buildpacks are executed. | ||
| Dockerfiles are applied in the order determined during buildpack detection. When multiple Dockerfiles are applied, the intermediate image generated from the application of the current Dockerfile will be provided as the `base_image` ARG to the next Dockerfile. Dockerfiles that target the run image (only) may ignore the provided `base_image` (e.g., `FROM some-other-image`). Dockerfiles that change the runtime base image may still use `COPY --from=${base_image}`. | ||
|
|
||
| All Dockerfiles are provided with `base_image` and `build_id` args. | ||
sclevine marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| The `base_image` arg allows the Dockerfile to reference the original base image. | ||
| The `build_id` arg allows the Dockerfile to invalidate the cache after a certain layer and should be defaulted to `0`. The executor of the Dockerfile will provide the `build_id` as a UUID (this eliminates the need to track this variable). | ||
| When the `$build_id` arg is referenced in a `RUN` instruction, all subsequent layers will be rebuilt on the next build (as the value will change). | ||
|
|
||
| Build args specified in `build.toml` are provided to `build.Dockerfile` (when applied to the build-time base image). | ||
| Build args specified in `run.toml` are provided to `run.Dockerfile` (when applied to the runtime base image). | ||
|
|
||
| A runtime base image may indicate that it preserves ABI compatibility by adding the label `io.buildpacks.rebasable=true`. In the case of builder-specified Dockerfiles, `io.buildpacks.rebasable=false` is set automatically on the base image before a runtime Dockerfile is applied and must be explicitly set to `true` if desired. If multiple Dockerfiles are applied, all must set `io.buildpacks.rebasable=true` for the final value to be `true`. Rebasing an app without this label set to `true` requires passing a new `--force` flag to `pack rebase`. When the run image is extended and `io.buildpacks.rebasable=true`, the `extend` phase will communicate to the `export` phase the top layer of the run image (prior to extension) so that the exporter can set the appropriate value of `io.buildpacks.lifecycle.metadata` `runImage.topLayer`. | ||
|
|
||
| #### Example: App-specified Dockerfile Extension | ||
|
|
||
| This example extension would allow an app to provide runtime and build-time base image extensions as "run.Dockerfile" and "build.Dockerfile." | ||
| The app developer can decide whether the extensions are rebasable. | ||
|
|
||
| ##### `/cnb/ext/com.example.appext/bin/generate` | ||
| ``` | ||
| #!/bin/sh | ||
| [ -f build.Dockerfile ] && cp build.Dockerfile "$1/" | ||
natalieparellano marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| [ -f run.Dockerfile ] && cp run.Dockerfile "$1/" | ||
| ``` | ||
|
Comment on lines
+120
to
+125
Member
There was a problem hiding this comment. Given we are allowing static Dockerfiles in the case where there is no
Member
There was a problem hiding this comment. I believe this example is copying the Dockerfiles from the app directory to the output directory |
||
|
|
||
| #### Example: RPM Dockerfile Extension (app-based) | ||
|
|
||
| This example extension would allow a builder to install RPMs for each language runtime, based on the app directory. | ||
|
|
||
| Note: The Dockerfiles referenced must disable rebasing, and build times will be slower compared to buildpack-provided runtimes. | ||
natalieparellano marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| ##### `/cnb/ext/com.example.rpmext/bin/generate` | ||
| ``` | ||
| #!/bin/sh | ||
| [ -f Gemfile.lock ] && cp "$CNB_BUILDPACK_DIR/Dockerfile-ruby" "$1/build.Dockerfile" | ||
| [ -f package.json ] && cp "$CNB_BUILDPACK_DIR/Dockerfile-node" "$1/build.Dockerfile" | ||
| ``` | ||
|
|
||
| ### Dockerfiles for Base Images | ||
|
|
||
| The same Dockerfile format may be used to create new base images or modify existing base images outside of the app build process (e.g., before creating a builder). Any specified labels override existing values. | ||
|
|
||
| The project will provide tooling that can be used to scan the extended run image. For more information, see https://github.com/buildpacks/rfcs/pull/195. | ||
|
|
||
| ### Example Dockerfiles | ||
|
|
||
| Dockerfile used to create a runtime base image: | ||
|
|
||
| ``` | ||
| ARG base_image | ||
| FROM ${base_image} | ||
| ARG build_id=0 | ||
sclevine marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| LABEL io.buildpacks.image.distro=ubuntu | ||
| LABEL io.buildpacks.image.version=18.04 | ||
| LABEL io.buildpacks.rebasable=true | ||
sclevine marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| ENV CNB_USER_ID=1234 | ||
| ENV CNB_GROUP_ID=1235 | ||
|
|
||
| RUN groupadd cnb --gid ${CNB_GROUP_ID} && \ | ||
| useradd --uid ${CNB_USER_ID} --gid ${CNB_GROUP_ID} -m -s /bin/bash cnb | ||
|
|
||
| USER ${CNB_USER_ID}:${CNB_GROUP_ID} | ||
| ``` | ||
|
|
||
| `run.Dockerfile` that always installs the latest version of curl: | ||
| ``` | ||
| ARG base_image | ||
