DockerCLI/Dockerfile

# syntax=docker/dockerfile:1

ARG BASE_VARIANT=alpine
ARG GO_VERSION=1.18.9
ARG ALPINE_VERSION=3.16
ARG XX_VERSION=1.1.0

FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx

FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS build-base-alpine
COPY --from=xx / /
RUN apk add --no-cache clang lld llvm file git
WORKDIR /go/src/github.com/docker/cli

FROM build-base-alpine AS build-alpine
ARG TARGETPLATFORM
# gcc is installed for libgcc only
RUN xx-apk add --no-cache musl-dev gcc

FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-buster AS build-base-buster
COPY --from=xx / /
RUN apt-get update && apt-get install --no-install-recommends -y clang lld file
WORKDIR /go/src/github.com/docker/cli

FROM build-base-buster AS build-buster
ARG TARGETPLATFORM
RUN xx-apt install --no-install-recommends -y libc6-dev libgcc-8-dev

FROM build-${BASE_VARIANT} AS build
# GO_LINKMODE defines if static or dynamic binary should be produced
ARG GO_LINKMODE=static
# GO_BUILDTAGS defines additional build tags
ARG GO_BUILDTAGS
# GO_STRIP strips debugging symbols if set
ARG GO_STRIP
# CGO_ENABLED manually sets if cgo is used
ARG CGO_ENABLED
# VERSION sets the version for the produced binary
ARG VERSION
RUN --mount=ro --mount=type=cache,target=/root/.cache \
    --mount=from=dockercore/golang-cross:xx-sdk-extras,target=/xx-sdk,src=/xx-sdk \
    --mount=type=tmpfs,target=cli/winresources \
    xx-go --wrap && \
    # export GOCACHE=$(go env GOCACHE)/$(xx-info)$([ -f /etc/alpine-release ] && echo "alpine") && \
    TARGET=/out ./scripts/build/binary && \
    xx-verify $([ "$GO_LINKMODE" = "static" ] && echo "--static") /out/docker

FROM build-base-${BASE_VARIANT} AS dev
COPY . .

FROM scratch AS binary
COPY --from=build /out .
[20.10] Dockerfile: use syntax=docker/dockerfile:1 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2022-08-19 10:50:01 -04:00			`# syntax=docker/dockerfile:1`
dockerfile based binary building Using cross compilation toolchains that work from any platform Adds darwin/arm64 support and bake targets. Static and dynamic binary targets are available, both with glibc and musl. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit 6423da8dcd076433b2629cfababa0fde9965b389) Signed-off-by: Tibor Vass <tibor@docker.com> 2021-03-03 02:03:02 -05:00
			`ARG BASE_VARIANT=alpine`
[20.10] update to go1.18.9 Includes security fixes for net/http (CVE-2022-41717, CVE-2022-41720), and os (CVE-2022-41720). These minor releases include 2 security fixes following the security policy: - os, net/http: avoid escapes from os.DirFS and http.Dir on Windows The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permitted access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") would open the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory \(the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. The behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error. This is CVE-2022-41720 and Go issue https://go.dev/issue/56694. - net/http: limit canonical header cache by bytes, not entries An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection. This issue is also fixed in golang.org/x/net/http2 vX.Y.Z, for users manually configuring HTTP/2. Thanks to Josselin Costanzi for reporting this issue. This is CVE-2022-41717 and Go issue https://go.dev/issue/56350. View the release notes for more information: https://go.dev/doc/devel/release#go1.18.9 And the milestone on the issue tracker: https://github.com/golang/go/issues?q=milestone%3AGo1.18.9+label%3ACherryPickApproved Full diff: https://github.com/golang/go/compare/go1.18.8...go1.18.9 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2022-12-06 17:07:52 -05:00			`ARG GO_VERSION=1.18.9`
Dockerfile: add ALPINE_VERSION build-arg This allows us to pin to a specific version of Alpine, in case the golang:alpine image switches to a newer version, which may at times be incompatible, e.g. see https://github.com/moby/moby/issues/44570 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 1b0d6fc804a7333b96615e9a2835ccffc1281343) Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2022-12-04 08:01:30 -05:00			`ARG ALPINE_VERSION=3.16`
Dockerfile: update xx to 1.1 Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit 40d8016627cc78988fc03f45d6540bf65a39b4f9) Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2022-03-26 01:57:27 -04:00			`ARG XX_VERSION=1.1.0`
dockerfile based binary building Using cross compilation toolchains that work from any platform Adds darwin/arm64 support and bake targets. Static and dynamic binary targets are available, both with glibc and musl. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit 6423da8dcd076433b2629cfababa0fde9965b389) Signed-off-by: Tibor Vass <tibor@docker.com> 2021-03-03 02:03:02 -05:00
Dockerfile: update tonistiigi/xx to 1.0.0-rc.2, add XX_VERSION arg Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 47c7a096ff0180599e67a7aaffbd5941038525a3) Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2021-09-15 06:47:50 -04:00			`FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx`
dockerfile based binary building Using cross compilation toolchains that work from any platform Adds darwin/arm64 support and bake targets. Static and dynamic binary targets are available, both with glibc and musl. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit 6423da8dcd076433b2629cfababa0fde9965b389) Signed-off-by: Tibor Vass <tibor@docker.com> 2021-03-03 02:03:02 -05:00
Dockerfile: add ALPINE_VERSION build-arg This allows us to pin to a specific version of Alpine, in case the golang:alpine image switches to a newer version, which may at times be incompatible, e.g. see https://github.com/moby/moby/issues/44570 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 1b0d6fc804a7333b96615e9a2835ccffc1281343) Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2022-12-04 08:01:30 -05:00			`FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS build-base-alpine`
dockerfile based binary building Using cross compilation toolchains that work from any platform Adds darwin/arm64 support and bake targets. Static and dynamic binary targets are available, both with glibc and musl. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit 6423da8dcd076433b2629cfababa0fde9965b389) Signed-off-by: Tibor Vass <tibor@docker.com> 2021-03-03 02:03:02 -05:00			`COPY --from=xx / /`
update windows resources generation New solution is not hardcoded to amd64 but integrates with the cross toolchain and support creating arm binaries. Go has been updated so that ASLR works Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit 8b822c9219afb4ca323e573a4f5586c95d1a43ad) Signed-off-by: Tibor Vass <tibor@docker.com> 2021-03-05 03:56:55 -05:00			`RUN apk add --no-cache clang lld llvm file git`
dockerfile based binary building Using cross compilation toolchains that work from any platform Adds darwin/arm64 support and bake targets. Static and dynamic binary targets are available, both with glibc and musl. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit 6423da8dcd076433b2629cfababa0fde9965b389) Signed-off-by: Tibor Vass <tibor@docker.com> 2021-03-03 02:03:02 -05:00			`WORKDIR /go/src/github.com/docker/cli`

