From 713046e158cbf76fa7ebccf51ef3b88e074660ab Mon Sep 17 00:00:00 2001
From: Justin Cormack
Date: Wed, 26 Apr 2017 15:24:26 +0100
Subject: [PATCH] Update ca-certificates to be based on Alpine and use nested build We were using Debian but Alpine more consistent. Use nested build. Currently extract the hash in a nasty way but this can be fixed later when we switch over hashing method.
Signed-off-by: Justin Cormack
---
 examples/docker.yml | 2 +-
 examples/gcp.yml | 2 +-
 examples/packet.yml | 2 +-
 examples/sshd.yml | 2 +-
 examples/vmware.yml | 2 +-
 linuxkit.yml | 2 +-
 pkg/ca-certificates/Dockerfile | 11 ++++++-----
 pkg/ca-certificates/Makefile | 15 +++++++++------
 projects/etcd/etcd.yml | 2 +-
 projects/kubernetes/kube-master.yml | 2 +-
 projects/kubernetes/kube-node.yml | 2 +-
 projects/okernel/examples/okernel_simple.yaml | 2 +-
 test/docker-bench/test-docker-bench.yml | 2 +-
 test/ltp/test-ltp.yml | 2 +-
 test/test.yml | 2 +-
 test/virtsock/test-virtsock-server.yml | 2 +-
 16 files changed, 29 insertions(+), 25 deletions(-)
diff --git a/examples/docker.yml b/examples/docker.yml
index fa584a4dd..fefde6a2d 100644
--- a/examples/docker.yml
+++ b/examples/docker.yml
@@ -5,7 +5,7 @@ init:
 - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
 - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
- - linuxkit/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
+ - linuxkit/ca-certificates:e091a05fbf7c5e16f18b23602febd45dd690ba2f
 onboot:
 - name: sysctl
 image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a"
diff --git a/examples/gcp.yml b/examples/gcp.yml
index 7cf5c2c6c..666a13917 100644
--- a/examples/gcp.yml
+++ b/examples/gcp.yml
@@ -5,7 +5,7 @@ init:
 - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
 - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
- - linuxkit/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
+ - linuxkit/ca-certificates:e091a05fbf7c5e16f18b23602febd45dd690ba2f
 onboot:
 - name: sysctl
 image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a"
diff --git a/examples/packet.yml b/examples/packet.yml
index 88aed2102..ecf6a6db8 100644
--- a/examples/packet.yml
+++ b/examples/packet.yml
@@ -5,7 +5,7 @@ init:
 - linuxkit/init:e10e2efc1b78ef41d196175cbc07e069391f406e
 - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
- - linuxkit/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
+ - linuxkit/ca-certificates:e091a05fbf7c5e16f18b23602febd45dd690ba2f
 onboot:
 - name: sysctl
 image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a"
diff --git a/examples/sshd.yml b/examples/sshd.yml
index 5f6f0a27a..3fad65d10 100644
--- a/examples/sshd.yml
+++ b/examples/sshd.yml
@@ -5,7 +5,7 @@ init:
 - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
 - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
- - linuxkit/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
+ - linuxkit/ca-certificates:e091a05fbf7c5e16f18b23602febd45dd690ba2f
 onboot:
 - name: sysctl
 image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c"
diff --git a/examples/vmware.yml b/examples/vmware.yml
index 3ef706d4e..eadf07913 100644
--- a/examples/vmware.yml
+++ b/examples/vmware.yml
@@ -5,7 +5,7 @@ init:
 - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
 - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
- - linuxkit/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
+ - linuxkit/ca-certificates:e091a05fbf7c5e16f18b23602febd45dd690ba2f
 onboot:
 - name: sysctl
 image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c"
diff --git a/linuxkit.yml b/linuxkit.yml
index 30feb8eb8..9ca92ed03 100644
--- a/linuxkit.yml
+++ b/linuxkit.yml
@@ -5,7 +5,7 @@ init:
 - linuxkit/init:1c8cd75ec89313f4058b069449e9bac966cd96b1
 - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
 - linuxkit/containerd:60e2486a74c665ba4df57e561729aec20758daed
- - linuxkit/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
+ - linuxkit/ca-certificates:e091a05fbf7c5e16f18b23602febd45dd690ba2f
 onboot:
 - name: sysctl
 image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c"
diff --git a/pkg/ca-certificates/Dockerfile b/pkg/ca-certificates/Dockerfile
index cbf55ab87..8fa210d5b 100644
--- a/pkg/ca-certificates/Dockerfile
+++ b/pkg/ca-certificates/Dockerfile
@@ -1,7 +1,8 @@
-FROM debian:testing
+FROM alpine:3.5 as alpine
 
-ENV DEBIAN_FRONTEND=noninteractive
-RUN apt-get update && apt-get -yq upgrade && apt-get install -yq ca-certificates
+RUN apk update && apk upgrade -a && apk add --no-cache ca-certificates
 
-RUN printf "FROM scratch\nCOPY /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/\n" > Dockerfile
-CMD ["tar", "cf", "-", "Dockerfile", "etc/ssl/certs/ca-certificates.crt"]
+FROM scratch
+ENTRYPOINT []
+WORKDIR /
+COPY --from=alpine /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
diff --git a/pkg/ca-certificates/Makefile b/pkg/ca-certificates/Makefile
index cf6345108..3c7b51c56 100644
--- a/pkg/ca-certificates/Makefile
+++ b/pkg/ca-certificates/Makefile
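Review bot: In pkg/ca-certificates/Dockerfile the build stage uses `FROM alpine:3.5 as alpine`, a mutable tag, even though this image exists only to ship the trust-root bundle and the Makefile in the same commit already pins the same base by digest for its hashing helper. Pinning the stage too, `FROM alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8 AS alpine`, would stop the bundle's origin from depending on what the tag resolves to at build time; as far as the Makefile hunk shows, `DOCKER_CONTENT_TRUST=1` is set only on the `docker pull`, not on the `docker build`. `apk upgrade -a` still lets the package set float, which is presumably intended so the content hash tracks bundle updates, but a comment should say so. A one-line comment on why the scratch stage needs `ENTRYPOINT []` and `WORKDIR /` would also help the next reader.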
@@ -1,16 +1,19 @@ .PHONY: tag push -BASE=debian:testing +BASE=alpine:3.5 IMAGE=ca-certificates +SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8 + default: push hash: Dockerfile DOCKER_CONTENT_TRUST=1 docker pull $(BASE) - tar cf - $^ | docker build --no-cache -t $(IMAGE):build0 - - docker run --rm $(IMAGE):build0 | docker build --no-cache -t $(IMAGE):build - - docker run --rm -i $(IMAGE):build0 sh -c "cat /etc/ssl/certs/ca-certificates.crt /etc/debian_version | sha1sum - | sed 's/ .*//'" > $@ - docker rmi $(IMAGE):build0 + tar cf - $^ | docker build --no-cache -t $(IMAGE):build - + CONTAINER=$$(docker create $(IMAGE):build /dev/null); \ + mkdir tmp && docker export $${CONTAINER} | tar xf - -C tmp && \ + cat tmp/etc/ssl/certs/ca-certificates.crt | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > $@ && \ + rm -rf tmp && docker rm $${CONTAINER} push: hash docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
@@ -26,6 +29,6 @@ tag: hash rm -f hash clean: - rm -f hash + rm -f hash tmp .DELETE_ON_ERROR:
diff --git a/projects/etcd/etcd.yml b/projects/etcd/etcd.yml
index 208f0e852..fd7f10001 100644
--- a/projects/etcd/etcd.yml
+++ b/projects/etcd/etcd.yml
@@ -5,7 +5,7 @@ init:
 - linuxkit/init:1c8cd75ec89313f4058b069449e9bac966cd96b1
 - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
 - linuxkit/containerd:fe1b7f438a234cb6481c6538295115eac2a0596d
- - linuxkit/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
+ - linuxkit/ca-certificates:e091a05fbf7c5e16f18b23602febd45dd690ba2f
 onboot:
 - name: sysctl
 image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a"
diff --git a/projects/kubernetes/kube-master.yml b/projects/kubernetes/kube-master.yml
index f68e7ff7d..fe5798504 100644
--- a/projects/kubernetes/kube-master.yml
+++ b/projects/kubernetes/kube-master.yml
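Review bot: In pkg/ca-certificates/Makefile the new `hash` recipe can succeed with a wrong or empty tag, because the exit status of `cat … | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > $@` is that of `sed`. A missing bundle or a failed helper container is therefore masked, `.DELETE_ON_ERROR` never fires, and `push` goes on to tag the image with whatever ended up in `hash`. Guarding the input and the result, `test -s tmp/etc/ssl/certs/ca-certificates.crt && \` before the `cat` line and `test -s $@ && \` after it, would make the recipe fail closed. Separately, the cleanup `rm -rf tmp && docker rm $${CONTAINER}` sits at the end of the `&&` chain, so any earlier failure leaves both `tmp` and the created container behind and the next run stops at `mkdir tmp`; starting with `rm -rf tmp && mkdir tmp` avoids that.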
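Review bot: In the second hunk of pkg/ca-certificates/Makefile, `clean` now runs `rm -f hash tmp`, but `tmp` is the directory the `hash` recipe creates with `mkdir tmp`, and `rm -f` without `-r` will not remove a directory. `make clean` therefore fails exactly when a leftover `tmp` from an interrupted build exists; the line should read `rm -rf hash tmp`.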
@@ -5,7 +5,7 @@ init:
 - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
 - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
- - linuxkit/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
+ - linuxkit/ca-certificates:e091a05fbf7c5e16f18b23602febd45dd690ba2f
 onboot:
 - name: sysctl
 image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a"
diff --git a/projects/kubernetes/kube-node.yml b/projects/kubernetes/kube-node.yml
index 611f813f1..5bf2bcca7 100644
--- a/projects/kubernetes/kube-node.yml
+++ b/projects/kubernetes/kube-node.yml
@@ -5,7 +5,7 @@ init:
 - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
 - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
- - linuxkit/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
+ - linuxkit/ca-certificates:e091a05fbf7c5e16f18b23602febd45dd690ba2f
 onboot:
 - name: sysctl
 image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a"
diff --git a/projects/okernel/examples/okernel_simple.yaml b/projects/okernel/examples/okernel_simple.yaml
index 79599043d..d2f2f2e81 100644
--- a/projects/okernel/examples/okernel_simple.yaml
+++ b/projects/okernel/examples/okernel_simple.yaml
@@ -5,7 +5,7 @@ init:
 - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
 - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
- - linuxkit/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
+ - linuxkit/ca-certificates:e091a05fbf7c5e16f18b23602febd45dd690ba2f
 onboot:
 - name: sysctl
 image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c"
diff --git a/test/docker-bench/test-docker-bench.yml b/test/docker-bench/test-docker-bench.yml
index 19df9a6b7..a8b63ba8f 100644
--- a/test/docker-bench/test-docker-bench.yml
+++ b/test/docker-bench/test-docker-bench.yml
@@ -5,7 +5,7 @@ init:
 - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
 - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
- - linuxkit/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
+ - linuxkit/ca-certificates:e091a05fbf7c5e16f18b23602febd45dd690ba2f
 onboot:
 - name: sysctl
 image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a"
diff --git a/test/ltp/test-ltp.yml b/test/ltp/test-ltp.yml
index 072c0f6e6..cbcbc180e 100644
--- a/test/ltp/test-ltp.yml
+++ b/test/ltp/test-ltp.yml
@@ -5,7 +5,7 @@ init:
 - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
 - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
- - linuxkit/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
+ - linuxkit/ca-certificates:e091a05fbf7c5e16f18b23602febd45dd690ba2f
 onboot:
 - name: ltp
 image: "linuxkit/test-ltp-20170116:81229df2d25065b06f0a3071faaace8d66c87e67"
diff --git a/test/test.yml b/test/test.yml
index dcfa7f755..321036201 100644
--- a/test/test.yml
+++ b/test/test.yml
@@ -5,7 +5,7 @@ init:
 - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
 - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
- - linuxkit/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
+ - linuxkit/ca-certificates:e091a05fbf7c5e16f18b23602febd45dd690ba2f
 onboot:
 - name: dhcpcd
 image: "linuxkit/dhcpcd:48e249ebef6a521eed886b3bce032db69fbb4afa"
diff --git a/test/virtsock/test-virtsock-server.yml b/test/virtsock/test-virtsock-server.yml
index 07ae20d9c..40ff99063 100644
--- a/test/virtsock/test-virtsock-server.yml
+++ b/test/virtsock/test-virtsock-server.yml
@@ -9,7 +9,7 @@ init:
 - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
 - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
 - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
- - linuxkit/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
+ - linuxkit/ca-certificates:e091a05fbf7c5e16f18b23602febd45dd690ba2f
 onboot:
 - name: sysctl
 image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a"