# Copyright 2016 The Kubernetes Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # HOW TO USE THIS CONTAINER: # # For most users, the simplest way to use this container is to mount a volume # on /git. The only commandline argument (or env var) that is really required # is `--repo` ($GIT_SYNC_REPO). Everything else is optional (run this with # `--man` for details). # # This container will run as UID:GID 65533:65533 by default, and unless you # change that, you do not need to think about permissions much. If you run # into permissions problems, this might help: # # - User does not mount a volume # => should work, but limited utility # # - User mounts a new docker volume on /git # => should work # # - User mounts an existing docker volume on /git # => if the volume already exists with compatible permissions it should work # => if the volume already exists with different permissions you can either # set the container UID or GID(s) or you can chown the volume # # - User mounts an existing dir on /git # => set container UID or GID(s) to be able to access that dir # # - User sets a different UID and git-sync GID # => should work # # - User sets a different GID # => either add the git-sync GID or else set --root, mount a volume, # and manage volume permissions to access that volume ############################################################################# # First we prepare the image that we want, regardless of build layers. ############################################################################# FROM {ARG_FROM} as prep # When building, we can pass a unique value (e.g. `date +%s`) for this arg, # which will force a rebuild from here (by invalidating docker's cache). ARG FORCE_REBUILD=0 RUN apt-get -q -y update RUN apt-get -q -y upgrade RUN apt-get -q -y install --no-install-recommends \ ca-certificates \ coreutils \ socat \ openssh-client \ git RUN apt-get -q -y autoremove RUN rm -rf /var/lib/apt/lists/* # Add the default UID to /etc/passwd so SSH is satisfied. RUN echo "git-sync:x:65533:65533::/tmp:/sbin/nologin" >> /etc/passwd # A user might choose a different UID and set the --add-user flag, which needs # to be able to write to /etc/passwd. RUN chmod 0666 /etc/passwd # Add the default GID to /etc/group for completeness. RUN echo "git-sync:x:65533:git-sync" >> /etc/group # Make a directory that can be used to mount volumes. Git-sync itself does not # default the --root ($GIT_SYNC_ROOT) flag, but we can set a default here, # which makes the container image easier to use. Setting the mode to include # group-write allows users to run this image as a different user, as long as # they use our git-sync group. If the user needs a different group or sets # $GIT_SYNC_ROOT or --root, their values will override this, and we assume they # are handling permissions themselves. RUN mkdir -m 02775 /git && chown 65533:65533 /git # When building, we can pass a hash of the licenses tree, which docker checks # against its cache and can force a rebuild from here. ARG HASH_LICENSES=0 # Add third-party licenses. COPY .licenses/ /LICENSES/ # When building, we can pass a hash of the binary, which docker checks against # its cache and can force a rebuild from here. ARG HASH_BINARY=0 # Add the platform-specific binary. COPY bin/{ARG_OS}_{ARG_ARCH}/{ARG_BIN} /{ARG_BIN} ############################################################################# # Now we make a "clean" final image. ############################################################################# FROM scratch COPY --from=prep / / # Run as non-root by default. There's simply no reason to run as root. USER 65533:65533 # Setting HOME ensures that whatever UID this ultimately runs as can write to # files like ~/.gitconfig. ENV HOME=/tmp WORKDIR /tmp # Default values for flags. ENV GIT_SYNC_ROOT=/tmp/git ENTRYPOINT ["/{ARG_BIN}"]