Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support BuildKit #2230

Open
chris-crone opened this issue Jan 15, 2019 · 38 comments
Open

Support BuildKit #2230

chris-crone opened this issue Jan 15, 2019 · 38 comments

Comments

@chris-crone
Copy link
Member

Currently the Python SDK performs builds using the older build infrastructure. It would be good to support BuildKit so that users of the SDK can benefit from its various advantages.

@chris-crone
Copy link
Member Author

chris-crone commented Jan 15, 2019

The current known blocker for this is we need a Python implementation of the fssync gRPC service (a service which runs on the session but on the client side) and that service is distinctly non-trivial to implement.

@chris-crone
Copy link
Member Author

chris-crone commented Jan 15, 2019

Request for build secret support: #2174

@haizaar

This comment has been minimized.

@chris-crone

This comment has been minimized.

@AkihiroSuda
Copy link

The current known blocker for this is we need a Python implementation of the fssync gRPC service (a service which runs on the session but on the client side) and that service is distinctly non-trivial to implement.

In addition to fssync, there are auth, content, secrets, and sshforward client-side services.

As @mipearson commented in moby/buildkit#685 , docker-py should just invoke docker build CLI.

@tonistiigi
Copy link
Member

My recommendation is to create a helper binary that compose can call as a quick practical solution. Note that fssync is optional for BuildKit, the Docker API can still receive tarballs fine and build them with BuildKit. It's less optimal but you still get the other benefits. But if you want secrets/ssh support then you do need either a helper or reimplement the grpc provider.

@AkihiroSuda
Copy link

Do we need a helper binary other than existing docker CLI?

@tonistiigi
Copy link
Member

There are some things that might be interesting for compose that can be done in Go library and not in CLI atm. Like doing multiple requests in parallel with a shared session.

@mipearson
Copy link

Is there a possible future where most docker-compose things are done via a helper binary rather than via docker-py?

I seem to be having a very bad run of hitting docker-py specific issues lately :(

@tedivm
Copy link

tedivm commented Apr 2, 2019

Is this something people are working on? It sounds like a direction hasn't really even been picked yet.

@pmcanseco
Copy link

I have chosen to work around the lack of buildkit support by just calling the docker-cli in my projects. It works pretty well for me.

os.environ["DOCKER_BUILDKIT"] = 1
docker_build_command = 'docker build {} {}'
                       .format('--tag {} --target {} --rm=true --no-cache={} '
                               .format(tag, target, True),
                               path)
raw_build_result = subprocess.check_output(docker_build_command, 
                                           shell=True, stderr=subprocess.STDOUT,
                                           timeout=240)

@haizaar
Copy link

haizaar commented Apr 3, 2019

I have chosen to work around the lack of buildkit support by just calling the docker-cli in my projects.

Same here.

@tedivm
Copy link

tedivm commented Apr 3, 2019

I think that's what we're all doing, but it means that docker-compose is basically a nonentity at this point, and frankly docker-compose is much easier to use when setting up test environments. It's really unfortunate that such a useful tool is no longer usable due to this issue, and that there doesn't seem to be any timeline for resolving it (at this point I'm assuming docker compose will only get buildkit functionality when it becomes the default option).

@AkihiroSuda
Copy link

There is an exec-based PR for docker-compose: docker/compose#6584

@adriantorrie
Copy link

There is an exec-based PR for docker-compose: docker/compose#6584

That PR has now been closed, and a new one opened: docker/compose#6865

@abdennour
Copy link

Any deadline to release this feature and make it GA ? I am switching back to docker build which is very bad.

@FernandoMiguel
Copy link

for all the folks here
have you seen https://github.com/docker/buildx ?
I successfully replaced docker-compose build with it
here's an example https://github.com/FernandoMiguel/BuildKit/blob/556808da7543cdb46f73853876c087628b6221dc/.github/workflows/build.yml#L137

@hrw
Copy link

hrw commented Sep 26, 2019

Any update?

@AkihiroSuda
Copy link

docker/compose#6865 got merged

I suggest closing this issue

@hrw
Copy link

hrw commented Sep 27, 2019

How docker/compose is connected to docker/docker-py?

@AkihiroSuda
Copy link

docker/compose is the most widely known consumer of docker/docker-py.
Other python projects should follow docker/compose (i.e. execute docker build command)

@hrw
Copy link

hrw commented Sep 27, 2019

Then what the point of whole 'docker-py' if all projects have to switch to use Docker cli?

