moby/Dockerfile.simple

# docker build -t docker:simple -f Dockerfile.simple .
# docker run --rm docker:simple hack/make.sh dynbinary
# docker run --rm --privileged docker:simple hack/dind hack/make.sh test-unit
# docker run --rm --privileged -v /var/lib/docker docker:simple hack/dind hack/make.sh dynbinary test-integration

# This represents the bare minimum required to build and test Docker.

ARG GO_VERSION=1.21.5

ARG BASE_DEBIAN_DISTRO="bookworm"
ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"

FROM ${GOLANG_IMAGE}
ENV GO111MODULE=off
ENV GOTOOLCHAIN=local

# Compile and runtime deps
# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#runtime-dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \
		build-essential \
		curl \
		cmake \
		git \
		libapparmor-dev \
		libseccomp-dev \
		ca-certificates \
		e2fsprogs \
		iptables \
		pkg-config \
		pigz \
		procps \
		xfsprogs \
		xz-utils \
		\
		vim-common \
	&& rm -rf /var/lib/apt/lists/*

# Install runc, containerd, tini and docker-proxy
# Please edit hack/dockerfile/install/<name>.installer to update them.
COPY hack/dockerfile/install hack/dockerfile/install
RUN for i in runc containerd tini proxy dockercli; \
		do hack/dockerfile/install/install.sh $i; \
	done
ENV PATH=/usr/local/cli:$PATH

ENV AUTO_GOPATH 1
WORKDIR /usr/src/docker
COPY . /usr/src/docker
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-28 05:37:25 +00:00			`# docker build -t docker:simple -f Dockerfile.simple .`
			`# docker run --rm docker:simple hack/make.sh dynbinary`
Update Dockerfile.simple to include aufs-tools This also updates the comments at the top of the file to note that `-v /var/lib/docker` should be supplied for running `test-integration-cli` and that `hack/dind` is actually also required for `test-unit`. Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-03-10 00:24:49 +00:00			`# docker run --rm --privileged docker:simple hack/dind hack/make.sh test-unit`
Remove test-integration-cli and references to it. Signed-off-by: Daniel Nephin <dnephin@docker.com> 2017-06-17 00:18:44 +00:00			`# docker run --rm --privileged -v /var/lib/docker docker:simple hack/dind hack/make.sh dynbinary test-integration`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-28 05:37:25 +00:00
			`# This represents the bare minimum required to build and test Docker.`

update to go1.21.5 go1.21.5 (released 2023-12-05) includes security fixes to the go command, and the net/http and path/filepath packages, as well as bug fixes to the compiler, the go command, the runtime, and the crypto/rand, net, os, and syscall packages. See the Go 1.21.5 milestone on our issue tracker for details: - https://github.com/golang/go/issues?q=milestone%3AGo1.21.5+label%3ACherryPickApproved - full diff: https://github.com/golang/go/compare/go1.21.4...go1.21.5 from the security mailing: [security] Go 1.21.5 and Go 1.20.12 are released Hello gophers, We have just released Go versions 1.21.5 and 1.20.12, minor point releases. These minor releases include 3 security fixes following the security policy: - net/http: limit chunked data overhead A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small. Thanks to Bartek Nowotarski for reporting this issue. This is CVE-2023-39326 and Go issue https://go.dev/issue/64433. - cmd/go: go get may unexpectedly fallback to insecure git Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off). Thanks to David Leadbeater for reporting this issue. This is CVE-2023-45285 and Go issue https://go.dev/issue/63845. - path/filepath: retain trailing \ when cleaning paths like \\?\c:\ Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \\?\, resulting in filepath.Clean(\\?\c:\) returning \\?\c: rather than \\?\c:\ (among other effects). The previous behavior has been restored. This is an update to CVE-2023-45283 and Go issue https://go.dev/issue/64028. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2023-12-05 22:27:58 +00:00			`ARG GO_VERSION=1.21.5`
Dockerfile: use GO_VERSION build-arg for overriding Go version This allows overriding the version of Go without making modifications in the source code, which can be useful to test against multiple versions. For example: make GO_VERSION=1.13beta1 shell Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-07-17 11:59:16 +00:00
Dockerfile: update to Debian "bookworm" (current stable) Also switch yamllint to be installed from debian's packages, which are currently at v1.29.0. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2023-06-22 14:03:24 +00:00			`ARG BASE_DEBIAN_DISTRO="bookworm"`
Dockerfile: update to debian bullseye Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2021-08-19 19:16:01 +00:00			`ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"`

