# Copyright 2016 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# HOW TO USE THIS CONTAINER:
#
# For most users, the simplest way to use this container is to mount a volume
# on /tmp/git. The only commandline argument (or env var) that is really
# required is `--repo` ($GIT_SYNC_REPO). Everything else is optional (run this
# with `--man` for details).
#
# This container will run as UID:GID 65533:65533 by default, and unless you
# change that, you do not need to think about permissions much. If you run
# into permissions problems, this might help:
#
# - User does not mount a volume
# => should work, but limited utility
#
# - User mounts a new docker volume on /tmp/git
# => should work
#
# - User mounts an existing docker volume on /tmp/git
# => if the volume already exists with compatible permissions it should work
# => if the volume already exists with different permissions you can either
# set the container UID or GID(s) or you can chown the volume
#
# - User mounts an existing dir on /tmp/git
# => set container UID or GID(s) to be able to access that dir
#
# - User sets a different UID and git-sync GID
# => should work
#
# - User sets a different GID
# => either add the git-sync GID or else set --root, mount a volume,
# and manage volume permissions to access that volume
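# Build-time knobs. Both may be left unset: the builder falls back to the
# upstream golang image and the runtime stages fall back to the pinned UBI tag.
# BASE_IMAGE was previously declared but never referenced, so rebuilding on a
# newer UBI meant editing two FROM lines; both runtime stages now honour it.
ARG BUILDER_IMAGE
ARG BASE_IMAGE=registry.access.redhat.com/ubi8/ubi:8.6-754

#############################################################################
# Build the git-sync binary.
#############################################################################
# BUILDPLATFORM is filled in by BuildKit, so the compiler always runs natively
# and cross-compiles for TARGETOS/TARGETARCH. (This line already requires
# BuildKit; the classic builder does not support FROM --platform.)
FROM --platform=${BUILDPLATFORM} ${BUILDER_IMAGE:-golang:1.17.7} as builder

# ARG_OS / ARG_ARCH are not used by this build; they are kept only so callers
# still passing `--build-arg ARG_OS=... ARG_ARCH=...` keep working.
ARG ARG_OS=linux
ARG ARG_ARCH=amd64
# Name of the produced binary. NOTE: must be redeclared in any later stage
# that uses it, and ENTRYPOINT below cannot expand it (exec form).
ARG ARG_BIN=git-sync
# Redeclared without defaults so the platform values BuildKit sets for the
# requested --platform are used rather than a hard-coded linux/amd64.
ARG TARGETOS
ARG TARGETARCH
# Stamped into pkg/version.VERSION via -ldflags. This was referenced below
# without ever being declared, so the embedded version string was empty
# unless the builder image happened to export VERSION; pass it with
# --build-arg VERSION=<tag>.
ARG VERSION

WORKDIR /workspace

# Module manifests first so the download layer survives source changes.
COPY go.mod go.mod
COPY go.sum go.sum
# With vendor/ copied below and -mod=vendor, the build itself never reads the
# module cache; this step is kept because it verifies go.sum against the proxy
# and warms the cache for anyone building without vendoring.
RUN go mod download

# Source last: it changes most often.
COPY pkg/ pkg/
COPY cmd/ cmd/
COPY vendor/ vendor/

# Some builder images (e.g. Red Hat's go-toolset) run as an unprivileged user;
# build as root so /out is always writable. This stage is discarded, so this
# does not affect the runtime image.
USER root

# Static, cross-compiled build written to a fixed location. Previously the
# prep stage copied from /opt/app-root/src/go/bin/, which is only the GOPATH of
# the Red Hat go-toolset image (the default golang image uses /go), and
# `go install` also nests cross-compiled output under $GOPATH/bin/$GOOS_$GOARCH.
# `go build -o <dir>/` writes every main package under ./... into /out/, so the
# result lands at /out/git-sync regardless of which builder image is used.
RUN CGO_ENABLED=0 \
    GOOS=${TARGETOS} \
    GOARCH=${TARGETARCH} \
    GOFLAGS="-mod=vendor" \
    go build -v -a \
    -ldflags "-X $(go list -m)/pkg/version.VERSION=${VERSION}" \
    -o /out/ \
    ./...

#############################################################################
# Prepare the runtime filesystem. Everything done in this stage is copied
# verbatim into the final image, so file modes and leftovers set here ship.
#############################################################################
FROM ${BASE_IMAGE} as prep

# Pass a unique value (e.g. `date +%s`) to invalidate the cache from here on.
ARG FORCE_REBUILD=0

# Runtime dependencies: git and ssh are what git-sync shells out to, and the
# CA bundle is needed for HTTPS remotes. socat is retained from the original
# package set; drop it if nothing in your deployment relies on it (fewer
# binaries, smaller CVE surface). Package metadata is cleaned in the same
# layer because the final stage copies / wholesale.
RUN yum install -y ca-certificates socat openssh-clients git \
    && yum clean all \
    && rm -rf /var/cache/yum /var/cache/dnf

# Default runtime identity: a fixed unprivileged UID/GID, so Kubernetes
# runAsNonRoot can validate it numerically and volume ownership is predictable.
RUN echo "git-sync:x:65533:65533::/tmp:/sbin/nologin" >> /etc/passwd
# Matching group entry, for completeness and so the GID resolves to a name.
RUN echo "git-sync:x:65533:git-sync" >> /etc/group

# git-sync's --add-user appends a passwd entry for whatever UID the pod runs
# as (ssh in particular refuses to run for a UID with no passwd entry). That
# requires a writable /etc/passwd, hence the world-writable mode.
# SECURITY NOTE: with this mode any code running in the container can rewrite
# account entries, and image scanners will flag it (CIS-style finding). If you
# do not use --add-user, run the pod with readOnlyRootFilesystem: true, which
# makes the write bit moot. If you do use it, audit the image for setuid
# helpers (e.g. su) that would honour a forged UID-0 entry, and keep the
# container's capabilities dropped.
RUN chmod 0666 /etc/passwd

# Default sync root. 02775 (setgid + group-write) lets a different UID that
# keeps the git-sync GID write here; --root / $GIT_SYNC_ROOT overrides it, at
# which point the caller owns the permissions story.
RUN mkdir -m 02775 /tmp/git && chown 65533:65533 /tmp/git

# Pass a hash of the licenses tree to force a rebuild from here.
ARG HASH_LICENSES=0
# Third-party licenses (disabled in this fork; re-enable once .licenses/ is
# produced as part of the build).
#COPY .licenses/ /LICENSES/

# Pass a hash of the binary to force a rebuild from here.
ARG HASH_BINARY=0
# ARG_BIN must be redeclared per stage. Previously the destination was the
# literal path "/{ARG_BIN}" because the `$` was missing; it only worked because
# ENTRYPOINT repeated the same literal. The binary is taken from the fixed
# /out/ path the builder writes to, and is root-owned so the runtime UID
# cannot overwrite its own entrypoint.
ARG ARG_BIN=git-sync
COPY --from=builder --chown=0:0 /out/${ARG_BIN} /${ARG_BIN}

#############################################################################
# Flatten the prepared filesystem into a single layer on the same base.
#############################################################################
FROM ${BASE_IMAGE}
COPY --from=prep / /

# Never run as root; 65533 matches the passwd/group entries added in prep, and
# the numeric form lets runAsNonRoot be verified without a name lookup.
USER 65533:65533

# HOME is where git and ssh look for ~/.gitconfig and ~/.ssh; /tmp is writable
# by any UID the pod ends up running as.
ENV HOME=/tmp
WORKDIR /tmp

# Default sync root; matches the directory prepared above.
ENV GIT_SYNC_ROOT=/tmp/git

# Exec form so git-sync is PID 1 and receives SIGTERM directly. Exec form does
# no variable expansion, so the binary name is spelled out here; keep it in
# step with ARG_BIN's default.
ENTRYPOINT ["/git-sync"]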