2020-12-06 08:24:12 +00:00
# syntax = docker/dockerfile:1.2
2018-10-02 17:03:32 +00:00
2021-06-11 19:48:13 +00:00
ARG RUNC_VERSION = v1.0.0
2021-06-01 14:51:33 +00:00
ARG CONTAINERD_VERSION = v1.5.2
2021-03-12 06:20:23 +00:00
# containerd v1.4 for integration tests
2021-06-01 14:51:33 +00:00
ARG CONTAINERD_ALT_VERSION = v1.4.6
2018-10-02 17:03:32 +00:00
# available targets: buildkitd, buildkitd.oci_only, buildkitd.containerd_only
ARG BUILDKIT_TARGET = buildkitd
2020-01-24 07:00:30 +00:00
ARG REGISTRY_VERSION = 2 .7.1
2021-05-04 08:42:03 +00:00
ARG ROOTLESSKIT_VERSION = v0.14.2
2021-05-04 08:42:56 +00:00
ARG CNI_VERSION = v0.9.1
2020-01-24 07:00:30 +00:00
ARG SHADOW_VERSION = 4 .8.1
2021-05-04 08:46:26 +00:00
ARG STARGZ_SNAPSHOTTER_VERSION = v0.5.0
2018-10-02 17:03:32 +00:00
2021-06-16 01:48:08 +00:00
ARG ALPINE_VERSION = 3 .14
2020-11-18 01:40:47 +00:00
2018-10-02 17:03:32 +00:00
# git stage is used for checking out remote repository sources
2020-11-18 01:40:47 +00:00
FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS git
2020-11-18 07:49:54 +00:00
RUN apk add --no-cache git
2018-10-02 17:03:32 +00:00
2021-03-24 02:21:32 +00:00
# xx is a helper for cross-compilation
2021-07-05 08:06:47 +00:00
FROM --platform=$BUILDPLATFORM tonistiigi/xx@sha256:1e96844fadaa2f9aea021b2b05299bc02fe4c39a92d8e735b93e8e2b15610128 AS xx
2018-10-02 17:03:32 +00:00
2021-03-24 02:32:23 +00:00
FROM --platform=$BUILDPLATFORM golang:1.16-alpine AS golatest
2021-06-01 13:51:15 +00:00
FROM golatest AS go-linux
2021-03-24 02:32:23 +00:00
FROM golatest AS go-darwin
FROM golatest AS go-windows-amd64
FROM golatest AS go-windows-386
FROM golatest AS go-windows-arm
2021-06-17 22:41:14 +00:00
FROM --platform=$BUILDPLATFORM golang:1.17beta1-alpine AS go-windows-arm64
2021-03-24 02:32:23 +00:00
FROM go-windows-${TARGETARCH} AS go-windows
2018-10-02 17:03:32 +00:00
# gobuild is base stage for compiling go/cgo
2021-03-24 02:32:23 +00:00
FROM go-${TARGETOS} AS gobuild-base
2021-03-24 02:21:32 +00:00
RUN apk add --no-cache file bash clang lld pkgconfig git make
COPY --from= xx / /
2018-10-02 17:03:32 +00:00
# runc source
FROM git AS runc-src
ARG RUNC_VERSION
WORKDIR /usr/src
2018-11-15 02:39:39 +00:00
RUN git clone https://github.com/opencontainers/runc.git runc \
2019-08-08 00:50:00 +00:00
&& cd runc && git checkout -q " $RUNC_VERSION "
2018-10-02 17:03:32 +00:00
# build runc binary
FROM gobuild-base AS runc
WORKDIR $GOPATH/src/github.com/opencontainers/runc
ARG TARGETPLATFORM
2021-03-24 02:21:32 +00:00
# gcc is only installed for libgcc
# lld has issues building static binaries for ppc so prefer ld for it
2021-06-01 13:51:15 +00:00
RUN set -e; xx-apk add musl-dev gcc libseccomp-dev libseccomp-static; \
