moby--moby/Dockerfile.simple

# docker build -t docker:simple -f Dockerfile.simple .
# docker run --rm docker:simple hack/make.sh dynbinary
# docker run --rm --privileged docker:simple hack/dind hack/make.sh test-unit
# docker run --rm --privileged -v /var/lib/docker docker:simple hack/dind hack/make.sh dynbinary test-integration

# This represents the bare minimum required to build and test Docker.

ARG GO_VERSION=1.17.3

ARG BASE_DEBIAN_DISTRO="bullseye"
ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"

FROM ${GOLANG_IMAGE}
ENV GO111MODULE=off

# allow replacing httpredir or deb mirror
ARG APT_MIRROR=deb.debian.org
RUN sed -ri "s/(httpredir|deb).debian.org/$APT_MIRROR/g" /etc/apt/sources.list

# Compile and runtime deps
# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#runtime-dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \
		build-essential \
		curl \
		cmake \
		gcc \
		git \
		libapparmor-dev \
		libbtrfs-dev \
		libdevmapper-dev \
		libseccomp-dev \
		ca-certificates \
		e2fsprogs \
		iptables \
		pkg-config \
		pigz \
		procps \
		xfsprogs \
		xz-utils \
		\
		vim-common \
	&& rm -rf /var/lib/apt/lists/*

# Install runc, containerd, tini and docker-proxy
# Please edit hack/dockerfile/install/<name>.installer to update them.
COPY hack/dockerfile/install hack/dockerfile/install
RUN for i in runc containerd tini proxy dockercli; \
		do hack/dockerfile/install/install.sh $i; \
	done
ENV PATH=/usr/local/cli:$PATH

ENV AUTO_GOPATH 1
WORKDIR /usr/src/docker
COPY . /usr/src/docker
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-27 22:37:25 -07:00			`# docker build -t docker:simple -f Dockerfile.simple .`
			`# docker run --rm docker:simple hack/make.sh dynbinary`
Update Dockerfile.simple to include aufs-tools This also updates the comments at the top of the file to note that `-v /var/lib/docker` should be supplied for running `test-integration-cli` and that `hack/dind` is actually also required for `test-unit`. Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-03-09 18:24:49 -06:00			`# docker run --rm --privileged docker:simple hack/dind hack/make.sh test-unit`
Remove test-integration-cli and references to it. Signed-off-by: Daniel Nephin <dnephin@docker.com> 2017-06-16 17:18:44 -07:00			`# docker run --rm --privileged -v /var/lib/docker docker:simple hack/dind hack/make.sh dynbinary test-integration`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-27 22:37:25 -07:00
			`# This represents the bare minimum required to build and test Docker.`

Update Go to 1.17.3 go1.17.3 (released 2021-11-04) includes security fixes to the archive/zip and debug/macho packages, as well as bug fixes to the compiler, linker, runtime, the go command, the misc/wasm directory, and to the net/http and syscall packages. See the Go 1.17.3 milestone on our issue tracker for details. From the announcement e-mail: [security] Go 1.17.3 and Go 1.16.10 are released We have just released Go versions 1.17.3 and 1.16.10, minor point releases. These minor releases include two security fixes following the security policy: - archive/zip: don't panic on (*Reader).Open Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can be made to panic by an attacker providing either a crafted ZIP archive containing completely invalid names or an empty filename argument. Thank you to Colin Arnott, SiteHost and Noah Santschi-Cooney, Sourcegraph Code Intelligence Team for reporting this issue. This is CVE-2021-41772 and Go issue golang.org/issue/48085. - debug/macho: invalid dynamic symbol table command can cause panic Malformed binaries parsed using Open or OpenFat can cause a panic when calling ImportedSymbols, due to an out-of-bounds slice operation. Thanks to Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech) for reporting this issue. This is CVE-2021-41771 and Go issue golang.org/issue/48990. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2021-11-05 10:55:40 +01:00			`ARG GO_VERSION=1.17.3`
Dockerfile: use GO_VERSION build-arg for overriding Go version This allows overriding the version of Go without making modifications in the source code, which can be useful to test against multiple versions. For example: make GO_VERSION=1.13beta1 shell Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-07-17 13:59:16 +02:00
Dockerfile: update to debian bullseye Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2021-08-19 21:16:01 +02:00			`ARG BASE_DEBIAN_DISTRO="bullseye"`
			`ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"`

