Merge pull request #1687 from rneugeba/multi-stage

Convert some images to multi-stage builds
2025-07-19 17:26:28 +00:00 · 2017-04-24 20:18:01 +01:00 · 2017-04-24 20:18:01 +01:00 · 22514db912
commit 22514db912
parent b78b5a7449 3ba9d8064b
30 changed files with 187 additions and 291 deletions
--- a/base/alpine-build-toybox/Dockerfile
+++ b/base/alpine-build-toybox/Dockerfile
@ -1,17 +0,0 @@
-FROM alpine:3.5
-RUN \
-  apk update && apk upgrade && \
-  apk add \
-  automake \
-  bash \
-  build-base \
-  git \
-  && true
-COPY . .
-# 0.7.2
-ENV LDFLAGS=--static
-RUN git clone https://github.com/landley/toybox.git && \
-  cd toybox && git checkout b27d5d9ad0c56014d8661d91f69ee498bbbe4cf9 && \
-  make defconfig
-WORKDIR /toybox
-ENTRYPOINT ["/build.sh"]
--- a/base/alpine-build-toybox/Makefile
+++ b/base/alpine-build-toybox/Makefile
@ -1,29 +0,0 @@
-.PHONY: tag push
-
-BASE=alpine:3.5
-IMAGE=alpine-build-toybox
-
-default: push
-
-hash: Dockerfile build.sh
-	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
-	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
-	docker run --rm --entrypoint sh $(IMAGE):build -c 'cat /Dockerfile /build.sh /lib/apk/db/installed | sha1sum' | sed 's/ .*//' > hash
-
-push: hash
-	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-		(docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash) && \
-		 docker push linuxkit/$(IMAGE):$(shell cat hash))
-	docker rmi $(IMAGE):build
-	rm -f hash
-
-tag: hash
-	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-		docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)
-	docker rmi $(IMAGE):build
-	rm -f hash
-
-clean:
-	rm -f hash
-
-.DELETE_ON_ERROR:
--- a/base/alpine-build-toybox/build.sh
+++ b/base/alpine-build-toybox/build.sh
@ -1,11 +0,0 @@
-#!/bin/sh
-
-FILES=$@
-make $FILES > /dev/null
-[ $# -eq 0 ] && FILES=toybox
-# TODO symlinks if just use toybox
-mkdir -p /out/bin
-mv $FILES /out/bin
-printf "FROM scratch\nCOPY bin/ bin/\n" > /out/Dockerfile
-cd /out
-tar cf - .
--- a/base/rng-tools/Dockerfile
+++ b/base/rng-tools/Dockerfile
@ -1,33 +0,0 @@
-FROM alpine:3.5
-RUN \
-  apk update && apk upgrade && \
-  apk add \
-  argp-standalone \
-  curl \
-  gcc \
-  linux-headers \
-  make \
-  musl-dev \
-  patch \
-  && true
-
-COPY . /
-
-ENV pkgname=rng-tools pkgver=5
-
-RUN curl -O -sSL http://downloads.sourceforge.net/project/gkernel/$pkgname/$pkgver/$pkgname-$pkgver.tar.gz
-RUN sha256sum -c sha256sums
-RUN zcat $pkgname-$pkgver.tar.gz | tar xf -
-
-RUN cd $pkgname-$pkgver && for p in ../*.patch; do cat $p | patch -p1; done
-
-RUN cd $pkgname-$pkgver && \
-  export LIBS="-largp" && \
-  LDFLAGS=-static ./configure \
-    --prefix=/usr \
-    --libexecdir=/usr/lib/rng-tools \
-    --sysconfdir=/etc \
-    --disable-silent-rules && \
-  make && \
-  make DESTDIR=/ install && \
-  strip /usr/sbin/rngd
--- a/base/rng-tools/Makefile
+++ b/base/rng-tools/Makefile
@ -1,29 +0,0 @@
-.PHONY: tag push
-
-BASE=alpine:3.5
-IMAGE=rng-tools
-
-default: push
-
-hash: Dockerfile fix-textrels-on-PIC-x86.patch sha256sums
-	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
-	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
-	docker run --rm $(IMAGE):build sh -c 'cat /Dockerfile /lib/apk/db/installed | sha1sum' | sed 's/ .*//' > hash
