Change containerd and runc to use multistage builds from new Alpine base

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2025-07-19 17:26:28 +00:00 · 2017-05-08 22:37:59 +01:00 · 2017-05-08 22:37:59 +01:00 · 61bbbf0808
commit 61bbbf0808
parent f2fc503bb0
23 changed files with 52 additions and 84 deletions
--- a/examples/docker.yml
+++ b/examples/docker.yml
@ -3,7 +3,7 @@ kernel:
  cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
  - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
-  - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+  - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
  - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
  - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
--- a/examples/gcp.yml
+++ b/examples/gcp.yml
@ -3,7 +3,7 @@ kernel:
  cmdline: "console=ttyS0 page_poison=1"
 init:
  - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
-  - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+  - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
  - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
  - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
--- a/examples/minimal.yml
+++ b/examples/minimal.yml
@ -3,8 +3,8 @@ kernel:
  cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
  - linuxkit/init:6c9b2dfac4ac446e57ad83e9817db4b5a334301c
-  - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
-  - linuxkit/containerd:60e2486a74c665ba4df57e561729aec20758daed
+  - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
+  - linuxkit/containerd:987b62d8411bc92f092e6e6e8d1038c4e06f0a53
 onboot:
  - name: dhcpcd
    image: "linuxkit/dhcpcd:2def74ab3f9233b4c09ebb196ba47c27c08b0ed8"
--- a/examples/node_exporter.yml
+++ b/examples/node_exporter.yml
@ -3,7 +3,7 @@ kernel:
  cmdline: "console=ttyS0 page_poison=1"
 init:
  - linuxkit/init:6c9b2dfac4ac446e57ad83e9817db4b5a334301c
-  - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+  - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
  - linuxkit/containerd:fe1b7f438a234cb6481c6538295115eac2a0596d
 services:
  - name: rngd
--- a/examples/packet.yml
+++ b/examples/packet.yml
@ -3,7 +3,7 @@ kernel:
  cmdline: "console=ttyS1 page_poison=1"
 init:
  - linuxkit/init:e10e2efc1b78ef41d196175cbc07e069391f406e
-  - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+  - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
  - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
  - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
--- a/examples/redis-os.yml
+++ b/examples/redis-os.yml
@ -5,7 +5,7 @@ kernel:
  cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
  - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
-  - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+  - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
  - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
 services:
  - name: dhcpcd
--- a/examples/sshd.yml
+++ b/examples/sshd.yml
@ -3,7 +3,7 @@ kernel:
  cmdline: "console=ttyS0 page_poison=1"
 init:
  - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
-  - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+  - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
  - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
  - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
--- a/examples/swap.yml
+++ b/examples/swap.yml
@ -3,8 +3,8 @@ kernel:
  cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
  - linuxkit/init:42fe8cb1508b3afed39eb89821906e3cc7a70551
-  - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
-  - linuxkit/containerd:60e2486a74c665ba4df57e561729aec20758daed
+  - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
+  - linuxkit/containerd:987b62d8411bc92f092e6e6e8d1038c4e06f0a53
  - linuxkit/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
 onboot:
  - name: sysctl
--- a/examples/vmware.yml
+++ b/examples/vmware.yml
@ -3,7 +3,7 @@ kernel:
  cmdline: "console=tty0 page_poison=1"
 init:
  - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
-  - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+  - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
  - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
  - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
--- a/linuxkit.yml
+++ b/linuxkit.yml
@ -3,8 +3,8 @@ kernel:
  cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
  - linuxkit/init:6c9b2dfac4ac446e57ad83e9817db4b5a334301c
-  - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
-  - linuxkit/containerd:60e2486a74c665ba4df57e561729aec20758daed
+  - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
+  - linuxkit/containerd:987b62d8411bc92f092e6e6e8d1038c4e06f0a53
  - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
  - name: sysctl
--- a/pkg/containerd/Dockerfile
+++ b/pkg/containerd/Dockerfile
@ -1,14 +1,15 @@
-FROM golang:1.8-alpine
+FROM linuxkit/alpine:d0cef04aa75159e373fa08a49478ed6bf4adb9b4@sha256:4d8e181db968645b8b3308d2fe725e6f7bb9d9d44a9c3c7782e86c02a6d9e0f1 as alpine
 RUN \
-  apk update && apk upgrade -a && \
-  apk add --no-cache \
+  apk add \
  btrfs-progs-dev \
  gcc \
  git \
+  go \
  libc-dev \
  linux-headers \
  make \
  && true
+ENV GOPATH=/root/go
 ENV CONTAINERD_COMMIT=25a161bf5d4483bd0bea9e38b0e8fe3ecb17b53e
 RUN mkdir -p $GOPATH/src/github.com/containerd && \
  cd $GOPATH/src/github.com/containerd && \
@ -19,5 +20,9 @@ RUN make binaries GO_GCFLAGS="-buildmode pie --ldflags '-extldflags \"-fno-PIC -
 RUN cp bin/containerd bin/ctr bin/containerd-shim bin/dist /usr/bin/
 WORKDIR /
 COPY . .
-RUN printf "FROM scratch\nCOPY /usr/bin/* /usr/bin/\nCOPY /etc/containerd/config.toml /etc/containerd/\n" > Dockerfile
-CMD ["tar", "cf", "-", "Dockerfile", "usr/bin/containerd", "usr/bin/ctr", "usr/bin/containerd-shim", "etc/containerd/config.toml"]
+
+FROM scratch
+ENTRYPOINT []
+WORKDIR /
+COPY --from=alpine /usr/bin/containerd /usr/bin/ctr /usr/bin/containerd-shim /usr/bin/
+COPY --from=alpine /etc/containerd/config.toml /etc/containerd/
--- a/pkg/containerd/Makefile
+++ b/pkg/containerd/Makefile
@ -1,33 +1,13 @@
-SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
-
 .PHONY: tag push

-BASE=golang:1.8-alpine
 IMAGE=containerd

+HASH?=$(shell git ls-tree HEAD -- ../$(notdir $(CURDIR)) | awk '{print $$3}')
+
 default: push

-hash: Dockerfile etc/containerd/config.toml
-	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
-	tar cf - $^ | docker build --no-cache -t $(IMAGE):build0 -
-	docker run --rm $(IMAGE):build0 | docker build --no-cache -t $(IMAGE):build -
-	docker rmi $(IMAGE):build0
-	find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > $@
+tag: Dockerfile
+	docker build -t linuxkit/$(IMAGE):$(HASH) .

-push: hash
-	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-		(docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash) && \
-		 docker push linuxkit/$(IMAGE):$(shell cat hash))
-	docker rmi $(IMAGE):build
-	rm -f hash
-
-tag: hash
-	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-		docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)
-	docker rmi $(IMAGE):build
-	rm -f hash
-
-clean:
-	rm -f hash
-
-.DELETE_ON_ERROR:
+push: tag
+	docker pull linuxkit/$(IMAGE):$(HASH) || docker push linuxkit/$(IMAGE):$(HASH)
--- a/pkg/runc/Dockerfile
+++ b/pkg/runc/Dockerfile
@ -1,15 +1,16 @@
-FROM golang:1.7-alpine3.5
+FROM linuxkit/alpine:d0cef04aa75159e373fa08a49478ed6bf4adb9b4@sha256:4d8e181db968645b8b3308d2fe725e6f7bb9d9d44a9c3c7782e86c02a6d9e0f1 as alpine
 RUN \
-  apk update && apk upgrade -a && \
-  apk add --no-cache \
+  apk add \
  bash \
  gcc \
  git \
+  go \
  libc-dev \
  libseccomp-dev \
  linux-headers \
  make \
  && true
+ENV GOPATH=/root/go
 ENV RUNC_COMMIT=ac50e77bbb440dcab354a328c79754e2502b79ca
 RUN mkdir -p $GOPATH/src/github.com/opencontainers && \
  cd $GOPATH/src/github.com/opencontainers && \
@ -19,6 +20,8 @@ RUN git checkout $RUNC_COMMIT
 # TODO static pie, currently no easy way to change build options
 RUN make static BUILDTAGS="seccomp"
 RUN cp runc /usr/bin/
+
+FROM scratch
+ENTRYPOINT []
 WORKDIR /
-RUN printf "FROM scratch\nCOPY /usr/bin/runc /usr/bin/\n" > Dockerfile
-CMD ["tar", "cf", "-", "Dockerfile", "usr/bin/runc"]
+COPY --from=alpine /usr/bin/runc /usr/bin/
--- a/pkg/runc/Makefile
+++ b/pkg/runc/Makefile
@ -1,33 +1,13 @@
-SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
-
 .PHONY: tag push

