moby--moby/Dockerfile.e2e

ARG GO_VERSION=1.13.7

FROM golang:${GO_VERSION}-alpine AS base
ENV GO111MODULE=off
RUN apk --no-cache add \
    bash \
    btrfs-progs-dev \
    build-base \
    curl \
    lvm2-dev \
    jq

RUN mkdir -p /build/
RUN mkdir -p /go/src/github.com/docker/docker/
WORKDIR /go/src/github.com/docker/docker/

FROM base AS frozen-images
# Get useful and necessary Hub images so we can "docker load" locally instead of pulling
COPY contrib/download-frozen-image-v2.sh /
RUN /download-frozen-image-v2.sh /build \
	buildpack-deps:jessie@sha256:dd86dced7c9cd2a724e779730f0a53f93b7ef42228d4344b25ce9a42a1486251 \
	busybox:latest@sha256:bbc3a03235220b170ba48a157dd097dd1379299370e1ed99ce976df0355d24f0 \
	busybox:glibc@sha256:0b55a30394294ab23b9afd58fab94e61a923f5834fba7ddbae7f8e0c11ba85e6 \
	debian:jessie@sha256:287a20c5f73087ab406e6b364833e3fb7b3ae63ca0eb3486555dc27ed32c6e60 \
	hello-world:latest@sha256:be0cd392e45be79ffeffa6b05338b98ebb16c87b255f48e297ec7f98e123905c
# See also ensureFrozenImagesLinux() in "integration-cli/fixtures_linux_daemon_test.go" (which needs to be updated when adding images to this list)

FROM base AS dockercli
ENV INSTALL_BINARY_NAME=dockercli
COPY hack/dockerfile/install/install.sh ./install.sh
COPY hack/dockerfile/install/$INSTALL_BINARY_NAME.installer ./
RUN PREFIX=/build ./install.sh $INSTALL_BINARY_NAME

# Build DockerSuite.TestBuild* dependency
FROM base AS contrib
COPY contrib/syscall-test           /build/syscall-test
COPY contrib/httpserver/Dockerfile  /build/httpserver/Dockerfile
COPY contrib/httpserver             contrib/httpserver
RUN CGO_ENABLED=0 go build -buildmode=pie -o /build/httpserver/httpserver github.com/docker/docker/contrib/httpserver

# Build the integration tests and copy the resulting binaries to /build/tests
FROM base AS builder

# Set tag and add sources
COPY . .
# Copy test sources tests that use assert can print errors
RUN mkdir -p /build${PWD} && find integration integration-cli -name \*_test.go -exec cp --parents '{}' /build${PWD} \;
# Build and install test binaries
ARG DOCKER_GITCOMMIT=undefined
RUN hack/make.sh build-integration-test-binary
RUN mkdir -p /build/tests && find . -name test.main -exec cp --parents '{}' /build/tests \;

## Generate testing image
FROM alpine:3.10 as runner

ENV DOCKER_REMOTE_DAEMON=1
ENV DOCKER_INTEGRATION_DAEMON_DEST=/
ENTRYPOINT ["/scripts/run.sh"]

# Add an unprivileged user to be used for tests which need it
RUN addgroup docker && adduser -D -G docker unprivilegeduser -s /bin/ash

# GNU tar is used for generating the emptyfs image
RUN apk --no-cache add \
    bash \
    ca-certificates \
    g++ \
    git \
    iptables \
    pigz \
    tar \
    xz

COPY hack/test/e2e-run.sh       /scripts/run.sh
COPY hack/make/.ensure-emptyfs  /scripts/ensure-emptyfs.sh

COPY integration/testdata       /tests/integration/testdata
COPY integration/build/testdata /tests/integration/build/testdata
COPY integration-cli/fixtures   /tests/integration-cli/fixtures

