If a question you have is not answered below, please submit an issue.
But, I'm not a Java developer.
How do I run the image I built?
Where is bash?
What image format does Jib use?
Why is my image created 48+ years ago?
Where is the application in the container filesystem?
Can I learn more about container images?
How-Tos
How do I set parameters for my image at runtime?
Can I define a custom entrypoint?
I want to containerize a JAR.
I need to RUN commands like apt-get
.
Can I ADD a custom directory to the image?
I need to add files generated during the build process to a custom directory on the image.
Can I build to a local Docker daemon?
How do I enable debugging?
What would a Dockerfile for a Jib-built image look like?
How can I inspect the image Jib built?
I would like to run my application with a javaagent.
How can I tag my image with a timestamp?
Common Problems
How can I diagnose problems pulling or pushing from remote registries?
What should I do when the registry responds with Forbidden or DENIED?
What should I do when the registry responds with UNAUTHORIZED?
How do I configure a proxy?
How can I examine network traffic?
How do I view debug logs for Jib?
I am seeing ImagePullBackoff
on my pods.
See rules_docker for a similar existing container image build tool for the Bazel build system. The tool can build images for languages such as Python, NodeJS, Java, Scala, Groovy, C, Go, Rust, and D.
If you built your image directly to the Docker daemon using jib:dockerBuild
(Maven) or jibDockerBuild
(Gradle), you simply need to use docker run <image name>
.
If you built your image to a registry using jib:build
(Maven) or jib
(Gradle), you will need to pull the image using docker pull <image name>
before using docker run
.
To run your image on Kubernetes, you can use kubectl:
kubectl run jib-deployment --image=<image name>
For more information, see steps 4-6 of the Kubernetes Engine deployment tutorial.
By default, Jib uses distroless/java
as the base image. Distroless images contain only runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution. Check out the distroless project for more information about distroless images.
If you would like to include a shell for debugging, set the base image to gcr.io/distroless/java:debug
instead. The shell will be located at /busybox/sh
. Note that :debug
images are not recommended for production use.
Configuring a base image in Maven
In jib-maven-plugin
, you can use the gcr.io/distroless/java:debug
base image by adding the following configuration:
<configuration>
<from>
<image>gcr.io/distroless/java:debug</image>
</from>
</configuration>
Configuring a base image in Gradle
In jib-gradle-plugin
, you can use the gcr.io/distroless/java:debug
base image by adding the following configuration:
jib.from.image = 'gcr.io/distroless/java:debug'
You can then run the image in shell form with Docker: docker run -it --entrypoint /busybox/sh <image name>
Jib currently builds into the Docker V2.2 image format or OCI image format.
See Extended Usage for the <container><format>
configuration.
See Extended Usage for the container.format
configuration.
For reproducibility purposes, Jib sets the creation time of the container images to the Unix epoch (00:00:00, January 1st, 1970 in UTC). If you would like to use a different timestamp, set the jib.container.creationTime
/ <container><creationTime>
parameter to an ISO 8601 date-time. You may also use the value USE_CURRENT TIMESTAMP
to set the creation time to the actual build time, but this sacrifices reproducibility since the timestamp will change with every build.
Setting `creationTime` parameter
<configuration>
<container>
<creationTime>2019-07-15T10:15:30+09:00</creationTime>
</container>
</configuration>
jib.container.creationTime = '2019-07-15T10:15:30+09:00'
Note that the modification time of the files in the built image put by Jib will still be 1 second past the epoch. The file modification time can be configured using <container><filesModificationTime>
(Maven) or jib.container.filesModificationTime
(Gradle).
Reproducible means that given the same inputs, a build should produce the same outputs. Container images are uniquely identified by a digest (or a hash) of the image contents and image metadata. Tools and infrastructure such the Docker daemon, Docker Hub, registries, Kubernetes, etc) treat images with different digests as being different.
To ensure that a Jib build is reproducible — that the rebuilt container image has the same digest — Jib adds files and directories in a consistent order, and sets consistent creation- and modification-times and permissions for all files and directories. Jib also ensures that the image metadata is recorded in a consistent order, and that the container image has a consistent creation time. To ensure consistent times, files and directories are recorded as having a creation and modification time of 1 second past the Unix Epoch (1970-01-01 00:00:01.000 UTC), and the container image is recorded as being created on the Unix Epoch. Setting container.useCurrentTimestamp=true
and then rebuilding an image will produce a different timestamp for the image creation time, and so the container images will have different digests and appear to be different.
For more details see reproducible-builds.org.
Jib packages your Java application into the following paths on the image:
/app/libs/
contains all the dependency artifacts/app/resources/
contains all the resource files/app/classes/
contains all the classes files- the contents of the extra directory (default
src/main/jib
) are placed relative to the container's root directory (/
)
If you'd like to learn more about container images, @coollog has a guide: Build Containers the Hard Way, which takes a deep dive into everything involved in getting your code into a container and onto a container registry.
