[v13] Update docker images

build.assets/Dockerfile

@@ -1,18 +1,16 @@
-# This Dockerfile makes the "build box": the container used to build official
-# releases of Teleport and its documentation.
+# This Dockerfile makes the "build box" the container used to:
+# * run test and linters in CI
+# * building other Docker images
+#
+# For Teleport releases we're using CentOS 7 box to keep the binaries compatible
+# with older Linux distributions (glibc 2.17+).
 #
 # Check the README to learn how to safely introduce changes to Dockerfiles.
 
-# Use Ubuntu 18.04 as base to get an older glibc version.
-# Using a newer base image will build against a newer glibc, which creates a
-# runtime requirement for the host to have newer glibc too. For example,
-# teleport built on any newer Ubuntu version will not run on Centos 7 because
-# of this.
-
 ## LIBFIDO2 ###################################################################
 
 # Build libfido2 separately for isolation, speed and flexibility.
-FROM buildpack-deps:18.04 AS libfido2
+FROM buildpack-deps:20.04 AS libfido2
 
 RUN apt-get update && \
     apt-get install -y --no-install-recommends cmake && \
@@ -64,7 +62,7 @@ RUN git clone --depth=1 https://github.com/Yubico/libfido2.git -b 1.13.0 && \
 
 ## LIBBPF #####################################################################
 
-FROM buildpack-deps:18.04 AS libbpf
+FROM buildpack-deps:20.04 AS libbpf
 
 # Install required dependencies
 RUN apt-get update -y --fix-missing && \
@@ -96,7 +94,7 @@ RUN mkdir -p /opt && cd /opt &&  \
 # 4. Fast, language-dependent dependencies
 # 5. Multi-stage layer copies
 
-FROM ubuntu:18.04 AS buildbox
+FROM ubuntu:20.04 AS buildbox
 
 COPY locale.gen /etc/locale.gen
 COPY profile /etc/profile
@@ -124,8 +122,8 @@ RUN apt-get -y update && \
         apt-utils \
         build-essential \
         ca-certificates \
-        clang-10 \
-        clang-format-10 \
+        clang \
+        clang-format \
         curl \
         default-jre \
         `if [ "$BUILDARCH" = "amd64" ] ; then echo gcc-multilib; fi`  \
@@ -137,7 +135,7 @@ RUN apt-get -y update && \
         libpam-dev \
         libsqlite3-0 \
         libssl-dev \
-        llvm-10 \
+        llvm \
         locales \
         mingw-w64 \
         mingw-w64-x86-64-dev \

build.assets/Dockerfile-connect

@@ -0,0 +1,46 @@
+# This Dockerfile makes the "build box connect" the container used
+# to build the Teleport Connect.
+#
+# This image is base on the node image, which is based on Debian Buster.
+# Using it as a image allows us to link agains the same version of
+# glibc as Node.js.
+#
+# Check the README to learn how to safely introduce changes to Dockerfiles.
+
+## BUILDBOX-CONNECT ###################################################################
+
+# Pin the tag to Debian Buster to make sure the Glibc compatibility.
+ARG NODE_VERSION
+FROM node:${NODE_VERSION}-buster AS buildbox
+
+COPY locale.gen /etc/locale.gen
+COPY profile /etc/profile
+ENV LANGUAGE="en_US.UTF-8" \
+    LANG="en_US.UTF-8" \
+    LC_ALL="en_US.UTF-8" \
+    LC_CTYPE="en_US.UTF-8" \
+    DEBIAN_FRONTEND="noninteractive"
+
+# Install packages.
+RUN apt-get -y update && \
+    apt-get install -q -y --no-install-recommends \
+        build-essential \
+        ca-certificates \
+        git \
+        libc6-dev \
+        libssl-dev \
+        locales \
+        openssh-client \
+        pkg-config \
+        python3-pip \
+        python3-setuptools \
+        python3-wheel \
+        # Used during tag builds to build the RPM package of Connect.
+        rpm \
+        && \
+    dpkg-reconfigure locales && \
+    apt-get -y clean && \
+    rm -rf /var/lib/apt/lists/*
+
+# Do not create the ci user as we do on other images, as node image
+# already has node user with UID:GID 1000:1000 user.

build.assets/Makefile

@@ -233,12 +233,24 @@ ifeq ($(CONNECT_VERSION),)
 CONNECT_VERSION := $(BUILDBOX_VERSION)-dev
 endif
 
+#
+# Builds a Docker buildbox for Linux Connect builds
+#
+.PHONY:buildbox-connect
+buildbox-connect:
+	if [[ $${DRONE} == "true" ]] && ! docker inspect --type=image $(BUILDBOX_CONNECT) 2>&1 >/dev/null; then docker pull $(BUILDBOX_CONNECT) || true; fi; \
+	DOCKER_BUILDKIT=1 docker build \
+		--build-arg NODE_VERSION=$(NODE_VERSION) \
+		--cache-from $(BUILDBOX_CONNECT) \
+		--tag $(BUILDBOX_CONNECT) -f Dockerfile-connect . ;
+
 #
 # Builds Teleport Connect inside the buildbox container.
 #
 .PHONY:teleterm
-teleterm: buildbox
-	docker run $(DOCKERFLAGS) $(NOROOT) $(BUILDBOX) \
+teleterm: buildbox-connect
+	# Always run this image as user 1000, as the Node base image assumes that.
+	docker run $(DOCKERFLAGS) -u 1000:1000 $(BUILDBOX_CONNECT) \
 		bash -c "cd $(SRCDIR) && export CONNECT_TSH_BIN_PATH=\$$PWD/../teleport/build/tsh && yarn install --frozen-lockfile && yarn build-term && yarn package-term -c.extraMetadata.version=$(CONNECT_VERSION)"
 
 # Builds webassets inside Docker.

build.assets/images.mk

@@ -12,6 +12,7 @@ BUILDBOX_CENTOS7_FIPS=$(BUILDBOX_BASE_NAME)-centos7-fips:$(BUILDBOX_VERSION)
 BUILDBOX_ARM=$(BUILDBOX_BASE_NAME)-arm:$(BUILDBOX_VERSION)
 BUILDBOX_ARM_FIPS=$(BUILDBOX_BASE_NAME)-arm-fips:$(BUILDBOX_VERSION)
 BUILDBOX_UI=$(BUILDBOX_BASE_NAME)-ui:$(BUILDBOX_VERSION)
+BUILDBOX_CONNECT=$(BUILDBOX_BASE_NAME)-connect:$(BUILDBOX_VERSION)
 BUILDBOX_CENTOS7_ASSETS=$(BUILDBOX_BASE_NAME)-centos7-assets:$(BUILDBOX_VERSION)
 
 .PHONY:show-buildbox-base-image