-BASE=golang:1.7-alpine3.5
 IMAGE=runc

+HASH?=$(shell git ls-tree HEAD -- ../$(notdir $(CURDIR)) | awk '{print $$3}')
+
 default: push

-hash: Dockerfile
-	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
-	tar cf - $^ | docker build --no-cache -t $(IMAGE):build0 -
-	docker run --rm $(IMAGE):build0 | docker build --no-cache -t $(IMAGE):build -
-	docker rmi $(IMAGE):build0
-	find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > $@
+tag: Dockerfile
+	docker build -t linuxkit/$(IMAGE):$(HASH) .

-push: hash
-	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-		(docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash) && \
-		 docker push linuxkit/$(IMAGE):$(shell cat hash))
-	docker rmi $(IMAGE):build
-	rm -f hash
-
-tag: hash
-	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-		docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)
-	docker rmi $(IMAGE):build
-	rm -f hash
-
-clean:
-	rm -f hash
-
-.DELETE_ON_ERROR:
+push: tag
+	docker pull linuxkit/$(IMAGE):$(HASH) || docker push linuxkit/$(IMAGE):$(HASH)
--- a/projects/etcd/etcd.yml
+++ b/projects/etcd/etcd.yml
@ -3,7 +3,7 @@ kernel:
  cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
  - linuxkit/init:6c9b2dfac4ac446e57ad83e9817db4b5a334301c
-  - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+  - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
  - linuxkit/containerd:fe1b7f438a234cb6481c6538295115eac2a0596d
  - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
--- a/projects/kubernetes/kube-master.yml
+++ b/projects/kubernetes/kube-master.yml
@ -3,7 +3,7 @@ kernel:
  cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
  - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
-  - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+  - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
  - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
  - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
--- a/projects/kubernetes/kube-node.yml
+++ b/projects/kubernetes/kube-node.yml
@ -3,7 +3,7 @@ kernel:
  cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
  - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
-  - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+  - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
  - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
  - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
--- a/projects/okernel/examples/okernel_simple.yaml
+++ b/projects/okernel/examples/okernel_simple.yaml
@ -3,7 +3,7 @@ kernel:
  cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
  - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
-  - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+  - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
  - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
  - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
--- a/test/cases/test-docker-bench.yml
+++ b/test/cases/test-docker-bench.yml
@ -3,7 +3,7 @@ kernel:
  cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
  - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
-  - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+  - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
  - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
  - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
--- a/test/cases/test-kernel-config.yml
+++ b/test/cases/test-kernel-config.yml
@ -3,7 +3,7 @@ kernel:
  cmdline: "console=ttyS0"
 init:
  - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
-  - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+  - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
  - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
  - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
--- a/test/cases/test-ltp.yml
+++ b/test/cases/test-ltp.yml
@ -3,7 +3,7 @@ kernel:
  cmdline: "console=ttyS0"
 init:
  - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
-  - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+  - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
  - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
  - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
--- a/test/cases/test-virtsock-server.yml
+++ b/test/cases/test-virtsock-server.yml
@ -7,7 +7,7 @@ kernel:
  cmdline: "console=ttyS0 page_poison=1"
 init:
  - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
-  - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+  - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
  - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
  - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
 onboot:
--- a/test/kmod/kmod.yml
+++ b/test/kmod/kmod.yml
@ -3,7 +3,7 @@ kernel:
  cmdline: "console=ttyS0"
 init:
  - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
-  - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+  - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
  - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
 onboot:
  - name: check