From ab48aafbe7b2752b6b412fa10f25d84e8acf53a3 Mon Sep 17 00:00:00 2001
From: Adrian Cole
Date: Thu, 7 Dec 2023 09:22:04 +0800
Subject: [PATCH] ci: adds comments around docker configuration

Signed-off-by: Adrian Cole
---
 .github/workflows/deploy.yml | 5 +++--
 build-bin/docker/docker_args | 2 +-
 build-bin/docker/docker_build | 7 ++++++-
 build-bin/docker/docker_push | 4 ++++
 4 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index d898236..2058961 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -17,8 +17,9 @@ jobs:
 uses: actions/checkout@v4
 with:
 fetch-depth: 1 # only needed to get the sha label
- # We can't cache Docker without using buildx because GH actions restricts /var/lib/docker
- # That's ok because DOCKER_PARENT_IMAGE is always ghcr.io and local anyway.
+ # Don't attempt to cache Docker. Sensitive information can be stolen
+ # via forks, and login session ends up in ~/.docker. This is ok because
+ # we publish DOCKER_PARENT_IMAGE to ghcr.io, hence local to the runner.
 - name: Deploy
 env:
 # GH_USER=
diff --git a/build-bin/docker/docker_args b/build-bin/docker/docker_args
index 1cd6c97..c396708 100755
--- a/build-bin/docker/docker_args
+++ b/build-bin/docker/docker_args
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright 2020 The OpenZipkin Authors
+# Copyright 2015-2023 The OpenZipkin Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
 # in compliance with the License. You may obtain a copy of the License at
diff --git a/build-bin/docker/docker_build b/build-bin/docker/docker_build
index 9d4184f..33aa598 100755
--- a/build-bin/docker/docker_build
+++ b/build-bin/docker/docker_build
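Review bot: In the deploy.yml hunk, the new comment says sensitive information "can be stolen via forks" without naming the mechanism, so a later maintainer cannot judge when re-adding a cache would be safe. As far as I know the concern is that Actions cache entries can be read by pull-request workflows, including ones opened from forks, while `docker login` leaves its credentials under ~/.docker. I would state that directly, e.g. `# Don't cache Docker state: cache entries are readable by pull_request runs from forks,` followed by `# and docker login leaves credentials in ~/.docker.` The closing clause "hence local to the runner" would also read better as its own sentence saying why no cache is needed. The job's step list starts and ends outside the hunk.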
@@ -19,5 +19,10 @@ docker_tag=${1?full docker_tag is required. Ex openzipkin/zipkin:test} version=${2:-} docker_args=$($(dirname "$0")/docker_args ${version}) +# We don't need build kit, but Docker 20.10 no longer accepts --platform +# without it. It is simpler to always enable it vs require maintainers to use +# alternate OCI tools. See https://github.com/moby/moby/issues/41552 +export DOCKER_BUILDKIT=1 + echo "Building image ${docker_tag}" -DOCKER_BUILDKIT=1 docker build --network=host --pull ${docker_args} --tag ${docker_tag} . +docker build --network=host --pull ${docker_args} --tag ${docker_tag} . diff --git a/build-bin/docker/docker_push b/build-bin/docker/docker_push index adae746..8200e26 100755 --- a/build-bin/docker/docker_push +++ b/build-bin/docker/docker_push @@ -27,6 +27,10 @@ set -ue docker_image=${1?docker_image is required, notably without a tag. Ex openzipkin/zipkin} version=${2:-master} + +# We don't need build kit, but Docker 20.10 no longer accepts --platform +# without it. It is simpler to always enable it vs require maintainers to use +# alternate OCI tools. See https://github.com/moby/moby/issues/41552 export DOCKER_BUILDKIT=1 case ${version} in
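Review bot: In the docker_build hunk, the rewritten `docker build` line keeps `--network=host` with no explanation, although this commit exists to document the Docker configuration; with that flag the build's RUN steps share the runner's network namespace and can reach anything listening on its localhost. A comment above the command such as `# --network=host: <REASON - placeholder, to be filled in by the maintainers>` would record why it is required, or the flag could be dropped if nothing depends on it. On the same line `${docker_tag}` is unquoted; `--tag "${docker_tag}"` avoids word splitting and globbing on a caller-supplied value, while `${docker_args}` presumably relies on splitting and should stay as it is. The script's header and `set` options are outside the hunk.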