forked from projectcalico/go-build
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Dockerfile.amd64
148 lines (124 loc) · 7.71 KB
/
Dockerfile.amd64
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
FROM calico/bpftool:v5.3-amd64 as bpftool
FROM goboring/golang:1.16.7b7
MAINTAINER Shaun Crampton <shaun@projectcalico.org>
# Override the go boring version in the image with the latest release. There is currently no 1.17 container image,
# so starting with 1.16 and then overwriting with 1.17.
ARG GO_BORING_VERSION=1.17.5b7
ARG QEMU_VERSION=4.2.0-6
# we need these two distinct lists. The first one is the names used by the qemu distributions
# these second is the names used by golang see https://github.com/golang/go/blob/master/src/go/build/syslist.go
# the primary difference as of this writing is that qemu uses aarch64 and golang uses arm64
ARG QEMU_ARCHS="arm aarch64 ppc64le s390x"
ARG CROSS_ARCHS="arm arm64 ppc64le s390x"
ARG MANIFEST_TOOL_VERSION=v1.0.2
# Install su-exec for use in the entrypoint.sh (so processes run as the right user)
# Install bash for the entry script (and because it's generally useful)
# Install curl
# Install git for fetching Go dependencies
# Install ssh for fetching Go dependencies
# Install mercurial for fetching go dependencies
# Install wget since it's useful for fetching
# Install make for building things
# Install util-linux for column command (used for output formatting).
# Install grep, sed, zip, and jq for use in some Makefiles
# Install gcc for cgo.
# Install clang, libbpf and newer kernel headers for building BPF binaries.
# Install apt-utils, libpcre++-dev and libraries for ModSecurity dependencies.
RUN echo 'APT::Default-Release "buster";' > /etc/apt/apt.conf.d/99defaultrelease && \
echo 'deb http://ftp.am.debian.org/debian/ buster-backports main contrib non-free' > /etc/apt/sources.list.d/buster-backports.list && \
apt-get -y update && \
apt-get -y upgrade && \
apt-get install --no-install-recommends -y -t buster-backports \
libbpf-dev linux-headers-5.10.0-0.bpo.9-amd64 && \
apt-get install --no-install-recommends -y \
curl bash git openssh-client mercurial make wget util-linux file grep sed jq zip \
llvm-11 clang-11 binutils file iproute2 \
ca-certificates gcc mingw-w64 libc-dev bsdmainutils strace libpcap-dev \
apt-utils autoconf automake build-essential \
libcurl4-openssl-dev libgeoip-dev liblmdb-dev \
libpcre++-dev libtool libxml2-dev libyajl-dev \
pkgconf zlib1g-dev && \
rm -rf /var/lib/apt/lists/*
RUN wget https://storage.googleapis.com/go-boringcrypto/go${GO_BORING_VERSION}.linux-amd64.tar.gz
RUN rm -rf /usr/local/go && tar -C /usr/local -xzf go${GO_BORING_VERSION}.linux-amd64.tar.gz
RUN rm go${GO_BORING_VERSION}.linux-amd64.tar.gz
# su-exec is used by the entrypoint script to execute the user's command with the right UID/GID.
# (sudo doesn't work easily in a container.) The version was current master at the time of writing.
ARG SU_EXEC_VER=212b75144bbc06722fbd7661f651390dc47a43d1
RUN set -ex; \
curl -o /sbin/su-exec.c https://raw.githubusercontent.com/ncopa/su-exec/${SU_EXEC_VER}/su-exec.c; \
gcc -Wall /sbin/su-exec.c -o/sbin/su-exec; \
chown root:root /sbin/su-exec; \
chmod 0755 /sbin/su-exec; \
rm /sbin/su-exec.c
# Install fossa for foss license checks
ARG FOSSA_VER=1.0.1
RUN curl -L https://github.com/fossas/fossa-cli/releases/download/v${FOSSA_VER}/fossa-cli_${FOSSA_VER}_linux_amd64.tar.gz | tar zxvf - -C /usr/local/bin --extract fossa
RUN chmod +x /usr/local/bin/fossa
ARG MOCKERY_VER=2.3.0
RUN curl -L https://github.com/vektra/mockery/releases/download/v${MOCKERY_VER}/mockery_${MOCKERY_VER}_Linux_x86_64.tar.gz | tar zxvf - -C /usr/local/bin --extract mockery
RUN chmod +x /usr/local/bin/mockery
# Disable ssh host key checking
RUN echo 'Host *' >> /etc/ssh/ssh_config \
&& echo ' StrictHostKeyChecking no' >> /etc/ssh/ssh_config
# We want to be able to do both cgo and non-cgo builds. That's awkward because toggling cgo
# results in parts of the stdlib getting rebuilt (which fails due to the container's read-only
# filesystem). As a workaround: take a copy of the go root for cgo builds and have the
# entrypoint script swap it into the path if it detects CGO_ENABLED=1.
ENV GOROOT=/usr/local/go
ENV GOCGO=/usr/local/go-cgo
# Disable cgo by default so that binaries we build will be fully static by default.
ENV CGO_ENABLED=0
RUN cp -a $GOROOT $GOCGO && \
go install -v std && \
rm -rf /go/src/* /root/.cache
# Install go programs that we rely on
RUN go get github.com/onsi/ginkgo/ginkgo && \
go get golang.org/x/tools/cmd/goimports && \
wget -O - -q https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s v1.27.0 && \
golangci-lint --version && \
go get github.com/pmezard/licenses && \
go get github.com/wadey/gocovmerge && \
GO111MODULE=on go get github.com/mikefarah/yq/v3 && \
go get -u github.com/jstemmer/go-junit-report && \
go get -u golang.org/x/tools/cmd/stringer && \
GO111MODULE=on go get k8s.io/code-generator/cmd/openapi-gen@v0.21.0 && \
GO111MODULE=on go get k8s.io/code-generator/cmd/deepcopy-gen@v0.21.0 && \
GO111MODULE=on go get k8s.io/code-generator/cmd/client-gen@v0.21.0 && \
GO111MODULE=on go get k8s.io/code-generator/cmd/lister-gen@v0.21.0 && \
GO111MODULE=on go get k8s.io/code-generator/cmd/informer-gen@v0.21.0 && \
GO111MODULE=on go get k8s.io/code-generator/cmd/defaulter-gen@v0.21.0 && \
GO111MODULE=on go get k8s.io/code-generator/cmd/conversion-gen@v0.21.0 && \
rm -rf /go/src/* /root/.cache
# Install necessary Kubernetes binaries used in tests.
RUN wget https://dl.k8s.io/v1.22.2/bin/linux/amd64/kube-apiserver -O /usr/local/bin/kube-apiserver && chmod +x /usr/local/bin/kube-apiserver && \
wget https://dl.k8s.io/release/v1.22.2/bin/linux/amd64/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \
wget https://dl.k8s.io/v1.22.2/bin/linux/amd64/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager
# Used for generating CRD files.
# Download a version of controller-gen that has been hacked to support additional types (e.g., float).
# We can remove this once we update the Calico v3 APIs to use only types which are supported by the upstream controller-gen
# tooling. Example: float, all the types in the numorstring package, etc.
RUN wget -O ${GOPATH}/bin/controller-gen https://github.com/projectcalico/controller-tools/releases/download/calico-0.1/controller-gen && chmod +x ${GOPATH}/bin/controller-gen
# Enable non-native runs on amd64 architecture hosts
RUN for i in ${QEMU_ARCHS}; do curl -L https://github.com/multiarch/qemu-user-static/releases/download/v${QEMU_VERSION}/qemu-${i}-static.tar.gz | tar zxvf - -C /usr/bin; done
RUN chmod +x /usr/bin/qemu-*
# When running cross built binaries run-times will be auto-installed,
# ensure the install directory is writable by everyone.
RUN for arch in ${CROSS_ARCHS}; do mkdir -m +w -p /usr/local/go/pkg/linux_${arch}; GOARCH=${arch} go install -v std; done
# Ensure that everything under the GOPATH is writable by everyone
RUN chmod -R 777 $GOPATH
RUN curl -sSL https://github.com/estesp/manifest-tool/releases/download/${MANIFEST_TOOL_VERSION}/manifest-tool-linux-amd64 > manifest-tool && \
chmod +x manifest-tool && \
mv manifest-tool /usr/bin/
# crane is needed for our release targets to copy images from the dev registries to the release registries.
RUN wget https://github.com/google/go-containerregistry/releases/download/v0.4.1/go-containerregistry_Linux_x86_64.tar.gz && \
tar -xvf go-containerregistry_Linux_x86_64.tar.gz && \
chmod +x crane && \
mv crane /usr/bin
# Add bpftool for Felix UT/FV.
COPY --from=bpftool /bpftool /usr/bin
# Build ModSecurity for Dikastes.
COPY scripts/modsec.sh /usr/local/bin/scripts/modsec.sh
RUN /usr/local/bin/scripts/modsec.sh
COPY entrypoint.sh /usr/local/bin/entrypoint.sh
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]