How To Build and Publish a Container Image
In this blog post we are going to show how to build and publish container images using the oci-build task and registry-image resource. This post assumes you understand how to build container images with Dockerfile’s and publish to Docker Hub or another image registry using the docker cli.
If you just want to see the pipeline, scroll to the bottom or click here. What follows is a detailed explanation of what each part of the pipeline does.
First we need a Dockerfile. You can store this in your own repo or reference the github.com/concourse/examples repo. The rest of this post assumes you use the examples repo. All files in this blog post can be found in the examples repo.
The Dockerfile
We are going to use a very basic Dockerfile so we can focus on building the Concourse pipeline.
FROM busybox
RUN echo "I'm simple!"
COPY ./stranger /stranger
RUN cat /stranger
Defining Pipeline Resources
Now we can start building out our pipeline. Let’s declare our resources first. We will need one resource to pull in the repo where our Dockerfile is located, and a second resource pointing to where we want to push the built container image to.
There are some variables in this file that we will fill out later.
resources:
# The repo with our Dockerfile
- name: concourse-examples
type: git
icon: github
source:
uri: https://github.com/concourse/examples.git
branch: master
# Where we will push the image to
- name: simple-image
type: registry-image
icon: docker
source:
repository: ((image-repo-name))/simple-image
username: ((registry-username))
password: ((registry-password))
Create a Job
Next we will create a job that will build and push our container image.
jobs:
- name: build-and-push
Retrieve the Dockerfile
The first step in the job plan will be to retrieve the repo where our Dockerfile is.
jobs:
- name: build-and-push
plan:
- get: concourse-examples
Build the Container Image
The second step in our job will build the container image.
To build the container image we are going to use the oci-build-task. The oci-build-task is a container image that is meant to be used in a Concourse task to build other container images. Check out the README in the repo for more details on how to configure and use the oci-build-task in more complex build scenarios.
Let’s add a task to our job plan and give it a name.
jobs:
- name: build-and-push
plan:
- get: concourse-examples
- task: build-task-image
All configuration of the oci-build-task is done through a task config. Viewing the README from the repo we can see that the task needs to be run as a privileged task on a linux worker.
jobs:
- name: build-and-push
plan:
- get: concourse-examples
- task: build-task-image
privileged: true
config:
platform: linux
To use the oci-build-task container image we specify the image_resource that the task should use.
jobs:
- name: build-and-push
plan:
- get: concourse-examples
- task: build-task-image
privileged: true
config:
platform: linux
image_resource:
type: registry-image
source:
repository: vito/oci-build-task
Next we will add concourse-examples as an input to the build task to ensure the artifact from the get step (where our Dockerfile is fetched) is mounted in our build-task-image step.
jobs:
- name: build-and-push
plan:
- get: concourse-examples
- task: build-task-image
privileged: true
config:
platform: linux
image_resource:
type: registry-image
source:
repository: vito/oci-build-task
inputs:
- name: concourse-examples
The oci-build-task outputs the built container image in a directory called image. Let’s add image as an output artifact of our task so we can publish it in a later step.
jobs:
- name: build-and-push
plan:
- get: concourse-examples
- task: build-task-image
privileged: true
config:
platform: linux
image_resource:
type: registry-image
source:
repository: vito/oci-build-task
inputs:
- name: concourse-examples
outputs:
- name: image
Next we need to tell the oci-build-task what the build context of our Dockerfile is. The README goes over a few other methods of creating your build context. We are going to use the simplest use-case. By specifying CONTEXT the oci-build-task assumes a Dockerfile and its build context are in the same directory.
jobs:
- name: build-and-push
plan:
- get: concourse-examples
- task: build-task-image
privileged: true
config:
platform: linux
image_resource:
type: registry-image
source:
repository: vito/oci-build-task
inputs:
- name: concourse-examples
outputs:
- name: image
params:
CONTEXT: concourse-examples/Dockerfiles/simple
The last step is specifying what our build-task-image should execute. The oci-build-task container image has a binary named build located in its PATH in the /usr/bin directory. We’ll tell our task to execute that binary, which will build our container image.
jobs:
- name: build-and-push
plan:
- get: concourse-examples
- task: build-task-image
privileged: true
config:
platform: linux
image_resource:
type: registry-image
source:
repository: vito/oci-build-task
inputs:
- name: concourse-examples
outputs:
- name: image
run:
path: build
params:
CONTEXT: concourse-examples/Dockerfiles/simple
At this point in our job the container image is built! The oci-build-task has saved the container image as a tarball named image.tar in the image artifact specified in the task outputs. This tar file is the same output you would get if you built the container image using Docker and then did docker save.
Publish the Container Image
Now let’s push the container image to an image registry! For this example we’re pushing to Docker Hub using the registry-image resource. You can use the registry-image resource to push to any image registry, private or public. Check out the README.md for more details on using the resource.
To push the container image add a put step to our job plan and tell the regstry-image resource where the tarball of the container image is.
The put step will push the container image using the information defined in the resource’s source, when we defined the pipeline’s resources.
This is where you’ll need to replace the three variables found under resource_types. You can define them statically using fly’s --var flag when setting the pipeline. (In production make sure to use a credential management system to store your secrets!)
jobs:
- name: build-and-push
plan:
- get: concourse-examples
- task: build-task-image
privileged: true
config:
platform: linux
image_resource:
type: registry-image
source:
repository: vito/oci-build-task
inputs:
- name: concourse-examples
outputs:
- name: image
params:
CONTEXT: concourse-examples/Dockerfiles/simple
run:
path: build
- put: simple-image
params:
image: image/image.tar
The Entire Pipeline
Putting all the pieces together, here is our pipeline that builds and pushes (publishes) a container image.
resources:
# The repo with our Dockerfile
- name: concourse-examples
type: git
icon: github
source:
uri: https://github.com/concourse/examples.git
branch: master
# Where we will push the image
- name: simple-image
type: registry-image
icon: docker
source:
repository: ((image-repo-name))/simple-image
username: ((registry-username))
password: ((registry-password))
jobs:
- name: build-and-push
plan:
- get: concourse-examples
- task: build-task-image
privileged: true
config:
platform: linux
image_resource:
type: registry-image
source:
repository: vito/oci-build-task
inputs:
- name: concourse-examples
outputs:
- name: image
params:
CONTEXT: concourse-examples/Dockerfiles/simple
run:
path: build
- put: simple-image
params:
image: image/image.tar
You can set the pipeline with the following fly command, updating the variable values with real values the pipeline can use. The behaviour is similar to docker push:
fly -t <target> set-pipeline -p build-and-push-image \
-c ./examples/pipelines/build-and-push-simple-image.yml \
--var image-repo-name=<repo-name> \
--var registry-username=<user> \
--var registry-password=<password>
Further Readings
Understanding what the build context is is important when building container images. You can read Dockerfile Best Practices for more details about build contexts.
The inputs section of the oci-build-task’s README has examples on how to create a build context with multiple inputs and other complex build scenarios.
Read the README’s in the oci-build-task and registry-image resource to learn more about their other configuration options.
If you had trouble following how the artifacts get passed between the steps of a job then read our other blog post about task inputs and outputs.