Merge pull request #1499 from AkihiroSuda/ditch-external-base

Dockerfile: ditch ROOTLESS_BASE_MODE=external
v0.8
Tõnis Tiigi 2020-05-19 16:44:04 -07:00 committed by GitHub
commit 83bda57e53
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 11 additions and 20 deletions

View File

@ -2,6 +2,7 @@ dist: bionic
sudo: required sudo: required
install: install:
- docker run --rm --privileged linuxkit/binfmt:v0.8
- docker run --name buildkit --rm -d --privileged -p 1234:1234 $REPO_SLUG_ORIGIN --debug --addr tcp://0.0.0.0:1234 --oci-worker-gc=false - docker run --name buildkit --rm -d --privileged -p 1234:1234 $REPO_SLUG_ORIGIN --debug --addr tcp://0.0.0.0:1234 --oci-worker-gc=false
- sudo docker cp buildkit:/usr/bin/buildctl /usr/bin/ - sudo docker cp buildkit:/usr/bin/buildctl /usr/bin/
- export BUILDKIT_HOST=tcp://0.0.0.0:1234 - export BUILDKIT_HOST=tcp://0.0.0.0:1234
@ -39,6 +40,9 @@ jobs:
name: "External Dockerfile tests" name: "External Dockerfile tests"
- script: RUNC_PLATFORMS=$PLATFORMS PLATFORMS="${PLATFORMS},darwin/amd64,windows/amd64" ./hack/cross - script: RUNC_PLATFORMS=$PLATFORMS PLATFORMS="${PLATFORMS},darwin/amd64,windows/amd64" ./hack/cross
name: "Cross" name: "Cross"
- script: ./hack/images local $REPO_SLUG_TARGET
name: "Build image"
if: type == cron
- stage: deploy - stage: deploy
script: skip script: skip
name: "Deploy" name: "Deploy"

View File

@ -8,7 +8,6 @@ ARG CONTAINERD_OLD_VERSION=v1.2.11
ARG BUILDKIT_TARGET=buildkitd ARG BUILDKIT_TARGET=buildkitd
ARG REGISTRY_VERSION=2.7.1 ARG REGISTRY_VERSION=2.7.1
ARG ROOTLESSKIT_VERSION=v0.9.1 ARG ROOTLESSKIT_VERSION=v0.9.1
ARG ROOTLESS_BASE_MODE=external
ARG CNI_VERSION=v0.8.5 ARG CNI_VERSION=v0.8.5
ARG SHADOW_VERSION=4.8.1 ARG SHADOW_VERSION=4.8.1
ARG FUSEOVERLAYFS_VERSION=v0.7.6 ARG FUSEOVERLAYFS_VERSION=v0.7.6
@ -260,23 +259,18 @@ VOLUME /var/lib/buildkit
# newuidmap & newgidmap binaries (shadow-uidmap 4.7-r1) shipped with alpine:3.11 cannot be executed without CAP_SYS_ADMIN, # newuidmap & newgidmap binaries (shadow-uidmap 4.7-r1) shipped with alpine:3.11 cannot be executed without CAP_SYS_ADMIN,
# because the binaries are built without libcap-dev. # because the binaries are built without libcap-dev.
# So we need to build the binaries with libcap enabled. # So we need to build the binaries with libcap enabled.
FROM --platform=$BUILDPLATFORM debian:10 AS idmap FROM alpine:3.11 AS idmap
RUN apt-get update && apt-get install --no-install-recommends -y automake autopoint bison ca-certificates curl file gettext git gcc libcap-dev libtool make RUN apk add --no-cache autoconf automake build-base byacc gettext gettext-dev gcc git libcap-dev libtool libxslt
RUN git clone https://github.com/shadow-maint/shadow.git /shadow RUN git clone https://github.com/shadow-maint/shadow.git /shadow
WORKDIR /shadow WORKDIR /shadow
ARG SHADOW_VERSION ARG SHADOW_VERSION
RUN git checkout $SHADOW_VERSION RUN git checkout $SHADOW_VERSION
ARG TARGETPLATFORM RUN ./autogen.sh --disable-nls --disable-man --without-audit --without-selinux --without-acl --without-attr --without-tcb --without-nscd \
RUN curl -o /cross.sh https://raw.githubusercontent.com/AkihiroSuda/tonistiigi-binfmt/c0f14b94cdb5b6de0afd1c4b5118891b1174fefc/binfmt/scripts/cross.sh && \
chmod +x /cross.sh && \
/cross.sh install gcc pkgconf libcap-dev | sh
RUN CC=$(/cross.sh cross-prefix)-gcc LD=$(/cross.sh cross-prefix)-ld ./autogen.sh --disable-nls --disable-man --without-audit --without-selinux --without-acl --without-attr --without-tcb --without-nscd \
&& make \ && make \
&& cp src/newuidmap src/newgidmap /usr/bin \ && cp src/newuidmap src/newgidmap /usr/bin
&& file /usr/bin/newuidmap | grep "statically linked" \
&& file /usr/bin/newgidmap | grep "statically linked"
FROM alpine:3.11 AS rootless-base-internal # Rootless mode.
FROM alpine:3.11 AS rootless
RUN apk add --no-cache fuse3 git xz RUN apk add --no-cache fuse3 git xz
COPY --from=idmap /usr/bin/newuidmap /usr/bin/newuidmap COPY --from=idmap /usr/bin/newuidmap /usr/bin/newuidmap
COPY --from=idmap /usr/bin/newgidmap /usr/bin/newgidmap COPY --from=idmap /usr/bin/newgidmap /usr/bin/newgidmap
@ -287,13 +281,6 @@ RUN chmod u+s /usr/bin/newuidmap /usr/bin/newgidmap \
&& mkdir -p /run/user/1000 /home/user/.local/tmp /home/user/.local/share/buildkit \ && mkdir -p /run/user/1000 /home/user/.local/tmp /home/user/.local/share/buildkit \
&& chown -R user /run/user/1000 /home/user \ && chown -R user /run/user/1000 /home/user \
&& echo user:100000:65536 | tee /etc/subuid | tee /etc/subgid && echo user:100000:65536 | tee /etc/subuid | tee /etc/subgid
# tonistiigi/buildkit:rootless-base is a pre-built multi-arch version of rootless-base-internal https://github.com/moby/buildkit/pull/1392#issuecomment-597478241 (Mar 11, 2020)
FROM tonistiigi/buildkit:rootless-base@sha256:4b15b62dadfec92ca6e6633b94ac8e24d2235c9c50c35a7b80e4e951e9f6f735 AS rootless-base-external
FROM rootless-base-$ROOTLESS_BASE_MODE AS rootless-base
# Rootless mode.
FROM rootless-base AS rootless
COPY --from=rootlesskit /rootlesskit /usr/bin/ COPY --from=rootlesskit /rootlesskit /usr/bin/
COPY --from=binaries / /usr/bin/ COPY --from=binaries / /usr/bin/
COPY examples/buildctl-daemonless/buildctl-daemonless.sh /usr/bin/ COPY examples/buildctl-daemonless/buildctl-daemonless.sh /usr/bin/

View File

@ -61,7 +61,7 @@ imageDocker() {
} }
image() { image() {
pushFlag="" pushFlag="push=false"
if [ "$PUSH" = "push" ]; then if [ "$PUSH" = "push" ]; then
pushFlag="push=true" pushFlag="push=true"
fi fi