Move base images directory to top level

These are standalone, better to have them at the top. Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2025-11-03 03:21:40 +00:00 · 2017-01-24 18:55:23 +00:00
parent f27c3ff5ed
commit f8e0a3d61c
93 changed files with 0 additions and 0 deletions
--- a/base/riddler/Dockerfile
+++ b/base/riddler/Dockerfile
@@ -0,0 +1,23 @@
+FROM golang:1.7-alpine
+
+RUN \
+  apk update && apk upgrade && \
+  apk add \
+  docker \
+  gcc \
+  git \
+  jq \
+  linux-headers \
+  musl-dev \
+  && true
+
+COPY Dockerfile /
+COPY riddler.sh /usr/bin/
+
+RUN git clone https://github.com/jessfraz/riddler.git /go/src/github.com/jessfraz/riddler
+
+WORKDIR /go/src/github.com/jessfraz/riddler
+RUN git checkout 23befa0b232877b5b502b828e24161d801bd67f6
+RUN go build -o /usr/bin/riddler .
+
+ENTRYPOINT ["/usr/bin/riddler.sh"]
--- a/base/riddler/Makefile
+++ b/base/riddler/Makefile
@@ -0,0 +1,29 @@
+.PHONY: tag push
+
+BASE=golang:1.7-alpine
+IMAGE=riddler
+
+default: push
+
+hash: Dockerfile riddler.sh
+	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
+	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
+	docker run --entrypoint=/bin/sh --rm $(IMAGE):build -c 'cat /Dockerfile /usr/bin/riddler.sh /lib/apk/db/installed | sha1sum' | sed 's/ .*//' > hash
+
+push: hash
+	docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
+		 (docker tag $(IMAGE):build mobylinux/$(IMAGE):latest && \
+		  docker push mobylinux/$(IMAGE):$(shell cat hash))
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+tag: hash
+	docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
+		docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+clean:
+	rm -f hash
+
+.DELETE_ON_ERROR:
--- a/base/riddler/riddler.sh
+++ b/base/riddler/riddler.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -e
+
+# riddler always adds the apparmor options if this is not present
+EXTRA_OPTIONS="--security-opt apparmor=unconfined"
+
+ARGS="$@"
+CONTAINER=$(docker create $EXTRA_OPTIONS $ARGS)
+riddler $CONTAINER > /dev/null
+docker rm $CONTAINER > /dev/null
+
+# unfixed known issues
+# noNewPrivileges is always set by riddler, but that is fine for our use cases
+
+# These fixes should be removed when riddler is fixed
+# process.rlimits, just a constant at present, not useful
+# memory swappiness is too big by default
+# remove user namespaces
+# --read-only sets /dev ro
+# /sysfs ro unless privileged - cannot detect so will do if grant all caps
+# 
+cat config.json | \
+  jq 'del(.process.rlimits)' | \
+  jq 'del (.linux.resources.memory.swappiness)' | \
+  jq 'del(.linux.uidMappings) | del(.linux.gidMappings) | .linux.namespaces = (.linux.namespaces|map(select(.type!="user")))' | \
+  jq 'if .root.readonly==true then .mounts = (.mounts|map(if .destination=="/dev" then .options |= .+ ["ro"] else . end)) else . end' | \
+  jq '.mounts = if .process.capabilities | length != 38 then (.mounts|map(if .destination=="/sys" then .options |= .+ ["ro"] else . end)) else . end'