# syntax=docker/dockerfile:1
update go to go1.20.5
go1.20.5 (released 2023-06-06) includes four security fixes to the cmd/go and
runtime packages, as well as bug fixes to the compiler, the go command, the
runtime, and the crypto/rsa, net, and os packages. See the Go 1.20.5 milestone
on our issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.20.5+label%3ACherryPickApproved
full diff: https://github.com/golang/go/compare/go1.20.4...go1.20.5
These minor releases include 3 security fixes following the security policy:
- cmd/go: cgo code injection
The go command may generate unexpected code at build time when using cgo. This
may result in unexpected behavior when running a go program which uses cgo.
This may occur when running an untrusted module which contains directories with
newline characters in their names. Modules which are retrieved using the go command,
i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e.
GO111MODULE=off, may be affected).
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.
- runtime: unexpected behavior of setuid/setgid binaries
The Go runtime didn't act any differently when a binary had the setuid/setgid
bit set. On Unix platforms, if a setuid/setgid binary was executed with standard
I/O file descriptors closed, opening any files could result in unexpected
content being read/written with elevated privileges. Similarly if a setuid/setgid
program was terminated, either via panic or signal, it could leak the contents
of its registers.
Thanks to Vincent Dehors from Synacktiv for reporting this issue.
This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.
- cmd/go: improper sanitization of LDFLAGS
The go command may execute arbitrary code at build time when using cgo. This may
occur when running "go get" on a malicious module, or when running any other
command which builds untrusted code. This can be triggered by linker flags,
specified via a "#cgo LDFLAGS" directive.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
# ---- global build arguments ----
# These are declared before the first FROM, so a stage that needs one of them
# must redeclare it with a bare `ARG <name>` (as the stages below do).
# Image references built from these values are pinned by tag, not by digest.

# Go toolchain version and Debian release that make up the golang base image.
ARG GO_VERSION=1.20.5
ARG BASE_DEBIAN_DISTRO="bullseye"
ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"

# Tag of the tonistiigi/xx cross-compilation helper image.
ARG XX_VERSION=1.2.1

ARG VPNKIT_VERSION=0.5.0

# Repository and version passed to the dockercli stage.
ARG DOCKERCLI_REPOSITORY="https://github.com/docker/cli.git"
ARG DOCKERCLI_VERSION=v24.0.2
# cli version used for integration-cli tests
ARG DOCKERCLI_INTEGRATION_REPOSITORY="https://github.com/docker/cli.git"
ARG DOCKERCLI_INTEGRATION_VERSION=v17.06.2-ce
ARG BUILDX_VERSION=0.11.0
ARG COMPOSE_VERSION=v2.20.0

ARG SYSTEMD="false"
# Kept as a build argument (not ENV) so it applies to apt during the build only.
ARG DEBIAN_FRONTEND=noninteractive
# "1" selects static builds in the containerd, runc and rootlesskit stages.
ARG DOCKER_STATIC=1
# cross compilation helper
# Always taken for the build platform. The image is selected by tag
# (XX_VERSION); its whole root filesystem is later copied into the base stage.
FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
# dummy stage to make sure the image is built for deps that don't support some
# architectures
# NOTE(review): busybox is referenced without a tag or digest, so the image
# resolved here can differ between builds. It only contributes an empty
# /build directory to binary-dummy.
FROM --platform=$BUILDPLATFORM busybox AS build-dummy
RUN mkdir -p /build

# Placeholder result for platforms on which a component is not built: it holds
# nothing but the empty /build directory.
FROM scratch AS binary-dummy
COPY --from=build-dummy /build /build
# base
# Common parent of the build stages: the Go image for the build platform with
# the xx helper image's root filesystem copied over it.
FROM --platform=$BUILDPLATFORM ${GOLANG_IMAGE} AS base
COPY --from=xx / /

# Tell apt to keep downloaded packages; later stages mount /var/cache/apt as a
# build cache.
RUN echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache

# Optional Debian mirror. When APT_MIRROR is set, the Debian host names in
# sources.list are rewritten to it. `|| true` keeps the step successful when
# the argument is empty; it also hides a failing sed.
# NOTE(review): the value becomes the package source for every later apt-get
# call, so it should only ever name a trusted mirror.
ARG APT_MIRROR
RUN test -n "$APT_MIRROR" && sed -ri "s/(httpredir|deb|security).debian.org/${APT_MIRROR}/g" /etc/apt/sources.list || true

ARG DEBIAN_FRONTEND
RUN apt-get update && apt-get install --no-install-recommends -y file

# Stages that build with Go modules set GO111MODULE=on themselves.
ENV GO111MODULE=off
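# criu is installed from the openSUSE build service repository and the binary
# is copied to /build.
FROM base AS criu
ARG DEBIAN_FRONTEND
# The repository signing key is stored outside /etc/apt/trusted.gpg.d and bound
# to the criu source entry with signed-by, so it is trusted for this one
# repository only and cannot vouch for packages from the Debian archives.
# NOTE(review): the key is still fetched at build time without integrity
# pinning; `ADD --checksum=sha256:<digest-of-Release.key>` would fix the key to
# a reviewed copy.
ADD --chmod=0644 https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_11/Release.key /etc/apt/keyrings/criu.gpg.asc
RUN --mount=type=cache,sharing=locked,id=moby-criu-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-criu-aptcache,target=/var/cache/apt \
        echo 'deb [signed-by=/etc/apt/keyrings/criu.gpg.asc] https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_11/ /' > /etc/apt/sources.list.d/criu.list \
        && apt-get update \
        && apt-get install -y --no-install-recommends criu \
        && install -D /usr/sbin/criu /build/criu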
# registry
# Source stage: an empty git repository with the upstream remote configured.
# The fetch itself happens in the build step of the registry stage.
FROM base AS registry-src
WORKDIR /usr/src/registry
RUN git init . && git remote add origin "https://github.com/distribution/distribution.git"

FROM base AS registry
WORKDIR /go/src/github.com/docker/distribution

# REGISTRY_VERSION specifies the version of the registry to build and install
# from the https://github.com/docker/distribution repository. This version of
# the registry is used to test both schema 1 and schema 2 manifests. Generally,
# the version specified here should match a current release.
ARG REGISTRY_VERSION=v2.3.0

# REGISTRY_VERSION_SCHEMA1 specifies the version of the registry to build and
# install from the https://github.com/docker/distribution repository. This is
# an older (pre v2.3.0) version of the registry that only supports schema1
# manifests. This version of the registry is not working on arm64, so installation
# is skipped on that architecture.
ARG REGISTRY_VERSION_SCHEMA1=v2.1.0

ARG TARGETPLATFORM
# Both versions are selected by tag name; a tag can be moved upstream, unlike
# the full commit hash used for go-swagger.
# The schema1 build runs only for the platforms listed in the case pattern.
RUN --mount=from=registry-src,src=/usr/src/registry,rw \
    --mount=type=cache,target=/root/.cache/go-build,id=registry-build-$TARGETPLATFORM \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=tmpfs,target=/go/src <<EOT
  set -ex
  git fetch -q --depth 1 origin "${REGISTRY_VERSION}" +refs/tags/*:refs/tags/*
  git checkout -q FETCH_HEAD
  export GOPATH="/go/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH"
  CGO_ENABLED=0 xx-go build -o /build/registry-v2 -v ./cmd/registry
  xx-verify /build/registry-v2
  case $TARGETPLATFORM in
    linux/amd64|linux/arm/v7|linux/ppc64le|linux/s390x)
      git fetch -q --depth 1 origin "${REGISTRY_VERSION_SCHEMA1}" +refs/tags/*:refs/tags/*
      git checkout -q FETCH_HEAD
      CGO_ENABLED=0 xx-go build -o /build/registry-v2-schema1 -v ./cmd/registry
      xx-verify /build/registry-v2-schema1
      ;;
  esac
EOT
# go-swagger
FROM base AS swagger-src
WORKDIR /usr/src/swagger
# Currently uses a fork from https://github.com/kolyshkin/go-swagger/tree/golang-1.13-fix
# TODO: move to under moby/ or fix upstream go-swagger to work for us.
RUN git init . && git remote add origin "https://github.com/kolyshkin/go-swagger.git"

# GO_SWAGGER_COMMIT specifies the version of the go-swagger binary to build and
# install. Go-swagger is used in CI for validating swagger.yaml in hack/validate/swagger-gen
# The source is pinned to a full commit hash rather than a tag.
ARG GO_SWAGGER_COMMIT=c56166c036004ba7a3a321e5951ba472b9ae298c
RUN git fetch -q --depth 1 origin "${GO_SWAGGER_COMMIT}" && git checkout -q FETCH_HEAD

# Build stage: compiles ./cmd/swagger from the checkout above and checks the
# resulting binary with xx-verify.
FROM base AS swagger
WORKDIR /go/src/github.com/go-swagger/go-swagger
ARG TARGETPLATFORM
RUN --mount=from=swagger-src,src=/usr/src/swagger,rw \
    --mount=type=cache,target=/root/.cache/go-build,id=swagger-build-$TARGETPLATFORM \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=tmpfs,target=/go/src/ <<EOT
  set -e
  xx-go build -o /build/swagger ./cmd/swagger
  xx-verify /build/swagger
EOT
# frozen-images
# See also frozenImages in "testutil/environment/protect.go" (which needs to
# be updated when adding images to this list)
FROM debian:${BASE_DEBIAN_DISTRO} AS frozen-images
ARG DEBIAN_FRONTEND
# Tools needed by the download script's stage; apt state lives in cache mounts.
RUN --mount=type=cache,sharing=locked,id=moby-frozen-images-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-frozen-images-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            ca-certificates \
            curl \
            jq

# Get useful and necessary Hub images so we can "docker load" locally instead of pulling
COPY contrib/download-frozen-image-v2.sh /
ARG TARGETARCH
ARG TARGETVARIANT
# Every image is named as tag@sha256 digest, so the content that gets
# downloaded is fixed even where the tag is "latest".
RUN /download-frozen-image-v2.sh /build \
        busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
        busybox:glibc@sha256:1f81263701cddf6402afe9f33fca0266d9fff379e59b1748f33d3072da71ee85 \
        debian:bullseye-slim@sha256:dacf278785a4daa9de07596ec739dbc07131e189942772210709c5c0777e8437 \
        hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 \
        arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1
# delve
FROM base AS delve-src
WORKDIR /usr/src/delve
RUN git init . && git remote add origin "https://github.com/go-delve/delve.git"

# DELVE_VERSION specifies the version of the Delve debugger binary
# from the https://github.com/go-delve/delve repository.
# It can be used to run Docker with a possibility of
# attaching debugger to it.
# The version is fetched by tag name.
ARG DELVE_VERSION=v1.20.1
RUN git fetch -q --depth 1 origin "${DELVE_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

# Build stage: module mode is switched on for this build only, because the
# base stage sets GO111MODULE=off.
FROM base AS delve-build
WORKDIR /usr/src/delve
ARG TARGETPLATFORM
RUN --mount=from=delve-src,src=/usr/src/delve,rw \
    --mount=type=cache,target=/root/.cache/go-build,id=delve-build-$TARGETPLATFORM \
    --mount=type=cache,target=/go/pkg/mod <<EOT
  set -e
  GO111MODULE=on xx-go build -o /build/dlv ./cmd/dlv
  xx-verify /build/dlv
EOT

# delve is currently only supported on linux/amd64 and linux/arm64;
# https://github.com/go-delve/delve/blob/v1.8.1/pkg/proc/native/support_sentinel.go#L1-L6
# Every other target resolves to the empty binary-dummy stage; the final
# "delve" stage is picked through TARGETOS and TARGETARCH.
FROM binary-dummy AS delve-windows
FROM binary-dummy AS delve-linux-arm
FROM binary-dummy AS delve-linux-ppc64le
FROM binary-dummy AS delve-linux-s390x
FROM delve-build AS delve-linux-amd64
FROM delve-build AS delve-linux-arm64
FROM delve-linux-${TARGETARCH} AS delve-linux
FROM delve-${TARGETOS} AS delve
validate/toml: switch to github.com/pelletier/go-toml
The github.com/BurntSushi/toml project is no longer maintained,
and containerd is switching to this project instead, so start
moving our code as well.
This patch only changes the binary used during validation (tbh,
we could probably remove this validation step, but leaving that
for now).
I manually verified that the hack/verify/toml still works by adding a commit
that makes the MAINTAINERS file invalid;
diff --git a/MAINTAINERS b/MAINTAINERS
index b739e7e20c..81ababd8de 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -23,7 +23,7 @@
# a subsystem, they are responsible for doing so and holding the
# subsystem maintainers accountable. If ownership is unclear, they are the de facto owners.
- people = [
+ people =
"akihirosuda",
"anusha",
"coolljt0725",
Running `hack/verify/toml` was able to detect the broken format;
hack/validate/toml
(27, 4): keys cannot contain , character
These files are not valid TOML:
- MAINTAINERS
Please reformat the above files as valid TOML
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
FROM base AS tomll
# GOTOML_VERSION specifies the version of the tomll binary to build and install
# from the https://github.com/pelletier/go-toml repository. This binary is used
# in CI in the hack/validate/toml script.
#
# When updating this version, consider updating the github.com/pelletier/go-toml
# dependency in vendor.mod accordingly.
ARG GOTOML_VERSION=v1.8.1
# Installed in module mode at the pinned version; running the binary with
# --help afterwards makes the step fail if the install produced nothing usable.
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        GOBIN=/build/ GO111MODULE=on go install "github.com/pelletier/go-toml/cmd/tomll@${GOTOML_VERSION}" \
        && /build/tomll --help
FROM base AS gowinres
# GOWINRES_VERSION defines go-winres tool version
ARG GOWINRES_VERSION=v0.3.0
# Same pattern as the other Go tool stages: install the pinned version into
# /build, then run the binary once as a smoke check.
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        GOBIN=/build/ GO111MODULE=on go install "github.com/tc-hib/go-winres@${GOWINRES_VERSION}" \
        && /build/go-winres --help
# containerd
FROM base AS containerd-src
WORKDIR /usr/src/containerd
RUN git init . && git remote add origin "https://github.com/containerd/containerd.git"

# CONTAINERD_VERSION is used to build containerd binaries, and used for the
# integration tests. The distributed docker .deb and .rpm packages depend on a
# separate (containerd.io) package, which may be a different version as is
# specified here. The containerd golang package is also pinned in vendor.mod.
# When updating the binary version you may also need to update the vendor
# version to pick up bug fixes or new APIs, however, usually the Go packages
# are built from a commit from the master branch.
# The version is fetched by tag name.
ARG CONTAINERD_VERSION=v1.7.1
RUN git fetch -q --depth 1 origin "${CONTAINERD_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

FROM base AS containerd-build
WORKDIR /go/src/github.com/containerd/containerd
ARG DEBIAN_FRONTEND
ARG TARGETPLATFORM
# C toolchain and development libraries, installed through xx-apt-get.
RUN --mount=type=cache,sharing=locked,id=moby-containerd-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-containerd-aptcache,target=/var/cache/apt \
        apt-get update && xx-apt-get install -y --no-install-recommends \
            gcc libbtrfs-dev libsecret-1-dev

ARG DOCKER_STATIC
# DOCKER_STATIC=1 disables cgo, passes STATIC=1 to make and lets xx-verify
# require static binaries; any other value builds with cgo enabled.
RUN --mount=from=containerd-src,src=/usr/src/containerd,rw \
    --mount=type=cache,target=/root/.cache/go-build,id=containerd-build-$TARGETPLATFORM <<EOT
  set -e
  export CC=$(xx-info)-gcc
  export CGO_ENABLED=$([ "$DOCKER_STATIC" = "1" ] && echo "0" || echo "1")
  xx-go --wrap
  make $([ "$DOCKER_STATIC" = "1" ] && echo "STATIC=1") binaries
  xx-verify $([ "$DOCKER_STATIC" = "1" ] && echo "--static") bin/containerd
  xx-verify $([ "$DOCKER_STATIC" = "1" ] && echo "--static") bin/containerd-shim-runc-v2
  xx-verify $([ "$DOCKER_STATIC" = "1" ] && echo "--static") bin/ctr
  mkdir /build
  mv bin/containerd bin/containerd-shim-runc-v2 bin/ctr /build
EOT

# Linux targets get the real build; Windows resolves to the empty dummy stage.
FROM containerd-build AS containerd-linux
FROM binary-dummy AS containerd-windows
FROM containerd-${TARGETOS} AS containerd
# golangci-lint, installed in module mode at the pinned version into /build.
FROM base AS golangci_lint
ARG GOLANGCI_LINT_VERSION=v1.51.2
# Printing the version afterwards fails the step if the binary cannot run.
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        GOBIN=/build/ GO111MODULE=on go install "github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}" \
        && /build/golangci-lint --version
# gotestsum, installed in module mode at the pinned version into /build.
FROM base AS gotestsum
ARG GOTESTSUM_VERSION=v1.8.2
# Printing the version afterwards fails the step if the binary cannot run.
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        GOBIN=/build/ GO111MODULE=on go install "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" \
        && /build/gotestsum --version
# shfmt, installed in module mode at the pinned version into /build.
FROM base AS shfmt
ARG SHFMT_VERSION=v3.6.0
# Printing the version afterwards fails the step if the binary cannot run.
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        GOBIN=/build/ GO111MODULE=on go install "mvdan.cc/sh/v3/cmd/shfmt@${SHFMT_VERSION}" \
        && /build/shfmt --version
# docker CLI, produced by hack/dockerfile/cli.sh from the repository and
# version given in the global build arguments.
FROM base AS dockercli
WORKDIR /go/src/github.com/docker/cli
COPY hack/dockerfile/cli.sh /download-or-build-cli.sh
# Redeclared here because the defaults are set before the first FROM.
ARG DOCKERCLI_REPOSITORY
ARG DOCKERCLI_VERSION
ARG TARGETPLATFORM
Dockerfile: make cli stages more resilient against unclean termination
The Dockerfile in this repository performs many stages in parallel. If any of
those stages fails to build (which could be due to networking congestion),
other stages are also (forcibly?) terminated, which can cause an unclean
shutdown.
In some cases, this can cause `git` to be terminated, leaving a `.lock` file
behind in the cache mount. Retrying the build now will fail, and the only
workaround is to clean the build-cache (which causes many stages to be
built again, potentially triggering the problem again).
> [dockercli-integration 3/3] RUN --mount=type=cache,id=dockercli-integration-git-linux/arm64/v8,target=./.git --mount=type=cache,target=/root/.cache/go-build,id=dockercli-integration-build-linux/arm64/v8 /download-or-build-cli.sh v17.06.2-ce https://github.com/docker/cli.git /build:
#0 1.575 fatal: Unable to create '/go/src/github.com/docker/cli/.git/shallow.lock': File exists.
#0 1.575
#0 1.575 Another git process seems to be running in this repository, e.g.
#0 1.575 an editor opened by 'git commit'. Please make sure all processes
#0 1.575 are terminated then try again. If it still fails, a git process
#0 1.575 may have crashed in this repository earlier:
#0 1.575 remove the file manually to continue.
This patch:
- Updates the Dockerfile to remove `.lock` files (`shallow.lock`, `index.lock`)
that may have been left behind from previous builds. I put this code in the
Dockerfile itself (not the script), as the script may be used in other
situations outside of the Dockerfile (for which we cannot guarantee no other
git session is active).
- Adds a `docker --version` step to the stage; this is mostly to verify the
build was successful (and to be consistent with other stages).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
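# The .git directory is a cache mount that survives across builds. A build that
# was terminated uncleanly can leave git lock files in it, so they are removed
# before the script runs; sharing=locked keeps concurrent builds from using the
# mount at the same time.
# The version and repository arguments are quoted so that each build argument
# reaches the script as exactly one parameter, whatever characters it contains.
# `docker --version` verifies that a runnable binary was produced.
RUN --mount=type=cache,id=dockercli-git-$TARGETPLATFORM,sharing=locked,target=./.git \
    --mount=type=cache,target=/root/.cache/go-build,id=dockercli-build-$TARGETPLATFORM \
        rm -f ./.git/*.lock \
        && /download-or-build-cli.sh "${DOCKERCLI_VERSION}" "${DOCKERCLI_REPOSITORY}" /build \
        && /build/docker --version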
# docker CLI used by the integration-cli tests; same script as the dockercli
# stage, driven by the DOCKERCLI_INTEGRATION_* build arguments.
FROM base AS dockercli-integration
WORKDIR /go/src/github.com/docker/cli
COPY hack/dockerfile/cli.sh /download-or-build-cli.sh
# Redeclared here because the defaults are set before the first FROM.
ARG DOCKERCLI_INTEGRATION_REPOSITORY
ARG DOCKERCLI_INTEGRATION_VERSION
ARG TARGETPLATFORM
Dockerfile: make cli stages more resilient against unclean termination
The Dockerfile in this repository performs many stages in parallel. If any of
those stages fails to build (which could be due to networking congestion),
other stages are also (forcibly?) terminated, which can cause an unclean
shutdown.
In some cases, this can cause `git` to be terminated, leaving a `.lock` file
behind in the cache mount. Retrying the build now will fail, and the only
workaround is to clean the build-cache (which causes many stages to be
built again, potentially triggering the problem again).
> [dockercli-integration 3/3] RUN --mount=type=cache,id=dockercli-integration-git-linux/arm64/v8,target=./.git --mount=type=cache,target=/root/.cache/go-build,id=dockercli-integration-build-linux/arm64/v8 /download-or-build-cli.sh v17.06.2-ce https://github.com/docker/cli.git /build:
#0 1.575 fatal: Unable to create '/go/src/github.com/docker/cli/.git/shallow.lock': File exists.
#0 1.575
#0 1.575 Another git process seems to be running in this repository, e.g.
#0 1.575 an editor opened by 'git commit'. Please make sure all processes
#0 1.575 are terminated then try again. If it still fails, a git process
#0 1.575 may have crashed in this repository earlier:
#0 1.575 remove the file manually to continue.
This patch:
- Updates the Dockerfile to remove `.lock` files (`shallow.lock`, `index.lock`)
that may have been left behind from previous builds. I put this code in the
Dockerfile itself (not the script), as the script may be used in other
situations outside of the Dockerfile (for which we cannot guarantee no other
git session is active).
- Adds a `docker --version` step to the stage; this is mostly to verify the
build was successful (and to be consistent with other stages).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
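# The .git directory is a cache mount that survives across builds. A build that
# was terminated uncleanly can leave git lock files in it, so they are removed
# before the script runs; sharing=locked keeps concurrent builds from using the
# mount at the same time.
# The version and repository arguments are quoted so that each build argument
# reaches the script as exactly one parameter, whatever characters it contains.
# `docker --version` verifies that a runnable binary was produced.
RUN --mount=type=cache,id=dockercli-integration-git-$TARGETPLATFORM,sharing=locked,target=./.git \
    --mount=type=cache,target=/root/.cache/go-build,id=dockercli-integration-build-$TARGETPLATFORM \
        rm -f ./.git/*.lock \
        && /download-or-build-cli.sh "${DOCKERCLI_INTEGRATION_VERSION}" "${DOCKERCLI_INTEGRATION_REPOSITORY}" /build \
        && /build/docker --version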
# runc
FROM base AS runc-src
WORKDIR /usr/src/runc
RUN git init . && git remote add origin "https://github.com/opencontainers/runc.git"

# RUNC_VERSION should match the version that is used by the containerd version
# that is used. If you need to update runc, open a pull request in the containerd
# project first, and update both after that is merged. When updating RUNC_VERSION,
# consider updating runc in vendor.mod accordingly.
# The version is fetched by tag name.
ARG RUNC_VERSION=v1.1.7
RUN git fetch -q --depth 1 origin "${RUNC_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

FROM base AS runc-build
WORKDIR /go/src/github.com/opencontainers/runc
ARG DEBIAN_FRONTEND
ARG TARGETPLATFORM
# C toolchain and libseccomp headers, installed through xx-apt-get.
RUN --mount=type=cache,sharing=locked,id=moby-runc-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-runc-aptcache,target=/var/cache/apt \
        apt-get update && xx-apt-get install -y --no-install-recommends \
            dpkg-dev gcc libc6-dev libseccomp-dev

ARG DOCKER_STATIC
# cgo stays enabled in both modes; DOCKER_STATIC=1 selects the "static" make
# target and makes xx-verify require a static binary.
RUN --mount=from=runc-src,src=/usr/src/runc,rw \
    --mount=type=cache,target=/root/.cache/go-build,id=runc-build-$TARGETPLATFORM <<EOT
  set -e
  xx-go --wrap
  CGO_ENABLED=1 make "$([ "$DOCKER_STATIC" = "1" ] && echo "static" || echo "runc")"
  xx-verify $([ "$DOCKER_STATIC" = "1" ] && echo "--static") runc
  mkdir /build
  mv runc /build/
EOT

# Linux targets get the real build; Windows resolves to the empty dummy stage.
FROM runc-build AS runc-linux
FROM binary-dummy AS runc-windows
FROM runc-${TARGETOS} AS runc
# tini
FROM base AS tini-src
WORKDIR /usr/src/tini
RUN git init . && git remote add origin "https://github.com/krallin/tini.git"

# TINI_VERSION specifies the version of tini (docker-init) to build. This
# binary is used when starting containers with the `--init` option.
# The version is fetched by tag name.
ARG TINI_VERSION=v0.19.0
RUN git fetch -q --depth 1 origin "${TINI_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD

FROM base AS tini-build
WORKDIR /go/src/github.com/krallin/tini
ARG DEBIAN_FRONTEND
# cmake comes from plain apt-get; the compiler and libc headers in the next
# step come from xx-apt-get.
RUN --mount=type=cache,sharing=locked,id=moby-tini-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-tini-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends cmake

ARG TARGETPLATFORM
RUN --mount=type=cache,sharing=locked,id=moby-tini-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-tini-aptcache,target=/var/cache/apt \
        xx-apt-get install -y --no-install-recommends \
            gcc libc6-dev

# Always a static build; the result is installed under the name docker-init.
RUN --mount=from=tini-src,src=/usr/src/tini,rw \
    --mount=type=cache,target=/root/.cache/go-build,id=tini-build-$TARGETPLATFORM <<EOT
  set -e
  CC=$(xx-info)-gcc cmake .
  make tini-static
  xx-verify --static tini-static
  mkdir /build
  mv tini-static /build/docker-init
EOT

# Linux targets get the real build; Windows resolves to the empty dummy stage.
FROM tini-build AS tini-linux
FROM binary-dummy AS tini-windows
FROM tini-${TARGETOS} AS tini
# rootlesskit
|
|
|
|
FROM base AS rootlesskit-src
|
|
|
|
WORKDIR /usr/src/rootlesskit
|
|
|
|
RUN git init . && git remote add origin "https://github.com/rootless-containers/rootlesskit.git"
|
|
|
|
# When updating, also update rootlesskit commit in vendor.mod accordingly.
|
|
|
|
ARG ROOTLESSKIT_VERSION=v1.1.0
|
|
|
|
RUN git fetch -q --depth 1 origin "${ROOTLESSKIT_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD
|
|
|
|
|
|
|
|
# Compiles rootlesskit and rootlesskit-docker-proxy for the target platform.
FROM base AS rootlesskit-build
WORKDIR /go/src/github.com/rootless-containers/rootlesskit
ARG DEBIAN_FRONTEND
ARG TARGETPLATFORM
# Target-platform C toolchain; used when the build below runs with cgo enabled.
RUN --mount=type=cache,sharing=locked,id=moby-rootlesskit-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-rootlesskit-aptcache,target=/var/cache/apt \
        apt-get update && xx-apt-get install -y --no-install-recommends \
            gcc \
            libc6-dev
ENV GO111MODULE=on
ARG DOCKER_STATIC
# Build matrix, driven by DOCKER_STATIC:
#   "1"       -> CGO_ENABLED=0, empty -ldflags, xx-verify --static
#   otherwise -> CGO_ENABLED=1, -ldflags=-linkmode=external, plain xx-verify
# The sources come from the rootlesskit-src stage, mounted read-write for this
# step only; module and build caches are cache mounts.
RUN --mount=from=rootlesskit-src,src=/usr/src/rootlesskit,rw \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache/go-build,id=rootlesskit-build-${TARGETPLATFORM} <<EOT
  set -e
  export CGO_ENABLED=$([ "$DOCKER_STATIC" = "1" ] && echo "0" || echo "1")
  for bin in rootlesskit rootlesskit-docker-proxy; do
    xx-go build -o /build/${bin} -ldflags="$([ "$DOCKER_STATIC" != "1" ] && echo "-linkmode=external")" ./cmd/${bin}
    # Check the produced binary against the target platform (and static
    # linking when requested) before it is published.
    xx-verify $([ "$DOCKER_STATIC" = "1" ] && echo "--static") /build/${bin}
  done
EOT
# The rootless helper scripts are shipped next to the binaries.
COPY ./contrib/dockerd-rootless.sh /build/
COPY ./contrib/dockerd-rootless-setuptool.sh /build/
# Per-OS selection: the real build on Linux, the binary-dummy stage (defined
# outside this section) on Windows; "rootlesskit" follows TARGETOS.
FROM rootlesskit-build AS rootlesskit-linux
FROM binary-dummy AS rootlesskit-windows
FROM rootlesskit-${TARGETOS} AS rootlesskit
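# Builds crun from upstream sources and installs the binary into /build.
FROM base AS crun
# NOTE(review): this default is a tag name and the sources are cloned from
# upstream at build time; a moved tag would change the result without any
# change to this file. A full commit SHA would be an immutable pin.
ARG CRUN_VERSION=1.4.5
# Build dependencies for crun. The apt directories are locked cache mounts,
# so package lists and archives are not written into the layer.
RUN --mount=type=cache,sharing=locked,id=moby-crun-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-crun-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            autoconf \
            automake \
            build-essential \
            libcap-dev \
            libprotobuf-c-dev \
            libseccomp-dev \
            libsystemd-dev \
            libtool \
            libudev-dev \
            libyajl-dev \
            python3
# The clone and build tree live on a tmpfs mount, so they never land in an
# image layer. "make -j" is bounded to the CPU count: a bare -j puts no limit
# on parallel jobs and can exhaust memory on small builders.
RUN --mount=type=tmpfs,target=/tmp/crun-build \
    git clone https://github.com/containers/crun.git /tmp/crun-build && \
    cd /tmp/crun-build && \
    git checkout -q "${CRUN_VERSION}" && \
    ./autogen.sh && \
    ./configure --bindir=/build && \
    make -j "$(nproc)" install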
# vpnkit
# Platforms without a vpnkit image get an empty scratch stage, so the build
# does not fail when one of them is the target.
FROM scratch AS vpnkit-windows
FROM scratch AS vpnkit-linux-386
FROM scratch AS vpnkit-linux-arm
FROM scratch AS vpnkit-linux-ppc64le
FROM scratch AS vpnkit-linux-riscv64
FROM scratch AS vpnkit-linux-s390x
# NOTE(review): third-party image selected by ${VPNKIT_VERSION}, which is
# declared outside this section; confirm that value pins the image (ideally by
# digest), since its whole root filesystem is copied into later stages.
FROM djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit-linux-amd64
FROM djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit-linux-arm64
# Resolve by architecture first, then by OS.
FROM vpnkit-linux-${TARGETARCH} AS vpnkit-linux
FROM vpnkit-${TARGETOS} AS vpnkit
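# containerutility
# Source-only stage: fetches the requested commit into /usr/src/containerutil
# so the build stage can mount it.
FROM base AS containerutil-src
WORKDIR /usr/src/containerutil
RUN git init . \
 && git remote add origin "https://github.com/docker-archive/windows-container-utility.git"
# Pinned to a full commit SHA, which cannot be moved upstream the way a tag can.
ARG CONTAINERUTILITY_VERSION=aa1ba87e99b68e0113bd27ec26c60b88f9d4ccd9
# Shallow-fetch only the requested ref. The tag refspec is quoted so the shell
# can never glob-expand it against files in the working directory.
RUN git fetch -q --depth 1 origin "${CONTAINERUTILITY_VERSION}" '+refs/tags/*:refs/tags/*' \
 && git checkout -q FETCH_HEAD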
# Cross-compiles containerutility.exe and publishes it under /build.
FROM base AS containerutil-build
WORKDIR /usr/src/containerutil
ARG TARGETPLATFORM
# Target-platform C and C++ toolchain.
RUN xx-apt-get install -y --no-install-recommends \
        g++ \
        gcc \
        libc6-dev
# Sources come from the containerutil-src stage, mounted read-write for this
# step only.
RUN --mount=from=containerutil-src,src=/usr/src/containerutil,rw \
    --mount=type=cache,target=/root/.cache/go-build,id=containerutil-build-${TARGETPLATFORM} <<EOT
  set -e
  # xx-info prints the target triple; use the matching cross compilers.
  CC="$(xx-info)-gcc" CXX="$(xx-info)-g++" make
  # Fail the build unless the binary is statically linked for the target.
  xx-verify --static containerutility.exe
  mkdir /build
  mv containerutility.exe /build/
EOT
# Platform selection: Linux gets the binary-dummy stage (defined outside this
# section); the only Windows architecture with a stage here is amd64.
FROM binary-dummy AS containerutil-linux
FROM containerutil-build AS containerutil-windows-amd64
# Resolve by architecture first, then by OS.
FROM containerutil-windows-${TARGETARCH} AS containerutil-windows
FROM containerutil-${TARGETOS} AS containerutil
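# Prebuilt CLI plugin images. The tags come from BUILDX_VERSION and
# COMPOSE_VERSION, which are declared outside this section.
# "AS" is upper-case to match every other stage declaration in this file.
FROM docker/buildx-bin:${BUILDX_VERSION} AS buildx
FROM docker/compose-bin:${COMPOSE_VERSION} AS compose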
# Development image without systemd: collects the tool and runtime binaries
# produced by the other stages and wraps commands in hack/dind.
FROM base AS dev-systemd-false

# Test fixtures and developer tooling.
COPY --link --from=frozen-images /build/ /docker-frozen-images
COPY --link --from=swagger       /build/ /usr/local/bin/
COPY --link --from=delve         /build/ /usr/local/bin/
COPY --link --from=tomll         /build/ /usr/local/bin/
COPY --link --from=gowinres      /build/ /usr/local/bin/
COPY --link --from=tini          /build/ /usr/local/bin/
COPY --link --from=registry      /build/ /usr/local/bin/

# Skip the CRIU stage for now, as the opensuse package repository is sometimes
# unstable, and we're currently not using it in CI.
#
# FIXME(thaJeztah): re-enable this stage when https://github.com/moby/moby/issues/38963 is resolved (see https://github.com/moby/moby/pull/38984)
# COPY --link --from=criu /build/ /usr/local/bin/
COPY --link --from=gotestsum     /build/ /usr/local/bin/
COPY --link --from=golangci_lint /build/ /usr/local/bin/
COPY --link --from=shfmt         /build/ /usr/local/bin/

# Runtime components.
COPY --link --from=runc          /build/ /usr/local/bin/
COPY --link --from=containerd    /build/ /usr/local/bin/
COPY --link --from=rootlesskit   /build/ /usr/local/bin/
# vpnkit is copied from the image root rather than from /build/.
COPY --link --from=vpnkit        /       /usr/local/bin/
COPY --link --from=containerutil /build/ /usr/local/bin/
COPY --link --from=crun          /build/ /usr/local/bin/
COPY --link hack/dockerfile/etc/docker/ /etc/docker/

# CLI plugins. NOTE(review): buildx is placed under /usr/local/libexec and
# compose under /usr/libexec; confirm the different prefixes are intended.
COPY --link --from=buildx  /buildx         /usr/local/libexec/docker/cli-plugins/docker-buildx
COPY --link --from=compose /docker-compose /usr/libexec/docker/cli-plugins/docker-compose

ENV PATH=/usr/local/cli:$PATH
ENV TEST_CLIENT_BINARY=/usr/local/cli-integration/docker
ENV CONTAINERD_ADDRESS=/run/docker/containerd/containerd.sock \
    CONTAINERD_NAMESPACE=moby

WORKDIR /go/src/github.com/docker/docker
# Daemon state directories for the root and the unprivileged-user daemon.
VOLUME /var/lib/docker
VOLUME /home/unprivilegeduser/.local/share/docker

# Wrap all commands in the "docker-in-docker" script to allow nested containers.
# The path is relative, so it is resolved against WORKDIR and needs the source
# tree to be present there.
# NOTE(review): nested containers generally need an elevated (privileged)
# container; how the dev container is started is not visible here.
ENTRYPOINT ["hack/dind"]
# Same development image with systemd and dbus installed; the entrypoint is
# switched to the systemd-aware wrapper.
FROM dev-systemd-false AS dev-systemd-true
RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            dbus \
            dbus-user-session \
            systemd \
            systemd-sysv
# Relative path: resolved against the inherited WORKDIR.
ENTRYPOINT ["hack/dind-systemd"]
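# Common development environment, layered on the systemd or non-systemd
# variant chosen by SYSTEMD.
FROM dev-systemd-${SYSTEMD} AS dev-base
ARG DEBIAN_FRONTEND
RUN groupadd -r docker
# Non-root account with a pre-created ~/.local/share/docker.
# NOTE(review): its primary group is "docker". Membership of that group
# normally grants access to the daemon socket, so "unprivileged" describes the
# uid only; confirm this is what the tests expect.
RUN useradd --create-home --gid docker unprivilegeduser \
 && mkdir -p /home/unprivilegeduser/.local/share/docker \
 && chown -R unprivilegeduser /home/unprivilegeduser
# Let us use a .bashrc file
# The link targets the source tree, so interactive shells read their startup
# file from whatever is mounted or copied at that path.
RUN ln -sfv /go/src/github.com/docker/docker/.bashrc ~/.bashrc
# Activate bash completion and include Docker's completion if mounted with DOCKER_BASH_COMPLETION_PATH
RUN echo "source /usr/share/bash-completion/bash_completion" >> /etc/bash.bashrc
RUN ln -s /usr/local/completion/bash/docker /etc/bash_completion.d/docker
RUN ldconfig
# Set dev environment as safe git directory to prevent "dubious ownership" errors
# when bind-mounting the source into the dev-container. See https://github.com/moby/moby/pull/44930
# The exception names this one path rather than "*", so git's ownership check
# still applies to every other repository in the container.
RUN git config --global --add safe.directory "$GOPATH/src/github.com/docker/docker"
# This should only install packages that are specifically needed for the dev environment and nothing else
# Do you really need to add another package here? Can it be done in a different build stage?
RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            apparmor \
            bash-completion \
            bzip2 \
            inetutils-ping \
            iproute2 \
            iptables \
            jq \
            libcap2-bin \
            libnet1 \
            libnl-3-200 \
            libprotobuf-c1 \
            libyajl2 \
            net-tools \
            patch \
            pigz \
            python3-pip \
            python3-setuptools \
            python3-wheel \
            sudo \
            systemd-journal-remote \
            thin-provisioning-tools \
            uidmap \
            vim \
            vim-common \
            xfsprogs \
            xz-utils \
            zip \
            zstd
# Switch to use iptables instead of nftables (to match the CI hosts)
# TODO use some kind of runtime auto-detection instead if/when nftables is supported (https://github.com/moby/moby/issues/26824)
# Each "|| true" keeps the step best-effort: a missing alternative does not
# fail the build.
RUN update-alternatives --set iptables  /usr/sbin/iptables-legacy  || true \
 && update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy || true \
 && update-alternatives --set arptables /usr/sbin/arptables-legacy || true
ARG YAMLLINT_VERSION=1.27.1
# --no-cache-dir keeps pip's download cache out of the image layer.
# NOTE(review): the version is pinned but no hash is checked; a hashed
# requirements file would also pin the artifact and its dependencies.
RUN pip3 install --no-cache-dir "yamllint==${YAMLLINT_VERSION}"
# Native headers and toolchain for building inside the dev container
# (package list sorted alphabetically).
RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install --no-install-recommends -y \
            dpkg-dev \
            gcc \
            libapparmor-dev \
            libdevmapper-dev \
            libseccomp-dev \
            libsecret-1-dev \
            libsystemd-dev \
            libudev-dev \
            pkg-config
# Docker CLI builds: /usr/local/cli is on PATH, and TEST_CLIENT_BINARY points
# into /usr/local/cli-integration (both set in the parent stage).
COPY --link --from=dockercli /build/ /usr/local/cli
COPY --link --from=dockercli-integration /build/ /usr/local/cli-integration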
# Builds dockerd and docker-proxy for the target platform and publishes them
# under /build.
FROM base AS build
COPY --from=gowinres /build/ /usr/local/bin/
WORKDIR /go/src/github.com/docker/docker
ENV GO111MODULE=off \
    CGO_ENABLED=1
ARG DEBIAN_FRONTEND
# Host-side compiler and linker.
RUN --mount=type=cache,sharing=locked,id=moby-build-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-build-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install --no-install-recommends -y \
            clang \
            lld \
            llvm
ARG TARGETPLATFORM
# Target-platform headers and libraries, installed through xx-apt-get.
RUN --mount=type=cache,sharing=locked,id=moby-build-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-build-aptcache,target=/var/cache/apt \
        xx-apt-get install --no-install-recommends -y \
            dpkg-dev \
            gcc \
            libapparmor-dev \
            libc6-dev \
            libdevmapper-dev \
            libseccomp-dev \
            libsecret-1-dev \
            libsystemd-dev \
            libudev-dev
# Build parameters; none has a default here except DOCKER_GITCOMMIT.
ARG DOCKER_BUILDTAGS
ARG DOCKER_DEBUG
ARG DOCKER_GITCOMMIT=HEAD
ARG DOCKER_LDFLAGS
ARG DOCKER_STATIC
ARG VERSION
ARG PLATFORM
ARG PRODUCT
ARG DEFAULT_PRODUCT_LICENSE
ARG PACKAGER_NAME
# PREFIX overrides the DEST dir in the make.sh script; otherwise the build
# fails because of the read-only mount in the current work dir.
ENV PREFIX=/tmp
RUN <<EOT
  # On bullseye, the arm64 target does not link with lld, so configure it to
  # use ld instead.
  if [ "$(xx-info arch)" = "arm64" ]; then
    XX_CC_PREFER_LINKER=ld xx-clang --setup-target-triple
  fi
EOT
# The build context is bind-mounted at the work dir for this step instead of
# being copied into a layer; the two winresources directories are tmpfs
# mounts. Output goes to /tmp/bundles (PREFIX) and is then moved to /build.
RUN --mount=type=bind,target=.,rw \
    --mount=type=tmpfs,target=cli/winresources/dockerd \
    --mount=type=tmpfs,target=cli/winresources/docker-proxy \
    --mount=type=cache,target=/root/.cache/go-build,id=moby-build-${TARGETPLATFORM} <<EOT
  set -e
  # DOCKER_STATIC=1 selects the "binary" make target, anything else "dynbinary".
  target=$([ "$DOCKER_STATIC" = "1" ] && echo "binary" || echo "dynbinary")
  xx-go --wrap
  PKG_CONFIG=$(xx-go env PKG_CONFIG) ./hack/make.sh $target
  # Check both binaries against the target platform (and static linking when
  # requested); Windows builds carry an .exe suffix.
  for bin in dockerd docker-proxy; do
    xx-verify $([ "$DOCKER_STATIC" = "1" ] && echo "--static") /tmp/bundles/${target}-daemon/${bin}$([ "$(xx-info os)" = "windows" ] && echo ".exe")
  done
  mkdir /build
  mv /tmp/bundles/${target}-daemon/* /build/
EOT
# Export stage holding only the daemon binaries from the build stage.
# usage:
# > docker buildx bake binary
# > DOCKER_STATIC=0 docker buildx bake binary
# or
# > make binary
# > make dynbinary
FROM scratch AS binary
COPY --from=build /build/ /
# Export stage bundling the daemon binaries with the runtime components built
# by the other stages.
# usage:
# > docker buildx bake all
FROM scratch AS all
COPY --link --from=tini          /build/ /
COPY --link --from=runc          /build/ /
COPY --link --from=containerd    /build/ /
COPY --link --from=rootlesskit   /build/ /
COPY --link --from=containerutil /build/ /
# vpnkit is copied from the image root rather than from /build/.
COPY --link --from=vpnkit        /       /
COPY --link --from=build         /build  /
# smoke tests
# usage:
# > docker buildx bake binary-smoketest
# The stage is instantiated for the target platform, so the freshly built
# binaries are executed here, not only inspected.
FROM --platform=$TARGETPLATFORM base AS smoketest
WORKDIR /usr/local/bin
COPY --from=build /build .
RUN <<EOT
  # -e stops at the first failing command, -x echoes each command to the log.
  set -ex
  file dockerd
  dockerd --version
  file docker-proxy
  docker-proxy --version
EOT
# Development image with the source tree copied in.
# usage:
# > make shell
# > SYSTEMD=true make shell
FROM dev-base AS dev
# Copies the whole build context into the inherited WORKDIR. Anything that
# .dockerignore does not exclude (VCS metadata, local configuration, credential
# files left in the checkout) ends up in an image layer.
COPY --link . .