moby/Dockerfile.e2e

ARG GO_VERSION=1.20.4

FROM golang:${GO_VERSION}-alpine AS base
ENV GO111MODULE=off
RUN apk --no-cache add \
    bash \
    build-base \
    curl \
    lvm2-dev \
    jq

RUN mkdir -p /build/
RUN mkdir -p /go/src/github.com/docker/docker/
WORKDIR /go/src/github.com/docker/docker/

FROM base AS frozen-images
# Get useful and necessary Hub images so we can "docker load" locally instead of pulling
COPY contrib/download-frozen-image-v2.sh /
RUN /download-frozen-image-v2.sh /build \
        busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
        busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
        debian:bullseye-slim@sha256:dacf278785a4daa9de07596ec739dbc07131e189942772210709c5c0777e8437 \
        hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 \
        arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1
# See also frozenImages in "testutil/environment/protect.go" (which needs to be updated when adding images to this list)

FROM base AS dockercli
COPY hack/dockerfile/install/install.sh ./install.sh
COPY hack/dockerfile/install/dockercli.installer ./
RUN PREFIX=/build ./install.sh dockercli

# TestDockerCLIBuildSuite dependency
FROM base AS contrib
COPY contrib/syscall-test           /build/syscall-test
COPY contrib/httpserver/Dockerfile  /build/httpserver/Dockerfile
COPY contrib/httpserver             contrib/httpserver
RUN CGO_ENABLED=0 go build -buildmode=pie -o /build/httpserver/httpserver github.com/docker/docker/contrib/httpserver

# Build the integration tests and copy the resulting binaries to /build/tests
FROM base AS builder

# Set tag and add sources
COPY . .
# Copy test sources tests that use assert can print errors
RUN mkdir -p /build${PWD} && find integration integration-cli -name \*_test.go -exec cp --parents '{}' /build${PWD} \;
# Build and install test binaries
ARG DOCKER_GITCOMMIT=undefined
RUN hack/make.sh build-integration-test-binary
RUN mkdir -p /build/tests && find . -name test.main -exec cp --parents '{}' /build/tests \;

## Generate testing image
FROM alpine:3.10 as runner

ENV DOCKER_REMOTE_DAEMON=1
ENV DOCKER_INTEGRATION_DAEMON_DEST=/
ENTRYPOINT ["/scripts/run.sh"]

# Add an unprivileged user to be used for tests which need it
RUN addgroup docker && adduser -D -G docker unprivilegeduser -s /bin/ash

# GNU tar is used for generating the emptyfs image
RUN apk --no-cache add \
    bash \
    ca-certificates \
    g++ \
    git \
    inetutils-ping \
    iptables \
    libcap2-bin \
    pigz \
    tar \
    xz

COPY hack/test/e2e-run.sh       /scripts/run.sh
COPY hack/make/.ensure-emptyfs  /scripts/ensure-emptyfs.sh

COPY integration/testdata       /tests/integration/testdata
COPY integration/build/testdata /tests/integration/build/testdata
COPY integration-cli/fixtures   /tests/integration-cli/fixtures

