#
# NOTE: Use the Makefiles to build this image correctly.
#

# the default below is a placeholder, not a pullable image reference,
# so the real base image has to be supplied through the BASE_IMG build argument.
# whatever is passed here is the root of trust for the whole image: pin it to a
# specific tag (ideally a digest) in the build tooling so rebuilds are reproducible.
ARG BASE_IMG=<ubuntu>
FROM ${BASE_IMG}

# architecture of the image being built (used below to pick the s6-overlay and kubectl downloads)
# declared after FROM so that the RUN steps of this stage can read it
ARG TARGETARCH
# common environment variables
ENV NB_USER=jovyan
ENV NB_UID=1000
# WARNING: the primary GID of 'jovyan' MUST be 0!
# this allows any UID to be used as all important folders are owned by GID 0.
# some Kubernetes environments run containers as a random UID (e.g. OpenShift).
# note, GID 0 (root group) is NOT the same as UID 0: it carries no capabilities and does not make you root.
# it does grant whatever the file modes give to group 0, so only the folders that need it should be group-writable.
ENV NB_GID=0
ENV NB_PREFIX=/
# kept as a separate instruction so that ${NB_USER} from the ENV above is already defined
ENV HOME=/home/${NB_USER}
ENV SHELL=/bin/bash

# the GID of the 'users' group
ENV USERS_GID=100

# we copy the contents of $HOME_TMP to $HOME on startup
# this is to work around the fact that a PVC will be mounted to $HOME
# but we still want to have some default files in $HOME
# see `s6/cont-init.d/01-copy-tmp-home`
ENV HOME_TMP=/tmp_home/${NB_USER}

# s6-overlay only gives 5 seconds by default, which is too small for slow PVC storage backends
# when running `/etc/cont-init.d/01-copy-tmp-home` (note, this is in milliseconds)
ENV S6_CMD_WAIT_FOR_SERVICES_MAXTIME=300000

# s6-overlay does not fail by default if the `/etc/cont-init.d/` or `/etc/services.d/` scripts fail
# this is not the desired behavior, so we set it to fail
ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2
# args - software versions
#  - kubectl:    https://kubernetes.io/releases/
#  - s6-overlay: https://github.com/just-containers/s6-overlay/releases
# these select WHICH release is downloaded below; they do not pin the content of that release
ARG KUBECTL_VERSION=v1.31.6
ARG S6_VERSION=v3.2.0.2

# set shell to bash
# note, `-o pipefail` is not enabled, so a pipeline in a RUN step fails only when its LAST command fails
# (the checksum steps below end in `sha256sum -c`, which is the command whose exit status counts)
SHELL ["/bin/bash", "-c"]
# install - useful linux packages
# DEBIAN_FRONTEND is exported inside this RUN step only, so it is not baked into the runtime environment
# package versions are not pinned: each build takes whatever the apt sources of the base image serve
# the apt lists are removed in the same layer so that they do not end up in the image
RUN export DEBIAN_FRONTEND=noninteractive \
 && apt-get -yq update \
 && apt-get -yq install --no-install-recommends \
      apt-transport-https \
      bash \
      bzip2 \
      ca-certificates \
      curl \
      git \
      gnupg \
      gnupg2 \
      locales \
      lsb-release \
      nano \
      software-properties-common \
      tzdata \
      unzip \
      vim \
      wget \
      xz-utils \
      zip \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*
# install - s6 overlay
# the build stops on any architecture that has no mapping in the `case` below
# both archives are checked against their published SHA-256 before anything is unpacked into '/'
# note, the `.sha256` files come from the same GitHub release as the archives, so the check catches
# corrupted or truncated downloads, but NOT a release that was replaced at the source.
# to cover that case, compare against digests that are recorded in this repository instead.
RUN case "${TARGETARCH}" in \
      amd64)   S6_ARCH="x86_64" ;; \
      arm64)   S6_ARCH="aarch64" ;; \
      ppc64le) S6_ARCH="ppc64le" ;; \
      *)       echo "Unsupported architecture: ${TARGETARCH}"; exit 1 ;; \
    esac \
 && S6_RELEASE_URL="https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}" \
 && S6_NOARCH_TAR="/tmp/s6-overlay-noarch.tar.xz" \
 && S6_ARCH_TAR="/tmp/s6-overlay-${S6_ARCH}.tar.xz" \
 && curl -fsSL "${S6_RELEASE_URL}/s6-overlay-noarch.tar.xz" -o "${S6_NOARCH_TAR}" \
 && curl -fsSL "${S6_RELEASE_URL}/s6-overlay-noarch.tar.xz.sha256" -o "${S6_NOARCH_TAR}.sha256" \
 && echo "$(awk '{ print $1; }' "${S6_NOARCH_TAR}.sha256") ${S6_NOARCH_TAR}" | sha256sum -c - \
 && curl -fsSL "${S6_RELEASE_URL}/s6-overlay-${S6_ARCH}.tar.xz" -o "${S6_ARCH_TAR}" \
 && curl -fsSL "${S6_RELEASE_URL}/s6-overlay-${S6_ARCH}.tar.xz.sha256" -o "${S6_ARCH_TAR}.sha256" \
 && echo "$(awk '{ print $1; }' "${S6_ARCH_TAR}.sha256") ${S6_ARCH_TAR}" | sha256sum -c - \
 && tar -C / -Jxpf "${S6_NOARCH_TAR}" \
 && tar -C / -Jxpf "${S6_ARCH_TAR}" \
 && rm "${S6_NOARCH_TAR}" \
       "${S6_NOARCH_TAR}.sha256" \
       "${S6_ARCH_TAR}" \
       "${S6_ARCH_TAR}.sha256"

# fix permissions of '/run' folder for s6
# https://github.com/just-containers/s6-overlay/blob/v3.2.0.0/layout/rootfs-overlay/package/admin/s6-overlay-%40VERSION%40/libexec/preinit#L86
# 0775 adds group write; presumably '/run' is group-owned by GID 0, which is the primary group of the runtime user
RUN chmod 0775 /run
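# install - kubectl
# the binary and its checksum are both fetched from the same `/release/` path on dl.k8s.io
# the binary is staged in /tmp and only installed into the PATH after its SHA-256 has been checked
# note, the `.sha256` file is served by the same host as the binary, so the check catches corrupted
# or truncated downloads, but NOT a binary that was replaced at the source.
RUN curl -fsSL "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl" -o /tmp/kubectl \
 && curl -fsSL "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256" -o /tmp/kubectl.sha256 \
 && echo "$(awk '{ print $1; }' /tmp/kubectl.sha256)  /tmp/kubectl" | sha256sum -c - \
 && install -m 0755 /tmp/kubectl /usr/local/bin/kubectl \
 && rm /tmp/kubectl /tmp/kubectl.sha256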
# create user and set required ownership
# the user gets no auto-created home and no per-user group: its primary group is ${NB_GID},
# and ${USERS_GID} is added as a supplementary group
# NOTE(review): the last step hands '/usr/local/bin' to the notebook user, so anything running as that
# user can add or replace executables on the PATH (including the kubectl installed above) - confirm this is intended
RUN useradd --no-create-home --no-user-group \
      --shell /bin/bash \
      --home "${HOME}" \
      --uid "${NB_UID}" \
      --gid "${NB_GID}" \
      --groups "${USERS_GID}" \
      "${NB_USER}" \
 && mkdir -pv "${HOME}" "${HOME_TMP}" \
# in the interest of backwards compatibility, the 'users' group owns the home directory
# we also set the SGID bit so that new files and directories are created with the 'users' group
 && chmod 2775 "${HOME}" "${HOME_TMP}" \
 && chown -R "${NB_USER}:${USERS_GID}" "${HOME}" "${HOME_TMP}" \
 && chown -R "${NB_USER}:${NB_GID}" /usr/local/bin
# set locale configs
# '/etc/locale.gen' is overwritten so that en_US.UTF-8 is the only locale that gets generated
RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen \
 && locale-gen
ENV LANG=en_US.UTF-8 \
    LANGUAGE=en_US.UTF-8 \
    LC_ALL=en_US.UTF-8
# s6 - copy scripts
# everything under 's6/' lands in '/etc' with mode 755, owned by ${NB_USER} with group ${NB_GID}
# note, this means the init and service scripts are writable by the same user that they run as
COPY --chown=${NB_USER}:${NB_GID} --chmod=755 s6/ /etc

# run as the numeric UID rather than the user name, so the image config itself shows a non-root UID
USER ${NB_UID}

# '/init' is presumably provided by the s6-overlay archives unpacked above
ENTRYPOINT ["/init"]