# syntax=docker/dockerfile:1

# Build-time switches. Each value is spliced into a stage name further down
# (FROM cross-${CROSS}, FROM runtime-dev-cross-${CROSS}, FROM dev-systemd-${SYSTEMD}),
# so only "true" and "false" resolve to an existing stage.
ARG CROSS="false"
ARG SYSTEMD="false"
update golang to 1.18.4
go1.18.4 (released 2022-07-12) includes security fixes to the compress/gzip,
encoding/gob, encoding/xml, go/parser, io/fs, net/http, and path/filepath
packages, as well as bug fixes to the compiler, the go command, the linker,
the runtime, and the runtime/metrics package. See the Go 1.18.4 milestone on the
issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.18.4+label%3ACherryPickApproved
This update addresses:
CVE-2022-1705, CVE-2022-1962, CVE-2022-28131, CVE-2022-30630, CVE-2022-30631,
CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, and CVE-2022-32148.
Full diff: https://github.com/golang/go/compare/go1.18.3...go1.18.4
From the security announcement;
https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE
We have just released Go versions 1.18.4 and 1.17.12, minor point releases. These
minor releases include 9 security fixes following the security policy:
- net/http: improper sanitization of Transfer-Encoding header
The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating
a "chunked" encoding. This could potentially allow for request smuggling, but
only if combined with an intermediate server that also improperly failed to
reject the header as invalid.
This is CVE-2022-1705 and https://go.dev/issue/53188.
- When `httputil.ReverseProxy.ServeHTTP` was called with a `Request.Header` map
containing a nil value for the X-Forwarded-For header, ReverseProxy would set
the client IP as the value of the X-Forwarded-For header, contrary to its
documentation. In the more usual case where a Director function set the
X-Forwarded-For header value to nil, ReverseProxy would leave the header
unmodified as expected.
This is https://go.dev/issue/53423 and CVE-2022-32148.
Thanks to Christian Mehlmauer for reporting this issue.
- compress/gzip: stack exhaustion in Reader.Read
Calling Reader.Read on an archive containing a large number of concatenated
0-length compressed files can cause a panic due to stack exhaustion.
This is CVE-2022-30631 and Go issue https://go.dev/issue/53168.
- encoding/xml: stack exhaustion in Unmarshal
Calling Unmarshal on a XML document into a Go struct which has a nested field
that uses the any field tag can cause a panic due to stack exhaustion.
This is CVE-2022-30633 and Go issue https://go.dev/issue/53611.
- encoding/xml: stack exhaustion in Decoder.Skip
Calling Decoder.Skip when parsing a deeply nested XML document can cause a
panic due to stack exhaustion. The Go Security team discovered this issue, and
it was independently reported by Juho Nurminen of Mattermost.
This is CVE-2022-28131 and Go issue https://go.dev/issue/53614.
- encoding/gob: stack exhaustion in Decoder.Decode
Calling Decoder.Decode on a message which contains deeply nested structures
can cause a panic due to stack exhaustion.
This is CVE-2022-30635 and Go issue https://go.dev/issue/53615.
- path/filepath: stack exhaustion in Glob
Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2022-30632 and Go issue https://go.dev/issue/53416.
- io/fs: stack exhaustion in Glob
Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.
This is CVE-2022-30630 and Go issue https://go.dev/issue/53415.
- go/parser: stack exhaustion in all Parse* functions
Calling any of the Parse functions on Go source code which contains deeply
nested types or declarations can cause a panic due to stack exhaustion.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2022-1962 and Go issue https://go.dev/issue/53616.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-13 04:42:27 -04:00
# Go toolchain version; it becomes part of the golang base image tag below.
ARG GO_VERSION=1.18.4

# Declared as a global ARG (not ENV): stages that need it re-declare
# `ARG DEBIAN_FRONTEND`, and the value is not persisted as an image ENV.
ARG DEBIAN_FRONTEND=noninteractive

# Tag of the djs55/vpnkit image that the vpnkit-* stages pull from.
ARG VPNKIT_VERSION=0.5.0

# Debian release used for the golang image and for the frozen-images stage.
ARG BASE_DEBIAN_DISTRO="bullseye"

# NOTE(review): the base image is selected by tag only, so its content can change
# between builds; pinning by digest would make the toolchain reproducible.
ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
# Common parent of the tool and build stages in this file.
FROM ${GOLANG_IMAGE} AS base

# Tell apt to keep downloaded packages (presumably so the /var/cache/apt cache
# mounts used by later stages stay populated between builds).
RUN echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache

# Optional mirror host. The value is substituted verbatim into the sed
# expressions below, so it is expected to be a bare host name; when unset the
# stock Debian hosts are written back unchanged.
ARG APT_MIRROR
RUN sed -ri "s/(httpredir|deb).debian.org/${APT_MIRROR:-deb.debian.org}/g" /etc/apt/sources.list \
    && sed -ri "s/(security).debian.org/${APT_MIRROR:-security.debian.org}/g" /etc/apt/sources.list

# GOPATH mode is the default for every stage derived from base; the
# `go install pkg@version` stages override it per command with GO111MODULE=on.
ENV GO111MODULE=off
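# Installs the criu package from the openSUSE build service repository and
# stages the binary in /build/criu for the dev image to copy.
FROM base AS criu
ARG DEBIAN_FRONTEND

# The repository key is stored outside /etc/apt/trusted.gpg.d and bound to the
# criu source with [signed-by=...], so it can only vouch for this one
# repository instead of for every configured apt source.
# NOTE(review): the key is still downloaded at build time with no integrity
# check beyond TLS; once a reviewed copy's digest is recorded, pin it with
# `ADD --checksum=sha256:<digest-of-reviewed-key>`.
ADD --chmod=0644 https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_11/Release.key /etc/apt/keyrings/criu.asc
RUN --mount=type=cache,sharing=locked,id=moby-criu-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-criu-aptcache,target=/var/cache/apt \
        echo 'deb [signed-by=/etc/apt/keyrings/criu.asc] https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_11/ /' > /etc/apt/sources.list.d/criu.list \
        && apt-get update \
        && apt-get install -y --no-install-recommends criu \
        && install -D /usr/sbin/criu /build/criu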
# Builds the docker/distribution registry binaries used by the tests.
FROM base AS registry
WORKDIR /go/src/github.com/docker/distribution

# REGISTRY_VERSION is the docker/distribution
# (https://github.com/docker/distribution) version built as registry-v2. It is
# used to test both schema 1 and schema 2 manifests and should generally match
# a current release.
ARG REGISTRY_VERSION=v2.3.0

# REGISTRY_VERSION_SCHEMA1 is an older (pre v2.3.0) version from the same
# repository that only supports schema1 manifests. It does not work on arm64,
# so it is only built on the architectures listed in the case statement below.
ARG REGISTRY_VERSION_SCHEMA1=v2.1.0

# /go/src/ is a tmpfs for the duration of this RUN, so the clone is not kept in
# the layer; only the binaries written to /build survive.
# NOTE(review): both versions are git tags resolved at build time rather than
# commit hashes, so the built source is whatever the tag points at on clone.
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=tmpfs,target=/go/src/ \
        set -x \
        && git clone https://github.com/docker/distribution.git . \
        && git checkout -q "$REGISTRY_VERSION" \
        && GOPATH="/go/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \
            go build -buildmode=pie -o /build/registry-v2 github.com/docker/distribution/cmd/registry \
        && case $(dpkg --print-architecture) in \
            amd64|armhf|ppc64*|s390x) \
                git checkout -q "$REGISTRY_VERSION_SCHEMA1"; \
                GOPATH="/go/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH"; \
                go build -buildmode=pie -o /build/registry-v2-schema1 github.com/docker/distribution/cmd/registry; \
                ;; \
        esac
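# Builds the go-swagger binary used by the swagger validation scripts.
FROM base AS swagger
WORKDIR $GOPATH/src/github.com/go-swagger/go-swagger

# GO_SWAGGER_COMMIT specifies the version of the go-swagger binary to build and
# install. Go-swagger is used in CI for validating swagger.yaml in hack/validate/swagger-gen
#
# Currently uses a fork from https://github.com/kolyshkin/go-swagger/tree/golang-1.13-fix,
# TODO: move to under moby/ or fix upstream go-swagger to work for us.
#
# The source is pinned to a full commit hash, so the checkout below cannot
# silently move the way a branch or tag could. Written in key=value form; the
# space-separated ENV form is deprecated.
ENV GO_SWAGGER_COMMIT=c56166c036004ba7a3a321e5951ba472b9ae298c

# /go/src/ is a tmpfs for this RUN; only /build/swagger is kept in the layer.
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=tmpfs,target=/go/src/ \
        set -x \
        && git clone https://github.com/kolyshkin/go-swagger.git . \
        && git checkout -q "$GO_SWAGGER_COMMIT" \
        && go build -o /build/swagger github.com/go-swagger/go-swagger/cmd/swagger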
# Downloads a fixed set of Hub images into /build so they can be loaded locally.
FROM debian:${BASE_DEBIAN_DISTRO} AS frozen-images
ARG DEBIAN_FRONTEND
RUN --mount=type=cache,sharing=locked,id=moby-frozen-images-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-frozen-images-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            ca-certificates \
            curl \
            jq

# Get useful and necessary Hub images so we can "docker load" locally instead of pulling
COPY contrib/download-frozen-image-v2.sh /
ARG TARGETARCH

# Every image is requested by sha256 digest next to its tag, so the content
# that is fetched is fixed even if the tag is later moved.
RUN /download-frozen-image-v2.sh /build \
        busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
        busybox:glibc@sha256:1f81263701cddf6402afe9f33fca0266d9fff379e59b1748f33d3072da71ee85 \
        debian:bullseye-slim@sha256:dacf278785a4daa9de07596ec739dbc07131e189942772210709c5c0777e8437 \
        hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 \
        arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1
# See also frozenImages in "testutil/environment/protect.go" (which needs to be updated when adding images to this list)
# Native build: nothing is added on top of base.
FROM base AS cross-false

# Cross build: always runs as linux/amd64, registers the foreign dpkg
# architectures and installs the matching cross toolchains.
FROM --platform=linux/amd64 base AS cross-true
ARG DEBIAN_FRONTEND
RUN dpkg --add-architecture arm64
RUN dpkg --add-architecture armel
RUN dpkg --add-architecture armhf
RUN dpkg --add-architecture ppc64el
RUN dpkg --add-architecture s390x
RUN --mount=type=cache,sharing=locked,id=moby-cross-true-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-cross-true-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            crossbuild-essential-arm64 \
            crossbuild-essential-armel \
            crossbuild-essential-armhf \
            crossbuild-essential-ppc64el \
            crossbuild-essential-s390x

# The CROSS build argument picks one of the two stages above.
FROM cross-${CROSS} AS dev-base
# Development headers and the mingw toolchain for the native build.
FROM dev-base AS runtime-dev-cross-false
ARG DEBIAN_FRONTEND
RUN --mount=type=cache,sharing=locked,id=moby-cross-false-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-cross-false-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            binutils-mingw-w64 \
            g++-mingw-w64-x86-64 \
            libapparmor-dev \
            libbtrfs-dev \
            libdevmapper-dev \
            libseccomp-dev \
            libsystemd-dev \
            libudev-dev

# Adds the per-architecture apparmor and seccomp headers on top of the native set.
FROM --platform=linux/amd64 runtime-dev-cross-false AS runtime-dev-cross-true
ARG DEBIAN_FRONTEND
# These crossbuild packages rely on gcc-<arch>, but this doesn't want to install
# on non-amd64 systems, so other architectures cannot crossbuild amd64.
RUN --mount=type=cache,sharing=locked,id=moby-cross-true-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-cross-true-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            libapparmor-dev:arm64 \
            libapparmor-dev:armel \
            libapparmor-dev:armhf \
            libapparmor-dev:ppc64el \
            libapparmor-dev:s390x \
            libseccomp-dev:arm64 \
            libseccomp-dev:armel \
            libseccomp-dev:armhf \
            libseccomp-dev:ppc64el \
            libseccomp-dev:s390x

# The CROSS build argument picks one of the two stages above.
FROM runtime-dev-cross-${CROSS} AS runtime-dev
# Builds the Delve debugger where it is supported; elsewhere leaves /build empty.
FROM base AS delve

# DELVE_VERSION specifies the version of the Delve debugger binary
# from the https://github.com/go-delve/delve repository.
# It can be used to run Docker with a possibility of
# attaching debugger to it.
#
ARG DELVE_VERSION=v1.8.1

# Delve on Linux is currently only supported on amd64 and arm64;
# https://github.com/go-delve/delve/blob/v1.8.1/pkg/proc/native/support_sentinel.go#L1-L6
#
# On every other architecture only the /build/ directory is created, so that a
# later `COPY --from=delve /build/ ...` still has a source path to copy.
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        case $(dpkg --print-architecture) in \
            amd64|arm64) \
                GOBIN=/build/ GO111MODULE=on go install "github.com/go-delve/delve/cmd/dlv@${DELVE_VERSION}" \
                && /build/dlv --help \
                ;; \
            *) \
                mkdir -p /build/ \
                ;; \
        esac
validate/toml: switch to github.com/pelletier/go-toml
The github.com/BurntSushi/toml project is no longer maintained,
and containerd is switching to this project instead, so start
moving our code as well.
This patch only changes the binary used during validation (tbh,
we could probably remove this validation step, but leaving that
for now).
I manually verified that the hack/verify/toml still works by adding a commit
that makes the MAINTAINERS file invalid;
diff --git a/MAINTAINERS b/MAINTAINERS
index b739e7e20c..81ababd8de 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -23,7 +23,7 @@
# a subsystem, they are responsible for doing so and holding the
# subsystem maintainers accountable. If ownership is unclear, they are the de facto owners.
- people = [
+ people =
"akihirosuda",
"anusha",
"coolljt0725",
Running `hack/verify/toml` was able to detect the broken format;
hack/validate/toml
(27, 4): keys cannot contain , characterThese files are not valid TOML:
- MAINTAINERS
Please reformat the above files as valid TOML
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-02 10:02:34 -04:00
# Builds the tomll binary that hack/validate/toml runs in CI.
FROM base AS tomll

# GOTOML_VERSION specifies the version of the tomll binary to build and install
# from the https://github.com/pelletier/go-toml repository. This binary is used
# in CI in the hack/validate/toml script.
#
# When updating this version, consider updating the github.com/pelletier/go-toml
# dependency in vendor.mod accordingly.
ARG GOTOML_VERSION=v1.8.1

# The trailing --help call is a smoke test: the build fails if the freshly
# installed binary cannot be executed.
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        GOBIN=/build/ GO111MODULE=on go install "github.com/pelletier/go-toml/cmd/tomll@${GOTOML_VERSION}" \
        && /build/tomll --help
# Builds the go-winres tool into /build.
FROM base AS gowinres

# GOWINRES_VERSION defines go-winres tool version
ARG GOWINRES_VERSION=v0.2.3

# The --help call fails the build if the installed binary cannot run.
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        GOBIN=/build/ GO111MODULE=on go install "github.com/tc-hib/go-winres@${GOWINRES_VERSION}" \
        && /build/go-winres --help
# Builds containerd through the project's installer script, with PREFIX=/build.
FROM dev-base AS containerd
ARG DEBIAN_FRONTEND
RUN --mount=type=cache,sharing=locked,id=moby-containerd-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-containerd-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            libbtrfs-dev

# No default is given here; presumably containerd.installer supplies one when
# the build argument is not set (the script is not part of this file).
ARG CONTAINERD_VERSION
COPY /hack/dockerfile/install/install.sh /hack/dockerfile/install/containerd.installer /
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        PREFIX=/build /install.sh containerd
# Builds golangci-lint at a fixed version into /build.
FROM base AS golangci_lint
ARG GOLANGCI_LINT_VERSION=v1.46.2

# The --version call fails the build if the installed binary cannot run.
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        GOBIN=/build/ GO111MODULE=on go install "github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}" \
        && /build/golangci-lint --version
# Builds gotestsum at a fixed version into /build.
FROM base AS gotestsum
ARG GOTESTSUM_VERSION=v1.8.1

# The --version call fails the build if the installed binary cannot run.
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        GOBIN=/build/ GO111MODULE=on go install "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" \
        && /build/gotestsum --version
# Builds shfmt at a fixed version into /build.
FROM base AS shfmt
ARG SHFMT_VERSION=v3.0.2

# The --version call fails the build if the installed binary cannot run.
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        GOBIN=/build/ GO111MODULE=on go install "mvdan.cc/sh/v3/cmd/shfmt@${SHFMT_VERSION}" \
        && /build/shfmt --version
# Installs the Docker CLI through the project's installer script, with PREFIX=/build.
FROM dev-base AS dockercli

# Neither argument has a default here; presumably dockercli.installer falls
# back to its own values when they are unset (the script is not part of this file).
ARG DOCKERCLI_CHANNEL
ARG DOCKERCLI_VERSION
COPY /hack/dockerfile/install/install.sh /hack/dockerfile/install/dockercli.installer /
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        PREFIX=/build /install.sh dockercli
# Builds runc through the project's installer script, with PREFIX=/build.
# Based on runtime-dev, which carries the seccomp and apparmor headers.
FROM runtime-dev AS runc

# Neither argument has a default here; presumably runc.installer falls back to
# its own values when they are unset (the script is not part of this file).
ARG RUNC_VERSION
ARG RUNC_BUILDTAGS
COPY /hack/dockerfile/install/install.sh /hack/dockerfile/install/runc.installer /
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        PREFIX=/build /install.sh runc
# Builds tini through the project's installer script, with PREFIX=/build.
FROM dev-base AS tini
ARG DEBIAN_FRONTEND

# No default is given here; presumably tini.installer supplies one when the
# build argument is not set (the script is not part of this file).
ARG TINI_VERSION

# Build-time tools for the installer below.
RUN --mount=type=cache,sharing=locked,id=moby-tini-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-tini-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            cmake \
            vim-common
COPY /hack/dockerfile/install/install.sh /hack/dockerfile/install/tini.installer /
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        PREFIX=/build /install.sh tini
# Builds rootlesskit through the project's installer script and adds the
# rootless helper scripts from contrib/ next to it.
FROM dev-base AS rootlesskit

# No default is given here; presumably rootlesskit.installer supplies one when
# the build argument is not set (the script is not part of this file).
ARG ROOTLESSKIT_VERSION

# PREFIX is a build argument in this stage, so it is visible both to
# install.sh and to the two smoke-test calls in the same RUN.
ARG PREFIX=/build
COPY /hack/dockerfile/install/install.sh /hack/dockerfile/install/rootlesskit.installer /
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        /install.sh rootlesskit \
        && "${PREFIX}"/rootlesskit --version \
        && "${PREFIX}"/rootlesskit-docker-proxy --help
COPY ./contrib/dockerd-rootless.sh /build
COPY ./contrib/dockerd-rootless-setuptool.sh /build
# Builds crun from source and installs its binaries into /build.
FROM base AS crun
ARG CRUN_VERSION=1.4.5

# Build dependencies for the autotools build below.
RUN --mount=type=cache,sharing=locked,id=moby-crun-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-crun-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            autoconf \
            automake \
            build-essential \
            libcap-dev \
            libprotobuf-c-dev \
            libseccomp-dev \
            libsystemd-dev \
            libtool \
            libudev-dev \
            libyajl-dev \
            python3

# The source tree lives on a tmpfs that exists only for this RUN, so nothing
# but the installed files is kept in the layer.
# NOTE(review): CRUN_VERSION is checked out by name, not by commit hash, so the
# built source is whatever that ref points at when the repository is cloned.
RUN --mount=type=tmpfs,target=/tmp/crun-build \
        git clone https://github.com/containers/crun.git /tmp/crun-build \
        && cd /tmp/crun-build \
        && git checkout -q "${CRUN_VERSION}" \
        && ./autogen.sh \
        && ./configure --bindir=/build \
        && make -j install
# vpnkit is taken as a prebuilt binary from a published image, once per
# architecture, and both copies are collected in a scratch stage.
# NOTE(review): djs55/vpnkit is referenced by tag only (VPNKIT_VERSION), so the
# binary that ends up in the dev image is whatever that tag serves at build
# time; a digest pin per platform would fix the content.
FROM --platform=amd64 djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit-amd64

FROM --platform=arm64 djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit-arm64

FROM scratch AS vpnkit
COPY --from=vpnkit-amd64 /vpnkit /build/vpnkit.x86_64
COPY --from=vpnkit-arm64 /vpnkit /build/vpnkit.aarch64
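# Development image without systemd: accounts, shell setup, runtime packages
# and the tools built by the stages above.
# TODO: Some of this is only really needed for testing, it would be nice to split this up
FROM runtime-dev AS dev-systemd-false
ARG DEBIAN_FRONTEND

# A "docker" system group plus an unprivileged account whose home already holds
# the directory that is later declared as a VOLUME for its docker data.
RUN groupadd -r docker
RUN useradd --create-home --gid docker unprivilegeduser \
    && mkdir -p /home/unprivilegeduser/.local/share/docker \
    && chown -R unprivilegeduser /home/unprivilegeduser

# Let us use a .bashrc file
RUN ln -sfv /go/src/github.com/docker/docker/.bashrc ~/.bashrc

# Activate bash completion and include Docker's completion if mounted with DOCKER_BASH_COMPLETION_PATH
RUN echo "source /usr/share/bash-completion/bash_completion" >> /etc/bash.bashrc
RUN ln -s /usr/local/completion/bash/docker /etc/bash_completion.d/docker
RUN ldconfig

# This should only install packages that are specifically needed for the dev environment and nothing else
# Do you really need to add another package here? Can it be done in a different build stage?
RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            apparmor \
            bash-completion \
            bzip2 \
            inetutils-ping \
            iproute2 \
            iptables \
            jq \
            libcap2-bin \
            libnet1 \
            libnl-3-200 \
            libprotobuf-c1 \
            libyajl2 \
            net-tools \
            patch \
            pigz \
            python3-pip \
            python3-setuptools \
            python3-wheel \
            sudo \
            thin-provisioning-tools \
            uidmap \
            vim \
            vim-common \
            xfsprogs \
            xz-utils \
            zip \
            zstd

# Switch to use iptables instead of nftables (to match the CI hosts)
# TODO use some kind of runtime auto-detection instead if/when nftables is supported (https://github.com/moby/moby/issues/26824)
# Each `|| true` keeps the build going when an alternative is not registered.
RUN update-alternatives --set iptables  /usr/sbin/iptables-legacy  || true \
    && update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy || true \
    && update-alternatives --set arptables /usr/sbin/arptables-legacy || true

# --no-cache-dir keeps pip's download cache out of the image layer.
# NOTE(review): yamllint is pinned by version, but its dependencies are not and
# no hashes are checked.
RUN pip3 install --no-cache-dir yamllint==1.26.1

COPY --from=dockercli     /build/ /usr/local/cli
COPY --from=frozen-images /build/ /docker-frozen-images
COPY --from=swagger       /build/ /usr/local/bin/
COPY --from=delve         /build/ /usr/local/bin/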
validate/toml: switch to github.com/pelletier/go-toml
The github.com/BurntSushi/toml project is no longer maintained,
and containerd is switching to this project instead, so start
moving our code as well.
This patch only changes the binary used during validation (tbh,
we could probably remove this validation step, but leaving that
for now).
I manually verified that the hack/verify/toml still works by adding a commit
that makes the MAINTAINERS file invalid;
diff --git a/MAINTAINERS b/MAINTAINERS
index b739e7e20c..81ababd8de 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -23,7 +23,7 @@
# a subsystem, they are responsible for doing so and holding the
# subsystem maintainers accountable. If ownership is unclear, they are the de facto owners.
- people = [
+ people =
"akihirosuda",
"anusha",
"coolljt0725",
Running `hack/verify/toml` was able to detect the broken format;
hack/validate/toml
(27, 4): keys cannot contain , characterThese files are not valid TOML:
- MAINTAINERS
Please reformat the above files as valid TOML
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-02 10:02:34 -04:00
# Collect the remaining tool binaries from their build stages.
COPY --from=tomll         /build/ /usr/local/bin/
COPY --from=gowinres      /build/ /usr/local/bin/
COPY --from=tini          /build/ /usr/local/bin/
COPY --from=registry      /build/ /usr/local/bin/
COPY --from=criu          /build/ /usr/local/bin/
COPY --from=gotestsum     /build/ /usr/local/bin/
COPY --from=golangci_lint /build/ /usr/local/bin/
COPY --from=shfmt         /build/ /usr/local/bin/
COPY --from=runc          /build/ /usr/local/bin/
COPY --from=containerd    /build/ /usr/local/bin/
COPY --from=rootlesskit   /build/ /usr/local/bin/
COPY --from=vpnkit        /build/ /usr/local/bin/
COPY --from=crun          /build/ /usr/local/bin/
COPY hack/dockerfile/etc/docker/ /etc/docker/

# /usr/local/cli goes first on PATH.
ENV PATH=/usr/local/cli:$PATH

# The build tags are persisted as ENV, so they remain set in running containers.
ARG DOCKER_BUILDTAGS
ENV DOCKER_BUILDTAGS="${DOCKER_BUILDTAGS}"

WORKDIR /go/src/github.com/docker/docker
VOLUME /var/lib/docker
VOLUME /home/unprivilegeduser/.local/share/docker

# Wrap all commands in the "docker-in-docker" script to allow nested containers
# The path is relative to WORKDIR. No USER instruction appears in this stage,
# so the entrypoint runs as whichever user the parent stages leave active.
ENTRYPOINT ["hack/dind"]
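# Development image with systemd as init, layered on the non-systemd variant.
FROM dev-systemd-false AS dev-systemd-true
RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            dbus \
            dbus-user-session \
            systemd \
            systemd-sysv

# The entrypoint script comes from a third-party repository; the URL names a
# full commit hash, which fixes the revision that is requested.
# -f makes curl exit non-zero on an HTTP error instead of saving the error page
# as the entrypoint script; -sS hides the progress meter but still prints errors.
# NOTE(review): the download is not compared against a recorded checksum.
RUN mkdir -p hack \
    && curl -fsS -o hack/dind-systemd https://raw.githubusercontent.com/AkihiroSuda/containerized-systemd/b70bac0daeea120456764248164c21684ade7d0d/docker-entrypoint.sh \
    && chmod +x hack/dind-systemd
ENTRYPOINT ["hack/dind-systemd"]

# The SYSTEMD build argument picks dev-systemd-false or dev-systemd-true.
FROM dev-systemd-${SYSTEMD} AS dev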
# Common parent of the build-* stages: build metadata and the extra binaries.
FROM runtime-dev AS binary-base

# Each build argument is mirrored into an ENV of the same name, so the values
# are visible to the commands run in the build-* stages and persist as image
# metadata. They are therefore not a place for secrets.
ARG DOCKER_GITCOMMIT=HEAD
ENV DOCKER_GITCOMMIT=${DOCKER_GITCOMMIT}

ARG VERSION
ENV VERSION=${VERSION}

ARG PLATFORM
ENV PLATFORM=${PLATFORM}

ARG PRODUCT
ENV PRODUCT=${PRODUCT}

ARG DEFAULT_PRODUCT_LICENSE
ENV DEFAULT_PRODUCT_LICENSE=${DEFAULT_PRODUCT_LICENSE}

ARG PACKAGER_NAME
ENV PACKAGER_NAME=${PACKAGER_NAME}

ARG DOCKER_BUILDTAGS
ENV DOCKER_BUILDTAGS="${DOCKER_BUILDTAGS}"

ENV PREFIX=/build

# TODO: This is here because hack/make.sh binary copies these extras binaries
# from $PATH into the bundles dir.
# It would be nice to handle this in a different way.
COPY --from=tini        /build/ /usr/local/bin/
COPY --from=runc        /build/ /usr/local/bin/
COPY --from=containerd  /build/ /usr/local/bin/
COPY --from=rootlesskit /build/ /usr/local/bin/
COPY --from=vpnkit      /build/ /usr/local/bin/
COPY --from=gowinres    /build/ /usr/local/bin/

WORKDIR /go/src/github.com/docker/docker
# The three build stages share one shape: the build context is bind-mounted
# read-only over the working directory, the two cli/winresources directories
# get a tmpfs on top of it (presumably so generated resource files have a
# writable place to land), and /root/.cache is a build cache mount.

FROM binary-base AS build-binary
RUN --mount=type=cache,target=/root/.cache \
    --mount=type=bind,target=.,ro \
    --mount=type=tmpfs,target=cli/winresources/dockerd \
    --mount=type=tmpfs,target=cli/winresources/docker-proxy \
        hack/make.sh binary

FROM binary-base AS build-dynbinary
RUN --mount=type=cache,target=/root/.cache \
    --mount=type=bind,target=.,ro \
    --mount=type=tmpfs,target=cli/winresources/dockerd \
    --mount=type=tmpfs,target=cli/winresources/docker-proxy \
        hack/make.sh dynbinary

FROM binary-base AS build-cross
ARG DOCKER_CROSSPLATFORMS
RUN --mount=type=cache,target=/root/.cache \
    --mount=type=bind,target=.,ro \
    --mount=type=tmpfs,target=cli/winresources/dockerd \
    --mount=type=tmpfs,target=cli/winresources/docker-proxy \
        hack/make.sh cross
# Export stages: each holds only the bundles directory of its build stage.
FROM scratch AS binary
COPY --from=build-binary /build/bundles/ /

FROM scratch AS dynbinary
COPY --from=build-dynbinary /build/bundles/ /

FROM scratch AS cross
COPY --from=build-cross /build/bundles/ /

# Default target: the dev image with the source tree copied in.
# NOTE(review): `COPY .` takes the whole build context, so whatever is not
# excluded by .dockerignore (local credentials, .env files, VCS data) ends up
# in the image.
FROM dev AS final
COPY . /go/src/github.com/docker/docker