Merge pull request #44123 from linux-on-ibm-z/20.10-CI
[20.10] Dockerfile: switch to bullseye, add missing libseccomp-dev, remove build pack
This commit is contained in:
commit
cc3aa33f54
12 changed files with 49 additions and 42 deletions
36
Dockerfile
36
Dockerfile
|
@ -1,4 +1,4 @@
|
|||
# syntax=docker/dockerfile:1.2
|
||||
# syntax=docker/dockerfile:1
|
||||
|
||||
ARG CROSS="false"
|
||||
ARG SYSTEMD="false"
|
||||
|
@ -8,7 +8,7 @@ ARG DEBIAN_FRONTEND=noninteractive
|
|||
ARG VPNKIT_VERSION=0.5.0
|
||||
ARG DOCKER_BUILDTAGS="apparmor seccomp"
|
||||
|
||||
ARG BASE_DEBIAN_DISTRO="buster"
|
||||
ARG BASE_DEBIAN_DISTRO="bullseye"
|
||||
ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
|
||||
|
||||
FROM ${GOLANG_IMAGE} AS base
|
||||
|
@ -31,7 +31,7 @@ RUN --mount=type=cache,sharing=locked,id=moby-criu-aptlib,target=/var/lib/apt \
|
|||
libprotobuf-dev \
|
||||
protobuf-c-compiler \
|
||||
protobuf-compiler \
|
||||
python-protobuf
|
||||
python3-protobuf
|
||||
|
||||
# Install CRIU for checkpoint/restore support
|
||||
ARG CRIU_VERSION=3.14
|
||||
|
@ -93,10 +93,9 @@ RUN --mount=type=cache,sharing=locked,id=moby-frozen-images-aptlib,target=/var/l
|
|||
COPY contrib/download-frozen-image-v2.sh /
|
||||
ARG TARGETARCH
|
||||
RUN /download-frozen-image-v2.sh /build \
|
||||
buildpack-deps:buster@sha256:d0abb4b1e5c664828b93e8b6ac84d10bce45ee469999bef88304be04a2709491 \
|
||||
busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
|
||||
busybox:glibc@sha256:1f81263701cddf6402afe9f33fca0266d9fff379e59b1748f33d3072da71ee85 \
|
||||
debian:bullseye@sha256:7190e972ab16aefea4d758ebe42a293f4e5c5be63595f4d03a5b9bf6839a4344 \
|
||||
debian:bullseye-slim@sha256:dacf278785a4daa9de07596ec739dbc07131e189942772210709c5c0777e8437 \
|
||||
hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 \
|
||||
arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1
|
||||
# See also frozenImages in "testutil/environment/protect.go" (which needs to be updated when adding images to this list)
|
||||
|
@ -108,18 +107,21 @@ ARG DEBIAN_FRONTEND
|
|||
RUN dpkg --add-architecture arm64
|
||||
RUN dpkg --add-architecture armel
|
||||
RUN dpkg --add-architecture armhf
|
||||
RUN dpkg --add-architecture ppc64el
|
||||
RUN dpkg --add-architecture s390x
|
||||
RUN --mount=type=cache,sharing=locked,id=moby-cross-true-aptlib,target=/var/lib/apt \
|
||||
--mount=type=cache,sharing=locked,id=moby-cross-true-aptcache,target=/var/cache/apt \
|
||||
apt-get update && apt-get install -y --no-install-recommends \
|
||||
crossbuild-essential-arm64 \
|
||||
crossbuild-essential-armel \
|
||||
crossbuild-essential-armhf
|
||||
crossbuild-essential-armhf \
|
||||
crossbuild-essential-ppc64el \
|
||||
crossbuild-essential-s390x
|
||||
|
||||
FROM cross-${CROSS} as dev-base
|
||||
|
||||
FROM dev-base AS runtime-dev-cross-false
|
||||
ARG DEBIAN_FRONTEND
|
||||
RUN echo 'deb http://deb.debian.org/debian buster-backports main' > /etc/apt/sources.list.d/backports.list
|
||||
RUN --mount=type=cache,sharing=locked,id=moby-cross-false-aptlib,target=/var/lib/apt \
|
||||
--mount=type=cache,sharing=locked,id=moby-cross-false-aptcache,target=/var/cache/apt \
|
||||
apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
@ -128,26 +130,27 @@ RUN --mount=type=cache,sharing=locked,id=moby-cross-false-aptlib,target=/var/lib