COPY --from=frozen-images /build/ /docker-frozen-images
COPY --from=dockercli     /build/ /usr/bin/
COPY --from=contrib       /build/ /tests/contrib/
COPY --from=builder       /build/ /
update go to go1.20.4 go1.20.4 (released 2023-05-02) includes three security fixes to the html/template package, as well as bug fixes to the compiler, the runtime, and the crypto/subtle, crypto/tls, net/http, and syscall packages. See the Go 1.20.4 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.20.4+label%3ACherryPickApproved release notes: https://go.dev/doc/devel/release#go1.20.4 full diff: https://github.com/golang/go/compare/go1.20.3...go1.20.4 from the announcement: > These minor releases include 3 security fixes following the security policy: > > - html/template: improper sanitization of CSS values > > Angle brackets (`<>`) were not considered dangerous characters when inserted > into CSS contexts. Templates containing multiple actions separated by a '/' > character could result in unexpectedly closing the CSS context and allowing > for injection of unexpected HMTL, if executed with untrusted input. > > Thanks to Juho Nurminen of Mattermost for reporting this issue. > > This is CVE-2023-24539 and Go issue https://go.dev/issue/59720. > > - html/template: improper handling of JavaScript whitespace > > Not all valid JavaScript whitespace characters were considered to be > whitespace. Templates containing whitespace characters outside of the character > set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain > actions may not be properly sanitized during execution. > > Thanks to Juho Nurminen of Mattermost for reporting this issue. > > This is CVE-2023-24540 and Go issue https://go.dev/issue/59721. > > - html/template: improper handling of empty HTML attributes > > Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") > executed with empty input could result in output that would have unexpected > results when parsed due to HTML normalization rules. This may allow injection > of arbitrary attributes into tags. > > Thanks to Juho Nurminen of Mattermost for reporting this issue. > > This is CVE-2023-29400 and Go issue https://go.dev/issue/59722. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2023-05-03 18:42:33 +00:00			`ARG GO_VERSION=1.20.4`
Dockerfile: use GO_VERSION build-arg for overriding Go version This allows overriding the version of Go without making modifications in the source code, which can be useful to test against multiple versions. For example: make GO_VERSION=1.13beta1 shell Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-07-17 11:59:16 +00:00
			`FROM golang:${GO_VERSION}-alpine AS base`
Dockerfile: set GO111MODULE=off Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-09-11 07:36:53 +00:00			`ENV GO111MODULE=off`
Dockerfile.e2e: simplify apk calls As of Alpine Linux 3.3 (or 3.2?) there exists a new --no-cache option for apk. It allows users to install packages with an index that is updated and used on-the-fly and not cached locally. This avoids the need to use --update and remove /var/cache/apk/* when done installing packages. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> 2018-10-03 00:57:42 +00:00			`RUN apk --no-cache add \`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00			`bash \`
			`build-base \`
			`curl \`
			`lvm2-dev \`
Dockerfile.e2e: simplify apk calls As of Alpine Linux 3.3 (or 3.2?) there exists a new --no-cache option for apk. It allows users to install packages with an index that is updated and used on-the-fly and not cached locally. This avoids the need to use --update and remove /var/cache/apk/* when done installing packages. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> 2018-10-03 00:57:42 +00:00			`jq`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00
Dockerfile.e2e: move frozen-images to a separate stage Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:15:03 +00:00			`RUN mkdir -p /build/`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00			`RUN mkdir -p /go/src/github.com/docker/docker/`
			`WORKDIR /go/src/github.com/docker/docker/`

Dockerfile.e2e: move frozen-images to a separate stage Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:15:03 +00:00			`FROM base AS frozen-images`
			`# Get useful and necessary Hub images so we can "docker load" locally instead of pulling`
			`COPY contrib/download-frozen-image-v2.sh /`
			`RUN /download-frozen-image-v2.sh /build \`
Dockerfile: frozen images: update to bullseye, remove buildpack-dep Update the frozen images to also be based on Debian bullseye. Using the "slim" variant (which looks to have all we're currently using), and remove the buildpack-dep frozen image. The buildpack-dep image is quite large, and it looks like we only use it to compile some C binaries, which should work fine on a regular debian image; docker build -t debian:bullseye-slim-gcc -<<EOF FROM debian:bullseye-slim RUN apt-get update && apt-get install -y gcc libc6-dev --no-install-recommends EOF docker image ls REPOSITORY TAG IMAGE ID CREATED SIZE debian bullseye-slim-gcc 1851750242af About a minute ago 255MB buildpack-deps bullseye fe8fece98de2 2 days ago 834MB Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2021-08-19 21:40:38 +00:00			`busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \`
			`busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \`
			`debian:bullseye-slim@sha256:dacf278785a4daa9de07596ec739dbc07131e189942772210709c5c0777e8437 \`
			`hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 \`
			`arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1`
Move use of debian:buster frozen image to debian:bullseye Signed-off-by: Eric Mountain <eric.mountain@datadoghq.com> 2020-12-16 13:53:49 +00:00			`# See also frozenImages in "testutil/environment/protect.go" (which needs to be updated when adding images to this list)`
Dockerfile.e2e: move frozen-images to a separate stage Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:15:03 +00:00
Dockerfile.e2e: move dockercli to a separate build-stage Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:24:33 +00:00			`FROM base AS dockercli`
			`COPY hack/dockerfile/install/install.sh ./install.sh`
Dockerfile.e2e: remove redundant INSTALL_BINARY_NAME It's only used in a single place, so may as well just hard-code it Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2022-07-02 15:00:34 +00:00			`COPY hack/dockerfile/install/dockercli.installer ./`
			`RUN PREFIX=/build ./install.sh dockercli`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00
ci(integration-cli): dynamically split tests in matrix Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com> 2022-06-16 20:47:36 +00:00			`# TestDockerCLIBuildSuite dependency`
Dockerfile.e2e: move "contrib" to a separate build-stage Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:26:10 +00:00			`FROM base AS contrib`
			`COPY contrib/syscall-test /build/syscall-test`
			`COPY contrib/httpserver/Dockerfile /build/httpserver/Dockerfile`
			`COPY contrib/httpserver contrib/httpserver`
			`RUN CGO_ENABLED=0 go build -buildmode=pie -o /build/httpserver/httpserver github.com/docker/docker/contrib/httpserver`