2021-03-24 02:21:32 +00:00
[ " $( xx-info arch) " != "ppc64le" ] || XX_CC_PREFER_LINKER = ld xx-clang --setup-target-triple
2018-10-02 17:03:32 +00:00
RUN --mount= from = runc-src,src= /usr/src/runc,target= . --mount= target = /root/.cache,type= cache \
2021-03-24 02:21:32 +00:00
CGO_ENABLED = 1 xx-go build -mod= vendor -ldflags '-extldflags -static' -tags 'apparmor seccomp netgo cgo static_build osusergo' -o /usr/bin/runc ./ && \
xx-verify --static /usr/bin/runc
2018-10-02 17:03:32 +00:00
FROM gobuild-base AS buildkit-base
2019-01-26 06:29:13 +00:00
WORKDIR /src
ENV GOFLAGS = -mod= vendor
2018-10-02 17:03:32 +00:00
# scan the version/revision info
FROM buildkit-base AS buildkit-version
2019-01-26 06:29:13 +00:00
# TODO: PKG should be inferred from go modules
2018-10-11 05:39:18 +00:00
RUN --mount= target = . \
2018-10-11 06:46:34 +00:00
PKG = github.com/moby/buildkit VERSION = $( git describe --match 'v[0-9]*' --dirty= '.m' --always --tags) REVISION = $( git rev-parse HEAD) $( if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi ) ; \
2018-10-02 17:03:32 +00:00
echo " -X ${ PKG } /version.Version= ${ VERSION } -X ${ PKG } /version.Revision= ${ REVISION } -X ${ PKG } /version.Package= ${ PKG } " | tee /tmp/.ldflags; \
echo -n " ${ VERSION } " | tee /tmp/.version;
2019-09-09 13:47:18 +00:00
# build buildctl binary
2018-10-02 17:03:32 +00:00
FROM buildkit-base AS buildctl
ENV CGO_ENABLED = 0
ARG TARGETPLATFORM
RUN --mount= target = . --mount= target = /root/.cache,type= cache \
2019-01-26 06:29:13 +00:00
--mount= target = /go/pkg/mod,type= cache \
2018-10-02 17:03:32 +00:00
--mount= source = /tmp/.ldflags,target= /tmp/.ldflags,from= buildkit-version \
2021-03-24 02:21:32 +00:00
xx-go build -ldflags " $( cat /tmp/.ldflags) " -o /usr/bin/buildctl ./cmd/buildctl && \
xx-verify --static /usr/bin/buildctl
2018-10-02 17:03:32 +00:00
# build buildkitd binary
FROM buildkit-base AS buildkitd
2019-04-16 11:41:06 +00:00
ARG BUILDKITD_TAGS
2021-03-24 02:21:32 +00:00
ARG TARGETPLATFORM
2018-10-02 17:03:32 +00:00
RUN --mount= target = . --mount= target = /root/.cache,type= cache \
2019-01-26 06:29:13 +00:00
--mount= target = /go/pkg/mod,type= cache \
2018-10-02 17:03:32 +00:00
--mount= source = /tmp/.ldflags,target= /tmp/.ldflags,from= buildkit-version \
2021-03-24 02:21:32 +00:00
CGO_ENABLED = 0 xx-go build -ldflags " $( cat /tmp/.ldflags) -extldflags '-static' " -tags " osusergo netgo static_build seccomp ${ BUILDKITD_TAGS } " -o /usr/bin/buildkitd ./cmd/buildkitd && \
xx-verify --static /usr/bin/buildkitd
2018-10-02 17:03:32 +00:00
2019-08-08 00:50:00 +00:00
FROM scratch AS binaries-linux-helper
2018-10-02 17:03:32 +00:00
COPY --from= runc /usr/bin/runc /buildkit-runc