-
-push: hash
-	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-		(docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash) && \
-		 docker push linuxkit/$(IMAGE):$(shell cat hash))
-	docker rmi $(IMAGE):build
-	rm -f hash
-
-tag: hash
-	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-		docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)
-	docker rmi $(IMAGE):build
-	rm -f hash
-
-clean:
-	rm -f hash
-
-.DELETE_ON_ERROR:
--- a/base/tini/Makefile
+++ b/base/tini/Makefile
@ -1,29 +0,0 @@
-.PHONY: tag push
-
-BASE=alpine:3.5
-IMAGE=tini
-
-default: push
-
-hash: Dockerfile
-	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
-	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
-	docker run --rm --entrypoint sh $(IMAGE):build -c 'cat /Dockerfile /lib/apk/db/installed | sha1sum' | sed 's/ .*//' > hash
-
-push: hash
-	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-		(docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash) && \
-		 docker push linuxkit/$(IMAGE):$(shell cat hash))
-	docker rmi $(IMAGE):build
-	rm -f hash
-
-tag: hash
-	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-		docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)
-	docker rmi $(IMAGE):build
-	rm -f hash
-
-clean:
-	rm -f hash
-
-.DELETE_ON_ERROR:
--- a/base/toybox-media/Makefile
+++ b/base/toybox-media/Makefile
@ -1,28 +0,0 @@
-.PHONY: tag push
-BASE=linuxkit/alpine-build-toybox:1855c262e3b2b252540bab17dc09f0bb292b0633@sha256:ef748ed99678ac0a72ccccb975c45bc1c7b706fe9047c3ac62b2b80025b33d3f
-IMAGE=toybox-media
-
-default: push
-
-hash: 
-	docker run --rm $(BASE) ls tar sh find sha1sum | \
-		docker build -q -t $(IMAGE):build -
-	docker run --rm $(IMAGE):build tar cf - bin | docker run -i $(IMAGE):build sha1sum -b - > hash
-
-push: hash
-	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-		(docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash) && \
-		 docker push linuxkit/$(IMAGE):$(shell cat hash))
-	docker rmi $(IMAGE):build
-	rm -f hash
-
-tag: hash
-	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-		docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)
-	docker rmi $(IMAGE):build
-	rm -f hash
-
-clean:
-	rm -f hash
-
-.DELETE_ON_ERROR:
--- a/examples/docker.yml
+++ b/examples/docker.yml
@ -40,7 +40,7 @@ onboot:
    command: ["/mount.sh", "/var/lib/docker"]
 services:
  - name: rngd
-    image: "linuxkit/rngd:3dad6dd43270fa632ac031e99d1947f20b22eec9"
+    image: "linuxkit/rngd:c42fd499690b2cb6e4e6cb99e41dfafca1cf5b14"
    capabilities:
     - CAP_SYS_ADMIN
    oomScoreAdj: -800
--- a/examples/gcp.yml
+++ b/examples/gcp.yml
@ -37,7 +37,7 @@ onboot:
     - CAP_SYS_ADMIN
 services:
  - name: rngd
-    image: "linuxkit/rngd:3dad6dd43270fa632ac031e99d1947f20b22eec9"
+    image: "linuxkit/rngd:c42fd499690b2cb6e4e6cb99e41dfafca1cf5b14"
    capabilities:
     - CAP_SYS_ADMIN
    oomScoreAdj: -800
--- a/examples/node_exporter.yml
+++ b/examples/node_exporter.yml
@ -8,7 +8,7 @@ init:
  - linuxkit/containerd:fe1b7f438a234cb6481c6538295115eac2a0596d
 services:
  - name: rngd
-    image: "linuxkit/rngd:3dad6dd43270fa632ac031e99d1947f20b22eec9"
+    image: "linuxkit/rngd:c42fd499690b2cb6e4e6cb99e41dfafca1cf5b14"
