packaging: make builder base-image registry substitutable for CI

The static-build builder Dockerfiles (agent, kernel, qemu, shim-v2, ovmf,
tools, virtiofsd, busybox, codegen, coco-guest-components, pause-image) and
the agent codegen image hardcoded their base images from Docker Hub
(ubuntu/alpine/busybox/golang). On a builder-image cache miss in CI these
pulls are subject to Docker Hub rate limiting.

Parameterize every FROM with `ARG IMAGE_REGISTRY=docker.io` +
`FROM ${IMAGE_REGISTRY}/...` (default unchanged, so local builds keep using
Docker Hub) and have each component build script forward the value via a new
get_image_registry_build_arg() helper in scripts/lib.sh (only emitted when
IMAGE_REGISTRY is set). kata-deploy-binaries-in-docker.sh forwards
IMAGE_REGISTRY into the build container.

The build-kata-static workflows set IMAGE_REGISTRY=ghcr.io/kata-containers
per-component on the Docker-Hub-only jobs (build-asset, shim-v2, tools) and,
for rootfs, on every asset except cbl-mariner. To keep the fedora
image-builder on its own registry, it now uses a dedicated
IMAGE_BUILDER_REGISTRY (default registry.fedoraproject.org) instead of
sharing IMAGE_REGISTRY, so the rootfs ubuntu/alpine base can be mirrored
without breaking the fedora- and mcr-based image builds.

Authored-by: Cursor <cursor@cursor.com>
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
This commit is contained in:
Fabiano Fidêncio
2026-06-11 20:35:35 +02:00
parent 8f5b898e6d
commit 908c53f79a
32 changed files with 107 additions and 26 deletions

View File

@@ -101,6 +101,10 @@ jobs:
KATA_ASSET: ${{ matrix.asset }}
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
# Pull builder-image base layers (ubuntu/alpine) from the ghcr.io
# mirror instead of Docker Hub. rootfs (fedora/cbl-mariner) keeps its
# own defaults, so it is deliberately left untouched.
IMAGE_REGISTRY: ghcr.io/kata-containers
ARTEFACT_REGISTRY: ghcr.io
ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
@@ -261,6 +265,10 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}
# Mirror the ubuntu/alpine/debian rootfs base via ghcr.io. cbl-mariner
# (mcr.microsoft.com) is excluded; the fedora image-builder uses its
# own IMAGE_BUILDER_REGISTRY and is unaffected.
IMAGE_REGISTRY: ${{ contains(matrix.asset, 'mariner') && '' || 'ghcr.io/kata-containers' }}
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
@@ -369,6 +377,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
MEASURED_ROOTFS: yes
IMAGE_REGISTRY: ghcr.io/kata-containers
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
@@ -478,6 +487,7 @@ jobs:
KATA_ASSET: ${{ matrix.asset }}
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
IMAGE_REGISTRY: ghcr.io/kata-containers
ARTEFACT_REGISTRY: ghcr.io
ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

View File

@@ -95,6 +95,10 @@ jobs:
KATA_ASSET: ${{ matrix.asset }}
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
# Pull builder-image base layers (ubuntu/alpine) from the ghcr.io
# mirror instead of Docker Hub. rootfs (fedora/cbl-mariner) keeps its
# own defaults, so it is deliberately left untouched.
IMAGE_REGISTRY: ghcr.io/kata-containers
ARTEFACT_REGISTRY: ghcr.io
ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
@@ -251,6 +255,10 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}
# Mirror the ubuntu/alpine/debian rootfs base via ghcr.io. cbl-mariner
# (mcr.microsoft.com) is excluded; the fedora image-builder uses its
# own IMAGE_BUILDER_REGISTRY and is unaffected.
IMAGE_REGISTRY: ${{ contains(matrix.asset, 'mariner') && '' || 'ghcr.io/kata-containers' }}
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
@@ -355,6 +363,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
MEASURED_ROOTFS: yes
IMAGE_REGISTRY: ghcr.io/kata-containers
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
@@ -408,6 +417,7 @@ jobs:
KATA_ASSET: ${{ matrix.asset }}
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
IMAGE_REGISTRY: ghcr.io/kata-containers
ARTEFACT_REGISTRY: ghcr.io
ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

