
# syntax=docker/dockerfile:1.1.7-experimental

# Build-wide ARGs. They are declared before the first FROM so they can be used in
# FROM lines; a stage that needs one of them in a RUN re-declares it with a bare ARG.
# CROSS selects the cross-${CROSS} / runtime-dev-cross-${CROSS} stages,
# SYSTEMD selects the dev-systemd-${SYSTEMD} stage.
ARG CROSS="false"
ARG SYSTEMD="false"
# IMPORTANT: When updating this please note that stdlib archive/tar pkg is vendored
ARG GO_VERSION=1.13.15
# Build-time only (ARG, not ENV) so it does not leak into the runtime environment.
ARG DEBIAN_FRONTEND=noninteractive
# Tag of the djs55/vpnkit image the vpnkit stage pulls from.
ARG VPNKIT_VERSION=0.4.0
ARG DOCKER_BUILDTAGS="apparmor seccomp"

ARG BASE_DEBIAN_DISTRO="buster"
ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
    13  
    14  FROM ${GOLANG_IMAGE} AS base
    15  RUN echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
    16  ARG APT_MIRROR
    17  RUN sed -ri "s/(httpredir|deb).debian.org/${APT_MIRROR:-deb.debian.org}/g" /etc/apt/sources.list \
    18   && sed -ri "s/(security).debian.org/${APT_MIRROR:-security.debian.org}/g" /etc/apt/sources.list
    19  ENV GO111MODULE=off
    20  
    21  FROM base AS criu
    22  ARG DEBIAN_FRONTEND
    23  # Install dependency packages specific to criu
    24  RUN --mount=type=cache,sharing=locked,id=moby-criu-aptlib,target=/var/lib/apt \
    25      --mount=type=cache,sharing=locked,id=moby-criu-aptcache,target=/var/cache/apt \
    26          apt-get update && apt-get install -y --no-install-recommends \
    27              libcap-dev \
    28              libnet-dev \
    29              libnl-3-dev \
    30              libprotobuf-c-dev \
    31              libprotobuf-dev \
    32              protobuf-c-compiler \
    33              protobuf-compiler \
    34              python-protobuf
    35  
    36  # Install CRIU for checkpoint/restore support
    37  ARG CRIU_VERSION=3.14
    38  RUN mkdir -p /usr/src/criu \
    39      && curl -sSL https://github.com/checkpoint-restore/criu/archive/v${CRIU_VERSION}.tar.gz | tar -C /usr/src/criu/ -xz --strip-components=1 \
    40      && cd /usr/src/criu \
    41      && make \
    42      && make PREFIX=/build/ install-criu
    43  
    44  FROM base AS registry
    45  WORKDIR /go/src/github.com/docker/distribution
    46  # Install two versions of the registry. The first one is a recent version that
    47  # supports both schema 1 and 2 manifests. The second one is an older version that
    48  # only supports schema1 manifests. This allows integration-cli tests to cover
    49  # push/pull with both schema1 and schema2 manifests.
    50  # The old version of the registry is not working on arm64, so installation is
    51  # skipped on that architecture.
    52  ENV REGISTRY_COMMIT_SCHEMA1 ec87e9b6971d831f0eff752ddb54fb64693e51cd
    53  ENV REGISTRY_COMMIT 47a064d4195a9b56133891bbb13620c3ac83a827
    54  RUN --mount=type=cache,target=/root/.cache/go-build \
    55      --mount=type=cache,target=/go/pkg/mod \
    56      --mount=type=tmpfs,target=/go/src/ \
    57          set -x \
    58          && git clone https://github.com/docker/distribution.git . \
    59          && git checkout -q "$REGISTRY_COMMIT" \
    60          && GOPATH="/go/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \
    61             go build -buildmode=pie -o /build/registry-v2 github.com/docker/distribution/cmd/registry \
    62          && case $(dpkg --print-architecture) in \
    63                 amd64|armhf|ppc64*|s390x) \
    64                 git checkout -q "$REGISTRY_COMMIT_SCHEMA1"; \
    65                 GOPATH="/go/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH"; \
    66                     go build -buildmode=pie -o /build/registry-v2-schema1 github.com/docker/distribution/cmd/registry; \
    67                  ;; \
    68             esac
    69  
    70  FROM base AS swagger
    71  WORKDIR $GOPATH/src/github.com/go-swagger/go-swagger
    72  # Install go-swagger for validating swagger.yaml
    73  # This is https://github.com/kolyshkin/go-swagger/tree/golang-1.13-fix
    74  # TODO: move to under moby/ or fix upstream go-swagger to work for us.
