As a Developer I want to be able to build Windows Containers with BuildKit
bplasmeijer opened this issue ยท 134 comments
The windows BuildKit is only supported on Linux
It is possible to use buildx (which uses buildkit) if there are no RUN commands in the docker file:
docker buildx create --name img-builder --use
docker buildx build --no-cache --pull --push \
--platform "windows/amd64" -t $imagetag -f $dockerfile .
docker buildx rm img-builderARG nanoserverTag="mcr.microsoft.com/windows/nanoserver:1809-amd64"
# othertags list: curl -L https://mcr.microsoft.com/v2/windows/nanoserver/tags/list
FROM ${nanoserverTag}
COPY some.exe "/Windows/System32/some.exe"It would be interesting to see if could use some windows emulator connected to Binfmt_misc as QEMU is used for other architectures
There is an issue logged on BuildKit repo moby/buildkit#616
@jsturtevant If you wanted to go down that path, I believe Wine can be used with binfmt_misc, although I'm not sure how well that would work with namespaces since there's a WineServer and configuration directory to create, and you probably don't want that in the final image...
It would be easier to prototype that on a raw Linux box than via the Linux support in Docker on Windows, I think.
This issue has been open for 30 days with no updates.
@immuzz, please provide an update or close this issue.
Current status of my work on moby/buildkit#616 is that it's stalled waiting on a pile of 4 containerd PRs to be reviewed and advanced. The top of the stack is containerd/containerd#4419, but there's some outstanding design questions on the top two PRs regarding HCS behaviours, see microsoft/hcsshim#853, but the bottom two are just pending containerd maintainer review to merge or rework as appropriate.
And after that, will come fixing path-related issues in the BuildKit LLB layer, for which I'd only scratched the surface of in moby/buildkit#1621, exploring the solution space, and which needs to be reworked per maintainer feedback.
This issue has been open for 30 days with no updates.
@immuzz, please provide an update or close this issue.
Status unchanged, still waiting on merging or feedback on containerd support for Windows container creation/export/mount support, and then continuing the work on BuildKit itself, starting from moby/buildkit#1621
This issue has been open for 30 days with no updates.
@immuzz, please provide an update or close this issue.
This issue has been open for 30 days with no updates.
@immuzz, please provide an update or close this issue.
Still working through containerd PRs per above. One of four has landed, and one needs to be rewritten or at least iterated upon further. I've also opened PR on hcsshim again to remove some duplication of code with the containerd PRs.
That said, Docker is looking at supporting containerd on Windows for 21.x (moby/moby#41455), which might mean we get BuildKit on Docker+containerd even without that containerd PR stack, as the parts I was trying to implement in containerd (WCOW layer management) are provided by Docker when Docker uses containerd, as far as I know.
I haven't looked closely at how BuildKit integrates with Docker though, it's possible it'll still need fixes in containerd, and either way, BuildKit itself has higher-level issues to be resolved, e.g., moby/buildkit#1621.
This issue has been open for 30 days with no updates.
@immuzz, please provide an update or close this issue.
Not much has changed since December. The containerd PRs are now in a reasonable state, two are ready-to-go and one (containerd/containerd#4419) is functional but possibly needs some discussion about the test suite changes, and depends on a hcsshim feature PR (microsoft/hcsshim#901).
Some recent testing suggests that that hcsshim PR might have issues with Windows 10 20H2 that don't appear on Windows Server LTSC2019, but I haven't definitely proved that as I have only tested the latter via CI pipelines so far. Edit: Still using CI pipelines, I confirmed that the PR works on RS5 on AppVeyor (VS 2019 image), but fails on my personal Windows 10 20H2 box, suggesting that some part of the reverse engineering used to build that PR was incorrect or incomplete.
@weijuans-msft can you provide clarity here as part of your effort to provide containerd parity with Docker developer experience.
This issue has been open for 30 days with no updates.
@weijuans-msft, please provide an update or close this issue.
Compared to January, I've identified and have a fix for the issue that microsoft/hcsshim#901 shows on Windows 10 20H2, but that PR is still pending merge, and then the fix will be up for PR.
The containerd PRs (containerd/containerd#4399, containerd/containerd#4415, and containerd/containerd#4419) should all be in a reasonable state to flow through, although the latter depends on microsoft/hcsshim#901, often triggers a now-known containerd issue (containerd/containerd#4924) in its test suite, and also frequently triggers an unknown (hcsshim?) issue that I've yet been unable to replicate outside containerd.
