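ARG BASE_IMAGE=registry.access.redhat.com/ubi10/ubi:10.1-1770180700

### TOOLS BASE - shared helpers for the download/build stages
# Build-only stage: nothing from here reaches a shippable image except what a
# later stage explicitly copies or bind-mounts out of it.
FROM ${BASE_IMAGE} AS tools-base
ARG OUTPUT_DIR="/opt"
# gzip/tar: unpack release tarballs; jq: parse GitHub API JSON;
# python3 + pip: runtime for the github_dl helper below.
RUN dnf --assumeyes --nodocs install gzip jq tar python3 python3-pip \
    && dnf clean all
# NOTE(review): `requests` is unpinned. Acceptable for a build-only stage, but
# pin it if you want the downloader itself to be reproducible.
RUN pip3 install --no-cache-dir requests
# platform_convert maps the build platform to the arch naming used by each
# upstream project (arm64 vs aarch64, x86_64 vs amd64, ...). Stages that derive
# from tools-base inherit it; the final image brings it in on its own.
COPY utils/dockerfile_assets/platforms.sh /usr/local/bin/platform_convert
# github_dl is used below to fetch a release asset together with its checksum
# file and validate the asset before anything is extracted.
COPY utils/dockerfile_assets/github_dl.py /usr/local/bin/github_dl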
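### BACKPLANE TOOLS - download SRE standard binaries to a temporary container
FROM tools-base AS backplane-tools
ARG OUTPUT_DIR="/opt"
# Pinned release; bump deliberately and check the release notes under the slug.
ARG BACKPLANE_TOOLS_VERSION="tags/v1.2.0"
ENV BACKPLANE_TOOLS_URL_SLUG="openshift/backplane-tools"
ENV BACKPLANE_TOOLS_URL="https://api.github.com/repos/${BACKPLANE_TOOLS_URL_SLUG}/releases/${BACKPLANE_TOOLS_VERSION}"
ENV BACKPLANE_TOOLS_CHECKSUM_FILE="checksums.txt"
ENV BACKPLANE_TOOLS_CHECKSUM_ALGORITHM="sha256"
ENV BACKPLANE_TOOLS_PLATFORM_PREFIX="linux_"
ENV BACKPLANE_BIN_DIR="/root/.local/bin/backplane"
# WORKDIR creates the directory if it is missing
WORKDIR /backplane-tools
# Download the checksum file and the release asset, and validate the asset.
# The GitHub token secrets are mounted under /run/secrets/ for this step only;
# github_dl is expected to pick them up itself (its implementation is not shown here).
# The checksum file ships in the same release as the asset, so this guards
# against a corrupt or wrong-arch download, not against a compromised release.
RUN --mount=type=secret,id=GITHUB_TOKEN \
    --mount=type=secret,id=read-only-github-pat/token \
    github_dl download --url ${BACKPLANE_TOOLS_URL} --checksum_file ${BACKPLANE_TOOLS_CHECKSUM_FILE} --checksum_algorithm ${BACKPLANE_TOOLS_CHECKSUM_ALGORITHM} --platform ${BACKPLANE_TOOLS_PLATFORM_PREFIX}$(platform_convert "@@PLATFORM@@" --amd64 --arm64)
# Extract the verified tarball. Unlike the other builder stages this extracts
# every member into /usr/local/bin; name the expected binary here once the
# archive layout is confirmed, so an unexpected member cannot land on $PATH.
RUN tar --extract --gunzip --no-same-owner --directory "/usr/local/bin" --file *.tar.gz
# Install the core tool set via backplane-tools. Prefer the read-only PAT, fall
# back to GITHUB_TOKEN, otherwise run unauthenticated (subject to API rate limits).
# Only the presence and size of a token is logged -- never any of its bytes; the
# previous version printed the first four characters of the secret into the build log.
RUN --mount=type=secret,id=GITHUB_TOKEN \
    --mount=type=secret,id=read-only-github-pat/token \
    if [ -f /run/secrets/read-only-github-pat/token ]; then \
        echo "read-only PAT secret found ($(wc -c < /run/secrets/read-only-github-pat/token) bytes)"; \
        GITHUB_TOKEN=$(cat /run/secrets/read-only-github-pat/token) /usr/local/bin/backplane-tools install all; \
    elif [ -f /run/secrets/GITHUB_TOKEN ]; then \
        echo "GITHUB_TOKEN secret found ($(wc -c < /run/secrets/GITHUB_TOKEN) bytes)"; \
        GITHUB_TOKEN=$(cat /run/secrets/GITHUB_TOKEN) /usr/local/bin/backplane-tools install all; \
    else \
        echo "no GitHub token secret mounted; installing unauthenticated"; \
        /usr/local/bin/backplane-tools install all; \
    fi
# Dereference the "latest" symlinks so real files (not links) land in $OUTPUT_DIR
RUN cp -Hv ${BACKPLANE_BIN_DIR}/latest/* ${OUTPUT_DIR}
# The aws cli is a directory tree (dist/), not a single binary; copy it whole
RUN cp -r ${BACKPLANE_BIN_DIR}/aws/*/aws-cli/dist /${OUTPUT_DIR}/aws_dist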
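### Builder - Get or Build Individual Binaries
# Parent of the per-tool builder stages below (omc, jira, oc-nodepp). Build-only.
FROM tools-base AS builder
ARG OUTPUT_DIR="/opt"
# gcc/git/make: for anything that has to be built from source;
# jq: simpler parsing of release download URLs; tar/unzip: unpack release archives.
RUN dnf --assumeyes --nodocs install \
        gcc \
        git \
        jq \
        make \
        tar \
        unzip \
    && dnf clean all
# Directory the builder stages drop their extracted binaries into; the final
# image pulls individual files out of it with COPY --from.
RUN mkdir -p /${OUTPUT_DIR}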
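### Pre-install yum stuff for final images
# Common parent of every shippable variant (micro / minimal / full).
FROM ${BASE_IMAGE} AS base-update
# ARG keeps the values from the final image
ARG OUTPUT_DIR="/opt"
# Port the cluster console proxy listens on inside the container.
# Can be used with `-o "-P"` to map 9999 inside the container to a random port at runtime.
# EXPOSE is documentation only; nothing is published unless the runtime maps it.
ENV OCM_BACKPLANE_CONSOLE_PORT=9999
EXPOSE $OCM_BACKPLANE_CONSOLE_PORT
# Interactive tooling shell; exec form so bash is PID 1 and receives signals directly.
ENTRYPOINT ["/bin/bash"]
# NOTE(review): no USER is set, so every derived image runs as root. That fits a
# tooling container that runs podman and keeps its state under /root, but it also
# means anything executed inside can read every credential mounted into it.
# Create a directory for the ocm config file
RUN mkdir -p /root/.config/ocm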
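### Micro Image
# Smallest shippable variant: ocm, ocm-backplane and oc only.
FROM base-update AS ocm-container-micro
# ARG keeps the values from the final image
ARG OUTPUT_DIR="/opt"
ARG BIN_DIR="/usr/local/bin"
# bind-utils provides dig, used for resolving the backplane hostname; jq for scripting.
RUN dnf --assumeyes --nodocs install \
        bind-utils \
        jq \
    && dnf clean all \
    && rm -rf /var/cache/yum
# The binaries below were downloaded and checksum-verified in the
# backplane-tools stage. Each completion dump doubles as a smoke test that the
# binary actually executes on this architecture.
COPY --from=backplane-tools /${OUTPUT_DIR}/ocm ${BIN_DIR}
RUN ocm completion > /etc/bash_completion.d/ocm
COPY --from=backplane-tools /${OUTPUT_DIR}/ocm-backplane ${BIN_DIR}
RUN ocm backplane completion bash > /etc/bash_completion.d/ocm-backplane
COPY --from=backplane-tools /${OUTPUT_DIR}/oc ${BIN_DIR}
RUN oc completion bash > /etc/bash_completion.d/oc
# Identify the image variant to anything that reads these at runtime
ENV IO_OPENSHIFT_MANAGED_NAME="ocm-container" \
    IO_OPENSHIFT_MANAGED_COMPONENT="micro"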
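### Final Minimal Image
# micro plus the aws cli and the remaining backplane-tools binaries.
FROM ocm-container-micro AS ocm-container-minimal
# ARG keeps the values from the final image
ARG OUTPUT_DIR="/opt"
ARG BIN_DIR="/usr/local/bin"
# aws cli is shipped as a directory tree; `aws --version` is the smoke test
COPY --from=backplane-tools /${OUTPUT_DIR}/aws_dist /usr/local/aws-cli
RUN /usr/local/aws-cli/aws --version
RUN /usr/local/aws-cli/aws_completer bash > /etc/bash_completion.d/aws-cli
# Each completion dump below also confirms the copied binary runs on this arch
COPY --from=backplane-tools /${OUTPUT_DIR}/ocm-addons ${BIN_DIR}
RUN ocm addons completion bash > /etc/bash_completion.d/ocm-addons
COPY --from=backplane-tools /${OUTPUT_DIR}/osdctl ${BIN_DIR}
# --skip-version-check: avoid a network call to the release API during the build
RUN osdctl completion bash --skip-version-check > /etc/bash_completion.d/osdctl
COPY --from=backplane-tools /${OUTPUT_DIR}/rosa ${BIN_DIR}
RUN rosa completion bash > /etc/bash_completion.d/rosa
COPY --from=backplane-tools /${OUTPUT_DIR}/servicelogger ${BIN_DIR}
RUN servicelogger completion bash > /etc/bash_completion.d/servicelogger
## Comment this out for everyone until SREP-1737 is completed
# COPY --from=backplane-tools /${OUTPUT_DIR}/yq ${BIN_DIR}
# RUN yq --version
# Identify the image variant to anything that reads these at runtime
ENV IO_OPENSHIFT_MANAGED_NAME="ocm-container" \
    IO_OPENSHIFT_MANAGED_COMPONENT="minimal"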
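### DNF Install other tools on top of Minimal
FROM ocm-container-minimal AS dnf-install
# Add EPEL repos - dynamically detect RHEL version.
# NOTE(review): epel-release-latest is unpinned, and the signing key is fetched
# from the same host as the RPM, so importing it adds little beyond what the
# HTTPS fetch already provides; rpm will check the package against the imported
# key, but a compromised host could serve a matching key and package. Pin the
# release RPM (or vendor the key) if this matters for your threat model.
RUN RHEL_VERSION=$(rpm -E %{rhel}) && \
    rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-${RHEL_VERSION} && \
    rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-${RHEL_VERSION}.noarch.rpm
# Install packages
# These packages will end up in the final image
# Installed here to save build time
# (crun/fuse-overlayfs/podman: nested container support, see storage.conf below)
RUN dnf --assumeyes --nodocs install \
        bash-completion \
        crun \
        findutils \
        fuse-overlayfs \
        git \
        golang \
        krb5-workstation \
        make \
        nodejs \
        nodejs-nodemon \
        npm \
        openssl \
        podman \
        procps-ng \
        python3 \
        python3-pip \
        rsync \
        socat \
        tar \
        vim-enhanced \
        wget \
        xz \
    && dnf clean all \
    && rm -rf /var/cache/yum
# fzf fuzzy finder.
# NOTE(review): this clones an unpinned HEAD and runs the upstream install
# script, which may itself download a prebuilt binary; neither step is pinned or
# checksum-verified here, unlike every other third-party tool in this file.
# Pin a tag (`git clone --branch <tag>`) or route fzf through a verified builder stage.
RUN git clone --depth 1 https://github.com/junegunn/fzf.git /root/.fzf \
    && /root/.fzf/install --all
### podman container config
# Overlay over overlay is often denied by the kernel, so this creates non overlay volumes to be used within the container.
VOLUME /var/lib/containers
# copy storage.conf to enable fuse-overlayfs storage.
COPY utils/dockerfile_assets/storage.conf /etc/containers/storage.conf
# add containers.conf file to make sure containers run easier.
COPY utils/dockerfile_assets/containers.conf /etc/containers/containers.conf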
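# Binary builds for extra (full ocm-container) packages
FROM builder AS omc-builder
ARG OUTPUT_DIR="/opt"
# Add `omc` utility to inspect must-gathers easily with 'oc' like commands
# Replace "/latest" with "/tags/{tag}" to pin to a specific version (eg: "/tags/v0.4.0")
# the URL_SLUG is for checking the releasenotes when a version updates
ARG OMC_VERSION="tags/v3.8.0"
ENV OMC_URL_SLUG="gmeghnag/omc"
ENV OMC_URL="https://api.github.com/repos/${OMC_URL_SLUG}/releases/${OMC_VERSION}"
ENV OMC_CHECKSUM_FILE="checksums.txt"
# NOTE(review): md5 is the algorithm this release's checksums.txt is configured
# for. Since the checksum file ships in the same release as the tarball, the
# check only detects a corrupt or mismatched download, not a compromised
# release; md5 is adequate for that but would not resist a crafted collision.
ENV OMC_CHECKSUM_ALGORITHM="md5"
ENV OMC_PLATFORM_PREFIX="Linux_"
ENV OMC_PLATFORM_SUFFIX=".tar.gz"
# Install omc (WORKDIR creates the directory)
WORKDIR /omc
# Download the checksum and binary, and validate them
RUN --mount=type=secret,id=GITHUB_TOKEN \
    --mount=type=secret,id=read-only-github-pat/token \
    github_dl download --url ${OMC_URL} --checksum_file ${OMC_CHECKSUM_FILE} --checksum_algorithm ${OMC_CHECKSUM_ALGORITHM} --platform ${OMC_PLATFORM_PREFIX}$(platform_convert "@@PLATFORM@@" --x86_64 --arm64)${OMC_PLATFORM_SUFFIX}
# Extract only the omc binary from the verified tarball
RUN tar --extract --gunzip --no-same-owner --directory /${OUTPUT_DIR} omc --file *.tar.gz
# Mark just the extracted binary executable (the previous recursive chmod over
# all of $OUTPUT_DIR was broader than needed; matches the oc-nodepp stage)
RUN chmod +x /${OUTPUT_DIR}/omc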
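FROM builder AS jira-builder
ARG OUTPUT_DIR="/opt"
# Add `jira` utility for working with OHSS tickets
# Replace "/latest" with "/tags/{tag}" to pin to a specific version (eg: "/tags/v0.4.0")
# the URL_SLUG is for checking the releasenotes when a version updates
ARG JIRA_VERSION="tags/v1.6.0"
ENV JIRA_URL_SLUG="ankitpokhrel/jira-cli"
ENV JIRA_URL="https://api.github.com/repos/${JIRA_URL_SLUG}/releases/${JIRA_VERSION}"
ENV JIRA_CHECKSUM_FILE="checksums.txt"
ENV JIRA_CHECKSUM_ALGORITHM="sha256"
ENV JIRA_PLATFORM_PREFIX="linux_"
# WORKDIR creates the directory
WORKDIR /jira
# Download the checksum and binary, and validate them. The checksum file comes
# from the same release as the asset, so this catches corruption and wrong-arch
# downloads rather than a compromised release.
RUN --mount=type=secret,id=GITHUB_TOKEN \
    --mount=type=secret,id=read-only-github-pat/token \
    github_dl download --url ${JIRA_URL} --checksum_file ${JIRA_CHECKSUM_FILE} --checksum_algorithm ${JIRA_CHECKSUM_ALGORITHM} --platform ${JIRA_PLATFORM_PREFIX}$(platform_convert "@@PLATFORM@@" --x86_64 --arm64)
# Extract only the jira binary; it sits two directories deep in the tarball
RUN tar --extract --gunzip --no-same-owner --directory /${OUTPUT_DIR} --strip-components=2 */bin/jira --file *.tar.gz
# Mark just the extracted binary executable (the previous recursive chmod over
# all of $OUTPUT_DIR was broader than needed; matches the oc-nodepp stage)
RUN chmod +x /${OUTPUT_DIR}/jira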
FROM builder AS oc-nodepp-builder
ARG OUTPUT_DIR="/opt"
# Add the `oc-nodepp` utility.
# Replace "/latest" with "/tags/{tag}" to pin to a specific version (eg: "/tags/v0.4.0").
# NODEPP_URL_SLUG points at the upstream repo, handy for reading release notes on a bump.
ARG NODEPP_VERSION="tags/v0.1.2"
ENV NODEPP_URL_SLUG="mrbarge/oc-nodepp"
ENV NODEPP_URL="https://api.github.com/repos/${NODEPP_URL_SLUG}/releases/${NODEPP_VERSION}"
ENV NODEPP_CHECKSUM_FILE="checksums.txt"
ENV NODEPP_CHECKSUM_ALGORITHM="sha256"
ENV NODEPP_PLATFORM_PREFIX="Linux_"
# Scratch directory for the download (WORKDIR creates it if absent)
WORKDIR /nodepp
# Fetch the release asset and its checksum file, and validate the asset against
# it, with the GitHub token secrets mounted for just this step.
RUN --mount=type=secret,id=GITHUB_TOKEN \
    --mount=type=secret,id=read-only-github-pat/token \
    github_dl download --url ${NODEPP_URL} --checksum_file ${NODEPP_CHECKSUM_FILE} --checksum_algorithm ${NODEPP_CHECKSUM_ALGORITHM} --platform ${NODEPP_PLATFORM_PREFIX}$(platform_convert "@@PLATFORM@@" --x86_64 --arm64)
# Pull only the oc-nodepp binary out of the verified tarball
RUN tar --extract --gunzip --no-same-owner --directory /${OUTPUT_DIR} oc-nodepp --file *.tar.gz
# Executable bit on the single extracted file only
RUN chmod +x /${OUTPUT_DIR}/oc-nodepp
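###########################
## Build the final image ##
###########################
# This is based on the first image build, with the yum packages installed
FROM dnf-install AS ocm-container
# ARG keeps the values from the final image
ARG OUTPUT_DIR="/opt"
ARG BIN_DIR="/usr/local/bin"
# Copy previously acquired (checksum-verified) binaries into the $PATH.
# Each completion dump / --help call doubles as a smoke test that the binary runs.
WORKDIR /
COPY --from=jira-builder /${OUTPUT_DIR}/jira ${BIN_DIR}
RUN jira completion bash > /etc/bash_completion.d/jira
COPY --from=omc-builder /${OUTPUT_DIR}/omc ${BIN_DIR}
# Generate omc's own completion; this previously dumped *ocm* completion into the omc file.
RUN omc completion bash > /etc/bash_completion.d/omc
COPY --from=oc-nodepp-builder /${OUTPUT_DIR}/oc-nodepp ${BIN_DIR}
RUN oc-nodepp --help
# Install utils
COPY utils/bin /root/.local/bin
# Install o-must-gather
# Replace "" with "=={tag}" to pin to a specific version (eg: "==1.2.6")
ARG O_MUST_GATHER_VERSION=""
RUN pip3 install --no-cache-dir o-must-gather${O_MUST_GATHER_VERSION}
RUN omg completion bash > /etc/bash_completion.d/omg
# Install the AWS Session Manager plugin.
# platform_convert is bind-mounted from tools-base for this single step, so it
# never lands in an image layer (the former COPY + rm left it in layer history).
# NOTE(review): this fetches an unpinned "latest" RPM and no AWS signing key is
# imported beforehand, so rpm can at most warn about a signature it cannot
# verify. Pin a plugin version and import the publisher key to close that gap.
RUN --mount=type=bind,from=tools-base,source=/usr/local/bin/platform_convert,target=/tmp/platform_convert \
    rpm -i $(/tmp/platform_convert https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_@@PLATFORM@@/session-manager-plugin.rpm --arm64 --custom-amd64 64bit)
RUN /usr/local/aws-cli/aws ssm help
# install rh-aws-saml-login
# Replace "" with "=={version}" to pin to a specific version
ARG RH_AWS_SAML_LOGIN_VERSION=""
# Dev headers are needed only to build the package's native deps; install, build
# and remove them in one layer so they do not persist in the image.
RUN dnf --assumeyes --nodocs install python3-devel krb5-devel \
    && pip3 install --no-cache-dir rh-aws-saml-login${RH_AWS_SAML_LOGIN_VERSION} \
    && dnf --assumeyes remove python3-devel krb5-devel \
    && dnf clean all
# Setup bashrc.d directory
# Files with a ".bashrc" extension are sourced on login
COPY utils/bashrc.d /root/.bashrc.d
# ${HOME} and ${file} are single-quoted on purpose: they expand when bash starts, not at build time.
# Every appended snippet ends with a newline so later appends do not join onto the same line.
RUN printf 'if [ -d ${HOME}/.bashrc.d ] ; then\n for file in ~/.bashrc.d/*.bashrc ; do\n source ${file}\n done\nfi\n' >> /root/.bashrc \
    && printf "[ -f ~/.fzf.bash ] && source ~/.fzf.bash\n" >> /root/.bashrc \
    # don't automatically run commands when pasting from clipboard with a newline
    && printf "set enable-bracketed-paste on\n" >> /root/.inputrc
# Cleanup Home Dir (installer residue from the base image)
RUN rm -rf /root/anaconda* /root/original-ks.cfg /root/buildinfo
WORKDIR /root
# Identify the image variant to anything that reads these at runtime
ENV IO_OPENSHIFT_MANAGED_NAME="ocm-container" \
    IO_OPENSHIFT_MANAGED_COMPONENT="full"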