    75  ENV GO_SWAGGER_COMMIT 5e6cb12f7c82ce78e45ba71fa6cb1928094db050
    76  RUN --mount=type=cache,target=/root/.cache/go-build \
    77      --mount=type=cache,target=/go/pkg/mod \
    78      --mount=type=tmpfs,target=/go/src/ \
    79          set -x \
    80          && git clone https://github.com/kolyshkin/go-swagger.git . \
    81          && git checkout -q "$GO_SWAGGER_COMMIT" \
    82          && go build -o /build/swagger github.com/go-swagger/go-swagger/cmd/swagger
    83  
    84  FROM debian:${BASE_DEBIAN_DISTRO} AS frozen-images
    85  ARG DEBIAN_FRONTEND
    86  RUN --mount=type=cache,sharing=locked,id=moby-frozen-images-aptlib,target=/var/lib/apt \
    87      --mount=type=cache,sharing=locked,id=moby-frozen-images-aptcache,target=/var/cache/apt \
    88         apt-get update && apt-get install -y --no-install-recommends \
    89             ca-certificates \
    90             curl \
    91             jq
    92  # Get useful and necessary Hub images so we can "docker load" locally instead of pulling
    93  COPY contrib/download-frozen-image-v2.sh /
    94  ARG TARGETARCH
    95  RUN /download-frozen-image-v2.sh /build \
    96          buildpack-deps:buster@sha256:d0abb4b1e5c664828b93e8b6ac84d10bce45ee469999bef88304be04a2709491 \
    97          busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
    98          busybox:glibc@sha256:1f81263701cddf6402afe9f33fca0266d9fff379e59b1748f33d3072da71ee85 \
    99          debian:bullseye@sha256:7190e972ab16aefea4d758ebe42a293f4e5c5be63595f4d03a5b9bf6839a4344 \
   100          hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 \
   101          arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1
   102  # See also frozenImages in "testutil/environment/protect.go" (which needs to be updated when adding images to this list)
   103  
# CROSS=false: no cross toolchains, the build runs natively on the builder's arch.
FROM base AS cross-false
   105  
   106  FROM --platform=linux/amd64 base AS cross-true
   107  ARG DEBIAN_FRONTEND
   108  RUN dpkg --add-architecture arm64
   109  RUN dpkg --add-architecture armel
   110  RUN dpkg --add-architecture armhf
   111  RUN --mount=type=cache,sharing=locked,id=moby-cross-true-aptlib,target=/var/lib/apt \
   112      --mount=type=cache,sharing=locked,id=moby-cross-true-aptcache,target=/var/cache/apt \
   113          apt-get update && apt-get install -y --no-install-recommends \
   114              crossbuild-essential-arm64 \
   115              crossbuild-essential-armel \
   116              crossbuild-essential-armhf
   117  
   118  FROM cross-${CROSS} as dev-base
   119  
   120  FROM dev-base AS runtime-dev-cross-false
   121  ARG DEBIAN_FRONTEND
   122  RUN --mount=type=cache,sharing=locked,id=moby-cross-false-aptlib,target=/var/lib/apt \
   123      --mount=type=cache,sharing=locked,id=moby-cross-false-aptcache,target=/var/cache/apt \
   124          apt-get update && apt-get install -y --no-install-recommends \
   125              binutils-mingw-w64 \
   126              g++-mingw-w64-x86-64 \
   127              libapparmor-dev \
   128              libbtrfs-dev \
   129              libdevmapper-dev \
   130              libseccomp-dev \
   131              libsystemd-dev \
   132              libudev-dev
   133  
   134  FROM --platform=linux/amd64 runtime-dev-cross-false AS runtime-dev-cross-true
   135  ARG DEBIAN_FRONTEND
   136  # These crossbuild packages rely on gcc-<arch>, but this doesn't want to install
   137  # on non-amd64 systems.
   138  # Additionally, the crossbuild-amd64 is currently only on debian:buster, so
   139  # other architectures cannnot crossbuild amd64.