			`FROM ${GOLANG_IMAGE}`
Dockerfile: set GO111MODULE=off Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-09-11 07:36:53 +00:00			`ENV GO111MODULE=off`
Dockerfile: use GOTOOLCHAIN=local Related discussion in https://github.com/docker-library/golang/issues/472 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2023-09-22 14:58:14 +00:00			`ENV GOTOOLCHAIN=local`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-28 05:37:25 +00:00
Capitalizes the first letter in notes of dockerfile Signed-off-by: YuPengZTE <yu.peng36@zte.com.cn> 2016-09-22 02:15:18 +00:00			`# Compile and runtime deps`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-28 05:37:25 +00:00			`# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies`
			`# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#runtime-dependencies`
			`RUN apt-get update && apt-get install -y --no-install-recommends \`
Update Dockerfile.simple so that it can be successfuly built * build-essential is needed by `make` * libapparmor-dev is needed by runc * seccomp is needed by runc * Go is neeeded by runc Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2016-03-25 04:19:13 +00:00			`build-essential \`
Fail explicitly if curl is missing in contrib/download-frozen-image.sh Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-03-18 05:08:17 +00:00			`curl \`
Replace grimes with tini There is no reason to duplicate efforts and tini is well built and better than grimes. It is a much stronger option for the default init and @krallin has done a great job maintaining it and helping make changes so that it will work with Docker. Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2016-11-03 16:47:50 +00:00			`cmake \`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-28 05:37:25 +00:00			`git \`
Update Dockerfile.simple so that it can be successfuly built * build-essential is needed by `make` * libapparmor-dev is needed by runc * seccomp is needed by runc * Go is neeeded by runc Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2016-03-25 04:19:13 +00:00			`libapparmor-dev \`
Dockerfile: use seccomp provided by stretch Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2017-09-25 10:03:37 +00:00			`libseccomp-dev \`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-28 05:37:25 +00:00			`ca-certificates \`
			`e2fsprogs \`
			`iptables \`
Add required pkg-config for Dockerfile.simple This fix tries to address the issue raised in 35980 where pkg-config was missing and was causing Dockerfile.simple build to fail. ``` $ docker build -t docker:simple -f Dockerfile.simple . .......... CGO_ENABLED=1 go build -tags "seccomp apparmor selinux netgo cgo static_build" -installsuffix netgo -ldflags "-w -extldflags -static -X main.gitCommit="b2567b37d7b75eb4cf325b77297b140ea686ce8f" -X main.version=1.0.0-rc4+dev " -o runc . pkg-config: exec: "pkg-config": executable file not found in $PATH make: *** [static] Error 2 Makefile:42: recipe for target 'static' failed The command '/bin/sh -c /tmp/install-binaries.sh runc containerd tini proxy dockercli' returned a non-zero code: 2 ``` This fix fixes 35980. Signed-off-by: Yong Tang <yong.tang.github@outlook.com> 2018-01-11 18:02:08 +00:00			`pkg-config \`
Make image (layer) downloads faster by using pigz The Golang built-in gzip library is serialized, and fairly slow at decompressing. It also only decompresses on demand, versus pipelining decompression. This change switches to using the pigz external command for gzip decompression, as opposed to using the built-in golang one. This code is not vendored, but will be used if it autodetected as part of the OS. This also switches to using context, versus a manually managed channel to manage cancellations, and synchronization. There is a little bit of weirdness around manually having to cancel in the error cases. Signed-off-by: Sargun Dhillon <sargun@sargun.me> 2018-01-16 18:49:18 +00:00			`pigz \`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-28 05:37:25 +00:00			`procps \`
Include xfsprogs in build environment. devmapper uses xfs by default now. So include xfsprogs in build environment. Also update docs to reflect the new default. Signed-off-by: Anusha Ragunathan <anusha@docker.com> 2015-11-11 22:29:02 +00:00			`xfsprogs \`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-28 05:37:25 +00:00			`xz-utils \`
			`\`
Replace grimes with tini There is no reason to duplicate efforts and tini is well built and better than grimes. It is a much stronger option for the default init and @krallin has done a great job maintaining it and helping make changes so that it will work with Docker. Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2016-11-03 16:47:50 +00:00			`vim-common \`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-28 05:37:25 +00:00			`&& rm -rf /var/lib/apt/lists/*`

Replace grimes with tini There is no reason to duplicate efforts and tini is well built and better than grimes. It is a much stronger option for the default init and @krallin has done a great job maintaining it and helping make changes so that it will work with Docker. Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2016-11-03 16:47:50 +00:00			`# Install runc, containerd, tini and docker-proxy`
Split binary installers/commit scripts Originally I worked on this for the multi-stage build Dockerfile changes. Decided to split this out as we are still waiting for multi-stage to be available on CI and rebasing these is pretty annoying. Signed-off-by: Brian Goff <cpuguy83@gmail.com> 2018-02-16 18:51:30 +00:00			`# Please edit hack/dockerfile/install/<name>.installer to update them.`
			`COPY hack/dockerfile/install hack/dockerfile/install`
			`RUN for i in runc containerd tini proxy dockercli; \`
			`do hack/dockerfile/install/install.sh $i; \`
			`done`
Remove cmd/docker and other directories in cli/ in accordance with the new Moby project scope Starting with this commit, integration tests should no longer rely on the docker cli, they should be API tests instead. For the existing tests the scripts will use a frozen version of the docker cli with a DOCKER_API_VERSION frozen to 1.30, which should ensure that the CI remains green at all times. To help contributors develop and test manually with a modified docker cli, this commit also adds a DOCKER_CLI_PATH environment variable to the Makefile. This allows to set the path of a custom cli that will be available inside the development container and used to run the integration tests. Signed-off-by: Arnaud Porterie (icecrime) <arnaud.porterie@docker.com> Signed-off-by: Tibor Vass <tibor@docker.com> 2017-04-17 23:18:46 +00:00			`ENV PATH=/usr/local/cli:$PATH`
Add init process for zombie fighting This adds a small C binary for fighting zombies. It is mounted under `/dev/init` and is prepended to the args specified by the user. You enable it via a daemon flag, `dockerd --init`, as it is disable by default for backwards compat. You can also override the daemon option or specify this on a per container basis with `docker run --init=true\|false`. You can test this by running a process like this as the pid 1 in a container and see the extra zombie that appears in the container as it is running. ```c int main(int argc, char ** argv) { pid_t pid = fork(); if (pid == 0) { pid = fork(); if (pid == 0) { exit(0); } sleep(3); exit(0); } printf("got pid %d and exited\n", pid); sleep(20); } ``` Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2016-06-27 21:38:47 +00:00
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-28 05:37:25 +00:00			`ENV AUTO_GOPATH 1`
			`WORKDIR /usr/src/docker`
			`COPY . /usr/src/docker`