> The current recommendation is rules_oci, which takes the opposite approach: use only off-the-shelf tools...

I'm the author of one of those off-the-shelf tools, and the rules_oci decision here always struck me as a bit unusual. OCI is a relatively simple spec with a number of libraries that implement it. Instead of creating a custom build command on top of those libraries to get an efficient build tool, they found existing commands that could be pressed into service even though image building wasn't what they were designed for.

It looks like rules_img is taking that other path with their own build command based on the go-containerregistry library. I wish them all the best with their effort.

That said, if all you need to do is add a layer to an existing base, there are tools like crane [0] and regctl [1] that do that today (a sketch follows below the links).

The reason other build tools typically pull the base image first is to support "RUN" build steps that execute a command inside a container and store the filesystem changes in a new layer. If that functionality is ever added to rules_img, I expect it to have the same performance as other build tools.

[0]: https://github.com/google/go-containerregistry/blob/main/cmd/crane/recipes.md#bundle-directory-contents-into-an-image

[1]: https://regclient.org/cli/regctl/image/mod/
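For the add-a-layer case, the crane recipe in [0] boils down to a couple of commands. A minimal sketch, assuming a directory of files to ship; the image names are placeholders:

    # bundle a directory into a tarball that becomes the new layer
    tar -C ./app-files -cf layer.tar .

    # stack it on a base and push the result; no container is ever run
    crane append -b gcr.io/distroless/static \
      -f layer.tar \
      -t registry.example.com/app:latest

regctl's equivalent lives under "regctl image mod" [1].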
My experience is that anything involving Bazel is slow, bloated, and complicated: it hammers your disk, copies your files ten times over, and balloons your disk usage without ever collecting the garbage. A lot of essential features are missing, so you realistically have to build a lot of custom rules, if not outright additional tooling on top.

I'm not too surprised that out-of-the-box Docker image builds exhibit more of this. While it's good they're fixing it, it feels like some of the core concepts cause pretty systematic issues any time you try to go beyond the basic feature set...
For some more depth on the "bloat" of Bazel, I like this reference: https://fzakaria.com/2024/02/27/hermetic-but-at-what-cost
To be clear, when you say "they're fixing this"... the Bazel maintainers have nothing to do with this.

Bazel is a general-purpose tool like Make, but with caching, sandboxing, and a different syntax.

Make is no less focused on Docker than Bazel is.

Unlike Make, however, Bazel does make it easy to share rule sets.

But you don't need to use other people's Bazel rule sets any more than you need to use other people's Make recipes.

This author has a clever way to minimize needing to touch layers at all.
rules_oci (and a bunch of the rules_* under the bazelbuild / bazel-contrib orgs on GitHub) are Bazel's recommended rule sets.

I don't agree with your parent comment about Bazel, but your comment isn't entirely fair either. Bazel tries to be a better build tool, so it took on responsibility for the registry and the rules_* ecosystem; getting criticized for them is fair game.

The "bloated Bazel" blame isn't fair either, but I think it's somewhat understandable. If you're only ever going to do JavaScript, bun or another package manager is enough and "lighter-weight". The same goes for a uv + Python bundle. Bazel only shines when you're dealing with your C++ mess, and even there people prefer CMake, for reasons beyond me.
I'm struggling with the caching right now. I'm trying to switch from GitHub Actions to just running stuff in containers, and it works. Except for the caching.

BuildKit from Docker is just a pure bullshit design. Instead of the elegant layer-based system, there are now two daemons that fling tar files around, for no real reason that I can discern. But the worst thing is that the caching is just plain broken.
BuildKit can be very efficient at caching, but you need to design your image build around it. Once any step encounters a cache miss, all remaining steps will too.

I'd also avoid loading the result back into the Docker daemon unless you really need it there. BuildKit can output directly to a registry or to an OCI layout, each of which will preserve the image digest and support multi-platform images. (Admittedly, those problems go away with the containerd storage changes happening, but it's still an additional export/import that can be skipped.)

All that said, I think caching is often the wrong goal. Personally, I want reproducible builds, and those should bypass any cache to verify that each step always has the same output. Also, when saving the cache, every build caches every step, even steps that aren't used in future builds. As a result, for my own projects, the net result of adding a cache could be slower builds.

Instead of caching the image build steps, I think where we should be spending a lot more effort is in creating local proxies of upstream dependencies, removing the network overhead of pulling dependencies on every build. Compute-intensive build steps would still be slow, but a significant number of image builds could be sped up with a proxy at the CI-server level, without tuning builds individually.
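Those direct outputs are exporter flags on buildx. A sketch with placeholder image names (--push is shorthand for the registry exporter):

    # push straight to a registry, skipping the import into the docker daemon
    docker buildx build --push -t registry.example.com/app:latest .

    # or write an OCI layout tarball to disk instead
    docker buildx build --output type=oci,dest=app-oci.tar .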
> BuildKit can be very efficient at caching, but you need to design your image build around it.

Well, that's what I've been trying to do. And failing, because it simply doesn't work.

> I'd also avoid loading the result back into the Docker daemon unless you really need it there.

I need Docker to provide me with a reproducible environment to run lints, inspections, UI tests and so on. These images are quite massive. And because caching in Docker is broken, they were getting rebuilt every time we did a push.

Well, I switched to Podman and podman-compose. Now they do get cached, and the build time is within ~1 minute with the help of the GHA cache.

And yes, my deployment builds are produced without any caching.
I went down this rabbit hole before, you have to ignore all the recommended approaches. The real solution is to have a build server with a global Docker install and a script to prune cache when the disk usage goes above a certain percentage. Cache is local and instant. Pushing and pulling cache images is an insane solution.
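That prune script can be tiny. A sketch, assuming GNU df, Docker's data under /var/lib/docker, and an arbitrary 85% threshold:

    #!/bin/sh
    # prune all builder cache once the docker partition is more than 85% full
    THRESHOLD=85
    usage=$(df --output=pcent /var/lib/docker | tail -n 1 | tr -dc '0-9')
    if [ "$usage" -gt "$THRESHOLD" ]; then
        docker builder prune --all --force
    fi

Run it from cron on the build server and the cache stays local, warm, and bounded.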
The layers are tar files; I'm confused about what behavior you actually want that isn't supported.
The original Docker (and the current Podman) created each layer as an overlay filesystem, so each layer was essentially an ephemeral container. If a build failed, you could just run the last successful layer with a shell and see what was wrong.

More importantly, the layers were represented as directories on the host system. So when you wanted to run something in the final container, Docker just needed to reassemble it.

BuildKit has broken all of that. Building is now done in what is essentially a separate system; the "docker buildx" command talks to it over a socket, transmits the context, and gets the result back as an OCI image that it then needs to unpack.

This is an entirely useless step. It also breaks caching all the time. If you build two images that differ only slightly, the host still gets two full OCI artifacts, even if the two images share most of their layers.

It looks like their Bazel infrastructure optimized this by moving caching down to the file level.
BuildKit didn't break anything here, except that each individual build step is no longer exposed as a runnable image in Docker.
That was unfortunate, but you can actually have BuildKit run a command in that filesystem these days, and buildx now even exposes a DAP interface.

BuildKit is far more efficient than the old model.
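For reference, the run-a-command-in-the-build flow is behind buildx's experimental debug subcommand; the exact invocation has moved between releases, so treat this as a sketch:

    # drop into a shell in the build's filesystem (experimental feature)
    BUILDX_EXPERIMENTAL=1 docker buildx debug --invoke /bin/sh build .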
BuildKit is still a separate system, unlike the old builder, so you get that extra step of importing the result back.

And since it's a separate system, there are also these strange limitations. For example, I can't cache pre-built images in an NFS directory and then just push them into the BuildKit context. There's simply no command for it; BuildKit can only pull them from a registry.

> BuildKit is far more efficient than the old model.

I've yet to see it work faster than podman + buildah. And it's also just plain buggy. Caching for multi-stage and/or parallel builds has been broken since the beginning. The Docker team just ignores it and closes the bugs:
https://github.com/moby/buildkit/issues/1981
https://github.com/moby/buildkit/issues/2274
https://github.com/moby/buildkit/issues/2279

I understand why. I tried to debug it, and simply getting it running under a debugger is an adventure.

So far, I've found that switching to podman + podman-compose is a better solution. At least my brain is good enough to understand them completely, and to contribute fixes if needed.
Huh?

Each layer is a tarball.

So build your tarballs (concurrently!), and then add some metadata to make an image. (A sketch follows below.)

From your comment elsewhere, it seems you may be expecting the docker build paradigm of running a container and snapshotting it at various stages.

That is messy and has a number of limitations, not the least of which is cross-compilation. Reproducibility is another. But in any case, that's definitely not what these rules are trying to do.
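As an illustration of "tarballs plus metadata" with an off-the-shelf tool (not what rules_oci or rules_img literally run): a sketch using crane, with placeholder paths and image names, assuming crane's -f/--new_layer flag accepts repeats:

    # build the layer tarballs independently, and in parallel
    tar -C bazel-bin/deps -cf deps.tar . &
    tar -C bazel-bin/app  -cf app.tar . &
    wait

    # stack them on a base and push; no container ever runs
    crane append -b gcr.io/distroless/static \
      -f deps.tar -f app.tar \
      -t registry.example.com/app:latest

    # the "metadata" step: set the config, pushing the mutated image back
    crane mutate registry.example.com/app:latest \
      --entrypoint /app -t registry.example.com/app:latest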
I don't quite understand how it handles running binaries then. For example, I want to do `bash -c "ls -la /"`. How would it run this command? It needs to assemble the filesystem at this point in the build process.<p>I guess the answer for Bazel is "don't do this"? Docker handles cross-compilation by using emulators, btw.
> "don't do this"

Yes. The Bazel way is to produce binaries, files, and directories, and then create an image "directly" from these, much as you would create a JAR or ZIP or DEB.

This is (1) fast, (2) small, and (3), more importantly, reproducible. Bazel users want their builds to produce artifacts that are exactly the same, for a number of reasons. Size is also nice... do you really need ls and dozens of other executables in your containerized service?

Most Docker users don't care about reproducibility. They'll apt-get install something and get one version today and another version tomorrow.

Good? Bad? That's a value judgement. But Bazel users have fundamentally different objectives.

> emulators

Yeah, emulators are the Docker solution for producing images of different architectures.

Since Bazel doesn't run commands in a running container, it skips that consideration entirely.
Funny that the article only obliquely references the compression issues. The OCI users that I have seen are using gzip due to inertia, while zstd layers have been supported for a while and are radically faster.
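With buildx, zstd is a per-export setting on the image exporter. A sketch with placeholder names, assuming your registry and runtimes handle zstd layer media types:

    # push with zstd-compressed layers instead of the gzip default
    docker buildx build \
      --output type=image,name=registry.example.com/app:latest,push=true,compression=zstd,force-compression=true \
      .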
This is smart.

Container layers are so large that moving them around is heavy. So defer that part to the non-hermetic push/load stages of the process, while retaining hermeticity/reproducibility for everything else.

You can sort of think of it like the IO monad in Haskell... defer it all until the impure end.
Uhhh, what? Isn't the whole point of Bazel that it's a monorepo with all dependencies, so you don't need effing Docker just to build or run a bloody computer program?

It drives me absolutely batshit insane that modern systems are incapable of either building or running computer programs without Docker. Everyone should be profoundly embarrassed and ashamed by this.

I'm a charlatan VR and gamedev type who primarily uses Windows. But my deeply unpopular opinion is that Windows is a significantly better dev and runtime environment because it doesn't require all this Docker garbage. I swear that building and running programs does not actually have to be this complicated!! Linux userspace got pretty much everything related to dependencies and packages very, very wrong.

I am greatly pleased and amused that the most reliable API for gaming on Linux is Win32 via Proton. That should be a clear signal that Linux userspace has gone off the rails.
You're covering a lot of ground here! The article is about *producing* container images for deployment and has no relation to Bazel building stuff for you. If you're not deploying as containers, you don't need this?

On the Linux vs Win32 flame warring: can you be more specific? What, specifically, is very, very wrong with Linux packaging and dependency resolution?
Awful AI images everywhere. Can we not help ourselves?