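# Build skopeo from source because of https://github.com/containers/skopeo/issues/1648
FROM golang:1.18 AS skopeo-build
# bash with pipefail so a failed or interrupted curl is not masked by tar's exit status
# (the default /bin/sh -c only reports the status of the last command in a pipe)
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
WORKDIR /usr/src/skopeo
# release tag to build; bump here to change the skopeo version shipped in the image
ARG SKOPEO_VERSION="1.8.0"
# NOTE(review): the source tarball is not checksum-verified; the build trusts TLS to
# github.com and the tag not having moved. Verify a pinned digest if reproducibility
# against upstream changes is required.
RUN curl -fsSL "https://github.com/containers/skopeo/archive/v${SKOPEO_VERSION}.tar.gz" \
| tar -xzf - --strip-components=1
# CGO disabled and no dynamic link flags; the containers_image_openpgp build tag
# selects the Go openpgp signature backend so no gpgme is needed. Docs are skipped.
RUN CGO_ENABLED=0 DISABLE_DOCS=1 make BUILDTAGS=containers_image_openpgp GO_DYN_FLAGS=
# smoke-test the resulting binary before it is copied into the rootfs stage
RUN ./bin/skopeo --version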
# Minimal rootfs holding only the two artifacts the final stage needs from the build
FROM scratch AS skopeo-rootfs
# default signature policy shipped with the skopeo sources
COPY --from=skopeo-build /usr/src/skopeo/default-policy.json /etc/containers/policy.json
# skopeo binary built without cgo in the previous stage
COPY --from=skopeo-build /usr/src/skopeo/bin/skopeo /usr/local/bin/skopeo
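FROM buildpack-deps:focal
# set bash as the default interpreter for the build with:
# -e: exits on error, so we can use colon as line separator
# -u: throw error on variable unset
# -x: print each command as it runs (visible in the build log)
# -o pipefail: exits on first command failed in pipe
SHELL ["/bin/bash", "-euxo", "pipefail", "-c"]
ENV USER=jenkins
ENV HOME="/home/${USER}"
# build helpers
# debconf only honours DEBIAN_FRONTEND (with the underscore); declared as an ARG
# so it reaches the RUN steps of this stage without leaking into the runtime env
ARG DEBIAN_FRONTEND="noninteractive"
ARG APT_GET="apt-get"
ARG APT_GET_INSTALL="${APT_GET} install -yq --no-install-recommends"
ARG SUDO_APT_GET="sudo ${APT_GET}"
# sudo normally resets the environment, so the variable is passed explicitly on the command line
ARG SUDO_APT_GET_INSTALL="sudo DEBIAN_FRONTEND=noninteractive ${APT_GET_INSTALL}"
ARG CLEAN_APT="rm -rf /var/lib/apt/lists/*"
ARG SUDO_CLEAN_APT="sudo ${CLEAN_APT}"
ARG CURL="curl -fsSL"
ARG NPM_GLOBAL_PATH="${HOME}/.npm-global"
ENV AGENT_WORKDIR="${HOME}/agent" \
CI=true \
PATH="${NPM_GLOBAL_PATH}/bin:${HOME}/.local/bin:${PATH}" \
# arm64-specific path; presumably where the temurin-11-jdk package installs on \
# this architecture — verify when building for another platform \
JAVA_HOME="/usr/lib/jvm/temurin-11-jdk-arm64" \
# locale and encoding
LANG="en_US.UTF-8" \
LANGUAGE="en_US:en" \
LC_ALL="en_US.UTF-8" \
## Entrypoint related \
# Wait for dind before running CMD \
S6_CMD_WAIT_FOR_SERVICES=1 \
# Time to wait for the cleanup.sh to finish \
S6_KILL_FINISH_MAXTIME=45000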
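# create non-root user
# this step still runs as root (no USER instruction yet), so no sudo is needed here
RUN group=${USER}; \
uid=1000; \
gid=${uid}; \
groupadd -g ${gid} ${group}; \
# -l: skip the lastlog/faillog entries for the new account \
useradd -l -c "Jenkins user" -d "${HOME}" -u ${uid} -g ${gid} -m ${USER} -s /bin/bash; \
# install sudo and locales \
${APT_GET} update; \
${APT_GET_INSTALL} \
sudo \
locales; \
# clean apt cache \
${CLEAN_APT}; \
# setup locale \
sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen; \
locale-gen; \
# setup sudo: passwordless root for the build user (CI image, so effectively root) \
usermod -aG sudo ${USER}; \
echo "${USER} ALL=(ALL) NOPASSWD:ALL" > "/etc/sudoers.d/${USER}"; \
# sudoers drop-ins are expected to be root-owned and not world readable/writable \
chmod 0440 "/etc/sudoers.d/${USER}"; \
# fail the build early on a malformed sudoers fragment instead of at first sudo use \
visudo -cf "/etc/sudoers.d/${USER}"; \
# dismiss sudo welcome message \
sudo -u "${USER}" sudo true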
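# use non-root user with sudo when needed
USER "${USER}"
WORKDIR "${HOME}"
# create the agent workdir (owned by the build user) before declaring the volume:
# a VOLUME path missing from the image is typically created root-owned at run time,
# and the classic builder discards writes made to a volume path after the VOLUME
# instruction — either way the non-root agent could end up unable to write there
RUN mkdir -p "${AGENT_WORKDIR}"
VOLUME "${AGENT_WORKDIR}"
# skopeo binary and default policy from the scratch stage (COPY writes as root)
COPY --from=skopeo-rootfs / /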
# Tool installation, run as the non-root build user and escalating with sudo where
# needed. Everything here is fetched over the network at build time; most sources are
# unpinned ("latest" release lookups, curl|bash installers) and none of the downloaded
# binaries are checksum-verified, so the image is not reproducible and its supply
# chain is only as trustworthy as TLS to each origin at build time.
# NOTE(review): "version" is a scratch variable reused by several sections below.
RUN \
# ensure skopeo is working
skopeo --version; \
# assure jenkins-agent directories \
mkdir -p "${AGENT_WORKDIR}"; \
## apt \
${SUDO_APT_GET} update; \
# upgrade system \
# (a blanket upgrade makes the layer depend on the build date; bumping the base \
# image tag is the reproducible alternative — hadolint DL3005) \
${SUDO_APT_GET} -yq upgrade; \
# install add-apt-repository \
${SUDO_APT_GET_INSTALL} software-properties-common; \
## apt repositories \
# NOTE(review): apt-key is deprecated; keys added this way land in the global \
# trusted keyring and are accepted for *any* configured repository. A per-source \
# keyring referenced with "[signed-by=...]" limits each key to its own repo. \
# adoptium openjdk \
${CURL} https://packages.adoptium.net/artifactory/api/gpg/key/public | sudo apt-key add -; \
sudo add-apt-repository --no-update -y "https://packages.adoptium.net/artifactory/deb"; \
# kubernetes \
# (repository registered but kubectl is not installed below; see commented package) \
${CURL} https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -; \
sudo add-apt-repository --no-update -y "deb https://apt.kubernetes.io/ kubernetes-xenial main"; \
# skopeo, podman, buildah \
# version_id="$(source /etc/os-release && echo -n "$VERSION_ID")"; \
# ${CURL} https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${version_id}/Release.key | sudo apt-key add -; \
# sudo add-apt-repository --no-update -y "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${version_id}/ /"; \
# yarn \
# (repository registered but the yarn package is commented out below) \
${CURL} https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -; \
sudo add-apt-repository --no-update -y "deb https://dl.yarnpkg.com/debian/ stable main"; \
# jfrog \
# ${CURL} https://releases.jfrog.io/artifactory/api/gpg/key/public | sudo apt-key add -; \
# sudo add-apt-repository --no-update -y "deb https://releases.jfrog.io/artifactory/jfrog-debs xenial contrib"; \
# git \
sudo add-apt-repository --no-update -y ppa:git-core/ppa; \
# yq \
sudo add-apt-repository --no-update -y ppa:rmescandon/yq; \
# git-lfs \
# NOTE(review): remote script executed as root (sudo -E keeps the caller's \
# environment) with no version pin or checksum \
${CURL} https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | sudo -E bash -; \
# nodejs \
# NOTE(review): same pattern; setup_lts.x resolves to whichever LTS is current at build time \
${CURL} https://deb.nodesource.com/setup_lts.x | sudo -E bash -; \
# install apt packages \
# (no versions pinned; the set installed depends on the repositories' state at build time) \
${SUDO_APT_GET_INSTALL} \
git \
git-lfs \
tree \
jq \
yq \
parallel \
rsync \
sshpass \
python3-pip \
temurin-11-jdk \
nodejs \
# yarn \
# kubectl \
# skopeo \
# jfrog-cli \
# shellcheck \
# maven \
# ant \
# ant-contrib \
zip \
unzip \
time \
# required for docker in docker \
iptables \
xz-utils \
btrfs-progs \
# network \
net-tools \
iputils-ping \
traceroute \
dnsutils; \
# install docker \
# NOTE(review): get.docker.com installs the newest docker-ce available; pin a \
# version and verify the script if the image must be reproducible \
${CURL} https://get.docker.com | sudo sh; \
${SUDO_APT_GET} autoremove -yq; \
${SUDO_CLEAN_APT}; \
# setup docker \
# membership of the docker group is equivalent to root on the host running the daemon \
sudo usermod -aG docker "${USER}"; \
# setup buildx \
# "latest" is resolved through the unauthenticated GitHub API (rate-limited per IP); \
# jq -e makes the build fail when the response carries no tag_name \
version=$(${CURL} https://api.github.com/repos/docker/buildx/releases/latest | jq .tag_name -er); \
# arm64 asset name is hard-coded; the download is not checksum-verified \
${CURL} --create-dirs -o "$HOME/.docker/cli-plugins/docker-buildx" "https://github.com/docker/buildx/releases/download/${version}/buildx-${version}.$(uname -s)-arm64"; \
chmod a+x "$HOME/.docker/cli-plugins/docker-buildx"; \
# presumably registers buildx as the default "docker build" for this user — verify \
docker buildx install; \
# install docker compose \
# same unpinned "latest" lookup, arch taken from uname -m here \
version=$(${CURL} https://api.github.com/repos/docker/compose/releases/latest | jq .tag_name -er); \
${CURL} --create-dirs -o "$HOME/.docker/cli-plugins/docker-compose" "https://github.com/docker/compose/releases/download/${version}/docker-compose-$(uname -s)-$(uname -m)"; \
chmod a+x "$HOME/.docker/cli-plugins/docker-compose"; \
## setup docker-switch (docker-compose v1 compatibility) \
# installed system-wide so the legacy "docker-compose" command name keeps working \
version=$(${CURL} https://api.github.com/repos/docker/compose-switch/releases/latest | jq .tag_name -er); \
sudo ${CURL} --create-dirs -o "/usr/local/bin/docker-compose" "https://github.com/docker/compose-switch/releases/download/${version}/docker-compose-$(uname -s)-arm64"; \
sudo chmod +x /usr/local/bin/docker-compose; \
## dind \
# set up subuid/subgid so that "--userns-remap=default" works out-of-the-box \
sudo addgroup --system dockremap; \
sudo adduser --system --ingroup dockremap dockremap; \
echo 'dockremap:165536:65536' | sudo tee -a /etc/subuid; \
echo 'dockremap:165536:65536' | sudo tee -a /etc/subgid; \
# install dind hack \
# pinned to a moby commit (good); still no checksum on the fetched script \
version="42b1175eda071c0e9121e1d64345928384a93df1"; \
sudo ${CURL} -o /usr/local/bin/dind "https://raw.githubusercontent.com/moby/moby/${version}/hack/dind"; \
sudo chmod +x /usr/local/bin/dind; \
# install jenkins-agent \
base_url="https://repo.jenkins-ci.org/public/org/jenkins-ci/main/remoting"; \
# version=$(curl -fsS ${base_url}/maven-metadata.xml | grep "<latest>.*</latest>" | sed -e "s#\(.*\)\(<latest>\)\(.*\)\(</latest>\)\(.*\)#\3#g"); \
# remoting version pinned; the jar is not verified against a published checksum \
version="4.13"; \
sudo curl --create-dirs -fsSLo /usr/share/jenkins/agent.jar "${base_url}/${version}/remoting-${version}.jar"; \
sudo chmod 755 /usr/share/jenkins; \
sudo chmod +x /usr/share/jenkins/agent.jar; \
# legacy name kept for callers that still expect slave.jar \
sudo ln -sf /usr/share/jenkins/agent.jar /usr/share/jenkins/slave.jar; \
# install jenkins-agent wrapper from inbound-agent \
# wrapper script fetched from the latest docker-inbound-agent tag, unpinned \
version=$(${CURL} https://api.github.com/repos/jenkinsci/docker-inbound-agent/releases/latest | jq .tag_name -er); \
sudo ${CURL} -o /usr/local/bin/jenkins-agent "https://raw.githubusercontent.com/jenkinsci/docker-inbound-agent/${version}/jenkins-agent"; \
sudo chmod +x /usr/local/bin/jenkins-agent; \
sudo ln -sf /usr/local/bin/jenkins-agent /usr/local/bin/jenkins-slave; \
## pip \
# upgrade pip \
sudo python3 -m pip install --no-cache-dir --upgrade pip; \
# setup python and pip aliases \
sudo update-alternatives --install /usr/bin/python python /usr/bin/python3 1; \
sudo update-alternatives --install /usr/bin/pip pip /usr/bin/pip3 1; \
# install pip packages \
# pip install --user --no-cache-dir ansible; \
## npm \
# upgrade npm \
sudo npm install -g npm@latest; \
# allow npm --global to run as non-root \
mkdir "${NPM_GLOBAL_PATH}"; \
npm config set prefix "${NPM_GLOBAL_PATH}"; \
# # install npm packages \
# npm install --global \
# semver \
# bats; \
# clean npm cache \
# (both the root cache from the global upgrade and the user's cache) \
sudo npm cache clean --force; \
npm cache clean --force; \
## miscellaneous \
# # install kind \
# version=$(${CURL} https://api.github.com/repos/kubernetes-sigs/kind/releases/latest | jq .tag_name -er); \
# sudo ${CURL} -o /usr/local/bin/kind "https://github.com/kubernetes-sigs/kind/releases/download/${version}/kind-$(uname)-arm64"; \
# sudo chmod +x /usr/local/bin/kind; \
# # install hadolint \
# version=$(${CURL} https://api.github.com/repos/hadolint/hadolint/releases/latest | jq .tag_name -er); \
# sudo ${CURL} -o /usr/local/bin/hadolint "https://github.com/hadolint/hadolint/releases/download/${version}/hadolint-Linux-arm64"; \
# sudo chmod +x /usr/local/bin/hadolint; \
# # install helm 3 \
# ${CURL} https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | sudo -E bash -; \
# install s6-overlay \
# version pinned (v2.2.0.3, aarch64 asset); the installer is executed as root \
# against / without checksum verification \
${CURL} -o /tmp/s6-overlay-installer https://github.com/just-containers/s6-overlay/releases/download/v2.2.0.3/s6-overlay-aarch64-installer; \
chmod +x /tmp/s6-overlay-installer; \
sudo /tmp/s6-overlay-installer /; \
rm -f /tmp/s6-overlay-installer
# back to root: s6-overlay's /init needs it to start the docker daemon (see below)
USER root
# presumably the s6 service and init scripts; the directory contents are not visible
# here and land in / as root, so review what rootfs/ contains
COPY rootfs/ /
# s6-overlay runs as root so that it can properly start the docker daemon
# but it executes CMD as jenkins by dropping the privileges with s6-setuidgid
# hadolint ignore=DL3002
ENTRYPOINT [ "/init",\
# write jenkins-agent logs to /dev/termination-log so that Kubernetes can use
# it as the termination message. See:
# https://github.com/just-containers/s6-overlay/issues/425
# redirect stdout of CMD to /dev/termination-log
"pipeline", "-w", "tee", "/dev/termination-log", "", \
# redirect stderr of CMD to stdout so that both go to /dev/termination-log
"fdmove", "-c", "2", "1", \
# drop privileges for CMD (run as jenkins user)
"s6-setuidgid", "jenkins"]
# default command appended to the ENTRYPOINT chain; overridable at docker run
CMD [ "jenkins-agent" ]