			`FROM ${GOLANG_IMAGE}`
Dockerfile: set GO111MODULE=off Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-09-11 09:36:53 +02:00			`ENV GO111MODULE=off`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-27 22:37:25 -07:00
allow replacing httpredir or deb mirror in jessie Signed-off-by: Andrew Hsu <andrewhsu@docker.com> 2016-11-20 14:14:51 -08:00			`# allow replacing httpredir or deb mirror`
			`ARG APT_MIRROR=deb.debian.org`
			`RUN sed -ri "s/(httpredir\|deb).debian.org/$APT_MIRROR/g" /etc/apt/sources.list`

Capitalizes the first letter in notes of dockerfile Signed-off-by: YuPengZTE <yu.peng36@zte.com.cn> 2016-09-22 10:15:18 +08:00			`# Compile and runtime deps`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-27 22:37:25 -07:00			`# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies`
			`# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#runtime-dependencies`
			`RUN apt-get update && apt-get install -y --no-install-recommends \`
Update Dockerfile.simple so that it can be successfuly built * build-essential is needed by `make` * libapparmor-dev is needed by runc * seccomp is needed by runc * Go is neeeded by runc Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2016-03-25 13:19:13 +09:00			`build-essential \`
Fail explicitly if curl is missing in contrib/download-frozen-image.sh Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-03-17 23:08:17 -06:00			`curl \`
Replace grimes with tini There is no reason to duplicate efforts and tini is well built and better than grimes. It is a much stronger option for the default init and @krallin has done a great job maintaining it and helping make changes so that it will work with Docker. Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2016-11-03 09:47:50 -07:00			`cmake \`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-27 22:37:25 -07:00			`gcc \`
			`git \`
Update Dockerfile.simple so that it can be successfuly built * build-essential is needed by `make` * libapparmor-dev is needed by runc * seccomp is needed by runc * Go is neeeded by runc Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2016-03-25 13:19:13 +09:00			`libapparmor-dev \`
Dockerfile.simple: Fix compile docker binary error with btrfs Use the image build from Dockerfile.simple to build docker binary failed with not find <brtfs/ioctl.h>, we need to install libbtrfs-dev to fix this. ``` Building: bundles/dynbinary-daemon/dockerd-dev GOOS="" GOARCH="" GOARM="" .gopath/src/github.com/docker/docker/daemon/graphdriver/btrfs/btrfs.go:8:10: fatal error: btrfs/ioctl.h: No such file or directory #include <btrfs/ioctl.h> ``` Signed-off-by: Lei Jitang <leijitang@outlook.com> 2021-02-03 21:07:10 +00:00			`libbtrfs-dev \`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-27 22:37:25 -07:00			`libdevmapper-dev \`
Dockerfile: use seccomp provided by stretch Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2017-09-25 10:03:37 +00:00			`libseccomp-dev \`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-27 22:37:25 -07:00			`ca-certificates \`
			`e2fsprogs \`
			`iptables \`
Add required pkg-config for Dockerfile.simple This fix tries to address the issue raised in 35980 where pkg-config was missing and was causing Dockerfile.simple build to fail. ``` $ docker build -t docker:simple -f Dockerfile.simple . .......... CGO_ENABLED=1 go build -tags "seccomp apparmor selinux netgo cgo static_build" -installsuffix netgo -ldflags "-w -extldflags -static -X main.gitCommit="b2567b37d7b75eb4cf325b77297b140ea686ce8f" -X main.version=1.0.0-rc4+dev " -o runc . pkg-config: exec: "pkg-config": executable file not found in $PATH make: *** [static] Error 2 Makefile:42: recipe for target 'static' failed The command '/bin/sh -c /tmp/install-binaries.sh runc containerd tini proxy dockercli' returned a non-zero code: 2 ``` This fix fixes 35980. Signed-off-by: Yong Tang <yong.tang.github@outlook.com> 2018-01-11 18:02:08 +00:00			`pkg-config \`
Make image (layer) downloads faster by using pigz The Golang built-in gzip library is serialized, and fairly slow at decompressing. It also only decompresses on demand, versus pipelining decompression. This change switches to using the pigz external command for gzip decompression, as opposed to using the built-in golang one. This code is not vendored, but will be used if it autodetected as part of the OS. This also switches to using context, versus a manually managed channel to manage cancellations, and synchronization. There is a little bit of weirdness around manually having to cancel in the error cases. Signed-off-by: Sargun Dhillon <sargun@sargun.me> 2018-01-16 10:49:18 -08:00			`pigz \`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-27 22:37:25 -07:00			`procps \`
Include xfsprogs in build environment. devmapper uses xfs by default now. So include xfsprogs in build environment. Also update docs to reflect the new default. Signed-off-by: Anusha Ragunathan <anusha@docker.com> 2015-11-11 14:29:02 -08:00			`xfsprogs \`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-27 22:37:25 -07:00			`xz-utils \`
			`\`
Replace grimes with tini There is no reason to duplicate efforts and tini is well built and better than grimes. It is a much stronger option for the default init and @krallin has done a great job maintaining it and helping make changes so that it will work with Docker. Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2016-11-03 09:47:50 -07:00			`vim-common \`
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-27 22:37:25 -07:00			`&& rm -rf /var/lib/apt/lists/*`