    capabilities:
     - CAP_SYS_ADMIN
    oomScoreAdj: -800
--- a/examples/packet.yml
+++ b/examples/packet.yml
@ -16,7 +16,7 @@ onboot:
     - CAP_SYS_ADMIN
 services:
  - name: rngd
-    image: "linuxkit/rngd:3dad6dd43270fa632ac031e99d1947f20b22eec9@sha256:1c93c1db7196f6f71f8e300bc1d15f0376dd18e8891c8789d77c8ff19f3a9a92"
+    image: "linuxkit/rngd:c42fd499690b2cb6e4e6cb99e41dfafca1cf5b14"
    capabilities:
     - CAP_SYS_ADMIN
    oomScoreAdj: -800
--- a/examples/sshd.yml
+++ b/examples/sshd.yml
@ -16,7 +16,7 @@ onboot:
     - CAP_SYS_ADMIN
 services:
  - name: rngd
-    image: "linuxkit/rngd:3dad6dd43270fa632ac031e99d1947f20b22eec9"
+    image: "linuxkit/rngd:c42fd499690b2cb6e4e6cb99e41dfafca1cf5b14"
    capabilities:
     - CAP_SYS_ADMIN
    oomScoreAdj: -800
--- a/examples/vmware.yml
+++ b/examples/vmware.yml
@ -17,7 +17,7 @@ onboot:
    readonly: true
 services:
  - name: rngd
-    image: "linuxkit/rngd:3dad6dd43270fa632ac031e99d1947f20b22eec9"
+    image: "linuxkit/rngd:c42fd499690b2cb6e4e6cb99e41dfafca1cf5b14"
    capabilities:
     - CAP_SYS_ADMIN
    oomScoreAdj: -800
--- a/linuxkit.yml
+++ b/linuxkit.yml
@ -33,7 +33,7 @@ onboot:
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
  - name: rngd
-    image: "linuxkit/rngd:3dad6dd43270fa632ac031e99d1947f20b22eec9"
+    image: "linuxkit/rngd:c42fd499690b2cb6e4e6cb99e41dfafca1cf5b14"
    capabilities:
     - CAP_SYS_ADMIN
    oomScoreAdj: -800
--- a/pkg/rngd/Dockerfile
+++ b/pkg/rngd/Dockerfile
@ -1,3 +1,33 @@
-FROM scratch
-COPY . ./
+FROM linuxkit/c-compile:f52f485825c890d581e82a62af6906c1d33d8e5d@sha256:473fd283a090d3546e93915adacf00c69a23ff615c95c968c4a40e8723985853 AS rng-build
+
+COPY . /
+
+ENV pkgname=rng-tools pkgver=5
+RUN curl -O -sSL http://downloads.sourceforge.net/project/gkernel/$pkgname/$pkgver/$pkgname-$pkgver.tar.gz
+RUN sha256sum -c sha256sums
+RUN zcat $pkgname-$pkgver.tar.gz | tar xf -
+
+RUN cd $pkgname-$pkgver && for p in ../*.patch; do cat $p | patch -p1; done
+
+RUN cd $pkgname-$pkgver && \
+  export LIBS="-largp" && \
+  LDFLAGS=-static ./configure \
+    --prefix=/usr \
+    --libexecdir=/usr/lib/rng-tools \
+    --sysconfdir=/etc \
+    --disable-silent-rules && \
+  make && \
+  make DESTDIR=/ install && \
+  strip /usr/sbin/rngd
+RUN mkdir -p /tmp/dev /tmp/proc /tmp/sys
+
+
+FROM linuxkit/tini:6714d66b82b5397f497b2aa05764096ed1ffe7d7@sha256:ba594b96af6195737ce2df702196d7adea2cafde554e18940ee14ad575d27f3b
+ENTRYPOINT []
+WORKDIR /
+COPY --from=rng-build usr/sbin/rngd usr/sbin/rngd
+# Can't create directories, so copy empty dirs from previous context
+COPY --from=rng-build tmp/dev dev
+COPY --from=rng-build tmp/proc proc
+COPY --from=rng-build tmp/sys sys
 CMD ["/bin/tini", "/usr/sbin/rngd", "-f"]
--- a/pkg/rngd/Makefile
+++ b/pkg/rngd/Makefile
@ -1,50 +1,26 @@
-RNG_TOOLS_IMAGE=linuxkit/rng-tools:d77676ea6ae229b779868e5eff4600f59b0eb0d8@sha256:61cafe4075e1223a110d8569961bbf9ec0ab64abd4abb04c1677d7ecd7078383
-RNGD_BINARY=usr/sbin/rngd
-
-TINI_IMAGE=linuxkit/tini:da0e068f8b537b81f817439a52f63e8f6d91cca3@sha256:bdca5e6703c9553d890c79a4a094e2f05df87f09f6bd5bef26c06d6cba56c112
-TINI_BINARY=bin/tini
-
-.PHONY: tag push clean container
+.PHONY: tag push
 default: push

-$(TINI_BINARY):
-	mkdir -p $(dir $@)
-	docker run --rm --net=none $(TINI_IMAGE) tar cf - $@ | tar xf -
-
-$(RNGD_BINARY):
-	mkdir -p $(dir $@)
-	docker run --rm --net=none $(RNG_TOOLS_IMAGE) tar cf - $@ | tar xf -
-
-SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
-
 IMAGE=rngd
+SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
+DEPS=Dockerfile Makefile

-DIRS=dev proc sys
-$(DIRS):
-	mkdir -p $@
-
-DEPS=$(DIRS) $(TINI_BINARY) $(RNGD_BINARY)
-
-container: Dockerfile $(DEPS)
-	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
-
-hash: Dockerfile $(DEPS)
+hash: $(DEPS)
 	find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > hash

-push: hash container
+tag: hash
 	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-		(docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash) && \
-		 docker push linuxkit/$(IMAGE):$(shell cat hash))
-	docker rmi $(IMAGE):build
-	rm -f hash
+		(docker build --no-cache -t $(IMAGE):build . && \
+		 docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash))

-tag: hash container
+push: tag
 	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-		docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)
-	docker rmi $(IMAGE):build
+		docker push linuxkit/$(IMAGE):$(shell cat hash)
 	rm -f hash
+	docker rmi $(IMAGE):build || true

 clean:
-	rm -rf hash $(DIRS) usr bin
+	rm -f hash
+	docker rmi $(IMAGE):build || true