COPY --from=frozen-images /build/ /docker-frozen-images
COPY --from=dockercli     /build/ /usr/bin/
COPY --from=contrib       /build/ /tests/contrib/
COPY --from=builder       /build/ /
Update Golang 1.13.7 (CVE-2020-0601, CVE-2020-7919) full diff: https://github.com/golang/go/compare/go1.13.6...go1.13.7 go1.13.7 (released 2020/01/28) includes two security fixes. One mitigates the CVE-2020-0601 certificate verification bypass on Windows. The other affects only 32-bit architectures. https://github.com/golang/go/issues?q=milestone%3AGo1.13.7+label%3ACherryPickApproved - X.509 certificate validation bypass on Windows 10 A Windows vulnerability allows attackers to spoof valid certificate chains when the system root store is in use. These releases include a mitigation for Go applications, but it’s strongly recommended that affected users install the Windows security update to protect their system. This issue is CVE-2020-0601 and Go issue golang.org/issue/36834. - Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837. This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-01-29 17:13:13 +00:00			`ARG GO_VERSION=1.13.7`
Dockerfile: use GO_VERSION build-arg for overriding Go version This allows overriding the version of Go without making modifications in the source code, which can be useful to test against multiple versions. For example: make GO_VERSION=1.13beta1 shell Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-07-17 11:59:16 +00:00
			`FROM golang:${GO_VERSION}-alpine AS base`
Dockerfile: set GO111MODULE=off Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-09-11 07:36:53 +00:00			`ENV GO111MODULE=off`
Dockerfile.e2e: simplify apk calls As of Alpine Linux 3.3 (or 3.2?) there exists a new --no-cache option for apk. It allows users to install packages with an index that is updated and used on-the-fly and not cached locally. This avoids the need to use --update and remove /var/cache/apk/* when done installing packages. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> 2018-10-03 00:57:42 +00:00			`RUN apk --no-cache add \`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00			`bash \`
e2e: Add missing headers for build Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-11-03 09:09:06 +00:00			`btrfs-progs-dev \`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00			`build-base \`
			`curl \`
			`lvm2-dev \`
Dockerfile.e2e: simplify apk calls As of Alpine Linux 3.3 (or 3.2?) there exists a new --no-cache option for apk. It allows users to install packages with an index that is updated and used on-the-fly and not cached locally. This avoids the need to use --update and remove /var/cache/apk/* when done installing packages. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> 2018-10-03 00:57:42 +00:00			`jq`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00
Dockerfile.e2e: move frozen-images to a separate stage Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:15:03 +00:00			`RUN mkdir -p /build/`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00			`RUN mkdir -p /go/src/github.com/docker/docker/`
			`WORKDIR /go/src/github.com/docker/docker/`

Dockerfile.e2e: move frozen-images to a separate stage Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:15:03 +00:00			`FROM base AS frozen-images`
			`# Get useful and necessary Hub images so we can "docker load" locally instead of pulling`
			`COPY contrib/download-frozen-image-v2.sh /`
			`RUN /download-frozen-image-v2.sh /build \`
Unify the frozen images to the multi-arch version Update and unify the `busybox` images on all arches to the `glibc` multi-arch version and remove the temp workaround on amd64 which uses the old version busybox (v1.26) before this PR to bypass the failure of those network related test cases. Also, this PR will fix all the network related issues with `glibc` version `busybox` image. Signed-off-by: Dennis Chen <dennis.chen@arm.com> 2018-02-13 04:52:10 +00:00			`buildpack-deps:jessie@sha256:dd86dced7c9cd2a724e779730f0a53f93b7ef42228d4344b25ce9a42a1486251 \`
Add `busybox:latest` into the frozen images Adding `busybox:latest` and `busybox:glibc` as the frozen images Signed-off-by: Dennis Chen <dennis.chen@arm.com> 2018-02-27 06:28:29 +00:00			`busybox:latest@sha256:bbc3a03235220b170ba48a157dd097dd1379299370e1ed99ce976df0355d24f0 \`
			`busybox:glibc@sha256:0b55a30394294ab23b9afd58fab94e61a923f5834fba7ddbae7f8e0c11ba85e6 \`
Unify the frozen images to the multi-arch version Update and unify the `busybox` images on all arches to the `glibc` multi-arch version and remove the temp workaround on amd64 which uses the old version busybox (v1.26) before this PR to bypass the failure of those network related test cases. Also, this PR will fix all the network related issues with `glibc` version `busybox` image. Signed-off-by: Dennis Chen <dennis.chen@arm.com> 2018-02-13 04:52:10 +00:00			`debian:jessie@sha256:287a20c5f73087ab406e6b364833e3fb7b3ae63ca0eb3486555dc27ed32c6e60 \`
			`hello-world:latest@sha256:be0cd392e45be79ffeffa6b05338b98ebb16c87b255f48e297ec7f98e123905c`
Dockerfile.e2e: move frozen-images to a separate stage Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:15:03 +00:00			`# See also ensureFrozenImagesLinux() in "integration-cli/fixtures_linux_daemon_test.go" (which needs to be updated when adding images to this list)`