|
|||
libapparmor-dev \
|
||||
libbtrfs-dev \
|
||||
libdevmapper-dev \
|
||||
libseccomp-dev/buster-backports \
|
||||
libseccomp-dev \
|
||||
libsystemd-dev \
|
||||
libudev-dev
|
||||
|
||||
FROM --platform=linux/amd64 runtime-dev-cross-false AS runtime-dev-cross-true
|
||||
ARG DEBIAN_FRONTEND
|
||||
# These crossbuild packages rely on gcc-<arch>, but this doesn't want to install
|
||||
# on non-amd64 systems.
|
||||
# Additionally, the crossbuild-amd64 is currently only on debian:buster, so
|
||||
# other architectures cannnot crossbuild amd64.
|
||||
RUN echo 'deb http://deb.debian.org/debian buster-backports main' > /etc/apt/sources.list.d/backports.list
|
||||
# on non-amd64 systems, so other architectures cannot crossbuild amd64.
|
||||
RUN --mount=type=cache,sharing=locked,id=moby-cross-true-aptlib,target=/var/lib/apt \
|
||||
--mount=type=cache,sharing=locked,id=moby-cross-true-aptcache,target=/var/cache/apt \
|
||||
apt-get update && apt-get install -y --no-install-recommends \
|
||||
libapparmor-dev:arm64 \
|
||||
libapparmor-dev:armel \
|
||||
libapparmor-dev:armhf \
|
||||
libseccomp-dev:arm64/buster-backports \
|
||||
libseccomp-dev:armel/buster-backports \
|
||||
libseccomp-dev:armhf/buster-backports
|
||||
libapparmor-dev:ppc64el \
|
||||
libapparmor-dev:s390x \
|
||||
libseccomp-dev:arm64 \
|
||||
libseccomp-dev:armel \
|
||||
libseccomp-dev:armhf \
|
||||
libseccomp-dev:ppc64el \
|
||||
libseccomp-dev:s390x
|
||||
|
||||
FROM runtime-dev-cross-${CROSS} AS runtime-dev
|
||||
|
||||
|
@ -270,9 +273,10 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
|
|||
--mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
|
||||
apt-get update && apt-get install -y --no-install-recommends \
|
||||
apparmor \
|
||||
aufs-tools \
|
||||
bash-completion \
|
||||
bzip2 \
|
||||
inetutils-ping \
|
||||
iproute2 \
|
||||
iptables \
|
||||
jq \
|
||||
libcap2-bin \
|
||||
|
|
|
@ -18,10 +18,10 @@ FROM base AS frozen-images
|
|||
# Get useful and necessary Hub images so we can "docker load" locally instead of pulling
|
||||
COPY contrib/download-frozen-image-v2.sh /
|
||||
RUN /download-frozen-image-v2.sh /build \
|
||||
buildpack-deps:buster@sha256:d0abb4b1e5c664828b93e8b6ac84d10bce45ee469999bef88304be04a2709491 \
|
||||
busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
|
||||
busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
|
||||
busybox:glibc@sha256:1f81263701cddf6402afe9f33fca0266d9fff379e59b1748f33d3072da71ee85 \
|
||||
debian:bullseye@sha256:7190e972ab16aefea4d758ebe42a293f4e5c5be63595f4d03a5b9bf6839a4344 \
|
||||
debian:bullseye-slim@sha256:dacf278785a4daa9de07596ec739dbc07131e189942772210709c5c0777e8437 \
|
||||
hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9
|
||||
# See also frozenImages in "testutil/environment/protect.go" (which needs to be updated when adding images to this list)
|
||||
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
FROM buildpack-deps:buster
|
||||
FROM debian:bullseye-slim
|
||||
RUN apt-get update && apt-get install -y gcc libc6-dev --no-install-recommends
|
||||
|
||||
COPY . /usr/src/
|
||||
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
FROM buildpack-deps:buster
|
||||
FROM debian:bullseye-slim
|
||||
RUN apt-get update && apt-get install -y gcc libc6-dev --no-install-recommends
|
||||
|
||||
COPY . /usr/src/
|
||||
|
||||
|
|
|
@ -1788,7 +1788,7 @@ func (s *DockerDaemonSuite) TestDaemonNoSpaceLeftOnDeviceError(c *testing.T) {
|
|||
defer s.d.Stop(c)
|
||||
|
||||
// pull a repository large enough to overfill the mounted filesystem
|
||||
pullOut, err := s.d.Cmd("pull", "debian:bullseye")
|
||||
pullOut, err := s.d.Cmd("pull", "debian:bullseye-slim")
|
||||
assert.Assert(c, err != nil, pullOut)
|
||||
assert.Assert(c, strings.Contains(pullOut, "no space left on device"))
|
||||
}
|
||||
|
|
|
@ -1575,7 +1575,7 @@ func (s *DockerSuite) TestEmbeddedDNSInvalidInput(c *testing.T) {