2021-07-06 19:26:21 +00:00
# built from https://github.com/tonistiigi/binfmt/releases/tag/buildkit%2Fv6.0.0-15
COPY --from= tonistiigi/binfmt:buildkit@sha256:81a03e6630e9c39df109bf24ae8c807881c4fd1703084827d855f8093cc7ab7a / /
2019-08-08 00:50:00 +00:00
FROM binaries-linux-helper AS binaries-linux
2018-10-02 17:03:32 +00:00
COPY --from= buildctl /usr/bin/buildctl /
COPY --from= buildkitd /usr/bin/buildkitd /
FROM scratch AS binaries-darwin
COPY --from= buildctl /usr/bin/buildctl /
FROM scratch AS binaries-windows
COPY --from= buildctl /usr/bin/buildctl /buildctl.exe
FROM binaries-$TARGETOS AS binaries
2020-11-18 01:40:47 +00:00
FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS releaser
2018-10-02 17:03:32 +00:00
RUN apk add --no-cache tar gzip
WORKDIR /work
ARG TARGETPLATFORM
RUN --mount= from = binaries \
--mount= source = /tmp/.version,target= /tmp/.version,from= buildkit-version \
mkdir -p /out && tar czvf " /out/buildkit- $( cat /tmp/.version) . $( echo $TARGETPLATFORM | sed 's/\//-/g' ) .tar.gz " --mtime= '2015-10-21 00:00Z' --sort= name --transform 's/^./bin/' .
FROM scratch AS release
COPY --from= releaser /out/ /
2021-07-05 08:06:47 +00:00
# tonistiigi/alpine supports riscv64
FROM tonistiigi/alpine:${ALPINE_VERSION} AS buildkit-export
2021-05-26 00:14:40 +00:00
RUN apk add --no-cache fuse3 git openssh pigz xz \
2021-06-17 23:53:33 +00:00
&& ln -s fusermount3 /usr/bin/fusermount
2019-05-26 02:59:17 +00:00
COPY examples/buildctl-daemonless/buildctl-daemonless.sh /usr/bin/
2018-10-02 17:03:32 +00:00
VOLUME /var/lib/buildkit
FROM git AS containerd-src
ARG CONTAINERD_VERSION
2020-07-29 01:13:15 +00:00
ARG CONTAINERD_ALT_VERSION
2018-10-02 17:03:32 +00:00
WORKDIR /usr/src
RUN git clone https://github.com/containerd/containerd.git containerd
FROM gobuild-base AS containerd-base
WORKDIR /go/src/github.com/containerd/containerd
2021-03-24 02:21:32 +00:00
ARG TARGETPLATFORM
ENV CGO_ENABLED = 1 BUILDTAGS = no_btrfs
RUN xx-apk add musl-dev gcc && xx-go --wrap
2018-10-02 17:03:32 +00:00
FROM containerd-base AS containerd
ARG CONTAINERD_VERSION
RUN --mount= from = containerd-src,src= /usr/src/containerd,readwrite --mount= target = /root/.cache,type= cache \
git fetch origin \
&& git checkout -q " $CONTAINERD_VERSION " \
&& make bin/containerd \
2020-01-06 12:17:55 +00:00
&& make bin/containerd-shim-runc-v2 \
2018-10-02 17:03:32 +00:00
&& make bin/ctr \
&& mv bin /out
2021-03-12 06:20:23 +00:00
# containerd v1.4 for integration tests
2020-07-29 01:13:15 +00:00
FROM containerd-base as containerd-alt
ARG CONTAINERD_ALT_VERSION
2021-06-01 13:51:15 +00:00
ARG GO111MODULE = off
2018-10-02 17:03:32 +00:00
RUN --mount= from = containerd-src,src= /usr/src/containerd,readwrite --mount= target = /root/.cache,type= cache \
