From 61bbbf0808f19d8b6365fb1c7ff0bd33e7ddccd7 Mon Sep 17 00:00:00 2001
From: Justin Cormack
Date: Mon, 8 May 2017 22:37:59 +0100
Subject: [PATCH] Change containerd and runc to use multistage builds from new Alpine base

Signed-off-by: Justin Cormack
---
 examples/docker.yml | 2 +-
 examples/gcp.yml | 2 +-
 examples/minimal.yml | 4 +--
 examples/node_exporter.yml | 2 +-
 examples/packet.yml | 2 +-
 examples/redis-os.yml | 2 +-
 examples/sshd.yml | 2 +-
 examples/swap.yml | 4 +--
 examples/vmware.yml | 2 +-
 linuxkit.yml | 4 +--
 pkg/containerd/Dockerfile | 15 ++++++---
 pkg/containerd/Makefile | 32 ++++---------------
 pkg/runc/Dockerfile | 13 +++++---
 pkg/runc/Makefile | 32 ++++---------------
 projects/etcd/etcd.yml | 2 +-
 projects/kubernetes/kube-master.yml | 2 +-
 projects/kubernetes/kube-node.yml | 2 +-
 projects/okernel/examples/okernel_simple.yaml | 2 +-
 test/cases/test-docker-bench.yml | 2 +-
 test/cases/test-kernel-config.yml | 2 +-
 test/cases/test-ltp.yml | 2 +-
 test/cases/test-virtsock-server.yml | 2 +-
 test/kmod/kmod.yml | 2 +-
 23 files changed, 52 insertions(+), 84 deletions(-)

diff --git a/examples/docker.yml b/examples/docker.yml
index 5031c19ad..fac0ea561 100644
--- a/examples/docker.yml
+++ b/examples/docker.yml
@@ -3,7 +3,7 @@ kernel:
 cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
 - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
- - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+ - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
 - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
diff --git a/examples/gcp.yml b/examples/gcp.yml
index d740def8e..a7dca3414 100644
--- a/examples/gcp.yml
+++ b/examples/gcp.yml
@@ -3,7 +3,7 @@ kernel:
 cmdline: "console=ttyS0 page_poison=1"
 init:
 - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
- - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+ - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
 - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
diff --git a/examples/minimal.yml b/examples/minimal.yml
index d9501a0d3..c50067013 100644
--- a/examples/minimal.yml
+++ b/examples/minimal.yml
@@ -3,8 +3,8 @@ kernel:
 cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
 - linuxkit/init:6c9b2dfac4ac446e57ad83e9817db4b5a334301c
- - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
- - linuxkit/containerd:60e2486a74c665ba4df57e561729aec20758daed
+ - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
+ - linuxkit/containerd:987b62d8411bc92f092e6e6e8d1038c4e06f0a53
 onboot:
 - name: dhcpcd
 image: "linuxkit/dhcpcd:2def74ab3f9233b4c09ebb196ba47c27c08b0ed8"
diff --git a/examples/node_exporter.yml b/examples/node_exporter.yml
index d1ac96baa..66c287eec 100644
--- a/examples/node_exporter.yml
+++ b/examples/node_exporter.yml
@@ -3,7 +3,7 @@ kernel:
 cmdline: "console=ttyS0 page_poison=1"
 init:
 - linuxkit/init:6c9b2dfac4ac446e57ad83e9817db4b5a334301c
- - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+ - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
 - linuxkit/containerd:fe1b7f438a234cb6481c6538295115eac2a0596d
 services:
 - name: rngd
diff --git a/examples/packet.yml b/examples/packet.yml
index a363b88ca..28712411b 100644
--- a/examples/packet.yml
+++ b/examples/packet.yml
@@ -3,7 +3,7 @@ kernel:
 cmdline: "console=ttyS1 page_poison=1"
 init:
 - linuxkit/init:e10e2efc1b78ef41d196175cbc07e069391f406e
- - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+ - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
 - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
diff --git a/examples/redis-os.yml b/examples/redis-os.yml
index 0e34cca79..bff6175b3 100644
--- a/examples/redis-os.yml
+++ b/examples/redis-os.yml
@@ -5,7 +5,7 @@ kernel:
 cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
 - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
- - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+ - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
 services:
 - name: dhcpcd
diff --git a/examples/sshd.yml b/examples/sshd.yml
index 7ac6e7703..2125b535d 100644
--- a/examples/sshd.yml
+++ b/examples/sshd.yml
@@ -3,7 +3,7 @@ kernel:
 cmdline: "console=ttyS0 page_poison=1"
 init:
 - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
- - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+ - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
 - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
diff --git a/examples/swap.yml b/examples/swap.yml
index 4b28eae27..0a6861302 100644
--- a/examples/swap.yml
+++ b/examples/swap.yml
@@ -3,8 +3,8 @@ kernel:
 cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
 - linuxkit/init:42fe8cb1508b3afed39eb89821906e3cc7a70551
- - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
- - linuxkit/containerd:60e2486a74c665ba4df57e561729aec20758daed
+ - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
+ - linuxkit/containerd:987b62d8411bc92f092e6e6e8d1038c4e06f0a53
 - linuxkit/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
 onboot:
 - name: sysctl
diff --git a/examples/vmware.yml b/examples/vmware.yml
index 1a38a74b4..e4561e95a 100644
--- a/examples/vmware.yml
+++ b/examples/vmware.yml
@@ -3,7 +3,7 @@ kernel:
 cmdline: "console=tty0 page_poison=1"
 init:
 - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
- - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+ - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
 - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
diff --git a/linuxkit.yml b/linuxkit.yml
index d20520d79..f3f88a20c 100644
--- a/linuxkit.yml
+++ b/linuxkit.yml
@@ -3,8 +3,8 @@ kernel:
 cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
 - linuxkit/init:6c9b2dfac4ac446e57ad83e9817db4b5a334301c
- - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
- - linuxkit/containerd:60e2486a74c665ba4df57e561729aec20758daed
+ - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
+ - linuxkit/containerd:987b62d8411bc92f092e6e6e8d1038c4e06f0a53
 - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
 - name: sysctl
diff --git a/pkg/containerd/Dockerfile b/pkg/containerd/Dockerfile
index 637b87a1f..adac4949b 100644
--- a/pkg/containerd/Dockerfile
+++ b/pkg/containerd/Dockerfile
@@ -1,14 +1,15 @@
-FROM golang:1.8-alpine
+FROM linuxkit/alpine:d0cef04aa75159e373fa08a49478ed6bf4adb9b4@sha256:4d8e181db968645b8b3308d2fe725e6f7bb9d9d44a9c3c7782e86c02a6d9e0f1 as alpine
 RUN \
- apk update && apk upgrade -a && \
- apk add --no-cache \
+ apk add \
 btrfs-progs-dev \
 gcc \
 git \
+ go \
 libc-dev \
 linux-headers \
 make \
 && true
+ENV GOPATH=/root/go
 ENV CONTAINERD_COMMIT=25a161bf5d4483bd0bea9e38b0e8fe3ecb17b53e
 RUN mkdir -p $GOPATH/src/github.com/containerd && \
 cd $GOPATH/src/github.com/containerd && \
@@ -19,5 +20,9 @@ RUN make binaries GO_GCFLAGS="-buildmode pie --ldflags '-extldflags \"-fno-PIC -
 RUN cp bin/containerd bin/ctr bin/containerd-shim bin/dist /usr/bin/
 WORKDIR /
 COPY . .
-RUN printf "FROM scratch\nCOPY /usr/bin/* /usr/bin/\nCOPY /etc/containerd/config.toml /etc/containerd/\n" > Dockerfile
-CMD ["tar", "cf", "-", "Dockerfile", "usr/bin/containerd", "usr/bin/ctr", "usr/bin/containerd-shim", "etc/containerd/config.toml"]
+
+FROM scratch
+ENTRYPOINT []
+WORKDIR /
+COPY --from=alpine /usr/bin/containerd /usr/bin/ctr /usr/bin/containerd-shim /usr/bin/
+COPY --from=alpine /etc/containerd/config.toml /etc/containerd/
diff --git a/pkg/containerd/Makefile b/pkg/containerd/Makefile
index bf293a80c..55ed50160 100644
--- a/pkg/containerd/Makefile
+++ b/pkg/containerd/Makefile
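Review bot: The Go toolchain version is no longer stated anywhere in this file: the first stage drops `FROM golang:1.8-alpine` and runs `apk add ... go` on the digest-pinned `linuxkit/alpine` image, so the compiler that builds containerd is whatever that image's package source resolves `go` to. The digest fixes the base layers, but with `apk update` and `--no-cache` removed it is not visible here whether `apk add` reads a package index shipped inside the base image or a remote repository, and only the first case is reproducible. Once that is confirmed I would record it above the `RUN`, e.g. `# go, gcc etc. come from the package set of the pinned linuxkit/alpine image; bump the FROM digest to change them`. The same applies to the first hunk of pkg/runc/Dockerfile, where the implied compiler moves away from golang:1.7. The `RUN mkdir ... && cd ...` that fetches `$CONTAINERD_COMMIT` continues outside the hunk.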
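Review bot: `COPY . .` runs under `WORKDIR /` after the compiled binaries have been placed in /usr/bin, and the new final stage takes /usr/bin/containerd, ctr and containerd-shim from that stage, so a file under `usr/bin/` in the build context would replace the freshly built binary before it is shipped. The old Makefile tarred only `Dockerfile` and `etc/containerd/config.toml` into the context, whereas the new `docker build ... .` sends the whole package directory (unless a .dockerignore outside this patch narrows it). Copying only the config keeps the image contents tied to the pinned commit: `COPY etc/containerd/config.toml /etc/containerd/config.toml`.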
@@ -1,33 +1,13 @@
-SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
-
 .PHONY: tag push
-BASE=golang:1.8-alpine
 IMAGE=containerd
+HASH?=$(shell git ls-tree HEAD -- ../$(notdir $(CURDIR)) | awk '{print $$3}')
+
 default: push
-hash: Dockerfile etc/containerd/config.toml
- DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
- tar cf - $^ | docker build --no-cache -t $(IMAGE):build0 -
- docker run --rm $(IMAGE):build0 | docker build --no-cache -t $(IMAGE):build -
- docker rmi $(IMAGE):build0
- find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > $@
+tag: Dockerfile
+ docker build -t linuxkit/$(IMAGE):$(HASH) .
-push: hash
- docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
- (docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash) && \
- docker push linuxkit/$(IMAGE):$(shell cat hash))
- docker rmi $(IMAGE):build
- rm -f hash
-
-tag: hash
- docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
- docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)
- docker rmi $(IMAGE):build
- rm -f hash
-
-clean:
- rm -f hash
-
-.DELETE_ON_ERROR:
+push: tag
+ docker pull linuxkit/$(IMAGE):$(HASH) || docker push linuxkit/$(IMAGE):$(HASH)
diff --git a/pkg/runc/Dockerfile b/pkg/runc/Dockerfile
index 15a5f41a7..b92e6d9d1 100644
--- a/pkg/runc/Dockerfile
+++ b/pkg/runc/Dockerfile
@@ -1,15 +1,16 @@
-FROM golang:1.7-alpine3.5
+FROM linuxkit/alpine:d0cef04aa75159e373fa08a49478ed6bf4adb9b4@sha256:4d8e181db968645b8b3308d2fe725e6f7bb9d9d44a9c3c7782e86c02a6d9e0f1 as alpine
 RUN \
- apk update && apk upgrade -a && \
- apk add --no-cache \
+ apk add \
 bash \
 gcc \
 git \
+ go \
 libc-dev \
 libseccomp-dev \
 linux-headers \
 make \
 && true
+ENV GOPATH=/root/go
 ENV RUNC_COMMIT=ac50e77bbb440dcab354a328c79754e2502b79ca
 RUN mkdir -p $GOPATH/src/github.com/opencontainers && \
 cd $GOPATH/src/github.com/opencontainers && \
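Review bot: `HASH` is the git tree id of the committed package directory, but `docker build ... .` builds from the working tree, so a build with uncommitted or untracked changes is tagged, and pushed when the tag is not yet in the registry, under the hash of the clean tree. The YAML files pin `linuxkit/containerd:<hash>`, so that tag should only ever name content that matches it. A guard at the top of the `tag` recipe such as `git diff-index --quiet HEAD -- . || { echo "uncommitted changes in $(CURDIR)"; exit 1; }` (or a `-dirty` suffix on the tag) would close the gap; untracked files need a separate check, for example on the output of `git status --porcelain -- .`. The removed `hash` rule also pulled the base with `DOCKER_CONTENT_TRUST=1` and built with `--no-cache`; the digest in the new `FROM` covers the former, but layer caching now applies to the build. pkg/runc/Makefile receives the identical recipe and the same applies there.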
@@ -19,6 +20,8 @@ RUN git checkout $RUNC_COMMIT
 # TODO static pie, currently no easy way to change build options
 RUN make static BUILDTAGS="seccomp"
 RUN cp runc /usr/bin/
+
+FROM scratch
+ENTRYPOINT []
 WORKDIR /
-RUN printf "FROM scratch\nCOPY /usr/bin/runc /usr/bin/\n" > Dockerfile
-CMD ["tar", "cf", "-", "Dockerfile", "usr/bin/runc"]
+COPY --from=alpine /usr/bin/runc /usr/bin/
diff --git a/pkg/runc/Makefile b/pkg/runc/Makefile
index f449ed193..337150a18 100644
--- a/pkg/runc/Makefile
+++ b/pkg/runc/Makefile
@@ -1,33 +1,13 @@
-SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
-
 .PHONY: tag push
-BASE=golang:1.7-alpine3.5
 IMAGE=runc
+HASH?=$(shell git ls-tree HEAD -- ../$(notdir $(CURDIR)) | awk '{print $$3}')
+
 default: push
-hash: Dockerfile
- DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
- tar cf - $^ | docker build --no-cache -t $(IMAGE):build0 -
- docker run --rm $(IMAGE):build0 | docker build --no-cache -t $(IMAGE):build -
- docker rmi $(IMAGE):build0
- find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > $@
+tag: Dockerfile
+ docker build -t linuxkit/$(IMAGE):$(HASH) .
-push: hash
- docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
- (docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash) && \
- docker push linuxkit/$(IMAGE):$(shell cat hash))
- docker rmi $(IMAGE):build
- rm -f hash
-
-tag: hash
- docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
- docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)
- docker rmi $(IMAGE):build
- rm -f hash
-
-clean:
- rm -f hash
-
-.DELETE_ON_ERROR:
+push: tag
+ docker pull linuxkit/$(IMAGE):$(HASH) || docker push linuxkit/$(IMAGE):$(HASH)
diff --git a/projects/etcd/etcd.yml b/projects/etcd/etcd.yml
index a6963249c..cab6983d6 100644
--- a/projects/etcd/etcd.yml
+++ b/projects/etcd/etcd.yml
@@ -3,7 +3,7 @@ kernel:
 cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
 - linuxkit/init:6c9b2dfac4ac446e57ad83e9817db4b5a334301c
- - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+ - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
 - linuxkit/containerd:fe1b7f438a234cb6481c6538295115eac2a0596d
 - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
diff --git a/projects/kubernetes/kube-master.yml b/projects/kubernetes/kube-master.yml
index 6fc6ea530..2bf7f8ff1 100644
--- a/projects/kubernetes/kube-master.yml
+++ b/projects/kubernetes/kube-master.yml
@@ -3,7 +3,7 @@ kernel:
 cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
 - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
- - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+ - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
 - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
diff --git a/projects/kubernetes/kube-node.yml b/projects/kubernetes/kube-node.yml
index 14c82dd08..0f1a6303d 100644
--- a/projects/kubernetes/kube-node.yml
+++ b/projects/kubernetes/kube-node.yml
@@ -3,7 +3,7 @@ kernel:
 cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
 - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
- - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+ - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
 - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
diff --git a/projects/okernel/examples/okernel_simple.yaml b/projects/okernel/examples/okernel_simple.yaml
index 74d006e24..0ddf92eee 100644
--- a/projects/okernel/examples/okernel_simple.yaml
+++ b/projects/okernel/examples/okernel_simple.yaml
@@ -3,7 +3,7 @@ kernel:
 cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
 - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
- - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+ - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
 - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
diff --git a/test/cases/test-docker-bench.yml b/test/cases/test-docker-bench.yml
index dc3201b59..37846cfc0 100644
--- a/test/cases/test-docker-bench.yml
+++ b/test/cases/test-docker-bench.yml
@@ -3,7 +3,7 @@ kernel:
 cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
 - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
- - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+ - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
 - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
diff --git a/test/cases/test-kernel-config.yml b/test/cases/test-kernel-config.yml
index 31703a774..83e4cf817 100644
--- a/test/cases/test-kernel-config.yml
+++ b/test/cases/test-kernel-config.yml
@@ -3,7 +3,7 @@ kernel:
 cmdline: "console=ttyS0"
 init:
 - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
- - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+ - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
 - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
diff --git a/test/cases/test-ltp.yml b/test/cases/test-ltp.yml
index 21eb58d85..55eb13a4a 100644
--- a/test/cases/test-ltp.yml
+++ b/test/cases/test-ltp.yml
@@ -3,7 +3,7 @@ kernel:
 cmdline: "console=ttyS0"
 init:
 - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
- - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+ - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
 - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
diff --git a/test/cases/test-virtsock-server.yml b/test/cases/test-virtsock-server.yml
index 51950010e..50cd33d6a 100644
--- a/test/cases/test-virtsock-server.yml
+++ b/test/cases/test-virtsock-server.yml
@@ -7,7 +7,7 @@ kernel:
 cmdline: "console=ttyS0 page_poison=1"
 init:
 - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
- - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+ - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
 - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
diff --git a/test/kmod/kmod.yml b/test/kmod/kmod.yml
index ff554c1e5..6eb434992 100644
--- a/test/kmod/kmod.yml
+++ b/test/kmod/kmod.yml
@@ -3,7 +3,7 @@ kernel:
 cmdline: "console=ttyS0"
 init:
 - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
- - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+ - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
 onboot:
 - name: check