|
|||
dockerCmd(c, "network", "create", "-d", "bridge", "nw1")
|
||||
|
||||
// Sending garbage to embedded DNS shouldn't crash the daemon
|
||||
dockerCmd(c, "run", "-i", "--net=nw1", "--name=c1", "debian:bullseye", "bash", "-c", "echo InvalidQuery > /dev/udp/127.0.0.11/53")
|
||||
dockerCmd(c, "run", "-i", "--net=nw1", "--name=c1", "debian:bullseye-slim", "bash", "-c", "echo InvalidQuery > /dev/udp/127.0.0.11/53")
|
||||
}
|
||||
|
||||
func (s *DockerSuite) TestDockerNetworkConnectFailsNoInspectChange(c *testing.T) {
|
||||
|
|
|
@ -2925,7 +2925,7 @@ func (s *DockerSuite) TestRunUnshareProc(c *testing.T) {
|
|||
|
||||
go func() {
|
||||
name := "acidburn"
|
||||
out, _, err := dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp=unconfined", "debian:bullseye", "unshare", "-p", "-m", "-f", "-r", "--mount-proc=/proc", "mount")
|
||||
out, _, err := dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp=unconfined", "debian:bullseye-slim", "unshare", "-p", "-m", "-f", "-r", "--mount-proc=/proc", "mount")
|
||||
if err == nil ||
|
||||
!(strings.Contains(strings.ToLower(out), "permission denied") ||
|
||||
strings.Contains(strings.ToLower(out), "operation not permitted")) {
|
||||
|
@ -2937,7 +2937,7 @@ func (s *DockerSuite) TestRunUnshareProc(c *testing.T) {
|
|||
|
||||
go func() {
|
||||
name := "cereal"
|
||||
out, _, err := dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp=unconfined", "debian:bullseye", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
|
||||
out, _, err := dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp=unconfined", "debian:bullseye-slim", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
|
||||
if err == nil ||
|
||||
!(strings.Contains(strings.ToLower(out), "mount: cannot mount none") ||
|
||||
strings.Contains(strings.ToLower(out), "permission denied") ||
|
||||
|
@ -2951,7 +2951,7 @@ func (s *DockerSuite) TestRunUnshareProc(c *testing.T) {
|
|||
/* Ensure still fails if running privileged with the default policy */
|
||||
go func() {
|
||||
name := "crashoverride"
|
||||
out, _, err := dockerCmdWithError("run", "--privileged", "--security-opt", "seccomp=unconfined", "--security-opt", "apparmor=docker-default", "--name", name, "debian:bullseye", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
|
||||
out, _, err := dockerCmdWithError("run", "--privileged", "--security-opt", "seccomp=unconfined", "--security-opt", "apparmor=docker-default", "--name", name, "debian:bullseye-slim", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
|
||||
if err == nil ||
|
||||
!(strings.Contains(strings.ToLower(out), "mount: cannot mount none") ||
|
||||
strings.Contains(strings.ToLower(out), "permission denied") ||
|
||||
|
|
|
@ -847,12 +847,12 @@ func (s *DockerSuite) TestRunTmpfsMountsWithOptions(c *testing.T) {
|
|||
assert.Assert(c, strings.Contains(out, option))
|
||||
}
|
||||
|
||||
// We use debian:bullseye as there is no findmnt in busybox. Also the output will be in the format of
|
||||
// We use debian:bullseye-slim as there is no findmnt in busybox. Also the output will be in the format of
|
||||
// TARGET PROPAGATION
|
||||
// /tmp shared
|
||||
// so we only capture `shared` here.
|
||||
expectedOptions = []string{"shared"}
|
||||
out, _ = dockerCmd(c, "run", "--tmpfs", "/tmp:shared", "debian:bullseye", "findmnt", "-o", "TARGET,PROPAGATION", "/tmp")
|
||||
out, _ = dockerCmd(c, "run", "--tmpfs", "/tmp:shared", "debian:bullseye-slim", "findmnt", "-o", "TARGET,PROPAGATION", "/tmp")
|
||||
for _, option := range expectedOptions {
|
||||
assert.Assert(c, strings.Contains(out, option))
|
||||
}
|
||||
|
@ -888,7 +888,7 @@ func (s *DockerSuite) TestRunSysctls(c *testing.T) {
|
|||
})
|
||||
}
|
||||
|
||||
// TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp=/tmp/profile.json debian:bullseye unshare' exits with operation not permitted.
