From 29b7921e83cbce5f9a4e1b7e22885ebf465a1e2e Mon Sep 17 00:00:00 2001
From: Matt Thalman
Date: Mon, 22 Aug 2022 12:11:50 -0500
Subject: [PATCH] Refactor runtime-deps Dockerfile template (#4017)
---
 .../runtime-deps/Dockerfile | 54 +++----------------
 .../Dockerfile.distroless-mariner | 42 +++++++++++++++
 manifest.json | 10 ++--
 3 files changed, 55 insertions(+), 51 deletions(-)
 create mode 100644 eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner
diff --git a/eng/dockerfile-templates/runtime-deps/Dockerfile b/eng/dockerfile-templates/runtime-deps/Dockerfile
index a674a1ef0..c00a064e8 100644
--- a/eng/dockerfile-templates/runtime-deps/Dockerfile
+++ b/eng/dockerfile-templates/runtime-deps/Dockerfile
@@ -3,13 +3,9 @@
 set isAlpine to find(OS_ARCH_HYPHENATED, "Alpine") >= 0 ^
 set isDebian to find(OS_ARCH_HYPHENATED, "Debian") >= 0 ^
 set isUbuntu to find(OS_ARCH_HYPHENATED, "Ubuntu") >= 0 ^
- set isFullMariner to defined(match(OS_VERSION, "^cbl-mariner\d+\.\d+$")) ^
- set isDistrolessMariner to defined(match(OS_VERSION, "^cbl-mariner\d+\.\d+-distroless$")) ^
- set isMariner to isFullMariner || isDistrolessMariner ^
+ set isMariner to defined(match(OS_VERSION, "^cbl-mariner\d+\.\d+$")) ^
 set baseUrl to VARIABLES[cat("base-url|", dotnetVersion, "|", VARIABLES["branch"])] ^
 set isInternal to find(baseUrl, "msrc") >= 0 || find(baseUrl, "internal") >= 0 ^
- set distrolessStagingDir to "/staging" ^
- set marinerRepo to "mcr.microsoft.com/cbl-mariner" ^
 set baseImageRepo to when(isAlpine, cat(ARCH_VERSIONED, "/alpine"),
 when(isDebian,
@@ -17,15 +13,15 @@
 when(isUbuntu, cat(ARCH_VERSIONED, "/ubuntu"),
 when(isMariner,
- cat(marinerRepo, "/base/core"),
+ "mcr.microsoft.com/cbl-mariner/base/core",
 "")))) ^
 set baseImageTag to when(isAlpine || isMariner, OS_VERSION_NUMBER, OS_VERSION) ^
- set isSingleStage to !isDistrolessMariner && !(isFullMariner && isInternal) ^
+ set isSingleStage to !(isMariner && isInternal) ^
 set urlSuffix to when(isInternal, "$SAS_QUERY_STRING", "") ^
 set rpmFilename to "dotnet-runtime-deps.rpm"
 }}{{ if !isSingleStage:# Installer image
-}}FROM {{baseImageRepo}}:{{baseImageTag}}{{if !isSingleStage: AS installer}}{{ if isInternal && isFullMariner:
+}}FROM {{baseImageRepo}}:{{baseImageTag}}{{if !isSingleStage: AS installer}}{{ if isInternal && isMariner:
 ARG SAS_QUERY_STRING
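Review bot: `set isSingleStage to !(isMariner && isInternal)` together with the `{{ if isInternal && isMariner:` / `ARG SAS_QUERY_STRING` pair encodes a security-relevant build decision with no explanation: the SAS-authenticated download is confined to the `installer` stage, which appears to be what keeps the token out of the published image's layers and history (inferred from the stage layout, not stated anywhere). A short comment would keep a future refactor from collapsing internal Mariner builds back into a single stage; since `# Installer image` is already rendered only when `!isSingleStage`, extending it is enough, e.g. `# Installer image (internal builds): the SAS-authenticated RPM download stays in this discarded stage`. The variable header block and the installer stage both continue outside this hunk.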
@@ -35,41 +31,10 @@ RUN {{InsertTemplate("Dockerfile.download-runtime-deps-pkg",
 "filename": rpmFilename,
 "is-internal": isInternal
 ], " ")}}}}
-{{ if isDistrolessMariner && find(OS_VERSION, "1.0") >= 0:
-RUN {{InsertTemplate("../Dockerfile.linux.install-pkgs",
- [
- "pkgs": ["dnf"]
- ])}}
+{{if isMariner && isInternal:FROM {{baseImageRepo}}:{{baseImageTag}} }}
-{{if isDistrolessMariner:# Install .NET's dependencies into a staging location
-^elif isMariner && isInternal:FROM {{baseImageRepo}}:{{baseImageTag}}
-
-}}RUN {{if isDistrolessMariner:mkdir {{distrolessStagingDir}} \
- && }}{{InsertTemplate("../Dockerfile.linux.install-deps", ["distroless-staging-dir": distrolessStagingDir])}}
-{{ if isDistrolessMariner:
-# Create a non-root user and group
-RUN {{if find(OS_VERSION, "1.0") < 0:tdnf install -y shadow-utils \
- && tdnf clean all \
- && }}{{InsertTemplate("Dockerfile.linux.distroless-user", [], " ")}} \
- # Copy user/group info to staging
- && cp /etc/passwd {{distrolessStagingDir}}/etc/passwd \
- && cp /etc/group {{distrolessStagingDir}}/etc/group
-
-# Clean up staging
-RUN rm -rf {{distrolessStagingDir}}/etc/{{when(find(OS_VERSION, "1.0") >= 0, "dnf", "tdnf")}} \
- && rm -rf {{distrolessStagingDir}}/run/* \
- && rm -rf {{distrolessStagingDir}}/var/cache/{{when(find(OS_VERSION, "1.0") >= 0, "dnf", "tdnf")}} \
- && rm -rf {{distrolessStagingDir}}/var/lib/rpm \
- && rm -rf {{distrolessStagingDir}}/usr/share/doc \
- && rm -rf {{distrolessStagingDir}}/usr/share/man \
- && find {{distrolessStagingDir}}/var/log -type f -size +0 -delete
-
-
-# .NET runtime-deps image
-FROM {{marinerRepo}}/distroless/minimal:{{OS_VERSION_NUMBER}}
-
-COPY --from=installer {{distrolessStagingDir}}/ /
-^elif isFullMariner:
+RUN {{InsertTemplate("../Dockerfile.linux.install-deps")}}
+{{ if isMariner:
 {{if isInternal:{{InsertTemplate("../Dockerfile.linux.copy-files", [
 "files": [
@@ -87,7 +52,4 @@ COPY --from=installer {{distrolessStagingDir}}/ /
 "filename": rpmFilename
 ])}}
 }}
-{{InsertTemplate("../Dockerfile.common-dotnet-envs") ^
-if isDistrolessMariner:
-
-USER app}}
+{{InsertTemplate("../Dockerfile.common-dotnet-envs")}}
diff --git a/eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner b/eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner
new file mode 100644
index 000000000..9d82c3128
--- /dev/null
+++ b/eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner
@@ -0,0 +1,42 @@
+{{
+ set isDistrolessMariner to defined(match(OS_VERSION, "^cbl-mariner\d+\.\d+-distroless$")) ^
+ set distrolessStagingDir to "/staging" ^
+ set marinerRepo to "mcr.microsoft.com/cbl-mariner"
+}}# Installer image
+FROM {{marinerRepo}}/base/core:{{OS_VERSION_NUMBER}} AS installer
+{{ if find(OS_VERSION, "1.0") >= 0:
+RUN {{InsertTemplate("../Dockerfile.linux.install-pkgs",
+ [
+ "pkgs": ["dnf"]
+ ])}}
+}}
+# Install .NET's dependencies into a staging location
+RUN mkdir {{distrolessStagingDir}} \
+ && {{InsertTemplate("../Dockerfile.linux.install-deps", ["distroless-staging-dir": distrolessStagingDir])}}
+{{ if isDistrolessMariner:
+# Create a non-root user and group
+RUN {{if find(OS_VERSION, "1.0") < 0:tdnf install -y shadow-utils \
+ && tdnf clean all \
+ && }}{{InsertTemplate("Dockerfile.linux.distroless-user", [], " ")}} \
+ # Copy user/group info to staging
+ && cp /etc/passwd {{distrolessStagingDir}}/etc/passwd \
+ && cp /etc/group {{distrolessStagingDir}}/etc/group
+
+# Clean up staging
+RUN rm -rf {{distrolessStagingDir}}/etc/{{when(find(OS_VERSION, "1.0") >= 0, "dnf", "tdnf")}} \
+ && rm -rf {{distrolessStagingDir}}/run/* \
+ && rm -rf {{distrolessStagingDir}}/var/cache/{{when(find(OS_VERSION, "1.0") >= 0, "dnf", "tdnf")}} \
+ && rm -rf {{distrolessStagingDir}}/var/lib/rpm \
+ && rm -rf {{distrolessStagingDir}}/usr/share/doc \
+ && rm -rf {{distrolessStagingDir}}/usr/share/man \
+ && find {{distrolessStagingDir}}/var/log -type f -size +0 -delete
+
+
+# .NET runtime-deps image
+FROM {{marinerRepo}}/distroless/minimal:{{OS_VERSION_NUMBER}}
+
+COPY --from=installer {{distrolessStagingDir}}/ /}}
+
+{{InsertTemplate("../Dockerfile.common-dotnet-envs")}}
+
+USER app
diff --git a/manifest.json b/manifest.json
index bac64569b..7b7bf9305 100644
--- a/manifest.json
+++ b/manifest.json
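Review bot: The `{{ if isDistrolessMariner:` guard that starts at `# Create a non-root user and group` closes on the `COPY --from=installer` line, so `USER app` and the envs template sit outside it; if OS_VERSION ever failed to match `-distroless`, the rendered Dockerfile would be a single `base/core` installer image that ends with `USER app` naming an account that was never created, failing at container start rather than at build. Every manifest.json entry in this patch that routes to this template has a `cbl-mariner*-distroless` osVersion, so the guard protects nothing; either drop it and render the distroless stages unconditionally, or move `USER app` inside the guard so the fallback is at least a consistent image. Separately, `rm -rf {{distrolessStagingDir}}/var/lib/rpm` discards the package database for everything install-deps staged, so the final image seems to carry no record of those packages for vulnerability scanners (depends on what install-deps and the base distroless image provide, which is not visible here); if that is intended, say so with a comment such as `# NOTE: staged packages are not recorded in the final image's rpm database`, otherwise retain a manifest for them.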
@@ -758,7 +758,7 @@
 "platforms": [
 {
 "dockerfile": "src/runtime-deps/6.0/cbl-mariner1.0-distroless/amd64",
- "dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile",
+ "dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner",
 "os": "linux",
 "osVersion": "cbl-mariner1.0-distroless",
 "tags": {
@@ -797,7 +797,7 @@
 "platforms": [
 {
 "dockerfile": "src/runtime-deps/6.0/cbl-mariner2.0-distroless/amd64",
- "dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile",
+ "dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner",
 "os": "linux",
 "osVersion": "cbl-mariner2.0-distroless",
 "tags": {
@@ -824,7 +824,7 @@
 {
 "architecture": "arm64",
 "dockerfile": "src/runtime-deps/6.0/cbl-mariner2.0-distroless/arm64v8",
- "dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile",
+ "dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner",
 "os": "linux",
 "osVersion": "cbl-mariner2.0-distroless",
 "tags": {
@@ -1104,7 +1104,7 @@
 "platforms": [
 {
 "dockerfile": "src/runtime-deps/6.0/cbl-mariner2.0-distroless/amd64",
- "dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile",
+ "dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner",
 "os": "linux",
 "osVersion": "cbl-mariner2.0-distroless",
 "tags": {
@@ -1131,7 +1131,7 @@
 {
 "architecture": "arm64",
 "dockerfile": "src/runtime-deps/6.0/cbl-mariner2.0-distroless/arm64v8",
- "dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile",
+ "dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner",
 "os": "linux",
 "osVersion": "cbl-mariner2.0-distroless",
 "tags": {