It's possible that the Docker/containerd integration for Windows (moby/moby#41455 is the best place to track that) will mean some or all of those PRs stop being critical-path for BuildKit on Windows, and then the BuildKit-local platform issues (i.e. filesystem handling and similar) can be addressed.
@TBBle great work here! I changed this to "In Progress" as I am seeing you and lots of others in the moby and containerd community working on this. Thank you.
This issue has been open for 30 days with no updates.
@weijuans-msft, please provide an update or close this issue.
This issue has been open for 30 days with no updates.
@weijuans-msft, please provide an update or close this issue.
This issue has been open for 30 days with no updates.
@weijuans-msft, please provide an update or close this issue.
Without this, is there any good way to handle build-time secrets for Windows containers?
One kind-of heavy-weight option, used by ue4-docker, is running a service outside the container that exposes the secret, and have the container image build pull that secret over the network connection.
You can see ue4-docker's implementation of the external host and a Git Credential Helper to query it, including a generated token to provide the bare-minimum protection.
A significant cost to this approach is that the token ends up in the image as a build-arg, so layer caching is confounded; I don't know if the same thing happens when using BuildKit secret mounts, but I assume not.
In ue4-docker's case, the container builds are done under control of the script, so the credential endpoint is served by the script, rather than being left running all the time, which make this approach more feasible than it would be for just a Dockerfile being distributed for use with docker build.
This issue has been open for 30 days with no updates.
@weijuans-msft, please provide an update or close this issue.
I'd love to assist, as I really need this feature to speed up the process of building Docker Windows images.
Is there any way to build stages in parallel in Windows without using BuildKit?
This issue has been open for 30 days with no updates.
@weijuans-msft, please provide an update or close this issue.
This issue has been open for 30 days with no updates.
@weijuans-msft, please provide an update or close this issue.
Can somebody please freeze this issue? ๐
I don't know if we can freeze issues. If anyone knows, let me know :).
I could use help to be enlightened on the benefit or the pain points this can address. I see these so far in this thread:
- containerd parity
- Run Linux and Windows container side by side
- Can use secrets
What else?
How does this help in your or your company's modernization effort? Is this really Developer centric or it can add value to your DevOps in production?
We would like this so that eventually docker buildx bake support can be added so that we can define one hcl file with all our image builds declaratively configuring things like image tags and args, along with parallel builds out of the box. We use this on linux right now and it works really well.
What else?
Off the top of my head, I'd bring up:
-
BuildKit automatically parallelizes multi-stage builds for you. It's probably my favorite feature. See:
https://www.gasparevitta.com/posts/advanced-docker-multistage-parallel-build-buildkit/ -
If you manage a container build farm or CI system with many workers, BuildKit makes it easy to share Docker build caches across several machines, which can speed up similar builds across them. See:
https://link.medium.com/VYWZJPwnVkb -
Other projects exclusively dependant on BuildKit would finally support Windows, like the wonderful "Earthly", sort of Makefile Dockerfile hybrid built upon the BuildKit core APIs. See:
https://earthly.dev
(Only for Linux containers at this time due to the missing Windows BuildKit support.)
If I think of more I'll extend this list. ๐ค
I'd like to add:
- passing secrets in as build args
I remembered another big useful feature: Buildkit has "build-time mounts" support.
Everyone knows about --mount=type=secret to access secret files without baking them in the image layers, but did you know Buildkit also offers:
--mount=type=bindto bindmount non-sensitive stuff at build time temporarily that that is outside of your build context.--mount=type=cacheto make a cache path survive between runs, speeding up your builds. You can use this to cache Go packages, pip build caches, Rust crate caches, apt-get caches and so on!- Mounting secrets is one thing, but if you're just using them for SSH access don't do that and use
--mount=type=sshwhich lets you do SSH agent forwarding for a singular RUN statement, making SSH connections magically work at build time without having to bake in your keys or mount them via secret mounts.
Not being able to pass secrets into the Windows container build is painful - for us it means copying down files to the container build host (since that requires a secret) and then having docker slowly discover the container build context and copy the files into the container during the container build (double I/O).
It would be much better to be able to just download the files inside the container as part of the container build.
This issue has been open for 30 days with no updates.
@weijuans-msft, please provide an update or close this issue.
This issue has been open for 30 days with no updates.
@weijuans-msft, please provide an update or close this issue.
This issue has been open for 30 days with no updates.
