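# Global build-time default; an ARG declared before the first FROM is only
# visible to FROM lines, so stages that need it redeclare it (see charts).
ARG KUBERNETES_VERSION=dev

# Build environment
FROM rancher/hardened-build-base:v1.23.3b1 AS build
ARG DAPPER_HOST_ARCH
# key=value form: the space-separated `ENV key value` syntax is deprecated and
# flagged by BuildKit's build checks. Same value as before.
ENV ARCH=$DAPPER_HOST_ARCH
# Build-time toolchain. Packages are listed one per line, sorted, so diffs stay
# readable; none are version-pinned, so rebuilds can pick up newer apk packages.
RUN set -x && \
    apk --no-cache add \
        bash \
        bsd-compat-headers \
        curl \
        file \
        gcc \
        git \
        helm \
        libseccomp-dev \
        pigz \
        py-pip \
        py3-pip \
        rsync \
        tar \
        yq
# The mingw-w64 cross toolchain is only added on amd64 hosts.
RUN if [ "${ARCH}" = "amd64" ]; then \
        apk --no-cache add mingw-w64-gcc; \
    fi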
# Donor stage: provides the systemd RPM macros file that the dapper stage copies
# out of it. NOTE(review): bci-base is referenced without a tag, so this stage
# resolves to whatever the registry currently serves and is not reproducible;
# pin a tag (and ideally a digest).
FROM registry.suse.com/bci/bci-base AS rpm-macros
RUN zypper install --no-confirm systemd-rpm-macros
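# Dapper/Drone/CI environment
FROM build AS dapper
# Names (not values) of host environment variables that dapper forwards into the
# build container. Several of them carry credentials at run time (PAT_TOKEN,
# AWS_SECRET_ACCESS_KEY, DOCKER_PASSWORD, GH_TOKEN); this line stores only the
# variable names, so nothing secret is baked into the image here.
ENV DAPPER_ENV="GODEBUG CI GOCOVER REPO TAG GITHUB_ACTION_TAG PAT_USERNAME PAT_TOKEN KUBERNETES_VERSION DOCKER_BUILDKIT DRONE_BUILD_EVENT IMAGE_NAME AWS_SECRET_ACCESS_KEY AWS_ACCESS_KEY_ID ENABLE_REGISTRY DOCKER_USERNAME DOCKER_PASSWORD GH_TOKEN"
ARG DAPPER_HOST_ARCH
# key=value form throughout; the space-separated ENV syntax is deprecated.
# Values are unchanged from the original.
ENV ARCH=$DAPPER_HOST_ARCH
ENV DAPPER_OUTPUT="./dist ./bin ./build"
ENV DAPPER_DOCKER_SOCKET=true
ENV DAPPER_TARGET=dapper
# The CI container runs privileged, on the host network and with the Docker
# socket exposed: this image is a trusted build tool, not a sandbox.
ENV DAPPER_RUN_ARGS="--privileged --network host -v /tmp:/tmp -v rke2-pkg:/go/pkg -v rke2-cache:/root/.cache/go-build -v trivy-cache:/root/.cache/trivy"

# sonobuoy, amd64/arm64 only. `curl -f` makes an HTTP error fail the download
# instead of piping an error page into tar (there is no pipefail in this
# shell, so the pipeline's status is tar's). Version-pinned, not
# checksum-verified.
RUN if [ "${ARCH}" = "amd64" ] || [ "${ARCH}" = "arm64" ]; then \
        VERSION=0.56.10 OS=linux && \
        curl -fsSL "https://github.com/vmware-tanzu/sonobuoy/releases/download/v${VERSION}/sonobuoy_${VERSION}_${OS}_${ARCH}.tar.gz" | \
            tar -xzf - -C /usr/local/bin; \
    fi

# GitHub CLI, pinned to v2.53.0; only the gh binary is extracted from the archive.
RUN curl -fsSL "https://github.com/cli/cli/releases/download/v2.53.0/gh_2.53.0_linux_${ARCH}.tar.gz" | \
        tar --strip-components=2 -xzvf - -C /usr/local/bin gh_2.53.0_linux_${ARCH}/bin/gh

# kubectl: the version is resolved once from stable.txt (so this layer is not
# reproducible across builds) and the binary is checked against the .sha256
# file published next to it before it is made executable. The original joined
# `pip install codespell` with `;`, which let the RUN succeed even when the
# kubectl download had failed; pip is its own instruction now.
RUN KUBECTL_VERSION="$(curl -fsSL https://dl.k8s.io/release/stable.txt)" && \
    curl -fsSL "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl" -o /usr/local/bin/kubectl && \
    curl -fsSL "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl.sha256" -o /tmp/kubectl.sha256 && \
    echo "$(cat /tmp/kubectl.sha256)  /usr/local/bin/kubectl" | sha256sum -c - && \
    rm -f /tmp/kubectl.sha256 && \
    chmod a+x /usr/local/bin/kubectl
# Python tooling for CI; neither package is version-pinned.
RUN pip install codespell
RUN python3 -m pip install awscli

# golangci-lint v1.55.2 via the upstream installer. The script is fetched from
# the master branch and executed unverified, so the pin only covers the binary
# it downloads; fetching the script at a fixed ref, or
# `go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.55.2`,
# would remove the moving part.
RUN curl -fsSL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s v1.55.2

# Packaging helpers. NOTE(review): the rpm-dev condition is false only when
# ARCH=s390x *and* GOARCH=arm64 at the same time (GOARCH is not set in this
# stage), so rpm-dev is effectively always installed; confirm whether `&&` or a
# single-architecture test was intended. Logic kept as-is.
RUN set -x && \
    apk --no-cache add \
        jq \
        libarchive-tools \
        python3 \
        zstd && \
    if [ "${ARCH}" != "s390x" ] || [ "${GOARCH}" != "arm64" ]; then \
        apk add --no-cache rpm-dev; \
    fi

# crane from go-containerregistry. Only the `crane` member is extracted, straight
# into /usr/local/bin; the previous form unpacked the whole archive into the
# working directory and left the tarball and any other members behind in the
# layer. arm64 gets the arm64 archive and every other ARCH the x86_64 one,
# unchanged from the original branch logic. The archive is not checksum-verified.
RUN GOCR_VERSION="v0.20.2" && \
    if [ "${ARCH}" = "arm64" ]; then GOCR_ARCH="arm64"; else GOCR_ARCH="x86_64"; fi && \
    curl -fsSL "https://github.com/google/go-containerregistry/releases/download/${GOCR_VERSION}/go-containerregistry_Linux_${GOCR_ARCH}.tar.gz" | \
        tar -zxf - -C /usr/local/bin crane && \
    chmod a+x /usr/local/bin/crane

WORKDIR /source
# systemd RPM macros taken from the BCI donor stage (presumably consumed by the
# RPM packaging step, which is not visible here).
COPY --from=rpm-macros /usr/lib/rpm/macros.d/macros.systemd /usr/lib/rpm/macros.d
# End Dapper stuff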
# Shell used for debugging
# Interactive debugging image layered on the dapper stage: shell conveniences
# plus Go test and debugger tooling. Not a production image (it carries sudo,
# vim and a root .bashrc alias and runs as root).
FROM dapper AS shell
RUN set -x && \
apk --no-cache add \
bash-completion \
iptables \
less \
psmisc \
rsync \
socat \
sudo \
vim
# For integration tests
# NOTE(review): since Go 1.18 `go get` no longer installs binaries and, in
# module mode, expects a go.mod in the working directory (/source is empty at
# build time); confirm this still resolves ginkgo/gomega on the pinned build base.
RUN go get github.com/onsi/ginkgo/v2 github.com/onsi/gomega/...
# delve is built in legacy GOPATH mode (GO111MODULE=off) from the repository's
# default branch, i.e. not pinned to a release.
RUN GO111MODULE=off GOBIN=/usr/local/bin go get github.com/go-delve/delve/cmd/dlv
# Root-shell alias: pipes "q" then "y" into `dlv connect :2345`, presumably to
# quit a headless delve session and confirm the prompt.
RUN echo 'alias abort="echo -e '\''q\ny\n'\'' | dlv connect :2345"' >> /root/.bashrc
# Put the rke2-managed binaries and kubeconfig on the debug shell's path.
ENV PATH=/var/lib/rancher/rke2/bin:$PATH
ENV KUBECONFIG=/etc/rancher/rke2/rke2.yaml
VOLUME /var/lib/rancher/rke2
# This makes it so we can run and debug k3s too
VOLUME /var/lib/rancher/k3s
# Chart build stage: packages the Helm charts that end up under /charts/ in the
# runtime image. Note the stage is built from `build`, not `dapper`.
FROM build AS charts
# Chart repository URL; presumably read by build-charts.sh (not visible here).
ARG CHART_REPO="https://rke2-charts.rancher.io"
# Redeclared in this stage so a --build-arg value is visible to build-charts.sh;
# defaults to empty here rather than to the global `dev`.
ARG KUBERNETES_VERSION=""
# Cache-busting knob: pass a fresh --build-arg CACHEBUST=<value> to force the
# chart build below to re-run instead of being served from the layer cache.
ARG CACHEBUST="cachebust"
COPY charts/ /charts/
# Consumes the ARG in a RUN so a changed CACHEBUST invalidates this layer and
# every layer after it; the echo itself is a no-op.
RUN echo ${CACHEBUST}>/dev/null
RUN /charts/build-charts.sh
# Strip build-only inputs so only the packaged charts are copied onward.
RUN rm -vf /charts/*.sh /charts/*.md /charts/chart_versions.yaml
# rke2-runtime image
# This image includes any host level programs that we might need. All binaries
# must be placed in bin/ of the file image and subdirectories of bin/ will be flattened during installation.
# This means bin/foo/bar will become bin/bar when rke2 installs this to the host
#
# Component images the runtime binaries are collected from. Each is pinned to a
# build tag (not to a digest), so a registry-side retag would change what gets
# shipped; bump these tags to update kubernetes, containerd, crictl or runc.
FROM rancher/hardened-kubernetes:v1.32.0-rke2r1-build20241212 AS kubernetes
FROM rancher/hardened-containerd:v1.7.23-k3s2-build20241203 AS containerd
FROM rancher/hardened-crictl:v1.31.1-build20241011 AS crictl
FROM rancher/hardened-runc:v1.2.4-build20250109 AS runc
# Staging stage: gathers the host-level binaries from the pinned component
# images under /bin/ and the packaged charts under /charts/, on an empty
# filesystem so nothing else leaks into the runtime image.
FROM scratch AS runtime-collect
COPY --from=kubernetes \
    /usr/local/bin/kubectl \
    /usr/local/bin/kubelet \
    /bin/
COPY --from=containerd \
    /usr/local/bin/containerd \
    /usr/local/bin/containerd-shim \
    /usr/local/bin/containerd-shim-runc-v1 \
    /usr/local/bin/containerd-shim-runc-v2 \
    /usr/local/bin/ctr \
    /bin/
COPY --from=crictl /usr/local/bin/crictl /bin/
COPY --from=runc /usr/local/bin/runc /bin/
COPY --from=charts /charts/ /charts/
# Published runtime image (rancher/rke2-runtime): a single layer holding exactly
# what runtime-collect staged, with OCI source/url labels for provenance.
FROM scratch AS runtime
LABEL org.opencontainers.image.url="https://hub.docker.com/r/rancher/rke2-runtime" \
      org.opencontainers.image.source="https://github.com/rancher/rke2"
COPY --from=runtime-collect / /
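# Test image: runs the freshly built rke2 binary with a bundled air-gap image
# tarball. Runs as root because rke2 manages containerd and the kubelet.
FROM ubuntu:24.04 AS test
# NOTE(review): declared but not used; the air-gap bundle COPY below is
# hard-wired to amd64.
ARG TARGETARCH
VOLUME /var/lib/rancher/rke2
VOLUME /var/lib/kubelet
VOLUME /var/lib/cni
VOLUME /var/log
# OS packages are installed before the rke2 binary and the (large) image bundle
# are copied in, so this layer stays cached when only those change. apt lists
# are removed in the same layer (run `apt-get update` again before any later
# install). `apt-get upgrade` is kept from the original; bumping the base tag
# is the usual alternative.
RUN set -x && \
    export DEBIAN_FRONTEND=noninteractive && \
    apt-get -y update && \
    apt-get -y upgrade && \
    apt-get -y install \
        bash \
        bash-completion \
        ca-certificates \
        conntrack \
        ebtables \
        ethtool \
        iptables \
        jq \
        less \
        socat \
        vim && \
    rm -rf /var/lib/apt/lists/*
# for ctr: point the default containerd socket path at rke2's socket
RUN mkdir -p /run/containerd && \
    ln -s /run/k3s/containerd/containerd.sock /run/containerd/containerd.sock
# for go dns bug
RUN mkdir -p /etc && \
    echo 'hosts: files dns' > /etc/nsswitch.conf
# for conformance testing
RUN chmod 1777 /tmp
COPY bin/rke2 /bin/
# use built air-gap images
COPY build/images/rke2-images.linux-amd64.tar.zst /var/lib/rancher/rke2/agent/images/
COPY build/images.txt /images.txt
# use rke2 bundled binaries
ENV PATH=/var/lib/rancher/rke2/bin:$PATH
# for kubectl
ENV KUBECONFIG=/etc/rancher/rke2/rke2.yaml
# for crictl
ENV CONTAINER_RUNTIME_ENDPOINT="unix:///run/k3s/containerd/containerd.sock"
# Exec form: rke2 is PID 1 and receives the stop signal directly; `server` is
# the default subcommand and can be overridden at `docker run`.
ENTRYPOINT ["/bin/rke2"]
CMD ["server"]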