# syntax=docker/dockerfile:1.3

# Global build arguments. They are declared before the first FROM, so they can
# be used in FROM lines; a stage that needs one of them inside its own
# instructions re-declares it (for example `ARG DEBIAN_FRONTEND` below).
ARG CROSS="false"
ARG SYSTEMD="false"
# IMPORTANT: When updating this please note that stdlib archive/tar pkg is vendored
ARG GO_VERSION=1.17.4
ARG DEBIAN_FRONTEND=noninteractive
ARG VPNKIT_VERSION=0.5.0
ARG DOCKER_BUILDTAGS="apparmor seccomp"

ARG BASE_DEBIAN_DISTRO="bullseye"
ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"

# base: the Go toolchain image that most other stages in this file start from.
# NOTE(review): the image is selected by tag (GO_VERSION + distro), not by
# digest, so the content behind the tag can change between builds.
FROM ${GOLANG_IMAGE} AS base
# Tell apt to keep downloaded packages; later stages mount /var/cache/apt as a
# BuildKit cache, which presumably relies on this setting.
RUN echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
# Optional mirror host. When set, it replaces the Debian archive and security
# host names in sources.list, so every apt install in derived stages fetches
# from that host.
# NOTE(review): only point APT_MIRROR at a mirror you trust; confirm that
# repository signature checking is left enabled for it.
ARG APT_MIRROR
RUN sed -ri "s/(httpredir|deb).debian.org/${APT_MIRROR:-deb.debian.org}/g" /etc/apt/sources.list \
 && sed -ri "s/(security).debian.org/${APT_MIRROR:-security.debian.org}/g" /etc/apt/sources.list
ENV GO111MODULE=off

# criu: installs the criu package from the openSUSE build service repository
# and exports the binary as /build/criu.
FROM base AS criu
ARG DEBIAN_FRONTEND
# The repository signing key is fetched at build time and no checksum is given
# to ADD, so whatever the URL serves becomes a trusted apt key in this stage.
# NOTE(review): keys under /etc/apt/trusted.gpg.d are accepted for every
# configured repository, not only the criu one; consider pinning the key's
# checksum and scoping it to the criu source entry.
ADD --chmod=0644 https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_11/Release.key /etc/apt/trusted.gpg.d/criu.gpg.asc
RUN --mount=type=cache,sharing=locked,id=moby-criu-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-criu-aptcache,target=/var/cache/apt \
        echo 'deb https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_11/ /' > /etc/apt/sources.list.d/criu.list \
        && apt-get update \
        && apt-get install -y --no-install-recommends criu \
        && install -D /usr/sbin/criu /build/criu

# registry: builds registry binaries from the docker/distribution repository.
FROM base AS registry
WORKDIR /go/src/github.com/docker/distribution

# REGISTRY_VERSION specifies the version of the registry to build and install
# from the https://github.com/docker/distribution repository. This version of
# the registry is used to test both schema 1 and schema 2 manifests. Generally,
# the version specified here should match a current release.
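ARG REGISTRY_VERSION=v2.3.0

# REGISTRY_VERSION_SCHEMA1 specifies the version of the registry to build and
# install from the https://github.com/docker/distribution repository. This is
# an older (pre v2.3.0) version of the registry that only supports schema1
# manifests. This version of the registry is not working on arm64, so installation
# is skipped on that architecture.
ARG REGISTRY_VERSION_SCHEMA1=v2.1.0
# The source is cloned into a tmpfs mounted over /go/src/, so the checkout is
# not written into the image layer; only the binaries under /build are kept.
# NOTE(review): both versions are checked out by name (they look like tags),
# which the upstream repository can move; a commit hash would be immutable.
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=tmpfs,target=/go/src/ \
        set -x \
        && git clone https://github.com/docker/distribution.git . \
        && git checkout -q "$REGISTRY_VERSION" \
        && GOPATH="/go/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \
           go build -buildmode=pie -o /build/registry-v2 github.com/docker/distribution/cmd/registry \
        && case $(dpkg --print-architecture) in \
               amd64|armhf|ppc64*|s390x) \
               git checkout -q "$REGISTRY_VERSION_SCHEMA1"; \
               GOPATH="/go/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH"; \
               go build -buildmode=pie -o /build/registry-v2-schema1 github.com/docker/distribution/cmd/registry; \
                ;; \
           esac

FROM base AS swagger
WORKDIR $GOPATH/src/github.com/go-swagger/go-swagger

# GO_SWAGGER_COMMIT specifies the version of the go-swagger binary to build and
# install. Go-swagger is used in CI for validating swagger.yaml in hack/validate/swagger-gen
#
# Currently uses a fork from https://github.com/kolyshkin/go-swagger/tree/golang-1.13-fix,
# TODO: move to under moby/ or fix upstream go-swagger to work for us.
#
# Written in key=value form; the space-separated ENV form is deprecated.
# The checkout below is pinned to this full commit hash.
ENV GO_SWAGGER_COMMIT=c56166c036004ba7a3a321e5951ba472b9ae298c
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=tmpfs,target=/go/src/ \
        set -x \
        && git clone https://github.com/kolyshkin/go-swagger.git . \
        && git checkout -q "$GO_SWAGGER_COMMIT" \
        && go build -o /build/swagger github.com/go-swagger/go-swagger/cmd/swagger

# frozen-images: downloads a fixed set of Hub images into /build so tests can
# "docker load" them. Every image reference below carries a sha256 digest.
FROM debian:${BASE_DEBIAN_DISTRO} AS frozen-images
ARG DEBIAN_FRONTEND
RUN --mount=type=cache,sharing=locked,id=moby-frozen-images-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-frozen-images-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            ca-certificates \
            curl \
            jq
# Get useful and necessary Hub images so we can "docker load" locally instead of pulling
COPY contrib/download-frozen-image-v2.sh /
ARG TARGETARCH
RUN /download-frozen-image-v2.sh /build \
        busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
        busybox:glibc@sha256:1f81263701cddf6402afe9f33fca0266d9fff379e59b1748f33d3072da71ee85 \
        debian:bullseye-slim@sha256:dacf278785a4daa9de07596ec739dbc07131e189942772210709c5c0777e8437 \
        hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 \
        arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1
# See also frozenImages in "testutil/environment/protect.go" (which needs to be updated when adding images to this list)

# cross-false / cross-true: the CROSS build argument selects which of these two
# stages becomes dev-base. cross-true is fixed to linux/amd64 and adds the
# cross-compilation toolchains.
FROM base AS cross-false

FROM --platform=linux/amd64 base AS cross-true
ARG DEBIAN_FRONTEND
RUN dpkg --add-architecture arm64
RUN dpkg --add-architecture armel
RUN dpkg --add-architecture armhf
RUN dpkg --add-architecture ppc64el
RUN dpkg --add-architecture s390x
RUN --mount=type=cache,sharing=locked,id=moby-cross-true-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-cross-true-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            crossbuild-essential-arm64 \
            crossbuild-essential-armel \
            crossbuild-essential-armhf \
            crossbuild-essential-ppc64el \
            crossbuild-essential-s390x

FROM cross-${CROSS} AS dev-base

# runtime-dev-cross-false: native development headers (apparmor, seccomp,
# btrfs, devmapper, systemd, udev) plus the mingw-w64 toolchain packages.
FROM dev-base AS runtime-dev-cross-false
ARG DEBIAN_FRONTEND
RUN --mount=type=cache,sharing=locked,id=moby-cross-false-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-cross-false-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            binutils-mingw-w64 \
            g++-mingw-w64-x86-64 \
            libapparmor-dev \
            libbtrfs-dev \
            libdevmapper-dev \
            libseccomp-dev \
            libsystemd-dev \
            libudev-dev

FROM --platform=linux/amd64 runtime-dev-cross-false AS runtime-dev-cross-true
ARG DEBIAN_FRONTEND
# These crossbuild packages rely on gcc-<arch>, but this doesn't want to install
# on non-amd64 systems, so other architectures cannot crossbuild amd64.
RUN --mount=type=cache,sharing=locked,id=moby-cross-true-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-cross-true-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            libapparmor-dev:arm64 \
            libapparmor-dev:armel \
            libapparmor-dev:armhf \
            libapparmor-dev:ppc64el \
            libapparmor-dev:s390x \
            libseccomp-dev:arm64 \
            libseccomp-dev:armel \
            libseccomp-dev:armhf \
            libseccomp-dev:ppc64el \
            libseccomp-dev:s390x

FROM runtime-dev-cross-${CROSS} AS runtime-dev

FROM base AS tomll
# GOTOML_VERSION specifies the version of the tomll binary to build and install
# from the https://github.com/pelletier/go-toml repository. This binary is used
# in CI in the hack/validate/toml script.
#
# When updating this version, consider updating the github.com/pelletier/go-toml
# dependency in vendor.conf accordingly.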
ARG GOTOML_VERSION=v1.8.1
# Tool stages in this group follow one pattern: `go install module@version`
# into /build, then run the binary once so a broken build fails this stage.
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        GOBIN=/build/ GO111MODULE=on go install "github.com/pelletier/go-toml/cmd/tomll@${GOTOML_VERSION}" \
     && /build/tomll --help

FROM base AS vndr
# VNDR_VERSION specifies the version of the vndr tool to build and install
# from the https://github.com/LK4D4/vndr repository.
#
# The vndr tool is used to manage vendored go packages in the vendor directory,
# and is pinned to a fixed version because different versions of this tool
# can result in differences in the (go) files that are considered for vendoring.
ARG VNDR_VERSION=v0.1.2
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        GOBIN=/build/ GO111MODULE=on go install "github.com/LK4D4/vndr@${VNDR_VERSION}" \
     && /build/vndr --help

# containerd: built by the shared install.sh driver with PREFIX=/build.
# CONTAINERD_VERSION has no default here; presumably containerd.installer
# supplies one when the build argument is not passed (confirm in that script).
FROM dev-base AS containerd
ARG DEBIAN_FRONTEND
RUN --mount=type=cache,sharing=locked,id=moby-containerd-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-containerd-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            libbtrfs-dev
ARG CONTAINERD_VERSION
COPY /hack/dockerfile/install/install.sh /hack/dockerfile/install/containerd.installer /
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        PREFIX=/build /install.sh containerd

FROM base AS golangci_lint
ARG GOLANGCI_LINT_VERSION=v1.23.8
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        GOBIN=/build/ GO111MODULE=on go install "github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}" \
     && /build/golangci-lint --version

FROM base AS gotestsum
ARG GOTESTSUM_VERSION=v1.7.0
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        GOBIN=/build/ GO111MODULE=on go install "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" \
     && /build/gotestsum --version

FROM base AS shfmt
ARG SHFMT_VERSION=v3.0.2
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        GOBIN=/build/ GO111MODULE=on go install "mvdan.cc/sh/v3/cmd/shfmt@${SHFMT_VERSION}" \
     && /build/shfmt --version

# dockercli, runc, tini and rootlesskit use the same install.sh driver as
# containerd; their *_VERSION arguments are likewise declared without defaults.
FROM dev-base AS dockercli
ARG DOCKERCLI_CHANNEL
ARG DOCKERCLI_VERSION
COPY /hack/dockerfile/install/install.sh /hack/dockerfile/install/dockercli.installer /
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        PREFIX=/build /install.sh dockercli

FROM runtime-dev AS runc
ARG RUNC_VERSION
ARG RUNC_BUILDTAGS
COPY /hack/dockerfile/install/install.sh /hack/dockerfile/install/runc.installer /
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        PREFIX=/build /install.sh runc

FROM dev-base AS tini
ARG DEBIAN_FRONTEND
ARG TINI_VERSION
RUN --mount=type=cache,sharing=locked,id=moby-tini-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-tini-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            cmake \
            vim-common
COPY /hack/dockerfile/install/install.sh /hack/dockerfile/install/tini.installer /
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        PREFIX=/build /install.sh tini

FROM dev-base AS rootlesskit
ARG ROOTLESSKIT_VERSION
# PREFIX is an ARG in this stage (the other installer stages set it inline),
# so the smoke tests below can reference the install location.
ARG PREFIX=/build
COPY /hack/dockerfile/install/install.sh /hack/dockerfile/install/rootlesskit.installer /
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
        /install.sh rootlesskit \
     && "${PREFIX}"/rootlesskit --version \
     && "${PREFIX}"/rootlesskit-docker-proxy --help
COPY ./contrib/dockerd-rootless.sh /build
COPY ./contrib/dockerd-rootless-setuptool.sh /build

# vpnkit: the binary is copied out of a prebuilt third-party image, once per
# architecture.
# NOTE(review): djs55/vpnkit is referenced by tag (VPNKIT_VERSION) only, not by
# digest, so the content behind the tag is not fixed by this file; consider
# adding a digest pin. The platform is written as `amd64`/`arm64`, while other
# stages in this file use the `linux/amd64` form.
FROM --platform=amd64 djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit-amd64

FROM --platform=arm64 djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit-arm64

FROM scratch AS vpnkit
COPY --from=vpnkit-amd64 /vpnkit /build/vpnkit.x86_64
COPY --from=vpnkit-arm64 /vpnkit /build/vpnkit.aarch64

# TODO: Some of this is only really needed for testing, it would be nice to split this up
FROM runtime-dev AS dev-systemd-false
ARG DEBIAN_FRONTEND
# Create a `docker` system group and an unprivileged account that owns its own
# home directory, including ~/.local/share/docker.
RUN groupadd -r docker
RUN useradd --create-home --gid docker unprivilegeduser \
 && mkdir -p /home/unprivilegeduser/.local/share/docker \
 && chown -R unprivilegeduser /home/unprivilegeduser
# Let us use a .bashrc file
RUN ln -sfv /go/src/github.com/docker/docker/.bashrc ~/.bashrc
# Activate bash completion and include Docker's completion if mounted with DOCKER_BASH_COMPLETION_PATH
RUN echo "source /usr/share/bash-completion/bash_completion" >> /etc/bash.bashrc
RUN ln -s /usr/local/completion/bash/docker /etc/bash_completion.d/docker
RUN ldconfig
# This should only install packages that are specifically needed for the dev environment and nothing else
# Do you really need to add another package here? Can it be done in a different build stage?
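RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            apparmor \
            bash-completion \
            bzip2 \
            inetutils-ping \
            iproute2 \
            iptables \
            jq \
            libcap2-bin \
            libnet1 \
            libnl-3-200 \
            libprotobuf-c1 \
            net-tools \
            patch \
            pigz \
            python3-pip \
            python3-setuptools \
            python3-wheel \
            sudo \
            thin-provisioning-tools \
            uidmap \
            vim \
            vim-common \
            xfsprogs \
            xz-utils \
            zip \
            zstd


# Switch to use iptables instead of nftables (to match the CI hosts)
# TODO use some kind of runtime auto-detection instead if/when nftables is supported (https://github.com/moby/moby/issues/26824)
# Each call is followed by `|| true`, so a missing alternative does not fail
# the build.
RUN update-alternatives --set iptables  /usr/sbin/iptables-legacy  || true \
 && update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy || true \
 && update-alternatives --set arptables /usr/sbin/arptables-legacy || true

RUN pip3 install yamllint==1.26.1

# Collect the tools built in the other stages. Only each stage's /build
# directory is copied, so their build dependencies stay out of this image.
COPY --from=dockercli     /build/ /usr/local/cli
COPY --from=frozen-images /build/ /docker-frozen-images
COPY --from=swagger       /build/ /usr/local/bin/
COPY --from=tomll         /build/ /usr/local/bin/
COPY --from=tini          /build/ /usr/local/bin/
COPY --from=registry      /build/ /usr/local/bin/
COPY --from=criu          /build/ /usr/local/bin/
COPY --from=vndr          /build/ /usr/local/bin/
COPY --from=gotestsum     /build/ /usr/local/bin/
COPY --from=golangci_lint /build/ /usr/local/bin/
COPY --from=shfmt         /build/ /usr/local/bin/
COPY --from=runc          /build/ /usr/local/bin/
COPY --from=containerd    /build/ /usr/local/bin/
COPY --from=rootlesskit   /build/ /usr/local/bin/
COPY --from=vpnkit        /build/ /usr/local/bin/
ENV PATH=/usr/local/cli:$PATH
ARG DOCKER_BUILDTAGS
ENV DOCKER_BUILDTAGS="${DOCKER_BUILDTAGS}"
WORKDIR /go/src/github.com/docker/docker
VOLUME /var/lib/docker
VOLUME /home/unprivilegeduser/.local/share/docker
# Wrap all commands in the "docker-in-docker" script to allow nested containers
# The path is relative to WORKDIR. No USER instruction appears in this file, so
# the entrypoint runs as the base image's default user (presumably root).
ENTRYPOINT ["hack/dind"]

# dev-systemd-true: the dev image plus systemd, with a systemd-aware entrypoint.
FROM dev-systemd-false AS dev-systemd-true
RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
        apt-get update && apt-get install -y --no-install-recommends \
            dbus \
            dbus-user-session \
            systemd \
            systemd-sysv
# The entrypoint script is downloaded from a URL pinned to a full commit hash.
# -f makes curl exit non-zero on an HTTP error instead of saving the error page
# as the entrypoint; -sS silences progress output but keeps error messages;
# -L follows redirects.
# NOTE(review): the download is not checked against a known checksum; integrity
# rests on TLS and the commit pin in the URL.
RUN mkdir -p hack \
  && curl -fsSL -o hack/dind-systemd https://raw.githubusercontent.com/AkihiroSuda/containerized-systemd/b70bac0daeea120456764248164c21684ade7d0d/docker-entrypoint.sh \
  && chmod +x hack/dind-systemd
ENTRYPOINT ["hack/dind-systemd"]

# The SYSTEMD build argument selects which of the two dev variants is `dev`.
FROM dev-systemd-${SYSTEMD} AS dev

# binary-base: common environment for the build-* stages. Each build argument
# is copied into an ENV of the same name, which makes it visible to later RUN
# steps (presumably read by hack/make.sh).
# NOTE(review): ENV values are recorded in the image configuration, so none of
# these arguments should ever carry a secret.
FROM runtime-dev AS binary-base
ARG DOCKER_GITCOMMIT=HEAD
ENV DOCKER_GITCOMMIT=${DOCKER_GITCOMMIT}
ARG VERSION
ENV VERSION=${VERSION}
ARG PLATFORM
ENV PLATFORM=${PLATFORM}
ARG PRODUCT
ENV PRODUCT=${PRODUCT}
ARG DEFAULT_PRODUCT_LICENSE
ENV DEFAULT_PRODUCT_LICENSE=${DEFAULT_PRODUCT_LICENSE}
ARG DOCKER_BUILDTAGS
ENV DOCKER_BUILDTAGS="${DOCKER_BUILDTAGS}"
ENV PREFIX=/build
# TODO: This is here because hack/make.sh binary copies these extras binaries
# from $PATH into the bundles dir.
# It would be nice to handle this in a different way.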
COPY --from=tini        /build/ /usr/local/bin/
COPY --from=runc        /build/ /usr/local/bin/
COPY --from=containerd  /build/ /usr/local/bin/
COPY --from=rootlesskit /build/ /usr/local/bin/
COPY --from=vpnkit      /build/ /usr/local/bin/
WORKDIR /go/src/github.com/docker/docker

# build-binary / build-dynbinary / build-cross: run hack/make.sh with the
# source tree bind-mounted at the source path instead of copied into a layer.
# The results are collected from /build/bundles by the scratch stages below.
FROM binary-base AS build-binary
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=bind,target=/go/src/github.com/docker/docker \
        hack/make.sh binary

FROM binary-base AS build-dynbinary
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=bind,target=/go/src/github.com/docker/docker \
        hack/make.sh dynbinary

FROM binary-base AS build-cross
ARG DOCKER_CROSSPLATFORMS
# The cross build additionally mounts a tmpfs over the autogen directory,
# presumably so generated files are not written into the bind-mounted source.
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=bind,target=/go/src/github.com/docker/docker \
    --mount=type=tmpfs,target=/go/src/github.com/docker/docker/autogen \
        hack/make.sh cross

# Export stages: start from scratch and contain only the build output, so they
# carry no toolchain, shell or package manager.
FROM scratch AS binary
COPY --from=build-binary /build/bundles/ /

FROM scratch AS dynbinary
COPY --from=build-dynbinary /build/bundles/ /

FROM scratch AS cross
COPY --from=build-cross /build/bundles/ /

# final: the dev image with the whole build context copied in.
# NOTE(review): `COPY .` includes everything in the build context that
# .dockerignore does not exclude; keep credentials and local environment files
# out of the context.
FROM dev AS final
COPY . /go/src/github.com/docker/docker