From 5bede30c5807eeaa0192c5a8e718c8e569fd32e2 Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Fri, 19 Aug 2022 14:09:28 +0200 Subject: [PATCH 01/26] Dockerfile: use TARGETPLATFORM with scopeo for frozen images stage frozen-images stage doesn't use the download-frozen-image-v2.sh anymore so we can effectively use TARGETPLATFORM from global scope. The test util has been updated accordingly. In a follow-up we can remove download-frozen-image-v2.sh script but needs to look first at Dockerfile.e2e which seems not used anymore in our pipeline. Signed-off-by: CrazyMax --- Dockerfile | 47 ++++++++++++++++++------------ testutil/fixtures/load/frozen.go | 49 ++++++++++++++++++-------------- 2 files changed, 57 insertions(+), 39 deletions(-) diff --git a/Dockerfile b/Dockerfile index 9bb4ba4d66781..f4e1b55079c55 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,6 +5,7 @@ ARG SYSTEMD="false" ARG GO_VERSION=1.18.5 ARG DEBIAN_FRONTEND=noninteractive ARG VPNKIT_VERSION=0.5.0 +ARG SKOPEO_VERSION=v1.9.0 ARG BASE_DEBIAN_DISTRO="bullseye" ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}" 
@@ -74,24 +75,34 @@ RUN --mount=type=cache,target=/root/.cache/go-build \ && git checkout -q "$GO_SWAGGER_COMMIT" \ && go build -o /build/swagger github.com/go-swagger/go-swagger/cmd/swagger -FROM debian:${BASE_DEBIAN_DISTRO} AS frozen-images -ARG DEBIAN_FRONTEND -RUN --mount=type=cache,sharing=locked,id=moby-frozen-images-aptlib,target=/var/lib/apt \ - --mount=type=cache,sharing=locked,id=moby-frozen-images-aptcache,target=/var/cache/apt \ - apt-get update && apt-get install -y --no-install-recommends \ - ca-certificates \ - curl \ - jq -# Get useful and necessary Hub images so we can "docker load" locally instead of pulling -COPY contrib/download-frozen-image-v2.sh / +# skopeo is used by frozen-images stage +FROM base AS skopeo +ARG SKOPEO_VERSION +RUN --mount=type=cache,target=/root/.cache/go-build \ + --mount=type=cache,target=/go/pkg/mod \ + GO111MODULE=on CGO_ENABLED=0 GOBIN=/out go install -tags "exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp" "github.com/containers/skopeo/cmd/skopeo@${SKOPEO_VERSION}" \ + && /out/skopeo --version + +# frozen-images gets useful and necessary Hub images so we can "docker load" +# locally instead of pulling. 
See also frozenImages in +# "testutil/environment/protect.go" (which needs to be updated when adding images to this list) +FROM base AS frozen-images +ARG TARGETOS ARG TARGETARCH -RUN /download-frozen-image-v2.sh /build \ - busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \ - busybox:glibc@sha256:1f81263701cddf6402afe9f33fca0266d9fff379e59b1748f33d3072da71ee85 \ - debian:bullseye-slim@sha256:dacf278785a4daa9de07596ec739dbc07131e189942772210709c5c0777e8437 \ - hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 \ - arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1 -# See also frozenImages in "testutil/environment/protect.go" (which needs to be updated when adding images to this list) +ARG TARGETVARIANT +# OS, ARCH, VARIANT are used by skopeo cli +ENV OS=$TARGETOS +ENV ARCH=$TARGETARCH +ENV VARIANT=$TARGETVARIANT +RUN --mount=from=skopeo,source=/out/skopeo,target=/usr/bin/skopeo < Date: Fri, 19 Aug 2022 15:36:06 +0200 Subject: [PATCH 02/26] Dockerfile: handle multi base image for riscv64 and armel support To add support for riscv64 builds we need crossbuild packages for riscv64 but current golang image with debian bullseye does not support it. Ubuntu 22.04 supports riscv64 but unfortunately drops support for armel arch. Therefore we need a multi base image that will be picked up based on the target platform we want to build. Signed-off-by: CrazyMax --- Dockerfile | 54 +++++++++++++++++++++++++++++++++++++++++++------ docker-bake.hcl | 5 ++++- 2 files changed, 52 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index f4e1b55079c55..82c410b4c07e8 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,21 +1,63 @@ # syntax=docker/dockerfile:1 -ARG CROSS="false" -ARG SYSTEMD="false" +# ubuntu base is only used for riscv64 builds +# we also need to keep debian to be able to build for armel +ARG DEBIAN_BASE="debian:bullseye" +ARG UBUNTU_BASE="ubuntu:22.04" + ARG GO_VERSION=1.18.5 + ARG DEBIAN_FRONTEND=noninteractive +ARG APT_MIRROR=deb.debian.org +ARG CROSS="false" +ARG SYSTEMD="false" + ARG VPNKIT_VERSION=0.5.0 ARG SKOPEO_VERSION=v1.9.0 -ARG BASE_DEBIAN_DISTRO="bullseye" -ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}" - -FROM ${GOLANG_IMAGE} AS base +# go base image to retrieve /usr/local/go +FROM golang:${GO_VERSION} AS golang + +# base +FROM ${UBUNTU_BASE} AS base-ubuntu +FROM ${DEBIAN_BASE} AS base-debian +FROM base-debian AS base-windows +FROM base-debian AS base-linux-amd64 +FROM base-debian AS base-linux-armv5 +FROM base-debian AS base-linux-armv6 +FROM base-debian AS base-linux-armv7 +FROM base-debian AS base-linux-arm64 +FROM base-debian AS base-linux-ppc64le +FROM base-ubuntu AS base-linux-riscv64 +FROM base-debian AS base-linux-s390x + +FROM base-linux-${TARGETARCH}${TARGETVARIANT} AS base-linux +FROM base-${TARGETOS} AS base RUN echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache ARG APT_MIRROR RUN sed -ri "s/(httpredir|deb).debian.org/${APT_MIRROR:-deb.debian.org}/g" /etc/apt/sources.list \ && sed -ri "s/(security).debian.org/${APT_MIRROR:-security.debian.org}/g" /etc/apt/sources.list ENV GO111MODULE=off +ARG DEBIAN_FRONTEND +RUN --mount=type=cache,sharing=locked,id=moby-base-aptlib,target=/var/lib/apt \ + --mount=type=cache,sharing=locked,id=moby-base-aptcache,target=/var/cache/apt \ + apt-get update && apt-get install --no-install-recommends -y \ + bash \ + ca-certificates \ + cmake \ + curl \ + file \ + gcc \ + git \ + libc6-dev \ + lld \ + make \ + pkg-config +COPY --from=golang /usr/local/go /usr/local/go +ENV GOROOT="/usr/local/go" +ENV GOPATH="/go" +ENV 
PATH="$GOPATH/bin:/usr/local/go/bin:$PATH" +RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH" FROM base AS criu ARG DEBIAN_FRONTEND diff --git a/docker-bake.hcl b/docker-bake.hcl index e05fbec4cf84d..d28aad29a37ec 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,3 +1,6 @@ +variable "APT_MIRROR" { + default = "deb.debian.org" +} variable "BUNDLES_OUTPUT" { default = "./bundles" } @@ -8,7 +11,7 @@ variable "DOCKER_CROSSPLATFORMS" { target "_common" { args = { BUILDKIT_CONTEXT_KEEP_GIT_DIR = 1 - APT_MIRROR = "cdn-fastly.deb.debian.org" + APT_MIRROR = APT_MIRROR } } From f6cccc7a7187946a3d34253dd6153cf77a687651 Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Sat, 20 Aug 2022 14:25:59 +0200 Subject: [PATCH 03/26] Dockerfile: remove hardcoded platform for vpnkit stage vpnkit stage only supports linux/amd64 and linux/arm64 platforms when building dev image and will crash if we try building against another platform. with this change we can still build the dev image against any platform using dummy scratch base. Signed-off-by: CrazyMax --- Dockerfile | 23 ++++++++++++++--------- hack/make/.integration-daemon-start | 1 - 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/Dockerfile b/Dockerfile index 82c410b4c07e8..144ce250d750d 100644 --- a/Dockerfile +++ b/Dockerfile 
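Review bot: The last line of the new `base` stage, `chmod -R 777 "$GOPATH"`, makes `/go` world-writable while the `ENV PATH` just above it puts `$GOPATH/bin` ahead of the system directories, so any non-root user in the image can add or replace an executable that then resolves first for root. If the goal is only to let other users write the source and module trees, keep `bin` root-only, e.g. `RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 1777 "$GOPATH" && chmod 755 "$GOPATH/bin"`. Whether non-root users need to `go install` into `/go/bin` is not visible from this hunk, so confirm that before tightening.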
@@ -341,13 +341,18 @@ RUN --mount=type=tmpfs,target=/tmp/crun-build \ ./configure --bindir=/build && \ make -j install -FROM --platform=amd64 djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit-amd64 - -FROM --platform=arm64 djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit-arm64 - -FROM scratch AS vpnkit -COPY --from=vpnkit-amd64 /vpnkit /build/vpnkit.x86_64 -COPY --from=vpnkit-arm64 /vpnkit /build/vpnkit.aarch64 +# vpnkit +# TODO: build from source instead +FROM scratch AS vpnkit-windows +FROM scratch AS vpnkit-linux-386 +FROM djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit-linux-amd64 +FROM scratch AS vpnkit-linux-arm +FROM djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit-linux-arm64 +FROM scratch AS vpnkit-linux-ppc64le +FROM scratch AS vpnkit-linux-riscv64 +FROM scratch AS vpnkit-linux-s390x +FROM vpnkit-linux-${TARGETARCH} AS vpnkit-linux +FROM vpnkit-${TARGETOS} AS vpnkit # TODO: Some of this is only really needed for testing, it would be nice to split this up FROM runtime-dev AS dev-systemd-false @@ -420,7 +425,7 @@ COPY --from=shfmt /build/ /usr/local/bin/ COPY --from=runc /build/ /usr/local/bin/ COPY --from=containerd /build/ /usr/local/bin/ COPY --from=rootlesskit /build/ /usr/local/bin/ -COPY --from=vpnkit /build/ /usr/local/bin/ +COPY --from=vpnkit / /usr/local/bin/ COPY --from=crun /build/ /usr/local/bin/ COPY hack/dockerfile/etc/docker/ /etc/docker/ ENV PATH=/usr/local/cli:$PATH @@ -467,7 +472,7 @@ COPY --from=tini /build/ /usr/local/bin/ COPY --from=runc /build/ /usr/local/bin/ COPY --from=containerd /build/ /usr/local/bin/ COPY --from=rootlesskit /build/ /usr/local/bin/ -COPY --from=vpnkit /build/ /usr/local/bin/ +COPY --from=vpnkit / /usr/local/bin/ COPY --from=gowinres /build/ /usr/local/bin/ WORKDIR /go/src/github.com/docker/docker diff --git a/hack/make/.integration-daemon-start b/hack/make/.integration-daemon-start index af1a68796aa7a..766e09f7fb240 100644 --- a/hack/make/.integration-daemon-start +++ b/hack/make/.integration-daemon-start 
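Review bot: `COPY --from=vpnkit / /usr/local/bin/` (the two companion hunks at -420 and -467) now copies the entire root of the `djs55/vpnkit` image into a directory on PATH, where the removed code copied only `/vpnkit`; anything else that image ships, or later starts shipping, lands in the dev image. The scratch fallbacks can stay while the two real stages are narrowed to the binary: pull the image as `FROM djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit-src`, and make `vpnkit-linux-amd64` and `vpnkit-linux-arm64` each `FROM scratch` plus `COPY --from=vpnkit-src /vpnkit /vpnkit`. The image is also referenced by tag only, so adding a digest (`djs55/vpnkit:${VPNKIT_VERSION}@sha256:<digest>`) would make the copied bytes reproducible. The same holds for `tonistiigi/xx:${XX_VERSION}` in PATCH 04, whose root is copied over `/` of `base`, and for the untagged `busybox` in PATCH 06.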
@@ -79,7 +79,6 @@ if [ -n "$DOCKER_ROOTLESS" ]; then echo >&2 '# DOCKER_ROOTLESS requires TEST_SKIP_INTEGRATION_CLI to be set' exit 1 fi - ln -sf "$(command -v vpnkit."$(uname -m)")" /usr/local/bin/vpnkit user="unprivilegeduser" uid=$(id -u $user) # shellcheck disable=SC2174 From cbe9d62e388dbdea6eac156e132c99a9e68c51aa Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Fri, 19 Aug 2022 14:39:50 +0200 Subject: [PATCH 04/26] Dockerfile: add cross compilation helper Signed-off-by: CrazyMax --- Dockerfile | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Dockerfile b/Dockerfile index 144ce250d750d..3d95b0b9abe38 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,6 +5,9 @@ ARG DEBIAN_BASE="debian:bullseye" ARG UBUNTU_BASE="ubuntu:22.04" +# XX_VERSION specifies the version of xx, an helper for cross-compilation. +ARG XX_VERSION=1.1.2 + ARG GO_VERSION=1.18.5 ARG DEBIAN_FRONTEND=noninteractive @@ -15,6 +18,9 @@ ARG SYSTEMD="false" ARG VPNKIT_VERSION=0.5.0 ARG SKOPEO_VERSION=v1.9.0 +# cross compilation helper +FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx + # go base image to retrieve /usr/local/go FROM golang:${GO_VERSION} AS golang @@ -33,6 +39,7 @@ FROM base-debian AS base-linux-s390x FROM base-linux-${TARGETARCH}${TARGETVARIANT} AS base-linux FROM base-${TARGETOS} AS base +COPY --from=xx / / RUN echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache ARG APT_MIRROR RUN sed -ri "s/(httpredir|deb).debian.org/${APT_MIRROR:-deb.debian.org}/g" /etc/apt/sources.list \ From 27831cdee15312da70280ed9e5d6c74c5b13547f Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Fri, 19 Aug 2022 14:47:17 +0200 Subject: [PATCH 05/26] Dockerfile: pin criu version and build from source pin criu for better reproducibility and build from source so we can use it across any platform. Signed-off-by: CrazyMax --- Dockerfile | 36 ++++++++++++++++++++++++++++++------ 1 file changed, 30 insertions(+), 6 deletions(-) 
diff --git a/Dockerfile b/Dockerfile index 3d95b0b9abe38..25afca1c9de27 100644 --- a/Dockerfile +++ b/Dockerfile @@ -17,6 +17,7 @@ ARG SYSTEMD="false" ARG VPNKIT_VERSION=0.5.0 ARG SKOPEO_VERSION=v1.9.0 +ARG CRIU_VERSION=v3.16.1 # cross compilation helper FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx @@ -66,15 +67,38 @@ ENV GOPATH="/go" ENV PATH="$GOPATH/bin:/usr/local/go/bin:$PATH" RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH" +# criu +FROM base AS criu-src +WORKDIR /usr/src/criu +RUN git init . && git remote add origin "https://github.com/checkpoint-restore/criu.git" +ARG CRIU_VERSION +RUN git fetch --depth 1 origin "${CRIU_VERSION}" && git checkout -q FETCH_HEAD + FROM base AS criu +WORKDIR /go/src/github.com/checkpoint-restore/criu ARG DEBIAN_FRONTEND -ADD --chmod=0644 https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_11/Release.key /etc/apt/trusted.gpg.d/criu.gpg.asc RUN --mount=type=cache,sharing=locked,id=moby-criu-aptlib,target=/var/lib/apt \ --mount=type=cache,sharing=locked,id=moby-criu-aptcache,target=/var/cache/apt \ - echo 'deb https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_11/ /' > /etc/apt/sources.list.d/criu.list \ - && apt-get update \ - && apt-get install -y --no-install-recommends criu \ - && install -D /usr/sbin/criu /build/criu + apt-get update && apt-get install -y --no-install-recommends \ + clang \ + gcc \ + libc6-dev \ + libcap-dev \ + libnet1-dev \ + libnl-3-dev \ + libprotobuf-dev \ + libprotobuf-c-dev \ + protobuf-c-compiler \ + protobuf-compiler \ + python3-protobuf +RUN --mount=from=criu-src,src=/usr/src/criu,rw \ + --mount=type=cache,target=/root/.cache < Date: Fri, 19 Aug 2022 15:27:29 +0200 Subject: [PATCH 06/26] Dockerfile: add dummy stage dummy stage allows to bypass build for deps that don't support some platforms Signed-off-by: CrazyMax --- Dockerfile | 6 ++++++ 1 file changed, 6 insertions(+) 
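Review bot: `git fetch --depth 1 origin "${CRIU_VERSION}"` in `criu-src` resolves a tag (`v3.16.1`) at build time and checks out whatever it points to, so the source that gets compiled is only as stable as the upstream tag. Pinning the ARG to the full commit SHA and keeping the tag in a comment, as `ROOTLESSKIT_VERSION` and `GOSWAGGER_VERSION` do later in the series, would make the input verifiable: `ARG CRIU_VERSION=<commit sha of v3.16.1>`. The same tag-based fetch is used for containerd (PATCH 07), runc (PATCH 08), tini (PATCH 09) and docker/cli (PATCH 15). The build script of the `criu` stage is cut off on this page, so this covers the fetch only.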
diff --git a/Dockerfile b/Dockerfile index 25afca1c9de27..f080800bf604a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -22,6 +22,12 @@ ARG CRIU_VERSION=v3.16.1 # cross compilation helper FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx +# dummy stage to make sure the image is built for unsupported deps +FROM --platform=$BUILDPLATFORM busybox AS build-dummy +RUN mkdir -p /out +FROM scratch AS binary-dummy +COPY --from=build-dummy /out /out + # go base image to retrieve /usr/local/go FROM golang:${GO_VERSION} AS golang From e14fc4f82f7d084c56744161e08eb394d072fa13 Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Fri, 19 Aug 2022 16:02:25 +0200 Subject: [PATCH 07/26] Dockerfile: containerd cross containerd build in Dockerfile is limited to host platform and could not be cross-built for other platforms. this change allows to build against any platforms if we want to smoke test in a follow-up but also enhance e2e tests for linux and windows in our pipeline. also introduced DOCKER_LINKMODE to be able to build dynamic or static binaries. Signed-off-by: CrazyMax --- Dockerfile | 59 ++++++++++++++++++++++++++++++++++++++++--------- docker-bake.hcl | 4 ++++ 2 files changed, 53 insertions(+), 10 deletions(-) diff --git a/Dockerfile b/Dockerfile index f080800bf604a..b30bb6f41f536 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,9 +12,12 @@ ARG GO_VERSION=1.18.5 ARG DEBIAN_FRONTEND=noninteractive ARG APT_MIRROR=deb.debian.org +ARG DOCKER_LINKMODE=static ARG CROSS="false" ARG SYSTEMD="false" +ARG CONTAINERD_VERSION=v1.6.7 + ARG VPNKIT_VERSION=0.5.0 ARG SKOPEO_VERSION=v1.9.0 ARG CRIU_VERSION=v3.16.1 
@@ -279,17 +282,53 @@ RUN --mount=type=cache,target=/root/.cache/go-build \ GOBIN=/build/ GO111MODULE=on go install "github.com/tc-hib/go-winres@${GOWINRES_VERSION}" \ && /build/go-winres --help -FROM dev-base AS containerd +# containerd +FROM base AS containerd-src +WORKDIR /usr/src/containerd +RUN git init . && git remote add origin "https://github.com/containerd/containerd.git" +ARG CONTAINERD_VERSION +RUN git fetch --depth 1 origin "${CONTAINERD_VERSION}" && git checkout -q FETCH_HEAD + +FROM base AS containerd-build +WORKDIR /go/src/github.com/containerd/containerd +ENV GO111MODULE=off ARG DEBIAN_FRONTEND +ARG TARGETPLATFORM RUN --mount=type=cache,sharing=locked,id=moby-containerd-aptlib,target=/var/lib/apt \ --mount=type=cache,sharing=locked,id=moby-containerd-aptcache,target=/var/cache/apt \ - apt-get update && apt-get install -y --no-install-recommends \ - libbtrfs-dev -ARG CONTAINERD_VERSION -COPY /hack/dockerfile/install/install.sh /hack/dockerfile/install/containerd.installer / -RUN --mount=type=cache,target=/root/.cache/go-build \ - --mount=type=cache,target=/go/pkg/mod \ - PREFIX=/build /install.sh containerd + xx-apt-get update && xx-apt-get install -y \ + binutils \ + g++ \ + gcc \ + libbtrfs-dev \ + libsecret-1-dev \ + pkg-config \ + && xx-go --wrap +ARG DOCKER_LINKMODE +RUN --mount=from=containerd-src,src=/usr/src/containerd,rw \ + --mount=type=cache,target=/root/.cache < Date: Fri, 19 Aug 2022 16:00:20 +0200 Subject: [PATCH 08/26] Dockerfile: runc cross runc build in Dockerfile is limited to host platform and could not be cross-built for other platforms. this change allows to build against any platforms if we want to smoke test in a follow-up but also enhance e2e tests for linux and windows in our pipeline. Signed-off-by: CrazyMax --- Dockerfile | 48 ++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 40 insertions(+), 8 deletions(-) diff --git a/Dockerfile b/Dockerfile index b30bb6f41f536..0289b25936347 100644 --- a/Dockerfile 
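Review bot: The new `containerd-build` stage installs with `xx-apt-get install -y` and drops the `--no-install-recommends` that the removed `apt-get` line had and that the `base` and `criu` stages still use, so recommended packages are pulled into the build stage as well. Suggest `xx-apt-get update && xx-apt-get install -y --no-install-recommends \`. The same applies to `runc-build` (PATCH 08), `tini-build` (PATCH 09), `rootlesskit-build` (PATCH 10) and `containerutility-build` (PATCH 11). The rest of this stage's build script is cut off on this page.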
+++ b/Dockerfile @@ -17,6 +17,7 @@ ARG CROSS="false" ARG SYSTEMD="false" ARG CONTAINERD_VERSION=v1.6.7 +ARG RUNC_VERSION=v1.1.3 ARG VPNKIT_VERSION=0.5.0 ARG SKOPEO_VERSION=v1.9.0 @@ -359,13 +360,44 @@ RUN --mount=type=cache,target=/root/.cache/go-build \ --mount=type=cache,target=/go/pkg/mod \ PREFIX=/build /install.sh dockercli -FROM runtime-dev AS runc +# runc +FROM base AS runc-src +WORKDIR /usr/src/runc +RUN git init . && git remote add origin "https://github.com/opencontainers/runc.git" ARG RUNC_VERSION -ARG RUNC_BUILDTAGS -COPY /hack/dockerfile/install/install.sh /hack/dockerfile/install/runc.installer / -RUN --mount=type=cache,target=/root/.cache/go-build \ - --mount=type=cache,target=/go/pkg/mod \ - PREFIX=/build /install.sh runc +RUN git fetch --depth 1 origin "${RUNC_VERSION}" && git checkout -q FETCH_HEAD + +FROM base AS runc-build +WORKDIR /go/src/github.com/opencontainers/runc +ARG DEBIAN_FRONTEND +ARG TARGETPLATFORM +RUN --mount=type=cache,sharing=locked,id=moby-runc-aptlib,target=/var/lib/apt \ + --mount=type=cache,sharing=locked,id=moby-runc-aptcache,target=/var/cache/apt \ + xx-apt-get update && xx-apt-get install -y \ + binutils \ + g++ \ + gcc \ + dpkg-dev \ + libseccomp-dev \ + pkg-config \ + && xx-go --wrap +ENV CGO_ENABLED=1 +ARG DOCKER_LINKMODE +# FIXME: should be built using clang but needs https://github.com/opencontainers/runc/pull/3465 +RUN --mount=from=runc-src,src=/usr/src/runc,rw \ + --mount=type=cache,target=/root/.cache < Date: Fri, 19 Aug 2022 16:12:52 +0200 Subject: [PATCH 09/26] Dockerfile: tini cross tini build in Dockerfile is limited to host platform and could not be cross-built for other platforms. this change allows to build against any platforms if we want to smoke test in a follow-up but also enhance e2e tests for linux and windows in our pipeline. Signed-off-by: CrazyMax --- Dockerfile | 59 ++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 42 insertions(+), 17 deletions(-) 
diff --git a/Dockerfile b/Dockerfile index 0289b25936347..62067459743a6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,21 +5,24 @@ ARG DEBIAN_BASE="debian:bullseye" ARG UBUNTU_BASE="ubuntu:22.04" -# XX_VERSION specifies the version of xx, an helper for cross-compilation. -ARG XX_VERSION=1.1.2 - -ARG GO_VERSION=1.18.5 - ARG DEBIAN_FRONTEND=noninteractive ARG APT_MIRROR=deb.debian.org ARG DOCKER_LINKMODE=static ARG CROSS="false" ARG SYSTEMD="false" +## build deps +ARG GO_VERSION=1.18.5 +ARG TINI_VERSION=v0.19.0 + +## extra tools ARG CONTAINERD_VERSION=v1.6.7 ARG RUNC_VERSION=v1.1.3 - ARG VPNKIT_VERSION=0.5.0 + +## dev deps +# XX_VERSION specifies the version of xx, an helper for cross-compilation. +ARG XX_VERSION=1.1.2 ARG SKOPEO_VERSION=v1.9.0 ARG CRIU_VERSION=v3.16.1 
@@ -399,18 +402,40 @@ FROM runc-build AS runc-linux FROM binary-dummy AS runc-windows FROM runc-${TARGETOS} AS runc -FROM dev-base AS tini -ARG DEBIAN_FRONTEND +# tini (docker-init) +FROM base AS tini-src +WORKDIR /usr/src/tini +RUN git init . && git remote add origin "https://github.com/krallin/tini.git" ARG TINI_VERSION +RUN git fetch --depth 1 origin "${TINI_VERSION}" && git checkout -q FETCH_HEAD + +FROM base AS tini-build +ENV GO111MODULE=off +WORKDIR /go/src/github.com/krallin/tini +ARG DEBIAN_FRONTEND +ARG TARGETPLATFORM RUN --mount=type=cache,sharing=locked,id=moby-tini-aptlib,target=/var/lib/apt \ --mount=type=cache,sharing=locked,id=moby-tini-aptcache,target=/var/cache/apt \ - apt-get update && apt-get install -y --no-install-recommends \ - cmake \ - vim-common -COPY /hack/dockerfile/install/install.sh /hack/dockerfile/install/tini.installer / -RUN --mount=type=cache,target=/root/.cache/go-build \ - --mount=type=cache,target=/go/pkg/mod \ - PREFIX=/build /install.sh tini + xx-apt-get update && xx-apt-get install -y \ + gcc \ + libc6-dev +ARG DOCKER_LINKMODE +RUN --mount=from=tini-src,src=/usr/src/tini,rw \ + --mount=type=cache,target=/root/.cache < Date: Fri, 19 Aug 2022 17:07:14 +0200 Subject: [PATCH 10/26] Dockerfile: rootlesskit cross rootlesskit build in Dockerfile is limited to host platform and could not be cross-built for other platforms. this change allows to build against any platforms if we want to smoke test in a follow-up but also enhance e2e tests for linux and windows in our pipeline. Signed-off-by: CrazyMax --- Dockerfile | 55 ++++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 43 insertions(+), 12 deletions(-) diff --git a/Dockerfile b/Dockerfile index 62067459743a6..e70b3808d1ad1 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -18,6 +18,7 @@ ARG TINI_VERSION=v0.19.0 ## extra tools ARG CONTAINERD_VERSION=v1.6.7 ARG RUNC_VERSION=v1.1.3 +ARG ROOTLESSKIT_VERSION=1920341cd41e047834a21007424162a2dc946315 ARG VPNKIT_VERSION=0.5.0 ## dev deps 
@@ -437,17 +438,47 @@ FROM tini-build AS tini-linux FROM binary-dummy AS tini-windows FROM tini-${TARGETOS} AS tini -FROM dev-base AS rootlesskit +# rootlesskit +FROM base AS rootlesskit-src +WORKDIR /usr/src/rootlesskit +RUN git init . && git remote add origin "https://github.com/rootless-containers/rootlesskit.git" ARG ROOTLESSKIT_VERSION -ARG PREFIX=/build -COPY /hack/dockerfile/install/install.sh /hack/dockerfile/install/rootlesskit.installer / -RUN --mount=type=cache,target=/root/.cache/go-build \ - --mount=type=cache,target=/go/pkg/mod \ - /install.sh rootlesskit \ - && "${PREFIX}"/rootlesskit --version \ - && "${PREFIX}"/rootlesskit-docker-proxy --help -COPY ./contrib/dockerd-rootless.sh /build -COPY ./contrib/dockerd-rootless-setuptool.sh /build +RUN git fetch --depth 1 origin "${ROOTLESSKIT_VERSION}" && git checkout -q FETCH_HEAD + +FROM base AS rootlesskit-build +WORKDIR /go/src/github.com/rootless-containers/rootlesskit +ARG DEBIAN_FRONTEND +ARG TARGETPLATFORM +RUN --mount=type=cache,sharing=locked,id=moby-rootlesskit-aptlib,target=/var/lib/apt \ + --mount=type=cache,sharing=locked,id=moby-rootlesskit-aptcache,target=/var/cache/apt \ + xx-apt-get update && xx-apt-get install -y \ + gcc \ + libc6-dev \ + && xx-go --wrap +ARG DOCKER_LINKMODE +ENV GOBIN=/out +ENV GO111MODULE=on +COPY ./contrib/dockerd-rootless.sh /out/ +COPY ./contrib/dockerd-rootless-setuptool.sh /out/ +RUN --mount=from=rootlesskit-src,src=/usr/src/rootlesskit,rw \ + --mount=type=cache,target=/root/.cache < Date: Fri, 19 Aug 2022 17:13:42 +0200 Subject: [PATCH 11/26] Dockerfile: containerutility cross containerutility build in Dockerfile is limited to windows platform atm but enabling cross build for it enhance and reduce footprint in our piepline for linux and windows e2e tests. Signed-off-by: CrazyMax --- Dockerfile | 84 +++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 61 insertions(+), 23 deletions(-) 
diff --git a/Dockerfile b/Dockerfile index e70b3808d1ad1..6a3dbbcea63a0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,6 +20,7 @@ ARG CONTAINERD_VERSION=v1.6.7 ARG RUNC_VERSION=v1.1.3 ARG ROOTLESSKIT_VERSION=1920341cd41e047834a21007424162a2dc946315 ARG VPNKIT_VERSION=0.5.0 +ARG CONTAINERUTILITY_VERSION=aa1ba87e99b68e0113bd27ec26c60b88f9d4ccd9 ## dev deps # XX_VERSION specifies the version of xx, an helper for cross-compilation. @@ -518,6 +519,41 @@ FROM scratch AS vpnkit-linux-s390x FROM vpnkit-linux-${TARGETARCH} AS vpnkit-linux FROM vpnkit-${TARGETOS} AS vpnkit +# containerutility +FROM base AS containerutility-src +WORKDIR /usr/src/containerutility +RUN git init . && git remote add origin "https://github.com/docker-archive/windows-container-utility.git" + +FROM base AS containerutility-build +WORKDIR /usr/src/containerutility +ARG TARGETPLATFORM +RUN --mount=type=cache,sharing=locked,id=moby-containerutility-aptlib,target=/var/lib/apt \ + --mount=type=cache,sharing=locked,id=moby-containerutility-aptcache,target=/var/cache/apt \ + xx-apt-get update && xx-apt-get install -y \ + binutils \ + dpkg-dev \ + g++ \ + gcc \ + pkg-config +ARG CONTAINERUTILITY_VERSION +RUN --mount=from=containerutility-src,src=/usr/src/containerutility,rw \ + --mount=type=cache,target=/root/.cache < Date: Fri, 19 Aug 2022 17:20:30 +0200 Subject: [PATCH 12/26] Dockerfile: verify and better cache for go-swagger stage Signed-off-by: CrazyMax --- Dockerfile | 38 ++++++++++++++++++++++---------------- 1 file changed, 22 insertions(+), 16 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6a3dbbcea63a0..9de06c4315a83 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -25,6 +25,10 @@ ARG CONTAINERUTILITY_VERSION=aa1ba87e99b68e0113bd27ec26c60b88f9d4ccd9 ## dev deps # XX_VERSION specifies the version of xx, an helper for cross-compilation. ARG XX_VERSION=1.1.2 +# GOSWAGGER_VERSION specifies the version of the go-swagger binary to build and +# install. Go-swagger is used in CI for validating swagger.yaml in +# hack/validate/swagger-gen +ARG GOSWAGGER_VERSION=c56166c036004ba7a3a321e5951ba472b9ae298c ARG SKOPEO_VERSION=v1.9.0 ARG CRIU_VERSION=v3.16.1 
@@ -146,22 +150,24 @@ RUN --mount=type=cache,target=/root/.cache/go-build \ ;; \ esac -FROM base AS swagger -WORKDIR $GOPATH/src/github.com/go-swagger/go-swagger - -# GO_SWAGGER_COMMIT specifies the version of the go-swagger binary to build and -# install. Go-swagger is used in CI for validating swagger.yaml in hack/validate/swagger-gen -# -# Currently uses a fork from https://github.com/kolyshkin/go-swagger/tree/golang-1.13-fix, +# go-swagger +FROM base AS swagger-src +WORKDIR /usr/src/swagger +# Currently uses a fork from https://github.com/kolyshkin/go-swagger/tree/golang-1.13-fix # TODO: move to under moby/ or fix upstream go-swagger to work for us. -ENV GO_SWAGGER_COMMIT c56166c036004ba7a3a321e5951ba472b9ae298c -RUN --mount=type=cache,target=/root/.cache/go-build \ - --mount=type=cache,target=/go/pkg/mod \ - --mount=type=tmpfs,target=/go/src/ \ - set -x \ - && git clone https://github.com/kolyshkin/go-swagger.git . \ - && git checkout -q "$GO_SWAGGER_COMMIT" \ - && go build -o /build/swagger github.com/go-swagger/go-swagger/cmd/swagger +RUN git init . && git remote add origin "https://github.com/kolyshkin/go-swagger.git" +ARG GOSWAGGER_VERSION +RUN git fetch --depth 1 origin "${GOSWAGGER_VERSION}" && git checkout -q FETCH_HEAD + +FROM base AS swagger +ENV GO111MODULE=off +WORKDIR /go/src/github.com/go-swagger/go-swagger +RUN --mount=from=swagger-src,src=/usr/src/swagger,rw \ + --mount=type=cache,target=/root/.cache < Date: Fri, 19 Aug 2022 17:32:38 +0200 Subject: [PATCH 13/26] Dockerfile: align deps format and output Signed-off-by: CrazyMax --- Dockerfile | 65 ++++++++++++++++++++++++++++++------------------------ 1 file changed, 36 insertions(+), 29 deletions(-) diff --git a/Dockerfile b/Dockerfile index 9de06c4315a83..63e0e81cdfc44 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,6 +14,7 @@ ARG SYSTEMD="false" ## build deps ARG GO_VERSION=1.18.5 ARG TINI_VERSION=v0.19.0 +ARG GOWINRES_VERSION=v0.2.3 ## extra tools ARG CONTAINERD_VERSION=v1.6.7 
@@ -29,6 +30,13 @@ ARG XX_VERSION=1.1.2 # install. Go-swagger is used in CI for validating swagger.yaml in # hack/validate/swagger-gen ARG GOSWAGGER_VERSION=c56166c036004ba7a3a321e5951ba472b9ae298c +ARG GOLANGCI_LINT_VERSION=v1.46.2 +ARG GOTESTSUM_VERSION=v1.8.1 +ARG SHFMT_VERSION=v3.0.2 +# GOTOML_VERSION specifies the version of the tomll binary. When updating this +# version, consider updating the github.com/pelletier/go-toml dependency in +# vendor.mod accordingly. +ARG GOTOML_VERSION=v1.8.1 ARG SKOPEO_VERSION=v1.9.0 ARG CRIU_VERSION=v3.16.1 
@@ -273,26 +281,22 @@ RUN --mount=type=cache,target=/root/.cache/go-build \ ;; \ esac +# tomll builds and installs from https://github.com/pelletier/go-toml. This +# binary is used in CI in the hack/validate/toml script. FROM base AS tomll -# GOTOML_VERSION specifies the version of the tomll binary to build and install -# from the https://github.com/pelletier/go-toml repository. This binary is used -# in CI in the hack/validate/toml script. -# -# When updating this version, consider updating the github.com/pelletier/go-toml -# dependency in vendor.mod accordingly. -ARG GOTOML_VERSION=v1.8.1 +ARG GOTOML_VERSION RUN --mount=type=cache,target=/root/.cache/go-build \ --mount=type=cache,target=/go/pkg/mod \ - GOBIN=/build/ GO111MODULE=on go install "github.com/pelletier/go-toml/cmd/tomll@${GOTOML_VERSION}" \ - && /build/tomll --help + GO111MODULE=on GOBIN=/out go install "github.com/pelletier/go-toml/cmd/tomll@${GOTOML_VERSION}" \ + && /out/tomll --help +# go-winres FROM base AS gowinres -# GOWINRES_VERSION defines go-winres tool version -ARG GOWINRES_VERSION=v0.2.3 +ARG GOWINRES_VERSION RUN --mount=type=cache,target=/root/.cache/go-build \ --mount=type=cache,target=/go/pkg/mod \ - GOBIN=/build/ GO111MODULE=on go install "github.com/tc-hib/go-winres@${GOWINRES_VERSION}" \ - && /build/go-winres --help + GO111MODULE=on GOBIN=/out go install "github.com/tc-hib/go-winres@${GOWINRES_VERSION}" \ + && /out/go-winres --help # containerd FROM base AS containerd-src 
@@ -342,26 +346,29 @@ FROM containerd-build AS containerd-linux FROM binary-dummy AS containerd-windows FROM containerd-${TARGETOS} AS containerd -FROM base AS golangci_lint -ARG GOLANGCI_LINT_VERSION=v1.46.2 +# golangci-lint +FROM base AS golangci-lint +ARG GOLANGCI_LINT_VERSION RUN --mount=type=cache,target=/root/.cache/go-build \ --mount=type=cache,target=/go/pkg/mod \ - GOBIN=/build/ GO111MODULE=on go install "github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}" \ - && /build/golangci-lint --version + GO111MODULE=on GOBIN=/out go install "github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}" \ + && /out/golangci-lint --version +# gotestsum FROM base AS gotestsum -ARG GOTESTSUM_VERSION=v1.8.1 +ARG GOTESTSUM_VERSION RUN --mount=type=cache,target=/root/.cache/go-build \ --mount=type=cache,target=/go/pkg/mod \ - GOBIN=/build/ GO111MODULE=on go install "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" \ - && /build/gotestsum --version + GO111MODULE=on GOBIN=/out go install "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" \ + && /out/gotestsum --version +# shfmt FROM base AS shfmt -ARG SHFMT_VERSION=v3.0.2 +ARG SHFMT_VERSION RUN --mount=type=cache,target=/root/.cache/go-build \ --mount=type=cache,target=/go/pkg/mod \ - GOBIN=/build/ GO111MODULE=on go install "mvdan.cc/sh/v3/cmd/shfmt@${SHFMT_VERSION}" \ - && /build/shfmt --version + GO111MODULE=on GOBIN=/out go install "mvdan.cc/sh/v3/cmd/shfmt@${SHFMT_VERSION}" \ + && /out/shfmt --version FROM dev-base AS dockercli ARG DOCKERCLI_CHANNEL 
@@ -620,14 +627,14 @@ COPY --from=dockercli /build/ /usr/local/cli COPY --from=frozen-images /out/ /docker-frozen-images COPY --from=swagger /out/ /usr/local/bin/ COPY --from=delve /build/ /usr/local/bin/ -COPY --from=tomll /build/ /usr/local/bin/ -COPY --from=gowinres /build/ /usr/local/bin/ +COPY --from=tomll /out/ /usr/local/bin/ +COPY --from=gowinres /out/ /usr/local/bin/ COPY --from=tini /out/ /usr/local/bin/ COPY --from=registry /build/ /usr/local/bin/ COPY --from=criu /out/ /usr/local/bin/ -COPY --from=gotestsum /build/ /usr/local/bin/ -COPY --from=golangci_lint /build/ /usr/local/bin/ -COPY --from=shfmt /build/ /usr/local/bin/ +COPY --from=gotestsum /out/ /usr/local/bin/ +COPY --from=golangci-lint /out/ /usr/local/bin/ +COPY --from=shfmt /out/ /usr/local/bin/ COPY --from=runc /out/ /usr/local/bin/ COPY --from=containerd /out/ /usr/local/bin/ COPY --from=rootlesskit /out/ /usr/local/bin/ @@ -681,7 +688,7 @@ COPY --from=containerd /out/ /usr/local/bin/ COPY --from=rootlesskit /out/ /usr/local/bin/ COPY --from=vpnkit / /usr/local/bin/ COPY --from=containerutility /out/ /usr/local/bin/ -COPY --from=gowinres /build/ /usr/local/bin/ +COPY --from=gowinres /out/ /usr/local/bin/ WORKDIR /go/src/github.com/docker/docker FROM binary-base AS build-binary From 1e13269d6bd00e77375f9314b5569639b91b996b Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Fri, 19 Aug 2022 17:37:49 +0200 Subject: [PATCH 14/26] Dockerfile: use TARGETPLATFORM for delve stage and verify Signed-off-by: CrazyMax --- Dockerfile | 41 ++++++++++++++++++++++------------------- 1 file changed, 22 insertions(+), 19 deletions(-) diff --git a/Dockerfile b/Dockerfile index 63e0e81cdfc44..5515747ef46c8 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -37,6 +37,11 @@ ARG SHFMT_VERSION=v3.0.2 # version, consider updating the github.com/pelletier/go-toml dependency in # vendor.mod accordingly. ARG GOTOML_VERSION=v1.8.1 +# DELVE_VERSION specifies the version of the Delve debugger binary +# from the https://github.com/go-delve/delve repository. +# It can be used to run Docker with a possibility of +# attaching debugger to it. +ARG DELVE_VERSION=v1.8.1 ARG SKOPEO_VERSION=v1.9.0 ARG CRIU_VERSION=v3.16.1 @@ -260,26 +265,24 @@ RUN --mount=type=cache,sharing=locked,id=moby-cross-true-aptlib,target=/var/lib/ FROM runtime-dev-cross-${CROSS} AS runtime-dev +# delve builds and installs from https://github.com/go-delve/delve. It can be +# used to run Docker with a possibility of attaching debugger to it. FROM base AS delve -# DELVE_VERSION specifies the version of the Delve debugger binary -# from the https://github.com/go-delve/delve repository. -# It can be used to run Docker with a possibility of -# attaching debugger to it. -# -ARG DELVE_VERSION=v1.8.1 -# Delve on Linux is currently only supported on amd64 and arm64; -# https://github.com/go-delve/delve/blob/v1.8.1/pkg/proc/native/support_sentinel.go#L1-L6 +ARG DELVE_VERSION RUN --mount=type=cache,target=/root/.cache/go-build \ - --mount=type=cache,target=/go/pkg/mod \ - case $(dpkg --print-architecture) in \ - amd64|arm64) \ - GOBIN=/build/ GO111MODULE=on go install "github.com/go-delve/delve/cmd/dlv@${DELVE_VERSION}" \ - && /build/dlv --help \ - ;; \ - *) \ - mkdir -p /build/ \ - ;; \ - esac + --mount=type=cache,target=/go/pkg/mod < Date: Fri, 19 Aug 2022 17:41:00 +0200 Subject: [PATCH 15/26] Dockerfile: verify and better cache for dockercli stage Signed-off-by: CrazyMax --- Dockerfile | 35 ++++++++++++++++++++++++++++------- 1 file changed, 28 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 5515747ef46c8..78b3c638a79fe 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -44,6 +44,7 @@ ARG GOTOML_VERSION=v1.8.1 ARG DELVE_VERSION=v1.8.1 ARG SKOPEO_VERSION=v1.9.0 ARG CRIU_VERSION=v3.16.1 +ARG DOCKERCLI_VERSION=v17.06.2-ce # cross compilation helper FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx @@ -373,13 +374,33 @@ RUN --mount=type=cache,target=/root/.cache/go-build \ GO111MODULE=on GOBIN=/out go install "mvdan.cc/sh/v3/cmd/shfmt@${SHFMT_VERSION}" \ && /out/shfmt --version -FROM dev-base AS dockercli -ARG DOCKERCLI_CHANNEL +# dockercli +FROM base AS dockercli-src +WORKDIR /usr/src/dockercli +RUN git init . && git remote add origin "https://github.com/docker/cli.git" ARG DOCKERCLI_VERSION -COPY /hack/dockerfile/install/install.sh /hack/dockerfile/install/dockercli.installer / -RUN --mount=type=cache,target=/root/.cache/go-build \ - --mount=type=cache,target=/go/pkg/mod \ - PREFIX=/build /install.sh dockercli +RUN git fetch --depth 1 origin "${DOCKERCLI_VERSION}" && git checkout -q FETCH_HEAD + +FROM base AS dockercli +ENV GO111MODULE=off +WORKDIR /go/src/github.com/docker/cli +ENV CGO_ENABLED=0 +ARG DOCKERCLI_VERSION +RUN --mount=from=dockercli-src,src=/usr/src/dockercli/components/cli,rw \ + --mount=type=cache,target=/root/.cache \ + --mount=type=cache,target=/go/pkg/mod </dev/null 2>&1; then + mkdir /out + (set -x ; curl -Ls "${DOWNLOAD_URL}" | tar -xz docker/docker) + mv docker/docker /out/docker + else + (set -x ; go build -o /out/docker -v ./cmd/docker) + fi + xx-verify /out/docker +EOT # runc FROM base AS runc-src @@ -626,7 +647,7 @@ RUN update-alternatives --set iptables /usr/sbin/iptables-legacy || true \ RUN pip3 install yamllint==1.26.1 -COPY --from=dockercli /build/ /usr/local/cli +COPY --from=dockercli /out/ /usr/local/cli COPY --from=frozen-images /out/ /docker-frozen-images COPY --from=swagger /out/ /usr/local/bin/ COPY --from=delve /out/ /usr/local/bin/ From 0924ec1d7ad8997c85e66f7d78781fc0a04c7c56 Mon Sep 17 00:00:00 2001 
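Review bot: The prebuilt-binary branch of the new `dockercli` stage pipes `curl -Ls "${DOWNLOAD_URL}"` straight into `tar -xz` with no integrity check, and `xx-verify /out/docker` only confirms the binary's target platform, not its content. The extracted `docker` binary is then copied to `/usr/local/cli` in the dev image, so a tampered or substituted archive would go unnoticed. Download to a file and compare against a pinned digest before extracting, e.g. `curl -fsSLo /tmp/cli.tgz "${DOWNLOAD_URL}"`, `echo "${DOCKERCLI_SHA256}  /tmp/cli.tgz" | sha256sum -c -`, `tar -xzf /tmp/cli.tgz docker/docker`, where `DOCKERCLI_SHA256` is a placeholder for a new build arg carrying the expected hash. The lines that define `DOWNLOAD_URL` and open the heredoc are not readable on this page, so the condition guarding this branch could not be checked.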
From: CrazyMax Date: Fri, 19 Aug 2022 17:44:07 +0200 Subject: [PATCH 16/26] Dockerfile: use global scope platform args for registry stage and verify Signed-off-by: CrazyMax --- Dockerfile | 69 +++++++++++++++++++++++++++++++----------------------- 1 file changed, 40 insertions(+), 29 deletions(-) diff --git a/Dockerfile b/Dockerfile index 78b3c638a79fe..9374899406d8a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -45,6 +45,17 @@ ARG DELVE_VERSION=v1.8.1 ARG SKOPEO_VERSION=v1.9.0 ARG CRIU_VERSION=v3.16.1 ARG DOCKERCLI_VERSION=v17.06.2-ce +# REGISTRY_VERSION specifies the version of the registry to build and install +# from the https://github.com/docker/distribution repository. This version of +# the registry is used to test both schema 1 and schema 2 manifests. Generally, +# the version specified here should match a current release. +ARG REGISTRY_VERSION=v2.3.0 +# REGISTRY_VERSION_SCHEMA1 specifies the version of the registry to build and +# install from the https://github.com/docker/distribution repository. This is +# an older (pre v2.3.0) version of the registry that only supports schema1 +# manifests. This version of the registry is not working on arm64, so installation +# is skipped on that architecture. +ARG REGISTRY_VERSION_SCHEMA1=v2.1.0 # cross compilation helper FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx 
@@ -133,36 +144,36 @@ RUN --mount=from=criu-src,src=/usr/src/criu,rw \ mv ./criu/criu /out/ EOT +# registry +FROM base AS registry-src +WORKDIR /usr/src/registry +RUN git init . && git remote add origin "https://github.com/distribution/distribution.git" + FROM base AS registry WORKDIR /go/src/github.com/docker/distribution - -# REGISTRY_VERSION specifies the version of the registry to build and install -# from the https://github.com/docker/distribution repository. This version of -# the registry is used to test both schema 1 and schema 2 manifests. Generally, -# the version specified here should match a current release. -ARG REGISTRY_VERSION=v2.3.0 - -# REGISTRY_VERSION_SCHEMA1 specifies the version of the registry to build and -# install from the https://github.com/docker/distribution repository. This is -# an older (pre v2.3.0) version of the registry that only supports schema1 -# manifests. This version of the registry is not working on arm64, so installation -# is skipped on that architecture. -ARG REGISTRY_VERSION_SCHEMA1=v2.1.0 -RUN --mount=type=cache,target=/root/.cache/go-build \ - --mount=type=cache,target=/go/pkg/mod \ - --mount=type=tmpfs,target=/go/src/ \ - set -x \ - && git clone https://github.com/docker/distribution.git . 
\ - && git checkout -q "$REGISTRY_VERSION" \ - && GOPATH="/go/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \ - go build -buildmode=pie -o /build/registry-v2 github.com/docker/distribution/cmd/registry \ - && case $(dpkg --print-architecture) in \ - amd64|armhf|ppc64*|s390x) \ - git checkout -q "$REGISTRY_VERSION_SCHEMA1"; \ - GOPATH="/go/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH"; \ - go build -buildmode=pie -o /build/registry-v2-schema1 github.com/docker/distribution/cmd/registry; \ - ;; \ - esac +ENV GO111MODULE=off +ENV CGO_ENABLED=0 +ARG REGISTRY_VERSION +ARG REGISTRY_VERSION_SCHEMA1 +ARG BUILDPLATFORM +RUN --mount=from=registry-src,src=/usr/src/registry,rw \ + --mount=type=cache,target=/root/.cache \ + --mount=type=cache,target=/go/pkg/mod < Date: Fri, 19 Aug 2022 17:50:00 +0200 Subject: [PATCH 17/26] Dockerfile: better cache for crun stage Signed-off-by: CrazyMax --- Dockerfile | 52 ++++++++++++++++++++++++++++++---------------------- 1 file changed, 30 insertions(+), 22 deletions(-) diff --git a/Dockerfile b/Dockerfile index 9374899406d8a..e86b4ac94f3df 100644 --- a/Dockerfile +++ b/Dockerfile @@ -44,6 +44,7 @@ ARG GOTOML_VERSION=v1.8.1 ARG DELVE_VERSION=v1.8.1 ARG SKOPEO_VERSION=v1.9.0 ARG CRIU_VERSION=v3.16.1 +ARG CRUN_VERSION=1.4.5 ARG DOCKERCLI_VERSION=v17.06.2-ce # REGISTRY_VERSION specifies the version of the registry to build and install # from the https://github.com/docker/distribution repository. This version of 
@@ -529,30 +530,37 @@ FROM rootlesskit-build AS rootlesskit-linux FROM binary-dummy AS rootlesskit-windows FROM rootlesskit-${TARGETOS} AS rootlesskit +# crun +FROM base AS crun-src +WORKDIR /usr/src/crun +RUN git init . && git remote add origin "https://github.com/containers/crun.git" +ARG CRUN_VERSION +RUN git fetch --depth 1 origin "${CRUN_VERSION}" && git checkout -q FETCH_HEAD + FROM base AS crun -ARG CRUN_VERSION=1.4.5 +WORKDIR /go/src/github.com/containers/crun +ARG DEBIAN_FRONTEND RUN --mount=type=cache,sharing=locked,id=moby-crun-aptlib,target=/var/lib/apt \ --mount=type=cache,sharing=locked,id=moby-crun-aptcache,target=/var/cache/apt \ - apt-get update && apt-get install -y --no-install-recommends \ - autoconf \ - automake \ - build-essential \ - libcap-dev \ - libprotobuf-c-dev \ - libseccomp-dev \ - libsystemd-dev \ - libtool \ - libudev-dev \ - libyajl-dev \ - python3 \ - ; -RUN --mount=type=tmpfs,target=/tmp/crun-build \ - git clone https://github.com/containers/crun.git /tmp/crun-build && \ - cd /tmp/crun-build && \ - git checkout -q "${CRUN_VERSION}" && \ - ./autogen.sh && \ - ./configure --bindir=/build && \ - make -j install + apt-get update && apt-get install -y --no-install-recommends \ + autoconf \ + automake \ + build-essential \ + libcap-dev \ + libprotobuf-c-dev \ + libseccomp-dev \ + libsystemd-dev \ + libtool \ + libudev-dev \ + libyajl-dev \ + python3 +RUN --mount=from=crun-src,src=/usr/src/crun,rw \ + --mount=type=cache,target=/root/.cache < Date: Fri, 19 Aug 2022 17:53:46 +0200 Subject: [PATCH 18/26] Dockerfile: GO111MODULE=on by default Signed-off-by: CrazyMax --- Dockerfile | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/Dockerfile b/Dockerfile index e86b4ac94f3df..f141bb6c73648 100644 --- a/Dockerfile +++ b/Dockerfile 
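Review bot: `crun-src` fetches `"${CRUN_VERSION}"`, whose global default is the tag `1.4.5`, and a tag can be re-pointed upstream, so the same Dockerfile can build different source later with no visible change. The same `git fetch --depth 1 origin "<ref>" && git checkout -q FETCH_HEAD` pattern is used by `dockercli-src` with `DOCKERCLI_VERSION=v17.06.2-ce` in the earlier patch. Since the fetch takes any ref the server will serve, the version args could carry full commit SHAs instead, with the human-readable tag recorded in a comment on the line above, e.g. `ARG CRUN_VERSION=<full-commit-sha-for-1.4.5>` (placeholder). The heredoc body of the last `RUN` in this hunk is not readable on the page, so the build commands themselves were not reviewed.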
@@ -90,7 +90,7 @@ RUN echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.con
 ARG APT_MIRROR
 RUN sed -ri "s/(httpredir|deb).debian.org/${APT_MIRROR:-deb.debian.org}/g" /etc/apt/sources.list \
 && sed -ri "s/(security).debian.org/${APT_MIRROR:-security.debian.org}/g" /etc/apt/sources.list
-ENV GO111MODULE=off
+ENV GO111MODULE=on
 ARG DEBIAN_FRONTEND
 RUN --mount=type=cache,sharing=locked,id=moby-base-aptlib,target=/var/lib/apt \
 --mount=type=cache,sharing=locked,id=moby-base-aptcache,target=/var/cache/apt \
@@ -200,7 +200,7 @@ FROM base AS skopeo
 ARG SKOPEO_VERSION
 RUN --mount=type=cache,target=/root/.cache/go-build \
 --mount=type=cache,target=/go/pkg/mod \
- GO111MODULE=on CGO_ENABLED=0 GOBIN=/out go install -tags "exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp" "github.com/containers/skopeo/cmd/skopeo@${SKOPEO_VERSION}" \
+ CGO_ENABLED=0 GOBIN=/out go install -tags "exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp" "github.com/containers/skopeo/cmd/skopeo@${SKOPEO_VERSION}" \
 && /out/skopeo --version

 # frozen-images gets useful and necessary Hub images so we can "docker load"
@@ -290,7 +290,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
 # Delve on Linux is currently only supported on amd64 and arm64;
 # https://github.com/go-delve/delve/blob/v1.8.1/pkg/proc/native/support_sentinel.go#L1-L6
 linux/amd64 | linux/arm64)
- GO111MODULE=on GOBIN=/out go install "github.com/go-delve/delve/cmd/dlv@${DELVE_VERSION}"
+ GOBIN=/out go install "github.com/go-delve/delve/cmd/dlv@${DELVE_VERSION}"
 xx-verify /out/dlv
 /out/dlv --help
 ;;
@@ -303,7 +303,7 @@ FROM base AS tomll
 ARG GOTOML_VERSION
 RUN --mount=type=cache,target=/root/.cache/go-build \
 --mount=type=cache,target=/go/pkg/mod \
- GO111MODULE=on GOBIN=/out go install "github.com/pelletier/go-toml/cmd/tomll@${GOTOML_VERSION}" \
+ GOBIN=/out go install "github.com/pelletier/go-toml/cmd/tomll@${GOTOML_VERSION}" \
 && /out/tomll --help

 # go-winres
@@ -311,7 +311,7 @@ FROM base AS gowinres
 ARG GOWINRES_VERSION
 RUN --mount=type=cache,target=/root/.cache/go-build \
 --mount=type=cache,target=/go/pkg/mod \
- GO111MODULE=on GOBIN=/out go install "github.com/tc-hib/go-winres@${GOWINRES_VERSION}" \
+ GOBIN=/out go install "github.com/tc-hib/go-winres@${GOWINRES_VERSION}" \
 && /out/go-winres --help

 # containerd
@@ -367,7 +367,7 @@ FROM base AS golangci-lint
 ARG GOLANGCI_LINT_VERSION
 RUN --mount=type=cache,target=/root/.cache/go-build \
 --mount=type=cache,target=/go/pkg/mod \
- GO111MODULE=on GOBIN=/out go install "github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}" \
+ GOBIN=/out go install "github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}" \
 && /out/golangci-lint --version

 # gotestsum
@@ -375,7 +375,7 @@ FROM base AS gotestsum
 ARG GOTESTSUM_VERSION
 RUN --mount=type=cache,target=/root/.cache/go-build \
 --mount=type=cache,target=/go/pkg/mod \
- GO111MODULE=on GOBIN=/out go install "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" \
+ GOBIN=/out go install "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" \
 && /out/gotestsum --version

 # shfmt
@@ -383,7 +383,7 @@ FROM base AS shfmt
 ARG SHFMT_VERSION
 RUN --mount=type=cache,target=/root/.cache/go-build \
 --mount=type=cache,target=/go/pkg/mod \
- GO111MODULE=on GOBIN=/out go install "mvdan.cc/sh/v3/cmd/shfmt@${SHFMT_VERSION}" \
+ GOBIN=/out go install "mvdan.cc/sh/v3/cmd/shfmt@${SHFMT_VERSION}" \
 && /out/shfmt --version

 # dockercli
@@ -507,7 +507,6 @@ RUN --mount=type=cache,sharing=locked,id=moby-rootlesskit-aptlib,target=/var/lib
 && xx-go --wrap
 ARG DOCKER_LINKMODE
 ENV GOBIN=/out
-ENV GO111MODULE=on
 COPY ./contrib/dockerd-rootless.sh /out/
 COPY ./contrib/dockerd-rootless-setuptool.sh /out/
 RUN --mount=from=rootlesskit-src,src=/usr/src/rootlesskit,rw \
@@ -688,6 +687,7 @@ COPY hack/dockerfile/etc/docker/ /etc/docker/
 ENV PATH=/usr/local/cli:$PATH
 ARG DOCKER_BUILDTAGS
 ENV DOCKER_BUILDTAGS="${DOCKER_BUILDTAGS}"
+ENV GO111MODULE=off
 WORKDIR /go/src/github.com/docker/docker
 VOLUME /var/lib/docker
 VOLUME /home/unprivilegeduser/.local/share/docker
@@ -733,6 +733,7 @@ COPY --from=vpnkit / /usr/local/bin/
 COPY --from=containerutility /out/ /usr/local/bin/
 COPY --from=gowinres /out/ /usr/local/bin/
 WORKDIR /go/src/github.com/docker/docker
+ENV GO111MODULE=off

 FROM binary-base AS build-binary
 RUN --mount=type=cache,target=/root/.cache \
From 0c993787a80599ab9d42a6121f172b8bf74ac374 Mon Sep 17 00:00:00 2001
From: CrazyMax
Date: Sat, 20 Aug 2022 13:09:29 +0200
Subject: [PATCH 19/26] Dockerfile: enhanced for cross compilation Better support for cross compilation so we can rely on --platform flag of buildx for a seamless integration. This removes not necessary extra cross logic in the Dockerfile as well as hack scripts. Tried my best to reduce the footprint of changes but modifying one bit in the Dockerfile involves other changes in ./hack scripts. Non-sandboxed build invocation is still supported. It also handles cross compilation for external tools dynamically based on platform arg available in global scope (containerd, runc, tini, ...). Dev stages have been updated accordingly to changes for cross comp as well as linked tools (swagger, tomll, gotestsum, ...) The current bake definition has been updated to take the changes into account as well as the ci gha workflow.
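Review bot: The two added `ENV GO111MODULE=off` lines (after `ENV DOCKER_BUILDTAGS` in the dev stage and after `WORKDIR` in `binary-base`) undo the new `ENV GO111MODULE=on` default from `base` without saying why. A short comment above each would keep a later cleanup from removing them, for example `# the engine tree is still built in GOPATH mode; only the tool stages use modules`. That reading is inferred from the `go install …@version` stages touched in this patch and should be confirmed by the author. Every other stage derived from `base` that builds from a checked-out tree now inherits module mode, so it is worth confirming each one either ships a `go.mod` or sets the variable itself, as the `dockercli` and `registry` stages do.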
Signed-off-by: CrazyMax --- .dockerignore | 1 - .github/workflows/ci.yml | 92 +++-- Dockerfile | 332 ++++++++---------- Jenkinsfile | 6 +- Makefile | 86 ++--- cli/winresources/docker-proxy/winresources.go | 2 +- cli/winresources/dockerd/winresources.go | 2 +- docker-bake.hcl | 100 +++++- docs/contributing/set-up-dev-env.md | 8 +- docs/contributing/test.md | 6 +- hack/make.sh | 99 ++---- hack/make/.binary | 120 +++++-- hack/make/.go-autogen | 27 -- hack/make/.integration-daemon-start | 2 +- hack/make/.integration-test-helpers | 1 - hack/make/.mkwinres | 15 +- hack/make/README.md | 2 +- hack/make/binary | 10 +- hack/make/binary-daemon | 34 +- hack/make/binary-proxy | 14 +- hack/make/containerutility | 20 -- hack/make/cross | 37 -- hack/make/cross-platform-dependent | 6 - hack/make/dynbinary | 10 +- hack/make/dynbinary-daemon | 16 +- hack/make/dynbinary-proxy | 19 +- hack/make/install-binary | 2 +- hack/make/install-proxy | 2 +- 28 files changed, 519 insertions(+), 552 deletions(-) delete mode 100644 hack/make/.go-autogen delete mode 100644 hack/make/containerutility delete mode 100644 hack/make/cross delete mode 100644 hack/make/cross-platform-dependent diff --git a/.dockerignore b/.dockerignore index 2a8bcd5a54eff..3aaf86784d4fe 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,4 +1,3 @@ -.git .go-pkg-cache .gopath bundles diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ff0f33e9626e0..d5655584a4542 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -15,17 +15,22 @@ on: pull_request: env: - BUNDLES_OUTPUT: ./bundles + PLATFORM: "Moby Engine" + PRODUCT: "Moby" + DEFAULT_PRODUCT_LICENSE: "Moby" + PACKAGER_NAME: "Moby" jobs: - build: + binary: runs-on: ubuntu-20.04 + env: + DESTDIR: ./build strategy: fail-fast: false matrix: - target: - - binary - - dynbinary + linkmode: + - static + - dynamic steps: - name: Checkout 
@@ -39,34 +44,57 @@ jobs: name: Build uses: docker/bake-action@v1 with: - targets: ${{ matrix.target }} + targets: binary set: | - *.cache-from=type=gha,scope=build-${{ matrix.target }} - *.cache-to=type=gha,scope=build-${{ matrix.target }} + *.cache-from=type=gha,scope=build-${{ matrix.linkmode }} + *.cache-to=type=gha,scope=build-${{ matrix.linkmode }},mode=max + env: + DOCKER_LINKMODE: ${{ matrix.linkmode }} + - + name: List artifacts + run: | + tree -nh ${{ env.DESTDIR }} + - + name: Check artifacts + run: | + find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} + - name: Upload artifacts uses: actions/upload-artifact@v3 with: - name: ${{ matrix.target }} - path: ${{ env.BUNDLES_OUTPUT }} + name: binary-${{ matrix.linkmode }} + path: ${{ env.DESTDIR }} if-no-files-found: error retention-days: 7 + prepare: + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.platforms.outputs.matrix }} + steps: + - + name: Checkout + uses: actions/checkout@v3 + - + name: Create matrix + id: platforms + run: | + echo ::set-output name=matrix::$(docker buildx bake binary-cross --print | jq -cr '.target."binary-cross".platforms') + - + name: Show matrix + run: | + echo ${{ steps.platforms.outputs.matrix }} + cross: runs-on: ubuntu-20.04 + needs: + - prepare + env: + DESTDIR: ./build strategy: fail-fast: false matrix: - platform: - - linux/amd64 - - linux/arm/v5 - - linux/arm/v6 - - linux/arm/v7 - - linux/arm64 - - linux/ppc64le - - linux/s390x - - windows/amd64 - - windows/arm64 + platform: ${{ fromJson(needs.prepare.outputs.matrix) }} steps: - name: Checkout @@ -78,6 +106,9 @@ jobs: run: | platform=${{ matrix.platform }} echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV + - + name: Set up QEMU + uses: docker/setup-qemu-action@v1 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v1 
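Review bot: The new `Show matrix` step expands `${{ steps.platforms.outputs.matrix }}` directly into the script text, so the JSON produced by `docker buildx bake binary-cross --print` is parsed by the shell instead of being passed as data. Today that only strips the JSON quotes from the log output, but any shell metacharacter that ends up in a platform string in the bake file would be interpreted by the runner. Pass the value through the environment instead: give the step `env:` with `MATRIX: ${{ steps.platforms.outputs.matrix }}` and run `echo "$MATRIX"`. The `Create matrix` step would also be more exact with the command substitution quoted, `echo "::set-output name=matrix::$(…)"`, since the unquoted form is subject to word splitting and globbing.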
@@ -85,24 +116,31 @@ jobs: name: Build uses: docker/bake-action@v1 with: - targets: cross + targets: binary set: | + *.platform=${{ matrix.platform }} *.cache-from=type=gha,scope=cross-${{ env.PLATFORM_PAIR }} *.cache-to=type=gha,scope=cross-${{ env.PLATFORM_PAIR }} - env: - DOCKER_CROSSPLATFORMS: ${{ matrix.platform }} + - + name: List artifacts + run: | + tree -nh ${{ env.DESTDIR }} + - + name: Check artifacts + run: | + find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} + - name: Upload artifacts uses: actions/upload-artifact@v2 with: name: cross-${{ env.PLATFORM_PAIR }} - path: ${{ env.BUNDLES_OUTPUT }} + path: ${{ env.DESTDIR }} if-no-files-found: error retention-days: 7 test-buildkit: needs: - - build + - binary runs-on: ubuntu-20.04 strategy: fail-fast: false @@ -147,7 +185,7 @@ jobs: name: Download binary artifacts uses: actions/download-artifact@v3 with: - name: binary + name: binary-static path: ./buildkit/build/moby/ - name: Update daemon.json @@ -163,7 +201,7 @@ jobs: env: CONTEXT: "." TEST_DOCKERD: "1" - TEST_DOCKERD_BINARY: "./build/moby/binary-daemon/dockerd" + TEST_DOCKERD_BINARY: "./build/moby/dockerd" TESTPKGS: "${{ matrix.pkg }}" TESTFLAGS: "-v --parallel=1 --timeout=30m --run=//worker=dockerd$" SKIP_INTEGRATION_TESTS: "${{ matrix.skip-integration-tests }}" diff --git a/Dockerfile b/Dockerfile index f141bb6c73648..a2d084d1cb785 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,8 +8,7 @@ ARG UBUNTU_BASE="ubuntu:22.04" ARG DEBIAN_FRONTEND=noninteractive ARG APT_MIRROR=deb.debian.org ARG DOCKER_LINKMODE=static -ARG CROSS="false" -ARG SYSTEMD="false" +ARG SYSTEMD=false ## build deps ARG GO_VERSION=1.18.5 
@@ -68,11 +67,11 @@ FROM scratch AS binary-dummy COPY --from=build-dummy /out /out # go base image to retrieve /usr/local/go -FROM golang:${GO_VERSION} AS golang +FROM --platform=$BUILDPLATFORM golang:${GO_VERSION} AS golang # base -FROM ${UBUNTU_BASE} AS base-ubuntu -FROM ${DEBIAN_BASE} AS base-debian +FROM --platform=$BUILDPLATFORM ${UBUNTU_BASE} AS base-ubuntu +FROM --platform=$BUILDPLATFORM ${DEBIAN_BASE} AS base-debian FROM base-debian AS base-windows FROM base-debian AS base-linux-amd64 FROM base-debian AS base-linux-armv5 @@ -224,60 +223,6 @@ RUN --mount=from=skopeo,source=/out/skopeo,target=/usr/bin/skopeo <, but this doesn't want to install -# on non-amd64 systems, so other architectures cannot crossbuild amd64. -RUN --mount=type=cache,sharing=locked,id=moby-cross-true-aptlib,target=/var/lib/apt \ - --mount=type=cache,sharing=locked,id=moby-cross-true-aptcache,target=/var/cache/apt \ - apt-get update && apt-get install -y --no-install-recommends \ - libapparmor-dev:arm64 \ - libapparmor-dev:armel \ - libapparmor-dev:armhf \ - libapparmor-dev:ppc64el \ - libapparmor-dev:s390x \ - libseccomp-dev:arm64 \ - libseccomp-dev:armel \ - libseccomp-dev:armhf \ - libseccomp-dev:ppc64el \ - libseccomp-dev:s390x - -FROM runtime-dev-cross-${CROSS} AS runtime-dev - # delve builds and installs from https://github.com/go-delve/delve. It can be # used to run Docker with a possibility of attaching debugger to it. FROM base AS delve 
@@ -609,8 +554,48 @@ FROM binary-dummy AS containerutility-windows-arm64 FROM containerutility-windows-${TARGETARCH} AS containerutility-windows FROM containerutility-${TARGETOS} AS containerutility -# TODO: Some of this is only really needed for testing, it would be nice to split this up -FROM runtime-dev AS dev-systemd-false +FROM base AS dev-systemd-false +COPY --link --from=frozen-images /out/ /docker-frozen-images +COPY --link --from=tini /out/ /usr/local/bin/ +COPY --link --from=runc /out/ /usr/local/bin/ +COPY --link --from=containerd /out/ /usr/local/bin/ +COPY --link --from=rootlesskit /out/ /usr/local/bin/ +COPY --link --from=containerutility /out/ /usr/local/bin/ +COPY --link --from=vpnkit / /usr/local/bin/ +COPY --link --from=swagger /out/ /usr/local/bin/ +COPY --link --from=tomll /out/ /usr/local/bin/ +COPY --link --from=delve /out/ /usr/local/bin/ +COPY --link --from=gotestsum /out/ /usr/local/bin/ +COPY --link --from=shfmt /out/ /usr/local/bin/ +COPY --link --from=golangci-lint /out/ /usr/local/bin/ +COPY --link --from=criu /out/ /usr/local/bin/ +COPY --link --from=crun /out/ /usr/local/bin/ +COPY --link --from=registry /out/ /usr/local/bin/ +COPY --link --from=dockercli /out/ /usr/local/cli/ +COPY hack/dockerfile/etc/docker/ /etc/docker/ +ENV PATH=/usr/local/cli:$PATH +ARG DOCKER_BUILDTAGS +ENV DOCKER_BUILDTAGS="${DOCKER_BUILDTAGS}" +ENV GO111MODULE=off +WORKDIR /go/src/github.com/docker/docker +VOLUME /var/lib/docker +VOLUME /home/unprivilegeduser/.local/share/docker +# Wrap all commands in the "docker-in-docker" script to allow nested containers +ENTRYPOINT ["hack/dind"] + +FROM dev-systemd-false AS dev-systemd-true +ARG DEBIAN_FRONTEND +RUN --mount=type=cache,sharing=locked,id=moby-systemd-aptlib,target=/var/lib/apt \ + --mount=type=cache,sharing=locked,id=moby-systemd-aptcache,target=/var/cache/apt \ + apt-get update && apt-get install -y --no-install-recommends \ + curl \ + dbus \ + dbus-user-session \ + systemd \ + systemd-sysv +ENTRYPOINT 
["hack/dind-systemd"] + +FROM dev-systemd-${SYSTEMD} AS dev-base ARG DEBIAN_FRONTEND RUN groupadd -r docker RUN useradd --create-home --gid docker unprivilegeduser \ 
@@ -626,145 +611,124 @@ RUN ldconfig # Do you really need to add another package here? Can it be done in a different build stage? RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \ --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \ - apt-get update && apt-get install -y --no-install-recommends \ - apparmor \ - bash-completion \ - bzip2 \ - inetutils-ping \ - iproute2 \ - iptables \ - jq \ - libcap2-bin \ - libnet1 \ - libnl-3-200 \ - libprotobuf-c1 \ - libyajl2 \ - net-tools \ - patch \ - pigz \ - python3-pip \ - python3-setuptools \ - python3-wheel \ - sudo \ - systemd-journal-remote \ - thin-provisioning-tools \ - uidmap \ - vim \ - vim-common \ - xfsprogs \ - xz-utils \ - zip \ - zstd - - + apt-get update && apt-get install -y --no-install-recommends \ + apparmor \ + bash-completion \ + bzip2 \ + inetutils-ping \ + iproute2 \ + iptables \ + jq \ + libcap2-bin \ + libnet1 \ + libnl-3-200 \ + libprotobuf-c1 \ + libyajl2 \ + net-tools \ + patch \ + pigz \ + python3-pip \ + python3-setuptools \ + python3-wheel \ + sudo \ + systemd-journal-remote \ + thin-provisioning-tools \ + uidmap \ + vim \ + vim-common \ + xfsprogs \ + xz-utils \ + zip \ + zstd # Switch to use iptables instead of nftables (to match the CI hosts) # TODO use some kind of runtime auto-detection instead if/when nftables is supported (https://github.com/moby/moby/issues/26824) RUN update-alternatives --set iptables /usr/sbin/iptables-legacy || true \ && update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy || true \ && update-alternatives --set arptables /usr/sbin/arptables-legacy || true - RUN pip3 install yamllint==1.26.1 - -COPY --from=dockercli /out/ /usr/local/cli -COPY --from=frozen-images /out/ /docker-frozen-images -COPY --from=swagger /out/ /usr/local/bin/ -COPY --from=delve /out/ /usr/local/bin/ -COPY --from=tomll /out/ /usr/local/bin/ -COPY --from=gowinres /out/ /usr/local/bin/ -COPY --from=tini /out/ /usr/local/bin/ -COPY 
--from=registry /out/ /usr/local/bin/ -COPY --from=criu /out/ /usr/local/bin/ -COPY --from=gotestsum /out/ /usr/local/bin/ -COPY --from=golangci-lint /out/ /usr/local/bin/ -COPY --from=shfmt /out/ /usr/local/bin/ -COPY --from=runc /out/ /usr/local/bin/ -COPY --from=containerd /out/ /usr/local/bin/ -COPY --from=rootlesskit /out/ /usr/local/bin/ -COPY --from=vpnkit / /usr/local/bin/ -COPY --from=containerutility /out/ /usr/local/bin/ -COPY --from=crun /out/ /usr/local/bin/ -COPY hack/dockerfile/etc/docker/ /etc/docker/ -ENV PATH=/usr/local/cli:$PATH -ARG DOCKER_BUILDTAGS -ENV DOCKER_BUILDTAGS="${DOCKER_BUILDTAGS}" -ENV GO111MODULE=off +# set dev environment as safe git directory +RUN git config --global --add safe.directory $GOPATH/src/github.com/docker/docker +RUN --mount=type=cache,sharing=locked,id=moby-build-aptlib,target=/var/lib/apt \ + --mount=type=cache,sharing=locked,id=moby-build-aptcache,target=/var/cache/apt \ + apt-get update && apt-get install --no-install-recommends -y \ + binutils \ + gcc \ + g++ \ + pkg-config \ + dpkg-dev \ + libapparmor-dev \ + libbtrfs-dev \ + libdevmapper-dev \ + libseccomp-dev \ + libsecret-1-dev \ + libsystemd-dev \ + libudev-dev + +FROM base AS build-base WORKDIR /go/src/github.com/docker/docker -VOLUME /var/lib/docker -VOLUME /home/unprivilegeduser/.local/share/docker -# Wrap all commands in the "docker-in-docker" script to allow nested containers -ENTRYPOINT ["hack/dind"] - -FROM dev-systemd-false AS dev-systemd-true -RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \ - --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \ - apt-get update && apt-get install -y --no-install-recommends \ - dbus \ - dbus-user-session \ - systemd \ - systemd-sysv -ENTRYPOINT ["hack/dind-systemd"] - -FROM dev-systemd-${SYSTEMD} AS dev +ENV GO111MODULE=off +ARG DEBIAN_FRONTEND +ARG TARGETPLATFORM +RUN --mount=type=cache,sharing=locked,id=moby-build-aptlib,target=/var/lib/apt \ + 
--mount=type=cache,sharing=locked,id=moby-build-aptcache,target=/var/cache/apt \ + xx-apt-get update && xx-apt-get install --no-install-recommends -y \ + binutils \ + dpkg-dev \ + g++ \ + gcc \ + libapparmor-dev \ + libbtrfs-dev \ + libdevmapper-dev \ + libseccomp-dev \ + libsecret-1-dev \ + libsystemd-dev \ + libudev-dev \ + pkg-config \ + && xx-go --wrap -FROM runtime-dev AS binary-base -ARG DOCKER_GITCOMMIT=HEAD -ENV DOCKER_GITCOMMIT=${DOCKER_GITCOMMIT} +FROM build-base AS build +COPY --from=gowinres /out/ /usr/local/bin +ARG CGO_ENABLED +ARG DOCKER_DEBUG +ARG DOCKER_STRIP +ARG DOCKER_LINKMODE +ARG DOCKER_BUILDTAGS +ARG DOCKER_LDFLAGS +ARG DOCKER_BUILDMODE +ARG DOCKER_BUILDTAGS ARG VERSION -ENV VERSION=${VERSION} ARG PLATFORM -ENV PLATFORM=${PLATFORM} ARG PRODUCT -ENV PRODUCT=${PRODUCT} ARG DEFAULT_PRODUCT_LICENSE -ENV DEFAULT_PRODUCT_LICENSE=${DEFAULT_PRODUCT_LICENSE} ARG PACKAGER_NAME -ENV PACKAGER_NAME=${PACKAGER_NAME} -ARG DOCKER_BUILDTAGS -ENV DOCKER_BUILDTAGS="${DOCKER_BUILDTAGS}" -ENV PREFIX=/build -# TODO: This is here because hack/make.sh binary copies these extras binaries -# from $PATH into the bundles dir. -# It would be nice to handle this in a different way. 
-COPY --from=tini /out/ /usr/local/bin/ -COPY --from=runc /out/ /usr/local/bin/ -COPY --from=containerd /out/ /usr/local/bin/ -COPY --from=rootlesskit /out/ /usr/local/bin/ -COPY --from=vpnkit / /usr/local/bin/ -COPY --from=containerutility /out/ /usr/local/bin/ -COPY --from=gowinres /out/ /usr/local/bin/ -WORKDIR /go/src/github.com/docker/docker -ENV GO111MODULE=off - -FROM binary-base AS build-binary -RUN --mount=type=cache,target=/root/.cache \ - --mount=type=bind,target=.,ro \ - --mount=type=tmpfs,target=cli/winresources/dockerd \ - --mount=type=tmpfs,target=cli/winresources/docker-proxy \ - hack/make.sh binary - -FROM binary-base AS build-dynbinary -RUN --mount=type=cache,target=/root/.cache \ - --mount=type=bind,target=.,ro \ - --mount=type=tmpfs,target=cli/winresources/dockerd \ - --mount=type=tmpfs,target=cli/winresources/docker-proxy \ - hack/make.sh dynbinary - -FROM binary-base AS build-cross -ARG DOCKER_CROSSPLATFORMS -RUN --mount=type=cache,target=/root/.cache \ - --mount=type=bind,target=.,ro \ +# PREFIX overrides DEST dir in make.sh script otherwise it fails because of +# read only mount in current work dir +ARG PREFIX=/tmp +# OUTPUT is used in hack/make/.binary to override DEST from make.sh script +ARG OUTPUT=/out +RUN --mount=type=bind,target=. \ --mount=type=tmpfs,target=cli/winresources/dockerd \ --mount=type=tmpfs,target=cli/winresources/docker-proxy \ - hack/make.sh cross + --mount=type=cache,target=/root/.cache < docker buildx bake binary +# > DOCKER_LINKMODE=dynamic docker buildx bake binary +# or +# > make binary +# > make dynbinary FROM scratch AS binary -COPY --from=build-binary /build/bundles/ / - -FROM scratch AS dynbinary -COPY --from=build-dynbinary /build/bundles/ / +COPY --link --from=tini /out/ / +COPY --link --from=build /out / -FROM scratch AS cross -COPY --from=build-cross /build/bundles/ / +# usage: +# > make shell +FROM dev-base AS dev +COPY . . -FROM dev AS final -COPY . /go/src/github.com/docker/docker +FROM dev 
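Review bot: `COPY . .` in the new `dev` stage now writes the repository's `.git` directory into an image layer, because this commit also removes `.git` from `.dockerignore`. `.git/config` can carry credential settings or tokens embedded in remote URLs, and the full history travels with any push or export of the dev image. The `build` stage already reads the tree through `--mount=type=bind,target=.`, which leaves nothing in a layer; if only that stage needs the git metadata, the dev image could be built without it, or rely on whatever mount `make shell` sets up (not visible here, to be confirmed). At minimum a comment above the instruction, such as `# copies .git as well; this image is for local use and must not be published`, would record the trade-off.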
diff --git a/Jenkinsfile b/Jenkinsfile index fd3408472e1c0..0d6b04e7f1f33 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -84,7 +84,7 @@ pipeline { } stage("Build dev image") { steps { - sh 'docker build --force-rm --build-arg APT_MIRROR --build-arg CROSS=true -t docker:${GIT_COMMIT} .' + sh 'docker build --force-rm --build-arg APT_MIRROR -t docker:${GIT_COMMIT} .' } } stage("Validate") { @@ -286,7 +286,7 @@ pipeline { [ -n "$TESTDEBUG" ] && rm= || rm=--rm; docker run $rm -t --privileged \ -v "$WORKSPACE/bundles/${TEST_INTEGRATION_DEST}:/go/src/github.com/docker/docker/bundles" \ - -v "$WORKSPACE/bundles/dynbinary-daemon:/go/src/github.com/docker/docker/bundles/dynbinary-daemon" \ + -v "$WORKSPACE/bundles/dynbinary:/go/src/github.com/docker/docker/bundles/dynbinary" \ -v "$WORKSPACE/.git:/go/src/github.com/docker/docker/.git" \ --name "$CONTAINER_NAME" \ -e KEEPBUNDLE=1 \ @@ -756,7 +756,6 @@ pipeline { // ppc64le machines run on Docker 18.06, and buildkit has some // bugs on that version. Build and use buildx instead. environment { - USE_BUILDX = '1' DOCKER_BUILDKIT = '0' } @@ -875,7 +874,6 @@ pipeline { // ppc64le machines run on Docker 18.06, and buildkit has some // bugs on that version. Build and use buildx instead. environment { - USE_BUILDX = '1' DOCKER_BUILDKIT = '0' } diff --git a/Makefile b/Makefile index be17598c5abd3..928da90820f5f 100644 --- a/Makefile +++ b/Makefile 
@@ -1,28 +1,22 @@ .PHONY: all binary dynbinary build cross help install manpages run shell test test-docker-py test-integration test-unit validate win BUILDX_VERSION ?= v0.9.0 - -ifdef USE_BUILDX -BUILDX ?= $(shell command -v buildx) -BUILDX ?= $(shell command -v docker-buildx) -DOCKER_BUILDX_CLI_PLUGIN_PATH ?= ~/.docker/cli-plugins/docker-buildx -BUILDX ?= $(shell if [ -x "$(DOCKER_BUILDX_CLI_PLUGIN_PATH)" ]; then echo $(DOCKER_BUILDX_CLI_PLUGIN_PATH); fi) -endif - -ifndef USE_BUILDX -DOCKER_BUILDKIT := 1 -export DOCKER_BUILDKIT +ifneq (, $(BUILDX_BIN)) + BUILDX := $(BUILDX_BIN) +else ifneq (, $(shell docker buildx version)) + BUILDX := docker buildx +else ifneq (, $(shell which buildx)) + BUILDX := $(which buildx) endif BUILDX ?= bundles/buildx DOCKER ?= docker +DOCKER_BUILDKIT ?= 1 # set the graph driver as the current graphdriver if not set DOCKER_GRAPHDRIVER := $(if $(DOCKER_GRAPHDRIVER),$(DOCKER_GRAPHDRIVER),$(shell docker info 2>&1 | grep "Storage Driver" | sed 's/.*: //')) export DOCKER_GRAPHDRIVER -# get OS/Arch of docker engine -DOCKER_OSARCH := $(shell bash -c 'source hack/make/.detect-daemon-osarch && echo $${DOCKER_ENGINE_OSARCH}') DOCKERFILE := $(shell bash -c 'source hack/make/.detect-daemon-osarch && echo $${DOCKERFILE}') DOCKER_GITCOMMIT := $(shell git rev-parse --short HEAD || echo unsupported) @@ -45,10 +39,14 @@ export VALIDATE_ORIGIN_BRANCH # make DOCKER_LDFLAGS="-X github.com/docker/docker/daemon/graphdriver.priority=overlay2,devicemapper" dynbinary # DOCKER_ENVS := \ - -e DOCKER_CROSSPLATFORMS \ -e BUILD_APT_MIRROR \ - -e BUILDFLAGS \ -e KEEPBUNDLE \ + -e DOCKER_DEBUG \ + -e DOCKER_STRIP \ + -e DOCKER_LINKMODE \ + -e DOCKER_LDFLAGS \ + -e DOCKER_BUILDMODE \ + -e DOCKER_BUILDFLAGS \ -e DOCKER_BUILD_ARGS \ -e DOCKER_BUILD_GOGC \ -e DOCKER_BUILD_OPTS \ 
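Review bot: In the BUILDX detection block, `BUILDX := $(which buildx)` is a make variable reference rather than a shell call, so it expands to an empty string exactly when a standalone `buildx` is on PATH. Because `:=` leaves BUILDX defined (though empty), the following `BUILDX ?= bundles/buildx` does not apply, and `BUILD_CMD` / `BAKE_CMD` later in this file become ` build` and ` bake`. The line should read `BUILDX := $(shell which buildx)`. Separately, `DOCKER_BUILDKIT ?= 1` replaces an assignment that was followed by `export DOCKER_BUILDKIT`; without the export the default likely never reaches `docker` or the `-e DOCKER_BUILDKIT` passthrough unless the variable was already in the environment.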
@@ -56,11 +54,9 @@ DOCKER_ENVS := \ -e DOCKER_BUILDKIT \ -e DOCKER_BASH_COMPLETION_PATH \ -e DOCKER_CLI_PATH \ - -e DOCKER_DEBUG \ -e DOCKER_EXPERIMENTAL \ -e DOCKER_GITCOMMIT \ -e DOCKER_GRAPHDRIVER \ - -e DOCKER_LDFLAGS \ -e DOCKER_PORT \ -e DOCKER_REMAP_ROOT \ -e DOCKER_ROOTLESS \ @@ -76,8 +72,6 @@ DOCKER_ENVS := \ -e TESTDEBUG \ -e TESTDIRS \ -e TESTFLAGS \ - -e TESTFLAGS_INTEGRATION \ - -e TESTFLAGS_INTEGRATION_CLI \ -e TEST_FILTER \ -e TIMEOUT \ -e VALIDATE_REPO \ 
@@ -145,38 +139,22 @@ DOCKER_BUILD_ARGS += --build-arg=SYSTEMD=true endif BUILD_OPTS := ${BUILD_APT_MIRROR} ${DOCKER_BUILD_ARGS} ${DOCKER_BUILD_OPTS} -f "$(DOCKERFILE)" -ifdef USE_BUILDX -BUILD_OPTS += $(BUILDX_BUILD_EXTRA_OPTS) BUILD_CMD := $(BUILDX) build -else -BUILD_CMD := $(DOCKER) build -endif - -# This is used for the legacy "build" target and anything still depending on it -BUILD_CROSS = -ifdef DOCKER_CROSS -BUILD_CROSS = --build-arg CROSS=$(DOCKER_CROSS) -endif -ifdef DOCKER_CROSSPLATFORMS -BUILD_CROSS = --build-arg CROSS=true -endif - -VERSION_AUTOGEN_ARGS = --build-arg VERSION --build-arg DOCKER_GITCOMMIT --build-arg PRODUCT --build-arg PLATFORM --build-arg DEFAULT_PRODUCT_LICENSE --build-arg PACKAGER_NAME +BAKE_CMD := $(BUILDX) bake default: binary -all: build ## validate all checks, build linux binaries, run all tests,\ncross build non-linux binaries, and generate archives +all: build ## validate all checks, build linux binaries and run all tests $(DOCKER_RUN_DOCKER) bash -c 'hack/validate/default && hack/make.sh' binary: buildx ## build statically linked linux binaries - $(BUILD_CMD) $(BUILD_OPTS) --output=bundles/ --target=$@ $(VERSION_AUTOGEN_ARGS) . + $(BAKE_CMD) binary dynbinary: buildx ## build dynamically linked linux binaries - $(BUILD_CMD) $(BUILD_OPTS) --output=bundles/ --target=$@ $(VERSION_AUTOGEN_ARGS) . + DOCKER_LINKMODE=dynamic $(BAKE_CMD) binary -cross: BUILD_OPTS += --build-arg CROSS=true --build-arg DOCKER_CROSSPLATFORMS -cross: buildx ## cross build the binaries for darwin, freebsd and\nwindows - $(BUILD_CMD) $(BUILD_OPTS) --output=bundles/ --target=$@ $(VERSION_AUTOGEN_ARGS) . +cross: buildx ## cross build the binaries + $(BAKE_CMD) binary-cross bundles: mkdir bundles 
@@ -196,24 +174,21 @@ install: ## install the linux binaries run: build ## run the docker daemon in a container $(DOCKER_RUN_DOCKER) sh -c "KEEPBUNDLE=1 hack/make.sh install-binary run" - + .PHONY: build ifeq ($(BIND_DIR), .) -build: shell_target := --target=dev +build: shell_target := --target=dev-base else -build: shell_target := --target=final -endif -ifdef USE_BUILDX -build: buildx_load := --load +build: shell_target := --target=dev endif build: buildx - $(BUILD_CMD) $(BUILD_OPTS) $(shell_target) $(buildx_load) $(BUILD_CROSS) -t "$(DOCKER_IMAGE)" . + $(BUILD_CMD) $(BUILD_OPTS) $(shell_target) --load -t "$(DOCKER_IMAGE)" . shell: build ## start a shell inside the build env $(DOCKER_RUN_DOCKER) bash test: build test-unit ## run the unit, integration and docker-py tests - $(DOCKER_RUN_DOCKER) hack/make.sh dynbinary cross test-integration test-docker-py + $(DOCKER_RUN_DOCKER) hack/make.sh dynbinary test-integration test-docker-py test-docker-py: build ## run the docker-py tests $(DOCKER_RUN_DOCKER) hack/make.sh dynbinary test-docker-py @@ -238,7 +213,7 @@ validate: build ## validate DCO, Seccomp profile generation, gofmt,\n./pkg/ isol $(DOCKER_RUN_DOCKER) hack/validate/all win: build ## cross build the binary for windows - $(DOCKER_RUN_DOCKER) DOCKER_CROSSPLATFORMS=windows/amd64 hack/make.sh cross + $(BAKE_CMD) --set *.platform=windows/amd64 binary .PHONY: swagger-gen swagger-gen: @@ -257,12 +232,11 @@ swagger-docs: ## preview the API documentation bfirsh/redoc:1.14.0 .PHONY: buildx -ifdef USE_BUILDX ifeq ($(BUILDX), bundles/buildx) -buildx: bundles/buildx ## build buildx cli tool -endif -endif - -bundles/buildx: bundles ## build buildx CLI tool +buildx: bundles/buildx ## download buildx CLI tool +bundles/buildx: curl -fsSL https://raw.githubusercontent.com/moby/buildkit/70deac12b5857a1aa4da65e90b262368e2f71500/hack/install-buildx | VERSION="$(BUILDX_VERSION)" BINDIR="$(@D)" bash $@ version +else +buildx: bundles +endif 
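Review bot: The `win` recipe passes `--set *.platform=windows/amd64` unquoted, so the shell treats it as a glob pattern before bake sees it; quote it as `--set '*.platform=windows/amd64'`. The target also still depends on `build`, which builds and loads the dev image even though the new recipe no longer runs inside it; `win: buildx` would match how `binary` and `cross` are declared.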
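Review bot: With `USE_BUILDX` gone, the `bundles/buildx` rule becomes the default path on any host where no buildx is found, and it pipes a remote script into `bash` and then executes the binary that script installed (`$@ version`). The script URL is pinned to a commit, but nothing in the visible recipe checks the downloaded buildx binary against a known digest; whether `install-buildx` does so itself cannot be seen from here. Consider fetching the release asset to a file and comparing it with a SHA-256 recorded next to `BUILDX_VERSION` before it is run. The rule also lost its `bundles` prerequisite while still passing `BINDIR="$(@D)"`, so it now relies on the installer creating that directory.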
diff --git a/cli/winresources/docker-proxy/winresources.go b/cli/winresources/docker-proxy/winresources.go index 856ded949fee2..5617fb6d6c0c1 100644 --- a/cli/winresources/docker-proxy/winresources.go +++ b/cli/winresources/docker-proxy/winresources.go @@ -7,6 +7,6 @@ // * Events message table // // The resource object files are generated when building with go-winres -// in hack/make/.go-autogen and are located in cli/winresources. +// in hack/make/.binary and are located in cli/winresources. // This occurs automatically when you cross build against Windows OS. package winresources diff --git a/cli/winresources/dockerd/winresources.go b/cli/winresources/dockerd/winresources.go index b71057bafea02..66c907a68df33 100644 --- a/cli/winresources/dockerd/winresources.go +++ b/cli/winresources/dockerd/winresources.go @@ -7,6 +7,6 @@ // * Events message table // // The resource object files are generated when building with go-winres -// in hack/make/.go-autogen and are located in cli/winresources. +// in hack/make/.binary and are located in cli/winresources. // This occurs automatically when you cross build against Windows OS. package winresources diff --git a/docker-bake.hcl b/docker-bake.hcl index f683c0ebd5fe9..0e6879fc4337a 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl 
@@ -1,21 +1,79 @@ variable "APT_MIRROR" { default = "deb.debian.org" } +variable "DOCKER_DEBUG" { + default = "" +} +variable "DOCKER_STRIP" { + default = "" +} variable "DOCKER_LINKMODE" { default = "static" } -variable "BUNDLES_OUTPUT" { - default = "./bundles" +variable "DOCKER_LDFLAGS" { + default = "" } -variable "DOCKER_CROSSPLATFORMS" { +variable "DOCKER_BUILDMODE" { + default = "" +} +variable "DOCKER_BUILDTAGS" { default = "" } +# Docker version such as 17.04.0-dev. Automatically generated through Git ref. +variable "VERSION" { + default = "" +} + +# The platform name, such as "Docker Engine - Community". +variable "PLATFORM" { + default = "" +} + +# The product name, used to set version.ProductName, which is used to set +# BuildKit's ExportedProduct variable in order to show useful error messages +# to users when a certain version of the product doesn't support a BuildKit feature. +variable "PRODUCT" { + default = "" +} + +# Sets the version.DefaultProductLicense string, such as "Community Engine". +# This field can contain a summary of the product license of the daemon if a +# commercial license has been applied to the daemon. +variable "DEFAULT_PRODUCT_LICENSE" { + default = "" +} + +# The name of the packager (e.g. "Docker, Inc."). This used to set CompanyName +# in the manifest. +variable "PACKAGER_NAME" { + default = "" +} + +# Defines the output folder +variable "DESTDIR" { + default = "" +} +function "bindir" { + params = [defaultdir] + result = DESTDIR != "" ? 
DESTDIR : "./bundles/${defaultdir}" +} + target "_common" { args = { - BUILDKIT_CONTEXT_KEEP_GIT_DIR = 1 + BUILDKIT_CONTEXT_KEEP_GIT_DIR = 1 # https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md#built-in-build-args APT_MIRROR = APT_MIRROR + DOCKER_DEBUG = DOCKER_DEBUG + DOCKER_STRIP = DOCKER_STRIP DOCKER_LINKMODE = DOCKER_LINKMODE + DOCKER_LDFLAGS = DOCKER_LDFLAGS + DOCKER_BUILDMODE = DOCKER_BUILDMODE + DOCKER_BUILDTAGS = DOCKER_BUILDTAGS + VERSION = VERSION + PLATFORM = PLATFORM + PRODUCT = PRODUCT + DEFAULT_PRODUCT_LICENSE = DEFAULT_PRODUCT_LICENSE + PACKAGER_NAME = PACKAGER_NAME } } @@ -23,22 +81,30 @@ group "default" { targets = ["binary"] } +target "_platforms" { + platforms = [ + "linux/amd64", + "linux/arm/v5", + "linux/arm/v6", + "linux/arm/v7", + "linux/arm64", + "linux/ppc64le", + "linux/s390x", + "windows/amd64", + "windows/arm64" + ] +} + +# +# binaries targets build dockerd, docker-proxy and docker-init +# + target "binary" { inherits = ["_common"] target = "binary" - output = [BUNDLES_OUTPUT] + output = [bindir(DOCKER_LINKMODE == "static" ? "binary" : "dynbinary")] } -target "dynbinary" { - inherits = ["binary"] - target = "dynbinary" -} - -target "cross" { - inherits = ["binary"] - args = { - CROSS = "true" - DOCKER_CROSSPLATFORMS = DOCKER_CROSSPLATFORMS - } - target = "cross" +target "binary-cross" { + inherits = ["binary", "_platforms"] } diff --git a/docs/contributing/set-up-dev-env.md b/docs/contributing/set-up-dev-env.md index d3efcd029fbb2..7d6739f0388c0 100644 --- a/docs/contributing/set-up-dev-env.md +++ b/docs/contributing/set-up-dev-env.md 
@@ -150,10 +150,10 @@ can take over 15 minutes to complete. Removing bundles/ ---> Making bundle: binary (in bundles/binary) - Building: bundles/binary-daemon/dockerd-17.06.0-dev - Created binary: bundles/binary-daemon/dockerd-17.06.0-dev - Copying nested executables into bundles/binary-daemon - + Building static dockerd (linux/amd64)... + Created binary: bundles/binary/dockerd + Building static docker-proxy (linux/amd64)... + Created binary: bundles/binary/docker-proxy ``` 7. Run `make install`, which copies the binary to the container's diff --git a/docs/contributing/test.md b/docs/contributing/test.md index 099b92c7d819e..fe162a9d428e1 100644 --- a/docs/contributing/test.md +++ b/docs/contributing/test.md @@ -123,7 +123,7 @@ Try this now. 4. Run the tests using the `hack/make.sh` script. ```bash - # hack/make.sh dynbinary binary cross test-integration test-docker-py + # hack/make.sh dynbinary binary test-integration test-docker-py ``` The tests run just as they did within your local host. @@ -132,11 +132,11 @@ Try this now. just the integration tests: ```bash - # hack/make.sh dynbinary binary cross test-integration + # hack/make.sh dynbinary binary test-integration ``` Most test targets require that you build these precursor targets first: - `dynbinary binary cross` + `dynbinary binary` ## Run unit tests diff --git a/hack/make.sh b/hack/make.sh index f0b2720439f6f..9588ce965476b 100755 --- a/hack/make.sh +++ b/hack/make.sh 
@@ -36,34 +36,8 @@ DEFAULT_BUNDLES=( dynbinary test-integration test-docker-py - cross ) -VERSION=${VERSION:-dev} -! BUILDTIME=$(date -u -d "@${SOURCE_DATE_EPOCH:-$(date +%s)}" --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/') -if [ "$DOCKER_GITCOMMIT" ]; then - GITCOMMIT="$DOCKER_GITCOMMIT" -elif command -v git &> /dev/null && [ -e .git ] && git rev-parse &> /dev/null; then - GITCOMMIT=$(git rev-parse --short HEAD) - if [ -n "$(git status --porcelain --untracked-files=no)" ]; then - GITCOMMIT="$GITCOMMIT-unsupported" - echo "#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" - echo "# GITCOMMIT = $GITCOMMIT" - echo "# The version you are building is listed as unsupported because" - echo "# there are some files in the git repository that are in an uncommitted state." - echo "# Commit these changes, or add to .gitignore to remove the -unsupported from the version." - echo "# Here is the current list:" - git status --porcelain --untracked-files=no - echo "#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" - fi -else - echo >&2 'error: .git directory missing and DOCKER_GITCOMMIT not specified' - echo >&2 ' Please either build with the .git directory accessible, or specify the' - echo >&2 ' exact (--short) commit hash you are building using DOCKER_GITCOMMIT for' - echo >&2 ' future accountability in diagnosing build issues. Thanks!' - exit 1 -fi - if [ "$AUTO_GOPATH" ]; then rm -rf .gopath mkdir -p .gopath/src/"$(dirname "${DOCKER_PKG}")" 
@@ -83,43 +57,21 @@ add_buildtag() { [[ " $DOCKER_BUILDTAGS" == *" $1_"* ]] || DOCKER_BUILDTAGS+=" $1_$2" } -if ${PKG_CONFIG} 'libsystemd' 2> /dev/null; then - DOCKER_BUILDTAGS+=" journald" +if [ -z "$CGO_ENABLED" ]; then + case "$(go env GOOS)/$(go env GOARCH)" in + darwin/* | windows/amd64 | linux/amd64 | linux/arm64 | linux/arm | linux/s390x | linux/ppc64le | linux/riscv*) + export CGO_ENABLED=1 + ;; + *) + export CGO_ENABLED=0 + ;; + esac fi -# test whether "libdevmapper.h" is new enough to support deferred remove -# functionality. We favour libdm_dlsym_deferred_remove over -# libdm_no_deferred_remove in dynamic cases because the binary could be shipped -# with a newer libdevmapper than the one it was built with. -if - command -v gcc &> /dev/null \ - && ! (echo -e '#include \nint main() { dm_task_deferred_remove(NULL); }' | gcc -xc - -o /dev/null $(pkg-config --libs devmapper) &> /dev/null) \ - ; -then - add_buildtag libdm dlsym_deferred_remove +if [ "$CGO_ENABLED" = "1" ] && [ "$DOCKER_LINKMODE" = "static" ] && [ "$(go env GOOS)" = "linux" ]; then + DOCKER_LDFLAGS+=" -extldflags -static" fi -# Use these flags when compiling the tests and final binary - -IAMSTATIC='true' -if [ -z "$DOCKER_DEBUG" ]; then - LDFLAGS='-w' -fi - -LDFLAGS_STATIC='' -EXTLDFLAGS_STATIC='-static' -# ORIG_BUILDFLAGS is necessary for the cross target which cannot always build -# with options like -race. -ORIG_BUILDFLAGS=(-tags "netgo osusergo static_build $DOCKER_BUILDTAGS" -installsuffix netgo) -# see https://github.com/golang/go/issues/9369#issuecomment-69864440 for why -installsuffix is necessary here - -BUILDFLAGS=(${BUILDFLAGS} "${ORIG_BUILDFLAGS[@]}") - -LDFLAGS_STATIC_DOCKER=" - $LDFLAGS_STATIC - -extldflags \"$EXTLDFLAGS_STATIC\" -" - if [ "$(uname -s)" = 'FreeBSD' ]; then # Tell cgo the compiler is Clang, not GCC # https://code.google.com/p/go/source/browse/src/cmd/cgo/gcc.go?spec=svne77e74371f2340ee08622ce602e9f7b15f29d8d3&r=e6794866ebeba2bf8818b9261b54e2eef1c9e588#752 
@@ -127,9 +79,36 @@ if [ "$(uname -s)" = 'FreeBSD' ]; then # "-extld clang" is a workaround for # https://code.google.com/p/go/issues/detail?id=6845 - LDFLAGS="$LDFLAGS -extld clang" + DOCKER_LDFLAGS+=" -extld clang" fi +if [ "$CGO_ENABLED" = "1" ] && [ "$DOCKER_LINKMODE" = "static" ]; then + DOCKER_BUILDTAGS+=" netgo osusergo static_build" +fi + +if [ "$CGO_ENABLED" = "1" ] && [ "$(go env GOOS)" != "windows" ] && [ "$DOCKER_LINKMODE" != "static" ]; then + # pkcs11 cannot be compiled statically if CGO is enabled (and glibc is used) + DOCKER_BUILDTAGS+=" pkcs11" +fi + +if ${PKG_CONFIG} 'libsystemd' 2> /dev/null; then + DOCKER_BUILDTAGS+=" journald" +fi + +if [ "$DOCKER_LINKMODE" != "static" ]; then + # test whether "libdevmapper.h" is new enough to support deferred remove + # functionality. We favour libdm_dlsym_deferred_remove over + # libdm_no_deferred_remove in dynamic cases because the binary could be shipped + # with a newer libdevmapper than the one it was built with. + if command -v gcc &> /dev/null && ! (echo -e '#include \nint main() { dm_task_deferred_remove(NULL); }' | gcc -xc - -o /dev/null $(${PKG_CONFIG} --libs devmapper 2> /dev/null) &> /dev/null); then + add_buildtag libdm dlsym_deferred_remove + fi +fi + +export DOCKER_LDFLAGS +export DOCKER_BUILDFLAGS=(-tags "${DOCKER_BUILDTAGS}" -installsuffix netgo) +# see https://github.com/golang/go/issues/9369#issuecomment-69864440 for why -installsuffix is necessary here + bundle() { local bundle="$1" shift diff --git a/hack/make/.binary b/hack/make/.binary index 20bedb9a77d3a..4374980fabc4c 100644 --- a/hack/make/.binary +++ b/hack/make/.binary 
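Review bot: `export DOCKER_BUILDFLAGS=(-tags "${DOCKER_BUILDTAGS}" -installsuffix netgo)` overwrites whatever the caller supplied, whereas the removed `BUILDFLAGS=(${BUILDFLAGS} "${ORIG_BUILDFLAGS[@]}")` kept caller flags, and the Makefile in this series now forwards `-e DOCKER_BUILDFLAGS` into the container. As written, a flag such as `-race` passed that way is dropped silently. Keeping the incoming value, e.g. `DOCKER_BUILDFLAGS=(${DOCKER_BUILDFLAGS} -tags "${DOCKER_BUILDTAGS}" -installsuffix netgo)`, restores the old behaviour. `export` also does nothing for a bash array as far as child processes are concerned; the array reaches `hack/make/.binary` only because that file is sourced, which deserves a one-line comment here.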
@@ -1,23 +1,31 @@ #!/usr/bin/env bash -set -e +set -eu -# a helper to provide ".exe" when it's appropriate -binary_extension() { - if [ "$(go env GOOS)" = 'windows' ]; then - echo -n '.exe' - fi -} +: "${OUTPUT=./bundles}" +: "${PACKAGE=./cmd/dockerd}" +: "${TARGETPLATFORM=}" -BINARY_EXTENSION="$(binary_extension)" -BINARY_FULLNAME="$BINARY_NAME$BINARY_EXTENSION" +: "${CGO_ENABLED=}" -source "${MAKEDIR}/.go-autogen" +: "${DOCKER_DEBUG=}" +: "${DOCKER_STRIP=}" +: "${DOCKER_LINKMODE=static}" +: "${DOCKER_LDFLAGS=}" +: "${DOCKER_BUILDMODE=}" +: "${DOCKER_BUILDFLAGS=}" -( - export GOGC=${DOCKER_BUILD_GOGC:-1000} +: "${VERSION=}" +: "${GITCOMMIT=}" +: "${BUILDTIME=}" +: "${PLATFORM=}" +: "${PRODUCT=}" +: "${DEFAULT_PRODUCT_LICENSE=}" +: "${PACKAGER_NAME=}" +# for non-sandboxed invocation +if ! command -v xx-go > /dev/null 2>&1; then + export GO111MODULE=off if [ "$(go env GOOS)/$(go env GOARCH)" != "$(go env GOHOSTOS)/$(go env GOHOSTARCH)" ]; then - # must be cross-compiling! case "$(go env GOOS)/$(go env GOARCH)" in windows/amd64) export CC="${CC:-x86_64-w64-mingw32-gcc}" 
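Review bot: `: "${DOCKER_BUILDFLAGS=}"` defaults the variable to a scalar empty string, but the build command in the next hunk expands it as an array, `"${DOCKER_BUILDFLAGS[@]}"`, which then yields one empty argument in front of `-ldflags`. This only matters when the file is sourced without `hack/make.sh` having set the array, a case the "non-sandboxed invocation" branch suggests is meant to work. Defaulting to an empty array instead, `[ -n "${DOCKER_BUILDFLAGS+x}" ] || DOCKER_BUILDFLAGS=()`, avoids passing the empty word; with `set -u` on older bash the expansion would then need the `${DOCKER_BUILDFLAGS[@]+"${DOCKER_BUILDFLAGS[@]}"}` form.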
@@ -67,30 +75,76 @@ source "${MAKEDIR}/.go-autogen" ;; esac fi +fi - # -buildmode=pie is not supported on Windows and Linux on mips, riscv64 and ppc64be. - # https://github.com/golang/go/blob/77aa209b386a184e7f4b44938f2a05a1b5c5a3cf/src/cmd/internal/sys/supported.go#L89-L99 - case "$(go env GOOS)/$(go env GOARCH)" in - windows/* | linux/mips* | linux/riscv* | linux/ppc64) ;; - # TODO remove windows in Go 1.15+: https://github.com/golang/go/commit/95f382139043059a2a0780ba577b53893408f7e4 - # TODO remove riscv64 in Go 1.16+: https://github.com/golang/go/commit/8eb846fd37eb7bded8a1cf6932be2c59069863e5 +if [ -z "$VERSION" ]; then + VERSION=$(git describe --match 'v[0-9]*' --dirty='.m' --always --tags | sed 's/^v//' 2> /dev/null || echo "unknown-version") +fi +if [ -z "$GITCOMMIT" ]; then + GITCOMMIT=$(git rev-parse --short HEAD 2> /dev/null || true) +fi +if [ -z "$BUILDTIME" ]; then + BUILDTIME=$(date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +"%Y-%m-%dT%H:%M:%SZ") +fi + +BIN_NAME=$(basename "$PACKAGE") +BIN_EXT= +if [ "$(go env GOOS)" = "windows" ]; then + BIN_EXT=.exe +fi +# -buildmode=pie is not supported on Windows and Linux on mips, riscv64 and ppc64be. 
+# https://github.com/golang/go/blob/77aa209b386a184e7f4b44938f2a05a1b5c5a3cf/src/cmd/internal/sys/supported.go#L89-L99 +if [ "$CGO_ENABLED" = "1" ]; then + case "$(go env GOOS)/$(go env GOARCH)" in + windows/* | linux/mips* | linux/riscv* | linux/ppc64) + # TODO remove windows in Go 1.15+: https://github.com/golang/go/commit/95f382139043059a2a0780ba577b53893408f7e4 + # TODO remove riscv64 in Go 1.16+: https://github.com/golang/go/commit/8eb846fd37eb7bded8a1cf6932be2c59069863e5 + ;; *) - BUILDFLAGS+=("-buildmode=pie") + DOCKER_BUILDMODE="-buildmode=pie" ;; esac +fi - echo "Building: $DEST/$BINARY_FULLNAME" - echo "GOOS=\"${GOOS}\" GOARCH=\"${GOARCH}\" GOARM=\"${GOARM}\"" - go build \ - -o "$DEST/$BINARY_FULLNAME" \ - "${BUILDFLAGS[@]}" \ - -ldflags " - $LDFLAGS - $LDFLAGS_STATIC_DOCKER - $DOCKER_LDFLAGS - " \ - ${GO_PACKAGE} -) +DOCKER_LDFLAGS+="\ + -X \"github.com/docker/docker/dockerversion.Version=${VERSION}\" \ + -X \"github.com/docker/docker/dockerversion.GitCommit=${GITCOMMIT}\" \ + -X \"github.com/docker/docker/dockerversion.BuildTime=${BUILDTIME}\" \ + -X \"github.com/docker/docker/dockerversion.PlatformName=${PLATFORM}\" \ + -X \"github.com/docker/docker/dockerversion.ProductName=${PRODUCT}\" \ + -X \"github.com/docker/docker/dockerversion.DefaultProductLicense=${DEFAULT_PRODUCT_LICENSE}\" \ +" -echo "Created binary: $DEST/$BINARY_FULLNAME" +if [ -z "$DOCKER_DEBUG" ]; then + DOCKER_LDFLAGS+=" -w" +fi + +if [ -n "$DOCKER_STRIP" ]; then + DOCKER_LDFLAGS+=" -s" +fi + +# compile the Windows resources into the sources +if [ "$(go env GOOS)" = "windows" ]; then + ( + . 
hack/make/.mkwinres + go generate -v "${PACKAGE}" + ) +fi + +# only necessary for non-sandboxed invocation where TARGETPLATFORM is empty +PLATFORM_NAME=$TARGETPLATFORM +if [ -z "$PLATFORM_NAME" ]; then + PLATFORM_NAME="$(go env GOOS)/$(go env GOARCH)" + if [ -n "$(go env GOARM)" ]; then + PLATFORM_NAME+="/$(go env GOARM)" + elif [ -n "$(go env GOAMD64)" ] && [ "$(go env GOAMD64)" != "v1" ]; then + PLATFORM_NAME+="/$(go env GOAMD64)" + fi +fi + +echo "Building $DOCKER_LINKMODE $BIN_NAME ($PLATFORM_NAME)..." +( + go build -o "${OUTPUT}/${BIN_NAME}${BIN_EXT}" -trimpath ${DOCKER_BUILDMODE} "${DOCKER_BUILDFLAGS[@]}" -ldflags "${DOCKER_LDFLAGS}" "${PACKAGE}" + echo "Created binary: ${OUTPUT}/${BIN_NAME}${BIN_EXT}" +) diff --git a/hack/make/.go-autogen b/hack/make/.go-autogen deleted file mode 100644 index bd6215f6a30e7..0000000000000 --- a/hack/make/.go-autogen +++ /dev/null @@ -1,27 +0,0 @@ -#!/usr/bin/env bash - -source hack/dockerfile/install/runc.installer -source hack/dockerfile/install/tini.installer -source hack/dockerfile/install/containerd.installer - -LDFLAGS="${LDFLAGS} \ - -X \"github.com/docker/docker/dockerversion.Version=${VERSION}\" \ - -X \"github.com/docker/docker/dockerversion.GitCommit=${GITCOMMIT}\" \ - -X \"github.com/docker/docker/dockerversion.BuildTime=${BUILDTIME}\" \ - -X \"github.com/docker/docker/dockerversion.IAmStatic=${IAMSTATIC:-true}\" \ - -X \"github.com/docker/docker/dockerversion.PlatformName=${PLATFORM}\" \ - -X \"github.com/docker/docker/dockerversion.ProductName=${PRODUCT}\" \ - -X \"github.com/docker/docker/dockerversion.DefaultProductLicense=${DEFAULT_PRODUCT_LICENSE}\" \ -" - -# Compile the Windows resources into the sources -if [ "$(go env GOOS)" = "windows" ]; then - if [ ! -x "$(command -v go-winres)" ]; then - >&2 echo "go-winres not found, skipping manifesting binary" - else - ( - . hack/make/.mkwinres - go generate -v "${GO_PACKAGE}" - ) - fi -fi 
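Review bot: In the version block, the `|| echo "unknown-version"` fallback cannot fire: the script sets no `pipefail`, so the pipeline's status is that of `sed`, and `2> /dev/null` is attached to `sed` rather than to `git describe`. When git or `.git` is unavailable, VERSION ends up empty and git's error is still printed. `GITCOMMIT` likewise falls back to an empty string, where the code removed from `hack/make.sh` stopped the build and marked dirty trees `-unsupported`, so a binary can now be stamped with no commit at all. Suggested: `VERSION=$(git describe --match 'v[0-9]*' --dirty='.m' --always --tags 2> /dev/null | sed 's/^v//')` followed by `: "${VERSION:=unknown-version}"`, plus a warning on stderr when GITCOMMIT is empty.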
diff --git a/hack/make/.integration-daemon-start b/hack/make/.integration-daemon-start index 766e09f7fb240..e1f87d06b839f 100644 --- a/hack/make/.integration-daemon-start +++ b/hack/make/.integration-daemon-start @@ -3,7 +3,7 @@ # see test-integration for example usage of this script base="$ABS_DEST/.." -export PATH="$base/dynbinary-daemon:$base/binary-daemon:$PATH" +export PATH="$base/dynbinary:$base/binary:$PATH" export TEST_CLIENT_BINARY=docker diff --git a/hack/make/.integration-test-helpers b/hack/make/.integration-test-helpers index b8b4896ef4823..fc74b2be9a08b 100644 --- a/hack/make/.integration-test-helpers +++ b/hack/make/.integration-test-helpers @@ -10,7 +10,6 @@ if [ -z "${MAKEDIR}" ]; then MAKEDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" export MAKEDIR fi -source "${MAKEDIR}/.go-autogen" # Set defaults : "${TEST_REPEAT:=1}" diff --git a/hack/make/.mkwinres b/hack/make/.mkwinres index 70d66814c2e11..44ce22251b17b 100644 --- a/hack/make/.mkwinres +++ b/hack/make/.mkwinres @@ -9,6 +9,11 @@ quadVersionNum() { fi } +if [ ! -x "$(command -v go-winres)" ]; then + echo >&2 "go-winres not found, skipping manifesting binary" + exit 0 +fi + # Create version quad for Windows of the form major.minor.patch.build VERSION_QUAD=$(printf "%s" "$VERSION" | sed -re 's/^([0-9.]*).*$/\1/' | sed -re 's/\.$//' | sed -re 's/^[0-9]+$/\0\.0/' | sed -re 's/^[0-9]+\.[0-9]+$/\0\.0/' | sed -re 's/^[0-9]+\.[0-9]+\.[0-9]+$/\0\.0/') @@ -16,7 +21,7 @@ VERSION_QUAD=$(printf "%s" "$VERSION" | sed -re 's/^([0-9.]*).*$/\1/' | sed -re # Microsoft Windows Version Information and an icon using go-winres. # https://docs.microsoft.com/en-us/windows/win32/menurc/stringfileinfo-block # https://github.com/tc-hib/go-winres#json-format -cat > "./cli/winresources/${BINARY_NAME}/winres.json" << EOL +cat > "./cli/winresources/${BIN_NAME}/winres.json" << EOL { "RT_GROUP_ICON": { "#1": { 
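Review bot: The new go-winres guard in `hack/make/.mkwinres` uses `exit 0` in a file that is meant to be sourced, so it ends whichever shell sources it; this is only safe because `hack/make/.binary` wraps `. hack/make/.mkwinres` and `go generate` in a subshell. That dependency is not stated anywhere in the hunk. I would add a comment above the guard such as `# exit (not return): callers source this inside ( ... ) so the go generate step is skipped too`.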
@@ -63,7 +68,7 @@ cat > "./cli/winresources/${BINARY_NAME}/winres.json" << EOL "CompanyName": "${PACKAGER_NAME}", "FileVersion": "${VERSION}", "LegalCopyright": "Copyright © 2015-$(date +'%Y') Docker Inc.", - "OriginalFileName": "$(basename "${BINARY_FULLNAME}")", + "OriginalFileName": "${BIN_NAME}${BIN_EXT}", "ProductName": "${PRODUCT}", "ProductVersion": "${VERSION}", "SpecialBuild": "${GITCOMMIT}" @@ -76,10 +81,10 @@ cat > "./cli/winresources/${BINARY_NAME}/winres.json" << EOL EOL ( set -x - cat "./cli/winresources/${BINARY_NAME}/winres.json" + cat "./cli/winresources/${BIN_NAME}/winres.json" ) # Create winresources package stub if removed while using tmpfs in Dockerfile -if [ ! -f "./cli/winresources/${BINARY_NAME}/winresources.go" ]; then - echo "package winresources" > "./cli/winresources/${BINARY_NAME}/winresources.go" +if [ ! -f "./cli/winresources/${BIN_NAME}/winresources.go" ]; then + echo "package winresources" > "./cli/winresources/${BIN_NAME}/winresources.go" fi diff --git a/hack/make/README.md b/hack/make/README.md index 3d069fa16550c..4e3313ed3bf51 100644 --- a/hack/make/README.md +++ b/hack/make/README.md @@ -4,7 +4,7 @@ Each script is named after the bundle it creates. They should not be called directly - instead, pass it as argument to make.sh, for example: ``` -./hack/make.sh binary ubuntu +./hack/make.sh binary # Or to run all default bundles: ./hack/make.sh diff --git a/hack/make/binary b/hack/make/binary index 9e24410adb715..af638bacffc07 100644 --- a/hack/make/binary +++ b/hack/make/binary @@ -1,11 +1,13 @@ #!/usr/bin/env bash set -e -rm -rf "$DEST" - +# # This script exists as backwards compatibility for CI +# + +[ -n "$DEST" ] && rm -rf "$DEST" + ( - DEST="${DEST}-daemon" - ABS_DEST="${ABS_DEST}-daemon" + export KEEPDEST=1 . hack/make/binary-daemon . hack/make/binary-proxy ) diff --git a/hack/make/binary-daemon b/hack/make/binary-daemon index 50ba154f91bb4..b75c2e3b2f4d4 100644 --- a/hack/make/binary-daemon +++ b/hack/make/binary-daemon 
@@ -1,35 +1,13 @@ #!/usr/bin/env bash set -e -copy_binaries() { - local dir="$1" - - # Add nested executables to bundle dir so we have complete set of - # them available, but only if the native OS/ARCH is the same as the - # OS/ARCH of the build target - if [ "$(go env GOOS)/$(go env GOARCH)" != "$(go env GOHOSTOS)/$(go env GOHOSTARCH)" ]; then - return - fi - if [ ! -x /usr/local/bin/runc ]; then - return - fi - echo "Copying nested executables into $dir" - for file in containerd containerd-shim-runc-v2 ctr runc docker-init rootlesskit rootlesskit-docker-proxy dockerd-rootless.sh dockerd-rootless-setuptool.sh; do - cp -f "$(command -v "$file")" "$dir/" - done - - # vpnkit is available for x86_64 and aarch64 - if command -v "vpnkit.$(uname -m)" 2>&1 > /dev/null; then - cp -f "$(command -v "vpnkit.$(uname -m)")" "$dir/vpnkit" - fi -} - [ -z "$KEEPDEST" ] && rm -rf "$DEST" ( - GO_PACKAGE='github.com/docker/docker/cmd/dockerd' - BINARY_NAME='dockerd' - - source "${MAKEDIR}/.binary" - copy_binaries "$DEST" + if [ -n "$DEST" ] && [ -z "$OUTPUT" ]; then + OUTPUT="$(dirname "$DEST")/binary" + export OUTPUT + fi + export PACKAGE=./cmd/dockerd + . hack/make/.binary ) diff --git a/hack/make/binary-proxy b/hack/make/binary-proxy index 011cf9d500419..89af6026bc7bd 100644 --- a/hack/make/binary-proxy +++ b/hack/make/binary-proxy @@ -1,12 +1,14 @@ #!/usr/bin/env bash - set -e +[ -z "$KEEPDEST" ] && rm -rf "$DEST" + ( + if [ -n "$DEST" ] && [ -z "$OUTPUT" ]; then + OUTPUT="$(dirname "$DEST")/binary" + export OUTPUT + fi export CGO_ENABLED=0 - - GO_PACKAGE='github.com/docker/docker/cmd/docker-proxy' - BINARY_NAME='docker-proxy' - - source "${MAKEDIR}/.binary" + export PACKAGE=./cmd/docker-proxy + . hack/make/.binary ) diff --git a/hack/make/containerutility b/hack/make/containerutility deleted file mode 100644 index 8525d971f6053..0000000000000 --- a/hack/make/containerutility +++ /dev/null 
@@ -1,20 +0,0 @@ -#!/usr/bin/env bash -set -e - -: "${CONTAINER_UTILITY_COMMIT:=aa1ba87e99b68e0113bd27ec26c60b88f9d4ccd9}" - -( - git clone https://github.com/docker/windows-container-utility.git "$GOPATH/src/github.com/docker/windows-container-utility" - cd "$GOPATH/src/github.com/docker/windows-container-utility" - git checkout -q "$CONTAINER_UTILITY_COMMIT" - - echo Building: ${DEST}/containerutility.exe - - ( - make - ) - - mkdir -p ${ABS_DEST} - - cp containerutility.exe ${ABS_DEST}/containerutility.exe -) diff --git a/hack/make/cross b/hack/make/cross deleted file mode 100644 index 1e2d5d628d0f9..0000000000000 --- a/hack/make/cross +++ /dev/null @@ -1,37 +0,0 @@ -#!/usr/bin/env bash -set -e - -# if we have our linux/amd64 version compiled, let's symlink it in -if [ -x "${DEST}/../binary-daemon/dockerd" ]; then - arch=$(go env GOHOSTARCH) - mkdir -p "$DEST/linux/${arch}" - ( - cd "${DEST}/linux/${arch}" - ln -sf ../../../binary-daemon/* ./ - ) - echo "Created symlinks:" "${DEST}/linux/${arch}/"* -fi - -DOCKER_CROSSPLATFORMS=${DOCKER_CROSSPLATFORMS:-"linux/amd64 windows/amd64 linux/ppc64le linux/s390x"} - -for platform in ${DOCKER_CROSSPLATFORMS}; do - ( - export KEEPDEST=1 - export DEST="${DEST}/${platform}" # bundles/VERSION/cross/GOOS/GOARCH/docker-VERSION - export GOOS=${platform%%/*} - export GOARCH=${platform#*/} - - if [[ "${GOARCH}" = "arm/"* ]]; then - GOARM=${GOARCH##*/v} - GOARCH=${GOARCH%/v*} - export GOARM - fi - - echo "Cross building: ${DEST}" - mkdir -p "${DEST}" - ABS_DEST="$(cd "${DEST}" && pwd -P)" - source "${MAKEDIR}/binary" - - source "${MAKEDIR}/cross-platform-dependent" - ) -done diff --git a/hack/make/cross-platform-dependent b/hack/make/cross-platform-dependent deleted file mode 100644 index 21824ed7c96e4..0000000000000 --- a/hack/make/cross-platform-dependent +++ /dev/null @@ -1,6 +0,0 @@ -#!/usr/bin/env bash -set -e - -if [ ${platform} == "windows/amd64" ]; then - source "${MAKEDIR}/containerutility" -fi 
diff --git a/hack/make/dynbinary b/hack/make/dynbinary index 08ce8b5725e99..02e2af949d785 100644 --- a/hack/make/dynbinary +++ b/hack/make/dynbinary @@ -1,11 +1,13 @@ #!/usr/bin/env bash set -e -rm -rf "$DEST" - +# # This script exists as backwards compatibility for CI +# + +[ -n "$DEST" ] && rm -rf "$DEST" + ( - DEST="${DEST}-daemon" - ABS_DEST="${ABS_DEST}-daemon" + export KEEPDEST=1 . hack/make/dynbinary-daemon . hack/make/dynbinary-proxy ) diff --git a/hack/make/dynbinary-daemon b/hack/make/dynbinary-daemon index 7d659695d4bed..ab33b0089c317 100644 --- a/hack/make/dynbinary-daemon +++ b/hack/make/dynbinary-daemon @@ -4,13 +4,11 @@ set -e [ -z "$KEEPDEST" ] && rm -rf "$DEST" ( - export IAMSTATIC='false' - export LDFLAGS_STATIC_DOCKER='' - export BUILDFLAGS=("${BUILDFLAGS[@]/netgo /}") # disable netgo, since we don't need it for a dynamic binary - export BUILDFLAGS=("${BUILDFLAGS[@]/osusergo /}") # ditto for osusergo - export BUILDFLAGS=("${BUILDFLAGS[@]/static_build /}") # we're not building a "static" binary here - - GO_PACKAGE='github.com/docker/docker/cmd/dockerd' - BINARY_NAME='dockerd' - source "${MAKEDIR}/.binary" + if [ -n "$DEST" ] && [ -z "$OUTPUT" ]; then + OUTPUT="$(dirname "$DEST")/dynbinary" + export OUTPUT + fi + export DOCKER_LINKMODE="dynamic" + export PACKAGE=./cmd/dockerd + . hack/make/.binary ) diff --git a/hack/make/dynbinary-proxy b/hack/make/dynbinary-proxy index ff408b299ebd3..3d4af85a2181e 100644 --- a/hack/make/dynbinary-proxy +++ b/hack/make/dynbinary-proxy 
@@ -1,15 +1,14 @@ #!/usr/bin/env bash - set -e -( - export IAMSTATIC='false' - export LDFLAGS_STATIC_DOCKER='' - export BUILDFLAGS=("${BUILDFLAGS[@]/netgo /}") # disable netgo, since we don't need it for a dynamic binary - export BUILDFLAGS=("${BUILDFLAGS[@]/osusergo /}") # ditto for osusergo - export BUILDFLAGS=("${BUILDFLAGS[@]/static_build /}") # we're not building a "static" binary here +[ -z "$KEEPDEST" ] && rm -rf "$DEST" - GO_PACKAGE='github.com/docker/docker/cmd/docker-proxy' - BINARY_NAME='docker-proxy' - source "${MAKEDIR}/.binary" +( + if [ -n "$DEST" ] && [ -z "$OUTPUT" ]; then + OUTPUT="$(dirname "$DEST")/dynbinary" + export OUTPUT + fi + export DOCKER_LINKMODE="dynamic" + export PACKAGE=./cmd/docker-proxy + . hack/make/.binary ) diff --git a/hack/make/install-binary b/hack/make/install-binary index 96e7cc0a39cee..0efbd615a6c40 100644 --- a/hack/make/install-binary +++ b/hack/make/install-binary @@ -6,7 +6,7 @@ rm -rf "$DEST" source "${MAKEDIR}/.install" ( - DEST="$(dirname $DEST)/binary-daemon" + DEST="$(dirname $DEST)/binary" install_binary "${DEST}/dockerd" install_binary "${DEST}/runc" install_binary "${DEST}/containerd" diff --git a/hack/make/install-proxy b/hack/make/install-proxy index 04ea1bf88efdc..bfb36d78ec424 100644 --- a/hack/make/install-proxy +++ b/hack/make/install-proxy @@ -6,6 +6,6 @@ rm -rf "$DEST" source "${MAKEDIR}/.install" ( - DEST="$(dirname $DEST)/binary-proxy" + DEST="$(dirname $DEST)/binary" install_binary "${DEST}/docker-proxy" ) From 0bf53ffeeaa5809b138a0f5be35272d3abcf8023 Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Sat, 20 Aug 2022 13:02:01 +0200 Subject: [PATCH 20/26] Dockerfile: add "all" stage to build binaries and extra tools Signed-off-by: CrazyMax --- .github/workflows/ci.yml | 2 +- Dockerfile | 11 +++++++++++ docker-bake.hcl | 14 ++++++++++++++ 3 files changed, 26 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d5655584a4542..9d85df8c78da2 100644 
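Review bot: The added `[ -z "$KEEPDEST" ] && rm -rf "$DEST"` in hack/make/dynbinary-proxy runs the recursive delete without checking that `DEST` is set. The subshell right below it treats an empty `DEST` as a valid case, and hack/make/dynbinary in this same commit guards its delete with `[ -n "$DEST" ]`. Using `[ -z "$KEEPDEST" ] && [ -n "$DEST" ] && rm -rf "$DEST"` keeps the scripts consistent; hack/make/dynbinary-daemon carries the same unguarded line as unchanged context.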
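Review bot: The changed assignment in hack/make/install-binary still passes `$DEST` to `dirname` unquoted, so a bundle path containing spaces or glob characters is word-split before `dirname` sees it. `DEST="$(dirname "$DEST")/binary"` matches the quoting this commit uses for `OUTPUT` in dynbinary-daemon, and the one-line hunk in hack/make/install-proxy needs the same change. The subshell in install-binary continues past the end of its hunk.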
--- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -116,7 +116,7 @@ jobs: name: Build uses: docker/bake-action@v1 with: - targets: binary + targets: all set: | *.platform=${{ matrix.platform }} *.cache-from=type=gha,scope=cross-${{ env.PLATFORM_PAIR }} diff --git a/Dockerfile b/Dockerfile index a2d084d1cb785..30ab0dc49dee3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -726,6 +726,17 @@ FROM scratch AS binary COPY --link --from=tini /out/ / COPY --link --from=build /out / +# usage: +# > docker buildx bake all +FROM scratch AS all +COPY --link --from=tini /out/ / +COPY --link --from=runc /out/ / +COPY --link --from=containerd /out/ / +COPY --link --from=rootlesskit /out/ / +COPY --link --from=containerutility /out/ / +COPY --link --from=vpnkit / / +COPY --link --from=build /out / + # usage: # > make shell FROM dev-base AS dev diff --git a/docker-bake.hcl b/docker-bake.hcl index 0e6879fc4337a..57cc34aac97c7 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -108,3 +108,17 @@ target "binary" { target "binary-cross" { inherits = ["binary", "_platforms"] } + +# +# all targets build binaries and extra tools as well (containerd, runc, ...) +# + +target "all" { + inherits = ["_common"] + target = "all" + output = [bindir("all")] +} + +target "all-cross" { + inherits = ["all", "_platforms"] +} From 454233abcbc76eba5a82ae0569809f7aeca40988 Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Sat, 20 Aug 2022 13:10:00 +0200 Subject: [PATCH 21/26] ci: add job to test building dev image Signed-off-by: CrazyMax --- .github/workflows/ci.yml | 31 +++++++++++++++++++++++++++++++ docker-bake.hcl | 18 ++++++++++++++++++ 2 files changed, 49 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9d85df8c78da2..a034cc030ef6a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -206,3 +206,34 @@ jobs: TESTFLAGS: "-v --parallel=1 --timeout=30m --run=//worker=dockerd$" SKIP_INTEGRATION_TESTS: "${{ matrix.skip-integration-tests }}" working-directory: buildkit + + dev: + runs-on: ubuntu-20.04 + strategy: + fail-fast: false + matrix: + mode: + - "" + - systemd + steps: + - name: Prepare + run: | + if [ "${{ matrix.mode }}" = "systemd" ]; then + echo "SYSTEMD=true" >> $GITHUB_ENV + fi + - + name: Checkout + uses: actions/checkout@v3 + - + name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + - + name: Build dev image + uses: docker/bake-action@v2 + with: + targets: dev + set: | + *.cache-from=type=gha,scope=cross-linux-amd64 + *.cache-from=type=gha,scope=dev${{ matrix.mode }} + *.cache-to=type=gha,scope=dev${{ matrix.mode }},mode=max + *.output=type=cacheonly diff --git a/docker-bake.hcl b/docker-bake.hcl index 57cc34aac97c7..ed09de57ec163 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -122,3 +122,21 @@ target "all" { target "all-cross" { inherits = ["all", "_platforms"] } + +# +# dev +# + +variable "SYSTEMD" { + default = "false" +} + +target "dev" { + inherits = ["_common"] + target = "dev" + args = { + SYSTEMD = SYSTEMD + } + tags = ["docker-dev"] + output = ["type=docker"] +} From 7517f977a7922efdf3feeffe339daf2d4b9dc56b Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Sat, 20 Aug 2022 13:10:54 +0200 Subject: [PATCH 22/26] Jenkinsfile: remove cross stage (moved to gha) Signed-off-by: CrazyMax --- Jenkinsfile | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 0d6b04e7f1f33..aefdd899ed051 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
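Review bot: The three `uses:` lines of the new `dev` job reference actions by mutable tag (`actions/checkout@v3`, `docker/setup-buildx-action@v2`, `docker/bake-action@v2`), so whatever the tag points to at run time executes in the job and can write to the shared GitHub Actions cache. Pinning each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: docker/bake-action@<full-commit-sha> # v2`, makes the executed code reviewable. The same applies to the test.yml and simple.yml workflows added later in this series. The rest of ci.yml is outside the hunk, so the file may already follow a tag-based convention that would have to change with it.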
@@ -161,19 +161,6 @@ pipeline { ''' } } - stage("Cross") { - steps { - sh ''' - docker run --rm -t --privileged \ - -v "$WORKSPACE/bundles:/go/src/github.com/docker/docker/bundles" \ - --name docker-pr$BUILD_NUMBER \ - -e DOCKER_GITCOMMIT=${GIT_COMMIT} \ - -e DOCKER_GRAPHDRIVER \ - docker:${GIT_COMMIT} \ - hack/make.sh cross - ''' - } - } // needs to be last stage that calls make.sh for the junit report to work stage("Unit tests") { steps { From 55ef5eca229277deea198aaf6c9e39a16f4dd135 Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Sat, 20 Aug 2022 13:20:01 +0200 Subject: [PATCH 23/26] Dockerfile: smoke test stage and gha workflow Signed-off-by: CrazyMax --- .github/workflows/test.yml | 69 ++++++++++++++++++++++++++++++++++++++ Dockerfile | 20 +++++++++++ docker-bake.hcl | 12 +++++++ 3 files changed, 101 insertions(+) create mode 100644 .github/workflows/test.yml diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 0000000000000..f534d9850e391 --- /dev/null +++ b/.github/workflows/test.yml 
@@ -0,0 +1,69 @@ +name: test + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +on: + workflow_dispatch: + push: + branches: + - 'master' + - '[0-9]+.[0-9]{2}' + tags: + - 'v*' + pull_request: + +jobs: + prepare: + runs-on: ubuntu-20.04 + outputs: + matrix: ${{ steps.platforms.outputs.matrix }} + steps: + - + name: Checkout + uses: actions/checkout@v3 + - + name: Create matrix + id: platforms + run: | + echo ::set-output name=matrix::$(docker buildx bake binary-smoketest --print | jq -cr '.target."binary-smoketest".platforms') + - + name: Show matrix + run: | + echo ${{ steps.platforms.outputs.matrix }} + + smoke: + runs-on: ubuntu-20.04 + needs: + - prepare + strategy: + fail-fast: false + matrix: + platform: ${{ fromJson(needs.prepare.outputs.matrix) }} + steps: + - + name: Checkout + uses: actions/checkout@v3 + - + name: Prepare + run: | + platform=${{ matrix.platform }} + echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV + - + name: Set up QEMU + uses: docker/setup-qemu-action@v2 + - + name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + - + name: Test + uses: docker/bake-action@v2 + with: + targets: binary-smoketest + set: | + *.platform=${{ matrix.platform }} + *.cache-from=type=gha,scope=binary-smoketest-${{ env.PLATFORM_PAIR }} + *.cache-to=type=gha,scope=binary-smoketest-${{ env.PLATFORM_PAIR }} + env: + DOCKER_LINKMODE: static diff --git a/Dockerfile b/Dockerfile index 30ab0dc49dee3..94a1b36963801 100644 --- a/Dockerfile +++ b/Dockerfile @@ -737,6 +737,26 @@ COPY --link --from=containerutility /out/ / COPY --link --from=vpnkit / / COPY --link --from=build /out / +# smoke tests +# usage: +# > docker builx bake binary-smoketest +FROM --platform=$TARGETPLATFORM base AS smoketest +WORKDIR /usr/local/bin +COPY --link --from=runc /out/ . +COPY --link --from=containerd /out/ . +COPY --link --from=rootlesskit /out/ . +COPY --link --from=build /out/ . +RUN < make shell FROM dev-base AS dev 
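Review bot: The new workflow in .github/workflows/test.yml declares no `permissions:` key, so its jobs run with the repository's default `GITHUB_TOKEN` scope although they only check out and build. A top-level `permissions:` block with `contents: read` limits the token to what the steps need; simple.yml, added in the following commit, has the same gap. Separately, the `Show matrix` and `Prepare` steps paste `${{ ... }}` expressions straight into the shell script. Passing them through `env:` and quoting the variable (`echo "$MATRIX"`) keeps the values out of the script text.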
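Review bot: The usage comment above the new `smoketest` stage misspells the command as `docker builx bake binary-smoketest`, which does not run if copied as written. It should read `# > docker buildx bake binary-smoketest`. The body of the stage's `RUN` instruction is not legible in this view, so it is not reviewed here.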
diff --git a/docker-bake.hcl b/docker-bake.hcl index ed09de57ec163..9fee11a536d3a 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -109,6 +109,18 @@ target "binary-cross" { inherits = ["binary", "_platforms"] } +target "binary-smoketest" { + inherits = ["_common"] + target = "smoketest" + output = ["type=cacheonly"] + platforms = [ + "linux/amd64", + "linux/arm64", + "linux/ppc64le", + "linux/s390x" + ] +} + # # all targets build binaries and extra tools as well (containerd, runc, ...) # From f87e91b422b009e445e2b2f1846d05e4aa297c73 Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Sat, 20 Aug 2022 13:23:56 +0200 Subject: [PATCH 24/26] Dockerfile: refactor Dockerfile.simple and create gha workflow Signed-off-by: CrazyMax --- .github/workflows/simple.yml | 33 ++++++++++++++++++++++++++++++ Dockerfile.simple | 22 ++++++++++---------- docker-bake.hcl | 39 ++++++++++++++++++++++++++++++++++++ 3 files changed, 83 insertions(+), 11 deletions(-) create mode 100644 .github/workflows/simple.yml diff --git a/.github/workflows/simple.yml b/.github/workflows/simple.yml new file mode 100644 index 0000000000000..8372e71b4bc98 --- /dev/null +++ b/.github/workflows/simple.yml @@ -0,0 +1,33 @@ +name: simple + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +on: + workflow_dispatch: + push: + branches: + - 'master' + - '[0-9]+.[0-9]{2}' + pull_request: + +jobs: + build: + runs-on: ubuntu-20.04 + steps: + - + name: Checkout + uses: actions/checkout@v3 + - + name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + - + name: Build simple image + uses: docker/bake-action@v2 + with: + targets: simple + - + name: Build dynbinary + run: | + docker run --rm docker:simple hack/make.sh dynbinary diff --git a/Dockerfile.simple b/Dockerfile.simple index 29397631ef389..4ede7fd5098c5 100644 --- a/Dockerfile.simple +++ b/Dockerfile.simple 
@@ -1,4 +1,4 @@ -# docker build -t docker:simple -f Dockerfile.simple . +# docker build bake simple # docker run --rm docker:simple hack/make.sh dynbinary # docker run --rm --privileged docker:simple hack/dind hack/make.sh test-unit # docker run --rm --privileged -v /var/lib/docker docker:simple hack/dind hack/make.sh dynbinary test-integration @@ -42,14 +42,14 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ vim-common \ && rm -rf /var/lib/apt/lists/* -# Install runc, containerd, tini and docker-proxy -# Please edit hack/dockerfile/install/.installer to update them. -COPY hack/dockerfile/install hack/dockerfile/install -RUN for i in runc containerd tini proxy dockercli; \ - do hack/dockerfile/install/install.sh $i; \ - done -ENV PATH=/usr/local/cli:$PATH +# install dependencies as linked context from main Dockerfile to avoid +# deduplication. see docker-bake.hcl for more info +COPY --link --from=tini /out/ /usr/local/bin/ +COPY --link --from=runc /out/ /usr/local/bin/ +COPY --link --from=containerd /out/ /usr/local/bin/ +COPY --link --from=rootlesskit /out/ /usr/local/bin/ +COPY --link --from=dockercli /out/ /usr/local/cli/ -ENV AUTO_GOPATH 1 -WORKDIR /usr/src/docker -COPY . /usr/src/docker +ENV PATH=/usr/local/cli:$PATH +WORKDIR /go/src/github.com/docker/docker +COPY . . diff --git a/docker-bake.hcl b/docker-bake.hcl index 9fee11a536d3a..ed6aa91d2f6c7 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl 
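Review bot: The rewritten header comment of Dockerfile.simple gives `# docker build bake simple`, which is not the bake invocation; the other files in this series use `docker buildx bake <target>`. It should read `# docker buildx bake simple`, since the `docker run` lines below it depend on the `docker:simple` tag that the bake target sets.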
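Review bot: The added `COPY --link --from=` lines for `tini`, `runc`, `containerd`, `rootlesskit` and `dockercli` rely on named contexts that only docker-bake.hcl supplies; no stages with these names are visible in this hunk, and if the file defines none, a plain `docker build -f Dockerfile.simple .` would treat each name as an image reference and try to pull it from the default registry. The comment above them should say so explicitly, e.g. `# tini, runc, containerd, rootlesskit and dockercli are named contexts from docker-bake.hcl; build only with "docker buildx bake simple"`. The same comment says "to avoid deduplication", which presumably means "duplication". The enclosing `RUN apt-get` instruction starts outside the hunk.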
@@ -152,3 +152,42 @@ target "dev" { tags = ["docker-dev"] output = ["type=docker"] } + +# +# simple +# + +target "simple" { + inherits = ["_common"] + dockerfile = "Dockerfile.simple" + tags = ["docker:simple"] + output = ["type=docker"] + contexts = { + tini = "target:_tini" + runc = "target:_runc" + containerd = "target:_containerd" + rootlesskit = "target:_rootlesskit" + dockercli = "target:_dockercli" + } +} + +target "_tini" { + inherits = ["_common"] + target = "tini" +} +target "_runc" { + inherits = ["_common"] + target = "runc" +} +target "_containerd" { + inherits = ["_common"] + target = "containerd" +} +target "_rootlesskit" { + inherits = ["_common"] + target = "rootlesskit" +} +target "_dockercli" { + inherits = ["_common"] + target = "dockercli" +} From c9c4bf7322f0ef3a658a2c1d98cb22833143156d Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Sat, 20 Aug 2022 13:35:46 +0200 Subject: [PATCH 25/26] riscv64 support needs to update supported platforms for pie buildmode and adds smoke test Signed-off-by: CrazyMax --- docker-bake.hcl | 2 ++ hack/make/.binary | 9 +++------ 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/docker-bake.hcl b/docker-bake.hcl index ed6aa91d2f6c7..c2a17d8dcb656 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -89,6 +89,7 @@ target "_platforms" { "linux/arm/v7", "linux/arm64", "linux/ppc64le", + "linux/riscv64", "linux/s390x", "windows/amd64", "windows/arm64" @@ -117,6 +118,7 @@ target "binary-smoketest" { "linux/amd64", "linux/arm64", "linux/ppc64le", + "linux/riscv64", "linux/s390x" ] } diff --git a/hack/make/.binary b/hack/make/.binary index 4374980fabc4c..51c0a60e15168 100644 --- a/hack/make/.binary +++ b/hack/make/.binary 
@@ -93,14 +93,11 @@ if [ "$(go env GOOS)" = "windows" ]; then BIN_EXT=.exe fi -# -buildmode=pie is not supported on Windows and Linux on mips, riscv64 and ppc64be. -# https://github.com/golang/go/blob/77aa209b386a184e7f4b44938f2a05a1b5c5a3cf/src/cmd/internal/sys/supported.go#L89-L99 +# -buildmode=pie is not supported on Windows arm64 and Linux mips*, ppc64be +# https://github.com/golang/go/blob/4aa1efed4853ea067d665a952eee77c52faac774/src/cmd/internal/sys/supported.go#L125-L131 if [ "$CGO_ENABLED" = "1" ]; then case "$(go env GOOS)/$(go env GOARCH)" in - windows/* | linux/mips* | linux/riscv* | linux/ppc64) - # TODO remove windows in Go 1.15+: https://github.com/golang/go/commit/95f382139043059a2a0780ba577b53893408f7e4 - # TODO remove riscv64 in Go 1.16+: https://github.com/golang/go/commit/8eb846fd37eb7bded8a1cf6932be2c59069863e5 - ;; + windows/arm64 | linux/mips* | linux/ppc64) ;; *) DOCKER_BUILDMODE="-buildmode=pie" ;; From 01ca536875466f5e694283d84e4e9c4fb3f5298d Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Sat, 20 Aug 2022 13:58:04 +0200 Subject: [PATCH 26/26] docs: contributing docs update for cross comp Signed-off-by: CrazyMax --- docs/contributing/README.md | 1 + docs/contributing/ctn-build.md | 35 ++++++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+) create mode 100644 docs/contributing/ctn-build.md diff --git a/docs/contributing/README.md b/docs/contributing/README.md index d419e52c14cd6..fb2e7980614b5 100644 --- a/docs/contributing/README.md +++ b/docs/contributing/README.md @@ -6,5 +6,6 @@ * (Optional) [Configure project for IDE](set-up-ide.md) * [Configure Git for contributing](set-up-git.md) * [Work with a development container](set-up-dev-env.md) + * [Containerized build and cross compilation](ctn-build.md) * [Run tests and test documentation](test.md) * [Debugging the daemon](debug.md) diff --git a/docs/contributing/ctn-build.md b/docs/contributing/ctn-build.md new file mode 100644 index 0000000000000..0f628bb843655 --- /dev/null 
+++ b/docs/contributing/ctn-build.md @@ -0,0 +1,35 @@ +The `Dockerfile` supports building and cross compiling docker daemon and extra +tools using [Docker Buildx](https://github.com/docker/buildx) and [BuildKit](https://github.com/moby/buildkit). +A [bake definition](https://github.com/docker/buildx/blob/master/docs/reference/buildx_bake.md) +named `docker-bake.hcl` is in place to ease the build process: + +```shell +# build binaries for the current host platform +# output to ./bundles/binary by default +docker buildx bake + +# build binaries for the current host platform +# output to ./bin +DESTDIR=./bin docker buildx bake + +# build dynamically linked binaries +# output to ./bundles/dynbinary by default +DOCKER_LINKMODE=dynamic docker buildx bake + +# build binaries for all supported platforms +docker buildx bake binary-cross + +# build binaries for a specific platform +docker buildx bake --set *.platform=linux/arm64 + +# build all for the current host platform (binaries + containerd, runc, tini, ...) +# output to ./bundles/all by default +docker buildx bake all + +# build all for the current host platform +# output to ./bin +DESTDIR=./bin docker buildx bake all + +# build all for all supported platforms +docker buildx bake all-cross +```