#
# Sysbox Test Container Dockerfile (Debian-Bullseye image)
#
# This Dockerfile creates the sysbox test container image. The image
# contains all dependencies needed to build, run, and test sysbox.
#
# The image does not contain sysbox itself; the sysbox repo
# must be bind mounted into the container started from this image. Sysbox
# can then be built, installed, and executed within that container.
#
# The image must be run as a privileged container (i.e., docker run --privileged ...).
# --privileged grants the container every capability and unconfined access to
# host devices, so the host running the tests is fully exposed to whatever the
# tests (and the bind-mounted repo) execute: use a disposable test host.
# Refer to the sysbox Makefile test targets.
#
# This Dockerfile is based on a similar Dockerfile in the OCI runc
# github repo, but adapted to sysbox testing.
#
# Instructions:
#
# docker build -t sysbox-test .
#
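FROM debian:bullseye
# NOTE(review): the base image is pinned by tag only; for a reproducible test
# image pin it by digest as well (FROM debian:bullseye@sha256:<digest>) and
# bump the digest deliberately.

# Architecture the image is built on (sys_arch) and the architecture sysbox is
# cross-compiled for (target_arch). Both are supplied with --build-arg; there
# is no default, and several download URLs below are built from sys_arch, so
# an unset value yields broken URLs rather than a sensible fallback.
ARG sys_arch
ARG target_arch
ENV SYS_ARCH=${sys_arch} \
    TARGET_ARCH=${target_arch}

# Kept as ENV rather than a build-only ARG on purpose: it presumably also
# covers apt-get invocations the test scripts run inside the container at
# runtime -- TODO confirm before demoting it to an ARG.
ENV DEBIAN_FRONTEND=noninteractive

# Kubernetes release used by the k8s-in-docker tests; the kubectl installed
# further down must match it.
ARG k8s_version=v1.28.2

# CRI-O & crictl versions for testing sysbox pods. CRI-O >= 1.20 is required
# because that release introduced rootless pod support (via the Linux
# user-ns); the version actually installed is pinned here and should track
# k8s_version.
ARG crio_version=1.28
ARG crio_os=Debian_11
ARG crictl_version=v1.28.0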
# Base toolchain, cross compilers for every architecture sysbox is built for,
# the C libraries sysbox links against, and the CLI tools the test scripts use.
# Packages are grouped by purpose and sorted inside each group; the apt cache
# is dropped in the same layer so it never lands in the image.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        # build system + cross toolchains (amd64, arm64, armel, armhf)
        autoconf \
        automake \
        build-essential \
        gcc-aarch64-linux-gnu \
        gcc-arm-linux-gnueabi \
        gcc-arm-linux-gnueabihf \
        gcc-x86-64-linux-gnu \
        libc6-dev-amd64-cross \
        libc6-dev-arm64-cross \
        libc6-dev-armel-cross \
        libc6-dev-armhf-cross \
        libtool \
        linux-libc-dev-amd64-cross \
        linux-libc-dev-arm64-cross \
        linux-libc-dev-armel-cross \
        linux-libc-dev-armhf-cross \
        pkg-config \
        protobuf-c-compiler \
        protobuf-compiler \
        python3 \
        # development libraries sysbox and its tests link against
        libaio-dev \
        libcap-dev \
        libnet-dev \
        libnl-3-dev \
        libprotobuf-dev \
        libseccomp-dev \
        libseccomp2 \
        # runtime and test utilities (sysbox deps included)
        acl \
        attr \
        bash-completion \
        bc \
        ca-certificates \
        curl \
        fuse \
        gawk \
        git \
        iproute2 \
        iptables \
        iputils-ping \
        jq \
        kmod \
        less \
        lsb-release \
        lsof \
        nano \
        net-tools \
        procps \
        psmisc \
        rsync \
        ssh-client \
        strace \
        sudo \
        time \
        tree \
        uidmap \
        unzip \
        wget \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* \
    && echo ". /etc/bash_completion" >> /etc/bash.bashrc \
    # SECURITY NOTE(review): this bakes a passphrase-less RSA private key into
    # a shared image layer, so every container started from this image (and
    # anyone able to pull it) holds the same key. Presumably it only reaches
    # throw-away test nodes -- confirm, and never authorize this key anywhere
    # else. Generating it at container start would keep it out of the image.
    && ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa \
    # accept-new is trust-on-first-use: unknown host keys are recorded
    # silently; a changed key for a known host is still rejected.
    && echo " StrictHostKeyChecking accept-new" >> /etc/ssh/ssh_config
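# Install Golang. The toolchain version is a build arg so CI can bump it;
# go_sha256 optionally pins the tarball's SHA-256 digest.
ARG go_version=1.22.6
ARG go_sha256=
# Download, verify and unpack in one layer so the tarball never ends up in the
# image. With go_sha256 empty the expected digest is fetched from go.dev next
# to the tarball: that catches a corrupted or tampered download/mirror but NOT
# a compromised origin -- pass go_sha256 for that. `set -u` also makes an unset
# sys_arch fail loudly instead of producing a bogus URL.
RUN set -eu; \
    tgz="go${go_version}.linux-${sys_arch}.tar.gz"; \
    wget -q "https://go.dev/dl/${tgz}"; \
    if [ -n "${go_sha256}" ]; then expected="${go_sha256}"; \
    else expected="$(wget -qO- "https://go.dev/dl/${tgz}.sha256")"; fi; \
    echo "${expected}  ${tgz}" | sha256sum -c -; \
    tar -C /usr/local -xzf "${tgz}"; \
    rm -f "${tgz}"
ENV GOPATH=/go
ENV PATH=$GOPATH/bin:/usr/local/go/bin:$PATH
# NOTE(review): GONOSUMDB takes module-path patterns (e.g. github.com/foo),
# not filesystem paths, so "/root/nestybox" most likely matches nothing --
# confirm whether it is still needed. It is set once here (setting it before
# and after the PATH update was redundant; both writes hit the same go env
# file).
# GOPATH is made world-writable because both root and the unprivileged
# "rootless" test user build into it; a per-user GOPATH or a BuildKit cache
# mount would be the least-privilege alternative.
RUN go env -w GONOSUMDB=/root/nestybox \
    && mkdir -p "$GOPATH/src" "$GOPATH/bin" \
    && chmod -R 777 "$GOPATH"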
# Unprivileged account (uid 1000, home /home/rootless, bash login shell) used
# by the rootless integration tests; the `git clone` steps below also rely on
# it existing.
RUN useradd --uid 1000 --create-home --home-dir /home/rootless \
            --shell /bin/bash rootless
# bats (shell test framework), pinned to an exact upstream commit so the test
# harness cannot change underneath us; the checkout is removed once installed.
# NOTE(review): sstephenson/bats appears unmaintained upstream (bats-core is
# its successor); switching is out of scope here.
RUN git clone https://github.com/sstephenson/bats.git /tmp/bats \
    && git -C /tmp/bats reset --hard 03608115df2071fff4eaaff1605768c275e5f81f \
    && (cd /tmp/bats && ./install.sh /usr/local) \
    && rm -rf /tmp/bats
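# protoc compiler and the Go plugin used to generate sysbox's gRPC stubs.
# protoc_gen_go_version defaults to "latest" (the previous behaviour); pass a
# tagged version for a reproducible image.
ARG protoc_version=3.15.8
ARG protoc_gen_go_version=latest
# Fixes: the unsupported-platform branch used a bare `exit`, which returns the
# status of the preceding echo (0), so the build silently continued without
# protoc; it now exits non-zero. curl gets -f so an HTTP error fails the step
# instead of unzipping an error page, and the zip is deleted in-layer.
# NOTE(review): the release zip is not integrity-checked; if CI records a
# digest for it, verify it here with sha256sum before unzipping.
# NOTE(review): protoc is unpacked into $HOME/.local/bin, which is NOT on the
# image's PATH (an `export` inside RUN does not survive the layer); callers
# must add it themselves -- presumably the test init script does, confirm.
# github.com/golang/protobuf/protoc-gen-go is the legacy plugin; its successor
# is google.golang.org/protobuf/cmd/protoc-gen-go (different output, so
# switching is a code change, not done here).
RUN set -eu; \
    case "${sys_arch}" in \
        amd64) arch_str="x86_64" ;; \
        arm64) arch_str="aarch_64" ;; \
        *) echo "Unsupported platform: ${sys_arch}" >&2; exit 1 ;; \
    esac; \
    zip="protoc-${protoc_version}-linux-${arch_str}.zip"; \
    curl -fsSLO "https://github.com/protocolbuffers/protobuf/releases/download/v${protoc_version}/${zip}"; \
    unzip -q "${zip}" -d "${HOME}/.local"; \
    rm -f "${zip}"; \
    go install "github.com/golang/protobuf/protoc-gen-go@${protoc_gen_go_version}"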
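# Install Docker (needed for the docker-in-sysbox and k8s-in-docker tests).
# get.docker.com is an unpinned script executed as root at build time; its own
# header asks you to compare it against install.sh in docker/docker-install
# before running it. docker_version (e.g. "24.0") is forwarded to the script's
# --version flag when given so the engine version can be fixed; empty keeps
# the previous behaviour (latest stable). The script is deleted in the same
# layer so it is not shipped in the image.
ARG docker_version=
RUN curl -fsSL https://get.docker.com -o get-docker.sh \
    && if [ -n "${docker_version}" ]; then sh get-docker.sh --version "${docker_version}"; \
       else sh get-docker.sh; fi \
    && rm -f get-docker.sh
# NOTE(review): a bare ADD of a URL taken from a moving branch (master) is
# neither reproducible nor integrity-checked -- pin the path to a commit SHA
# and, under BuildKit, use ADD --checksum=sha256:<digest> once the digest is
# known.
ADD https://raw.githubusercontent.com/docker/docker-ce/master/components/cli/contrib/completion/bash/docker /etc/bash_completion.d/docker.sh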
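# shellcheck for lint of shell scripts. --no-install-recommends keeps the
# layer to the package itself. The apt lists are deliberately not removed
# here: the original left them in place and the test scripts may apt-get
# install packages at runtime -- TODO confirm, then drop /var/lib/apt/lists/*
# in-layer if they do not.
RUN apt-get update \
    && apt-get install -y --no-install-recommends shellcheck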
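# Go Delve debugger. "latest" keeps the previous behaviour; pin a tag with
# --build-arg dlv_version=vX.Y.Z for a reproducible image.
ARG dlv_version=latest
RUN go install "github.com/go-delve/delve/cmd/dlv@${dlv_version}"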
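# Install kubectl for the k8s-in-docker integration tests. The version is
# pinned to k8s_version on purpose: it must match the Kubernetes release
# deployed on the k8s-in-docker nodes (L2).
# Fixes: the binary was always fetched for amd64 regardless of sys_arch, so an
# arm64 build got a kubectl it cannot run; it now follows sys_arch. The
# download is verified against the digest Kubernetes publishes next to it
# (kubectl.sha256). kubectl_sha256 optionally pins that digest at build time,
# which is what protects against a compromised origin; the same-origin check
# alone only catches a bad download.
ARG kubectl_sha256=
RUN set -eu; \
    cd /tmp; \
    base="https://dl.k8s.io/release/${k8s_version}/bin/linux/${sys_arch}"; \
    curl -fsSLO "${base}/kubectl"; \
    if [ -n "${kubectl_sha256}" ]; then expected="${kubectl_sha256}"; \
    else expected="$(curl -fsSL "${base}/kubectl.sha256")"; fi; \
    echo "${expected}  kubectl" | sha256sum -c -; \
    install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl; \
    rm -f /tmp/kubectl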
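# CRI-O and crictl for testing deployment of pods with sysbox (aka "sysbox pods").
#
# Repository signing keys are stored in dedicated keyrings and bound to their
# repository with [signed-by=...] instead of `apt-key add`, which is
# deprecated and makes each key valid for every apt source on the system.
# Both repositories are now reached over https (one was plain http). sudo is
# dropped: build steps already run as root. Keys are downloaded to a file
# first so a failed curl cannot feed gpg an empty keyring through a pipe.
# The crictl tarball is checked against the .sha256 file cri-tools publishes
# beside it (format-tolerant: only the leading hex digest is compared).
#
# The apt lists are deliberately left in place after this final apt-get
# update, as before: the test scripts may apt-get install at runtime -- TODO
# confirm, then rm -rf /var/lib/apt/lists/* in-layer if they do not.
# NOTE(review): the OBS devel:kubic:libcontainers repositories have been
# superseded upstream for recent CRI-O releases; verify they still serve
# ${crio_version} for ${crio_os} before depending on this step.
RUN set -eu; \
    apt-get update; \
    apt-get install -y --no-install-recommends gnupg; \
    mkdir -p /usr/share/keyrings; \
    stable_key="/usr/share/keyrings/libcontainers-archive-keyring.gpg"; \
    crio_key="/usr/share/keyrings/libcontainers-crio-archive-keyring.gpg"; \
    curl -fsSL -o /tmp/libcontainers.asc "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/${crio_os}/Release.key"; \
    curl -fsSL -o /tmp/crio.asc "https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:${crio_version}/${crio_os}/Release.key"; \
    gpg --dearmor -o "${stable_key}" /tmp/libcontainers.asc; \
    gpg --dearmor -o "${crio_key}" /tmp/crio.asc; \
    rm -f /tmp/libcontainers.asc /tmp/crio.asc; \
    echo "deb [signed-by=${stable_key}] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/${crio_os}/ /" \
        > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list; \
    echo "deb [signed-by=${crio_key}] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/${crio_version}/${crio_os}/ /" \
        > "/etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:${crio_version}.list"; \
    apt-get update; \
    apt-get install -y --no-install-recommends "conntrack:${sys_arch}" "cri-o:${sys_arch}" "cri-o-runc:${sys_arch}"; \
    tarball="crictl-${crictl_version}-linux-${sys_arch}.tar.gz"; \
    url="https://github.com/kubernetes-sigs/cri-tools/releases/download/${crictl_version}"; \
    wget -q "${url}/${tarball}" "${url}/${tarball}.sha256"; \
    expected="$(grep -o '^[0-9a-f]\{64\}' "${tarball}.sha256" | head -n1)"; \
    actual="$(sha256sum "${tarball}" | cut -d' ' -f1)"; \
    if [ -z "${expected}" ] || [ "${expected}" != "${actual}" ]; then \
        echo "crictl checksum mismatch for ${tarball}" >&2; exit 1; fi; \
    tar zxf "${tarball}" -C /usr/local/bin; \
    rm -f "${tarball}" "${tarball}.sha256"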
# Container CNIs (needed by CRI-O): the reference plugins, built from the
# v0.9.1 tag and installed into /opt/cni/bin. The checkout stays under
# /root/plugins as before. The tag is pinned but, like any git tag, not
# cryptographically verified.
RUN mkdir -p /opt/cni/bin \
    && git clone https://github.com/containernetworking/plugins /root/plugins \
    && git -C /root/plugins checkout -b v0.9.1 v0.9.1 \
    && cd /root/plugins \
    && ./build_linux.sh \
    && cp bin/* /opt/cni/bin/
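# Dasel (for yaml, toml, json parsing) (https://github.com/TomWright/dasel)
# Note: manually download Dasel v1 as our testContainerInit script does not
# yet support Dasel v2. The version is a build arg, and the binary is fetched
# straight into /usr/local/bin instead of being downloaded into the current
# directory and renamed twice.
# NOTE(review): this binary is not integrity-checked; if CI records a digest
# for the release asset, verify it here with sha256sum before chmod.
ARG dasel_version=v1.27.2
RUN wget -q -O /usr/local/bin/dasel \
        "https://github.com/TomWright/dasel/releases/download/${dasel_version}/dasel_linux_${sys_arch}" \
    && chmod 0755 /usr/local/bin/dasel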
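# K8s.io KinD (Kubernetes-in-Docker), pinned; override with --build-arg.
ARG kind_version=v0.24.0
RUN go install "sigs.k8s.io/kind@${kind_version}"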
# Use the old definition for SECCOMP_NOTIF_ID_VALID in /usr/include/linux/seccomp.h
#
# This is needed because the definition changed in the mainline kernel
# on 06/2020 (from SECCOMP_IOR -> SECCOMP_IOW), and some distros we
# support have picked it up in their latest releases / kernels
# updates. The kernel change was backward compatible, so by using the
# old definition, we are guaranteed it will work on kernels before and
# after the change. On the other hand, if we were to use the new
# definition, seccomp notify would fail when sysbox runs in old
# kernels.
#
# The sed below rewrites the SECCOMP_IOCTL_NOTIF_ID_VALID macro in place,
# from the SECCOMP_IOW(2, __u64) form back to SECCOMP_IOR(2, __u64). It is
# silent when the pattern does not match (header already uses the old form,
# or the macro's whitespace/layout differs), so a no-op is not detected;
# anyone bumping the base image should confirm the patched line is present.
RUN sed -i 's/^#define SECCOMP_IOCTL_NOTIF_ID_VALID[ \t]*SECCOMP_IOW(2, __u64)/#define SECCOMP_IOCTL_NOTIF_ID_VALID SECCOMP_IOR(2, __u64)/g' /usr/include/linux/seccomp.h
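# sysbox env: dedicated "sysbox" account, created with useradd defaults as
# before (presumably the unprivileged identity sysbox's services drop to --
# confirm).
RUN useradd sysbox
# Test scripts and the user-ns helper binary. They land in /usr/bin with the
# permissions they carry in the build context (no --chmod), so they must
# already be executable in the repo.
COPY scr/testContainerInit /usr/bin
COPY scr/testContainerCleanup /usr/bin
COPY scr/buildContainerInit /usr/bin
COPY bin/userns_child_exec_${sys_arch} /usr/bin
# Mount point for the sysbox repo, which is bind mounted at run time (see the
# header comment).
RUN mkdir -p /root/nestybox
WORKDIR /root/nestybox/sysbox
# No USER switch on purpose: this is a --privileged test container that
# builds and installs sysbox as root (see header). Exec form so bash is PID 1
# and receives signals directly instead of running as a child of /bin/sh -c.
CMD ["/bin/bash"]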