#
# Sysbox Test Container Dockerfile (Ubuntu-Focal image)
#
# This Dockerfile creates the sysbox test container image. The image
# contains all dependencies needed to build, run, and test sysbox.
#
# The image does not contain sysbox itself; the sysbox repo
# must be bind mounted into the image. It can then be built,
# installed, and executed within the container.
#
# The image must be run as a privileged container (i.e., docker run --privileged ...)
# Refer to the sysbox Makefile test targets.
#
# This Dockerfile is based on a similar Dockerfile in the OCI runc
# github repo, but adapted to sysbox testing.
#
# Instructions:
#
# docker build -t sysbox-test .
#
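# Base image. The tag pins a release name but not a digest; pin by digest
# (FROM ubuntu:focal@sha256:<digest>) if fully reproducible builds are required.
FROM ubuntu:focal

# K8s version for k8s-in-docker (i.e., this is the version of K8s running inside
# the k8s-in-docker container).
ARG k8s_version=v1.20.2

# Desired platform architecture to build upon (amd64 or arm64 are the values the
# protoc step below understands). No default: the Go, protoc, crictl and dasel
# download URLs below embed it, so the build must be given --build-arg sys_arch=...
ARG sys_arch
ENV SYS_ARCH=${sys_arch}

ARG target_arch
ENV TARGET_ARCH=${target_arch}

# CRI-O & crictl version for testing sysbox pods; CRI-O 1.20 is required as it
# introduces rootless pod support (via the Linux user-ns)
ARG crio_version=1.20
ARG crio_os=xUbuntu_20.04
ARG crictl_version=v1.20.0

# NOTE(review): this is baked into the runtime environment, not just the build;
# presumably intentional so apt stays non-interactive inside the test container
# as well — confirm. A build-only ARG would otherwise be the usual choice.
ENV DEBIAN_FRONTEND=noninteractive

# Run every RUN under bash with pipefail, so that a failing producer in the
# "curl ... | apt-key add -" pipelines further down fails the build instead of
# being masked by the consumer's exit status.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]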
# OS packages, grouped by purpose (the package set itself is unchanged).
# Recommends are skipped and the apt lists are dropped in the same layer to
# keep the image small.
#
# NOTE(review): the ssh-keygen call bakes a freshly generated root key pair into
# the image, and the ssh_config line relaxes host-key checking for every ssh
# client in it. Acceptable only for a private, throwaway test image — confirm
# nothing else depends on this key.
RUN apt-get update && apt-get install -y --no-install-recommends \
    # cross toolchains (amd64, arm64, armel, armhf)
    gcc-x86-64-linux-gnu \
    libc6-dev-amd64-cross \
    linux-libc-dev-amd64-cross \
    gcc-aarch64-linux-gnu \
    libc6-dev-arm64-cross \
    linux-libc-dev-arm64-cross \
    gcc-arm-linux-gnueabi \
    libc6-dev-armel-cross \
    linux-libc-dev-armel-cross \
    gcc-arm-linux-gnueabihf \
    libc6-dev-armhf-cross \
    linux-libc-dev-armhf-cross \
    # build tooling
    autoconf \
    automake \
    build-essential \
    gperf \
    libtool \
    pkg-config \
    protobuf-c-compiler \
    protobuf-compiler \
    python3 \
    shellcheck \
    # development libraries
    libaio-dev \
    libcap-dev \
    libnet-dev \
    libnl-3-dev \
    libprotobuf-dev \
    libseccomp-dev \
    libseccomp2 \
    # system and networking utilities
    acl \
    attr \
    bc \
    ca-certificates \
    curl \
    fuse \
    gawk \
    git \
    iproute2 \
    iptables \
    iputils-ping \
    jq \
    kmod \
    lsb-release \
    lsof \
    net-tools \
    procps \
    psmisc \
    rsync \
    ssh-client \
    strace \
    sudo \
    time \
    tree \
    uidmap \
    unzip \
    wget \
    # interactive convenience
    bash-completion \
    less \
    nano \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* \
    && echo ". /etc/bash_completion" >> /etc/bash.bashrc \
    && ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa \
    && echo " StrictHostKeyChecking accept-new" >> /etc/ssh/ssh_config
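# Install Golang. The version is an ARG so it can be overridden at build time
# (--build-arg go_version=...), and the tarball is removed in the same layer so
# it no longer lingers at / in the image.
#
# NOTE(review): the archive is not checksum-verified; go.dev publishes a SHA256
# per release that could be checked before extracting.
ARG go_version=1.19.6
RUN wget -nv "https://go.dev/dl/go${go_version}.linux-${sys_arch}.tar.gz" \
    && tar -C /usr/local -xzf "go${go_version}.linux-${sys_arch}.tar.gz" \
    && rm -f "go${go_version}.linux-${sys_arch}.tar.gz"

ENV GOPATH=/go
ENV PATH=$GOPATH/bin:/usr/local/go/bin:$PATH

# Skip checksum-database lookups for modules under /root/nestybox (where the
# sysbox repo is bind-mounted; see WORKDIR at the end). This used to be written
# twice (once via the absolute go path, once here); once is enough.
# The GOPATH is made world-writable — presumably so the non-root test user
# created below can also build in it; confirm before tightening.
RUN go env -w GONOSUMDB=/root/nestybox \
    && mkdir -p "$GOPATH/src" "$GOPATH/bin" \
    && chmod -R 777 "$GOPATH"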
# Dummy user for the rootless integration tests; needed by the `git clone`
# operations below. Long-form flags for readability: uid 1000, home created at
# /home/rootless, bash as login shell.
RUN useradd --uid 1000 --create-home --home-dir /home/rootless --shell /bin/bash rootless
# Install bats, pinned to a specific commit of sstephenson/bats, into
# /usr/local. The clone is made directly into /tmp/bats and removed once
# installed; install.sh is still run from inside the checkout.
RUN git clone https://github.com/sstephenson/bats.git /tmp/bats \
    && git -C /tmp/bats reset --hard 03608115df2071fff4eaaff1605768c275e5f81f \
    && cd /tmp/bats \
    && ./install.sh /usr/local \
    && rm -rf /tmp/bats
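# Install the protoc compiler (for gRPC) under $HOME/.local, plus the Go
# protobuf plugin. Only amd64 and arm64 are mapped to a protoc asset name; any
# other $sys_arch aborts the build with `exit 1` (the previous bare `exit`
# returned the status of the preceding echo, i.e. success, and silently left
# protoc out of the image). curl uses -f so an HTTP error page is not saved as
# the archive, and the zip is removed in the same layer.
#
# The `export PATH=...` lines that used to end this step only affected this
# RUN's own shell, not later layers, so protoc was never on the image PATH
# (unless a test script adds it). The ENV below does that instead; root's
# $HOME is /root, matching the unzip target above.
#
# NOTE(review): protoc-gen-go is fetched at @latest, so the plugin version is
# not reproducible; pin it once the generated code is known to match.
ARG protoc_version=3.15.8
RUN if [ "$sys_arch" = "amd64" ]; then arch_str="x86_64"; \
    elif [ "$sys_arch" = "arm64" ]; then arch_str="aarch_64"; \
    else echo "Unsupported platform: ${sys_arch}" >&2; exit 1; fi \
    && curl -fsSLO "https://github.com/protocolbuffers/protobuf/releases/download/v${protoc_version}/protoc-${protoc_version}-linux-${arch_str}.zip" \
    && unzip -q "protoc-${protoc_version}-linux-${arch_str}.zip" -d "$HOME/.local" \
    && rm -f "protoc-${protoc_version}-linux-${arch_str}.zip" \
    && go install github.com/golang/protobuf/protoc-gen-go@latest
ENV PATH=$PATH:/root/.local/bin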
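# Install Docker via the convenience script; the script is removed in the same
# layer so it no longer lingers at / in the image.
#
# NOTE(review): this installs whatever the script currently offers, so the
# Docker version in the image drifts between builds. The script honors a
# VERSION environment variable for pinning — confirm against the script
# before relying on it.
RUN curl -fsSL https://get.docker.com -o get-docker.sh \
    && sh get-docker.sh \
    && rm -f get-docker.sh

# Docker CLI bash completion. Fetched with curl -f (fails on HTTP errors)
# rather than a bare `ADD <url>`, which cannot verify a checksum.
# NOTE(review): the file is taken from the master branch, so its content is
# not pinned; a tagged ref would make this reproducible.
RUN mkdir -p /etc/bash_completion.d \
    && curl -fsSL https://raw.githubusercontent.com/docker/docker-ce/master/components/cli/contrib/completion/bash/docker \
       -o /etc/bash_completion.d/docker.sh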
# Delve (dlv), the Go debugger, for debugging inside the container.
# NOTE(review): installed at @latest, so the version is not reproducible.
RUN go install "github.com/go-delve/delve/cmd/dlv@latest"
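# Install kubectl for the k8s-in-docker integration tests. The version is pinned
# to ${k8s_version} so the client matches the K8s release deployed in the
# k8s-in-docker nodes (L2): the Debian package version is the release number
# without its "v" prefix plus the "-00" revision.
#
# `sudo` was dropped (this stage already runs as root), curl fails on HTTP
# errors (-f) instead of feeding an error page to apt-key, and `-y` keeps
# apt-get from stalling on a confirmation prompt.
# NOTE(review): apt-key is deprecated; move to a [signed-by=...] keyring when
# this apt source is next updated.
RUN curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add - \
    && echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" >> /etc/apt/sources.list.d/kubernetes.list \
    && apt-get update \
    && apt-get install -y "kubectl:${sys_arch}=${k8s_version#v}-00" \
    && apt-get clean -y \
    && rm -rf /var/lib/apt/lists/*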
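# CRI-O and crictl for testing deployment of pods with sysbox (aka "sysbox pods").
# Two OBS repos are added: the generic libcontainers one and the
# version-specific cri-o one. `sudo` was dropped (the stage runs as root), curl
# fails on HTTP errors (-f) rather than piping an error page into apt-key, and
# the apt lists are removed in the same layer, as in the other apt steps.
# NOTE(review): apt-key is deprecated in favour of [signed-by=...] keyrings,
# and the crictl tarball is not checksum-verified.
RUN echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/${crio_os}/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list \
    && echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/${crio_version}/${crio_os}/ /" > "/etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:${crio_version}.list" \
    && curl -fsSL "https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:${crio_version}/${crio_os}/Release.key" | apt-key add - \
    && curl -fsSL "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/${crio_os}/Release.key" | apt-key add - \
    && apt-get update \
    && apt-get install -y --no-install-recommends "conntrack:${sys_arch}" "cri-o:${sys_arch}" "cri-o-runc:${sys_arch}" \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* \
    && wget -nv "https://github.com/kubernetes-sigs/cri-tools/releases/download/${crictl_version}/crictl-${crictl_version}-linux-${sys_arch}.tar.gz" \
    && tar -xzf "crictl-${crictl_version}-linux-${sys_arch}.tar.gz" -C /usr/local/bin \
    && rm -f "crictl-${crictl_version}-linux-${sys_arch}.tar.gz"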
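# Container CNI plugins (needed by CRI-O), built from the v0.9.1 tag and
# installed under /opt/cni/bin. The checkout now lives in /tmp and is deleted
# once the binaries are copied, so the source tree and its .git history no
# longer persist in the image (previously left under /root/plugins).
# NOTE(review): nothing in this Dockerfile reads /root/plugins afterwards;
# confirm the scripts under scr/ don't either.
RUN git clone https://github.com/containernetworking/plugins /tmp/cni-plugins \
    && cd /tmp/cni-plugins \
    && git checkout -b v0.9.1 v0.9.1 \
    && ./build_linux.sh \
    && mkdir -p /opt/cni/bin \
    && cp bin/* /opt/cni/bin/ \
    && rm -rf /tmp/cni-plugins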
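# Dasel (for yaml, toml, json parsing) (https://github.com/TomWright/dasel)
# Note: manually download Dasel v1 as our testContainerInit script does not yet
# support Dasel v2. The version is an ARG so it can be bumped without editing
# the URL, and `install` sets the mode and places the binary in one step (the
# download itself is removed in the same layer).
# NOTE(review): the binary is not checksum-verified.
ARG dasel_version=v1.27.2
RUN wget -nv "https://github.com/TomWright/dasel/releases/download/${dasel_version}/dasel_linux_${sys_arch}" \
    && install -m 0755 "dasel_linux_${sys_arch}" /usr/local/bin/dasel \
    && rm -f "dasel_linux_${sys_arch}"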
# Use the old definition for SECCOMP_IOCTL_NOTIF_ID_VALID in
# /usr/include/linux/seccomp.h.
#
# This is needed because the definition changed in the mainline kernel
# on 06/2020 (from SECCOMP_IOR -> SECCOMP_IOW), and some distros we
# support have picked it up in their latest releases / kernels
# updates. The kernel change was backward compatible, so by using the
# old definition, we are guaranteed it will work on kernels before and
# after the change. On the other hand, if we were to use the new
# definition, seccomp notify would fail when sysbox runs in old
# kernels.
#
# The substitution is a no-op on a header that still carries the old
# (SECCOMP_IOR) definition, which is presumably the intent. A "|" delimiter is
# used so the parentheses and commas in the macro need no escaping.
RUN sed -i \
    -e 's|^#define SECCOMP_IOCTL_NOTIF_ID_VALID[ \t]*SECCOMP_IOW(2, __u64)|#define SECCOMP_IOCTL_NOTIF_ID_VALID SECCOMP_IOR(2, __u64)|g' \
    /usr/include/linux/seccomp.h
# sysbox env: the /var/lib/sysboxfs directory and a "sysbox" user account
# (the two steps are independent; order is cosmetic).
RUN mkdir -p /var/lib/sysboxfs \
    && useradd sysbox
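# Test scripts and helper binaries. The trailing "/" makes it explicit that the
# destination is the existing /usr/bin directory rather than a file named "bin".
COPY scr/testContainerInit /usr/bin/
COPY scr/testContainerCleanup /usr/bin/
COPY scr/buildContainerInit /usr/bin/
COPY scr/sindTestContainerInit /usr/bin/
COPY bin/userns_child_exec_${sys_arch} /usr/bin/

# The sysbox repo is bind-mounted here at run time (see the header comment).
# WORKDIR creates the directory and its parent if missing, so the separate
# `mkdir -p /root/nestybox` layer was redundant and has been dropped.
WORKDIR /root/nestybox/sysbox

# Exec form so bash is PID 1 and receives signals directly, instead of running
# under an intermediate "sh -c". No USER is set on purpose: the image is run
# --privileged to build and exercise sysbox (see the header comment).
CMD ["/bin/bash"]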