From daa67d18579024947d69a45e6d028c5adb1c8c23 Mon Sep 17 00:00:00 2001
From: Justin Kromlinger
Date: Mon, 2 Nov 2020 19:30:07 +0100
Subject: [PATCH 1/7] Switch to alpine in verify stage This fixes a circular dependency issue noted in [1]. `curl -s` and removal of `--auto-compress` are needed because of differences in the binaries in alpine. [1] https://github.com/docker-library/official-images/pull/8999#issuecomment-720622797
---
 Dockerfile.template | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/Dockerfile.template b/Dockerfile.template
index ad79c50..f97ec55 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -8,13 +8,14 @@
 # The second stage is for actually configuring the system a little bit.
 # Some templating is done in order to allow us to easily build different configurations and to
 # allow us to automate the releaes process.
-FROM archlinux:latest AS verify
+FROM alpine:3.12 AS verify
 COPY TEMPLATE_ROOTFS_FILE /
+RUN apk update && apk add curl bash
 SHELL ["/bin/bash", "-c"]
-RUN ROOTFS="$(curl -OJL --continue-at - -w "%{filename_effective}" TEMPLATE_ROOTFS_URL)" && \
+RUN ROOTFS="$(curl -sOJL --continue-at - -w "%{filename_effective}" TEMPLATE_ROOTFS_URL)" && \
 sha256sum -c <<< "TEMPLATE_ROOTFS_HASH" && \
 mkdir /rootfs && \
- tar -C /rootfs --extract --auto-compress --file "${ROOTFS}"
+ tar -C /rootfs --extract --file "${ROOTFS}"

 FROM scratch AS root
 COPY --from=verify /rootfs/ /
From 1fe6646735da32ba0aa3954a23dc4cc737b737f9 Mon Sep 17 00:00:00 2001
From: Justin Kromlinger
Date: Mon, 2 Nov 2020 19:37:20 +0100
Subject: [PATCH 2/7] DL3018, DL3018: Pin apk package versions, use --no-cache
---
 Dockerfile.template | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile.template b/Dockerfile.template
index f97ec55..37d4f67 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
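Review bot: Extracting the Arch rootfs on Alpine without `--numeric-owner` can change file ownership in the final image; this applies to the `tar -C /rootfs --extract --file "${ROOTFS}"` line in PATCH 1/7. With only curl and bash installed, `tar` is presumably the BusyBox applet, and an extract as root may resolve the archive's owner and group names against Alpine's `/etc/passwd` and `/etc/group` instead of using the stored ids. Any name present in both with a different id would then land in `/rootfs` with the wrong numeric owner and be copied into the `root` stage that way. Consider `tar -C /rootfs --numeric-owner --extract --file "${ROOTFS}"`. Separately, `curl -s` also suppresses transfer errors; `-sS` keeps the progress meter off but still prints them, which makes a later `sha256sum -c` failure easier to diagnose.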
@@ -10,7 +10,7 @@
 # allow us to automate the releaes process.
 FROM alpine:3.12 AS verify
 COPY TEMPLATE_ROOTFS_FILE /
-RUN apk update && apk add curl bash
+RUN apk update && apk add --no-cache curl=7.73.0-r0 bash=5.0.18-r0
 SHELL ["/bin/bash", "-c"]
 RUN ROOTFS="$(curl -sOJL --continue-at - -w "%{filename_effective}" TEMPLATE_ROOTFS_URL)" && \
 sha256sum -c <<< "TEMPLATE_ROOTFS_HASH" && \
From fdd9e81fc0eac8f073ad2023d1246d8eb1af4785 Mon Sep 17 00:00:00 2001
From: Justin Kromlinger
Date: Mon, 2 Nov 2020 19:44:04 +0100
Subject: [PATCH 3/7] Switch to 3.12 versions for curl and bash
---
 Dockerfile.template | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile.template b/Dockerfile.template
index 37d4f67..22113b4 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -10,7 +10,7 @@
 # allow us to automate the releaes process.
 FROM alpine:3.12 AS verify
 COPY TEMPLATE_ROOTFS_FILE /
-RUN apk update && apk add --no-cache curl=7.73.0-r0 bash=5.0.18-r0
+RUN apk update && apk add --no-cache curl=7.69.1-r1 bash=5.0.17-r0
 SHELL ["/bin/bash", "-c"]
 RUN ROOTFS="$(curl -sOJL --continue-at - -w "%{filename_effective}" TEMPLATE_ROOTFS_URL)" && \
 sha256sum -c <<< "TEMPLATE_ROOTFS_HASH" && \
From 0ad84af7b75714cbfa85a88da4b28fe25befe45c Mon Sep 17 00:00:00 2001
From: Justin Kromlinger
Date: Mon, 2 Nov 2020 20:03:42 +0100
Subject: [PATCH 4/7] Drop alpine version pins, ignore DL3018 https://gitlab.archlinux.org/archlinux/archlinux-docker/-/merge_requests/47#note_6125
---
 .gitlab-ci.yml | 3 ++-
 Dockerfile.template | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index e8935a5..0c242a9 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -13,7 +13,8 @@ lint:
 stage: lint
 image: hadolint/hadolint:latest
 # DL3007: We use the latest tag for multistage build
- script: hadolint --ignore DL3007 --ignore DL3020 Dockerfile.template
+ # DL3018: We don't need alpine version pins
+ script: hadolint --ignore DL3007 --ignore DL3018 --ignore DL3020 Dockerfile.template
 except:
 - releases
 - tags
diff --git a/Dockerfile.template b/Dockerfile.template
index 22113b4..363fb71 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -10,7 +10,7 @@
 # allow us to automate the releaes process.
 FROM alpine:3.12 AS verify
 COPY TEMPLATE_ROOTFS_FILE /
-RUN apk update && apk add --no-cache curl=7.69.1-r1 bash=5.0.17-r0
+RUN apk update && apk add --no-cache curl bash
 SHELL ["/bin/bash", "-c"]
 RUN ROOTFS="$(curl -sOJL --continue-at - -w "%{filename_effective}" TEMPLATE_ROOTFS_URL)" && \
 sha256sum -c <<< "TEMPLATE_ROOTFS_HASH" && \
From 2f647bce7495a438bc8c7c322498ca93675ba5bc Mon Sep 17 00:00:00 2001
From: Justin Kromlinger
Date: Mon, 2 Nov 2020 20:05:46 +0100
Subject: [PATCH 5/7] Drop DL3007 from ignore list since we pin alpine:3.12
---
 .gitlab-ci.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 0c242a9..19ea3ae 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -12,9 +12,8 @@ stages:
 lint:
 stage: lint
 image: hadolint/hadolint:latest
- # DL3007: We use the latest tag for multistage build
 # DL3018: We don't need alpine version pins
- script: hadolint --ignore DL3007 --ignore DL3018 --ignore DL3020 Dockerfile.template
+ script: hadolint --ignore DL3018 --ignore DL3020 Dockerfile.template
 except:
 - releases
 - tags
From 7d5a90c0a0da15318159cd7ffc3ea298597a2de7 Mon Sep 17 00:00:00 2001
From: Justin Kromlinger
Date: Mon, 2 Nov 2020 20:13:19 +0100
Subject: [PATCH 6/7] Drop apk update since we use --no-cache
---
 Dockerfile.template | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile.template b/Dockerfile.template
index 363fb71..1ddf356 100644
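Review bot: `--ignore DL3018` on the `script:` line of PATCH 4/7 switches the pin check off for every `apk add` in Dockerfile.template, including any added later, and the comment `# DL3018: We don't need alpine version pins` does not say why. An inline `# hadolint ignore=DL3018` directly above `RUN apk add --no-cache curl bash` would scope the exception to that one instruction in the verify stage. If the global flag stays, the comment could carry the reason, which from the Dockerfile hunks appears to be something like `# DL3018: verify stage is discarded; only the sha256-checked rootfs is copied into the image`.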
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -10,7 +10,7 @@
 # allow us to automate the releaes process.
 FROM alpine:3.12 AS verify
 COPY TEMPLATE_ROOTFS_FILE /
-RUN apk update && apk add --no-cache curl bash
+RUN apk add --no-cache curl bash
 SHELL ["/bin/bash", "-c"]
 RUN ROOTFS="$(curl -sOJL --continue-at - -w "%{filename_effective}" TEMPLATE_ROOTFS_URL)" && \
 sha256sum -c <<< "TEMPLATE_ROOTFS_HASH" && \
From 9c5a9ccc9577b96b6d3d3234ea20680f4a5ccf9a Mon Sep 17 00:00:00 2001
From: Justin Kromlinger
Date: Mon, 2 Nov 2020 20:14:12 +0100
Subject: [PATCH 7/7] Drop DL3020 ignore since we are using COPY
---
 .gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 19ea3ae..99d870e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -13,7 +13,7 @@ lint:
 stage: lint
 image: hadolint/hadolint:latest
 # DL3018: We don't need alpine version pins
- script: hadolint --ignore DL3018 --ignore DL3020 Dockerfile.template
+ script: hadolint --ignore DL3018 Dockerfile.template
 except:
 - releases
 - tags