Dockerfile.e2e: move dockercli to a separate build-stage Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:24:33 +00:00			`FROM base AS dockercli`
			`ENV INSTALL_BINARY_NAME=dockercli`
			`COPY hack/dockerfile/install/install.sh ./install.sh`
			`COPY hack/dockerfile/install/$INSTALL_BINARY_NAME.installer ./`
			`RUN PREFIX=/build ./install.sh $INSTALL_BINARY_NAME`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00
Dockerfile.e2e: move "contrib" to a separate build-stage Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:26:10 +00:00			`# Build DockerSuite.TestBuild* dependency`
			`FROM base AS contrib`
			`COPY contrib/syscall-test /build/syscall-test`
			`COPY contrib/httpserver/Dockerfile /build/httpserver/Dockerfile`
			`COPY contrib/httpserver contrib/httpserver`
			`RUN CGO_ENABLED=0 go build -buildmode=pie -o /build/httpserver/httpserver github.com/docker/docker/contrib/httpserver`

			`# Build the integration tests and copy the resulting binaries to /build/tests`
Dockerfile.e2e: move dockercli to a separate build-stage Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:24:33 +00:00			`FROM base AS builder`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00
Fixes for dnephin review Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-12 12:53:20 +00:00			`# Set tag and add sources`
Dockerfile.e2e: re-order steps for caching Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:20:24 +00:00			`COPY . .`
Dockerfile.e2e: copy test sources Package "gotest.tools/assert" uses source introspection to print more info in case of assertion failure. When source code is not available, it prints an error instead. In other words, before this commit: > --- SKIP: TestCgroupDriverSystemdMemoryLimit (0.00s) > cgroupdriver_systemd_test.go:32: failed to parse source file: /go/src/github.com/docker/docker/integration/system/cgroupdriver_systemd_test.go: open /go/src/github.com/docker/docker/integration/system/cgroupdriver_systemd_test.go: no such file or directory > cgroupdriver_systemd_test.go:32: and after: > --- SKIP: TestCgroupDriverSystemdMemoryLimit (0.09s) > cgroupdriver_systemd_test.go:32: !hasSystemd() This increases the resulting image size by about 2 MB on my system (from 758 to 760 MB). Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> 2019-04-27 04:38:55 +00:00			`# Copy test sources tests that use assert can print errors`
			`RUN mkdir -p /build${PWD} && find integration integration-cli -name \*_test.go -exec cp --parents '{}' /build${PWD} \;`
			`# Build and install test binaries`
Dockerfile.e2e: fix DOCKER_GITCOMMIT handling 1. There is no need to persist DOCKER_GITCOMMIT, as it's not needed for runtime, only for build. So, remove ENV. 2. In case $GITCOMMIT is not defined during build time (and it happens if .git directory is not present), we still need to have some value set, so set it to `undefined`. Otherwise we'll have something like > => ERROR [builder 2/3] RUN hack/make.sh build-integration-test-binary > ------ > > [builder 2/3] RUN hack/make.sh build-integration-test-binary: > #32 0.488 > #32 0.505 error: .git directory missing and DOCKER_GITCOMMIT not specified > #32 0.505 Please either build with the .git directory accessible, or specify the > #32 0.505 exact (--short) commit hash you are building using DOCKER_GITCOMMIT for > #32 0.505 future accountability in diagnosing build issues. Thanks! Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> 2019-04-30 07:22:22 +00:00			`ARG DOCKER_GITCOMMIT=undefined`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00			`RUN hack/make.sh build-integration-test-binary`
Dockerfile.e2e: copy test sources Package "gotest.tools/assert" uses source introspection to print more info in case of assertion failure. When source code is not available, it prints an error instead. In other words, before this commit: > --- SKIP: TestCgroupDriverSystemdMemoryLimit (0.00s) > cgroupdriver_systemd_test.go:32: failed to parse source file: /go/src/github.com/docker/docker/integration/system/cgroupdriver_systemd_test.go: open /go/src/github.com/docker/docker/integration/system/cgroupdriver_systemd_test.go: no such file or directory > cgroupdriver_systemd_test.go:32: and after: > --- SKIP: TestCgroupDriverSystemdMemoryLimit (0.09s) > cgroupdriver_systemd_test.go:32: !hasSystemd() This increases the resulting image size by about 2 MB on my system (from 758 to 760 MB). Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> 2019-04-27 04:38:55 +00:00			`RUN mkdir -p /build/tests && find . -name test.main -exec cp --parents '{}' /build/tests \;`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00
Dockerfile.e2e: move frozen-images to a separate stage Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:15:03 +00:00			`## Generate testing image`
Update to using alpine 3.10 Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com> 2019-06-23 17:39:20 +00:00			`FROM alpine:3.10 as runner`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00
Dockerfile.e2e: re-order steps for caching Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:20:24 +00:00			`ENV DOCKER_REMOTE_DAEMON=1`
			`ENV DOCKER_INTEGRATION_DAEMON_DEST=/`
			`ENTRYPOINT ["/scripts/run.sh"]`

