# Copyright 2016 The Kubernetes Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # HOW TO USE THIS CONTAINER: # # The only commandline argument (or env var) that is really required is # `--repo` ($GITSYNC_REPO). Everything else is optional (run this with # `--man` for details). # # This container will run as UID:GID 65533:65533 by default. For most users, # the simplest ways to use this container are either: # a) use the default UID/GID and mount a volume on /git writeable by those # b) set your own UID/GID and mount a volume on /git writeable by those # # If you mount a volume anywhere else, you must set `--root` ($GITSYNC_ROOT). # If you do not mount a volume, this will run but you can't access the results # (which might be useful for testing, but not much else). # # Newly created docker volumes (the very first `docker run -v`) are initialized # based on the in-image mountpoint's UID/GID?mode, so another solution for # using this with docker is to set your own UID/GID and also add the default # GID as a supplemental group (see `docker run --group-add`). # # Kubernetes offers `Pod.spec.securityContext.fsGroup` to manage volume # permissions. # # If you set any UID other than the default and want to use git over SSH, you # should set `--add-user` ($GITSYNC_ADD_USER). ############################################################################# # First we prepare the image that we want, regardless of build layers. ############################################################################# FROM {ARG_FROM} AS base # When building, we can pass a unique value (e.g. `date +%s`) for this arg, # which will force a rebuild from here (by invalidating docker's cache). ARG FORCE_REBUILD=0 RUN apt-get -y -qq -o Dpkg::Use-Pty=0 update RUN apt-get -y -qq -o Dpkg::Use-Pty=0 -y upgrade RUN apt-get -y -qq -o Dpkg::Use-Pty=0 install --no-install-recommends bash # for the staging scripts and ldd RUN mkdir -p {ARG_STAGING} COPY stage_binaries.sh / RUN /stage_binaries.sh -o {ARG_STAGING} \ -p base-files \ -p bash \ -p coreutils \ -p git \ -p openssh-client \ -p ca-certificates \ -p curl \ -p socat \ -b /bin/grep \ -b /bin/sed \ -f /etc/debian_version \ -f /etc/group \ -f /etc/nsswitch.conf \ -f /etc/os-release \ -f /etc/passwd \ -f /tmp RUN ln -s bash {ARG_STAGING}/bin/sh # Not sure why this is not set up automatically FROM scratch AS intermediate # Docker doesn't do vars in COPY, so we can't use a regular ARG. COPY --from=base {ARG_STAGING} / # This list is not generic - it is specific to git-sync on debian trixie. RUN rm -rf \ /usr/share/base-files \ /usr/share/doc \ /usr/share/man \ /usr/lib/*-linux-gnu/gconv \ /usr/bin/c_rehash \ /usr/bin/git-shell \ /usr/bin/openssl \ /usr/bin/scalar \ /usr/bin/scp \ /usr/bin/sftp \ /usr/bin/ssh-add \ /usr/bin/ssh-agent \ /usr/bin/ssh-keygen \ /usr/bin/ssh-keyscan \ /usr/lib/git-core/git-shell \ /usr/bin/openssl \ /usr/lib/git-core/git-daemon \ /usr/lib/git-core/git-http-backend \ /usr/lib/git-core/git-http-fetch \ /usr/lib/git-core/git-http-push \ /usr/lib/git-core/git-imap-send \ /usr/lib/git-core/git-instaweb \ /usr/lib/git-core/git-sh-i18n--envsubst \ /usr/lib/git-core/scalar \ /usr/lib/openssh/ssh-keysign \ /usr/lib/openssh/ssh-pkcs11-helper \ /usr/lib/openssh/ssh-sk-helper \ /usr/share/gitweb \ /usr/share/locale RUN rm -f /usr/bin/git && ln -s /usr/lib/git-core/git /usr/bin/git # Add the default UID to /etc/passwd so SSH is satisfied. RUN echo "git-sync:x:65533:65533::/tmp:/sbin/nologin" >> /etc/passwd # A user might choose a different UID and set the `--add-user` flag, which # needs to be able to write to /etc/passwd. RUN chmod 0666 /etc/passwd # Add the default GID to /etc/group for completeness. RUN echo "git-sync:x:65533:git-sync" >> /etc/group # Make a directory that can be used to mount volumes. Setting the mode to # include group-write allows users to run this image as a different user, as # long as they use our git-sync group. RUN mkdir -m 02775 /git && chown 65533:65533 /git # When building, we can pass a hash of the licenses tree, which docker checks # against its cache and can force a rebuild from here. ARG HASH_LICENSES=0 # Add third-party licenses. COPY .licenses/ /LICENSES/ # When building, we can pass a hash of the binary, which docker checks against # its cache and can force a rebuild from here. ARG HASH_BINARY=0 # Add the platform-specific binary. COPY bin/{ARG_OS}_{ARG_ARCH}/{ARG_BIN} /{ARG_BIN} ############################################################################# # Now we make a "clean" final image. ############################################################################# FROM scratch COPY --from=intermediate / / # Run as non-root by default. There's simply no reason to run as root. USER 65533:65533 # Setting HOME ensures that whatever UID this ultimately runs as can write to # files like ~/.gitconfig. ENV HOME=/tmp WORKDIR /tmp # Default values for flags. # Git-sync itself does not default the `--root` ($GITSYNC_ROOT) flag, but we # can set a default here, which makes the container image easier to use. The # permissions were set for the default git-sync UID and GID. If the user needs # a different group or sets `--root` ($GITSYNC_ROOT), their values will # override this, and we assume they are handling permissions themselves. ENV GITSYNC_ROOT=/git ENTRYPOINT ["/{ARG_BIN}"]