@weijuans-msft, please provide an update or close this issue.
This issue has been open for 30 days with no updates.
@weijuans-msft, please provide an update or close this issue.
What do you expect from Microsoft here? You want them to write and submit patches that add Windows support to BuildKit? Why they would do it? Looking at how microsoft/hcsshim#901 is stuck waiting for approval for around a year, it would be more effective to remove Microsoft from dependency chain of this feature.
What do you expect from Microsoft here? You want them to write and submit patches that add Windows support to BuildKit? Why they would do it?
@slonopotamus because of the huge differences in how windows containers and linux containers work. I dought that anyone else has enough knowledge about the internals to do it...
Hi all, in effort to reduce spam of the beloved msftbot asking for status ten times over, I am going to freeze conversation on this issue (hoping it pauses the bot spam in the process). Given this issue has over 80 emoji reactions, we hear you loud and clear this is something you as developers would like to see. If and when we have a concrete update to share on our investments in this area, we will reply here and unfreeze the issue.
FYI @Muzz
This issue has been open for 30 days with no updates.
@immuzz, please provide an update or close this issue.
Checking the latest status
Current status on my end:
- microsoft/hcsshim#901 has cleared its legal concerns, but needs some updating and the rest of its tests written. (Which hopefully will reproduce the issue I've seen in containerd with this code, so I can fix it)
- containerd/containerd#4419 is the last containerd PR in the series of PRs that should fulfill BuildKit's requirements to function on WCOW. However, it still has a snapshotter test suite failure (on LTSC2019), and a bunch of stuff in there is somewhat hacky and needs to be unhacked.
- Then someone can come back to moby/buildkit#616 and work through whatever's bitrotted in BuildKit since I got (hacky, incomplete, and rather faulty) WCOW support working years ago.
I do plan to continue trying to get this working, but I'm not going to be able to do much for the next month or two at least, due to personal-life things, e.g., moving home.
I don't know how BuildKit integrates into docker buildx, so it's possible that some of the above could be shortcut by the upcoming Docker 22.06 release's support for containerd on Windows. However I suspect that at the very least microsoft/hcsshim#901 would need to be completed and integrated into Docker's storage system; possibly it'd also need containerd/containerd#4419 since parts of that are directly compiled into BuildKit.
I dump again into the deep here. where are we with containerd and building windows containers with podman, nerdctl?
cc: @jsturtevant
nerdctl uses build kit. Buildkit support is still in progress, you can see the relevant PRs in #34 (comment).
I am not sure how podman builds containers.
@TBBle any update from your side?
I am checking myself now.
Nothing from me personally since September 3rd, I'm still on sabbatical. One or two other people have been pushing at the same and related PRs in my absence, but I can't report any measurable progress here.
Nothing from me personally since September 3rd, I'm still on sabbatical. One or two other people have been pushing at the same and related PRs in my absence, but I can't report any measurable progress here.
Thanks, keep enjoying your ooo.
@Juarezhm will be on point to drive this from the Microsoft side. @TBBle and @gabriel-samfira appreciate your help here. :)
I'll specifically tag for visibility/credit @gabriel-samfira who's been kicking the tyres and improving the various PRs I mentioned above (as well as other parts of the WCOW/BuildKit work), as I've just noticed they're not mentinoed on this ticket that I can see. (But may be subscribed already, I can't tell.)
@TBBle thanks for the tag! A couple of more PRs will be proposed this week to related projects and buildkit itself. The goal is to have buildkit running on windows soon.
@TBBle thanks for the tag! A couple of more PRs will be proposed this week to related projects and buildkit itself. The goal is to have buildkit running on windows soon.
awesome news!
This issue has been open for 30 days with no updates.
@Juarezhm, please provide an update or close this issue.
Just a quick update. All of the different moving parts needed to get this supported, have been proposed in the various projects involved. I'm just ironing out the rough edges in the various PRs and getting everything in a state that can be merged. Quick demo of the WiP build (ran on a linux machine, against a remote buildkitd running on Windows):
Just a quick update. All of the different moving parts needed to get this supported, have been proposed in the various projects involved. I'm just ironing out the rough edges in the various PRs and getting everything in a state that can be merged. Quick demo of the WiP build (ran on a linux machine, against a remote
buildkitdrunning on Windows):
So exciting!!!
@gabriel-samfira -- good stuff! looking forward to your update on this. Also let me know if any help is needed to fast-track.