			`# Build the integration tests and copy the resulting binaries to /build/tests`
Dockerfile.e2e: move dockercli to a separate build-stage Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:24:33 +00:00			`FROM base AS builder`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00
Fixes for dnephin review Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-12 12:53:20 +00:00			`# Set tag and add sources`
Dockerfile.e2e: re-order steps for caching Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:20:24 +00:00			`COPY . .`
Dockerfile.e2e: copy test sources Package "gotest.tools/assert" uses source introspection to print more info in case of assertion failure. When source code is not available, it prints an error instead. In other words, before this commit: > --- SKIP: TestCgroupDriverSystemdMemoryLimit (0.00s) > cgroupdriver_systemd_test.go:32: failed to parse source file: /go/src/github.com/docker/docker/integration/system/cgroupdriver_systemd_test.go: open /go/src/github.com/docker/docker/integration/system/cgroupdriver_systemd_test.go: no such file or directory > cgroupdriver_systemd_test.go:32: and after: > --- SKIP: TestCgroupDriverSystemdMemoryLimit (0.09s) > cgroupdriver_systemd_test.go:32: !hasSystemd() This increases the resulting image size by about 2 MB on my system (from 758 to 760 MB). Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> 2019-04-27 04:38:55 +00:00			`# Copy test sources tests that use assert can print errors`
			`RUN mkdir -p /build${PWD} && find integration integration-cli -name \*_test.go -exec cp --parents '{}' /build${PWD} \;`
			`# Build and install test binaries`
Dockerfile.e2e: fix DOCKER_GITCOMMIT handling 1. There is no need to persist DOCKER_GITCOMMIT, as it's not needed for runtime, only for build. So, remove ENV. 2. In case $GITCOMMIT is not defined during build time (and it happens if .git directory is not present), we still need to have some value set, so set it to `undefined`. Otherwise we'll have something like > => ERROR [builder 2/3] RUN hack/make.sh build-integration-test-binary > ------ > > [builder 2/3] RUN hack/make.sh build-integration-test-binary: > #32 0.488 > #32 0.505 error: .git directory missing and DOCKER_GITCOMMIT not specified > #32 0.505 Please either build with the .git directory accessible, or specify the > #32 0.505 exact (--short) commit hash you are building using DOCKER_GITCOMMIT for > #32 0.505 future accountability in diagnosing build issues. Thanks! Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> 2019-04-30 07:22:22 +00:00			`ARG DOCKER_GITCOMMIT=undefined`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00			`RUN hack/make.sh build-integration-test-binary`
Dockerfile.e2e: copy test sources Package "gotest.tools/assert" uses source introspection to print more info in case of assertion failure. When source code is not available, it prints an error instead. In other words, before this commit: > --- SKIP: TestCgroupDriverSystemdMemoryLimit (0.00s) > cgroupdriver_systemd_test.go:32: failed to parse source file: /go/src/github.com/docker/docker/integration/system/cgroupdriver_systemd_test.go: open /go/src/github.com/docker/docker/integration/system/cgroupdriver_systemd_test.go: no such file or directory > cgroupdriver_systemd_test.go:32: and after: > --- SKIP: TestCgroupDriverSystemdMemoryLimit (0.09s) > cgroupdriver_systemd_test.go:32: !hasSystemd() This increases the resulting image size by about 2 MB on my system (from 758 to 760 MB). Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> 2019-04-27 04:38:55 +00:00			`RUN mkdir -p /build/tests && find . -name test.main -exec cp --parents '{}' /build/tests \;`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00
Dockerfile.e2e: move frozen-images to a separate stage Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:15:03 +00:00			`## Generate testing image`
Update to using alpine 3.10 Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com> 2019-06-23 17:39:20 +00:00			`FROM alpine:3.10 as runner`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00
Dockerfile.e2e: re-order steps for caching Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:20:24 +00:00			`ENV DOCKER_REMOTE_DAEMON=1`
			`ENV DOCKER_INTEGRATION_DAEMON_DEST=/`
			`ENTRYPOINT ["/scripts/run.sh"]`

			`# Add an unprivileged user to be used for tests which need it`
			`RUN addgroup docker && adduser -D -G docker unprivilegeduser -s /bin/ash`

Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00			`# GNU tar is used for generating the emptyfs image`
Dockerfile.e2e: simplify apk calls As of Alpine Linux 3.3 (or 3.2?) there exists a new --no-cache option for apk. It allows users to install packages with an index that is updated and used on-the-fly and not cached locally. This avoids the need to use --update and remove /var/cache/apk/* when done installing packages. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> 2018-10-03 00:57:42 +00:00			`RUN apk --no-cache add \`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00			`bash \`
			`ca-certificates \`
			`g++ \`
			`git \`
Dockerfile: update to debian bullseye Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2021-08-19 19:16:01 +00:00			`inetutils-ping \`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00			`iptables \`
Dockerfile: update to debian bullseye Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2021-08-19 19:16:01 +00:00			`libcap2-bin \`
Make image (layer) downloads faster by using pigz The Golang built-in gzip library is serialized, and fairly slow at decompressing. It also only decompresses on demand, versus pipelining decompression. This change switches to using the pigz external command for gzip decompression, as opposed to using the built-in golang one. This code is not vendored, but will be used if it autodetected as part of the OS. This also switches to using context, versus a manually managed channel to manage cancellations, and synchronization. There is a little bit of weirdness around manually having to cancel in the error cases. Signed-off-by: Sargun Dhillon <sargun@sargun.me> 2018-01-16 18:49:18 +00:00			`pigz \`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00			`tar \`
Dockerfile.e2e: simplify apk calls As of Alpine Linux 3.3 (or 3.2?) there exists a new --no-cache option for apk. It allows users to install packages with an index that is updated and used on-the-fly and not cached locally. This avoids the need to use --update and remove /var/cache/apk/* when done installing packages. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> 2018-10-03 00:57:42 +00:00			`xz`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00
Dockerfile.e2e: re-order steps for caching Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:20:24 +00:00			`COPY hack/test/e2e-run.sh /scripts/run.sh`
			`COPY hack/make/.ensure-emptyfs /scripts/ensure-emptyfs.sh`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00
Dockerfile.e2e fix TestBuildPreserveOwnership The Dockerfile missed some fixtures, which caused this test fail when running from this image. I also noticed some other fixtures missing in integration-cli, where the image had symlinks to some certificates, but the original files were not included; ``` \|-- integration-cli \|-- fixtures \| \|-- auth \| \| `-- docker-credential-shell-test \| \|-- credentialspecs \| \| `-- valid.json \| \|-- https \| \| \|-- ca.pem -> ../../../integration/testdata/https/ca.pem \| \| \|-- client-cert.pem -> ../../../integration/testdata/https/client-cert.pem \| \| \|-- client-key.pem -> ../../../integration/testdata/https/client-key.pem \| \| \|-- client-rogue-cert.pem \| \| \|-- client-rogue-key.pem \| \| \|-- server-cert.pem -> ../../../integration/testdata/https/server-cert.pem \| \| \|-- server-key.pem -> ../../../integration/testdata/https/server-key.pem \| \| \|-- server-rogue-cert.pem \| \| `-- server-rogue-key.pem ``` Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:02:22 +00:00			`COPY integration/testdata /tests/integration/testdata`
			`COPY integration/build/testdata /tests/integration/build/testdata`
			`COPY integration-cli/fixtures /tests/integration-cli/fixtures`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00
Dockerfile.e2e: move frozen-images to a separate stage Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:15:03 +00:00			`COPY --from=frozen-images /build/ /docker-frozen-images`
Dockerfile.e2e: move dockercli to a separate build-stage Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:24:33 +00:00			`COPY --from=dockercli /build/ /usr/bin/`
Dockerfile.e2e: move "contrib" to a separate build-stage Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:26:10 +00:00			`COPY --from=contrib /build/ /tests/contrib/`
Dockerfile.e2e: copy test sources Package "gotest.tools/assert" uses source introspection to print more info in case of assertion failure. When source code is not available, it prints an error instead. In other words, before this commit: > --- SKIP: TestCgroupDriverSystemdMemoryLimit (0.00s) > cgroupdriver_systemd_test.go:32: failed to parse source file: /go/src/github.com/docker/docker/integration/system/cgroupdriver_systemd_test.go: open /go/src/github.com/docker/docker/integration/system/cgroupdriver_systemd_test.go: no such file or directory > cgroupdriver_systemd_test.go:32: and after: > --- SKIP: TestCgroupDriverSystemdMemoryLimit (0.09s) > cgroupdriver_systemd_test.go:32: !hasSystemd() This increases the resulting image size by about 2 MB on my system (from 758 to 760 MB). Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> 2019-04-27 04:38:55 +00:00			`COPY --from=builder /build/ /`