# Building images with kaniko and GitLab CI/CD > 原文:[https://docs.gitlab.com/ee/ci/docker/using_kaniko.html](https://docs.gitlab.com/ee/ci/docker/using_kaniko.html) * [Requirements](#requirements) * [Building a Docker image with kaniko](#building-a-docker-image-with-kaniko) * [Using a registry with a custom certificate](#using-a-registry-with-a-custom-certificate) * [Video walkthrough of a working example](#video-walkthrough-of-a-working-example) # Building images with kaniko and GitLab CI/CD[](#building-images-with-kaniko-and-gitlab-cicd "Permalink") 在 GitLab 11.2 中[引入](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/45512) . 需要 GitLab Runner 11.2 及更高版本. [kaniko](https://github.com/GoogleContainerTools/kaniko)是从容器或 Kubernetes 集群内部的 Dockerfile 构建容器映像的工具. kaniko 使用[Docker-in-Docker 构建](using_docker_build.html#use-docker-in-docker-workflow-with-docker-executor)方法解决了两个问题: * Docker-in-Docker 需要[特权模式](https://s0docs0docker0com.icopy.site/engine/reference/run/)才能运行,这是一个重大的安全问题. * Docker-in-Docker 通常会导致性能下降,并且可能会非常慢. ## Requirements[](#requirements "Permalink") 为了在 GitLab 中使用 kaniko,需要使用以下执行程序之一的[GitLab Runner](https://docs.gitlab.com/runner/) : * [Kubernetes](https://docs.gitlab.com/runner/executors/kubernetes.html). * [Docker](https://docs.gitlab.com/runner/executors/docker.html). * [Docker Machine](https://docs.gitlab.com/runner/executors/docker_machine.html). ## Building a Docker image with kaniko[](#building-a-docker-image-with-kaniko "Permalink") 使用 kaniko 和 GitLab CI / CD 构建映像时,应注意一些重要细节: * 推荐使用 kaniko 调试映像( `gcr.io/kaniko-project/executor:debug` ),因为它具有外壳,并且该映像与 GitLab CI / CD 一起使用时需要外壳. * 入口点将需要被[覆盖](using_docker_images.html#overriding-the-entrypoint-of-an-image) ,否则构建脚本将无法运行. * 需要使用所需容器注册表的身份验证信息创建一个 Docker `config.json`文件. In the following example, kaniko is used to: 1. 构建一个 Docker 镜像 2. 然后将其推送到[GitLab 容器注册表](../../user/packages/container_registry/index.html) . 仅当按下标签时作业才会运行. 使用从 GitLab CI / CD 提供的[环境变量中](../variables/README.html#predefined-environment-variables)获取的所需 GitLab 容器注册表凭据在`/kaniko/.docker`下创建一个`config.json`文件. 在最后一步中,kaniko 使用项目根目录下的`Dockerfile` ,构建 Docker 映像并将其推送到项目的 Container Registry,同时使用 Git 标签对其进行标记: ``` build: stage: build image: name: gcr.io/kaniko-project/executor:debug entrypoint: [""] script: - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG only: - tags ``` ## Using a registry with a custom certificate[](#using-a-registry-with-a-custom-certificate "Permalink") 尝试推送到使用由自定义 CA 签名的证书的 Docker 注册表时,您可能会遇到以下错误: ``` $ /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --no-push INFO[0000] Downloading base image registry.gitlab.example.com/group/docker-image error building image: getting stage builder for stage 0: Get https://registry.gitlab.example.com/v2/: x509: certificate signed by unknown authority ``` 可以通过将您的 CA 证书添加到 kaniko 证书存储区来解决: ``` before_script: - mkdir -p /kaniko/.docker - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json - | echo "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----" >> /kaniko/ssl/certs/additional-ca-cert-bundle.crt ``` ## Video walkthrough of a working example[](#video-walkthrough-of-a-working-example "Permalink") [在 GitLab](https://www.youtube.com/watch?v=d96ybcELpFs)视频[上使用 Kaniko](https://www.youtube.com/watch?v=d96ybcELpFs)的[最低权限容器构建](https://www.youtube.com/watch?v=d96ybcELpFs)是对[Kaniko Docker Build](https://gitlab.com/guided-explorations/containers/kaniko-docker-build) Guided Exploration 项目管道的演练. 经过测试: * [GitLab.com Shared Runners](../../user/gitlab_com/index.html#shared-runners) * [The Kubernetes Runner executor](https://docs.gitlab.com/runner/executors/kubernetes.html) 可以将示例复制到您自己的组或实例中进行测试. 项目页面上提供了有关演示其他 GitLab CI 模式的更多详细信息.