Add a base Alpine package that includes a package mirror

This means that we limit to one place where we use network access in building, and in future all other package builds can be deterministic. Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2025-07-19 09:16:29 +00:00 · 2017-05-03 14:56:53 +01:00 · 2017-05-03 14:56:53 +01:00 · edfac0e8fb
commit edfac0e8fb
parent 6c2974d49d
4 changed files with 295 additions and 0 deletions
--- a/tools/alpine/Dockerfile
+++ b/tools/alpine/Dockerfile
@ -0,0 +1,39 @@
+FROM alpine:edge AS mirror
+
+# update base image
+RUN apk update && apk upgrade -a
+
+COPY packages /tmp/
+
+# get full set of dependent packages by installing
+RUN cat /tmp/packages | xargs apk add --no-cache
+RUN apk info -v | sed 's/$/.apk/g' > /tmp/exact-packages
+
+# install rsync, abuild for mirroring, gcc dep for abuild-keygen
+RUN apk add --no-cache rsync abuild gcc
+
+# mirror packages
+RUN mkdir -p /mirror/$(uname -m) && \
+  rsync --files-from=/tmp/exact-packages rsync://rsync.alpinelinux.org/alpine/edge/main/$(uname -m)/ /mirror/$(uname -m)/
+
+# install a new key into /etc/apk/keys
+RUN abuild-keygen -a -i -n
+
+# index the new repo
+RUN apk index -o /mirror/$(uname -m)/APKINDEX.unsigned.tar.gz /mirror/$(uname -m)/*.apk
+
+# sign the index
+RUN cp /mirror/$(uname -m)/APKINDEX.unsigned.tar.gz /mirror/$(uname -m)/APKINDEX.tar.gz
+RUN abuild-sign /mirror/$(uname -m)/APKINDEX.tar.gz
+
+# set this as our repo
+RUN echo "/mirror" > /etc/apk/repositories && apk update
+
+FROM alpine:edge
+
+# update base image
+RUN apk update && apk upgrade -a
+
+COPY --from=mirror /etc/apk/repositories /etc/apk/repositories
+COPY --from=mirror /etc/apk/keys /etc/apk/keys/
+COPY --from=mirror /mirror /mirror/
--- a/tools/alpine/Makefile
+++ b/tools/alpine/Makefile
@ -0,0 +1,34 @@
+.PHONY: tag push
+
+BASE=alpine:edge
+IMAGE=alpine
+
+default: push
+
+define NEWLINE
+
+endef
+
+hash: Dockerfile packages
+	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
+	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
+	docker run --rm $(IMAGE):build sh -c 'find /mirror -name '*.apk' -type f | xargs cat | cat /lib/apk/db/installed - | sha1sum' | sed 's/ .*//' > $@
+
+push: hash
+	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
+		(docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash) && \
+		 docker push linuxkit/$(IMAGE):$(shell cat hash))
+	docker run --rm $(IMAGE):build find /mirror -name '*.apk' -exec basename '{}' .apk \; | sort | (echo '# automatically generated list of installed packages'; cat -) > versions
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+tag: hash
+	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
+		docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+clean:
+	rm -f hash
+
+.DELETE_ON_ERROR:
--- a/tools/alpine/packages
+++ b/tools/alpine/packages
@ -0,0 +1,58 @@
+argp-standalone
+automake
+bash
+bc
+binutils
+binutils-dev
+bison
+bsd-compat-headers
+btrfs-progs
+btrfs-progs-dev
+build-base
+ca-certificates
+cdrkit
+cmake
+curl
+dhcpcd
+dosfstools
+e2fsprogs
+e2fsprogs-extra
+flex
+gcc
+git
+gmp-dev
+gummiboot
+installkernel
+iptables
+jq
+kmod
+libarchive-tools
+libc-dev
+libelf-dev
+libseccomp-dev
+linux-headers
+make
+mtools
+musl-dev
+ncurses-dev
+openntpd
+openrc
+openssh-server
+patch
+qemu-aarch64
+qemu-arm
+qemu-img
+qemu-ppc64le
+qemu-system-arm
+qemu-system-x86_64
+sed
+sfdisk
+squashfs-tools