   140  RUN --mount=type=cache,sharing=locked,id=moby-cross-true-aptlib,target=/var/lib/apt \
   141      --mount=type=cache,sharing=locked,id=moby-cross-true-aptcache,target=/var/cache/apt \
   142          apt-get update && apt-get install -y --no-install-recommends \
   143              libapparmor-dev:arm64 \
   144              libapparmor-dev:armel \
   145              libapparmor-dev:armhf \
   146              libseccomp-dev:arm64 \
   147              libseccomp-dev:armel \
   148              libseccomp-dev:armhf
   149  
# Resolves to runtime-dev-cross-false or -true depending on the CROSS build arg.
FROM runtime-dev-cross-${CROSS} AS runtime-dev
   151  
   152  FROM base AS tomlv
   153  ARG TOMLV_COMMIT
   154  RUN --mount=type=cache,target=/root/.cache/go-build \
   155      --mount=type=cache,target=/go/pkg/mod \
   156      --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
   157          PREFIX=/build /tmp/install/install.sh tomlv
   158  
   159  FROM base AS vndr
   160  ARG VNDR_COMMIT
   161  RUN --mount=type=cache,target=/root/.cache/go-build \
   162      --mount=type=cache,target=/go/pkg/mod \
   163      --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
   164          PREFIX=/build /tmp/install/install.sh vndr
   165  
   166  FROM dev-base AS containerd
   167  ARG DEBIAN_FRONTEND
   168  RUN --mount=type=cache,sharing=locked,id=moby-containerd-aptlib,target=/var/lib/apt \
   169      --mount=type=cache,sharing=locked,id=moby-containerd-aptcache,target=/var/cache/apt \
   170          apt-get update && apt-get install -y --no-install-recommends \
   171              libbtrfs-dev
   172  ARG CONTAINERD_COMMIT
   173  RUN --mount=type=cache,target=/root/.cache/go-build \
   174      --mount=type=cache,target=/go/pkg/mod \
   175      --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
   176          PREFIX=/build /tmp/install/install.sh containerd
   177  
   178  FROM dev-base AS proxy
   179  ARG LIBNETWORK_COMMIT
   180  RUN --mount=type=cache,target=/root/.cache/go-build \
   181      --mount=type=cache,target=/go/pkg/mod \
   182      --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
   183          PREFIX=/build /tmp/install/install.sh proxy
   184  
   185  FROM base AS golangci_lint
   186  ARG GOLANGCI_LINT_COMMIT
   187  RUN --mount=type=cache,target=/root/.cache/go-build \
   188      --mount=type=cache,target=/go/pkg/mod \
   189      --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
   190          PREFIX=/build /tmp/install/install.sh golangci_lint
   191  
   192  FROM base AS gotestsum
   193  ARG GOTESTSUM_COMMIT
   194  RUN --mount=type=cache,target=/root/.cache/go-build \
   195      --mount=type=cache,target=/go/pkg/mod \
   196      --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
   197          PREFIX=/build /tmp/install/install.sh gotestsum
   198  
   199  FROM base AS shfmt
   200  ARG SHFMT_COMMIT
   201  RUN --mount=type=cache,target=/root/.cache/go-build \
   202      --mount=type=cache,target=/go/pkg/mod \
   203      --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
   204          PREFIX=/build /tmp/install/install.sh shfmt
   205  
   206  FROM dev-base AS dockercli
   207  ARG DOCKERCLI_CHANNEL
   208  ARG DOCKERCLI_VERSION
   209  RUN --mount=type=cache,target=/root/.cache/go-build \
   210      --mount=type=cache,target=/go/pkg/mod \
   211      --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
   212          PREFIX=/build /tmp/install/install.sh dockercli
   213  
   214  FROM runtime-dev AS runc
   215  ARG RUNC_COMMIT
   216  ARG RUNC_BUILDTAGS
   217  RUN --mount=type=cache,target=/root/.cache/go-build \
   218      --mount=type=cache,target=/go/pkg/mod \
   219      --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
   220          PREFIX=/build /tmp/install/install.sh runc
   221  
   222  FROM dev-base AS tini
   223  ARG DEBIAN_FRONTEND
   224  ARG TINI_COMMIT
   225  RUN --mount=type=cache,sharing=locked,id=moby-tini-aptlib,target=/var/lib/apt \
   226      --mount=type=cache,sharing=locked,id=moby-tini-aptcache,target=/var/cache/apt \