Hi @profnandaa !
At this point I'm just waiting in the review queue for the PRs already opened in the various projects and following the usual process. Things are progressing well. A list of the current PRs needed to get Windows support enabled (sorted by priority in which they need to merge) is as follows:
- microsoft/go-winio#274
- microsoft/hcsshim#1637
- containerd/containerd#8043
- moby/buildkit#3322
- moby/buildkit#3517
- moby/buildkit#3518
- moby/buildkit#3544
- moby/buildkit#3545
Some of these may be split up into more PRs to make things easier to review. Some are marked as draft as their dependencies need to merge first before they can build.
Hi @profnandaa !
At this point I'm just waiting in the review queue for the PRs already opened in the various projects and following the usual process. Things are progressing well. A list of the current PRs needed to get Windows support enabled (sorted by priority in which they need to merge) is as follows:
- microsoft/go-winio#274
- microsoft/hcsshim#1637
- containerd/containerd#8043
- moby/buildkit#3322
- moby/buildkit#3517
- moby/buildkit#3518
- moby/buildkit#3544
- moby/buildkit#3545
Some of these may be split up into more PRs to make things easier to review. Some are marked as draft as their dependencies need to merge first before they can build.
Awesome ๐
This issue has been open for 30 days with no updates.
@Juarezhm, please provide an update or close this issue.
This issue has been open for 30 days with no updates.
@Juarezhm, please provide an update or close this issue.
Still in motion...
To clarify, would this allow us to utilize BuildKit on Linux and build Windows images with the --platform=win/amd64 flag ? Also allow us to utilize remote driver builds with BuildKit daemon? Sorry if I misunderstood the scope.
Hi @gaui
The scope is to enable buildkitd to run natively on Windows and build Windows container images. You will also be able to use it remotely from any system where you have a compatible client available (ie: buildctl).
@gabriel-samfira Is there any place to watch for the release other than this issue?
@gaui Once the PRs opened by me on the buildkit project are reviewed and merge, this support should be in. You can view them here:
https://github.com/moby/buildkit/pulls/gabriel-samfira
Some PRs may be split in smaller PRs.
The current PRs are in various stages of review. Some are draft as dependencies need to merge first, some need to be rebased but that will only happen once their dependencies merge, some are awaiting further reviews. A number of them have merged already in buildkit and the various other projects that buildkit depends on. Most notably, in containerd.
Currently waiting for reviews.
I suspect for a lot of users, we can't fully resolve this issue until platform support flows through into buildx and any related Dockerd plumbing, given that the original issue was quoting from the Docker documentation. Although that should hopefully be easy-to-deliver plumbing compared to what's already been landed, and particularly, easier to do end-to-end iteration and wider testing with, compared to the lower-level components.
I suspect for a lot of users, we can't fully resolve this issue until platform support flows through into buildx and any related Dockerd plumbing, given that the original issue was quoting from the Docker documentation. Although that should hopefully be easy-to-deliver plumbing compared to what's already been landed, and particularly, easier to do end-to-end iteration and wider testing with, compared to the lower-level components.
Yes. Once we get support (tests included) into buildkit, enabling it in the various frontends/plumbing should be a lot easier. Even without enablement in buildx or docker, it could still be used via buildctl until we merge the needed PRs in the rest of the projects.
The end goal is to have proper enablement in all the current projects.
Do you have any timelines you can share @gabriel-samfira?
@fady-azmy-msft Sadly, no. It depends on the availability the buildkit folks have to review the PRs. Right now I believe they are busy finalizing the next release of buildx. I am hoping that after that happens, they can spare some more time to review the above mentioned PRs.
One of the (larger) PRs is slated for the 0.12 release of buildkit. So, fingers crossed.
A short update (to mostly keep @microsoft-github-policy-service happy):
- The needed containerd functionality was backported to the stable 1.7 branch and released. The updated dependency was merged in buildkit as well (moby/buildkit#3782)
- The above merge unblocked moby/buildkit#3783
- The moby/buildkit#3322 PR was split in 3:
- Two of the three were merged
As a side note, once moby/buildkit#3783 and moby/buildkit#3908 merge, a very basic Dockerfile can be built on Windows (example here: moby/buildkit#3783 (comment)). Any Dockerfile that does not involve the executor (RUN) or determining if a user exists (WORKDIR, USER, ADD --chown=, etc).
I am updating the executor PRs and will push them as soon as their dependencies merge (moby/buildkit#3783 and moby/buildkit#3908).
