Quick start¶
Tip
For Kubernetes deployments, see the Kubernetes examples.
BuildKit is composed of the buildkitd daemon and the buildctl client.
While the buildctl client is available for Linux, macOS, and Windows, the
buildkitd daemon is only available for Linux currently.
The buildkitd daemon requires the following components to be installed:
- runc or crun
- containerd (if you want to use containerd worker)
The latest binaries of BuildKit are available here for Linux, macOS, and Windows.
Homebrew package (unofficial) is available for macOS:
brew install buildkit
To build BuildKit from source, see the Contributing page.
Starting the buildkitd daemon¶
You need to run buildkitd as the root user on the host.
sudo buildkitd
To run buildkitd as a non-root user, see the rootless mode guide.
The buildkitd daemon supports two worker backends: OCI (runc) and containerd.
By default, the OCI (runc) worker is used. You can set --oci-worker=false --containerd-worker=true
to use the containerd worker.
We are open to adding more backends.
Systemd socket activation¶
To start the buildkitd daemon using systemd socket activiation, you can install the buildkit systemd unit files.
On Systemd based systems, you can communicate with the daemon via Systemd socket activation,
use buildkitd --addr fd://.
Tip
You can find examples of using Systemd socket activation with BuildKit and Systemd in ./examples/systemd.
Expose BuildKit as a TCP service¶
The buildkitd daemon listens gRPC API on /run/buildkit/buildkitd.sock by
default, but you can also use TCP sockets.
It is highly recommended to create TLS certificates for both the daemon and the
client (mTLS). Enabling TCP without mTLS is dangerous because the executor
containers (aka Dockerfile RUN containers) can call BuildKit API as well.
buildkitd \
--addr tcp://0.0.0.0:1234 \
--tlscacert /path/to/ca.pem \
--tlscert /path/to/cert.pem \
--tlskey /path/to/key.pem
buildctl \
--addr tcp://example.com:1234 \
--tlscacert /path/to/ca.pem \
--tlscert /path/to/clientcert.pem \
--tlskey /path/to/clientkey.pem \
build ...
Load balancing¶
buildctl build can be called against randomly load balanced the buildkitd daemon.
Tip
If you have multiple BuildKit daemon instances, but you don't want to use registry for sharing cache across the cluster, consider client-side load balancing using consistent hashing.
See Consistent hashing example for more info.
Exploring LLB¶
BuildKit builds are based on a binary intermediate format called LLB that is used for defining the dependency graph for processes running part of your build. tl;dr: LLB is to Dockerfile what LLVM IR is to C.
- Marshaled as Protobuf messages
- Concurrently executable
- Efficiently cacheable
- Vendor-neutral (i.e. non-Dockerfile languages can be easily implemented)
See solver/pb/ops.proto
for the format definition, and see our examples for LLB
applications.
Currently, the following high-level languages has been implemented for LLB:
- Dockerfile (See Dockerfile frontend docs)
- Buildpacks
- Mockerfile
- Gockerfile
- bldr (Pkgfile)
- HLB
- Earthfile (Earthly)
- Cargo Wharf (Rust)
- Nix
- (open a PR to add your own language)