The Image-Builder-Bob component in Gitpod is a CLI tool responsible for building and pushing workspace images during workspace startup. It operates within a headless workspace created by the image-builder-mk3 component and handles the building of custom Docker images based on user-defined Dockerfiles in `.gitpod.yml`. The component consists of two main parts: a build process that creates the images and a proxy that handles authentication for pushing the images to registries.
The primary purposes of the Image-Builder-Bob component are:
- Build custom workspace images from user-defined Dockerfiles
- Create base layers for workspace images
- Push built images to container registries
- Handle authentication for private container registries
- Provide a secure way to build images without exposing registry credentials
- Support the workspace prebuild process
- Enable customization of development environments
- Optimize image building with caching
- Facilitate the use of custom Docker configurations in workspaces
The Image-Builder-Bob component consists of several key parts:
- Bob Build: A command that builds the base layer and workspace image
- Bob Proxy: A proxy that authenticates image pushes to registries
- Builder Package: Core functionality for building images
- Proxy Package: Handles registry authentication and proxying
- Runc-Facade: A wrapper for the runc container runtime
The component operates in a headless workspace where:
- `bob proxy` runs in ring1 (started by workspacekit) and receives the credentials for pushing images
- `bob build` runs as a workspace task, builds the images and pushes them to `bob proxy`
- Base Layer Building: Creates a base image from a custom Dockerfile specified in `.gitpod.yml`
- Workspace Image Building: Uses the base layer to create a workspace image
- Caching: Reuses previously built base images when available
- Buildkit Integration: Uses Buildkit for efficient image building
- Context Management: Handles the build context for Docker images
- Error Handling: Provides detailed error messages for build failures
- Logging: Writes build logs to `/workspace/.gitpod/bob.log`
- Secure Credential Handling: Manages registry credentials securely
- Authentication Proxy: Proxies and authenticates image pushes
- Encryption: Supports encrypted authentication tokens
- Multiple Registry Support: Can authenticate with different registries
- Cloud Provider Integration: Supports authentication with cloud provider registries (AWS ECR, etc.)
The Image-Builder-Bob component is configured through environment variables:
- `BOB_TARGET_REF`: Reference for the target image
- `BOB_BASE_REF`: Reference for the base image
- `BOB_BUILD_BASE`: Whether to build the base image
- `BOB_DOCKERFILE_PATH`: Path to the Dockerfile
- `BOB_CONTEXT_DIR`: Directory to use as build context
- `BOB_EXTERNAL_BUILDKITD`: External Buildkit daemon to use
- `BOB_LOCAL_CACHE_IMPORT`: Local cache import configuration
- `THEIA_WORKSPACE_ROOT`: Workspace root directory

- `BOB_BASELAYER_AUTH`: Authentication for the base layer registry
- `BOB_WSLAYER_AUTH`: Authentication for the workspace layer registry
- `BOB_AUTH_KEY`: Key for decrypting authentication tokens

- `WORKSPACEKIT_BOBPROXY_BASEREF`: Base image reference for the proxy
- `WORKSPACEKIT_BOBPROXY_TARGETREF`: Target image reference for the proxy
- `WORKSPACEKIT_BOBPROXY_AUTH`: Authentication for the proxy
- `WORKSPACEKIT_BOBPROXY_ADDITIONALAUTH`: Additional authentication for the proxy
Example invocations:

```shell
BOB_BASE_REF=localhost:5000/source:latest BOB_TARGET_REF=localhost:5000/target:83 bob build
bob proxy --base-ref=localhost:5000/source:latest --target-ref=localhost:5000/target:83 --auth='{"username":"user","password":"pass"}'
```
- `image-builder-mk3` creates a headless workspace
- `bob proxy` starts in ring1 with registry credentials
- `bob build` runs as a workspace task
- Base layer is built if needed (custom Dockerfile)
- Workspace image is built using the base layer
- Images are pushed through `bob proxy` to the registry
- Workspace starts using the built image
The Image-Builder-Bob component integrates with:
- Image-Builder-MK3: Creates the headless workspace where Bob runs
- Workspacekit: Starts `bob proxy` in ring1
- Registry-Facade: The built images are later modified by registry-facade
- Container Registries: For pushing and pulling images
- Buildkit: For efficient image building
- `components/common-go`: Common Go utilities
- Buildkit: For building container images
- Docker Registry: For storing built images
- Containerd: For container operations
- OCI Tools: For working with OCI images
The component implements several security measures:
- Credential Isolation: Registry credentials are only available to `bob proxy`, not to user code
- Encryption: Authentication tokens can be encrypted
- Proxy Authentication: All image pushes are authenticated through the proxy
- Rootless Building: Images are built without requiring root privileges
- Isolated Workspaces: Building happens in isolated headless workspaces
The build process consists of two main steps:
- Base Layer Building: If a custom Dockerfile is specified, a base image is built
- Workspace Image Building: Using crane to copy the image from the base layer
The base layer can be either a previously built custom Dockerfile or a public image. The built images do not include components like `supervisor` or the IDE, as these layers are added by `registry-facade` during image pull.
The proxy acts as an intermediary between `bob build` and the actual container registry:
- Receives image pushes from `bob build` on localhost
- Authenticates with the target registry using provided credentials
- Forwards the image to the target registry
- Handles authentication for both base and target images
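The credential-isolation pattern the proxy implements, as an added illustration written for this page rather than Gitpod's own `bob proxy` code: the handler accepts registry API requests from localhost only, discards any Authorization header the caller sent, and attaches the username/password from the `--auth` JSON on the proxy side before forwarding to the target registry, so the build side never holds the secret. The function name `NewPushProxy`, the listening address and the sample credentials are assumptions, and the example is simplified to Basic auth (the real proxy also copes with token-based registry authentication).

```go
package main

import (
	"encoding/json"
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
)
// registryAuth mirrors the --auth JSON shown above.
type registryAuth struct {
	Username string `json:"username"`
	Password string `json:"password"`
}
// NewPushProxy returns a handler that accepts registry API calls from localhost
// only and forwards them to targetRegistry with the credentials attached on the
// proxy side, so the pushing client never holds them (simplified: Basic auth only).
func NewPushProxy(targetRegistry, authJSON string) (http.Handler, error) {
	var auth registryAuth
	if err := json.Unmarshal([]byte(authJSON), &auth); err != nil {
		return nil, err
	}
	target, err := url.Parse(targetRegistry)
	if err != nil {
		return nil, err
	}
	p := httputil.NewSingleHostReverseProxy(target)
	orig := p.Director
	p.Director = func(r *http.Request) {
		orig(r)
		r.Host = target.Host
		r.Header.Del("Authorization") // discard whatever the client sent
		r.SetBasicAuth(auth.Username, auth.Password)
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if ip := net.ParseIP(host); err != nil || ip == nil || !ip.IsLoopback() {
			http.Error(w, "pushes are accepted from localhost only", http.StatusForbidden)
			return
		}
		p.ServeHTTP(w, r)
	}), nil
}
func main() { // constructed sample values; a deployment would take them from flags
	h, err := NewPushProxy("http://localhost:5000", `{"username":"user","password":"pass"}`)
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", h))
}
```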
- Image-Builder-MK3: Orchestrates the image building process
- Registry-Facade: Adds additional layers to the built images
- Supervisor: Manages the workspace environment
- Workspacekit: Starts `bob proxy` in ring1