This issue has been open for 30 days with no updates.
@Juarezhm, please provide an update or close this issue.
This issue has been open for 30 days with no updates.
@Juarezhm, please provide an update or close this issue.
It does look like all the PR's has been merged, so I don't see a reason for this to be closed (even though the bot wants to) ๐
It does look like all the PR's has been merged, so I don't see a reason for this to be closed (even though the bot wants to) ๐
There are a few more that need to merge. Namely the executor branch and the branch implementing readUser() described here: #34 (comment)
Both these branches need to be rebased and possibly split into multiple smaller branches. What has merged yesterday, was the file path handling PR which normalizes and converts paths based on OS. Buildkit should no longer fail to parse paths that contain drive letters, will be able to handle paths in dockerfiles that contain backslashes and will properly normalize the WORKDIR on Windows.
The executor is needed to actually build useful images.
This issue has been open for 30 days with no updates.
@Juarezhm, please provide an update or close this issue.
This issue has been open for 30 days with no updates.
@Juarezhm, please provide an update or close this issue.
Does it close the ticket, if nothing happens?
No, it just spams you until you give up any hope and unsubscribe.
Work on this was paused for a bit, but has now resumed. I am rebasing the existing 2 PRs now:
With those merged, we should have the ability to build useful Dockerfiles. After that we'll need to enable integration tests on Windows to ensure nothing breaks in the future.
Sorry for the delay on this.
Quick update (mostly to keep @microsoft-github-policy-service happy) : One of the last two PRs in this series has merged. Only one remains.
If anyone is feeling brave enough, I wrote a gist with install instructions here: https://gist.github.com/gabriel-samfira/44092adae911fa625c33c829ac39d736
This will only run on ltsc2019 and ltsc2022. You will need a fresh install.
Note, until the last branch merges, any operation that requires user resolution, will fail. This means WORKDIR, ADD (with the --chown flag set - works without it).
Edit: NOTE: This will install the master branch of buildkit.
@gabriel-samfira Will this enable us to run buildkitd in a container with privileged access and use that container to build other Windows images?
Hi @alexproca !
In theory, it should work in a host process container. I have not tested that scenario yet, though. The goals in order are:
- get something useful to work (we are here)
- enable integration tests and augment existing CI pipelines to run tests on Windows
- make the necessary ecosystem changes to take advantage of the new functionality (buildx, nerdctl, etc)
- smooth out rough edges across the board (enable missing functionality like mounting SSH sockets, secrets, etc)
- packaging
Of course, anyone can attempt to run it in a host process container and package it if they wish. In theory, as long as it can access the containerd named pipe (which a host process container should be able to do), it will work.
The final branch in this series has merged. The master branch of buildkit can now build windows images, using Windows Server SKUs.
Side question about this huge amout of work.
Does it means it's now possible to build a windows image from a linux OS as an example ?
Is it possible to build a windows ltsc2022 by running on windows 10 or server 2019 ?
No. You can only build Windows containers on Windows.
But with Buildkit becoming available for Windows it should be possible to build LTSC2022 on LTSC2019/Windows 10, when using a remote builder in a LTSC2022 HyperV-VM, right?
Does it means it's now possible to build a windows image from a linux OS as an example ?
You will be able to set up a remote buildkitd daemon and connect to it from a linux machine. This demo of a WiP was run from a linux machine: #34 (comment)
Is it possible to build a windows ltsc2022 by running on windows 10 or server 2019 ?
I believe you should be able to build Windows Server 2019 images on a ltsc2022, but not the other way around. I have not tested this scenario yet. Work was focused on getting something working at all. I will have to check. There have been efforts to make Windows containers a bit more forward compatible (run newer versions of Windows containers on older hosts), but that work started with ltsc2022. @fady-azmy-msft correct me if I'm wrong. There is also some platform matcher work in containerd meant to address some of the rough edges (CC: @aznashwan)
Great ! Thank you for that answers.
So we still need a "runner" in the same OS (which makes sense), but at least we can make a remote connection, and eventualy host that runner on HyperV or VirtualBox with a minimal installation of windows.
For the versions compatibility I would be curious about what you find. The fact to build a version >= from a specific windows version can be more or less complex, expecialy when a new major version is published but you don't necessarly want / have time to upgrade all your runners first.
But I guess there is a technical reason behind...