For the default distroless/java
base image, you can use the JAVA_TOOL_OPTIONS
environment variable (note that other JRE images may require using other environment variables):
Using Docker: docker run -e "JAVA_TOOL_OPTIONS=<JVM flags>" <image name>
Using Kubernetes:
apiVersion: v1
kind: Pod
spec:
containers:
- name: <name>
image: <image name>
env:
- name: JAVA_TOOL_OPTIONS
value: <JVM flags>
Using Docker: docker run -e "NAME=VALUE" <image name>
Using Kubernetes:
apiVersion: v1
kind: Pod
spec:
containers:
- name: <name>
image: <image name>
env:
- name: NAME
value: VALUE
Using Docker: docker run <image name> <arg1> <arg2> <arg3>
Using Kubernetes:
apiVersion: v1
kind: Pod
spec:
containers:
- name: <name>
image: <image name>
args:
- <arg1>
- <arg2>
- <arg3>
For more information, see the JAVA_TOOL_OPTIONS
environment variable, the docker run -e
reference, and defining environment variables for a container in Kubernetes.
Normally, the plugin sets a default entrypoint for java applications, or lets you configure a custom entrypoint using the container.entrypoint
configuration parameter. You can also override the default/configured entrypoint by defining a custom entrypoint when running the container. See docker run --entrypoint
reference for running the image with Docker and overriding the entrypoint command, or see Define a Command and Arguments for a Container for running the image in a Kubernetes Pod and overriding the entrypoint command.
The intention of Jib is to add individual class files, resources, and dependency JARs into the container instead of putting a JAR. This lets Jib choose an opinionated, optimal layout for the application on the container image, which also allows it to skip the extra JAR-packaging step.
However, you can set <containerizingMode>packaged
(Maven) or jib.containerizingMode = 'packaged'
(Gradle) to containerize a JAR, but note that your application will always be run via java -cp ... your.MainClass
(even if it is an executable JAR). Some disadvantages:
- You need to run the JAR-packaging step (
mvn package
in Maven or thejar
task in Gradle). - Reduced granularity in building and caching: if any of your Java source files or resource files are updated, not only the JAR has to be rebuilt, but the entire layer containing the JAR in the image has to be recreated and pushed to the destination.
- If it is a fat or shaded JAR embedding all dependency JARs, you are duplicating the dependency JARs in the image. Worse, it results in far more reduced granularity in building and caching, as dependency JARs can be huge and all of them need to be pushed repeatedly even if they do not change.
Note that for runnable JARs/WARs, currently Jib does not natively support creating an image that runs a JAR (or WAR) through java -jar runnable.jar
(although it is not impossible to configure Jib to do so at the expense of more complex project setup.)
Running commands like apt-get
slows down the container build process. We do not recommend or support running commands as part of the build.
However, if you need to run commands, you can build a custom image and configure Jib to use it as the base image.
Base image configuration examples
In jib-maven-plugin
, you can then use this custom base image by adding the following configuration:
<configuration>
<from>
<image>custom-base-image</image>
</from>
</configuration>
In jib-gradle-plugin
, you can then use this custom base image by adding the following configuration:
jib.from.image = 'custom-base-image'
We currently support adding a custom directory with an incubating feature called extra directories. This feature may change in later versions. If your application needs to use custom files, place them into the src/main/jib
folder. Files placed here will be added to the filesystem of the container. For example, src/main/jib/foo/bar
would add /foo/bar
into the container filesystem.
If the current extra directories design doesn't meet your needs (e.g. you need to set up the extra files directory with files generated during the build process), you can use additional goals/tasks to create the extra directory as part of your build.
File copying examples
In Maven, you can use the maven-resources-plugin
to copy files to your extra directory. For example, if you generate files in target/generated/files
and want to add them to /my/files
on the container, you can add the following to your pom.xml
:
<plugins>
...
<plugin>
<artifact>jib-maven-plugin</artifact>
...
<configuration>
<extraDirectory>${project.basedir}/target/extra-directory/</extraDirectory>
</configuration>
</plugin>
...
<plugin>
<artifact>maven-resources-plugin</artifact>
<version>3.1.0</version>
<configuration>
<outputDirectory>${project.basedir}/target/extra-directory/my/files</outputDirectory>
<resources>
<resource>
<directory>${project.basedir}/target/generated/files</directory>
</resource>
</resources>
</configuration>
</plugin>
...