Replace grimes with tini There is no reason to duplicate efforts and tini is well built and better than grimes. It is a much stronger option for the default init and @krallin has done a great job maintaining it and helping make changes so that it will work with Docker. Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2016-11-03 09:47:50 -07:00			`# Install runc, containerd, tini and docker-proxy`
Split binary installers/commit scripts Originally I worked on this for the multi-stage build Dockerfile changes. Decided to split this out as we are still waiting for multi-stage to be available on CI and rebasing these is pretty annoying. Signed-off-by: Brian Goff <cpuguy83@gmail.com> 2018-02-16 13:51:30 -05:00			`# Please edit hack/dockerfile/install/<name>.installer to update them.`
			`COPY hack/dockerfile/install hack/dockerfile/install`
			`RUN for i in runc containerd tini proxy dockercli; \`
			`do hack/dockerfile/install/install.sh $i; \`
			`done`
Remove cmd/docker and other directories in cli/ in accordance with the new Moby project scope Starting with this commit, integration tests should no longer rely on the docker cli, they should be API tests instead. For the existing tests the scripts will use a frozen version of the docker cli with a DOCKER_API_VERSION frozen to 1.30, which should ensure that the CI remains green at all times. To help contributors develop and test manually with a modified docker cli, this commit also adds a DOCKER_CLI_PATH environment variable to the Makefile. This allows to set the path of a custom cli that will be available inside the development container and used to run the integration tests. Signed-off-by: Arnaud Porterie (icecrime) <arnaud.porterie@docker.com> Signed-off-by: Tibor Vass <tibor@docker.com> 2017-04-17 18:18:46 -05:00			`ENV PATH=/usr/local/cli:$PATH`
Add init process for zombie fighting This adds a small C binary for fighting zombies. It is mounted under `/dev/init` and is prepended to the args specified by the user. You enable it via a daemon flag, `dockerd --init`, as it is disable by default for backwards compat. You can also override the daemon option or specify this on a per container basis with `docker run --init=true\|false`. You can test this by running a process like this as the pid 1 in a container and see the extra zombie that appears in the container as it is running. ```c int main(int argc, char ** argv) { pid_t pid = fork(); if (pid == 0) { pid = fork(); if (pid == 0) { exit(0); } sleep(3); exit(0); } printf("got pid %d and exited\n", pid); sleep(20); } ``` Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2016-06-27 14:38:47 -07:00
Add secondary "simple" Dockerfile This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions. With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain. This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well. Assumptions existing tests make that currently fail: - `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005 :tada:) - `unprivilegeduser` exists as a user in `/etc/passwd` Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com> 2015-02-27 22:37:25 -07:00			`ENV AUTO_GOPATH 1`
			`WORKDIR /usr/src/docker`
			`COPY . /usr/src/docker`