git fetch origin \
2020-07-29 01:13:15 +00:00
&& git checkout -q " $CONTAINERD_ALT_VERSION " \
2018-10-02 17:03:32 +00:00
&& make bin/containerd \
2020-07-29 01:13:15 +00:00
&& make bin/containerd-shim-runc-v2 \
2018-10-02 17:03:32 +00:00
&& mv bin /out
2020-01-24 07:00:30 +00:00
ARG REGISTRY_VERSION
FROM registry:$REGISTRY_VERSION AS registry
2018-10-02 17:03:32 +00:00
FROM gobuild-base AS rootlesskit
ARG ROOTLESSKIT_VERSION
RUN git clone https://github.com/rootless-containers/rootlesskit.git /go/src/github.com/rootless-containers/rootlesskit
WORKDIR /go/src/github.com/rootless-containers/rootlesskit
ARG TARGETPLATFORM
RUN --mount= target = /root/.cache,type= cache \
git checkout -q " $ROOTLESSKIT_VERSION " && \
2021-03-24 02:21:32 +00:00
CGO_ENABLED = 0 xx-go build -o /rootlesskit ./cmd/rootlesskit && \
xx-verify --static /rootlesskit
2018-10-02 17:03:32 +00:00
2020-08-24 06:40:04 +00:00
FROM gobuild-base AS stargz-snapshotter
2020-09-03 05:40:57 +00:00
ARG STARGZ_SNAPSHOTTER_VERSION
2020-08-24 06:40:04 +00:00
RUN git clone https://github.com/containerd/stargz-snapshotter.git /go/src/github.com/containerd/stargz-snapshotter
WORKDIR /go/src/github.com/containerd/stargz-snapshotter
2021-03-24 02:21:32 +00:00
ARG TARGETPLATFORM
2020-09-22 09:08:40 +00:00
RUN --mount= target = /root/.cache,type= cache \
git checkout -q " $STARGZ_SNAPSHOTTER_VERSION " && \
2021-03-24 02:21:32 +00:00
xx-go --wrap && \
2020-08-24 06:40:04 +00:00
mkdir /out && CGO_ENABLED = 0 PREFIX = /out/ make && \
2021-03-24 02:21:32 +00:00
xx-verify --static /out/containerd-stargz-grpc && \
xx-verify --static /out/ctr-remote
2020-08-24 06:40:04 +00:00
2018-10-02 17:03:32 +00:00
# Copy together all binaries needed for oci worker mode
FROM buildkit-export AS buildkit-buildkitd.oci_only
COPY --from= buildkitd.oci_only /usr/bin/buildkitd.oci_only /usr/bin/
COPY --from= buildctl /usr/bin/buildctl /usr/bin/
ENTRYPOINT [ "buildkitd.oci_only" ]
# Copy together all binaries for containerd worker mode
FROM buildkit-export AS buildkit-buildkitd.containerd_only
COPY --from= buildkitd.containerd_only /usr/bin/buildkitd.containerd_only /usr/bin/
COPY --from= buildctl /usr/bin/buildctl /usr/bin/
ENTRYPOINT [ "buildkitd.containerd_only" ]
# Copy together all binaries for oci+containerd mode
2019-01-30 23:38:06 +00:00
FROM buildkit-export AS buildkit-buildkitd-linux
2018-10-02 17:03:32 +00:00
COPY --from= binaries / /usr/bin/
ENTRYPOINT [ "buildkitd" ]
2019-01-30 23:38:06 +00:00
FROM binaries AS buildkit-buildkitd-darwin
2019-06-25 21:40:49 +00:00
2019-01-30 23:38:06 +00:00
FROM binaries AS buildkit-buildkitd-windows
2019-06-25 21:40:49 +00:00