View File

@@ -80,6 +80,9 @@ jobs:
KATA_ASSET: ${{ matrix.asset }}
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
# Pull builder-image base layers (ubuntu/alpine) from the ghcr.io
# mirror instead of Docker Hub.
IMAGE_REGISTRY: ghcr.io/kata-containers
ARTEFACT_REGISTRY: ghcr.io
ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
@@ -189,6 +192,7 @@ jobs:
KATA_ASSET: ${{ matrix.asset }}
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
IMAGE_REGISTRY: ghcr.io/kata-containers
ARTEFACT_REGISTRY: ghcr.io
ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
@@ -275,6 +279,7 @@ jobs:
KATA_ASSET: ${{ matrix.asset }}
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
IMAGE_REGISTRY: ghcr.io/kata-containers
ARTEFACT_REGISTRY: ghcr.io
ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

View File

@@ -67,6 +67,9 @@ jobs:
KATA_ASSET: ${{ matrix.asset }}
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
# Pull builder-image base layers (ubuntu/alpine) from the ghcr.io
# mirror instead of Docker Hub.
IMAGE_REGISTRY: ghcr.io/kata-containers
ARTEFACT_REGISTRY: ghcr.io
ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

View File

@@ -93,6 +93,10 @@ jobs:
KATA_ASSET: ${{ matrix.asset }}
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
# Pull builder-image base layers (ubuntu/alpine) from the ghcr.io
# mirror instead of Docker Hub. rootfs (fedora/cbl-mariner) keeps its
# own defaults, so it is deliberately left untouched.
IMAGE_REGISTRY: ghcr.io/kata-containers
ARTEFACT_REGISTRY: ghcr.io
ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
@@ -234,6 +238,9 @@ jobs:
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
# Mirror the ubuntu/alpine rootfs base via ghcr.io; the fedora
# image-builder uses its own IMAGE_BUILDER_REGISTRY and is unaffected.
IMAGE_REGISTRY: ghcr.io/kata-containers
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
@@ -324,6 +331,7 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
MEASURED_ROOTFS: no
IMAGE_REGISTRY: ghcr.io/kata-containers
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0

View File

@@ -213,6 +213,7 @@ codecov-html: check_tarpaulin
##TARGET generate-protocols: generate/update grpc agent protocols
generate-protocols:
image=$$(docker build -q \
$${IMAGE_REGISTRY:+--build-arg IMAGE_REGISTRY=$$IMAGE_REGISTRY} \
--build-arg GO_VERSION=$$(yq '.languages.golang.version' $(CURDIR)/../../versions.yaml) \
--build-arg PROTOC_VERSION=$$(yq '.externals.protoc.version' $(CURDIR)/../../versions.yaml | grep -oE "[0-9.]+") \
--build-arg PROTOC_GEN_GO_VERSION=$$(yq '.externals.protoc-gen-go.version' $(CURDIR)/../../versions.yaml) \

View File

@@ -2,8 +2,8 @@
# Copyright (c) 2018 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
ARG IMAGE_REGISTRY=registry.fedoraproject.org
FROM ${IMAGE_REGISTRY}/fedora:44
ARG IMAGE_BUILDER_REGISTRY=registry.fedoraproject.org
FROM ${IMAGE_BUILDER_REGISTRY}/fedora:44
RUN ([ -n "$http_proxy" ] && \
sed -i '$ a proxy='$http_proxy /etc/dnf/dnf.conf ; true) && \

View File

@@ -77,7 +77,7 @@ Extra environment variables:
AGENT_BIN: Use it to change the expected agent binary name
AGENT_INIT: Use kata agent as init process
BLOCK_SIZE: Use to specify the size of blocks in bytes. DEFAULT: 4096
IMAGE_REGISTRY: Hostname for the image registry used to pull down the rootfs build image.
IMAGE_BUILDER_REGISTRY: Hostname for the image registry used to pull down the image-builder base image (fedora).
NSDAX_BIN: Use to specify path to pre-compiled 'nsdax' tool.
SKIP_DAX_HEADER: If set to "yes", skip the DAX/NVDIMM header. Use for
virtio-blk-pci images that never use NVDIMM.
@@ -136,8 +136,11 @@ build_with_container() {
image_name=$(basename "${image}")
engine_build_args=""
if [[ -n "${IMAGE_REGISTRY}" ]]; then
engine_build_args+=" --build-arg IMAGE_REGISTRY=${IMAGE_REGISTRY}"
# The image-builder uses its own registry knob (IMAGE_BUILDER_REGISTRY,
# default registry.fedoraproject.org) so it is not affected by the
# IMAGE_REGISTRY used to mirror the rootfs base images (ubuntu/alpine/...).
if [[ -n "${IMAGE_BUILDER_REGISTRY:-}" ]]; then
engine_build_args+=" --build-arg IMAGE_BUILDER_REGISTRY=${IMAGE_BUILDER_REGISTRY}"
fi
if [[ -n "${USE_PODMAN}" ]]; then
engine_build_args+=" --runtime ${DOCKER_RUNTIME}"