Your comment suggest "abandon all hope, forget about docker-py, use cli directly'.

@chris-crone
Copy link
Member Author

Hi @hrw,

We'd gladly accept PRs for this and would help where possible. Note that this is tricky because of the issue mentioned above.

For Compose, the decision was taken to use the Docker CLI for build as it's unlikely someone will have Compose but not the CLI.

@aguckenber-chwy
Copy link

BTW our group needs this as well. Mainly we need the --secret support to docker buildx which new buildkits provide.

@shpml
Copy link

shpml commented Jun 16, 2023

BuildKit is the default builder for users on Docker Desktop, and Docker Engine as of version 23.0. Is there any update on this feature request?

mirekdlugosz added a commit to quipucords/quipucords that referenced this issue Sep 27, 2023
Docker introduced BuildKit in 2017, and made it default on Linux in
2023. BuildKit requires completely new API during client-server
communication. docker-py Python bindings is communicating with server
directly, and has not been made aware of this new API - see
docker/docker-py#2230 .

To fix DISCOVERY-435, we wanted to use build-time secrets. This feature
requires BuildKit, and therefore is not available in pytest unit tests
that use docker-py library.

To workaround this problem, we use DOCKER_HOST variable pointing to
podman socket file. Podman is compatible with old Docker API, but still
supports some of newer build features provided by BuildKit. This way we
can use build-time secrets while still using old API.

Podman will be used only if podman is installed and socket file exists.
Developers without podman should not need to change their system,
although they will notice failures in `make test-integration`.
mirekdlugosz added a commit to quipucords/quipucords that referenced this issue Sep 28, 2023
Docker introduced BuildKit in 2017, and made it default on Linux in
2023. BuildKit requires completely new API during client-server
communication. docker-py Python bindings is communicating with server
directly, and has not been made aware of this new API - see
docker/docker-py#2230 .

To fix DISCOVERY-435, we wanted to use build-time secrets. This feature
requires BuildKit, and therefore is not available in pytest unit tests
that use docker-py library.

To workaround this problem, we use DOCKER_HOST variable pointing to
podman socket file. Podman is compatible with old Docker API, but still
supports some of newer build features provided by BuildKit. This way we
can use build-time secrets while still using old API.

Podman will be used only if podman is installed and socket file exists.
Developers without podman should not need to change their system,
although they will notice failures in `make test-integration`.
mirekdlugosz added a commit to quipucords/quipucords that referenced this issue Sep 29, 2023
Docker introduced BuildKit in 2017, and made it default on Linux in
2023. BuildKit requires completely new API during client-server
communication. docker-py Python bindings is communicating with server
directly, and has not been made aware of this new API - see
docker/docker-py#2230 .

To fix DISCOVERY-435, we wanted to use build-time secrets. This feature
requires BuildKit, and therefore is not available in pytest unit tests
that use docker-py library.

To workaround this problem, we use DOCKER_HOST variable pointing to
podman socket file. Podman is compatible with old Docker API, but still
supports some of newer build features provided by BuildKit. This way we
can use build-time secrets while still using old API.

Podman will be used only if podman is installed and socket file exists.
Developers without podman should not need to change their system,
although they will notice failures in `make test-integration`.
mirekdlugosz added a commit to quipucords/quipucords that referenced this issue Oct 2, 2023
Docker introduced BuildKit in 2017, and made it default on Linux in
2023. BuildKit requires completely new API during client-server
communication. docker-py Python bindings is communicating with server
directly, and has not been made aware of this new API - see
docker/docker-py#2230 .

To fix DISCOVERY-435, we wanted to use build-time secrets. This feature
requires BuildKit, and therefore is not available in pytest unit tests
that use docker-py library.

To workaround this problem, we use DOCKER_HOST variable pointing to
podman socket file. Podman is compatible with old Docker API, but still
supports some of newer build features provided by BuildKit. This way we
can use build-time secrets while still using old API.

Podman will be used only if podman is installed and socket file exists.
Developers without podman should not need to change their system,
although they will notice failures in `make test-integration`.
mirekdlugosz added a commit to quipucords/quipucords that referenced this issue Oct 2, 2023
Docker introduced BuildKit in 2017, and made it default on Linux in
2023. BuildKit requires completely new API during client-server
communication. docker-py Python bindings is communicating with server
directly, and has not been made aware of this new API - see
docker/docker-py#2230 .

