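# syntax=docker/dockerfile:1.1.7-experimental

# Dockerfile of github.com/demonoid81/moby@v0.0.0-20200517203328-62dd8e17c460.
# Multi-stage build: each helper tool is built in its own stage and copied
# into the "dev" image (development/test environment) or into "binary-base"
# (used by the build-binary / build-dynbinary / build-cross stages).
# The parser directive above must stay on the first line of the file.

# CROSS and SYSTEMD select between the "-true" and "-false" stage variants below.
ARG CROSS="false"
ARG SYSTEMD="false"
# IMPORTANT: When updating this please note that stdlib archive/tar pkg is vendored
ARG GO_VERSION=1.13.10
# Declared as ARG rather than ENV, so it is build-time only.
ARG DEBIAN_FRONTEND=noninteractive
ARG VPNKIT_VERSION=0.4.0
ARG DOCKER_BUILDTAGS="apparmor seccomp selinux"
# NOTE(review): the base image is selected by tag, not by digest.
ARG GOLANG_IMAGE="golang:${GO_VERSION}-buster"

FROM ${GOLANG_IMAGE} AS base
# Keep downloaded .deb files so the apt cache mounts used by later stages stay useful.
RUN echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
# APT_MIRROR is interpolated unescaped into the sed expressions below; it is a
# build argument, so whoever invokes the build chooses the package mirror.
ARG APT_MIRROR
RUN sed -ri "s/(httpredir|deb).debian.org/${APT_MIRROR:-deb.debian.org}/g" /etc/apt/sources.list \
    && sed -ri "s/(security).debian.org/${APT_MIRROR:-security.debian.org}/g" /etc/apt/sources.list
ENV GO111MODULE=off

FROM base AS criu
ARG DEBIAN_FRONTEND
# Install dependency packages specific to criu
# /var/lib/apt and /var/cache/apt are BuildKit cache mounts in every apt step
# of this file, so no explicit cleanup of those directories is done.
RUN --mount=type=cache,sharing=locked,id=moby-criu-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-criu-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            libcap-dev \
            libnet-dev \
            libnl-3-dev \
            libprotobuf-c-dev \
            libprotobuf-dev \
            protobuf-c-compiler \
            protobuf-compiler \
            python-protobuf

# Install CRIU for checkpoint/restore support
ENV CRIU_VERSION=3.13
# WORKDIR creates the directory and replaces the former "mkdir -p" + "cd".
WORKDIR /usr/src/criu
# The archive is downloaded to a file instead of being piped into tar: without
# pipefail the pipe hid curl's exit status, and without --fail an HTTP error
# body would have been handed to tar.
# NOTE(review): the tarball is fetched by version tag and its digest is not
# verified; record the expected sha256 and check it with "sha256sum -c" before
# extracting.
RUN curl -fsSL -o /tmp/criu.tar.gz "https://github.com/checkpoint-restore/criu/archive/v${CRIU_VERSION}.tar.gz" \
    && tar -xzf /tmp/criu.tar.gz --strip-components=1 \
    && rm -f /tmp/criu.tar.gz \
    && make \
    && make PREFIX=/build/ install-criu

FROM base AS registry
WORKDIR /go/src/github.com/docker/distribution
# Install two versions of the registry. The first one is a recent version that
# supports both schema 1 and 2 manifests. The second one is an older version that
# only supports schema1 manifests. This allows integration-cli tests to cover
# push/pull with both schema1 and schema2 manifests.
# The old version of the registry is not working on arm64, so installation is
# skipped on that architecture.
ENV REGISTRY_COMMIT_SCHEMA1=ec87e9b6971d831f0eff752ddb54fb64693e51cd
ENV REGISTRY_COMMIT=47a064d4195a9b56133891bbb13620c3ac83a827
# Both builds check out a full commit hash. The schema1 branch chains its
# commands with "&&" so a failed checkout aborts the build instead of silently
# rebuilding the commit that is already checked out.
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=tmpfs,target=/go/src/ \
        set -x \
        && git clone https://github.com/docker/distribution.git . \
        && git checkout -q "$REGISTRY_COMMIT" \
        && GOPATH="/go/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \
            go build -buildmode=pie -o /build/registry-v2 github.com/docker/distribution/cmd/registry \
        && case $(dpkg --print-architecture) in \
            amd64|armhf|ppc64*|s390x) \
                git checkout -q "$REGISTRY_COMMIT_SCHEMA1" \
                && GOPATH="/go/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \
                    go build -buildmode=pie -o /build/registry-v2-schema1 github.com/docker/distribution/cmd/registry \
                ;; \
        esac

FROM base AS swagger
WORKDIR $GOPATH/src/github.com/go-swagger/go-swagger
# Install go-swagger for validating swagger.yaml
# This is https://github.com/kolyshkin/go-swagger/tree/golang-1.13-fix
# TODO: move to under moby/ or fix upstream go-swagger to work for us.
ENV GO_SWAGGER_COMMIT=5e6cb12f7c82ce78e45ba71fa6cb1928094db050
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=tmpfs,target=/go/src/ \
        set -x \
        && git clone https://github.com/kolyshkin/go-swagger.git . \
        && git checkout -q "$GO_SWAGGER_COMMIT" \
        && go build -o /build/swagger github.com/go-swagger/go-swagger/cmd/swagger

FROM base AS frozen-images
ARG DEBIAN_FRONTEND
RUN --mount=type=cache,sharing=locked,id=moby-frozen-images-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-frozen-images-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            ca-certificates \
            jq
# Get useful and necessary Hub images so we can "docker load" locally instead of pulling
# Every image reference below carries a sha256 digest.
COPY contrib/download-frozen-image-v2.sh /
RUN /download-frozen-image-v2.sh /build \
        buildpack-deps:jessie@sha256:dd86dced7c9cd2a724e779730f0a53f93b7ef42228d4344b25ce9a42a1486251 \
        busybox:latest@sha256:bbc3a03235220b170ba48a157dd097dd1379299370e1ed99ce976df0355d24f0 \
        busybox:glibc@sha256:0b55a30394294ab23b9afd58fab94e61a923f5834fba7ddbae7f8e0c11ba85e6 \
        debian:jessie@sha256:287a20c5f73087ab406e6b364833e3fb7b3ae63ca0eb3486555dc27ed32c6e60 \
        hello-world:latest@sha256:be0cd392e45be79ffeffa6b05338b98ebb16c87b255f48e297ec7f98e123905c
# See also ensureFrozenImagesLinux() in "integration-cli/fixtures_linux_daemon_test.go" (which needs to be updated when adding images to this list)

FROM base AS cross-false

FROM --platform=linux/amd64 base AS cross-true
ARG DEBIAN_FRONTEND
RUN dpkg --add-architecture arm64
RUN dpkg --add-architecture armel
RUN dpkg --add-architecture armhf
RUN --mount=type=cache,sharing=locked,id=moby-cross-true-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-cross-true-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            crossbuild-essential-arm64 \
            crossbuild-essential-armel \
            crossbuild-essential-armhf

# Resolves to cross-true or cross-false depending on the CROSS build argument.
FROM cross-${CROSS} AS dev-base

FROM dev-base AS runtime-dev-cross-false
ARG DEBIAN_FRONTEND
RUN --mount=type=cache,sharing=locked,id=moby-cross-false-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-cross-false-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            binutils-mingw-w64 \
            g++-mingw-w64-x86-64 \
            libapparmor-dev \
            libbtrfs-dev \
            libdevmapper-dev \
            libseccomp-dev \
            libsystemd-dev \
            libudev-dev

FROM --platform=linux/amd64 runtime-dev-cross-false AS runtime-dev-cross-true
ARG DEBIAN_FRONTEND
# These crossbuild packages rely on gcc-<arch>, but this doesn't want to install
# on non-amd64 systems.
# Additionally, the crossbuild-amd64 is currently only on debian:buster, so
# other architectures cannot crossbuild amd64.
RUN --mount=type=cache,sharing=locked,id=moby-cross-true-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-cross-true-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            libapparmor-dev:arm64 \
            libapparmor-dev:armel \
            libapparmor-dev:armhf \
            libseccomp-dev:arm64 \
            libseccomp-dev:armel \
            libseccomp-dev:armhf

FROM runtime-dev-cross-${CROSS} AS runtime-dev

# The tool stages below bind-mount hack/dockerfile/install and run install.sh
# with the tool name. Their *_COMMIT / *_VERSION arguments are declared without
# defaults here; presumably install.sh supplies the pinned values (confirm in
# hack/dockerfile/install).
FROM base AS tomlv
ARG TOMLV_COMMIT
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
        PREFIX=/build /tmp/install/install.sh tomlv

FROM base AS vndr
ARG VNDR_COMMIT
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
        PREFIX=/build /tmp/install/install.sh vndr

FROM dev-base AS containerd
ARG DEBIAN_FRONTEND
RUN --mount=type=cache,sharing=locked,id=moby-containerd-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-containerd-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            libbtrfs-dev
ARG CONTAINERD_COMMIT
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
        PREFIX=/build /tmp/install/install.sh containerd

FROM dev-base AS proxy
ARG LIBNETWORK_COMMIT
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
        PREFIX=/build /tmp/install/install.sh proxy

FROM base AS golangci_lint
ARG GOLANGCI_LINT_COMMIT
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
        PREFIX=/build /tmp/install/install.sh golangci_lint

FROM base AS gotestsum
ARG GOTESTSUM_COMMIT
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
        PREFIX=/build /tmp/install/install.sh gotestsum

FROM base AS shfmt
ARG SHFMT_COMMIT
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
        PREFIX=/build /tmp/install/install.sh shfmt

FROM dev-base AS dockercli
ARG DOCKERCLI_CHANNEL
ARG DOCKERCLI_VERSION
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
        PREFIX=/build /tmp/install/install.sh dockercli

FROM runtime-dev AS runc
ARG RUNC_COMMIT
ARG RUNC_BUILDTAGS
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
        PREFIX=/build /tmp/install/install.sh runc

FROM dev-base AS tini
ARG DEBIAN_FRONTEND
ARG TINI_COMMIT
RUN --mount=type=cache,sharing=locked,id=moby-tini-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-tini-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            cmake \
            vim-common
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
        PREFIX=/build /tmp/install/install.sh tini

FROM dev-base AS rootlesskit
ARG ROOTLESSKIT_COMMIT
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
        PREFIX=/build /tmp/install/install.sh rootlesskit
COPY ./contrib/dockerd-rootless.sh /build

# NOTE(review): third-party image referenced by tag only; the tag can be
# re-pointed upstream. Pin it by digest (image:tag@sha256:<digest>) the way the
# frozen images above are pinned.
FROM djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit

# TODO: Some of this is only really needed for testing, it would be nice to split this up
# NOTE(review): no USER instruction is set in this stage, so the dev image runs
# as root; presumably required by the nested-daemon entrypoint - confirm.
FROM runtime-dev AS dev-systemd-false
ARG DEBIAN_FRONTEND
RUN groupadd -r docker
RUN useradd --create-home --gid docker unprivilegeduser \
    && mkdir -p /home/unprivilegeduser/.local/share/docker \
    && chown -R unprivilegeduser /home/unprivilegeduser
# Let us use a .bashrc file
RUN ln -sfv /go/src/github.com/demonoid81/moby/.bashrc ~/.bashrc
# Activate bash completion and include Docker's completion if mounted with DOCKER_BASH_COMPLETION_PATH
RUN echo "source /usr/share/bash-completion/bash_completion" >> /etc/bash.bashrc
RUN ln -s /usr/local/completion/bash/docker /etc/bash_completion.d/docker
RUN ldconfig
# This should only install packages that are specifically needed for the dev environment and nothing else
# Do you really need to add another package here? Can it be done in a different build stage?
RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            apparmor \
            aufs-tools \
            bash-completion \
            bzip2 \
            iptables \
            jq \
            libcap2-bin \
            libnet1 \
            libnl-3-200 \
            libprotobuf-c1 \
            net-tools \
            pigz \
            python3-pip \
            python3-setuptools \
            python3-wheel \
            sudo \
            thin-provisioning-tools \
            uidmap \
            vim \
            vim-common \
            xfsprogs \
            xz-utils \
            zip


# Switch to use iptables instead of nftables (to match the CI hosts)
# TODO use some kind of runtime auto-detection instead if/when nftables is supported (https://github.com/moby/moby/issues/26824)
# Each "|| true" keeps the step from failing when an alternative cannot be set.
RUN update-alternatives --set iptables /usr/sbin/iptables-legacy || true \
    && update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy || true \
    && update-alternatives --set arptables /usr/sbin/arptables-legacy || true

RUN pip3 install yamllint==1.16.0

COPY --from=dockercli /build/ /usr/local/cli
COPY --from=frozen-images /build/ /docker-frozen-images
COPY --from=swagger /build/ /usr/local/bin/
COPY --from=tomlv /build/ /usr/local/bin/
COPY --from=tini /build/ /usr/local/bin/
COPY --from=registry /build/ /usr/local/bin/
COPY --from=criu /build/ /usr/local/
COPY --from=vndr /build/ /usr/local/bin/
COPY --from=gotestsum /build/ /usr/local/bin/
COPY --from=golangci_lint /build/ /usr/local/bin/
COPY --from=shfmt /build/ /usr/local/bin/
COPY --from=runc /build/ /usr/local/bin/
COPY --from=containerd /build/ /usr/local/bin/
COPY --from=rootlesskit /build/ /usr/local/bin/
COPY --from=vpnkit /vpnkit /usr/local/bin/vpnkit.x86_64
COPY --from=proxy /build/ /usr/local/bin/
ENV PATH=/usr/local/cli:$PATH
ARG DOCKER_BUILDTAGS
ENV DOCKER_BUILDTAGS="${DOCKER_BUILDTAGS}"
WORKDIR /go/src/github.com/demonoid81/moby
VOLUME /var/lib/docker
VOLUME /home/unprivilegeduser/.local/share/docker
# Wrap all commands in the "docker-in-docker" script to allow nested containers
ENTRYPOINT ["hack/dind"]

FROM dev-systemd-false AS dev-systemd-true
RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            dbus \
            dbus-user-session \
            systemd \
            systemd-sysv
# The entrypoint script is fetched at a fixed commit. --fail makes the build
# stop on an HTTP error; previously the error body would have been saved as
# hack/dind-systemd and marked executable.
RUN mkdir -p hack \
    && curl -fsS -o hack/dind-systemd https://raw.githubusercontent.com/AkihiroSuda/containerized-systemd/b70bac0daeea120456764248164c21684ade7d0d/docker-entrypoint.sh \
    && chmod +x hack/dind-systemd
ENTRYPOINT ["hack/dind-systemd"]

# Resolves to dev-systemd-true or dev-systemd-false depending on SYSTEMD.
FROM dev-systemd-${SYSTEMD} AS dev

FROM runtime-dev AS binary-base
# These build arguments are re-exported as ENV, so they are visible in the
# image configuration of this stage and of the build-* stages derived from it.
ARG DOCKER_GITCOMMIT=HEAD
ENV DOCKER_GITCOMMIT=${DOCKER_GITCOMMIT}
ARG VERSION
ENV VERSION=${VERSION}
ARG PLATFORM
ENV PLATFORM=${PLATFORM}
ARG PRODUCT
ENV PRODUCT=${PRODUCT}
ARG DEFAULT_PRODUCT_LICENSE
ENV DEFAULT_PRODUCT_LICENSE=${DEFAULT_PRODUCT_LICENSE}
ARG DOCKER_BUILDTAGS
ENV DOCKER_BUILDTAGS="${DOCKER_BUILDTAGS}"
ENV PREFIX=/build
# TODO: This is here because hack/make.sh binary copies these extras binaries
# from $PATH into the bundles dir.
# It would be nice to handle this in a different way.
COPY --from=tini /build/ /usr/local/bin/
COPY --from=runc /build/ /usr/local/bin/
COPY --from=containerd /build/ /usr/local/bin/
COPY --from=rootlesskit /build/ /usr/local/bin/
COPY --from=proxy /build/ /usr/local/bin/
COPY --from=vpnkit /vpnkit /usr/local/bin/vpnkit.x86_64
WORKDIR /go/src/github.com/demonoid81/moby

# The build-* stages bind-mount the build context at the source path instead of
# copying it into a layer.
FROM binary-base AS build-binary
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=bind,target=/go/src/github.com/demonoid81/moby \
        hack/make.sh binary

FROM binary-base AS build-dynbinary
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=bind,target=/go/src/github.com/demonoid81/moby \
        hack/make.sh dynbinary

FROM binary-base AS build-cross
ARG DOCKER_CROSSPLATFORMS
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=bind,target=/go/src/github.com/demonoid81/moby \
    --mount=type=tmpfs,target=/go/src/github.com/demonoid81/moby/autogen \
        hack/make.sh cross

# Export-only stages: they contain nothing but the bundles built above.
FROM scratch AS binary
COPY --from=build-binary /build/bundles/ /

FROM scratch AS dynbinary
COPY --from=build-dynbinary /build/bundles/ /

FROM scratch AS cross
COPY --from=build-cross /build/bundles/ /

FROM dev AS final
# NOTE(review): this copies the whole build context into the image; confirm
# that .dockerignore excludes .git, local credentials and build output.
COPY . /go/src/github.com/demonoid81/moby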