package buildpack
import (
"bytes"
"errors"
"fmt"
"os"
"strings"
"github.com/moby/buildkit/frontend/dockerfile/instructions"
"github.com/moby/buildkit/frontend/dockerfile/parser"
"github.com/buildpacks/lifecycle/log"
)
const (
	// DockerfileKindBuild and DockerfileKindRun are the two kinds of Dockerfile
	// this package deals with; presumably the values stored in DockerfileInfo.Kind.
	DockerfileKindBuild = "build"
	DockerfileKindRun   = "run"

	// Human-readable file names used in the error and warning messages below.
	buildDockerfileName = "build.Dockerfile"
	runDockerfileName   = "run.Dockerfile"

	// baseImageArgName is the key the single meta ARG of a build.Dockerfile must
	// declare; baseImageArgRef is the FROM value through which it is consumed.
	baseImageArgName = "base_image"
	baseImageArgRef  = "${base_image}"

	// Validation error messages. The ones containing %s take a Dockerfile name.
	// errArgumentsNotPermitted and errRunOtherInstructionsNotPermitted are not
	// referenced by the code in this file; they are presumably used elsewhere.
	errArgumentsNotPermitted            = "run.Dockerfile should not expect arguments"
	errBuildMissingRequiredARGCommand   = "build.Dockerfile did not start with required ARG command"
	errBuildMissingRequiredFROMCommand  = "build.Dockerfile did not contain required FROM ${base_image} command"
	errMissingRequiredStage             = "%s should have at least one stage"
	errMultiStageNotPermitted           = "%s is not permitted to use multistage build"
	errRunOtherInstructionsNotPermitted = "run.Dockerfile is not permitted to have instructions other than FROM"
	// warnCommandNotRecommended takes (Dockerfile name, upper-cased command name, line number).
	warnCommandNotRecommended = "%s command %s on line %d is not recommended"
)

// recommendedCommands lists the upper-cased instruction names that the
// validators accept silently; any other instruction is reported with
// warnCommandNotRecommended but does not fail validation.
var recommendedCommands = []string{"FROM", "ADD", "ARG", "COPY", "ENV", "LABEL", "RUN", "SHELL", "USER", "WORKDIR"}
// DockerfileInfo describes one Dockerfile contributed by an extension and what
// the lifecycle should do with it.
type DockerfileInfo struct {
	// ExtensionID identifies the extension that provided the Dockerfile.
	ExtensionID string
	// Kind is presumably DockerfileKindBuild or DockerfileKindRun; this file
	// does not read it.
	Kind string
	// Path is the filesystem location of the Dockerfile. ValidateRunDockerfile
	// reads and parses the file at this path.
	Path string
	// WithBase if populated indicates that the Dockerfile switches the image base to the provided value.
	// If WithBase is empty, Extend should be true, otherwise there is nothing for the Dockerfile to do.
	// However if WithBase is populated, Extend may be true or false.
	WithBase string
	// Extend if true indicates that the Dockerfile contains image modifications
	// and if false indicates that the Dockerfile only switches the image base.
	// If Extend is false, WithBase should be non-empty, otherwise there is nothing for the Dockerfile to do.
	// However if Extend is true, WithBase may be empty or non-empty.
	Extend bool
	// Ignore is not consulted by the code in this file; its meaning is set by the caller.
	Ignore bool
}
// ExtendConfig is the TOML document describing how an image is extended.
// It currently carries only the [build] table.
type ExtendConfig struct {
	Build ExtendBuildConfig `toml:"build"`
}
// ExtendBuildConfig is the [build] table of ExtendConfig: an `args` array of
// name/value pairs.
type ExtendBuildConfig struct {
	Args []ExtendArg `toml:"args"`
}
// ExtendArg is one entry of the `args` array: a build argument name and its value.
type ExtendArg struct {
	Name  string `toml:"name"`
	Value string `toml:"value"`
}
// parseDockerfile reads the Dockerfile at the given path and converts it into
// its stages and the meta ARG commands that precede the first FROM.
//
// The first error encountered — reading the file, parsing its syntax tree, or
// turning the tree into instructions — is returned unchanged, with nil slices.
func parseDockerfile(dockerfile string) ([]instructions.Stage, []instructions.ArgCommand, error) {
	contents, err := os.ReadFile(dockerfile)
	if err != nil {
		return nil, nil, err
	}
	parsed, err := parser.Parse(bytes.NewReader(contents))
	if err != nil {
		return nil, nil, err
	}
	stages, metaArgs, err := instructions.Parse(parsed.AST)
	if err != nil {
		return nil, nil, err
	}
	return stages, metaArgs, nil
}
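// ValidateBuildDockerfile checks that the build.Dockerfile at the given path
// has the shape the lifecycle expects: exactly one stage, a single meta ARG
// whose first key is base_image, and a FROM that refers to ${base_image}.
// Instructions outside recommendedCommands are reported through logger as
// warnings; they do not fail validation.
//
// Returns the parse error unchanged, one of this file's err* messages when a
// structural rule is violated, or nil when the Dockerfile is acceptable.
func ValidateBuildDockerfile(dockerfile string, logger log.Logger) error {
	stages, margs, err := parseDockerfile(dockerfile)
	if err != nil {
		return err
	}
	// Only a single stage (one FROM) is permitted.
	if len(stages) > 1 {
		return fmt.Errorf(errMultiStageNotPermitted, buildDockerfileName)
	}
	// Advisory pass: warn about instructions outside the recommended set.
	for _, stage := range stages {
		for _, command := range stage.Commands {
			name := strings.ToUpper(command.Name())
			if isRecommendedCommand(name) {
				continue
			}
			logger.Warnf(warnCommandNotRecommended, buildDockerfileName, name, commandLine(command))
		}
	}
	// The preamble must be exactly one meta ARG whose first key is base_image.
	// The length check on Args is defensive: the parser is expected to reject an
	// ARG with no arguments, but indexing an empty slice here would panic.
	// NOTE(review): only the first key is inspected, so additional keys on the
	// same ARG line are accepted.
	if len(margs) != 1 || len(margs[0].Args) == 0 || margs[0].Args[0].Key != baseImageArgName {
		return errors.New(errBuildMissingRequiredARGCommand)
	}
	// Sanity check before indexing stages[0].
	if len(stages) == 0 {
		return fmt.Errorf(errMissingRequiredStage, buildDockerfileName)
	}
	// The single stage must build on the image the lifecycle supplies.
	if stages[0].BaseName != baseImageArgRef {
		return errors.New(errBuildMissingRequiredFROMCommand)
	}
	return nil
}

// isRecommendedCommand reports whether the upper-cased instruction name is in
// recommendedCommands.
func isRecommendedCommand(upperName string) bool {
	for _, rc := range recommendedCommands {
		if rc == upperName {
			return true
		}
	}
	return false
}

// commandLine returns the starting line of the command's first source range,
// or 0 if the parser attached no location; the guard avoids a panic in the
// warning path.
func commandLine(command instructions.Command) int {
	if loc := command.Location(); len(loc) > 0 {
		return loc[0].Start.Line
	}
	return 0
}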
// ValidateRunDockerfile checks the run.Dockerfile at dInfo.Path and records
// what it does in dInfo: WithBase is set to the FROM value when it is anything
// other than ${base_image}, and Extend is set when the stage carries any
// instruction beyond FROM. Instructions outside recommendedCommands are
// reported through logger as warnings and do not fail validation.
//
// Returns the parse error unchanged, or an err* message when the file has zero
// or more than one stage; dInfo is not modified on error.
//
// NOTE(review): the meta ARG commands returned by parseDockerfile are discarded
// here, so errArgumentsNotPermitted is not enforced by this function.
func ValidateRunDockerfile(dInfo *DockerfileInfo, logger log.Logger) error {
	stages, _, err := parseDockerfile(dInfo.Path)
	if err != nil {
		return err
	}
	// Exactly one stage (one FROM) is required.
	switch n := len(stages); {
	case n > 1:
		return fmt.Errorf(errMultiStageNotPermitted, runDockerfileName)
	case n == 0:
		return fmt.Errorf(errMissingRequiredStage, runDockerfileName)
	}

	isRecommended := func(upperName string) bool {
		for _, rc := range recommendedCommands {
			if rc == upperName {
				return true
			}
		}
		return false
	}

	withBase := ""
	extend := false
	for _, stage := range stages {
		// Any FROM other than ${base_image} switches the image base.
		if base := stage.BaseName; base != baseImageArgRef {
			withBase = base
		}
		// Any instruction after FROM means the Dockerfile modifies the image.
		if len(stage.Commands) > 0 {
			extend = true
		}
		for _, cmd := range stage.Commands {
			upper := strings.ToUpper(cmd.Name())
			if !isRecommended(upper) {
				logger.Warnf(warnCommandNotRecommended, runDockerfileName, upper, cmd.Location()[0].Start.Line)
			}
		}
	}
	dInfo.WithBase = withBase
	dInfo.Extend = extend
	return nil
}