To fix DISCOVERY-435, we wanted to use build-time secrets. This feature
requires BuildKit, and therefore is not available in pytest unit tests
that use docker-py library.

To workaround this problem, we use DOCKER_HOST variable pointing to
podman socket file. Podman is compatible with old Docker API, but still
supports some of newer build features provided by BuildKit. This way we
can use build-time secrets while still using old API.

Podman will be used only if podman is installed and socket file exists.
Developers without podman should not need to change their system,
although they will notice failures in `make test-integration`.
@ashpreetbedi
Copy link

Any idea if this is on the priority list?

@naufalafif
Copy link

this lib/sdk uses docker engine API & currently there's no specific argument for it. other way to do it is by making buildkit as default builder. refer https://docs.docker.com/build/buildkit/#getting-started

@lessismordaunt
Copy link

lessismordaunt commented Apr 24, 2024

The current known blocker for this is we need a Python implementation of the fssync gRPC service (a service which runs on the session but on the client side) and that service is distinctly non-trivial to implement.

Is a pure-Python implementation strictly mandatory? Can we not depend on the Go implementation of this service while maintaining the spirit of Docker-Py? It seems low-level enough. What about using https://github.com/go-python/gopy for the binding layer?

BuildKit is pretty mandatory these days and I'd rather not revert to subprocess calls.

@beardedfoo
Copy link

Bump: I'm really shocked to see this in 2024:

  File "/usr/local/lib/python3.12/site-packages/docker/models/images.py", line 304, in build
    raise BuildError(chunk['error'], result_stream)
docker.errors.BuildError: the --chmod option requires BuildKit. Refer to https://docs.docker.com/go/buildkit/ to learn how to build images with BuildKit enabled

TL;DR: It is not possible to build a modern Dockerfile using docker-py.

It's time to choose any option, not a convenient or nicely designed option, and fix this.

@acederberg
Copy link

Will this ever be fixed? The docker cli insists that I not use DOCKER_BUILDKIT=0 since builds without buildkit will be deprecated. This is shown with the following command

DOCKER_BUILDKIT=0 docker build .

which outputs

DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
            BuildKit is currently disabled; enable it by removing the DOCKER_BUILDKIT=0
            environment-variable.

So when buildkit is removed this library be broken - Or am I mistaken?

@tkrah
Copy link

tkrah commented May 29, 2024

Is there an upstream reference about this deprecation somewhere with a plan / dates when this is going to happen (the official docs just says it's deprecated but no further dates are given when it will break)?

E.g. the docker-java API does also not support buildkit and a lot of projects use that one too .... That will break many users / consumers if non buildkit support will be removed.

@ilons
Copy link

ilons commented May 30, 2024

Is there an upstream reference about this deprecation somewhere with a plan / dates when this is going to happen (the official docs just says it's deprecated but no further dates are given when it will break)?

As I understand it, the "legacy builder" was deprecated in docker cli 23.0 and have not yet gotten a set release when it will be removed. Given that 23.0 was released in february 2023 and are still supported, I would expect the 26.x release to be supported for at least another year.

Regardless, there is a sense of urgency to start the work adding buildkit support to this library if it wants to survive.

acederberg added a commit to acederberg/captura-deploy that referenced this issue May 30, 2024
Halting progress on this until docker/docker-py#2230 is closed.
@coleary-hyperscience
Copy link

I have chosen to work around the lack of buildkit support by just calling the docker-cli in my projects. It works pretty well for me.

os.environ["DOCKER_BUILDKIT"] = 1
docker_build_command = 'docker build {} {}'
                       .format('--tag {} --target {} --rm=true --no-cache={} '
                               .format(tag, target, True),
                               path)
raw_build_result = subprocess.check_output(docker_build_command, 
                                           shell=True, stderr=subprocess.STDOUT,
                                           timeout=240)

Is the recommended immediate workaround to add docker build secrets still this?

acederberg added a commit to acederberg/captura-deploy that referenced this issue Oct 17, 2024
Halting progress on this until docker/docker-py#2230 is closed.
@ginolegigot
Copy link

ginolegigot commented Nov 18, 2024

Notably, writing Apache Airflow dags, if we do not wish to use docker operator for GCP service account impersonation issues, we could use docker python sdk, but buildkit is really missing especially for secrets, for secured build

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests