# syntax=docker/dockerfile-upstream:master
# NOTE(review): the frontend is tracked at a moving "master" tag, so the
# Dockerfile grammar in use is not pinned; switch to a released
# docker/dockerfile:1.x tag once the features relied on here have shipped.
#
# Global build arguments (declared before the first FROM so they can be used
# in FROM lines; stages that need them redeclare them with a bare ARG).
#
# Debian package version string, consumed as `runc=${RUNC_VERSION}` by the
# apt install in buildkit-export.
ARG RUNC_VERSION=1.1.0-0ubuntu1~20.04.2
# git ref checked out in the containerd stage
ARG CONTAINERD_VERSION=v1.6.18
# containerd v1.5 for integration tests
ARG CONTAINERD_ALT_VERSION_15=v1.5.9
# tag of the registry image pulled for the integration-tests image
ARG REGISTRY_VERSION=2.8.0
# ARG ROOTLESSKIT_VERSION=v1.0.1
# Bare version (no "v"): it is interpolated into the Artifactory tarball name
# rootlesskit_${ROOTLESSKIT_VERSION}.orig.tar.gz, not used as a git tag.
ARG ROOTLESSKIT_VERSION=0.14.6
# release tags of the remaining tools fetched from GitHub
ARG CNI_VERSION=v1.1.1
ARG STARGZ_SNAPSHOTTER_VERSION=v0.13.0
ARG NERDCTL_VERSION=v1.0.0
ARG DNSNAME_VERSION=v1.3.1
ARG NYDUS_VERSION=v2.1.0
# tag of the per-arch ubuntu base images below
ARG UBUNTU_VERSION=20.04
# ubuntu base for buildkit image
# TODO: remove this when ubuntu image supports riscv64 again
# One explicitly-named per-arch image per supported TARGETARCH; the
# ubuntu-$TARGETARCH reference at the end picks the matching one at build
# time. NOTE(review): these bases are pinned by tag only, not by digest.
FROM amd64/ubuntu:${UBUNTU_VERSION} AS ubuntu-amd64
FROM arm32v7/ubuntu:${UBUNTU_VERSION} AS ubuntu-arm
FROM arm64v8/ubuntu:${UBUNTU_VERSION} AS ubuntu-arm64
FROM s390x/ubuntu:${UBUNTU_VERSION} AS ubuntu-s390x
FROM ppc64le/ubuntu:${UBUNTU_VERSION} AS ubuntu-ppc64le
FROM riscv64/ubuntu:${UBUNTU_VERSION} AS ubuntu-riscv64
FROM ubuntu-$TARGETARCH AS ubuntubase
# xx is a helper for cross-compilation
# Pulled for the build host platform; its root filesystem is copied into
# gobuild-base. Pinned by tag only, not by digest.
FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.2.1 AS xx
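# go base image
# use Ubuntu instead of Golang cause xx-apt only works in Debian sid
# and Golang is only based on stable versions of Debian
# https://github.com/tonistiigi/xx/blob/3d00d096c8bf894ec29bae5caa5aea81d9c187a5/base/xx-apt#L41
# And it can't be <jammy otherwise the Golang version will be too old
FROM --platform=$BUILDPLATFORM ubuntu:jammy AS golatest
# NOTE(review): GO_VERSION is declared but never referenced; the Go toolchain
# version is fixed by the pinned apt package below.
ARG GO_VERSION
# apt-get rather than apt: apt's CLI is not stable for scripted use.
# The package lists are deliberately kept (no rm -rf /var/lib/apt/lists/*):
# stages derived from this one (e.g. rootlesskit) install more packages
# without running update again.
RUN apt-get update && apt-get install -y golang=2:1.18~0ubuntu2 git wget make
ENV GOPATH="/go"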
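# git stage is used for checking out remote repository sources
FROM --platform=$BUILDPLATFORM ubuntu:${UBUNTU_VERSION} AS git
# ca-certificates is listed explicitly: --no-install-recommends would
# otherwise drop it, and the clones done from this stage are over https.
# Lists are removed in the same layer; nothing else is installed later.
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates git \
 && rm -rf /var/lib/apt/lists/*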
# gobuild is base stage for compiling go/cgo
FROM golatest AS gobuild-base
# xx-go / xx-apt / xx-verify helpers become available at this point
COPY --link --from=xx / /
# runc source
#FROM git AS runc-src
#ARG RUNC_VERSION
#WORKDIR /usr/src
#RUN git clone https://github.com/opencontainers/runc.git runc \
# && cd runc && git checkout -q "$RUNC_VERSION"
# build runc binary
#FROM gobuild-base AS runc
#WORKDIR $GOPATH/src/github.com/opencontainers/runc
#ARG TARGETPLATFORM
## gcc is only installed for libgcc
#RUN set -e; xx-apt install -y libseccomp-dev dpkg-dev gcc
#RUN --mount=from=runc-src,src=/usr/src/runc,target=. --mount=target=/root/.cache,type=cache \
# CGO_ENABLED=1 xx-go build -mod=vendor -ldflags '-extldflags -static' -tags 'apparmor seccomp netgo cgo static_build osusergo' -o /usr/bin/runc ./ && \
# xx-verify --static /usr/bin/runc
# dnsname CNI plugin for testing
FROM gobuild-base AS dnsname
ARG DNSNAME_VERSION
WORKDIR /go/dnsname
# Clone upstream into the work dir and pin to the requested ref.
RUN git clone https://github.com/containers/dnsname.git . && git checkout -q "$DNSNAME_VERSION"
# Build with the Go build cache mounted (not persisted in the layer) and
# install the binary where the cni-plugins stage copies it from.
RUN --mount=type=cache,target=/root/.cache \
    make binaries && mv bin/dnsname /usr/bin/dnsname
FROM gobuild-base AS buildkit-base
# /src is where the build context is bind-mounted (--mount=target=.) in the
# stages below; the source tree itself is never copied into a layer.
WORKDIR /src
# Go builds use the vendored dependencies only
ENV GOFLAGS=-mod=vendor
# scan the version/revision info
FROM buildkit-base AS buildkit-version
# TODO: PKG should be inferred from go modules
# Derives VERSION from `git describe` (nearest v* tag, ".m" suffix when the
# tree is dirty) and REVISION from HEAD (also ".m"-suffixed when dirty), then
# writes the -X ldflags to /tmp/.ldflags and the bare version to
# /tmp/.version. Both files are bind-mounted from this stage by buildctl,
# buildkitd and releaser. PKG is hard-coded to the fork's module path.
RUN --mount=target=. \
PKG=github.com/canonical/buildkit VERSION=$(git describe --match 'v[0-9]*' --dirty='.m' --always --tags) REVISION=$(git rev-parse HEAD)$(if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi); \
echo "-X ${PKG}/version.Version=${VERSION} -X ${PKG}/version.Revision=${REVISION} -X ${PKG}/version.Package=${PKG}" | tee /tmp/.ldflags; \
echo -n "${VERSION}" | tee /tmp/.version;
# build buildctl binary
FROM buildkit-base AS buildctl
ENV CGO_ENABLED=0
ARG TARGETPLATFORM
# Source tree, Go build cache and module cache are all mounts, so none of them
# end up in this stage's layers; ldflags come from the buildkit-version stage.
# xx-verify fails the build if the result is not a static binary.
RUN --mount=type=bind,target=. \
    --mount=type=cache,target=/root/.cache \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,from=buildkit-version,source=/tmp/.ldflags,target=/tmp/.ldflags \
    xx-go build -ldflags "$(cat /tmp/.ldflags)" -o /usr/bin/buildctl ./cmd/buildctl \
 && xx-verify --static /usr/bin/buildctl
# build buildkitd binary
FROM buildkit-base AS buildkitd
# BUILDKITD_TAGS defines additional Go build tags for compiling buildkitd
ARG BUILDKITD_TAGS
ARG TARGETPLATFORM
# Same mount layout as the buildctl stage. CGO is disabled per-command here
# (not via ENV) and the binary is linked fully static; xx-verify checks that.
RUN --mount=type=bind,target=. \
    --mount=type=cache,target=/root/.cache \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,from=buildkit-version,source=/tmp/.ldflags,target=/tmp/.ldflags \
    CGO_ENABLED=0 xx-go build -ldflags "$(cat /tmp/.ldflags) -extldflags '-static'" -tags "osusergo netgo static_build seccomp ${BUILDKITD_TAGS}" -o /usr/bin/buildkitd ./cmd/buildkitd \
 && xx-verify --static /usr/bin/buildkitd
FROM scratch AS binaries-linux-helper
# runc is not shipped from here in this fork; the final image gets it from
# the apt package installed in buildkit-export.
#COPY --link --from=runc /usr/bin/runc /buildkit-runc
# built from https://github.com/tonistiigi/binfmt/releases/tag/buildkit%2Fv7.1.0-30
# Pinned by digest (good): the emulator binaries are reproducible inputs.
COPY --link --from=tonistiigi/binfmt:buildkit-v7.1.0-30@sha256:45dd57b4ba2f24e2354f71f1e4e51f073cb7a28fd848ce6f5f2a7701142a6bf0 / /
FROM binaries-linux-helper AS binaries-linux
# Release payload for linux: the two static binaries on top of the emulators.
COPY --link --from=buildctl /usr/bin/buildctl /
COPY --link --from=buildkitd /usr/bin/buildkitd /
# FROM scratch AS binaries-darwin
# COPY --link --from=buildctl /usr/bin/buildctl /
# FROM scratch AS binaries-windows
# COPY --link --from=buildctl /usr/bin/buildctl /buildctl.exe
# Only binaries-linux exists in this fork (darwin/windows are commented out
# above), so TARGETOS other than linux fails to resolve here.
FROM binaries-$TARGETOS AS binaries
# enable scanning for this stage
ARG BUILDKIT_SBOM_SCAN_STAGE=true
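FROM --platform=$BUILDPLATFORM ubuntu:${UBUNTU_VERSION} AS releaser
# apt-get for scripting; no recommends needed for tar/gzip; lists cleaned in
# the same layer (nothing else is installed in this stage).
RUN apt-get update \
 && apt-get install -y --no-install-recommends gzip tar \
 && rm -rf /var/lib/apt/lists/*
WORKDIR /work
ARG TARGETPLATFORM
# Pack the binaries stage into a tarball named after the version from
# buildkit-version and the platform (slashes replaced by dashes). mtime and
# entry order are fixed so the tar content is reproducible; the top-level
# directory is renamed to bin/.
RUN --mount=from=binaries \
    --mount=source=/tmp/.version,target=/tmp/.version,from=buildkit-version \
    mkdir -p /out \
 && tar czvf "/out/buildkit-$(cat /tmp/.version).$(echo "$TARGETPLATFORM" | sed 's/\//-/g').tar.gz" --mtime='2015-10-21 00:00Z' --sort=name --transform 's/^./bin/' .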
# release holds only the tarball(s) produced by releaser, for export
FROM scratch AS release
COPY --link --from=releaser /out/ /
# Runtime base for the (root) buildkit image: runc and the daemon's runtime
# dependencies come from Canonical's Artifactory repository.
FROM ubuntubase AS buildkit-export
ARG RUNC_VERSION
SHELL ["/bin/bash", "-oeux", "pipefail", "-c"]
# TODO: get fuse* from Artifactory once available
# The stock sources.list is swapped for the Artifactory repo for the duration
# of this RUN and restored afterwards. Both secrets are mounted for this RUN
# only and do not land in a layer: the apt auth.conf (mode 600, mounted
# directly under /etc/apt/auth.conf.d) and a base64-encoded GPG key that is
# decoded, used as the repo's signed-by key, and deleted at the end.
# The `ls /etc/apt/auth.conf.d` is a debug listing of file names only.
# NOTE(review): the first `apt update` / `apt install ca-certificates` run
# with Acquire::https::Verify-Peer=false, presumably because the base image
# has no CA bundle yet. Package integrity is still covered by the signed-by
# key, but the Artifactory credentials from auth.conf are sent over a TLS
# connection whose peer is not verified. Prefer bootstrapping a CA bundle
# first (e.g. bind-mount a CA file from another stage and pass
# Acquire::https::CAInfo=<path>) and drop the Verify-Peer override.
RUN --mount=type=secret,required=true,id=ARTIFACTORY_APT_AUTH_CONF,mode=600,target=/etc/apt/auth.conf.d/artifactory.conf \
--mount=type=secret,required=true,id=ARTIFACTORY_BASE64_GPG \
mv /etc/apt/sources.list /etc/apt/sources.list.backup \
&& ls /etc/apt/auth.conf.d \
&& cat /run/secrets/ARTIFACTORY_BASE64_GPG | base64 -d > /etc/apt/trusted.gpg.d/artifactory.gpg \
&& echo "deb [signed-by=/etc/apt/trusted.gpg.d/artifactory.gpg] https://canonical.jfrog.io/artifactory/soss-deb-stable/ focal main" > /etc/apt/sources.list \
&& apt update -o Acquire::https::Verify-Peer=false \
&& DEBIAN_FRONTEND=noninteractive apt install -y ca-certificates -o Acquire::https::Verify-Peer=false \
&& apt update \
&& DEBIAN_FRONTEND=noninteractive apt install -y fuse3 git openssh-server pigz xz-utils runc=${RUNC_VERSION} \
&& mv /etc/apt/sources.list.backup /etc/apt/sources.list \
&& rm /etc/apt/trusted.gpg.d/artifactory.gpg \
&& rm -rf /var/lib/apt/lists/*
# helper for running buildctl without a long-lived daemon
COPY --link examples/buildctl-daemonless/buildctl-daemonless.sh /usr/bin/
# daemon state; nothing is written here during the build
VOLUME /var/lib/buildkit
# Full containerd clone (all refs), shared read-write by the two containerd
# build stages below, which each fetch and check out their own version.
FROM git AS containerd-src
WORKDIR /usr/src
RUN git clone https://github.com/containerd/containerd.git containerd
# Common toolchain setup for building containerd with cgo (GOPATH mode).
FROM gobuild-base AS containerd-base
WORKDIR /go/src/github.com/containerd/containerd
ARG TARGETPLATFORM
# BUILDTAGS=no_btrfs drops the btrfs snapshotter; GO111MODULE=off builds in
# GOPATH mode from the checked-out tree.
ENV CGO_ENABLED=1 BUILDTAGS=no_btrfs GO111MODULE=off
# cross toolchain for TARGETPLATFORM; xx-go --wrap makes plain `go` target it
RUN xx-apt install -y musl-dev gcc && xx-go --wrap
FROM containerd-base AS containerd
ARG CONTAINERD_VERSION
# Check out the requested version in the shared source mount and build the
# daemon, the runc v2 shim and ctr; results are moved to /out.
RUN --mount=from=containerd-src,src=/usr/src/containerd,readwrite \
    --mount=type=cache,target=/root/.cache <<"EOF"
set -e
git fetch origin
git checkout -q "$CONTAINERD_VERSION"
make bin/containerd
make bin/containerd-shim-runc-v2
make bin/ctr
mv bin /out
EOF
# containerd v1.5 for integration tests
FROM containerd-base AS containerd-alt-15
ARG CONTAINERD_ALT_VERSION_15
# Same recipe as the containerd stage but for the 1.5 ref and without ctr.
RUN --mount=from=containerd-src,src=/usr/src/containerd,readwrite \
    --mount=type=cache,target=/root/.cache <<"EOF"
set -e
git fetch origin
git checkout -q "$CONTAINERD_ALT_VERSION_15"
make bin/containerd
make bin/containerd-shim-runc-v2
mv bin /out
EOF
# This ARG sits inside the previous stage, not at global scope; the FROM below
# resolves $REGISTRY_VERSION from the global declaration at the top of the
# file, so this line is redundant.
ARG REGISTRY_VERSION
# Registry image used only as a source for its /bin/registry binary.
# Pinned by tag only, not by digest.
FROM registry:$REGISTRY_VERSION AS registry
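FROM gobuild-base AS rootlesskit
ARG ROOTLESSKIT_VERSION
# Helper that downloads artifacts from Artifactory using URL/token files.
COPY canonical_utils/artifactory /opt/utils
WORKDIR /opt/utils
# Refresh the lists in the same layer as the install instead of relying on
# the lists left behind by the golatest stage; pip's download cache is not
# kept in the layer. Lists are removed because nothing later in this stage
# uses apt.
RUN apt-get update \
 && apt-get install -y python3 python3-pip \
 && pip install --no-cache-dir -r requirements.txt \
 && rm -rf /var/lib/apt/lists/*
WORKDIR /go/src/github.com/rootless-containers/rootlesskit
# Credentials are BuildKit secrets: mounted only for this RUN, never in a
# layer. required=true fails the build early with a clear message instead of
# the script failing on a missing file.
RUN --mount=type=secret,required=true,id=ARTIFACTORY_ACCESS_TOKEN \
    --mount=type=secret,required=true,id=ARTIFACTORY_URL \
    /opt/utils/fetch_from_artifactory.py --artifactory-url-file /run/secrets/ARTIFACTORY_URL \
      --artifact-path "jammy-rootlesskit-backport/pool/r/rootlesskit/rootlesskit_${ROOTLESSKIT_VERSION}.orig.tar.gz" \
      --token-file /run/secrets/ARTIFACTORY_ACCESS_TOKEN --output-file rootlesskit.tar.gz
# RUN git clone https://github.com/rootless-containers/rootlesskit.git /go/src/github.com/rootless-containers/rootlesskit
ARG TARGETPLATFORM
# The tarball is already at ROOTLESSKIT_VERSION, so no git checkout is needed.
RUN --mount=type=cache,target=/root/.cache \
    tar -xvf rootlesskit.tar.gz -C . --strip-components=1 \
 && CGO_ENABLED=0 xx-go build -o /rootlesskit ./cmd/rootlesskit \
 && xx-verify --static /rootlesskit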
FROM gobuild-base AS stargz-snapshotter
ARG STARGZ_SNAPSHOTTER_VERSION
WORKDIR /go/src/github.com/containerd/stargz-snapshotter
# Clone into the work dir (separate layer so it is cached across version
# bumps); the checkout happens in the build step below.
RUN git clone https://github.com/containerd/stargz-snapshotter.git .
ARG TARGETPLATFORM
# Build statically into /out and verify both binaries are static.
RUN --mount=type=cache,target=/root/.cache \
    git checkout -q "$STARGZ_SNAPSHOTTER_VERSION" \
 && xx-go --wrap \
 && mkdir /out \
 && CGO_ENABLED=0 PREFIX=/out/ make \
 && xx-verify --static /out/containerd-stargz-grpc \
 && xx-verify --static /out/ctr-remote
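FROM gobuild-base AS nydus
ARG NYDUS_VERSION
ARG TARGETOS
ARG TARGETARCH
SHELL ["/bin/bash", "-c"]
# Download and unpack in a single layer so the archive itself is not kept in
# the stage snapshot (wget exits non-zero on HTTP errors, so a failed download
# fails the build). The tarball is expected to contain a nydus-static/ dir,
# which the integration-tests image copies from /out/nydus-static/.
# NOTE(review): the release is pinned by tag only, not by checksum; a tag
# can be re-pushed. Prefer verifying a per-platform sha256 (for example via
# ADD --checksum=sha256:<digest> with the digest supplied per TARGETARCH)
# before extracting.
RUN wget -q "https://github.com/dragonflyoss/image-service/releases/download/$NYDUS_VERSION/nydus-static-$NYDUS_VERSION-$TARGETOS-$TARGETARCH.tgz" \
 && mkdir -p /out/nydus-static \
 && tar xzvf "nydus-static-$NYDUS_VERSION-$TARGETOS-$TARGETARCH.tgz" -C /out \
 && rm -f "nydus-static-$NYDUS_VERSION-$TARGETOS-$TARGETARCH.tgz"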
# Final (root) linux image: runtime deps from buildkit-export plus the
# buildctl/buildkitd binaries and the binfmt emulators in /usr/bin.
# There is no USER here or in buildkit-export, so buildkitd runs as root;
# the rootless stage below is the non-root variant.
FROM buildkit-export AS buildkit-linux
COPY --link --from=binaries / /usr/bin/
ENTRYPOINT ["buildkitd"]
# FROM binaries AS buildkit-darwin
# FROM binaries AS buildkit-windows
# # this is not in binaries-windows because it is not intended for release yet, just CI
# COPY --link --from=buildkitd /usr/bin/buildkitd /buildkitd.exe
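# CNI plugins for the integration-tests image: upstream release archive plus
# the dnsname plugin built above.
FROM --platform=$BUILDPLATFORM ubuntu:${UBUNTU_VERSION} AS cni-plugins
# pipefail so a failed download cannot be masked by tar's exit status
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# ca-certificates is listed explicitly: with --no-install-recommends it is
# not guaranteed to be pulled in by curl, and the download below is https.
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates curl tar \
 && rm -rf /var/lib/apt/lists/*
ARG CNI_VERSION
ARG TARGETOS
ARG TARGETARCH
WORKDIR /opt/cni/bin
# -f makes curl fail on HTTP errors instead of streaming an error page into
# tar; -S still reports the error with -s.
# NOTE(review): the archive is pinned by release tag only, not by checksum.
RUN curl -fsSL "https://github.com/containernetworking/plugins/releases/download/$CNI_VERSION/cni-plugins-$TARGETOS-$TARGETARCH-$CNI_VERSION.tgz" | tar -xzv -f -
COPY --link --from=dnsname /usr/bin/dnsname /opt/cni/bin/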
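FROM buildkit-base AS integration-tests-base
ENV BUILDKIT_INTEGRATION_ROOTLESS_IDPAIR="1000:1000"
ARG NERDCTL_VERSION
# Installing runc from the archives in here, cause for Focal it is also v1.1.4
# rootlesskit is deliberately not installed here (see the commented-out COPY
# from the rootlesskit stage further down).
# Creates the unprivileged test user (uid 1000) with a private runtime dir,
# points iptables at the legacy backend, and fetches nerdctl's rootless
# containerd helper. curl -f: without it an HTTP error body would be written
# to /usr/bin/containerd-rootless.sh and made executable.
# NOTE(review): the script is fetched from a tag ref ($NERDCTL_VERSION), not a
# commit SHA, and is not checksum-verified.
RUN xx-apt install -y sudo uidmap vim iptables dnsmasq fuse curl runc=1.1.4-0ubuntu1~22.04.3 \
 && useradd --create-home --home-dir /home/user --uid 1000 -s /bin/sh user \
 && echo "XDG_RUNTIME_DIR=/run/user/1000; export XDG_RUNTIME_DIR" >> /home/user/.profile \
 && mkdir -m 0700 -p /run/user/1000 \
 && chown -R user /run/user/1000 /home/user \
 && ln -s /sbin/iptables-legacy /usr/bin/iptables \
 && xx-go --wrap \
 && curl -fsSL "https://raw.githubusercontent.com/containerd/nerdctl/$NERDCTL_VERSION/extras/rootless/containerd-rootless.sh" -o /usr/bin/containerd-rootless.sh \
 && chmod 0755 /usr/bin/containerd-rootless.sh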
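# The entrypoint script is needed for enabling nested cgroup v2 (https://github.com/moby/buildkit/issues/3265#issuecomment-1309631736)
# curl -f: this file becomes the image ENTRYPOINT, so an HTTP error page must
# fail the build rather than be installed as the entrypoint script.
# NOTE(review): fetched from a tag ref, not a commit SHA, and not
# checksum-verified.
RUN curl -fsSL https://raw.githubusercontent.com/moby/moby/v20.10.21/hack/dind -o /docker-entrypoint.sh \
 && chmod 0755 /docker-entrypoint.sh
ENTRYPOINT ["/docker-entrypoint.sh"]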
# musl is needed to directly use the registry binary that is built on alpine
# NOTE(review): no musl package is installed in this stage; either the
# registry binary copied below is static and the comment above is stale, or
# it needs a musl loader — confirm before relying on it.
# Test-time configuration: the alternate containerd 1.5 location and the
# snapshotter under test.
ENV BUILDKIT_INTEGRATION_CONTAINERD_EXTRA="containerd-1.5=/opt/containerd-alt-15/bin"
ENV BUILDKIT_INTEGRATION_SNAPSHOTTER=stargz
ENV CGO_ENABLED=0
# Binaries from the build stages above, all into /usr/bin unless noted.
COPY --link --from=nydus /out/nydus-static/* /usr/bin/
COPY --link --from=stargz-snapshotter /out/* /usr/bin/
#COPY --link --from=rootlesskit /rootlesskit /usr/bin/
COPY --link --from=containerd-alt-15 /out/containerd* /opt/containerd-alt-15/bin/
COPY --link --from=registry /bin/registry /usr/bin/
#COPY --link --from=runc /usr/bin/runc /usr/bin/
COPY --link --from=containerd /out/containerd* /usr/bin/
# only the CNI plugins the test fixtures reference
COPY --link --from=cni-plugins /opt/cni/bin/bridge /opt/cni/bin/host-local /opt/cni/bin/loopback /opt/cni/bin/firewall /opt/cni/bin/dnsname /opt/cni/bin/
COPY --link hack/fixtures/cni.json /etc/buildkit/cni.json
COPY --link hack/fixtures/dns-cni.conflist /etc/buildkit/dns-cni.conflist
# buildctl/buildkitd under test (the binfmt emulators come along with them)
COPY --link --from=binaries / /usr/bin/
# integration-tests prepares an image suitable for running all tests
FROM integration-tests-base AS integration-tests
# Copies the whole build context into /src: anything not excluded by
# .dockerignore ends up in this image.
COPY . .
ENV BUILDKIT_RUN_NETWORK_INTEGRATION_TESTS=1 BUILDKIT_CNI_INIT_LOCK_PATH=/run/buildkit_cni_bridge.lock
# dev-env is the integration-tests image with the daemon state dir as a volume
FROM integration-tests AS dev-env
VOLUME /var/lib/buildkit
# Rootless mode.
FROM ubuntubase AS rootless
SHELL ["/bin/bash", "-oeux", "pipefail", "-c"]
# TODO: get fuse* from Artifactory once available
# Runtime packages come from Canonical's Artifactory repo, swapped in for the
# stock sources.list for this RUN only and restored afterwards. Both secrets
# are mounted for this RUN only and do not land in a layer: the apt auth.conf
# (mode 600, mounted under /etc/apt/auth.conf.d) and a base64-encoded GPG key
# that is decoded, used as the repo's signed-by key, then deleted.
# The `ls /etc/apt/auth.conf.d` is a debug listing of file names only.
# NOTE(review): the first `apt update` / `apt install ca-certificates` run
# with Acquire::https::Verify-Peer=false, presumably because the base image
# has no CA bundle yet. Package integrity is still covered by the signed-by
# key, but the Artifactory credentials from auth.conf are sent over a TLS
# connection whose peer is not verified. Prefer bootstrapping a CA bundle
# first (e.g. bind-mount a CA file from another stage and pass
# Acquire::https::CAInfo=<path>) and drop the Verify-Peer override.
RUN --mount=type=secret,required=true,id=ARTIFACTORY_APT_AUTH_CONF,mode=600,target=/etc/apt/auth.conf.d/artifactory.conf \
--mount=type=secret,required=true,id=ARTIFACTORY_BASE64_GPG \
mv /etc/apt/sources.list /etc/apt/sources.list.backup \
&& ls /etc/apt/auth.conf.d \
&& cat /run/secrets/ARTIFACTORY_BASE64_GPG | base64 -d > /etc/apt/trusted.gpg.d/artifactory.gpg \
&& echo "deb [signed-by=/etc/apt/trusted.gpg.d/artifactory.gpg] https://canonical.jfrog.io/artifactory/soss-deb-stable/ focal main" > /etc/apt/sources.list \
&& apt update -o Acquire::https::Verify-Peer=false \
&& DEBIAN_FRONTEND=noninteractive apt install -y ca-certificates -o Acquire::https::Verify-Peer=false \
&& apt update \
&& DEBIAN_FRONTEND=noninteractive apt install -y fuse3 fuse-overlayfs git openssh-server pigz uidmap xz-utils \
&& mv /etc/apt/sources.list.backup /etc/apt/sources.list \
&& rm /etc/apt/trusted.gpg.d/artifactory.gpg \
&& rm -rf /var/lib/apt/lists/*
# Unprivileged user (uid 1000) with its runtime/tmp/state directories and a
# 65536-wide subordinate uid/gid range. /etc/subuid and /etc/subgid are
# overwritten, not appended to.
RUN adduser --disabled-password --gecos "" --uid 1000 user \
 && mkdir -p /run/user/1000 /home/user/.local/tmp /home/user/.local/share/buildkit \
 && chown -R user /run/user/1000 /home/user \
 && printf 'user:100000:65536\n' > /etc/subuid \
 && cp /etc/subuid /etc/subgid
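# rootlesskit comes from the rootlesskit stage (Jammy backport tarball fetched
# from Artifactory); buildctl/buildkitd and the emulators from binaries.
COPY --link --from=rootlesskit /rootlesskit /usr/bin/
COPY --link --from=binaries / /usr/bin/
COPY --link examples/buildctl-daemonless/buildctl-daemonless.sh /usr/bin/
# Kubernetes runAsNonRoot requires USER to be numeric
USER 1000:1000
# key=value form throughout: the legacy `ENV key value` form is deprecated.
# Runtime dirs match the ones created for the user above; BUILDKIT_HOST points
# buildctl at the socket the rootless daemon creates under XDG_RUNTIME_DIR.
ENV HOME=/home/user \
    USER=user \
    XDG_RUNTIME_DIR=/run/user/1000 \
    TMPDIR=/home/user/.local/tmp \
    BUILDKIT_HOST=unix:///run/user/1000/buildkit/buildkitd.sock
# Declared after the RUN that created the directory, so its contents survive.
VOLUME /home/user/.local/share/buildkit
ENTRYPOINT ["rootlesskit", "buildkitd"]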
# buildkit builds the buildkit container image
# Only buildkit-linux exists in this fork (darwin/windows variants are
# commented out above), so this resolves only for TARGETOS=linux.
FROM buildkit-$TARGETOS AS buildkit