 .DELETE_ON_ERROR:
--- a/base/rng-tools/fix-textrels-on-PIC-x86.patch
+++ b/base/rng-tools/fix-textrels-on-PIC-x86.patch
@ -1,17 +1,17 @@
 --- rng-tools/rdrand_asm.S
 +++ rng-tools/rdrand_asm.S
@@ -49,6 +49,7 @@
- 	ret
+	ret
 ENDPROC(x86_rdrand_nlong)
- 
+
 +#define INIT_PIC()
 #define SETPTR(var,ptr)	leaq var(%rip),ptr
 #define PTR0	%rdi
 #define PTR1	%rsi
@@ -84,7 +85,16 @@
- 	ret
+	ret
 ENDPROC(x86_rdrand_nlong)
- 
+
 +#if defined(__PIC__)
 +#undef __i686 /* gcc builtin define gets in our way */
 +#define INIT_PIC() \
@ -26,16 +26,16 @@
 #define PTR1	%edx
 #define PTR2	%ecx
@@ -101,6 +111,7 @@
- 	movl	8(%ebp), %eax
- 	movl	12(%ebp), %edx
+	movl	8(%ebp), %eax
+	movl	12(%ebp), %edx
 #endif
 +	INIT_PIC()
- 
- 	SETPTR(aes_round_keys, PTR2)
- 
+
+	SETPTR(aes_round_keys, PTR2)
+
@@ -166,6 +177,17 @@
 #endif
- 	ret
+	ret
 ENDPROC(x86_aes_mangle)
 +
 +#if defined(__i386__) && defined(__PIC__)
--- a/base/rng-tools/sha256sums
+++ b/base/rng-tools/sha256sums
--- a/test/docker-bench/test-docker-bench.yml
+++ b/test/docker-bench/test-docker-bench.yml
@ -40,7 +40,7 @@ onboot:
    command: ["/mount.sh", "/var/lib/docker"]
 services:
  - name: rngd
-    image: "linuxkit/rngd:f5e5be43e730ea819c3293d5c6dcbfa7f4c5c314"
+    image: "linuxkit/rngd:c42fd499690b2cb6e4e6cb99e41dfafca1cf5b14"
    capabilities:
     - CAP_SYS_ADMIN
    oomScoreAdj: -800
--- a/test/virtsock/Dockerfile.build
+++ b/test/virtsock/Dockerfile.build
@ -1,4 +1,4 @@
-FROM linuxkit/go-compile:4513068d9a7e919e4ec42e2d7ee879ff5b95b7f5@sha256:bdfadbe3e4ec699ca45b67453662321ec270f2d1a1dbdbf09625776d3ebd68c5
+FROM linuxkit/go-compile:4513068d9a7e919e4ec42e2d7ee879ff5b95b7f5@sha256:bdfadbe3e4ec699ca45b67453662321ec270f2d1a1dbdbf09625776d3ebd68c5 AS virtsock-build

 ENV VIRTSOCK_COMMIT=6b4dec728264e07c41e108caebd6bc2b72559a5f
 RUN mkdir -p $GOPATH/src/github.com/rneugeba && \
@ -7,5 +7,8 @@ RUN mkdir -p $GOPATH/src/github.com/rneugeba && \
 WORKDIR $GOPATH/src/github.com/rneugeba/virtsock
 RUN git checkout $VIRTSOCK_COMMIT
 RUN make build/virtsock_stress.linux
+RUN cp -a build/virtsock_stress.linux /virtsock_stress

-ENTRYPOINT ["cat", "build/virtsock_stress.linux"]
+FROM linuxkit/tini:6714d66b82b5397f497b2aa05764096ed1ffe7d7@sha256:ba594b96af6195737ce2df702196d7adea2cafde554e18940ee14ad575d27f3b
+COPY --from=virtsock-build virtsock_stress bin/virtsock_stress
+CMD ["/bin/tini", "/bin/virtsock_stress", "-s", "-v", "1"]
--- a/test/virtsock/Dockerfile.pkg
+++ b/test/virtsock/Dockerfile.pkg
@ -1,3 +0,0 @@
-FROM scratch
-COPY . ./
-CMD ["/bin/tini", "/bin/virtsock_stress", "-s", "-v", "1"]
--- a/test/virtsock/Makefile
+++ b/test/virtsock/Makefile
@ -1,46 +1,26 @@
-.PHONY: tag push clean container
-all: push
-
-# Build the virtsock stress server
-VIRTSOCK_BINARY=bin/virtsock_stress
-DEPS=Dockerfile.build Makefile
-virtsock.tag: $(DEPS)
-	BUILD=$$(docker build -f $< -q .) && [ -n "$$BUILD" ] && echo "Built $$BUILD" && echo "$$BUILD" > $@
-
-$(VIRTSOCK_BINARY): virtsock.tag
-	mkdir -p $(dir $@)
-	docker run --rm --net=none --log-driver=none $(shell cat virtsock.tag) > $@
-	chmod ugo+x $@
-
-TINI_IMAGE=linuxkit/tini:da0e068f8b537b81f817439a52f63e8f6d91cca3@sha256:bdca5e6703c9553d890c79a4a094e2f05df87f09f6bd5bef26c06d6cba56c112
-TINI_BINARY=bin/tini
-
-$(TINI_BINARY):
-	mkdir -p $(dir $@)
-	docker run --rm --net=none $(TINI_IMAGE) tar cf - $@ | tar xf -
-
-SHASUM=alpine:3.5
+.PHONY: tag push
 IMAGE=test-virtsock
-container: Dockerfile.pkg $(DEPS) $(VIRTSOCK_BINARY) $(TINI_BINARY)
-	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -f $< -