# this is not in binaries-windows because it is not intended for release yet, just CI
COPY --from= buildkitd /usr/bin/buildkitd /buildkitd.exe
2019-01-30 23:38:06 +00:00
FROM buildkit-buildkitd-$TARGETOS AS buildkit-buildkitd
2020-11-18 01:40:47 +00:00
FROM alpine:${ALPINE_VERSION} AS containerd-runtime
2018-10-02 17:03:32 +00:00
COPY --from= runc /usr/bin/runc /usr/bin/
COPY --from= containerd /out/containerd* /usr/bin/
COPY --from= containerd /out/ctr /usr/bin/
VOLUME /var/lib/containerd
VOLUME /run/containerd
ENTRYPOINT [ "containerd" ]
2020-11-18 01:40:47 +00:00
FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS cni-plugins
2019-07-10 21:42:30 +00:00
RUN apk add --no-cache curl
2020-01-24 07:00:30 +00:00
ARG CNI_VERSION
2019-07-10 21:42:30 +00:00
ARG TARGETOS
ARG TARGETARCH
WORKDIR /opt/cni/bin
RUN curl -Ls https://github.com/containernetworking/plugins/releases/download/$CNI_VERSION /cni-plugins-$TARGETOS -$TARGETARCH -$CNI_VERSION .tgz | tar xzv
2019-08-08 00:50:00 +00:00
FROM buildkit-base AS integration-tests-base
2018-10-02 17:03:32 +00:00
ENV BUILDKIT_INTEGRATION_ROOTLESS_IDPAIR = "1000:1000"
2021-03-24 02:21:32 +00:00
RUN apk add --no-cache shadow shadow-uidmap sudo vim iptables fuse \
2018-10-02 17:03:32 +00:00
&& useradd --create-home --home-dir /home/user --uid 1000 -s /bin/sh user \
&& echo "XDG_RUNTIME_DIR=/run/user/1000; export XDG_RUNTIME_DIR" >> /home/user/.profile \
&& mkdir -m 0700 -p /run/user/1000 \
2019-07-22 21:53:35 +00:00
&& chown -R user /run/user/1000 /home/user \
2021-03-24 02:21:32 +00:00
&& ln -s /sbin/iptables-legacy /usr/bin/iptables \
&& xx-go --wrap
2019-08-08 00:50:00 +00:00
# musl is needed to directly use the registry binary that is built on alpine
2021-03-12 06:20:23 +00:00
ENV BUILDKIT_INTEGRATION_CONTAINERD_EXTRA = "containerd-1.4=/opt/containerd-alt/bin"
2020-09-03 05:40:57 +00:00
ENV BUILDKIT_INTEGRATION_SNAPSHOTTER = stargz
2021-03-24 02:21:32 +00:00
ENV CGO_ENABLED = 0
2020-08-24 06:40:04 +00:00
COPY --from= stargz-snapshotter /out/* /usr/bin/
2018-10-02 17:03:32 +00:00
COPY --from= rootlesskit /rootlesskit /usr/bin/
2020-07-29 01:13:15 +00:00
COPY --from= containerd-alt /out/containerd* /opt/containerd-alt/bin/
2018-10-02 17:03:32 +00:00
COPY --from= registry /bin/registry /usr/bin
COPY --from= runc /usr/bin/runc /usr/bin
COPY --from= containerd /out/containerd* /usr/bin/
2019-07-10 23:55:04 +00:00
COPY --from= cni-plugins /opt/cni/bin/bridge /opt/cni/bin/host-local /opt/cni/bin/loopback /opt/cni/bin/
2019-07-10 21:42:30 +00:00
COPY hack/fixtures/cni.json /etc/buildkit/cni.json
2018-10-02 17:03:32 +00:00
COPY --from= binaries / /usr/bin/
2019-08-08 00:50:00 +00:00
FROM integration-tests-base AS integration-tests
2018-10-02 17:03:32 +00:00
COPY . .