</plugins>
The copy-resources
goal will run automatically before compile, so if you are copying files from your build output to the extra directory, you will need to either set the life-cycle phase to post-compile
or later, or run the goal manually:
mvn compile resources:copy-resources jib:build
The same can be accomplished in Gradle by using a Copy
task. In your build.gradle
:
jib.extraDirectory = file('build/extra-directory')
task setupExtraDir(type: Copy) {
from file('build/generated/files')
into file('build/extra-directory/my/files')
}
tasks.jib.dependsOn setupExtraDir
The files will be copied to your extra directory when you run the jib
task.
There are several ways of doing this:
- Use
jib:dockerBuild
for Maven orjibDockerBuild
for Gradle to build directly to your local Docker daemon. - Use
jib:buildTar
for Maven orjibBuildTar
for Gradle to build the image to a tarball, then usedocker load --input
to load the image into Docker (the tarball built with these commands will be located intarget/jib-image.tar
for Maven andbuild/jib-image.tar
for Gradle by default). docker pull
the image built with Jib to have it available in your local Docker daemon.- Alternatively, instead of using a Docker daemon, you can run a local container registry, such as Docker registry or other repository managers, and point Jib to push to the local registry.
If using the distroless/java
base image, then use the JAVA_TOOL_OPTIONS
to pass along debugging configuration arguments. For example, to have the remote VM accept local debug connections on port 5005, but not suspend:
-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=localhost:5005
Then connect your debugger to port 5005 on your local host. You can port-forward the container port to a localhost port for easy access.
Using Docker: docker run -p 5005:5005 <image>
Using Kubernetes: kubectl port-forward <pod name> 5005:5005
Beware: in Java 8 and earlier, specifying only a port meant that the JDWP socket was open to all incoming connections which is insecure. It is recommended to limit the debug port to localhost.
You can run your container with a javaagent by placing it somewhere in the src/main/jib
directory to add it to the container's filesystem, then pointing to it using Jib's container.jvmFlags
configuration.
<configuration>
<container>
<jvmFlags>
<jvmFlag>-javaagent:/myfolder/agent.jar</jvmFlag>
</jvmFlags>
</container>
</configuration>
jib.container.jvmFlags = ['-javaagent:/myfolder/agent.jar']
See also Can I ADD a custom directory to the image?
To tag the image with a simple timestamp, add the following to your pom.xml
:
<properties>
<maven.build.timestamp.format>yyyyMMdd-HHmmssSSS</maven.build.timestamp.format>
</properties>
Then in the jib-maven-plugin
configuration, set the tag
to:
<configuration>
<to>
<image>my-image-name:${maven.build.timestamp}</image>
</to>
</configuration>
You can then use the same timestamp to reference the image in other plugins.
To tag the image with a timestamp, simply set the timestamp as the tag for to.image
in your jib
configuration. For example:
jib.to.image = 'gcr.io/my-gcp-project/my-app:' + System.nanoTime()
A Dockerfile that performs a Jib-like build is shown below:
# Jib uses distroless java as the default base image
FROM gcr.io/distroless/java:latest
# Multiple copy statements are used to break the app into layers, allowing for faster rebuilds after small changes
COPY dependencyJars /app/libs
COPY snapshotDependencyJars /app/libs
COPY resources /app/resources
COPY classFiles /app/classes
# Jib's extra directory ("src/main/jib" by default) is used to add extra, non-classpath files
COPY src/main/jib /
# Jib's default entrypoint when container.entrypoint is not set
ENTRYPOINT ["java", jib.container.jvmFlags, "-cp", "/app/resources:/app/classes:/app/libs/*", jib.container.mainClass]
CMD [jib.container.args]
When unset, Jib will infer the value for jib.container.mainClass
.
Some plugins, such as the Docker Prepare Gradle Plugin, will even automatically generate a Docker context for your project, including a Dockerfile.
To inspect the image that is produced from the build using Docker, you can use commands such as docker inspect your/image:tag
to view the image configuration, or you can also download the image using docker save
to manually inspect the container image. Other tools, such as dive, provide nicer UI to inspect the image.
There are a few reasons why Jib may be unable to connect to a remote registry, including:
- Registry reports FORBIDDEN. See What should I do when the registry responds with Forbidden or DENIED?
- Registry reports UNAUTHORIZED. See What should I do when the registry responds with UNAUTHORIZED?
- Access requires a proxy. See How do I configure a proxy? for details.
- The registry does not support HTTPS. We do not pass authentication details on non-HTTPS connections, though this can be overridden with the
sendCredentialsOverHttp
system property, but it is not recommend (version 0.9.9). - The registry's SSL certificates have expired or are not trusted. We have a separate document on handling registries that use self-signed certificates, which may also apply if the SSL certificate is signed by an untrusted Certificate Authority. Jib supports an
allowInsecureRegistries
flag to ignore SSL certificate validation, but it is not recommend (version 0.9.9). - The registry does not support the Docker Image Format V2 Schema 2 (sometimes referred to as v2-2). This problem is usually shown by failures wth
INVALID_MANIFEST
errors. Some registries can be configured to support V2-2 such as Artifactory and OpenShift. Other registries, such as Quay.io/Quay Enterprise, are in the process of adding support.
