moby/Dockerfile.simple

# docker build -t docker:simple -f Dockerfile.simple .
# docker run --rm docker:simple hack/make.sh dynbinary
# docker run --rm --privileged docker:simple hack/dind hack/make.sh test-unit
# docker run --rm --privileged -v /var/lib/docker docker:simple hack/dind hack/make.sh dynbinary test-integration

# This represents the bare minimum required to build and test Docker.

ARG GO_VERSION=1.20.6

ARG BASE_DEBIAN_DISTRO="bullseye"
ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"

FROM ${GOLANG_IMAGE}
ENV GO111MODULE=off

# allow replacing debian mirror
ARG APT_MIRROR
RUN test -n "$APT_MIRROR" && sed -ri "s#(httpredir|deb|security).debian.org#${APT_MIRROR}#g" /etc/apt/sources.list || true

# Compile and runtime deps
# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#runtime-dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \
		build-essential \
		curl \
		cmake \
		git \
		libapparmor-dev \
		libdevmapper-dev \
		libseccomp-dev \
		ca-certificates \
		e2fsprogs \
		iptables \
		pkg-config \
		pigz \
		procps \
		xfsprogs \
		xz-utils \
		\
		vim-common \
	&& rm -rf /var/lib/apt/lists/*

# Install runc, containerd, tini and docker-proxy
# Please edit hack/dockerfile/install/<name>.installer to update them.
COPY hack/dockerfile/install hack/dockerfile/install
RUN for i in runc containerd tini proxy dockercli; \
		do hack/dockerfile/install/install.sh $i; \
	done
ENV PATH=/usr/local/cli:$PATH

ENV AUTO_GOPATH 1
WORKDIR /usr/src/docker
COPY . /usr/src/docker
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-28 05:37:25 +00:00			`# docker build -t docker:simple -f Dockerfile.simple .`
			`# docker run --rm docker:simple hack/make.sh dynbinary`
Update Dockerfile.simple to include aufs-tools This also updates the comments at the top of the file to note that `-v /var/lib/docker` should be supplied for running `test-integration-cli` and that `hack/dind` is actually also required for `test-unit`. Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-03-10 00:24:49 +00:00			`# docker run --rm --privileged docker:simple hack/dind hack/make.sh test-unit`
Remove test-integration-cli and references to it. Signed-off-by: Daniel Nephin <dnephin@docker.com> 2017-06-17 00:18:44 +00:00			`# docker run --rm --privileged -v /var/lib/docker docker:simple hack/dind hack/make.sh dynbinary test-integration`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-28 05:37:25 +00:00
			`# This represents the bare minimum required to build and test Docker.`

update go to go1.20.6 go1.20.6 (released 2023-07-11) includes a security fix to the net/http package, as well as bug fixes to the compiler, cgo, the cover tool, the go command, the runtime, and the crypto/ecdsa, go/build, go/printer, net/mail, and text/template packages. See the Go 1.20.6 milestone on our issue tracker for details. https://github.com/golang/go/issues?q=milestone%3AGo1.20.6+label%3ACherryPickApproved Full diff: https://github.com/golang/go/compare/go1.20.5...go1.20.6 These minor releases include 1 security fixes following the security policy: net/http: insufficient sanitization of Host header The HTTP/1 client did not fully validate the contents of the Host header. A maliciously crafted Host header could inject additional headers or entire requests. The HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value. Thanks to Bartek Nowotarski for reporting this issue. Includes security fixes for [CVE-2023-29406 ][1] and Go issue https://go.dev/issue/60374 [1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2023-07-12 12:30:01 +00:00			`ARG GO_VERSION=1.20.6`
Dockerfile: use GO_VERSION build-arg for overriding Go version This allows overriding the version of Go without making modifications in the source code, which can be useful to test against multiple versions. For example: make GO_VERSION=1.13beta1 shell Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-07-17 11:59:16 +00:00
Dockerfile: update to debian bullseye Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2021-08-19 19:16:01 +00:00			`ARG BASE_DEBIAN_DISTRO="bullseye"`
			`ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"`