   227          apt-get update && apt-get install -y --no-install-recommends \
   228              cmake \
   229              vim-common
   230  RUN --mount=type=cache,target=/root/.cache/go-build \
   231      --mount=type=cache,target=/go/pkg/mod \
   232      --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
   233          PREFIX=/build /tmp/install/install.sh tini
   234  
   235  FROM dev-base AS rootlesskit
   236  ARG ROOTLESSKIT_COMMIT
   237  RUN --mount=type=cache,target=/root/.cache/go-build \
   238      --mount=type=cache,target=/go/pkg/mod \
   239      --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
   240          PREFIX=/build /tmp/install/install.sh rootlesskit
   241  COPY ./contrib/dockerd-rootless.sh /build
   242  COPY ./contrib/dockerd-rootless-setuptool.sh /build
   243  
# Third-party image used only as a source for the /vpnkit binary copied into the
# dev and binary-base stages.
# NOTE(review): pinned by tag only; pin by digest (tag@sha256:...) so the binary that
# ends up in the image cannot change underneath the tag.
FROM djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit
   245  
   246  # TODO: Some of this is only really needed for testing, it would be nice to split this up
   247  FROM runtime-dev AS dev-systemd-false
   248  ARG DEBIAN_FRONTEND
   249  RUN groupadd -r docker
   250  RUN useradd --create-home --gid docker unprivilegeduser \
   251   && mkdir -p /home/unprivilegeduser/.local/share/docker \
   252   && chown -R unprivilegeduser /home/unprivilegeduser
   253  # Let us use a .bashrc file
   254  RUN ln -sfv /go/src/github.com/docker/docker/.bashrc ~/.bashrc
   255  # Activate bash completion and include Docker's completion if mounted with DOCKER_BASH_COMPLETION_PATH
   256  RUN echo "source /usr/share/bash-completion/bash_completion" >> /etc/bash.bashrc
   257  RUN ln -s /usr/local/completion/bash/docker /etc/bash_completion.d/docker
   258  RUN ldconfig
   259  # This should only install packages that are specifically needed for the dev environment and nothing else
   260  # Do you really need to add another package here? Can it be done in a different build stage?
   261  RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
   262      --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
   263          apt-get update && apt-get install -y --no-install-recommends \
   264              apparmor \
   265              aufs-tools \
   266              bash-completion \
   267              bzip2 \
   268              iptables \
   269              jq \
   270              libcap2-bin \
   271              libnet1 \
   272              libnl-3-200 \
   273              libprotobuf-c1 \
   274              net-tools \
   275              pigz \
   276              python3-pip \
   277              python3-setuptools \
   278              python3-wheel \
   279              sudo \
   280              thin-provisioning-tools \
   281              uidmap \
   282              vim \
   283              vim-common \
   284              xfsprogs \
   285              xz-utils \
   286              zip
   287  
   288  
   289  # Switch to use iptables instead of nftables (to match the CI hosts)
   290  # TODO use some kind of runtime auto-detection instead if/when nftables is supported (https://github.com/moby/moby/issues/26824)
   291  RUN update-alternatives --set iptables  /usr/sbin/iptables-legacy  || true \
   292   && update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy || true \
   293   && update-alternatives --set arptables /usr/sbin/arptables-legacy || true
   294  
   295  RUN pip3 install yamllint==1.16.0
   296  
   297  COPY --from=dockercli     /build/ /usr/local/cli
   298  COPY --from=frozen-images /build/ /docker-frozen-images
   299  COPY --from=swagger       /build/ /usr/local/bin/
   300  COPY --from=tomlv         /build/ /usr/local/bin/
   301  COPY --from=tini          /build/ /usr/local/bin/
   302  COPY --from=registry      /build/ /usr/local/bin/
   303  COPY --from=criu          /build/ /usr/local/
   304  COPY --from=vndr          /build/ /usr/local/bin/
   305  COPY --from=gotestsum     /build/ /usr/local/bin/
   306  COPY --from=golangci_lint /build/ /usr/local/bin/
   307  COPY --from=shfmt         /build/ /usr/local/bin/
   308  COPY --from=runc          /build/ /usr/local/bin/
   309  COPY --from=containerd    /build/ /usr/local/bin/
   310  COPY --from=rootlesskit   /build/ /usr/local/bin/
   311  COPY --from=vpnkit        /vpnkit /usr/local/bin/vpnkit.x86_64
   312  COPY --from=proxy         /build/ /usr/local/bin/
   313  ENV PATH=/usr/local/cli:$PATH
   314  ARG DOCKER_BUILDTAGS
   315  ENV DOCKER_BUILDTAGS="${DOCKER_BUILDTAGS}"
   316  WORKDIR /go/src/github.com/docker/docker
   317  VOLUME /var/lib/docker
   318  VOLUME /home/unprivilegeduser/.local/share/docker
   319  # Wrap all commands in the "docker-in-docker" script to allow nested containers
   320  ENTRYPOINT ["hack/dind"]
   321  
   322  FROM dev-systemd-false AS dev-systemd-true
   323  RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
   324      --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
   325          apt-get update && apt-get install -y --no-install-recommends \
   326              dbus \
   327              dbus-user-session \
   328              systemd \
   329              systemd-sysv
   330  RUN mkdir -p hack \
   331    && curl -o hack/dind-systemd https://raw.githubusercontent.com/AkihiroSuda/containerized-systemd/b70bac0daeea120456764248164c21684ade7d0d/docker-entrypoint.sh \