|
||||
// TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp=/tmp/profile.json debian:bullseye-slim unshare' exits with operation not permitted.
|
||||
func (s *DockerSuite) TestRunSeccompProfileDenyUnshare(c *testing.T) {
|
||||
testRequires(c, testEnv.IsLocalDaemon, seccompEnabled, NotArm, Apparmor)
|
||||
jsonData := `{
|
||||
|
@ -911,7 +911,7 @@ func (s *DockerSuite) TestRunSeccompProfileDenyUnshare(c *testing.T) {
|
|||
}
|
||||
icmd.RunCommand(dockerBinary, "run", "--security-opt", "apparmor=unconfined",
|
||||
"--security-opt", "seccomp="+tmpFile.Name(),
|
||||
"debian:bullseye", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc").Assert(c, icmd.Expected{
|
||||
"debian:bullseye-slim", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc").Assert(c, icmd.Expected{
|
||||
ExitCode: 1,
|
||||
Err: "Operation not permitted",
|
||||
})
|
||||
|
@ -951,7 +951,7 @@ func (s *DockerSuite) TestRunSeccompProfileDenyChmod(c *testing.T) {
|
|||
})
|
||||
}
|
||||
|
||||
// TestRunSeccompProfileDenyUnshareUserns checks that 'docker run debian:bullseye unshare --map-root-user --user sh -c whoami' with a specific profile to
|
||||
// TestRunSeccompProfileDenyUnshareUserns checks that 'docker run debian:bullseye-slim unshare --map-root-user --user sh -c whoami' with a specific profile to
|
||||
// deny unshare of a userns exits with operation not permitted.
|
||||
func (s *DockerSuite) TestRunSeccompProfileDenyUnshareUserns(c *testing.T) {
|
||||
testRequires(c, testEnv.IsLocalDaemon, seccompEnabled, NotArm, Apparmor)
|
||||
|
@ -983,7 +983,7 @@ func (s *DockerSuite) TestRunSeccompProfileDenyUnshareUserns(c *testing.T) {
|
|||
}
|
||||
icmd.RunCommand(dockerBinary, "run",
|
||||
"--security-opt", "apparmor=unconfined", "--security-opt", "seccomp="+tmpFile.Name(),
|
||||
"debian:bullseye", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami").Assert(c, icmd.Expected{
|
||||
"debian:bullseye-slim", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami").Assert(c, icmd.Expected{
|
||||
ExitCode: 1,
|
||||
Err: "Operation not permitted",
|
||||
})
|
||||
|
@ -1035,12 +1035,12 @@ func (s *DockerSuite) TestRunSeccompProfileAllow32Bit(c *testing.T) {
|
|||
icmd.RunCommand(dockerBinary, "run", "syscall-test", "exit32-test").Assert(c, icmd.Success)
|
||||
}
|
||||
|
||||
// TestRunSeccompAllowSetrlimit checks that 'docker run debian:bullseye ulimit -v 1048510' succeeds.
|
||||
// TestRunSeccompAllowSetrlimit checks that 'docker run debian:bullseye-slim ulimit -v 1048510' succeeds.
