feat: support bento image build engines: buildkit and buildkit-rootless

Author: yetone

controllers/resources/bentorequest_controller.go

@@ -35,6 +35,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/tools/record"
+	"k8s.io/utils/pointer"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
@@ -618,6 +619,26 @@ func hash(text string) string {
 	return hex.EncodeToString(hasher.Sum(nil))
 }
 
+type BentoImageBuildEngine string
+
+const (
+	BentoImageBuildEngineKaniko           BentoImageBuildEngine = "kaniko"
+	BentoImageBuildEngineBuildkit         BentoImageBuildEngine = "buildkit"
+	BentoImageBuildEngineBuildkitRootless BentoImageBuildEngine = "buildkit-rootless"
+)
+
+const (
+	EnvBentoImageBuildEngine = "BENTO_IMAGE_BUILD_ENGINE"
+)
+
+func getBentoImageBuildEngine() BentoImageBuildEngine {
+	engine := os.Getenv(EnvBentoImageBuildEngine)
+	if engine == "" {
+		return BentoImageBuildEngineKaniko
+	}
+	return BentoImageBuildEngine(engine)
+}
+
 func MakeSureDockerConfigJSONSecret(ctx context.Context, kubeCli *kubernetes.Clientset, namespace string, dockerRegistryConf *commonconfig.DockerRegistryConfig) (dockerConfigJSONSecret *corev1.Secret, err error) {
 	if dockerRegistryConf.Username == "" {
 		return
@@ -1097,6 +1118,10 @@ func (r *BentoRequestReconciler) generateImageBuilderPod(ctx context.Context, op
 	internalImages := commonconfig.GetInternalImages()
 	logrus.Infof("Image builder is using the images %v", *internalImages)
 
+	buildEngine := getBentoImageBuildEngine()
+
+	privileged := buildEngine != BentoImageBuildEngineBuildkitRootless
+
 	bentoDownloadCommandTemplate, err := template.New("downloadCommand").Parse(`
 set -e
 
@@ -1114,6 +1139,10 @@ echo "Extracting bento tar file..."
 tar -xvf /tmp/downloaded.tar
 echo "Removing bento tar file..."
 rm /tmp/downloaded.tar
+{{if not .Privileged}}
+echo "Changing directory permission..."
+chown -R 1000:1000 /workspace
+{{end}}
 echo "Done"
 	`)
 
@@ -1129,6 +1158,7 @@ echo "Done"
 		"BentoDownloadHeader": bentoDownloadHeader,
 		"BentoRepositoryName": bentoRepositoryName,
 		"BentoVersion":        bentoVersion,
+		"Privileged":          privileged,
 	})
 	if err != nil {
 		err = errors.Wrap(err, "failed to execute download command template")
@@ -1272,6 +1302,10 @@ tar -xvf /tmp/downloaded.tar
 echo -n '{{.ModelVersion}}' > {{.ModelRepositoryDirPath}}/latest
 echo "Removing model tar file..."
 rm /tmp/downloaded.tar
+{{if not .Privileged}}
+echo "Changing directory permission..."
+chown -R 1000:1000 /workspace
+{{end}}
 echo "Done"
 `)).Execute(&modelDownloadCommandOutput, map[string]interface{}{
 			"ModelDirPath":           modelDirPath,
@@ -1280,6 +1314,7 @@ echo "Done"
 			"ModelRepositoryDirPath": modelRepositoryDirPath,
 			"ModelRepositoryName":    modelRepositoryName,
 			"ModelVersion":           modelVersion,
+			"Privileged":             privileged,
 		})
 		if err != nil {
 			err = errors.Wrap(err, "failed to generate download command")
@@ -1400,6 +1435,14 @@ echo "Done"
 		})
 	}
 