   332    && chmod +x hack/dind-systemd
   333  ENTRYPOINT ["hack/dind-systemd"]
   334  
# Resolves to dev-systemd-false or dev-systemd-true depending on the SYSTEMD build arg.
FROM dev-systemd-${SYSTEMD} AS dev
   336  
   337  FROM runtime-dev AS binary-base
   338  ARG DOCKER_GITCOMMIT=HEAD
   339  ENV DOCKER_GITCOMMIT=${DOCKER_GITCOMMIT}
   340  ARG VERSION
   341  ENV VERSION=${VERSION}
   342  ARG PLATFORM
   343  ENV PLATFORM=${PLATFORM}
   344  ARG PRODUCT
   345  ENV PRODUCT=${PRODUCT}
   346  ARG DEFAULT_PRODUCT_LICENSE
   347  ENV DEFAULT_PRODUCT_LICENSE=${DEFAULT_PRODUCT_LICENSE}
   348  ARG DOCKER_BUILDTAGS
   349  ENV DOCKER_BUILDTAGS="${DOCKER_BUILDTAGS}"
   350  ENV PREFIX=/build
   351  # TODO: This is here because hack/make.sh binary copies these extras binaries
   352  # from $PATH into the bundles dir.
   353  # It would be nice to handle this in a different way.
   354  COPY --from=tini        /build/ /usr/local/bin/
   355  COPY --from=runc        /build/ /usr/local/bin/
   356  COPY --from=containerd  /build/ /usr/local/bin/
   357  COPY --from=rootlesskit /build/ /usr/local/bin/
   358  COPY --from=proxy       /build/ /usr/local/bin/
   359  COPY --from=vpnkit      /vpnkit /usr/local/bin/vpnkit.x86_64
   360  WORKDIR /go/src/github.com/docker/docker
   361  
   362  FROM binary-base AS build-binary
   363  RUN --mount=type=cache,target=/root/.cache/go-build \
   364      --mount=type=bind,target=/go/src/github.com/docker/docker \
   365          hack/make.sh binary
   366  
   367  FROM binary-base AS build-dynbinary
   368  RUN --mount=type=cache,target=/root/.cache/go-build \
   369      --mount=type=bind,target=/go/src/github.com/docker/docker \
   370          hack/make.sh dynbinary
   371  
   372  FROM binary-base AS build-cross
   373  ARG DOCKER_CROSSPLATFORMS
   374  RUN --mount=type=cache,target=/root/.cache/go-build \
   375      --mount=type=bind,target=/go/src/github.com/docker/docker \
   376      --mount=type=tmpfs,target=/go/src/github.com/docker/docker/autogen \
   377          hack/make.sh cross
   378  
# Artifact-only image: nothing but the bundles, no shell, no package manager.
FROM scratch AS binary
COPY --from=build-binary /build/bundles/ /
   381  
# Artifact-only image for the dynamically linked bundles.
FROM scratch AS dynbinary
COPY --from=build-dynbinary /build/bundles/ /
   384  
# Artifact-only image for the cross-compiled bundles.
FROM scratch AS cross
COPY --from=build-cross /build/bundles/ /
   387  
# Default target: the dev image with the whole build context copied in.
# NOTE(review): this copies everything not excluded by .dockerignore, so .git and any
# local credentials or .env files in the checkout end up in the image unless ignored.
FROM dev AS final
COPY . /go/src/github.com/docker/docker