Google Cloud Image Builder
Building container images with Google Cloud Build
Last updated
Was this helpful?
Building container images with Google Cloud Build
Last updated
Was this helpful?
The Google Cloud image builder is an flavor provided by the ZenML gcp integration that uses to build container images.
You should use the Google Cloud image builder if:
you're unable to install or use on your client machine.
you're already using GCP.
your stack is mainly composed of other Google Cloud components such as the or the .
In order to use the ZenML Google Cloud image builder you need to enable Google Cloud Build relevant APIs on the Google Cloud project.
To use the Google Cloud image builder, we need:
The ZenML gcp integration installed. If you haven't done so, run:
A where the build context will be uploaded, so Google Cloud Build can access it.
A where the built image will be pushed.
Optionally, the GCP project ID in which you want to run the build and a service account with the needed permissions to run the build. If not provided, then the project ID and credentials will be inferred from the environment.
Optionally, you can change:
the Docker image used by Google Cloud Build to execute the steps to build and push the Docker image. By default, the builder image will be 'gcr.io/cloud-builders/docker'.
The network to which the container used to build the ZenML pipeline Docker image will be attached. More information: .
The build timeout for the build, and for the blocking operation waiting for the build to finish. More information: .
We can register the image builder and use it in our active stack:
The above Dockerfile uses zenmldocker/zenml:latest as a base image, but is recommended to change the tag to specify the ZenML version and Python version like 0.33.0-py3.10.
You also need to set up required to access the Cloud Build GCP services.
Integrating and using a GCP Image Builder in your pipelines is not possible without employing some form of authentication. If you're looking for a quick way to get started locally, you can use the Local Authentication method. However, the recommended way to authenticate to the GCP cloud platform is through . This is particularly useful if you are configuring ZenML stacks that combine the GCP Image Builder with other remote stack components also running in GCP.
This method uses the implicit GCP authentication available in the environment where the ZenML code is running. On your local machine, this is the quickest way to configure a GCP Image Builder. You don't need to supply credentials explicitly when you register the GCP Image Builder, as it leverages the local credentials and configuration that the Google Cloud CLI stores on your local machine. However, you will need to install and set up the Google Cloud CLI on your machine as a prerequisite, as covered in , before you register the GCP Image Builder.
Stacks using the GCP Image Builder set up with local authentication are not portable across environments. To make ZenML pipelines fully portable, it is recommended to use to authenticate your GCP Image Builder to the GCP cloud platform.
To set up the GCP Image Builder to authenticate to GCP and access the GCP Cloud Build services, it is recommended to leverage the many features provided by such as auto-configuration, best security practices regarding long-lived credentials and reusing the same credentials across multiple stack components.
A non-interactive CLI example that leverages on your local machine to auto-configure a GCP Service Connector for the GCP Cloud Build service:
Note: Please remember to grant the entity associated with your GCP credentials permissions to access the Cloud Build API and to run Cloud Builder jobs (e.g. the ). The GCP Service Connector supports with different levels of security and convenience. You should pick the one that best fits your use case.
When you register the GCP Image Builder, you can , save it to a local file and then reference it in the Image Builder configuration.
For this method, you need to , and grant it privileges to access the Cloud Build API and to run Cloud Builder jobs (e.g. the .
As described in this , Google Cloud Build uses containers to execute the build steps which are automatically attached to a network called cloudbuild that provides some Application Default Credentials (ADC), that allow the container to be authenticated and therefore use other GCP services.
By default, the GCP Image Builder is executing the build command of the ZenML Pipeline Docker image with the option --network=cloudbuild, so the ADC provided by the cloudbuild network can also be used in the build. This is useful if you want to install a private dependency from a GCP Artifact Registry, but you will also need to use a with the installed, so pip can connect and authenticate in the private artifact registry to download the dependency.