			`FROM ${GOLANG_IMAGE}`
Dockerfile: set GO111MODULE=off Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-09-11 07:36:53 +00:00			`ENV GO111MODULE=off`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-28 05:37:25 +00:00
Dockerfile(.simple): align APT_MIRROR support Use a non-slash escape sequence to support mirrors with a path component, and do not unconditionally replace the mirror in Dockerfile.simple. Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com> 2023-07-17 15:49:31 +00:00			`# allow replacing debian mirror`
			`ARG APT_MIRROR`
			`RUN test -n "$APT_MIRROR" && sed -ri "s#(httpredir\|deb\|security).debian.org#${APT_MIRROR}#g" /etc/apt/sources.list \|\| true`
allow replacing httpredir or deb mirror in jessie Signed-off-by: Andrew Hsu <andrewhsu@docker.com> 2016-11-20 22:14:51 +00:00
Capitalizes the first letter in notes of dockerfile Signed-off-by: YuPengZTE <yu.peng36@zte.com.cn> 2016-09-22 02:15:18 +00:00			`# Compile and runtime deps`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-28 05:37:25 +00:00			`# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies`
			`# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#runtime-dependencies`
			`RUN apt-get update && apt-get install -y --no-install-recommends \`
Update Dockerfile.simple so that it can be successfuly built * build-essential is needed by `make` * libapparmor-dev is needed by runc * seccomp is needed by runc * Go is neeeded by runc Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2016-03-25 04:19:13 +00:00			`build-essential \`
Fail explicitly if curl is missing in contrib/download-frozen-image.sh Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-03-18 05:08:17 +00:00			`curl \`
Replace grimes with tini There is no reason to duplicate efforts and tini is well built and better than grimes. It is a much stronger option for the default init and @krallin has done a great job maintaining it and helping make changes so that it will work with Docker. Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2016-11-03 16:47:50 +00:00			`cmake \`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-28 05:37:25 +00:00			`git \`
Update Dockerfile.simple so that it can be successfuly built * build-essential is needed by `make` * libapparmor-dev is needed by runc * seccomp is needed by runc * Go is neeeded by runc Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2016-03-25 04:19:13 +00:00			`libapparmor-dev \`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-28 05:37:25 +00:00			`libdevmapper-dev \`
Dockerfile: use seccomp provided by stretch Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2017-09-25 10:03:37 +00:00			`libseccomp-dev \`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-28 05:37:25 +00:00			`ca-certificates \`
			`e2fsprogs \`
			`iptables \`
Add required pkg-config for Dockerfile.simple This fix tries to address the issue raised in 35980 where pkg-config was missing and was causing Dockerfile.simple build to fail. ``` $ docker build -t docker:simple -f Dockerfile.simple . .......... CGO_ENABLED=1 go build -tags "seccomp apparmor selinux netgo cgo static_build" -installsuffix netgo -ldflags "-w -extldflags -static -X main.gitCommit="b2567b37d7b75eb4cf325b77297b140ea686ce8f" -X main.version=1.0.0-rc4+dev " -o runc . pkg-config: exec: "pkg-config": executable file not found in $PATH make: *** [static] Error 2 Makefile:42: recipe for target 'static' failed The command '/bin/sh -c /tmp/install-binaries.sh runc containerd tini proxy dockercli' returned a non-zero code: 2 ``` This fix fixes 35980. Signed-off-by: Yong Tang <yong.tang.github@outlook.com> 2018-01-11 18:02:08 +00:00			`pkg-config \`
Make image (layer) downloads faster by using pigz The Golang built-in gzip library is serialized, and fairly slow at decompressing. It also only decompresses on demand, versus pipelining decompression. This change switches to using the pigz external command for gzip decompression, as opposed to using the built-in golang one. This code is not vendored, but will be used if it autodetected as part of the OS. This also switches to using context, versus a manually managed channel to manage cancellations, and synchronization. There is a little bit of weirdness around manually having to cancel in the error cases. Signed-off-by: Sargun Dhillon <sargun@sargun.me> 2018-01-16 18:49:18 +00:00			`pigz \`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-28 05:37:25 +00:00			`procps \`
Include xfsprogs in build environment. devmapper uses xfs by default now. So include xfsprogs in build environment. Also update docs to reflect the new default. Signed-off-by: Anusha Ragunathan <anusha@docker.com> 2015-11-11 22:29:02 +00:00			`xfsprogs \`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-28 05:37:25 +00:00			`xz-utils \`
			`\`
Replace grimes with tini There is no reason to duplicate efforts and tini is well built and better than grimes. It is a much stronger option for the default init and @krallin has done a great job maintaining it and helping make changes so that it will work with Docker. Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2016-11-03 16:47:50 +00:00			`vim-common \`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-28 05:37:25 +00:00			`&& rm -rf /var/lib/apt/lists/*`

Replace grimes with tini There is no reason to duplicate efforts and tini is well built and better than grimes. It is a much stronger option for the default init and @krallin has done a great job maintaining it and helping make changes so that it will work with Docker. Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2016-11-03 16:47:50 +00:00			`# Install runc, containerd, tini and docker-proxy`
Split binary installers/commit scripts Originally I worked on this for the multi-stage build Dockerfile changes. Decided to split this out as we are still waiting for multi-stage to be available on CI and rebasing these is pretty annoying. Signed-off-by: Brian Goff <cpuguy83@gmail.com> 2018-02-16 18:51:30 +00:00			`# Please edit hack/dockerfile/install/<name>.installer to update them.`
			`COPY hack/dockerfile/install hack/dockerfile/install`
			`RUN for i in runc containerd tini proxy dockercli; \`
			`do hack/dockerfile/install/install.sh $i; \`
			`done`
Remove cmd/docker and other directories in cli/ in accordance with the new Moby project scope Starting with this commit, integration tests should no longer rely on the docker cli, they should be API tests instead. For the existing tests the scripts will use a frozen version of the docker cli with a DOCKER_API_VERSION frozen to 1.30, which should ensure that the CI remains green at all times. To help contributors develop and test manually with a modified docker cli, this commit also adds a DOCKER_CLI_PATH environment variable to the Makefile. This allows to set the path of a custom cli that will be available inside the development container and used to run the integration tests. Signed-off-by: Arnaud Porterie (icecrime) <arnaud.porterie@docker.com> Signed-off-by: Tibor Vass <tibor@docker.com> 2017-04-17 23:18:46 +00:00			`ENV PATH=/usr/local/cli:$PATH`
Add init process for zombie fighting This adds a small C binary for fighting zombies. It is mounted under `/dev/init` and is prepended to the args specified by the user. You enable it via a daemon flag, `dockerd --init`, as it is disable by default for backwards compat. You can also override the daemon option or specify this on a per container basis with `docker run --init=true\|false`. You can test this by running a process like this as the pid 1 in a container and see the extra zombie that appears in the container as it is running. ```c int main(int argc, char ** argv) { pid_t pid = fork(); if (pid == 0) { pid = fork(); if (pid == 0) { exit(0); } sleep(3); exit(0); } printf("got pid %d and exited\n", pid); sleep(20); } ``` Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2016-06-27 21:38:47 +00:00
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-28 05:37:25 +00:00			`ENV AUTO_GOPATH 1`
			`WORKDIR /usr/src/docker`
			`COPY . /usr/src/docker`