+	if !privileged {
+		envs = append(envs, corev1.EnvVar{
+			Name:  "BUILDKITD_FLAGS",
+			Value: "--oci-worker-no-process-sandbox",
+		})
+	}
+
+	kubeAnnotations := make(map[string]string)
 	var command []string
 	args := []string{
 		"--context=/workspace/buildcontext",
@@ -1408,10 +1451,60 @@ echo "Done"
 		fmt.Sprintf("--insecure=%v", dockerRegistryInsecure),
 		fmt.Sprintf("--destination=%s", inClusterImageName),
 	}
+	var builderImage string
+	switch buildEngine {
+	case BentoImageBuildEngineKaniko:
+		builderImage = internalImages.Kaniko
+	case BentoImageBuildEngineBuildkit:
+		builderImage = internalImages.Buildkit
+	case BentoImageBuildEngineBuildkitRootless:
+		builderImage = internalImages.BuildkitRootless
+	default:
+		err = errors.Errorf("unknown bento image build engine %s", buildEngine)
+		return
+	}
+
+	isBuildkit := buildEngine == BentoImageBuildEngineBuildkit || buildEngine == BentoImageBuildEngineBuildkitRootless
+
+	if isBuildkit {
+		command = []string{"buildctl-daemonless.sh"}
+		args = []string{
+			"build",
+			"--frontend",
+			"dockerfile.v0",
+			"--local",
+			"context=/workspace/buildcontext",
+			"--local",
+			fmt.Sprintf("dockerfile=%s", filepath.Dir(dockerFilePath)),
+			"--output",
+			fmt.Sprintf("type=image,name=%s,push=true,registry.insecure=%v", inClusterImageName, dockerRegistryInsecure),
+		}
+	}
+
+	var builderContainerSecurityContext *corev1.SecurityContext
+
+	if buildEngine == BentoImageBuildEngineBuildkit {
+		builderContainerSecurityContext = &corev1.SecurityContext{
+			Privileged: pointer.BoolPtr(true),
+		}
+	} else if buildEngine == BentoImageBuildEngineBuildkitRootless {
+		kubeAnnotations["container.apparmor.security.beta.kubernetes.io/builder"] = "unconfined"
+		builderContainerSecurityContext = &corev1.SecurityContext{
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: corev1.SeccompProfileTypeUnconfined,
+			},
+			RunAsUser:  pointer.Int64Ptr(1000),
+			RunAsGroup: pointer.Int64Ptr(1000),
+		}
+	}
 
 	// add build args to pass via --build-arg
 	for _, buildArg := range buildArgs {
-		args = append(args, fmt.Sprintf("--build-arg=%s", buildArg))
+		if isBuildkit {
+			args = append(args, "--opt", fmt.Sprintf("build-arg:%s", buildArg))
+		} else {
+			args = append(args, fmt.Sprintf("--build-arg=%s", buildArg))
+		}
 	}
 	// add other arguments to builder
 	args = append(args, builderArgs...)
@@ -1480,14 +1573,16 @@ echo "Done"
 				},
 			})
 
-			args = append(args, fmt.Sprintf("--build-arg=%s=$(%s)", key, envName))
+			if isBuildkit {
+				args = append(args, "--opt", fmt.Sprintf("build-arg:%s=$(%s)", key, envName))
+			} else {
+				args = append(args, fmt.Sprintf("--build-arg=%s=$(%s)", key, envName))
+			}
 		}
 	} else {
 		r.Recorder.Eventf(opt.BentoRequest, corev1.EventTypeNormal, "GenerateImageBuilderPod", "Secret %s is not found in namespace %s", buildArgsSecretName, configNamespace)
 	}
 
-	builderImage := internalImages.Kaniko
-
 	container := corev1.Container{
 		Name:            "builder",
 		Image:           builderImage,
@@ -1498,6 +1593,7 @@ echo "Done"
 		Env:             envs,
 		TTY:             true,
 		Stdin:           true,
+		SecurityContext: builderContainerSecurityContext,
 	}
 
 	if opt.BentoRequest.Spec.ImageBuilderContainerResources != nil {
@@ -1506,9 +1602,10 @@ echo "Done"
 
 	pod = &corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      kubeName,
-			Namespace: opt.BentoRequest.Namespace,
-			Labels:    kubeLabels,
+			Name:        kubeName,
+			Namespace:   opt.BentoRequest.Namespace,
+			Labels:      kubeLabels,
+			Annotations: kubeAnnotations,
 		},
 		Spec: corev1.PodSpec{
 			RestartPolicy:  corev1.RestartPolicyNever,

go.mod

@@ -4,7 +4,7 @@ go 1.18
 
 require (
 	github.com/aws/aws-sdk-go v1.44.152
-	github.com/bentoml/yatai-common v0.0.0-20221204065908-975ef2e3714e
+	github.com/bentoml/yatai-common v0.0.0-20230108151027-0a54d02e79b1
 	github.com/bentoml/yatai-schemas v0.0.0-20221123041958-d3ff9b721451
 	github.com/huandu/xstrings v1.3.2
 	github.com/iancoleman/strcase v0.2.0
@@ -98,7 +98,7 @@ require (
 	k8s.io/gengo v0.0.0-20211129171323-c02415ce4185 // indirect
 	k8s.io/klog/v2 v2.70.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect
-	k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect
+	k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed
 	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect

