From 0cf452340d0749f392142eb2a8e8242af2893a3d Mon Sep 17 00:00:00 2001
From: Go Kudo
Date: Wed, 10 Jul 2024 13:44:55 +0900
Subject: [PATCH] wip

---
.dockerignore | 5 +++++
.github/workflows/ci.yml | 37 +++++++++++++++++++++++++++++++++++
Dockerfile | 42 ++++++++++++++++++++--------------------
README.md | 19 ++++++++++++++++++
4 files changed, 82 insertions(+), 21 deletions(-)
create mode 100644 .dockerignore
create mode 100644 .github/workflows/ci.yml
create mode 100644 README.md

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..ab8cdec
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,5 @@
+.git
+.github
+*.DS_Store
+LICENSE
+README.md
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..960521e
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,37 @@
+name: CI
+
+on:
+ workflow_dispatch:
+ pull_request_target:
+ push:
+ branches:
+ - main
+
+jobs:
+ ci:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ arch: ["i386", "amd64", "arm64/v8", "arm/v7"]
+ busybox: ["glibc", "musl", "uclibc"]
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Setup QEMU
+ uses: docker/setup-qemu-action@v3
+ with:
+ platforms: arm64,arm
+ - name: Setup buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Build container
+ uses: docker/build-push-action@v6
+ with:
+ build-args: ARCH=${{ matrix.arch }}
+ context: .
+ file: ./Dockerfile
+ load: true
+ push: false
+ tags: test-${{ matrix.arch }}-${{ matrix.busybox }}
+ - name: Test
+ run: |
+ test "$(docker run --rm -it "test-${{ matrix.arch }}-${{ matrix.busybox }}" -c "php -r 'echo shell_exec(\"whoami\");'")" = "nonroot"
diff --git a/Dockerfile b/Dockerfile
index 43c443f..ac332b9 100644
--- a/Dockerfile
+++ b/Dockerfile
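Review bot: `pull_request_target` together with `actions/checkout@v4` and no `ref:` checks out the base branch, so for pull requests the Dockerfile that gets built is the one already on `main`, not the contributor's change, while the job still runs with a write-scoped token it never uses (`push: false`, no secrets read). Since nothing in this job needs elevated permissions, the trigger should be `pull_request:` with an explicit `permissions: contents: read` on the job, which builds the PR's own changes while keeping them isolated from repository credentials. Separately, `docker run --rm -it` in the Test step requests a TTY that a non-interactive runner does not provide, so the step fails before the `whoami` comparison runs; `docker run --rm -i` (or just `--rm`) is enough here. `matrix.busybox` only appears in the image tag; the Dockerfile's `BUSYBOX` build arg is never set from it, so all three matrix entries build against the same default image, and either `build-args` should pass it through or the axis should be dropped.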
@@ -1,41 +1,41 @@
+ARG _DEB_VERSION="12"
+
 ARG ARCH="arm64/v8"
-ARG PKGS="bash curl php"
-ARG BINS="bash curl php"
-ARG BASE_IMAGE="debian"
-ARG BASE_TAG="12"
+ARG BASE="debian:${_DEB_VERSION}"
+ARG BASE_PKGS="php"
+ARG BASE_BINS="php"
 ARG BASE_PKG_INSTALL_CMD="apt-get update && apt-get install -y"
-ARG TARGET_IMAGE="gcr.io/distroless/base-nossl-debian${BASE_TAG}"
-ARG TARGET_TAG="latest"
+ARG BUSYBOX="busybox:latest"
+
+ARG TARGET="gcr.io/distroless/base-nossl-debian${_DEB_VERSION}:latest"
+
+FROM --platform="linux/${ARCH}" ${BUSYBOX} AS busybox
-FROM --platform="linux/${ARCH}" ${BASE_IMAGE}:${BASE_TAG} AS base
+FROM --platform="linux/${ARCH}" ${BASE} AS base
-ARG PKGS
-ARG BINS
+ARG BASE_PKGS
+ARG BASE_BINS
 ARG BASE_PKG_INSTALL_CMD
 COPY --chmod=755 "dependency_resolve" "/usr/local/bin/dependency_resolve"
-RUN /bin/sh -c "${BASE_PKG_INSTALL_CMD} ${PKGS}" \
+RUN /bin/sh -c "${BASE_PKG_INSTALL_CMD} ${BASE_PKGS}" \
 && /usr/local/bin/dependency_resolve \
 "$(which "ldd")" \
- $(echo "${BINS}" | xargs which) \
- | xargs -I {} sh -c 'mkdir -p /root/rootfs/$(dirname "{}") && cp -apP "{}" "/root/rootfs/{}"' \
-&& for BINARY in ${BINS}; do \
- "${BINARY}" --version >> "/root/rootfs/expect.txt"; \
- done
+ $(echo "${BASE_BINS}" | xargs which) \
+ | xargs -I {} sh -c 'mkdir -p /root/rootfs/$(dirname "{}") && cp -apP "{}" "/root/rootfs/{}"'
-FROM --platform="linux/${ARCH}" busybox:latest as busybox
+FROM --platform="linux/${ARCH}" ${TARGET} AS target
-FROM --platform="linux/${ARCH}" ${TARGET_IMAGE}:${TARGET_TAG} as target
-
-ARG PKGS
-ARG BINS
+ARG BASE_BINS
 COPY --from=base "/root/rootfs" "/"
 COPY --from=busybox "/bin/busybox" "/bin/busybox"
-RUN ["/bin/busybox", "ln", "-s", "/bin/busybox", "/bin/sh"]
+RUN ["/bin/busybox", "--install", "-s"]
+
+USER nonroot
 ENTRYPOINT ["/bin/sh"]
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..330ec02
--- /dev/null
+++ b/README.md
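Review bot: Both images that feed the final layer are pulled by mutable tag — `ARG BUSYBOX="busybox:latest"` and `ARG TARGET="gcr.io/distroless/base-nossl-debian${_DEB_VERSION}:latest"` — so the `/bin/busybox` binary copied into the target and the distroless base itself can change between builds with no change in this repository; pin both with a digest (`busybox:<tag>@sha256:<digest>`, `base-nossl-debian12:latest@sha256:<digest>`, placeholders to be filled from the registry) and refresh them deliberately. `RUN ["/bin/busybox", "--install", "-s"]` replaces the previous single `/bin/sh` symlink with the full applet set linked into the applets' default locations (`/bin`, `/sbin`, `/usr/bin`, `/usr/sbin`), which materially widens what is available inside an otherwise distroless image; if that is the intent, a comment such as `# Install every busybox applet so the image has a usable shell toolset; widens the runtime surface on purpose` next to the line would record it, otherwise the old `ln -s` form keeps the surface minimal. `ARG BASE_BINS` in the target stage is now unused, since the `--version`/`expect.txt` loop that consumed it was removed.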
@@ -0,0 +1,19 @@
+# dependency_resolve - distroless packaging support
+
+Binary packaging support tool for distroless / alpine.
+
+## Usage
+
+```Dockerfile
+FROM debian:12 AS builder
+COPY --chmod=755 "dependency_resolve" "/usr/local/bin/dependency_resolve"
+RUN apt-get update && apt-get install -y "php"
+RUN dependency_resolve "$(which "ldd")" "$(which "php")" | xargs -I {} sh -c 'mkdir -p /root/rootfs/$(dirname "{}") && cp -apP "{}" "/root/rootfs/{}"'
+
+FROM gcr.io/distroless/base-nossl-debian12:latest
+COPY --from=builder "/root/rootfs" "/"
+
+ENTRYPOINT ["/usr/bin/php"]
+```
+
+See `Dockerfile` for more details.