kubernetes
/
git-sync
mirror of https://github.com/kubernetes/git-sync.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
git-sync/Dockerfile.in

164 lines
5.9 KiB
Docker
Raw Permalink Blame History

# Copyright 2016 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# HOW TO USE THIS CONTAINER:
#
# The only commandline argument (or env var) that is really required is
# `--repo` ($GITSYNC_REPO). Everything else is optional (run this with
# `--man` for details).
#
# This container will run as UID:GID 65533:65533 by default. For most users,
# the simplest ways to use this container are either:
# a) use the default UID/GID and mount a volume on /git writeable by those
# b) set your own UID/GID and mount a volume on /git writeable by those
#
# If you mount a volume anywhere else, you must set `--root` ($GITSYNC_ROOT).
# If you do not mount a volume, this will run but you can't access the results
# (which might be useful for testing, but not much else).
#
# Newly created docker volumes (the very first `docker run -v`) are initialized
# based on the in-image mountpoint's UID/GID?mode, so another solution for
# using this with docker is to set your own UID/GID and also add the default
# GID as a supplemental group (see `docker run --group-add`).
#
# Kubernetes offers `Pod.spec.securityContext.fsGroup` to manage volume
# permissions.
#
# If you set any UID other than the default and want to use git over SSH, you
# should set `--add-user` ($GITSYNC_ADD_USER).
#############################################################################
# First we prepare the image that we want, regardless of build layers.
#############################################################################
FROM {ARG_FROM} AS base
# When building, we can pass a unique value (e.g. `date +%s`) for this arg,
# which will force a rebuild from here (by invalidating docker's cache).
ARG FORCE_REBUILD=0
RUN apt-get -y -qq -o Dpkg::Use-Pty=0 update
RUN apt-get -y -qq -o Dpkg::Use-Pty=0 -y upgrade
RUN apt-get -y -qq -o Dpkg::Use-Pty=0 install --no-install-recommends bash # for the staging scripts and ldd
RUN mkdir -p {ARG_STAGING}
COPY stage_binaries.sh /
RUN /stage_binaries.sh -o {ARG_STAGING} \
-p base-files \
-p bash \
-p coreutils \
-p git \
-p openssh-client \
-p ca-certificates \
-p curl \
-p socat \
-b /bin/grep \
-b /bin/sed \
-f /etc/debian_version \
-f /etc/group \
-f /etc/nsswitch.conf \
-f /etc/os-release \
-f /etc/passwd \
-f /tmp
RUN ln -s bash {ARG_STAGING}/bin/sh # Not sure why this is not set up automatically
FROM scratch AS intermediate
# Docker doesn't do vars in COPY, so we can't use a regular ARG.
COPY --from=base {ARG_STAGING} /
# This list is not generic - it is specific to git-sync on debian trixie.
RUN rm -rf \
/usr/share/base-files \
/usr/share/doc \
/usr/share/man \
/usr/lib/*-linux-gnu/gconv \
/usr/bin/c_rehash \
/usr/bin/git-shell \
/usr/bin/openssl \
/usr/bin/scalar \
/usr/bin/scp \
/usr/bin/sftp \
/usr/bin/ssh-add \
/usr/bin/ssh-agent \
/usr/bin/ssh-keygen \
/usr/bin/ssh-keyscan \
/usr/lib/git-core/git-shell \
/usr/bin/openssl \
/usr/lib/git-core/git-daemon \
/usr/lib/git-core/git-http-backend \
/usr/lib/git-core/git-http-fetch \
/usr/lib/git-core/git-http-push \
/usr/lib/git-core/git-imap-send \
/usr/lib/git-core/git-instaweb \
/usr/lib/git-core/git-sh-i18n--envsubst \
/usr/lib/git-core/scalar \
/usr/lib/openssh/ssh-keysign \
/usr/lib/openssh/ssh-pkcs11-helper \
/usr/lib/openssh/ssh-sk-helper \
/usr/share/gitweb \
/usr/share/locale
RUN rm -f /usr/bin/git && ln -s /usr/lib/git-core/git /usr/bin/git
# Add the default UID to /etc/passwd so SSH is satisfied.
RUN echo "git-sync:x:65533:65533::/tmp:/sbin/nologin" >> /etc/passwd
# A user might choose a different UID and set the `--add-user` flag, which
# needs to be able to write to /etc/passwd.
RUN chmod 0666 /etc/passwd
# Add the default GID to /etc/group for completeness.
RUN echo "git-sync:x:65533:git-sync" >> /etc/group
# Make a directory that can be used to mount volumes. Setting the mode to
# include group-write allows users to run this image as a different user, as
# long as they use our git-sync group.
RUN mkdir -m 02775 /git && chown 65533:65533 /git
# When building, we can pass a hash of the licenses tree, which docker checks
# against its cache and can force a rebuild from here.
ARG HASH_LICENSES=0
# Add third-party licenses.
COPY .licenses/ /LICENSES/
# When building, we can pass a hash of the binary, which docker checks against
# its cache and can force a rebuild from here.
ARG HASH_BINARY=0
# Add the platform-specific binary.
COPY bin/{ARG_OS}_{ARG_ARCH}/{ARG_BIN} /{ARG_BIN}
#############################################################################
# Now we make a "clean" final image.
#############################################################################
FROM scratch
COPY --from=intermediate / /
# Run as non-root by default. There's simply no reason to run as root.
USER 65533:65533
# Setting HOME ensures that whatever UID this ultimately runs as can write to
# files like ~/.gitconfig.
ENV HOME=/tmp
WORKDIR /tmp
# Default values for flags.
# Git-sync itself does not default the `--root` ($GITSYNC_ROOT) flag, but we
# can set a default here, which makes the container image easier to use. The
# permissions were set for the default git-sync UID and GID. If the user needs
# a different group or sets `--root` ($GITSYNC_ROOT), their values will
# override this, and we assume they are handling permissions themselves.
ENV GITSYNC_ROOT=/git
ENTRYPOINT ["/{ARG_BIN}"]
Reference in New Issue View Git Blame Copy Permalink