			`# Add an unprivileged user to be used for tests which need it`
			`RUN addgroup docker && adduser -D -G docker unprivilegeduser -s /bin/ash`

Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00			`# GNU tar is used for generating the emptyfs image`
Dockerfile.e2e: simplify apk calls As of Alpine Linux 3.3 (or 3.2?) there exists a new --no-cache option for apk. It allows users to install packages with an index that is updated and used on-the-fly and not cached locally. This avoids the need to use --update and remove /var/cache/apk/* when done installing packages. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> 2018-10-03 00:57:42 +00:00			`RUN apk --no-cache add \`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00			`bash \`
			`ca-certificates \`
			`g++ \`
			`git \`
			`iptables \`
Make image (layer) downloads faster by using pigz The Golang built-in gzip library is serialized, and fairly slow at decompressing. It also only decompresses on demand, versus pipelining decompression. This change switches to using the pigz external command for gzip decompression, as opposed to using the built-in golang one. This code is not vendored, but will be used if it autodetected as part of the OS. This also switches to using context, versus a manually managed channel to manage cancellations, and synchronization. There is a little bit of weirdness around manually having to cancel in the error cases. Signed-off-by: Sargun Dhillon <sargun@sargun.me> 2018-01-16 18:49:18 +00:00			`pigz \`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00			`tar \`
Dockerfile.e2e: simplify apk calls As of Alpine Linux 3.3 (or 3.2?) there exists a new --no-cache option for apk. It allows users to install packages with an index that is updated and used on-the-fly and not cached locally. This avoids the need to use --update and remove /var/cache/apk/* when done installing packages. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> 2018-10-03 00:57:42 +00:00			`xz`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00
Dockerfile.e2e: re-order steps for caching Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:20:24 +00:00			`COPY hack/test/e2e-run.sh /scripts/run.sh`
			`COPY hack/make/.ensure-emptyfs /scripts/ensure-emptyfs.sh`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00
Dockerfile.e2e fix TestBuildPreserveOwnership The Dockerfile missed some fixtures, which caused this test fail when running from this image. I also noticed some other fixtures missing in integration-cli, where the image had symlinks to some certificates, but the original files were not included; ``` \|-- integration-cli \|-- fixtures \| \|-- auth \| \| `-- docker-credential-shell-test \| \|-- credentialspecs \| \| `-- valid.json \| \|-- https \| \| \|-- ca.pem -> ../../../integration/testdata/https/ca.pem \| \| \|-- client-cert.pem -> ../../../integration/testdata/https/client-cert.pem \| \| \|-- client-key.pem -> ../../../integration/testdata/https/client-key.pem \| \| \|-- client-rogue-cert.pem \| \| \|-- client-rogue-key.pem \| \| \|-- server-cert.pem -> ../../../integration/testdata/https/server-cert.pem \| \| \|-- server-key.pem -> ../../../integration/testdata/https/server-key.pem \| \| \|-- server-rogue-cert.pem \| \| `-- server-rogue-key.pem ``` Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:02:22 +00:00			`COPY integration/testdata /tests/integration/testdata`
			`COPY integration/build/testdata /tests/integration/build/testdata`
			`COPY integration-cli/fixtures /tests/integration-cli/fixtures`
Containerize integration tests Signed-off-by: Christopher Crone <christopher.crone@docker.com> 2017-09-08 14:43:04 +00:00
Dockerfile.e2e: move frozen-images to a separate stage Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:15:03 +00:00			`COPY --from=frozen-images /build/ /docker-frozen-images`
Dockerfile.e2e: move dockercli to a separate build-stage Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:24:33 +00:00			`COPY --from=dockercli /build/ /usr/bin/`
Dockerfile.e2e: move "contrib" to a separate build-stage Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-19 14:26:10 +00:00			`COPY --from=contrib /build/ /tests/contrib/`
Dockerfile.e2e: copy test sources Package "gotest.tools/assert" uses source introspection to print more info in case of assertion failure. When source code is not available, it prints an error instead. In other words, before this commit: > --- SKIP: TestCgroupDriverSystemdMemoryLimit (0.00s) > cgroupdriver_systemd_test.go:32: failed to parse source file: /go/src/github.com/docker/docker/integration/system/cgroupdriver_systemd_test.go: open /go/src/github.com/docker/docker/integration/system/cgroupdriver_systemd_test.go: no such file or directory > cgroupdriver_systemd_test.go:32: and after: > --- SKIP: TestCgroupDriverSystemdMemoryLimit (0.09s) > cgroupdriver_systemd_test.go:32: !hasSystemd() This increases the resulting image size by about 2 MB on my system (from 758 to 760 MB). Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> 2019-04-27 04:38:55 +00:00			`COPY --from=builder /build/ /`