View File

@@ -91,6 +91,10 @@ ARTEFACT_REGISTRY_USERNAME="${ARTEFACT_REGISTRY_USERNAME:-}"
ARTEFACT_REGISTRY_PASSWORD="${ARTEFACT_REGISTRY_PASSWORD:-}"
TARGET_BRANCH="${TARGET_BRANCH:-}"
BUILDER_REGISTRY="${BUILDER_REGISTRY:-}"
# Optional mirror registry for third-party base images (e.g. ubuntu, alpine).
# When set, it is forwarded to the component build scripts, which pass it down
# as the IMAGE_REGISTRY build-arg used in the builder Dockerfiles' FROM lines.
IMAGE_REGISTRY="${IMAGE_REGISTRY:-}"
PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY:-"no"}"
RELEASE="${RELEASE:-"no"}"
AGENT_CONTAINER_BUILDER="${AGENT_CONTAINER_BUILDER:-}"
@@ -134,6 +138,7 @@ docker run \
--env TARGET_BRANCH="${TARGET_BRANCH}" \
--env RELEASE="${RELEASE}" \
--env BUILDER_REGISTRY="${BUILDER_REGISTRY}" \
--env IMAGE_REGISTRY="${IMAGE_REGISTRY}" \
--env PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY}" \
--env AGENT_CONTAINER_BUILDER="${AGENT_CONTAINER_BUILDER}" \
--env COCO_GUEST_COMPONENTS_CONTAINER_BUILDER="${COCO_GUEST_COMPONENTS_CONTAINER_BUILDER}" \

View File

@@ -126,6 +126,16 @@ get_last_modification() {
popd &> /dev/null || return
}
# Echo the "--build-arg IMAGE_REGISTRY=..." fragment used to redirect a
# Dockerfile's base image to a mirror, but only when IMAGE_REGISTRY is set.
# When unset, nothing is emitted and the Dockerfile's own ARG default (e.g.
# docker.io) is used. The mirror value contains no spaces, so callers can use
# the unquoted expansion to word-split it into two arguments.
get_image_registry_build_arg() {
[[ -n "${IMAGE_REGISTRY:-}" ]] || return 0
echo "--build-arg IMAGE_REGISTRY=${IMAGE_REGISTRY}"
}
# $1 - The tag to be pushed to the registry
# $2 - "yes" to use sudo, "no" otherwise
push_to_registry() {

View File

@@ -2,7 +2,8 @@
#
# SPDX-License-Identifier: Apache-2.0
FROM ubuntu:22.04
ARG IMAGE_REGISTRY=docker.io
FROM ${IMAGE_REGISTRY}/ubuntu:22.04
ARG RUST_TOOLCHAIN
COPY install_libseccomp.sh /usr/bin/install_libseccomp.sh

View File

@@ -18,9 +18,10 @@ container_image="${AGENT_CONTAINER_BUILDER:-$(get_agent_image_name)}"
# shellcheck disable=SC2154
[[ "${CROSS_BUILD}" == "true" ]] && container_image="${container_image}-cross-build"
# shellcheck disable=SC2154,SC2086
# shellcheck disable=SC2046,SC2154,SC2086
docker pull "${container_image}" || \
(docker ${BUILDX} build ${PLATFORM} \
$(get_image_registry_build_arg) \
--build-arg RUST_TOOLCHAIN="$(get_from_kata_deps ".languages.rust.meta.newest-version")" \
-t "${container_image}" "${script_dir}" && \
# No-op unless PUSH_TO_REGISTRY is exported as "yes"

View File

@@ -2,7 +2,8 @@
#
# SPDX-License-Identifier: Apache-2.0
FROM alpine:3.20.0
ARG IMAGE_REGISTRY=docker.io
FROM ${IMAGE_REGISTRY}/alpine:3.20.0
# Install build dependencies and ORAS for cache support
RUN apk update && apk --no-cache add gpg gpg-agent coreutils bash curl make \

View File

@@ -30,9 +30,10 @@ container_image="${BUSYBOX_CONTAINER_BUILDER:-$(get_busybox_image_name)}"
# shellcheck disable=SC2154
[[ "${CROSS_BUILD}" == "true" ]] && container_image="${container_image}-cross-build"
# shellcheck disable=SC2154,SC2086
# shellcheck disable=SC2046,SC2154,SC2086
docker pull "${container_image}" || \
(docker ${BUILDX} build ${PLATFORM} \
$(get_image_registry_build_arg) \
-t "${container_image}" "${script_dir}" \
# No-op unless PUSH_TO_REGISTRY is exported as "yes"
push_to_registry "${container_image}")