go.sum

@@ -77,8 +77,8 @@ github.com/aws/aws-sdk-go v1.44.152 h1:L9aaepO8wHB67gwuGD8VgIYH/cmQDxieCt7FeLa0+
 github.com/aws/aws-sdk-go v1.44.152/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
-github.com/bentoml/yatai-common v0.0.0-20221204065908-975ef2e3714e h1:et8vRFRG2CgnFUElqpXVrerB1DkV2DcpmFWpzAGAvqo=
-github.com/bentoml/yatai-common v0.0.0-20221204065908-975ef2e3714e/go.mod h1:pox0XYk/bVUwKkadn0XwWHEbJmxSEeN3+HwGA4a8uOQ=
+github.com/bentoml/yatai-common v0.0.0-20230108151027-0a54d02e79b1 h1:VgN2DLopHoMaEVOiD8J4bZO0L1BGXLRSmNSs7GkfbHo=
+github.com/bentoml/yatai-common v0.0.0-20230108151027-0a54d02e79b1/go.mod h1:pox0XYk/bVUwKkadn0XwWHEbJmxSEeN3+HwGA4a8uOQ=
 github.com/bentoml/yatai-schemas v0.0.0-20221123041958-d3ff9b721451 h1:FNxCbN61Ev8ea6BXzlfmRUT5CYNmqlOv8zDRGs8ufVE=
 github.com/bentoml/yatai-schemas v0.0.0-20221123041958-d3ff9b721451/go.mod h1:q7tt064G8YIiAwQabKyVaKEdSIHYDQA9Oyt+kyCsflU=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=

helm/yatai-image-builder/templates/secret-env.yaml

@@ -30,8 +30,12 @@ stringData:
 
   INTERNAL_IMAGES_BENTO_DOWNLOADER: {{ .Values.internalImages.bentoDownloader | quote }}
   INTERNAL_IMAGES_KANIKO: {{ .Values.internalImages.kaniko | quote }}
+  INTERNAL_IMAGES_BUILDKIT: {{ .Values.internalImages.buildkit | quote }}
+  INTERNAL_IMAGES_BUILDKIT_ROOTLESS: {{ .Values.internalImages.buildkitRootless | quote }}
 
   {{- if .Values.dockerRegistry.useAWSECRWithIAMRole }}
   AWS_ECR_WITH_IAM_ROLE: "true"
   AWS_ECR_REGION: {{ .Values.dockerRegistry.awsECRRegion | quote }}
   {{- end }}
+
+  BENTO_IMAGE_BUILD_ENGINE: {{ .Values.bentoImageBuildEngine | quote }}

helm/yatai-image-builder/values.yaml

@@ -98,3 +98,7 @@ aws:
 internalImages:
   bentoDownloader: quay.io/bentoml/bento-downloader:0.0.1
   kaniko: quay.io/bentoml/kaniko:1.9.1
+  buildkit: quay.io/bentoml/buildkit:master
+  buildkitRootless: quay.io/bentoml/buildkit:master-rootless
+
+bentoImageBuildEngine: kaniko # options: kaniko, buildkit, buildkit-rootless

scripts/quick-install-yatai-image-builder.sh

@@ -225,7 +225,8 @@ if [ "${USE_LOCAL_HELM_CHART}" = "true" ]; then
     --set dockerRegistry.bentoRepositoryName=${DOCKER_REGISTRY_BENTO_REPOSITORY_NAME} \
     --set aws.accessKeyID=${AWS_ACCESS_KEY_ID} \
     --set aws.secretAccessKeyExistingSecretName=${AWS_SECRET_ACCESS_KEY_EXISTING_SECRET_NAME} \
-    --set aws.secretAccessKeyExistingSecretKey=${AWS_SECRET_ACCESS_KEY_EXISTING_SECRET_KEY}
+    --set aws.secretAccessKeyExistingSecretKey=${AWS_SECRET_ACCESS_KEY_EXISTING_SECRET_KEY} \
+    --set bentoImageBuildEngine=buildkit-rootless
 else
   helm_repo_name=bentoml
   helm_repo_url=https://bentoml.github.io/helm-charts