
     1  ARG GO_VERSION=1.24
     2  ARG UBUNTU_VERSION=24.04
     3  ARG SHADOW_VERSION=4.16.0
     4  ARG SLIRP4NETNS_VERSION=v1.3.2
     5  ARG VPNKIT_VERSION=0.5.0
     6  ARG PASST_VERSION=2025_02_17.a1e48a0
     7  ARG DOCKER_VERSION=28.0.1
     8  ARG DOCKER_CHANNEL=stable
     9  
    10  FROM golang:${GO_VERSION}-alpine AS build
    11  RUN apk add --no-cache file git make
    12  ADD . /go/src/github.com/rootless-containers/rootlesskit
    13  WORKDIR /go/src/github.com/rootless-containers/rootlesskit
    14  
    15  FROM build AS rootlesskit
    16  RUN CGO_ENABLED=0 make && file /bin/* | grep -v dynamic
    17  
FROM scratch AS artifact
# Publishable artifact: only the static binaries from the `rootlesskit` stage on
# an empty base (no shell, no libc, nothing else to patch). Later stages pull
# individual binaries out of it with `COPY --from=artifact` / `--mount=from=artifact`.
COPY --from=rootlesskit /go/src/github.com/rootless-containers/rootlesskit/bin/* /
    20  
FROM build AS cross
# Cross-compilation stage. `make cross` is expected to populate _artifact/ in the
# inherited WORKDIR, which the `cross-artifact` stage collects.
# NOTE(review): unlike the `rootlesskit` stage there is no static-linking
# assertion here; confirm the cross target disables cgo itself.
RUN make cross
    23  
FROM scratch AS cross-artifact
# Multi-platform release artifacts from the `cross` stage on an empty base.
COPY --from=cross /go/src/github.com/rootless-containers/rootlesskit/_artifact/* /
    26  
    27  # `go test -race` requires non-Alpine
    28  FROM golang:${GO_VERSION} AS test-unit
    29  RUN apt-get update && apt-get install -y git iproute2 netcat-openbsd
    30  ADD . /go/src/github.com/rootless-containers/rootlesskit
    31  WORKDIR /go/src/github.com/rootless-containers/rootlesskit
    32  RUN go mod verify && go vet ./...
    33  CMD ["go","test","-v","-race","github.com/rootless-containers/rootlesskit/..."]
    34  
# idmap runnable without --privileged (but still requires seccomp=unconfined apparmor=unconfined)
FROM ubuntu:${UBUNTU_VERSION} AS idmap
# Builds newuidmap/newgidmap from shadow at SHADOW_VERSION. Only those two
# binaries are copied out of this stage (see test-integration), so the
# toolchain and the DEBIAN_FRONTEND setting never reach a final image.
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y automake autopoint bison gettext git gcc libbsd-dev libcap-dev libtool make pkg-config
# Cloned at the default branch first, with the ARG declared afterwards —
# presumably so the clone layer stays cached and only the pull/checkout layer
# re-runs on a version bump.
RUN git clone https://github.com/shadow-maint/shadow.git /shadow
WORKDIR /shadow
ARG SHADOW_VERSION
# NOTE(review): SHADOW_VERSION is a tag name and git tags can be moved or
# re-pushed; for a stronger supply-chain pin, check out (or additionally
# verify) the commit hash the release corresponds to.
RUN git pull && git checkout $SHADOW_VERSION
# Minimal configuration: NLS, man pages, audit, SELinux, ACL/xattr, tcb and nscd
# support are all disabled so the capability-bearing helpers carry as little
# code as possible.
RUN ./autogen.sh --disable-nls --disable-man --without-audit --without-selinux --without-acl --without-attr --without-tcb --without-nscd && \