|
||||
func (s *DockerSuite) TestRunSeccompAllowSetrlimit(c *testing.T) {
|
||||
testRequires(c, testEnv.IsLocalDaemon, seccompEnabled)
|
||||
|
||||
// ulimit uses setrlimit, so we want to make sure we don't break it
|
||||
icmd.RunCommand(dockerBinary, "run", "debian:bullseye", "bash", "-c", "ulimit -v 1048510").Assert(c, icmd.Success)
|
||||
icmd.RunCommand(dockerBinary, "run", "debian:bullseye-slim", "bash", "-c", "ulimit -v 1048510").Assert(c, icmd.Success)
|
||||
}
|
||||
|
||||
func (s *DockerSuite) TestRunSeccompDefaultProfileAcct(c *testing.T) {
|
||||
|
@ -1336,7 +1336,7 @@ func (s *DockerSuite) TestRunApparmorProcDirectory(c *testing.T) {
|
|||
func (s *DockerSuite) TestRunSeccompWithDefaultProfile(c *testing.T) {
|
||||
testRequires(c, testEnv.IsLocalDaemon, seccompEnabled)
|
||||
|
||||
out, _, err := dockerCmdWithError("run", "--security-opt", "seccomp=../profiles/seccomp/default.json", "debian:bullseye", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami")
|
||||
out, _, err := dockerCmdWithError("run", "--security-opt", "seccomp=../profiles/seccomp/default.json", "debian:bullseye-slim", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami")
|
||||
assert.ErrorContains(c, err, "", out)
|
||||
assert.Equal(c, strings.TrimSpace(out), "unshare: unshare failed: Operation not permitted")
|
||||
}
|
||||
|
|
|
@ -49,7 +49,7 @@ func ensureSyscallTest(c *testing.T) {
|
|||
|
||||
dockerFile := filepath.Join(tmp, "Dockerfile")
|
||||
content := []byte(`
|
||||
FROM debian:bullseye
|
||||
FROM debian:bullseye-slim
|
||||
COPY . /usr/bin/
|
||||
`)
|
||||
err = ioutil.WriteFile(dockerFile, content, 0600)
|
||||
|
@ -65,7 +65,7 @@ func ensureSyscallTest(c *testing.T) {
|
|||
}
|
||||
|
||||
func ensureSyscallTestBuild(c *testing.T) {
|
||||
err := load.FrozenImagesLinux(testEnv.APIClient(), "buildpack-deps:buster")
|
||||
err := load.FrozenImagesLinux(testEnv.APIClient(), "debian:bullseye-slim")
|
||||
assert.NilError(c, err)
|
||||
|
||||
var buildArgs []string
|
||||
|
@ -103,7 +103,7 @@ func ensureNNPTest(c *testing.T) {
|
|||
|
||||
dockerfile := filepath.Join(tmp, "Dockerfile")
|
||||
content := `
|
||||
FROM debian:bullseye
|
||||
FROM debian:bullseye-slim
|
||||
COPY . /usr/bin
|
||||
RUN chmod +s /usr/bin/nnp-test
|
||||
`
|
||||
|
@ -120,7 +120,7 @@ func ensureNNPTest(c *testing.T) {
|
|||
}
|
||||
|
||||
func ensureNNPTestBuild(c *testing.T) {
|
||||
err := load.FrozenImagesLinux(testEnv.APIClient(), "buildpack-deps:buster")
|
||||
err := load.FrozenImagesLinux(testEnv.APIClient(), "debian:bullseye-slim")
|
||||
assert.NilError(c, err)
|
||||
|
||||
var buildArgs []string
|
||||
|
|
|
@ -43,7 +43,7 @@ func TestBuildUserNamespaceValidateCapabilitiesAreV2(t *testing.T) {
|
|||
clientUserRemap := dUserRemap.NewClientT(t)
|
||||
defer clientUserRemap.Close()
|
||||
|
||||
err = load.FrozenImagesLinux(clientUserRemap, "debian:bullseye")
|
||||
err = load.FrozenImagesLinux(clientUserRemap, "debian:bullseye-slim")
|
||||
assert.NilError(t, err)
|
||||
|
||||
dUserRemapRunning := true
|
||||
|
@ -55,7 +55,8 @@ func TestBuildUserNamespaceValidateCapabilitiesAreV2(t *testing.T) {
|
|||
}()
|
||||
|
||||
dockerfile := `
|
||||
FROM debian:bullseye
|
||||
FROM debian:bullseye-slim
|
||||
RUN apt-get update && apt-get install -y libcap2-bin --no-install-recommends
|
||||
RUN setcap CAP_NET_BIND_SERVICE=+eip /bin/sleep
|
||||
`
|
||||
|
||||
|
|
|
@ -286,7 +286,7 @@ func TestTarUntarWithXattr(t *testing.T) {
|
|||
}
|
||||
out, err := exec.Command("getcap", filepath.Join(origin, "2")).CombinedOutput()
|
||||
assert.NilError(t, err, string(out))
|
||||
assert.Check(t, is.Contains(string(out), "= cap_block_suspend+ep"), "untar should have kept the 'security.capability' xattr")
|
||||
assert.Check(t, is.Contains(string(out), "cap_block_suspend=ep"), "untar should have kept the 'security.capability' xattr")
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -10,7 +10,7 @@ import (
|
|||
"gotest.tools/v3/assert"
|
||||
)
|
||||
|
||||
var frozenImages = []string{"busybox:latest", "busybox:glibc", "hello-world:frozen", "debian:bullseye"}
|
||||
var frozenImages = []string{"busybox:latest", "busybox:glibc", "hello-world:frozen", "debian:bullseye-slim"}
|
||||
|
||||
type protectedElements struct {
|
||||
containers map[string]struct{}
|
||||
|
|
Loading…
Reference in a new issue