Experimental BuildKit support

[tonistiigi]

This PR adds experimental support for using moby/buildkit as a backend for docker build. #32925 #34227

The support is only enabled in the experimental daemon, and user needs to opt-in in docker/cli to start using it.

# in daemon
dockerd -D --experimental

# in Docker CLI
export DOCKER_BUILDKIT=1
docker build .

Docker CLI branch with BuildKit support enabled is in https://github.com/tonistiigi/docker-cli/tree/experimental-buildkit

In the API, version field allows switching between different build backends.

This enables lots of new capabilities, including parallel build steps and requests, skipping unused stages, efficient incremental builds, build context file detection, remote cache support, graceful cancellation, build cache issues, etc. It also enables using experimental Dockerfile features without requiring to update Moby by using the BuildKit frontend images.

The technical side of this integration is a temporary (and somewhat limited) solution as BuildKit is based on containerd storage and that has not been integrated into Moby yet. The current solution provides adapters to some components to provide compatibility between things like containerd snapshots and Moby layerstore/storage drivers or image store. When containerd storage support lands in Moby, all these adapters should be removed entirely, and BuildKit can use containerd directly. This temporary solution allows us to get feedback before we feel comfortable to move it out of experimental.

The tests will not currently use BuildKit in the PR as it requires opt-in and a new CLI binary. We have run the tests manually. Some of them need to be reworked for output change or a side-effect removal. We will continue addressing some of the test results that we are still investigating.

Known issues (some of them will not make it into 18.06 release):

• no automatic GC (manual system df and system prune work)
• pulling schema1 images during build
• automatic path detection in dockerfile doesn't detect unused symlinks
• resource limitation and --net options: execution completely bypasses the daemon, net is host.
• windows support (depending on containerd runtime integration)
• --pull (currently existing images in image store always take precedence)
• USER doesn't set additional groups
• --iidfile is not enabled in CLI
• No way to export remote build cache. Build cache exported with standalone BuildKit can be imported with --cache-from.

@tiborvass @AkihiroSuda

depends on #36895

[AkihiroSuda]

Can we split this to a separate package that wraps Moby graphdriver as a containerd snapshotter?

cc @dmcgowan

[tonistiigi]

Currently, the issue is that containerd mounts are stateless while some graphdrives can't produce stateless mounts. @dmcgowan has a plan for that for Moby integration that is somewhat similar to the buildkit/snapshot.Mountable abstraction.

[AkihiroSuda]

Can we dedupe writer.go with https://github.com/moby/buildkit/blob/master/exporter/containerimage/writer.go via some util pkg?

[tonistiigi]

The reason I couldn't use it directly was that buildkit uses the blobsum-diffid pairs here while Moby doesn't yet have an understanding of managing layer blobs. But with a careful refactor, some parts of it can definitely be shared.

[AkihiroSuda]

Nit: can we just use strings rather than numbers? e.g. legacy and buildkit

[tiborvass]

@AkihiroSuda I don't like the word legacy (which is what it was initially). With all the respect I have for buildkit, with time everything becomes legacy and eventually you'll have to differentiate between legacy legacy and legacy. This problem is solved with versions, so I believe it's a better tradeoff this way. Happy to hear your concerns though.

[AkihiroSuda]

Could you add godoc?

[vdemeester]

On high level, definitely Design LGTM 😻

In this PR it seems it's not possible to choose a different frontend yet right ? if yes, is it something we plan to allow before going out of experimental ?
I see the gateway.v0 frontend is there so it seems it's already possible to use custom images as frontend (which is awesome 💓) but I'm not sure how to specify it from the API standpoint.

Also, should we open a PR in docker/cli to discuss the cli design in parallel ; and also easily have a docker binary built to make manual testing easier (without having to clone and build the cli)

[tonistiigi]

In this PR it seems it's not possible to choose a different frontend yet right ? if yes, is it something we plan to allow before going out of experimental ? I see the gateway.v0 frontend is there so it seems it's already possible to use custom images as frontend (which is awesome 💓) but I'm not sure how to specify it from the API standpoint.

Custom Dockerfile implementations can be used with a Dockerfile directive moby/buildkit#384 but generic frontends (or raw LLB) is not currently enabled in HTTP API. As this would be a new feature, it probably makes sense to do discuss/PR that separately. It may definitely happen in experimental is maintainers agree.

Also, should we open a PR in docker/cli to discuss the cli design in parallel ; and also easily have a docker binary built to make manual testing easier (without having to clone and build the cli)

There's still some cleanup stuff that needs to happen there. You can expect a PR early next week.

[codecov]

Codecov Report

❗ No coverage uploaded for pull request base (master@0c4ed4e). Click here to learn what that means.
The diff coverage is 2.77%.

@@            Coverage Diff            @@
##             master   #37151   +/-   ##
=========================================
  Coverage          ?   35.33%           
=========================================
  Files             ?      609           
  Lines             ?    45000           
  Branches          ?        0           
=========================================
  Hits              ?    15901           
  Misses            ?    26947           
  Partials          ?     2152

[cpuguy83]

Design LGTM

[thaJeztah]

Is this something we can upstream? I didn't see a pull request; https://github.com/hashicorp/go-immutable-radix/pulls (looks like its this change; tonistiigi/go-immutable-radix@826af9c)

[tonistiigi]

Not sure if they are interested and the project isn't very active. I can make a proper fork if needed (although we use this project for swarmkit as well). There is no functionality divergence, just an extra method that is only used by buildkit.

[thaJeztah]

We could try if they accept the PR, then we'd be set (unless we think we'll be adding more features and a fork would help)

[tonistiigi]

Ok, I'll make sure to do that and replace if it gets merged

[thaJeztah]

This is using UNLICENSE; looks like that could have some implications (but IANAL); https://softwareengineering.stackexchange.com/a/147120, docopt/docopt.rs#1

[tonistiigi]

removed

[AkihiroSuda]

LGTM if the regression is fixed now.

[tiborvass]

@AkihiroSuda yes, regression was on docker CLI.

[vdemeester]

LGTM 🦁

[tiborvass]

CI for powerpc and s390x are known to have issues /cc @andrewhsu @seemethere.

[lowenna]

This has broken master on Windows:

PS C:\> dockerd
INFO[2018-06-13T09:04:23.208583500-07:00] Windows default isolation mode: process
INFO[2018-06-13T09:04:23.294671100-07:00] Loading containers: start.
INFO[2018-06-13T09:04:23.298646300-07:00] Restoring existing overlay networks from HNS into docker
INFO[2018-06-13T09:04:23.399254200-07:00] Loading containers: done.
INFO[2018-06-13T09:04:23.402261600-07:00] Docker daemon                                 commit=692df4699c graphdriver(s)=windowsfilter version=0.0.0-dev
INFO[2018-06-13T09:04:23.405258500-07:00] Daemon has completed initialization
failed to find git binary: exec: "git": executable file not found in %PATH%
PS C:\>

[tiborvass]

@jhowardmsft Thanks. Sorry about that. Windows CI was green :(

[lowenna]

@tiborvass Yes, the CI servers have (and need) git installed :/