Google Cloud Image Builder

Building container images with Google Cloud Build

The Google Cloud image builder is an image builder flavor provided by the ZenML gcp integration that uses Google Cloud Build to build container images.

When to use it

You should use the Google Cloud image builder if:

How to deploy it

Would you like to skip ahead and deploy a full ZenML cloud stack already, including the Google Cloud image builder? Check out the in-browser stack deployment wizard, the stack registration wizard, or the ZenML GCP Terraform module for a shortcut on how to deploy & register this stack component.

To use the ZenML Google Cloud image builder, you need to enable the relevant Google Cloud Build APIs on the Google Cloud project.

How to use it

To use the Google Cloud image builder, we need:

  • The ZenML gcp integration installed. If you haven't done so, run:

    zenml integration install gcp

  • A GCP Artifact Store where the build context will be uploaded, so Google Cloud Build can access it.

  • A GCP container registry where the built image will be pushed.

  • Optionally, the GCP project ID in which you want to run the build and a service account with the needed permissions to run the build. If not provided, then the project ID and credentials will be inferred from the environment.

  • Optionally, you can change:

    • The Docker image used by Google Cloud Build to execute the steps to build and push the Docker image. By default, the builder image will be 'gcr.io/cloud-builders/docker'.

    • The network to which the container used to build the ZenML pipeline Docker image will be attached. More information: Cloud build network.

    • The build timeout for the build, and for the blocking operation waiting for the build to finish. More information: Build Timeout.

We can register the image builder and use it in our active stack:

zenml image-builder register <IMAGE_BUILDER_NAME> \
    --flavor=gcp \
    --cloud_builder_image=<BUILDER_IMAGE_NAME> \
    --network=<DOCKER_NETWORK> \
    --build_timeout=<BUILD_TIMEOUT_IN_SECONDS>

# Register and activate a stack with the new image builder
zenml stack register <STACK_NAME> -i <IMAGE_BUILDER_NAME> ... --set

You also need to set up authentication required to access the Cloud Build GCP services.

Authentication Methods

Integrating and using a GCP Image Builder in your pipelines is not possible without employing some form of authentication. If you're looking for a quick way to get started locally, you can use the Local Authentication method. However, the recommended way to authenticate to the GCP cloud platform is through a GCP Service Connector. This is particularly useful if you are configuring ZenML stacks that combine the GCP Image Builder with other remote stack components also running in GCP.

The Local Authentication method uses the implicit GCP authentication available in the environment where the ZenML code is running. On your local machine, this is the quickest way to configure a GCP Image Builder. You don't need to supply credentials explicitly when you register the GCP Image Builder, as it leverages the local credentials and configuration that the Google Cloud CLI stores on your local machine. However, you will need to install and set up the Google Cloud CLI on your machine as a prerequisite, as covered in the Google Cloud documentation, before you register the GCP Image Builder.

Stacks using the GCP Image Builder set up with local authentication are not portable across environments. To make ZenML pipelines fully portable, it is recommended to use a GCP Service Connector to authenticate your GCP Image Builder to the GCP cloud platform.

Caveats

As described in this Google Cloud Build documentation page, Google Cloud Build uses containers to execute the build steps. These containers are automatically attached to a network called cloudbuild, which provides some Application Default Credentials (ADC) that allow the container to be authenticated and therefore use other GCP services.

By default, the GCP Image Builder executes the build command of the ZenML pipeline Docker image with the option --network=cloudbuild, so the ADC provided by the cloudbuild network can also be used in the build. This is useful if you want to install a private dependency from a GCP Artifact Registry, but you will also need to use a custom parent image with the keyrings.google-artifactregistry-auth package installed, so that pip can connect and authenticate to the private artifact registry to download the dependency.

FROM zenmldocker/zenml:latest

RUN pip install keyrings.google-artifactregistry-auth

The above Dockerfile uses zenmldocker/zenml:latest as a base image, but it is recommended to change the tag to specify the ZenML version and Python version, for example 0.33.0-py3.10.
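
A pre-build check for the custom parent image described above, as an added example (not ZenML's own code): it flags FROM references with a mutable or missing tag and confirms that the keyring package is installed with pip. The function names and the sample Dockerfile strings are assumptions made for this example.

```python
import re

KEYRING_PKG = "keyrings.google-artifactregistry-auth"  # package named on this page

def logical_lines(dockerfile):
    """Yield instructions with comments dropped and backslash continuations joined."""
    buf = ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""

def pin_problem(image):
    """Return why an image reference is not reproducibly pinned, or None."""
    if "$" in image:
        return "tag comes from a build ARG, cannot verify the pin"
    if "@sha256:" in image:
        return None  # digest-pinned
    tag = image.rsplit("/", 1)[-1].partition(":")[2]  # ignore registry host:port
    return "mutable or missing tag, pin a version" if tag in ("", "latest") else None

def check_parent_image(dockerfile):
    """Return a list of findings for a custom parent image; empty means OK."""
    findings, stages, has_keyring = [], set(), False
    for instr in logical_lines(dockerfile):
        word, _, rest = instr.partition(" ")
        if word.upper() == "FROM" and rest.strip():
            args = [a for a in rest.split() if not a.startswith("--")]  # drop --platform
            image = args[0]
            if image.lower() not in stages and image != "scratch":
                problem = pin_problem(image)
                findings += [f"{image}: {problem}"] if problem else []
            if len(args) >= 3 and args[1].upper() == "AS":
                stages.add(args[2].lower())  # later FROM <alias> is not a registry pull
        elif word.upper() == "RUN" and re.search(r"\bpip3?\s+install\b", rest):
            has_keyring = has_keyring or KEYRING_PKG in rest
    if not has_keyring:
        findings.append(f"{KEYRING_PKG} is never installed with pip")
    return findings

# Constructed inputs: the Dockerfile shown on this page, and a version-pinned variant.
PAGE_DOCKERFILE = "FROM zenmldocker/zenml:latest\n\nRUN pip install keyrings.google-artifactregistry-auth\n"
PINNED_DOCKERFILE = PAGE_DOCKERFILE.replace(":latest", ":0.33.0-py3.10")
if __name__ == "__main__":
    print(check_parent_image(PAGE_DOCKERFILE), check_parent_image(PINNED_DOCKERFILE))
```

Run it against the parent image Dockerfile before registering the stack; an empty list means the image reference is pinned and the keyring package is present.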