| FROM ${base_image} | ||
| ARG build_id=0 | ||
|
|
||
| RUN echo ${build_id} | ||
|
|
||
| RUN apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/* | ||
| ``` | ||
| (note: this Dockerfile disables rebasing, as OS package installation is not rebasable) | ||
|
|
||
| `run.Dockerfile` that installs a special package to /opt: | ||
| ``` | ||
| ARG base_image | ||
| FROM ${base_image} | ||
| ARG build_id=0 | ||
|
|
||
| LABEL io.buildpacks.rebasable=true | ||
|
|
||
| RUN curl -L https://example.com/mypkg-install | sh # installs to /opt | ||
| ``` | ||
| (note: rebasing is explicitly allowed because only a single directory in /opt is created) | ||
|
|
||
|
|
||
| # Drawbacks | ||
| [drawbacks]: #drawbacks | ||
|
Member
There was a problem hiding this comment. It's unfortunate that this proposal introduces a new concept (hooks) that a builder-image maintainer needs to learn; especially when this and #172 begin to simplify and remove some concepts. I also
Contributor
There was a problem hiding this comment.
This is subjective, can you qualify this statement with some details or an example? I would argue that you find the concept of a "hook" (or pre/post script, before/after, wrapper, etc..) in tons of places in the computer world. The general concept is something many sys-admins and dev's have probably already seen. I agree it adds some complexity because to use a hook, you need to understand the expected output format & what information you have available to generate your output (as well as basic scripting). At the same time, it's optional. You don't need any hooks to generate a builder, so a builder-builder doesn't really need to know this unless they are trying to do more customizations, which you could say is a more advanced task. My $0.02 only, but it seems like the ratio of complexity added versus additional functionality for users is quite reasonable.
Member
There was a problem hiding this comment. Here is what I believe makes it not intuitive:
These are not very difficult things to learn, but it's yet another thing to learn (which is a shame given that we're looking to remove things like the stack and mixin to make buildpacks easier to grok). By comparison to your examples, a pre/post script usually stems from the same construct as the thing it's wrapping around (another executable). Similarly, the pre/post proposal for project.toml adds buildpacks before/after buildpacks. These things are all homogenous. But here, we have a concept that introduces a new mechanism into the existing "order". So now we have heterogeneous things running in some order. I think that's what makes it difficult to reason about.
Contributor
There was a problem hiding this comment. OK, so there seem to be some specifics in the RFC that you think need to be clarified (I agree with some of these btw). IMHO, that seems like something that can be addressed and not a fundamental flaw in the way this is working. Is that your thought as well? I will have to respectfully disagree on the "hook" as a concept though. There's is a fairly basic lifecycle that buildpacks flow through, you're talking about being able to inject some actions at a couple of points in that lifecycle. This happens all the time in software, they even created AOP to formalize the concept. It happens in software systems as well, the venerable HTTP Servlet Filter in the Java world is an example. As long as we document and have a picture of the lifecycle & indicate where the hooks execute (which is why I agree we need to clarify that point), then we should be fine. I also strongly believe the complexity we are adding is more than worth it with the functionality this is adding & the number of problems this can solve.
Member
There was a problem hiding this comment.
I don't consider this a substitute for a tight set of constructs where people don't need to read and learn about them for each thing they need to do.
Contributor
There was a problem hiding this comment. Sure. No disagreement there. Learning nothing is simpler than having to learn something, even if it's simple. What I'm left trying to understand is this. If your bullet list of concerns were addressed then would the complexity that this RFC adds be OK? or is it your opinion that this RFC is fundamentally too complex and not something we should add?
Member
There was a problem hiding this comment. No, I'm generally in favor of this RFC. I'm only trying to push us to find an abstraction over the hook mechanism that makes it's easier for users to understand (especially buildpack authors and builder-image owners). There was a problem hiding this comment. I'm also in favour of this RFC. Nevertheless, It is still very hard (as reported too by Joe) to understand different very important points such as :
Remark: That should be great to have a simple text workflow explaining how hooks will be integrated within the existing buildpacks phases (e.g: DETECTION --> ANALYSIS --> BUILD --> EXPORT ==> DETECTION --> ANALYSIS --> HOOK --> BUILD --> EXPORT)
Member
Author
There was a problem hiding this comment.