  make && \
  cp src/newuidmap src/newgidmap /usr/bin
    46  
FROM djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit
# NOTE(review): third-party Docker Hub image pinned by tag only; only /vpnkit is
# copied out of it below. Pin by digest (`djs55/vpnkit:<tag>@sha256:...`) for a
# reproducible, tamper-evident reference.
    48  
FROM ubuntu:${UBUNTU_VERSION} AS passt
# Builds passt from source at PASST_VERSION. `make install` uses the default
# prefix; the test-integration stage copies the whole /usr/local tree out of
# this stage, so nothing else from here (toolchain, DEBIAN_FRONTEND) leaks.
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y git gcc libtool make
RUN git clone https://passt.top/passt
WORKDIR /passt
ARG PASST_VERSION
# PASST_VERSION is a release tag whose name embeds the short commit hash
# (2025_02_17.a1e48a0). The tag itself is still mutable; check out the full
# commit hash instead if stricter pinning is wanted.
RUN git pull && git checkout $PASST_VERSION
RUN make && make install
    57  
    58  FROM ubuntu:${UBUNTU_VERSION} AS test-integration
    59  # iproute2: for `ip` command that rootlesskit needs to exec
    60  # liblxc-common and lxc-utils: for `lxc-user-nic` binary required for --net=lxc-user-nic
    61  # iperf3: only for benchmark purpose
    62  # busybox: only for debugging purpose
    63  # sudo: only for lxc-user-nic benchmark and rootful veth benchmark (for comparison)
    64  # libcap2-bin and curl: used by the RUN instructions in this Dockerfile.
    65  # bind9-dnsutils: for `nslookup` command used by integration-net.sh
    66  # systemd and uuid-runtime: for systemd-socket-activate used by integration-systemd-socket.sh
    67  # iptables: for Docker
    68  RUN apt-get update && apt-get install -y iproute2 liblxc-common lxc-utils iperf3 busybox sudo libcap2-bin curl bind9-dnsutils systemd uuid-runtime iptables
    69  COPY --from=idmap /usr/bin/newuidmap /usr/bin/newuidmap
    70  COPY --from=idmap /usr/bin/newgidmap /usr/bin/newgidmap
    71  RUN /sbin/setcap cap_setuid+eip /usr/bin/newuidmap && \
    72    /sbin/setcap cap_setgid+eip /usr/bin/newgidmap && \
    73    useradd --create-home --home-dir /home/user --uid 2000 user && \
    74    mkdir -p /run/user/2000 /etc/lxc && \
    75    echo "user veth lxcbr0 32" > /etc/lxc/lxc-usernet && \
    76    echo "user ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/user
    77  COPY --from=artifact /rootlesskit /home/user/bin/
    78  COPY --from=artifact /rootlessctl /home/user/bin/
    79  ARG SLIRP4NETNS_VERSION
    80  RUN curl -sSL -o /home/user/bin/slirp4netns https://github.com/rootless-containers/slirp4netns/releases/download/${SLIRP4NETNS_VERSION}/slirp4netns-x86_64 && \
    81    chmod +x /home/user/bin/slirp4netns
    82  COPY --from=vpnkit /vpnkit /home/user/bin/vpnkit
    83  COPY --from=passt /usr/local /usr/local
    84  ADD ./hack /home/user/hack
    85  RUN chown -R user:user /run/user/2000 /home/user
    86  USER user
    87  ENV HOME /home/user
    88  ENV USER user
    89  ENV XDG_RUNTIME_DIR=/run/user/2000
    90  ENV PATH /home/user/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    91  ENV LD_LIBRARY_PATH=/home/user/lib
    92  WORKDIR /home/user/hack
    93  
    94  FROM test-integration AS test-integration-docker
    95  ARG DOCKER_VERSION
    96  ARG DOCKER_CHANNEL
    97  RUN curl -fsSL https://download.docker.com/linux/static/${DOCKER_CHANNEL}/x86_64/docker-${DOCKER_VERSION}.tgz | tar xz --strip-components=1 -C /home/user/bin/
    98  RUN curl -fsSL -o /home/user/bin/dockerd-rootless.sh https://raw.githubusercontent.com/moby/moby/v${DOCKER_VERSION}/contrib/dockerd-rootless.sh && \
    99    chmod +x /home/user/bin/dockerd-rootless.sh
   100  # rootlesskit-docker-proxy is no longer needed since Docker v28
   101  RUN --mount=source=/rootlesskit-docker-proxy,target=/tmp/rootlesskit-docker-proxy,from=artifact <<EOT
   102    set -ex
   103    if [ "$(echo ${DOCKER_VERSION} | cut -d . -f 1)" -lt "28" ]; then
   104      cp -a /tmp/rootlesskit-docker-proxy /home/user/bin
   105    fi
   106  EOT
   107  ENV DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns
   108  ENV DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=builtin
   109  ENV DOCKER_HOST=unix:///run/user/2000/docker.sock
   110  RUN mkdir -p /home/user/.local
   111  VOLUME /home/user/.local
   112  CMD ["dockerd-rootless.sh"]