2019-07-11 23:47:45 +00:00
ENV BUILDKIT_RUN_NETWORK_INTEGRATION_TESTS = 1 BUILDKIT_CNI_INIT_LOCK_PATH = /run/buildkit_cni_bridge.lock
2018-10-02 17:03:32 +00:00
2019-07-10 21:42:30 +00:00
FROM integration-tests AS dev-env
VOLUME /var/lib/buildkit
2018-10-02 17:03:32 +00:00
2021-06-16 01:48:08 +00:00
# newuidmap & newgidmap binaries (shadow-uidmap 4.8.1-r0) shipped with alpine cannot be executed without CAP_SYS_ADMIN,
2020-01-24 07:00:30 +00:00
# because the binaries are built without libcap-dev.
# So we need to build the binaries with libcap enabled.
2021-06-16 01:48:08 +00:00
# TODO: ask the Alpine upstream to enable libcap: https://github.com/moby/buildkit/issues/2038
2021-03-24 02:21:32 +00:00
FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS idmap
RUN apk add --no-cache git autoconf automake clang lld gettext-dev libtool make byacc binutils
COPY --from= xx / /
2020-01-24 07:00:30 +00:00
ARG SHADOW_VERSION
2021-03-24 02:21:32 +00:00
RUN git clone https://github.com/shadow-maint/shadow.git /shadow && cd /shadow && git checkout $SHADOW_VERSION
WORKDIR /shadow
ARG TARGETPLATFORM
RUN xx-apk add --no-cache musl-dev gcc libcap-dev
RUN CC = $( xx-clang --print-target-triple) -clang ./autogen.sh --disable-nls --disable-man --without-audit --without-selinux --without-acl --without-attr --without-tcb --without-nscd --host $( xx-clang --print-target-triple) \
&& make -j $( nproc) \
&& xx-verify src/newuidmap src/newuidmap \
2020-05-19 02:56:29 +00:00
&& cp src/newuidmap src/newgidmap /usr/bin
2018-10-15 06:30:01 +00:00
2020-05-19 01:41:30 +00:00
# Rootless mode.
2021-07-05 08:06:47 +00:00
FROM tonistiigi/alpine:${ALPINE_VERSION} AS rootless
2021-06-16 01:48:08 +00:00
RUN apk add --no-cache fuse3 fuse-overlayfs git openssh pigz xz
2018-10-15 06:30:01 +00:00
COPY --from= idmap /usr/bin/newuidmap /usr/bin/newuidmap
COPY --from= idmap /usr/bin/newgidmap /usr/bin/newgidmap
2020-01-24 07:00:30 +00:00
# we could just set CAP_SETUID filecap rather than `chmod u+s`, but requires kernel >= 4.14
2018-10-15 06:30:01 +00:00
RUN chmod u+s /usr/bin/newuidmap /usr/bin/newgidmap \
&& adduser -D -u 1000 user \
2018-10-02 17:03:32 +00:00
&& mkdir -p /run/user/1000 /home/user/.local/tmp /home/user/.local/share/buildkit \
&& chown -R user /run/user/1000 /home/user \
2021-06-17 23:53:33 +00:00
&& echo user:100000:65536 | tee /etc/subuid | tee /etc/subgid
2018-10-02 17:03:32 +00:00
COPY --from= rootlesskit /rootlesskit /usr/bin/
COPY --from= binaries / /usr/bin/
2019-05-26 02:59:17 +00:00
COPY examples/buildctl-daemonless/buildctl-daemonless.sh /usr/bin/
2020-01-24 19:36:56 +00:00
# Kubernetes runAsNonRoot requires USER to be numeric
USER 1000:1000
2018-10-02 17:03:32 +00:00
ENV HOME /home/user
ENV USER user
ENV XDG_RUNTIME_DIR = /run/user/1000
ENV TMPDIR = /home/user/.local/tmp
2019-03-25 07:51:33 +00:00
ENV BUILDKIT_HOST = unix:///run/user/1000/buildkit/buildkitd.sock
2018-10-02 17:03:32 +00:00
VOLUME /home/user/.local/share/buildkit
ENTRYPOINT [ "rootlesskit" , "buildkitd" ]
FROM buildkit-${BUILDKIT_TARGET}