View File

@@ -3,7 +3,8 @@
#
# SPDX-License-Identifier: Apache-2.0
FROM ubuntu:24.04
ARG IMAGE_REGISTRY=docker.io
FROM ${IMAGE_REGISTRY}/ubuntu:24.04
ARG RUST_TOOLCHAIN
ENV DEBIAN_FRONTEND=noninteractive

View File

@@ -36,9 +36,10 @@ container_image="${COCO_GUEST_COMPONENTS_CONTAINER_BUILDER:-$(get_coco_guest_com
# shellcheck disable=SC2154
[[ "${CROSS_BUILD}" == "true" ]] && container_image="${container_image}-cross-build"
# shellcheck disable=SC2154,SC2086
# shellcheck disable=SC2046,SC2154,SC2086
docker pull "${container_image}" || \
(docker ${BUILDX} build ${PLATFORM} \
$(get_image_registry_build_arg) \
--build-arg RUST_TOOLCHAIN="${coco_guest_components_toolchain}" \
--build-arg NVAT_VERSION="${nvat_version}" \
-t "${container_image}" "${script_dir}" && \

View File

@@ -3,8 +3,9 @@
# SPDX-License-Identifier: Apache-2.0
ARG GO_VERSION=
ARG IMAGE_REGISTRY=docker.io
FROM busybox:1.37.0 AS resources
FROM ${IMAGE_REGISTRY}/busybox:1.37.0 AS resources
WORKDIR /usr/local
@@ -12,7 +13,7 @@ ARG PROTOC_VERSION=
RUN wget -O /tmp/protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/protoc-${PROTOC_VERSION}-linux-x86_64.zip && \
unzip /tmp/protoc.zip
FROM golang:${GO_VERSION}
FROM ${IMAGE_REGISTRY}/golang:${GO_VERSION}
COPY --from=resources /usr/local /usr

View File

@@ -2,7 +2,8 @@
#
# SPDX-License-Identifier: Apache-2.0
FROM ubuntu:22.04
ARG IMAGE_REGISTRY=docker.io
FROM ${IMAGE_REGISTRY}/ubuntu:22.04
ENV DEBIAN_FRONTEND=noninteractive
ENV INSTALL_IN_GOPATH=false

View File

@@ -60,6 +60,10 @@ fi
container_build+=" --build-arg ARCH=${ARCH:-}"
if [[ -n "${IMAGE_REGISTRY:-}" ]]; then
container_build+=" --build-arg IMAGE_REGISTRY=${IMAGE_REGISTRY}"
fi
"${container_engine}" pull "${container_image}" || \
{
${container_build} -t "${container_image}" "${script_dir}" && \

View File

@@ -2,7 +2,8 @@
#
# SPDX-License-Identifier: Apache-2.0
FROM ubuntu:22.04
ARG IMAGE_REGISTRY=docker.io
FROM ${IMAGE_REGISTRY}/ubuntu:22.04
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update && \

View File

@@ -58,8 +58,9 @@ fi
[[ -n "${ovmf_package}" ]] || die "failed to get ovmf package or commit"
[[ -n "${package_output_dir}" ]] || die "failed to get ovmf package or commit"
# shellcheck disable=SC2046
docker pull "${container_image}" || \
(docker build -t "${container_image}" "${script_dir}" && \
(docker build $(get_image_registry_build_arg) -t "${container_image}" "${script_dir}" && \
# No-op unless PUSH_TO_REGISTRY is exported as "yes"
push_to_registry "${container_image}")

View File

@@ -1,7 +1,8 @@
# Copyright (c) 2024 Intel
#
# SPDX-License-Identifier: Apache-2.0
FROM ubuntu:22.04
ARG IMAGE_REGISTRY=docker.io
FROM ${IMAGE_REGISTRY}/ubuntu:22.04
ENV DEBIAN_FRONTEND=noninteractive

View File

@@ -30,9 +30,10 @@ container_image="${PAUSE_IMAGE_CONTAINER_BUILDER:-$(get_pause_image_name)}"
# shellcheck disable=SC2154
[[ "${CROSS_BUILD}" == "true" ]] && container_image="${container_image}-cross-build"
# shellcheck disable=SC2154,SC2086
# shellcheck disable=SC2046,SC2154,SC2086
docker pull "${container_image}" || \
(docker ${BUILDX} build ${PLATFORM} \
$(get_image_registry_build_arg) \
-t "${container_image}" "${script_dir}" && \
# No-op unless PUSH_TO_REGISTRY is exported as "yes"
push_to_registry "${container_image}")

View File

@@ -2,7 +2,8 @@
# Copyright (c) 2020 Ant Group
#
# SPDX-License-Identifier: Apache-2.0
FROM ubuntu:22.04
ARG IMAGE_REGISTRY=docker.io
FROM ${IMAGE_REGISTRY}/ubuntu:22.04
# CACHE_TIMEOUT: date to invalid cache, if the date changes the image will be rebuild
# This is required to keep build dependencies with security fixes.

