Building container images

Continuous Delivery will be discontinued in the following regions on 12 February 2027: au-syd, ca-mon, ca-tor, eu-es, jp-osa, us-east. Code Risk Analyzer and DevOps Insights will also be deprecated in all regions on that date. However, if a region has no active usage of these features, the features in that region may be discontinued earlier and stop accepting new instances.

You can use either Classic pipelines or Tekton pipelines to build container images.

Classic pipelines

You can use Classic pipelines to build container images by using the Container Registry job type. This job type provides context to access the IBM Cloud® Container Registry, and uses the Buildkit command from the job's build script. Several of the toolchain templates use this script to build container images.

The cr build command is deprecated. To migrate your existing build container image job from the cr build command to the Buildkit command, edit your stage properties and select your build container image job. Replace the line that sources build_image.sh with source <(curl -sSL "https://raw.githubusercontent.com/open-toolchain/commons/master/scripts/build_image_buildkit.sh"). When you switch to this script, you must provide a new IBM_CLOUD_API_KEY secret environment variable for the corresponding stage. This API key must have access to the namespace in which the image is built. If the IBM_CLOUD_API_KEY secret environment variable is not provided, 401 errors appear in the logs.
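
The migration line above sources whatever the master branch serves at build time. The following is an added example, not IBM's or the open-toolchain project's code: it downloads the script to a file, checks its SHA-256 against a value you recorded after reviewing it, and fails early when IBM_CLOUD_API_KEY is missing. The function names are hypothetical, and <COMMIT_SHA> and <SHA256_OF_REVIEWED_SCRIPT> are placeholders, not values from this page.

```bash
# Added example: verify the build script before sourcing it.
# Function names are hypothetical; they are not part of the commons scripts.

# Return 0 only if the file's SHA-256 equals the expected hex digest.
verify_sha256() {
  local file="$1" expected="$2" actual
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  actual="$(sha256sum "$file" | awk '{print $1}')"
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch for $file: got $actual" >&2
    return 1
  fi
}

# Fail before the build starts, instead of with 401 errors in the logs,
# when the stage's secret environment variable is missing.
require_api_key() {
  if [ -z "${IBM_CLOUD_API_KEY:-}" ]; then
    echo "IBM_CLOUD_API_KEY is not set for this stage" >&2
    return 1
  fi
}

# Download to a temporary file, verify it, then source it.
# Nothing from the download is executed when the fetch or the digest check fails.
source_verified() {
  local url="$1" expected="$2" tmp rc=0
  require_api_key || return 1
  tmp="$(mktemp)" || return 1
  if curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url" \
      && verify_sha256 "$tmp" "$expected"; then
    . "$tmp" || rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Usage in the job's build script (placeholders, fill in after review):
# source_verified \
#   "https://raw.githubusercontent.com/open-toolchain/commons/<COMMIT_SHA>/scripts/build_image_buildkit.sh" \
#   "<SHA256_OF_REVIEWED_SCRIPT>"
```

Pinning the URL to a commit keeps the digest stable between runs; when you move to a newer commit, review the script again and update both values together.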

Tekton pipelines

The Continuous Delivery service includes several Tekton tasks that you can reference within your pipelines to build container images. These tasks are stored in the Open Toolchain Tekton Catalog:

  • icr-containerize: Builds and pushes an image to the IBM Cloud® Container Registry. This task depends on Buildkit to build the container image.

  • icr-execute-in-dind: Runs Docker commands, such as build and inspect, against a Docker engine that is running as a sidecar container. Then, it pushes the resulting image to the IBM Cloud® Container Registry.

  • icr-execute-in-dind-cluster: Runs Docker commands, such as build and inspect, against a Docker engine that is running in a Kubernetes cluster. If a Docker DinD isn't available on the build cluster, a new one is deployed. Then, it pushes the resulting image to the IBM Cloud® Container Registry.

The cr build command is deprecated. If you use this command, or reference it from the icr-cr-build task, you can migrate to the icr-containerize, icr-execute-in-dind, or icr-execute-in-dind-cluster Tekton tasks to build container images.