################################################################################
# Base image for all builds
# Every stage below derives from this one. The base is referenced by tag
# (`:2`), not by digest, so rebuilds follow the current AL2 content; pin a
# digest here if the builder toolchain itself must be reproducible.
FROM public.ecr.aws/amazonlinux/amazonlinux:2 AS builder-base
# Compilers, make, patch, etc. for the musl/bash and systemd rebuilds, plus the
# unprivileged account the rpmbuild stage switches to.
RUN yum group install -y "Development Tools" \
    && useradd builder
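################################################################################
# Statically linked, more recent version of bash
# bash is linked against musl so the resulting binary carries no runtime
# library dependencies; the final stage copies it to /opt/bin/bash.
FROM builder-base AS builder-static
RUN yum install -y glibc-static
ARG musl_version=1.2.3
ARG bash_version=5.1.16
WORKDIR /opt/build
# sdk-fetch takes the `hashes` file and produces the tarball extracted on the
# next line; the checked-in hashes are presumably what verifies the download,
# so a version bump above has to come with a matching hashes entry.
COPY ./sdk-fetch ./
COPY ./hashes/musl ./hashes
RUN ./sdk-fetch hashes \
    && tar -xf musl-${musl_version}.tar.gz \
    && rm musl-${musl_version}.tar.gz hashes
WORKDIR /opt/build/musl-${musl_version}
# Default musl prefix is /usr/local/musl; the wrapper compiler installed there
# is used for the bash build below.
RUN ./configure --enable-static && make -j"$(nproc)" && make install
WORKDIR /opt/build
COPY ./hashes/bash ./hashes
RUN ./sdk-fetch hashes \
    && tar -xf bash-${bash_version}.tar.gz \
    && rm bash-${bash_version}.tar.gz hashes
WORKDIR /opt/build/bash-${bash_version}
# Build with the musl wrapper. HAVE_DLOPEN=0 is presumably there to keep the
# static binary from attempting dlopen (loadable builtins) that a static musl
# link cannot satisfy. config.log is dumped on failure so the reason for a
# failed configure is visible in the build output.
RUN CC="/usr/local/musl/bin/musl-gcc" CFLAGS="-Os -DHAVE_DLOPEN=0" \
    ./configure \
        --enable-static-link \
        --without-bash-malloc \
    || { cat config.log; exit 1; }
RUN make -j"$(nproc)"
RUN cp bash /opt/bash
# Ship the GPL license text alongside the binary.
RUN mkdir -p /usr/share/licenses/bash \
    && cp -p COPYING /usr/share/licenses/bash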
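################################################################################
# Rebuild of Amazon Linux 2's systemd v219 with downstream patches
# The stock AL2 systemd source RPM is rebuilt with the Bottlerocket cgroup
# patches; the final stage installs the resulting RPMs in place of the
# distribution package.
FROM builder-base AS builder-systemd
RUN yum install -y yum-utils rpm-build
RUN yum-builddep -y systemd
# Everything from here on runs as the unprivileged build user.
USER builder
WORKDIR /home/builder
RUN yumdownloader --source systemd
# NOTE(review): the src.rpm is unpacked without an explicit signature check
# (`rpm -K`); rpm warns rather than fails when the signing key is not in the
# rpmdb, so confirm the download is covered by the repo's GPG key.
RUN rpm -Uv systemd-219-*.src.rpm
WORKDIR /home/builder/rpmbuild/SOURCES
COPY systemd-patches/*.patch ./
WORKDIR /home/builder/rpmbuild/SPECS
# Recreate the spec file from three parts: everything up until the last upstream
# patch, downstream patches, everything else. The steps are &&-chained so a
# failure in awk/head/tail aborts the build instead of being masked by the
# final mv, and an empty last_patch (no PatchN line found) is rejected up front.
RUN last_patch=$(awk '/^Patch[0-9]+/ { line = NR } END { print line }' systemd.spec) \
    && test -n "$last_patch" \
    && head -n"${last_patch}" systemd.spec >systemd.mod.spec \
    && { \
        echo; \
        echo '# Bottlerocket Patches'; \
        echo 'Patch9500: 9500-cgroup-util-extract-cgroup-hierarchy-base-path-into-.patch'; \
        echo 'Patch9501: 9501-cgroup-util-accept-cgroup-hierarchy-base-as-option.patch'; \
        echo 'Patch9502: 9502-core-move-initialization-of-.slice-and-init.scope-in.patch'; \
        echo 'Patch9503: 9503-core-drop-.slice-from-shipped-units.patch'; \
        echo; \
    } >>systemd.mod.spec \
    && tail -n+$((last_patch + 1)) systemd.spec >>systemd.mod.spec \
    && mv systemd.mod.spec systemd.spec
RUN rpmbuild --bb systemd.spec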
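################################################################################
# Actual admin container image
FROM public.ecr.aws/amazonlinux/amazonlinux:2
ARG IMAGE_VERSION
# Make the container image version a mandatory build argument
RUN test -n "$IMAGE_VERSION"
LABEL "org.opencontainers.image.version"="$IMAGE_VERSION"
# Install the custom systemd build in the same transaction as all original
# packages to save space. For example, openssh-server pulls in systemd. This
# dependency is best satisfied by the downstream build. Reinstalling it later
# would result in also carrying around the original systemd in the final image
# where it would remain forever hidden and unused in a lower layer.
# `yum update` runs first so the image carries current AL2 fixes rather than
# whatever the base tag was built with. The bind mount keeps the RPM files out
# of the image; the `{219,libs}` brace expansion relies on /bin/sh being bash.
RUN --mount=type=bind,from=builder-systemd,source=/home/builder/rpmbuild/RPMS,target=/tmp/systemd-rpms \
    yum update -y \
    && yum install -y \
        /tmp/systemd-rpms/*/systemd-{219,libs}*.rpm \
        ec2-instance-connect \
        jq \
        openssh-server \
        openssl \
        procps-ng \
        shadow-utils \
        sudo \
        util-linux \
    && yum clean all
# Delete SELinux config file to prevent relabeling with contexts provided by the container's image
RUN rm -rf /etc/selinux/config
# Static bash from builder-static, placed under /opt/bin rather than /bin.
COPY --from=builder-static /opt/bash /opt/bin/
COPY --from=builder-static /usr/share/licenses/bash /usr/share/licenses/bash
RUN rm -f /etc/motd /etc/issue
COPY --chown=root:root motd /etc/
COPY --chown=root:root units /etc/systemd/user/
# Build args are trusted build input: the value is spliced verbatim into the
# shell startup files below, so a single quote in CUSTOM_PS1 breaks the quoting.
ARG CUSTOM_PS1='[\u@admin]\$ '
RUN echo "PS1='$CUSTOM_PS1'" > "/etc/profile.d/bottlerocket-ps1.sh" \
    && echo "PS1='$CUSTOM_PS1'" >> "/root/.bashrc" \
    && echo "cat /etc/motd" >> "/root/.bashrc"
COPY --chmod=755 start_admin.sh /usr/sbin/
# Pin sshd_config to root-owned and not writable by anyone else; without
# --chmod the mode bits are whatever the build context happened to have.
COPY --chown=root:root --chmod=644 ./sshd_config /etc/ssh/
COPY --chmod=755 ./sheltie /usr/bin/
RUN groupadd -g 274 api
# Reduces issues related to logger and our implementation of systemd. This is
# necessary for scripts logging to logger, such as in EC2 Instance Connect.
# Caveat: this turns `logger` into a no-op, so anything relying on it for an
# audit trail leaves no syslog record inside this container.
RUN ln -sf /usr/bin/true /usr/bin/logger
# No USER directive: the image runs as root, presumably because sshd and the
# systemd build above are started that way by start_admin.sh (not visible
# here). The script is run via `bash -c`, so bash is PID 1 unless the script
# execs into the real init.
CMD ["/usr/sbin/start_admin.sh"]
ENTRYPOINT ["/bin/bash", "-c"]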