View File

@@ -54,7 +54,9 @@ CACHE_TIMEOUT=$(date +"%Y-%m-%d")
container_image="${QEMU_CONTAINER_BUILDER:-$(get_qemu_image_name)}"
[[ "${CROSS_BUILD}" == "true" ]] && container_image="${container_image}-cross-build"
# shellcheck disable=SC2046
"${container_engine}" pull "${container_image}" || ("${container_engine}" build \
$(get_image_registry_build_arg) \
--build-arg CACHE_TIMEOUT="${CACHE_TIMEOUT}" \
--build-arg http_proxy="${http_proxy}" \
--build-arg https_proxy="${https_proxy}" \

View File

@@ -2,7 +2,8 @@
#
# SPDX-License-Identifier: Apache-2.0
FROM ubuntu:22.04
ARG IMAGE_REGISTRY=docker.io
FROM ${IMAGE_REGISTRY}/ubuntu:22.04
ENV DEBIAN_FRONTEND=noninteractive
ENV GO_HOME="/opt"

View File

@@ -67,9 +67,10 @@ for entry in "${verity_variants[@]}"; do
EXTRA_OPTS+=" ${param_var}=${root_measure_config}"
done
# shellcheck disable=SC2154,SC2086
# shellcheck disable=SC2046,SC2154,SC2086
docker pull "${container_image}" || \
(docker ${BUILDX} build ${PLATFORM} \
$(get_image_registry_build_arg) \
--build-arg GO_VERSION="${GO_VERSION}" \
--build-arg RUST_VERSION="${RUST_VERSION}" \
-t "${container_image}" \

View File

@@ -2,7 +2,8 @@
#
# SPDX-License-Identifier: Apache-2.0
FROM ubuntu:22.04
ARG IMAGE_REGISTRY=docker.io
FROM ${IMAGE_REGISTRY}/ubuntu:22.04
ARG GO_TOOLCHAIN
ARG RUST_TOOLCHAIN

View File

@@ -20,9 +20,10 @@ container_image="${TOOLS_CONTAINER_BUILDER:-$(get_tools_image_name)}"
# shellcheck disable=SC2154
[[ "${CROSS_BUILD}" == "true" ]] && container_image="${container_image}-cross-build"
# shellcheck disable=SC2154,SC2086
# shellcheck disable=SC2046,SC2154,SC2086
docker pull "${container_image}" || \
(docker ${BUILDX} build ${PLATFORM} \
$(get_image_registry_build_arg) \
--build-arg GO_TOOLCHAIN="$(get_from_kata_deps ".languages.golang.meta.newest-version")" \
--build-arg RUST_TOOLCHAIN="$(get_from_kata_deps ".languages.rust.meta.newest-version")" \
-t "${container_image}" "${script_dir}" && \

View File

@@ -55,9 +55,10 @@ container_image="${VIRTIOFSD_CONTAINER_BUILDER:-$(get_virtiofsd_image_name)}"
# shellcheck disable=SC2154
[[ "${CROSS_BUILD}" == "true" ]] && container_image="${container_image}-cross-build"
# shellcheck disable=SC2154,SC2086
# shellcheck disable=SC2046,SC2154,SC2086
docker pull "${container_image}" || \
(docker ${BUILDX} build ${PLATFORM} \
$(get_image_registry_build_arg) \
--build-arg RUST_TOOLCHAIN="${virtiofsd_toolchain}" \
-t "${container_image}" "${script_dir}/${libc}" && \
# No-op unless PUSH_TO_REGISTRY is exported as "yes"

View File

@@ -2,7 +2,8 @@
#
# SPDX-License-Identifier: Apache-2.0
FROM ubuntu:22.04
ARG IMAGE_REGISTRY=docker.io
FROM ${IMAGE_REGISTRY}/ubuntu:22.04
ENV DEBIAN_FRONTEND=noninteractive
ARG RUST_TOOLCHAIN

View File

@@ -2,7 +2,8 @@
#
# SPDX-License-Identifier: Apache-2.0
FROM alpine:3.23.0
ARG IMAGE_REGISTRY=docker.io
FROM ${IMAGE_REGISTRY}/alpine:3.23.0
ARG RUST_TOOLCHAIN
ENV RUSTUP_HOME="/opt/rustup"