+syslinux
+tar
+util-linux
+util-linux-dev
+vim
+xfsprogs
+xorriso
+xz
--- a/tools/alpine/versions
+++ b/tools/alpine/versions
@ -0,0 +1,164 @@
+# automatically generated list of installed packages
+alpine-baselayout-3.0.4-r0
+alpine-keys-2.1-r1
+alsa-lib-1.1.3-r0
+apk-tools-2.7.1-r0
+argp-standalone-1.3-r2
+automake-1.15-r0
+bash-4.3.48-r1
+bc-1.06.95-r2
+binutils-2.28-r1
+binutils-dev-2.28-r1
+binutils-libs-2.28-r1
+bison-3.0.4-r0
+blkid-2.28.2-r1
+bsd-compat-headers-0.7.1-r0
+btrfs-progs-4.10.2-r0
+btrfs-progs-dev-4.10.2-r0
+btrfs-progs-libs-4.10.2-r0
+build-base-0.5-r0
+busybox-1.26.2-r2
+bzip2-1.0.6-r5
+ca-certificates-20161130-r2
+cdrkit-1.1.11-r2
+celt051-0.5.1.3-r0
+cmake-3.8.0-r0
+cryptsetup-libs-1.7.5-r0
+curl-7.54.0-r0
+db-5.3.28-r0
+device-mapper-libs-2.02.168-r3
+dhcpcd-6.11.5-r1
+dosfstools-4.1-r1
+e2fsprogs-1.43.4-r0
+e2fsprogs-extra-1.43.4-r0
+e2fsprogs-libs-1.43.4-r0
+expat-2.2.0-r0
+file-5.30-r0
+findmnt-2.28.2-r1
+flex-2.6.3-r1
+fortify-headers-0.8-r0
+g++-6.3.0-r4
+gcc-6.3.0-r4
+git-2.12.2-r1
+glib-2.52.1-r0
+gmp-6.1.2-r0
+gmp-dev-6.1.2-r0
+gnutls-3.5.10-r0
+gummiboot-48.1-r0
+installkernel-3.5-r0
+iptables-1.6.1-r0
+isl-0.17.1-r0
+jq-1.5-r3
+jsoncpp-1.8.0-r0
+kmod-23-r1
+lddtree-1.26-r0
+libacl-2.2.52-r3
+libaio-0.3.110-r0
+libarchive-3.3.1-r1
+libarchive-tools-3.3.1-r1
+libatomic-6.3.0-r4
+libattr-2.4.47-r6
+libblkid-2.28.2-r1
+libburn-1.4.6-r0
+libbz2-1.0.6-r5
+libc-dev-0.7.1-r0
+libc-utils-0.7.1-r0
+libcap-2.25-r1
+libcap-ng-0.7.8-r0
+libcom_err-1.43.4-r0
+libcurl-7.54.0-r0
+libdrm-2.4.80-r0
+libedit-20170329.3.1-r1
+libelf-0.8.13-r2
+libelf-dev-0.8.13-r2
+libepoxy-1.4.1-r0
+libfdisk-2.28.2-r1
+libffi-3.2.1-r3
+libgcc-6.3.0-r4
+libgmpxx-6.1.2-r0
+libgomp-6.3.0-r4
+libintl-0.19.8.1-r1
+libisoburn-1.4.6-r0
+libisofs-1.4.6-r0
+libjpeg-turbo-1.5.1-r0
+libmagic-5.30-r0
+libmnl-1.0.4-r0
+libmount-2.28.2-r1
+libnfs-1.11.0-r0
+libnftnl-libs-1.0.7-r0
+libogg-1.3.2-r1
+libpciaccess-0.13.4-r1
+libpng-1.6.29-r1
+libressl-2.5.3-r1
+libressl2.5-libcrypto-2.5.3-r1
+libressl2.5-libssl-2.5.3-r1
+libressl2.5-libtls-2.5.3-r1
+libsasl-2.1.26-r10
+libseccomp-2.3.2-r0
+libseccomp-dev-2.3.2-r0
+libsmartcols-2.28.2-r1
+libssh2-1.8.0-r1
+libstdc++-6.3.0-r4
+libtasn1-4.10-r0
+libunistring-0.9.7-r0
+libusb-1.0.21-r0
+libuuid-2.28.2-r1
+libuv-1.11.0-r1
+linux-headers-4.4.6-r2
+lua5.2-libs-5.2.4-r2
+lz4-libs-1.7.5-r0
+lzo-2.10-r0
+m4-1.4.18-r0
+make-4.2.1-r0
+mesa-gbm-17.0.3-r1
+mkinitfs-3.0.9-r1
+mpc1-1.0.3-r0
+mpfr3-3.1.5-r0
+mtools-4.0.18-r1
+musl-1.1.16-r8
+musl-dev-1.1.16-r8
+musl-utils-1.1.16-r8
+ncurses-dev-6.0-r7
+ncurses-libs-6.0-r7
+ncurses-terminfo-6.0-r7
+ncurses-terminfo-base-6.0-r7
+nettle-3.3-r0
+oniguruma-6.2.0-r0
+openntpd-6.0_p1-r3
+openrc-0.24.1-r2
+openssh-keygen-7.5_p1-r1
+openssh-server-7.5_p1-r1
+opus-1.1.4-r0
+p11-kit-0.23.2-r1
+patch-2.7.5-r1
+pcre-8.40-r2
+perl-5.24.1-r2
+pixman-0.34.0-r0
+pkgconf-1.3.5-r0
+qemu-2.8.1-r1
+qemu-aarch64-2.8.1-r1
+qemu-arm-2.8.1-r1
+qemu-img-2.8.1-r1
+qemu-ppc64le-2.8.1-r1
+qemu-system-arm-2.8.1-r1
+qemu-system-x86_64-2.8.1-r1
+readline-6.3.008-r5
+scanelf-1.2.2-r0
+sed-4.4-r0
+sfdisk-2.28.2-r1
+snappy-1.1.4-r1
+spice-server-0.13.3-r1
+squashfs-tools-4.3-r3
+syslinux-6.04_pre1-r1
+tar-1.29-r1
+usbredir-0.7-r2
+util-linux-2.28.2-r1
+util-linux-dev-2.28.2-r1
+vde2-libs-2.3.2-r7
+vim-8.0.0595-r0
+wayland-1.13.0-r0
+xfsprogs-4.5.0-r0
+xorriso-1.4.6-r0
+xz-5.2.3-r0
+xz-libs-5.2.3-r0
+zlib-1.2.11-r0