Split out init to have standalone runc, containerd

Also add ca-certificates to base, needed to use `dist` to pull.

Make two stage builds for `containerd` and `runc` so they have a
from `scratch` second stage.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>

pkg/ca-certificates/Dockerfile

@@ -0,0 +1,7 @@
+FROM debian:testing
+
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get -yq upgrade && apt-get install -yq ca-certificates
+
+RUN printf "FROM scratch\nCOPY /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/\n" > Dockerfile
+CMD ["tar", "cf", "-", "Dockerfile", "etc/ssl/certs/ca-certificates.crt"]

pkg/ca-certificates/Makefile

@@ -0,0 +1,31 @@
+.PHONY: tag push
+
+BASE=debian:testing
+IMAGE=ca-certificates
+
+default: push
+
+hash: Dockerfile
+	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
+	tar cf - $^ | docker build --no-cache -t $(IMAGE):build0 -
+	docker run --rm $(IMAGE):build0 | docker build --no-cache -t $(IMAGE):build -
+	docker run --rm -i $(IMAGE):build0 sh -c "cat /etc/ssl/certs/ca-certificates.crt /etc/debian_version | sha1sum - | sed 's/ .*//'" > $@
+	docker rmi $(IMAGE):build0
+
+push: hash
+	docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
+		(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
+		 docker push mobylinux/$(IMAGE):$(shell cat hash))
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+tag: hash
+	docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
+		docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+clean:
+	rm -f hash
+
+.DELETE_ON_ERROR:

pkg/containerd/Dockerfile

@@ -0,0 +1,22 @@
+FROM golang:1.7-alpine3.5
+RUN \
+  apk update && apk upgrade -a && \
+  apk add --no-cache \
+  btrfs-progs-dev \
+  gcc \
+  git \
+  libc-dev \
+  linux-headers \
+  make \
+  && true
+ENV CONTAINERD_COMMIT=e5c8c5634a1fa82da41c1b707f8a9889bcfca248
+RUN mkdir -p $GOPATH/src/github.com/containerd && \
+  cd $GOPATH/src/github.com/containerd && \
+  git clone https://github.com/containerd/containerd.git
+WORKDIR $GOPATH/src/github.com/containerd/containerd
+RUN git checkout $CONTAINERD_COMMIT
+RUN make binaries GO_GCFLAGS="-buildmode pie --ldflags '-extldflags \"-fno-PIC -static\"'"
+RUN cp bin/containerd bin/ctr bin/containerd-shim bin/dist /usr/bin/
+WORKDIR /
+RUN printf "FROM scratch\nCOPY /usr/bin/* /usr/bin/\n" > Dockerfile
+CMD ["tar", "cf", "-", "Dockerfile", "usr/bin/containerd", "usr/bin/ctr", "usr/bin/containerd-shim", "usr/bin/dist"]

pkg/containerd/Makefile

@@ -0,0 +1,33 @@
+SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
+
+.PHONY: tag push
+
+BASE=golang:1.7-alpine3.5
+IMAGE=containerd
+
+default: push
+
+hash: Dockerfile
+	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
+	tar cf - $^ | docker build --no-cache -t $(IMAGE):build0 -
+	docker run --rm $(IMAGE):build0 | docker build --no-cache -t $(IMAGE):build -
+	docker rmi $(IMAGE):build0
+	find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > $@
+
+push: hash
+	docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
+		(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
+		 docker push mobylinux/$(IMAGE):$(shell cat hash))
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+tag: hash
+	docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
+		docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+clean:
+	rm -f hash
+
+.DELETE_ON_ERROR:

pkg/init/Makefile

@@ -1,22 +1,8 @@
-CONTAINERD_IMAGE=mobylinux/containerd:a688df6aee1e3700eb8d54dbc81070361df397a2@sha256:59ee3da05fe4dad4fbecff582c86fc30ce75e19a225eeeb07e203c9cc36fe34f
-CONTAINERD_BINARIES=usr/bin/containerd usr/bin/containerd-shim usr/bin/ctr usr/bin/dist
-
-RUNC_IMAGE=mobylinux/runc:f225fb93dc3e6dda1cc9004962893015b29dc2d6@sha256:e75c4b274236bd3ad9f4db0a91a6f2174c8c77009c361ab5dd7a4169406675bc
-RUNC_BINARY=usr/bin/runc
-
 C_COMPILE=mobylinux/c-compile:81a6bd8ff45d769b60a2ee1acdaccda11ab835c8@sha256:eac250997a3b9784d3285a03c0c8311d4ca6fb63dc75164c987411ba93006487
 START_STOP_DAEMON=sbin/start-stop-daemon
 
 default: push
 
-$(RUNC_BINARY): Makefile
-	mkdir -p $(dir $@)
-	docker run --rm --net=none $(RUNC_IMAGE) tar cf - $@ | tar xf -
-
-$(CONTAINERD_BINARIES): Makefile
-	mkdir -p $(dir $@)
-	docker run --rm --net=none $(CONTAINERD_IMAGE) tar cf - $@ | tar xf -
-
 $(START_STOP_DAEMON): start-stop-daemon.c
 	mkdir -p $(dir $@)
 	tar cf - $^ | docker run --rm --net=none --log-driver=none -i $(C_COMPILE) -o $@ | tar xf -
@@ -28,7 +14,7 @@ IMAGE=init
 
 ETC=$(shell find etc -type f)
 
-hash: Dockerfile $(ETC) init $(RUNC_BINARY) $(CONTAINERD_BINARIES) $(START_STOP_DAEMON)
+hash: Dockerfile $(ETC) init $(START_STOP_DAEMON)
 	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
 	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
 	docker run --rm $(IMAGE):build sh -c 'cat $^ /lib/apk/db/installed | sha1sum' | sed 's/ .*//' > $@

pkg/runc/Dockerfile

@@ -0,0 +1,24 @@
+FROM golang:1.7-alpine3.5
+RUN \
+  apk update && apk upgrade -a && \
+  apk add --no-cache \
+  bash \
+  gcc \
+  git \
+  libc-dev \
+  libseccomp-dev \
+  linux-headers \
+  make \
+  && true
+ENV RUNC_COMMIT=ac50e77bbb440dcab354a328c79754e2502b79ca
+RUN mkdir -p $GOPATH/src/github.com/opencontainers && \
+  cd $GOPATH/src/github.com/opencontainers && \
+  git clone https://github.com/opencontainers/runc.git
+WORKDIR $GOPATH/src/github.com/opencontainers/runc
+RUN git checkout $RUNC_COMMIT
+# TODO static pie, currently no easy way to change build options
+RUN make static BUILDTAGS="seccomp"
+RUN cp runc /usr/bin/
+WORKDIR /
+RUN printf "FROM scratch\nCOPY /usr/bin/runc /usr/bin/\n" > Dockerfile
+CMD ["tar", "cf", "-", "Dockerfile", "usr/bin/runc"]

pkg/runc/Makefile

@@ -0,0 +1,33 @@
+SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
+
+.PHONY: tag push
+
+BASE=golang:1.7-alpine3.5
+IMAGE=runc
+
+default: push
+
+hash: Dockerfile
+	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
+	tar cf - $^ | docker build --no-cache -t $(IMAGE):build0 -
+	docker run --rm $(IMAGE):build0 | docker build --no-cache -t $(IMAGE):build -
+	docker rmi $(IMAGE):build0
+	find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > $@
+
+push: hash
+	docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
+		(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
+		 docker push mobylinux/$(IMAGE):$(shell cat hash))
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+tag: hash
+	docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
+		docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+clean:
+	rm -f hash
+
+.DELETE_ON_ERROR: