pkg: Convert binfmt to use the Alpine base image and git tree hash

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2025-11-04 02:17:42 +00:00 · 2017-05-04 12:05:01 +01:00
parent 6deddf749c
commit aea6d6c54e
2 changed files with 13 additions and 46 deletions
--- a/pkg/binfmt/Dockerfile
+++ b/pkg/binfmt/Dockerfile
@@ -1,13 +1,10 @@
-FROM alpine:edge AS qemu-build
-RUN \
-  apk update && apk upgrade && \
-  apk add \
+FROM linuxkit/alpine:f0169b60fb260d74025496ae6fd93213fecaba8f@sha256:23743c7206ebe8a609442c5ac7084a26ed45ce8f5213960428bca264225849f1 AS qemu
+RUN apk add \
    qemu-aarch64 \
    qemu-arm \
-  qemu-ppc64le \
-  && true
+    qemu-ppc64le

-FROM linuxkit/go-compile:4513068d9a7e919e4ec42e2d7ee879ff5b95b7f5@sha256:bdfadbe3e4ec699ca45b67453662321ec270f2d1a1dbdbf09625776d3ebd68c5 AS binfmt-build
+FROM linuxkit/go-compile:4513068d9a7e919e4ec42e2d7ee879ff5b95b7f5@sha256:bdfadbe3e4ec699ca45b67453662321ec270f2d1a1dbdbf09625776d3ebd68c5 AS build
 COPY main.go main.go
 RUN echo "gofmt..." && test -z $(gofmt -s -l main.go) && \
    echo "go vet..." && test -z $(GOOS=linux go tool vet -printf=false main.go) && \
@@ -17,7 +14,7 @@ RUN go build -o usr/bin/binfmt -buildmode pie -ldflags "-s -w -extldflags -stati
 FROM scratch
 ENTRYPOINT []
 WORKDIR /
-COPY --from=qemu-build usr/bin/qemu-* usr/bin/
-COPY --from=binfmt-build usr/bin/binfmt usr/bin/binfmt
+COPY --from=qemu usr/bin/qemu-* usr/bin/
+COPY --from=build usr/bin/binfmt usr/bin/binfmt
 COPY etc/binfmt.d/00_linuxkit.conf etc/binfmt.d/00_linuxkit.conf
 CMD ["/usr/bin/binfmt", "-dir", "/etc/binfmt.d/", "-mount", "/binfmt_misc"]
--- a/pkg/binfmt/Makefile
+++ b/pkg/binfmt/Makefile
@@ -2,43 +2,13 @@
 default: push

 IMAGE=binfmt
-BASE=alpine:edge
-SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
 DEPS=Dockerfile Makefile main.go $(wildcard etc/binmft.d/*)

-# Note, this isn't quite right as we pull in qemu binaries from
-# alpine:edge and they may vary over time. BUT: We are going to change
-# the hashing stuff soon anyway, so there is little point in faffing
-# about with computing a hash during the build and get it out.
-hash: $(DEPS)
-	find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > hash
+HASH?=$(shell git ls-tree HEAD -- ../$(notdir $(CURDIR)) | awk '{print $$3}')

-tag: hash
-	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-		(DOCKER_CONTENT_TRUST=1 docker pull $(BASE) && \
-		 docker build --no-cache -t $(IMAGE):build . && \
-		 docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash))
+tag: $(DEPS)
+	docker build --no-cache --network=none -t linuxkit/$(IMAGE):$(HASH) .

 push: tag
-	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-		docker push linuxkit/$(IMAGE):$(shell cat hash)
-	rm -f hash
-	docker rmi $(IMAGE):build || true
-
-signed-tag: hash
-	DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-		(DOCKER_CONTENT_TRUST=1 docker pull $(BASE) && \
-		 docker build --no-cache -t $(IMAGE):build . && \
-		 docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash))
-
-sign: signed-tag
-	DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-		DOCKER_CONTENT_TRUST=1 docker push linuxkit/$(IMAGE):$(shell cat hash)
-	rm -f hash
-	docker rmi $(IMAGE):build || true
-
-clean:
-	rm -f hash
-	docker rmi $(IMAGE):build || true
-
-.DELETE_ON_ERROR:
+	DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(HASH) || \
+	DOCKER_CONTENT_TRUST=1 docker push linuxkit/$(IMAGE):$(HASH)