Remove img, push a pure on-demand runner build instead.

.changelog/2534.txt

@@ -0,0 +1,6 @@
+```release-note:breaking-change
+plugin/docker: `img`-based Dockerless builds are no longer supported.
+Dockerless builds are still fully supported via Kaniko and on-demand
+runners that shipped in Waypoint 0.6. Static runners without access to
+a Docker daemon can no longer build images.
+```

Dockerfile

@@ -23,48 +23,6 @@ WORKDIR /tmp/wp-src
 RUN --mount=type=cache,target=/root/.cache/go-build make bin
 RUN --mount=type=cache,target=/root/.cache/go-build make bin/entrypoint
 
-#--------------------------------------------------------------------
-# imgbase builds the "img" tool and all of its dependencies
-#--------------------------------------------------------------------
-
-# We build a fork of img for now so we can get the `img inspect` CLI
-#
-# These PRs were required for us:
-# - https://github.com/genuinetools/img/pull/324
-# - https://github.com/genuinetools/img/pull/326
-#
-# We are now waiting on the img maintainers to do a new release of 'img' that
-# includes these fixes before we can delete this and install img directly.
-FROM docker.mirror.hashicorp.services/golang:1.16.5-alpine3.13 AS imgbuilder
-
-RUN apk add --no-cache \
- bash \
- build-base \
- gcc \
- git \
- libseccomp-dev \
- linux-headers \
- make
-
-RUN git clone https://github.com/mitchellh/img.git /img
-WORKDIR /img
-RUN go get github.com/go-bindata/go-bindata/go-bindata
-RUN make BUILDTAGS="seccomp noembed dfrunmount dfsecrets dfssh" && mv img /usr/bin/img
-
-# Copied from img repo, see notes for specific reasons:
-# https://github.com/genuinetools/img/blob/d858ac71f93cc5084edd2ba2d425b90234cf2ead/Dockerfile
-FROM docker.mirror.hashicorp.services/alpine:3.13.5 AS imgbase
-RUN apk add --no-cache autoconf automake build-base byacc gettext gettext-dev \
- gcc git libcap-dev libtool libxslt runc
-RUN git clone https://github.com/shadow-maint/shadow.git /shadow
-WORKDIR /shadow
-RUN git checkout 59c2dabb264ef7b3137f5edb52c0b31d5af0cf76
-RUN ./autogen.sh --disable-nls --disable-man --without-audit \
- --without-selinux --without-acl --without-attr --without-tcb \
- --without-nscd \
- && make \
- && cp src/newuidmap src/newgidmap /usr/bin
-
 # This is only used by ODR
 FROM docker.mirror.hashicorp.services/busybox:stable-musl as busybox
 RUN touch /tmp/.keep
@@ -95,27 +53,10 @@ ENTRYPOINT ["/kaniko/waypoint"]
 # final image
 #--------------------------------------------------------------------
 
-# Notes on img and what is required to make it work, since there's a lot
-# of small details below that are absolutely required for everything to
-# come together:
-#
-# - img, runc, newuidmap, newgidmap need to be installed
-# - libseccomp-dev must be installed for runc
-# - newuidmap/newgidmap need to have suid set (u+s)
-# - /etc/subuid and /etc/subgid need to have an entry for the user
-# - USER, HOME, and XDG_RUNTIME_DIR all need to be set
-#
-
 FROM docker.mirror.hashicorp.services/alpine:3.13.5
 
-COPY --from=imgbuilder /usr/bin/img /usr/bin/img
-COPY --from=imgbase /usr/bin/runc /usr/bin/runc
-COPY --from=imgbase /usr/bin/newuidmap /usr/bin/newuidmap
-COPY --from=imgbase /usr/bin/newgidmap /usr/bin/newgidmap
-
-# libseccomp-dev is required for runc
 # git is for gitrefpretty() and other calls for Waypoint
-RUN apk add --no-cache libseccomp-dev git
+RUN apk add --no-cache git
 
 COPY --from=builder /tmp/wp-src/waypoint /usr/bin/waypoint
 COPY --from=builder /tmp/wp-src/waypoint-entrypoint /usr/bin/waypoint-entrypoint
@@ -130,8 +71,7 @@ RUN addgroup waypoint && \
  chown -R waypoint:waypoint /data
 
 # configure newuidmap/newgidmap to work with our waypoint user
-RUN chmod u+s /usr/bin/newuidmap /usr/bin/newgidmap \
- && mkdir -p /run/user/100 \
+RUN mkdir -p /run/user/100 \
  && chown -R waypoint /run/user/100 /home/waypoint \
  && echo waypoint:100000:65536 | tee /etc/subuid | tee /etc/subgid
 

builtin/docker/builder.go

@@ -96,14 +96,11 @@ to a Docker server. In these cases, it is desirable to perform what is called
 a "dockerless" build: building a Docker image without access to a Docker
 daemon. Waypoint supports dockerless builds.
 
-Waypoint will automatically attempt a dockerless build if a Docker daemon
-is not available and no remote Docker server environment variables are set.
-
-Dockerless builds require user namespaces to be enabled. This is a host-level
-setting that is often not enabled by default. For GKE, you must not use ContainerOS.
-For AKS (Azure) and EKS (AWS), you must use a custom AMI that has user namespaces
-enabled. Please search for how to enable user namespaces for your distro; it is
-usually a single line configuration.
+Waypoint performs Dockerless builds by leveraging
+[Kaniko](https://github.com/GoogleContainerTools/kaniko)
+within on-demand launched runners. This should work in all supported
+Waypoint installation environments by default and you should not have
+to specify any additional configuration.
 `)
 
  doc.Example(`
@@ -142,10 +139,10 @@ build {
 
  doc.SetField(
  "build_args",
- "build args to pass to docker or img for the build step",
+ "build args to pass to docker for the build step",
  docs.Summary(
  "An array of strings of build-time variables passed as build-arg to docker",
- " or img for the build step.",
+ " for the build step.",
  ),
  )
 
@@ -309,38 +306,11 @@ func (b *Builder) Build(
  "dockerfile", relDockerfile,
  )
 
- // We now test if Docker is actually functional. We do this here because we
- // need all of the above to complete the actual build.
- log.Debug("testing if we should use a Docker fallback")
- useImg := false
- if fallback, err := wpdockerclient.Fallback(ctx, log, cli); err != nil {
- log.Warn("error during check if we should use Docker fallback", "err", err)
- return nil, status.Errorf(codes.Internal,
- "error validating Docker connection: %s", err)
- } else if fallback && HasImg() {
- // If we're falling back and have "img" available, use that. If we
- // don't have "img" available, we continue to try to use Docker. We'll
- // fail but that error message should help the user.
- step.Update("Docker isn't available. Falling back to daemonless image build...")
- step.Done()
- step = nil
- if err := b.buildWithImg(ctx, ui, sg, relDockerfile, contextDir, result.Name(), b.config.BuildArgs, b.config.Target); err != nil {
- return nil, err
- }
-
- // Our image is in the img registry now. We set this so that
- // future users of this result type know where to look.
- result.Location = &Image_Img{Img: &empty.Empty{}}
-
- // We set this to true so we use the img-based injector later
- useImg = true
- } else {
- // No fallback, build with Docker
- step.Done()
- step = nil
- if err := b.buildWithDocker(ctx, ui, sg, cli, contextDir, relDockerfile, result.Name(), b.config.Platform, b.config.BuildArgs, b.config.Target, log); err != nil {
- return nil, err
- }
+ // Build
+ step.Done()
+ step = nil
+ if err := b.buildWithDocker(ctx, ui, sg, cli, contextDir, relDockerfile, result.Name(), b.config.Platform, b.config.BuildArgs, b.config.Target, log); err != nil {
+ return nil, err
  }
 
  if !b.config.DisableCEB {
@@ -370,11 +340,7 @@ func (b *Builder) Build(
  return ep, nil
  }
 
- if !useImg {
- _, err = epinject.AlterEntrypoint(ctx, result.Name(), callback)
- } else {
- _, err = epinject.AlterEntrypointImg(ctx, result.Name(), callback)
- }
+ _, err = epinject.AlterEntrypoint(ctx, result.Name(), callback)
  if err != nil {
  return nil, status.Errorf(codes.Internal, "unable to set modify Docker entrypoint: %s", err)
  }

builtin/docker/kaniko.go

@@ -143,10 +143,8 @@ func (b *Builder) buildWithKaniko(
  step.Done()
  step = sg.Add("Executing kaniko...")
 
- // NOTE(mitchellh): we can probably use the img Go pkg directly one day.
- cmd := exec.CommandContext(ctx, args[0], args[1:]...)
-
  // Command output should go to the step
+ cmd := exec.CommandContext(ctx, args[0], args[1:]...)
  cmd.Stdout = step.TermOutput()
  cmd.Stderr = cmd.Stdout