-hash: Dockerfile.pkg $(DEPS)
+default: push
+
+DEPS=Dockerfile Makefile
+SHASUM=alpine:3.5
+hash: $(DEPS)
 	find $^ -type f | xargs cat  | DOCKER_CONTENT_TRUST=1 docker run --rm -i $(SHASUM) sha1sum | sed 's/ .*//' > $@

-push: hash container
+tag: hash
 	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-		(docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash) && \
-		docker push linuxkit/$(IMAGE):$(shell cat hash))
-	docker rmi $(IMAGE):build
-	rm -f hash
+		(docker build --no-cache -t $(IMAGE):build . && \
+		 docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash))
+	docker rmi $(IMAGE):build || true

-tag: hash container
+push: tag
 	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-		docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)
-	docker rmi $(IMAGE):build
+		docker push linuxkit/$(IMAGE):$(shell cat hash)
 	rm -f hash

 clean:
-	rm -rf $(VIRTSOCK_BINARY) $(TINI_BINARY) virtsock.tag hash
+	rm -rf hash
+	docker rmi $(IMAGE):build || true

 .DELETE_ON_ERROR:
--- a/test/virtsock/test-virtsock-server.yml
+++ b/test/virtsock/test-virtsock-server.yml
@ -21,7 +21,7 @@ onboot:
    readonly: true
 services:
  - name: rngd
-    image: "linuxkit/rngd:f5e5be43e730ea819c3293d5c6dcbfa7f4c5c314"
+    image: "linuxkit/rngd:c42fd499690b2cb6e4e6cb99e41dfafca1cf5b14"
    capabilities:
     - CAP_SYS_ADMIN
    oomScoreAdj: -800
@ -38,8 +38,11 @@ services:
    net: host
    oomScoreAdj: -800
  - name: virtsock-server
-    image: "linuxkit/test-virtsock:cd2135acdc225f3bd0503678bb50bbd3e0b194b2"
+    image: "linuxkit/test-virtsock:89133a5081b44dcda66e57502bcbc783e0a654be"
    readonly: true
+trust:
+  image:
+    - linuxkit/kernel
 outputs:
  - format: kernel+initrd
  - format: iso-bios
--- a/tools/c-compile/Dockerfile
+++ b/tools/c-compile/Dockerfile
@ -2,13 +2,22 @@ FROM alpine:3.5
 RUN \
  apk update && apk upgrade && \
  apk add \
-  bsd-compat-headers \
-  curl \
-  gcc \
-  git \
-  libc-dev \
-  linux-headers \
-  util-linux-dev \
+    argp-standalone \
+    automake \
+    bash \
+    bsd-compat-headers \
+    build-base \
+    cmake \
+    curl \
+    gcc \
+    git \
+    libc-dev \
+    linux-headers \
+    make \
+    musl-dev \
+    patch \
+    util-linux-dev \
+    vim \
  && true