So we still need a "runner" in the same OS (which makes sense), but at least we can make a remote connection, and eventualy host that runner on HyperV or VirtualBox with a minimal installation of windows.
Would be fantastic if you could share your knowledge here and/or code if you planing to test this out. This could make building images far easier on local machines.
If you're getting the error: failed to solve: failed to load cache key: no match for platform in manifest: not found message with the latest master branch, that is most likely from the containerd platform matcher mentioned earlier.
We'll have a look at it as soon as possible. In the meantime, an ugly hack is to use the hash of the image from within the manifest:
FROM mcr.microsoft.com/windows/nanoserver:ltsc2022@sha256:2bd9f83d70574aa718364abce9973b364347460ed21ac00a31e42e3b3c815824You can inspect the manifest with:
docker manifest inspect mcr.microsoft.com/windows/nanoserver:ltsc2022
{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"manifests": [
{
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"size": 429,
"digest": "sha256:2bd9f83d70574aa718364abce9973b364347460ed21ac00a31e42e3b3c815824",
"platform": {
"architecture": "amd64",
"os": "windows",
"os.version": "10.0.20348.2031"
}
}
]
}@gabriel-samfira -- another option is to specify the arch tag (-amd64) for the exact manifest:
FROM mcr.microsoft.com/windows/nanoserver:ltsc2022-amd64
I'm currently testing the new changes on Server2019.
So far what I've determined, the above issue not withstanding:
- You can build ltsc2022 images on Windows 11 (and Server 2022)
- You can't build down-level images, i.e. ltsc2019 on Windows 11 and Server 2022, you end up with
ERROR: no match for platform in manifest: not found
https://learn.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-2022%2Cwindows-11
you can use process isolation only when OS version and container version matching (Windows 11 supports Windows Server 2022 images), you can use hyper-v isolation (which have limitations, not everything what working in process isolation working there) to run images of older versions on newer OS, you cannot run newer images on older OS
If you want to try out HyperV Isolation, BuildKit master branch (as of moby/buildkit#4364) can pass through the necessary options from its own buildkit.toml config file. I haven't tested this, but it may be as simple as passing the SandboxIsolation=1 flag, similar to what containerd/cri does:
[worker.containerd.runtime.options]
SandboxIsolation = "1"
ScaleCpuLimitsToSandbox = trueAssuming I have my TOML syntax correct here.
Note that you'll definitely need to pick a non-index FROM, as even in containerd, platform matcher specialisation for HyperV Isolation is not a solved issue.
For the record, this is also how one changes the debug level of the shim, or customises things like the number of CPUs or amount of RAM in the HyperV isolation case. The latter is something that was never hooked up in Docker, so chalk that up as another win for BuildKit. ^_^ (There's a bunch more possible adjustable flags available by container and VM annotations, but I don't immediately see a way to pass them through from BuildKit. Runtime options support was itself only added to BuildKit in September, and so adding annotation support should be reasonable doable.)
As far as Windows 11 hosts go, until we get Stable ABI support in the BuildKit platform matcher, when you look at a Windows base image tag list on either MCR or DockerHub, it indicates which ones are manifest lists ("multiarch" on DockerHub, even though they mostly contain only one arch right now) and which are just images. For now, appending -amd64 to the manifest lists seems like a pretty consistent way to get the specific image.
Thank you very much for the great work you are doing.
Is it possible to run buildkit in a container on Kubernetes (Windows Nodes) to build Windows images?
We use this setup for linux containers:
image: moby/buildkit:v0.12.3-rootless
volumeMounts:
- name: work
mountPath: /work
- name: docker-config
mountPath: /.docker
command:
- buildctl-daemonless.sh
args:
- build
- --frontend
- dockerfile.v0
- --local
- context=.
- --local
- dockerfile=./{{inputs.parameters.path}}
- --output
- type=image,name=myacr.azurecr.io/{{inputs.parameters.image}}:{{inputs.parameters.tag}},push=true
env:
- name: BUILDKITD_FLAGS
value: --oci-worker-no-process-sandbox
- name: DOCKER_CONFIG
value: /.docker
I don't think anyone's tried putting BuildKit for Windows in a container. If it is possible, it'll almost certainly require a host-process container (the Windows equivalent of 'privileged') as I don't think we can support "rootless" behaviour on Windows.
Our current intent is to get BuildKit's integration tests working uncontainerised first.
(Also, the platform matching issue has been resolved, so the only major issue I'm tracking now is the PATH being wrong on non-nanoserver base images.)