If the registry returns 403 Forbidden
or "code":"DENIED"
, it often means Jib successfully authenticated using your credentials but the credentials do not have permissions to pull or push images. Make sure your account/role has the permissions to do the operation.
Depending on registry implementations, it is also possible that the registry actually meant you are not authenticated. See What should I do when the registry responds with UNAUTHORIZED? to ensure you have set up credentials correctly.
If the registry returns 401 Unauthorized
or "code":"UNAUTHORIZED"
, it is often due to credential misconfiguration. Examples:
- You did not configure auth information in the default places where Jib searches.
$HOME/.docker/config.json
, one of the configuration files for thedocker
command line tool. See configuration files document, credential store and credential helper sections, and this for how to configure auth. For example, you can dodocker login
to save auth inconfig.json
, but it is often recommended to configure a credential helper (also configurable inconfig.json
).- Some common credential helpers on
$PATH
(for example,docker-credential-osxkeychain
,docker-credential-ecr-login
, etc.) for well-known registries. - Jib configurations
- Configuring credential helpers:
<from/to><credHelper>
for Maven /from/to.credHelper
for Gradle - Specific credentials (not recommend):
<from/to><auth><username>/<password>
or insettings.xml
for Maven /from/to.auth.username/password
for Gradle - These parameters can also be set through properties: Maven / Gradle
- Configuring credential helpers:
$HOME/.docker/config.json
may also contain short-lived authorizations in theauths
block that may have expired. In the case of Google Container Registry, if you had previously usedgcloud docker
to configure these authorizations, you should remove these stale authorizations by editing yourconfig.json
and deleting lines fromauths
associated withgcr.io
(for example:"https://asia.gcr.io"
). You can then rungcloud auth configure-docker
to correctly configure thecredHelpers
block for more robust interactions with gcr.- Different auth configurations exist in multiple places, and Jib is not picking up the auth information you are working on.
- You configured a credential helper, but the helper is not on
$PATH
. This is especially common when running Jib inside IDE where the IDE binary is launched directly from an OS menu and does not have access to your shell's environment. - Configured credentials have access to the base image repository but not to the target image repository (or vice versa).
- Typos in username, password, image names, or registry names.
- You are using a private registry without HTTPS. See How can I diagnose problems pulling or pushing from remote registries?.
If you encounter issues interacting with a registry other than UNAUTHORIZED
, check "How can I diagnose problems pulling or pushing from remote registries?".
Jib currently requires configuring your build tool to use the appropriate Java networking properties (https.proxyHost
, https.proxyPort
, https.proxyUser
, https.proxyPassword
).
I am seeing ImagePullBackoff
on my pods (in minikube).
When you use your private image built with Jib in a Kubernetes cluster, the cluster needs to be configured with credentials to pull the image. This involves 1) creating a Secret, and 2) using the Secret as imagePullSecrets
.
kubectl create secret docker-registry registry-json-key \
--docker-server=<registry> \
--docker-username=<username> \
--docker-password=<password> \
--docker-email=<any valid email address>
kubectl patch serviceaccount default \
-p '{"imagePullSecrets":[{"name":"registry-json-key"}]}'
For example, if you are using GCR, the commands would look like (see Advanced Authentication Methods):
kubectl create secret docker-registry gcr-json-key \
--docker-server=https://gcr.io \
--docker-username=_json_key \
--docker-password="$(cat keyfile.json)" \
--docker-email=any@valid.com
kubectl patch serviceaccount default \
-p '{"imagePullSecrets":[{"name":"gcr-json-key"}]}'
See more at Using Google Container Registry (GCR) with Minikube.
It can be useful to examine network traffic to diagnose connectivity issues. Jib uses the Google HTTP client library to interact with registries which logs HTTP requests using the JVM-provided java.util.logging
facilities. It is very helpful to serialize Jib's actions using the jibSerialize
property.
To see the HTTP traffic, create a logging.properties
file with the following:
handlers = java.util.logging.ConsoleHandler
java.util.logging.ConsoleHandler.level=ALL
# CONFIG hides authentication data
# ALL includes authentication data
com.google.api.client.http.level=CONFIG
And then launch your build tool as follows:
mvn -Djava.util.logging.config.file=path/to/log.properties -DjibSerialize=true ...
or
gradle -Djava.util.logging.config.file=path/to/log.properties -DjibSerialize=true ...
Maven: use mvn -X -DjibSerialize=true
to enable more detailed logging and serialize Jib's actions.
Gradle: use grade --debug -DjibSerialize=true
to enable more detailed logging and serialize Jib's actions.