 COPY compile.sh /usr/bin/
--- a/tools/tini/Dockerfile
+++ b/tools/tini/Dockerfile
@ -1,16 +1,13 @@
-FROM alpine:3.5
-RUN \
-  apk update && apk upgrade && \
-  apk add \
-  cmake \
-  gcc \
-  make \
-  musl-dev \
-  vim \
-  && true
-
+FROM linuxkit/c-compile:f52f485825c890d581e82a62af6906c1d33d8e5d@sha256:473fd283a090d3546e93915adacf00c69a23ff615c95c968c4a40e8723985853 AS tini-build
 COPY . /
 ENV TINI_VERSION=0.13.0
 ADD https://github.com/krallin/tini/archive/v${TINI_VERSION}.tar.gz tini-${TINI_VERSION}.tar.gz
+
 RUN zcat tini-${TINI_VERSION}.tar.gz | tar xvf -
 RUN cd tini-${TINI_VERSION} && cmake . && make && cp -a tini-static /bin/tini
+
+FROM scratch
+ENTRYPOINT []
+CMD []
+WORKDIR /
+COPY --from=tini-build bin/tini bin/tini
--- a/tools/tini/Makefile
+++ b/tools/tini/Makefile
@ -0,0 +1,26 @@
+.PHONY: tag push
+default: push
+
+IMAGE=tini
+SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
+DEPS=Dockerfile Makefile
+
+hash: $(DEPS)
+	find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > hash
+
+tag: hash
+	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
+		(docker build --no-cache -t $(IMAGE):build . && \
+		 docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash))
+
+push: tag
+	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
+		docker push linuxkit/$(IMAGE):$(shell cat hash)
+	rm -f hash
+	docker rmi $(IMAGE):build || true
+
+clean:
+	rm -f hash
+	docker rmi $(IMAGE):build || true
+
+.DELETE_ON_ERROR:
--- a/tools/tini/README.md
+++ b/tools/tini/README.md
@ -0,0 +1,4 @@
+[tini](https://github.com/krallin/tini) is a tiny program which can be
+used as a minimal `init` process for container images.
+
+The `linuxkit/tini` image just contains `/bin/tini` and can be used as the base image by packages, requiring `tini`.
--- a/tools/toybox-media/Dockerfile
+++ b/tools/toybox-media/Dockerfile
@ -0,0 +1,18 @@
+FROM linuxkit/c-compile:f52f485825c890d581e82a62af6906c1d33d8e5d@sha256:473fd283a090d3546e93915adacf00c69a23ff615c95c968c4a40e8723985853 AS toybox-build
+COPY . .
+ENV FILES="ls tar sh find sha1sum"
+# 0.7.2
+ENV LDFLAGS=--static
+RUN git clone https://github.com/landley/toybox.git && \
+  cd toybox && git checkout b27d5d9ad0c56014d8661d91f69ee498bbbe4cf9 && \
+  make defconfig
+WORKDIR /toybox
+RUN make ${FILES}
+RUN mkdir -p /out/bin
+RUN cp ${FILES} /out/bin
+
+FROM scratch
+ENTRYPOINT []
+CMD []
+WORKDIR /
+COPY --from=toybox-build out/bin bin/
--- a/tools/toybox-media/Makefile
+++ b/tools/toybox-media/Makefile
@ -0,0 +1,26 @@
+.PHONY: tag push
+default: push
+
+IMAGE=toybox-media
+SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
+DEPS=Dockerfile Makefile
+
+hash: $(DEPS)
+	find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > hash
+
+tag: hash
+	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
+		(docker build --no-cache -t $(IMAGE):build . && \
+		 docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash))
+
+push: tag
+	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
+		docker push linuxkit/$(IMAGE):$(shell cat hash)
+	rm -f hash
+	docker rmi $(IMAGE):build || true
+
+clean:
+	rm -f hash
+	docker rmi $(IMAGE):build || true
+
+.DELETE_ON_ERROR:
--- a/tools/toybox-media/README.md
+++ b/tools/toybox-media/README.md
@ -0,0 +1,3 @@
+`linuxkit/toybox-media` is a small container image, which can be use
+to distribute other files in. It contains a basic shell, `tar`, `ls`,
+`find`, and `sha1sum`. It's compiled from [toybox](https://github.com/landley/toybox.git).