			`FROM build-base-alpine AS build-alpine`
			`ARG TARGETPLATFORM`
			`# gcc is installed for libgcc only`
			`RUN xx-apk add --no-cache musl-dev gcc`

update go to 1.17.8 Removes the platform based switch between different versions. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 6119e4ba908c232e9fada67ff9685ec03802d38d) Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2021-08-16 23:07:43 -04:00			`FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-buster AS build-base-buster`
dockerfile based binary building Using cross compilation toolchains that work from any platform Adds darwin/arm64 support and bake targets. Static and dynamic binary targets are available, both with glibc and musl. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit 6423da8dcd076433b2629cfababa0fde9965b389) Signed-off-by: Tibor Vass <tibor@docker.com> 2021-03-03 02:03:02 -05:00			`COPY --from=xx / /`
			`RUN apt-get update && apt-get install --no-install-recommends -y clang lld file`
			`WORKDIR /go/src/github.com/docker/cli`

			`FROM build-base-buster AS build-buster`
			`ARG TARGETPLATFORM`
			`RUN xx-apt install --no-install-recommends -y libc6-dev libgcc-8-dev`

			`FROM build-${BASE_VARIANT} AS build`
			`# GO_LINKMODE defines if static or dynamic binary should be produced`
			`ARG GO_LINKMODE=static`
			`# GO_BUILDTAGS defines additional build tags`
			`ARG GO_BUILDTAGS`
			`# GO_STRIP strips debugging symbols if set`
			`ARG GO_STRIP`
			`# CGO_ENABLED manually sets if cgo is used`
			`ARG CGO_ENABLED`
			`# VERSION sets the version for the produced binary`
			`ARG VERSION`
			`RUN --mount=ro --mount=type=cache,target=/root/.cache \`
			`--mount=from=dockercore/golang-cross:xx-sdk-extras,target=/xx-sdk,src=/xx-sdk \`
update windows resources generation New solution is not hardcoded to amd64 but integrates with the cross toolchain and support creating arm binaries. Go has been updated so that ASLR works Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit 8b822c9219afb4ca323e573a4f5586c95d1a43ad) Signed-off-by: Tibor Vass <tibor@docker.com> 2021-03-05 03:56:55 -05:00			`--mount=type=tmpfs,target=cli/winresources \`
dockerfile based binary building Using cross compilation toolchains that work from any platform Adds darwin/arm64 support and bake targets. Static and dynamic binary targets are available, both with glibc and musl. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit 6423da8dcd076433b2629cfababa0fde9965b389) Signed-off-by: Tibor Vass <tibor@docker.com> 2021-03-03 02:03:02 -05:00			`xx-go --wrap && \`
			`# export GOCACHE=$(go env GOCACHE)/$(xx-info)$([ -f /etc/alpine-release ] && echo "alpine") && \`
			`TARGET=/out ./scripts/build/binary && \`
			`xx-verify $([ "$GO_LINKMODE" = "static" ] && echo "--static") /out/docker`

Dockerfile: update xx to 1.1 Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit 40d8016627cc78988fc03f45d6540bf65a39b4f9) Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2022-03-26 01:57:27 -04:00			`FROM build-base-${BASE_VARIANT} AS dev`
update windows resources generation New solution is not hardcoded to amd64 but integrates with the cross toolchain and support creating arm binaries. Go has been updated so that ASLR works Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit 8b822c9219afb4ca323e573a4f5586c95d1a43ad) Signed-off-by: Tibor Vass <tibor@docker.com> 2021-03-05 03:56:55 -05:00			`COPY . .`
dockerfile based binary building Using cross compilation toolchains that work from any platform Adds darwin/arm64 support and bake targets. Static and dynamic binary targets are available, both with glibc and musl. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit 6423da8dcd076433b2629cfababa0fde9965b389) Signed-off-by: Tibor Vass <tibor@docker.com> 2021-03-03 02:03:02 -05:00
			`FROM scratch AS binary`
			`COPY --from=build /out .`