These are covered in the RFC. Can you be more specific about what details you feel are missing?
Do you mean stored as in cached? Caching strategy would be up to the platform to decide.
The Dockerfile would run as root on the base image and produce a new image. No other changes to file permissions would occur.
As specified, buildpacks could create Dockerfiles in their ARGV[1] directory. They could copy them from the app directory, as described in the example, but that's not built-in to the API.
Member
There was a problem hiding this comment.
I think you mean hooks? |
||
|
|
||
| - Involves breaking changes. | ||
|
|
||
| # Alternatives | ||
| [alternatives]: #alternatives | ||
|
|
||
| - Stackpacks | ||
| - Previous versions of this RFC that don't interact with the buildpack API. | ||
|
|
||
| # Unresolved Questions | ||
| [unresolved-questions]: #unresolved-questions | ||
sclevine marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| - Should we allow base images to provide build plan entries so that extensions aren't required to satisfy buildpacks? Opinion: Not yet, no-op extension can be used for now. | ||
|
|
||
|
Contributor
There was a problem hiding this comment. Does this weaken the security stance of buildpacks? (My opinion: yes) You can literally do anything in a Dockerfile. I feel like stack packs, while maybe not the answer, did put more controls around what you could do. The stack packs were buildpacks, so presumably (IDK exactly as it wasn't implemented), an Operations team could control which stack packs are available to their users, thereby limiting what their users could install or modify to some degree. There's also a stronger guarantee that a stack pack would produce a legitimate BOM, since Operations teams can control what stack packs are available (and audit them). With this proposal, someone could make a Dockerfile that installs something malicious and set
Member
There was a problem hiding this comment.
I don't have any answers here, but this seems like a fairly important point to linger on.
Member
There was a problem hiding this comment. I think this concern is pretty well addressed by including the hooks on the builder. If the app-specified Dockerfile hook (above example) is not present, then the developer cannot provide a Dockerfile. And I suppose that trusting hook authors to provide a valid BOM is the same as trusting buildpack authors to provide a valid BOM. In the case of the app-specified Dockerfile, the hook author could apply some label to the image so that consumers would know to approach the BOM with some suspicion. I wonder if there's value in having that spec'd ('io.buildpacks.extended'?). It's just a thought.
Contributor
There was a problem hiding this comment. I like the idea of a label to easily identify images that have had any hooks executed.
Member
There was a problem hiding this comment. Also There was a problem hiding this comment.
@natalieparellano I don't really understand how this helps. By the time it is invoked, the hook author could have replaced
Member
There was a problem hiding this comment. @samj1912 and I have recently been discussing having the platform inject
Contributor
There was a problem hiding this comment.
How would that work? I don't think a mount would work, since the hook could discover and overwrite it. Since the hook could do anything, I'm not even sure running a program like That said - these hooks are likely authored and for sure approved/distributed by the stack author. Just because
Member
There was a problem hiding this comment.
That's basically what we're proposing - please see https://github.com/buildpacks/rfcs/pull/173/files#r794608075 for the download I got from @samj1912 and @sclevine . |
||
| # Spec. Changes (OPTIONAL) | ||
| [spec-changes]: #spec-changes | ||
|
|
||
| This RFC requires extensive changes to all specifications. | ||
jkutner marked this conversation as resolved.
Show resolved
Hide resolved
natalieparellano marked this conversation as resolved.
Show resolved
Hide resolved
sclevine marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| To deliver incremental value and gather feedback as we implement this large feature, a phased implementation is proposed: | ||
| * Phase 1: run.Dockerfiles can be used to switch the runtime base image | ||
| * Phase 2: build.Dockerfiles can be used to extend the build time base image | ||
| * 2a: `pack` applies the build.Dockerfiles | ||
| * 2b: the lifecycle applies the build.Dockerfiles using kaniko | ||
| * Phase 3: run.Dockerfiles can be used to extend the runtime base image | ||
| * 3a: `pack` applies the run.Dockerfiles | ||
| * 3b: the lifecycle applies the run.Dockerfiles using kaniko | ||
|
|
||
| https://github.com/buildpacks/spec/pull/307 and https://github.com/buildpacks/spec/pull/308 describe the spec changes needed for phase 1. https://github.com/buildpacks/spec/pull/298 approximately describes the spec changes needed for all phases. | ||
Uh oh!
There was an error while loading. Please reload this page.