From a5163aefcc03fa3b5ec7af4f99b6c0c3a8174854 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Sat, 16 Dec 2023 15:50:40 -0800
Subject: [PATCH] first pass at determinism
---
README.md | 32 ++++++++++++++
autoconf/Dockerfile | 15 ++++---
automake/Dockerfile | 20 ++++++---
bash/Dockerfile | 15 ++++---
binutils/Dockerfile | 16 +++++--
bootstrap/Dockerfile | 1 +
busybox/Dockerfile | 35 +++++++++------
ca-certificates/Dockerfile | 9 +++-
cmake/Dockerfile | 33 ++++++++------
curl/Dockerfile | 30 +++++++------
gcc/Dockerfile | 25 ++++++-----
go/Dockerfile | 88 +++++++++++++++++++++-----------------
libtool/Dockerfile | 32 ++++++++------
libunwind/Dockerfile | 25 +++++++----
libxml2/Dockerfile | 29 ++++++++-----
linux-headers/Dockerfile | 18 +++++---
llvm/Dockerfile | 23 ++++++----
m4/Dockerfile | 19 +++++---
make/Dockerfile | 16 +++++--
musl/Dockerfile | 27 +++++++-----
ninja/Dockerfile | 36 +++++++++-------
openssl/Dockerfile | 25 +++++++----
perl/Dockerfile | 30 ++++++++-----
pkgconf/Dockerfile | 29 ++++++++-----
py-setuptools/Dockerfile | 22 +++++++---
python/Dockerfile | 31 +++++++++-----
rust/Dockerfile | 43 +++++++++++--------
sed/Dockerfile | 28 +++++++-----
zlib/Dockerfile | 25 +++++++----
29 files changed, 504 insertions(+), 273 deletions(-)
diff --git a/README.md b/README.md
index 1e96255..b1586ff 100644
--- a/README.md
+++ b/README.md
@@ -121,7 +121,39 @@ make clean reproduce make sign ``` +## Packaging + +Every package should have a minimum of 5 stages as follows + +* base + * based on busybox or bootstrap + * Runs as unprivileged user 1000 (user) + * Sets environment to be shared with fetch, build, and install stages + * Imports dependencies for fetch, build, and install stages +* fetch + * Based on "base" + * Runs as unprivileged user 1000 (user) + * Has internet access + * Obtains any needed source files from the internet + * Verifies sources against hardcoded hashes +* build + * Based on "fetch" + * Runs as unprivileged user 1000 (user) + * Extract sources + * Apply any patches as needed + * Build any artifacts as needed +* install + * Based on "build" + * Elevates privileges to user 0:0 (root) + * Installs all files in /home/user/rootfs owned by root + * Sets all timestamps in /home/user/rootfs to @0 (Unix Epoch) +* package + * Based on scratch + * Copies /home/user/rootfs from "install" to / + * Sets runtime user/perms/env as needed + ## Sponsors - Turnkey +- Distrust - Mysten Labs diff --git a/autoconf/Dockerfile b/autoconf/Dockerfile index 16d08a9..a91ce8e 100644 --- a/autoconf/Dockerfile +++ b/autoconf/Dockerfile @@ -5,8 +5,9 @@ FROM ${REGISTRY}/musl:latest as musl FROM ${REGISTRY}/make:latest as make FROM ${REGISTRY}/m4:latest as m4 FROM ${REGISTRY}/perl:latest as perl +FROM ${REGISTRY}/busybox:latest as busybox -FROM ${REGISTRY}/busybox:latest as base +FROM busybox as base ENV SRC_SITE https://ftp.gnu.org/gnu/autoconf ENV SRC_VERSION 2.71 ENV SRC_HASH f14c83cfebcc9427f2c3cea7258bd90df972d92eb26752da4ddad81c87a0faa4 
@@ -30,11 +31,15 @@ ENV M4=/usr/bin/m4 RUN set -eux; \ ./configure \ --prefix=/usr; \ - make; -RUN make DESTDIR=/home/user/rootfs install -COPY --from=perl . /home/user/rootfs/ + make + +from build as install +USER 0:0 +RUN make DESTDIR=/rootfs install +COPY --from=perl . /rootfs/ +RUN find /rootfs -exec touch -hcd "@0" "{}" + FROM scratch as package -COPY --from=build /home/user/rootfs / +COPY --from=install /rootfs / ENTRYPOINT ["/usr/bin/autoreconf"] CMD ["--version"] diff --git a/automake/Dockerfile b/automake/Dockerfile index 3ba6ec3..44ec32f 100644 --- a/automake/Dockerfile +++ b/automake/Dockerfile @@ -1,5 +1,4 @@ ARG REGISTRY=local -FROM ${REGISTRY}/busybox:latest as busybox FROM ${REGISTRY}/gcc:latest as gcc FROM ${REGISTRY}/binutils:latest as binutils FROM ${REGISTRY}/musl:latest as musl @@ -7,14 +6,19 @@ FROM ${REGISTRY}/make:latest as make FROM ${REGISTRY}/perl:latest as perl FROM ${REGISTRY}/autoconf:latest as autoconf FROM ${REGISTRY}/m4:latest as m4 +FROM ${REGISTRY}/busybox:latest as busybox -FROM busybox as build +FROM busybox as base ENV SRC_SITE=https://ftp.gnu.org/gnu/automake ENV SRC_VERSION=1.16.5 ENV SRC_HASH=f01d58cd6d9d77fbdca9eb4bbd5ead1988228fdb73d6f7a201f5f8d6b118b469 + +FROM base as fetch RUN wget ${SRC_SITE}/automake-${SRC_VERSION}.tar.xz RUN echo "${SRC_HASH} automake-${SRC_VERSION}.tar.xz" | sha256sum -c RUN tar -xf automake-${SRC_VERSION}.tar.xz + +FROM fetch as build WORKDIR automake-${SRC_VERSION} COPY --from=gcc . / COPY --from=binutils . / 
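Review bot: The new install stage in autoconf/Dockerfile is declared as `from build as install`, in lowercase, while the other stage lines visible in this file use `FROM`; write `FROM build as install` so the file stays consistent. The stage also installs into `/rootfs`, whereas the Packaging section this commit adds to README.md documents `/home/user/rootfs` as the staging directory. One of the two should be updated so the documented layout matches what `COPY --from=install /rootfs /` actually ships.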
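Review bot: In automake/Dockerfile the `RUN tar -xf automake-${SRC_VERSION}.tar.xz` line ends up inside the new `fetch` stage, because `FROM fetch as build` is inserted after it rather than before it. The Packaging section added to README.md in this commit places extraction in `build`, and binutils/Dockerfile in the same commit puts its `tar -xf` after `FROM fetch as build`. Moving the stage line up by one instruction keeps `fetch` limited to download and hash verification. The build stage continues past the end of this hunk.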
@@ -27,11 +31,15 @@ RUN set -eux; \ ./configure \ --prefix=/usr; \ make; -RUN make DESTDIR=/home/user/rootfs install -COPY --from=musl /usr/lib/libc.so /home/user/rootfs/lib/ld-musl-x86_64.so.1 -COPY --from=perl . /home/user/rootfs/ + +FROM build as install +USER 0:0 +RUN make DESTDIR=/rootfs install +COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1 +COPY --from=perl . /rootfs/ +RUN find /rootfs -exec touch -hcd "@0" "{}" + FROM scratch as package -COPY --from=build /home/user/rootfs / +COPY --from=install /rootfs / ENTRYPOINT ["/usr/bin/automake"] CMD ["--version"] diff --git a/bash/Dockerfile b/bash/Dockerfile index 5aa3a01..56c8582 100644 --- a/bash/Dockerfile +++ b/bash/Dockerfile @@ -3,8 +3,9 @@ from ${REGISTRY}/binutils as binutils from ${REGISTRY}/gcc as gcc from ${REGISTRY}/musl as musl from ${REGISTRY}/make as make +from ${REGISTRY}/busybox as busybox -from ${REGISTRY}/busybox as base +FROM busybox as base ENV SRC_SITE=https://ftp.gnu.org/gnu/bash ENV SRC_VERSION=5.2.21 ENV SRC_HASH=c8e31bdc59b69aaffc5b36509905ba3e5cbb12747091d27b4b977f078560d5b8 @@ -23,6 +24,7 @@ COPY --from=binutils . / COPY --from=make . / COPY --from=musl . / RUN set -eux; \ + mkdir -p /home/user/rootfs/lib; \ ./configure \ --build=x86_64-unknown-linux-musl \ --host=x86_64-unknown-linux-musl \ @@ -35,11 +37,14 @@ RUN set -eux; \ --without-curses \ --without-bash-malloc; \ make -RUN make DESTDIR=/home/user/rootfs install -RUN ls -Rlah /home/user/rootfs -COPY --from=musl /usr/lib/libc.so /home/user/rootfs/lib/ld-musl-x86_64.so.1 + +FROM build as install +USER 0:0 +RUN make DESTDIR=/rootfs install +COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1 +RUN find /rootfs -exec touch -hcd "@0" "{}" + FROM scratch as package -COPY --from=build /home/user/rootfs / +COPY --from=install /rootfs / ENTRYPOINT ["/bin/bash"] CMD ["--version"] diff --git a/binutils/Dockerfile b/binutils/Dockerfile index c694b5a..842e3d7 100644 --- a/binutils/Dockerfile 
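Review bot: The `mkdir -p /home/user/rootfs/lib; \` line added to the configure step in bash/Dockerfile creates the old staging path, which the following hunk stops using: the new install stage runs `make DESTDIR=/rootfs install` and copies the loader to `/rootfs/lib/`. As far as the visible lines show, nothing reads `/home/user/rootfs` any more, so the line can be dropped. If a directory has to exist before the `COPY`, it would be `/rootfs/lib`, created in the install stage. The RUN this line sits in continues past the end of the hunk.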
+++ b/binutils/Dockerfile @@ -1,13 +1,17 @@ ARG REGISTRY=local FROM ${REGISTRY}/musl:latest as musl -FROM ${REGISTRY}/bootstrap:latest as build +FROM ${REGISTRY}/bootstrap:latest as bootstrap +FROM bootstrap as base ENV SRC_SITE https://ftp.gnu.org/gnu/binutils ENV SRC_VERSION 2.41 ENV SRC_HASH ae9a5789e23459e59606e6714723f2d3ffc31c03174191ef0d015bdf06007450 +FROM base as fetch RUN wget ${SRC_SITE}/binutils-${SRC_VERSION}.tar.xz RUN echo "${SRC_HASH} binutils-${SRC_VERSION}.tar.xz" | sha256sum -c + +FROM fetch as build RUN tar -xf binutils-${SRC_VERSION}.tar.xz WORKDIR binutils-${SRC_VERSION} RUN set -ex; \ @@ -43,11 +47,15 @@ RUN set -ex; \ --enable-threads \ --with-mmap \ --with-pic; \ - make -j "$(nproc)"; \ - make DESTDIR="/home/user/rootfs" install; + make -j "$(nproc)" + +FROM build as install +USER 0:0 +RUN make DESTDIR="/rootfs" install; COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1 +RUN find /rootfs -exec touch -hcd "@0" "{}" + FROM scratch as package -COPY --from=build /home/user/rootfs / +COPY --from=install /rootfs / ENTRYPOINT ["/bin/ld"] CMD ["--version"] diff --git a/bootstrap/Dockerfile b/bootstrap/Dockerfile index 2d53f32..f515476 100644 --- a/bootstrap/Dockerfile +++ b/bootstrap/Dockerfile @@ -4,5 +4,6 @@ FROM seed as fetch RUN set -ex; \ apk update; \ apk add gcc g++ libc-dev make linux-headers patch +RUN find / -exec touch -hcd "@0" "{}" + FROM fetch as package diff --git a/busybox/Dockerfile b/busybox/Dockerfile index 063c157..9fd738b 100644 --- a/busybox/Dockerfile +++ b/busybox/Dockerfile 
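Review bot: The added `RUN find / -exec touch -hcd "@0" "{}" +` in bootstrap/Dockerfile walks the whole root, which during a build includes mounted pseudo-filesystems such as `/proc`, `/sys` and `/dev`; touching entries there is meaningless and may fail, and a non-zero exit from `find` would fail the RUN. Restricting the walk to the image filesystem, `RUN find / -xdev -exec touch -hcd "@0" "{}" +`, avoids that. Separately, the `apk update; apk add gcc g++ ...` step above it installs unpinned packages, so resetting timestamps does not by itself make this stage reproducible. A comment stating that the seed stage is a known non-deterministic input would help readers of this file.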
@@ -1,13 +1,16 @@ ARG REGISTRY=local -FROM ${REGISTRY}/bootstrap as base +FROM ${REGISTRY}/bootstrap as bootstrap + +FROM bootstrap as base ENV SRC_SITE=https://busybox.net/downloads ENV SRC_VERSION=1.35.0 ENV SRC_HASH=faeeb244c35a348a334f4a59e44626ee870fb07b6884d68c10ae8bc19f83a694 ENV SRC_FILE=busybox-${SRC_VERSION}.tar.bz2 +ENV KCONFIG_NOTIMESTAMP=1 FROM base as fetch RUN set -eux; \ - wget ${SRC_SITE}/${SRC_FILE}; \ + wget ${SRC_SITE}/${SRC_FILE} echo "${SRC_HASH} ${SRC_FILE}" | sha256sum -c FROM fetch as build @@ -50,24 +53,30 @@ RUN set -eux; \ done; \ for confV in $setConfs; do \ grep -q "^$confV\$" .config; \ - done + done; \ + make -RUN make -RUN cp busybox / +FROM build as install +USER 0:0 +RUN set -eux; \ + mkdir -p /rootfs/bin; \ + cp busybox /rootfs/bin; \ + cd /rootfs; \ + mkdir -p home/user var/tmp etc tmp lib bin; \ + /bin/busybox --install -s bin; \ + echo "user:x:1000:" > etc/group; \ + echo "user:x:1000:1000::/home/user:/bin/sh" > etc/passwd; \ + ln -sT /lib lib64; \ + chown -R 1000:1000 /rootfs/home/user /tmp /var/tmp; \ + find . -exec touch -hcd "@0" "{}" + FROM scratch as package -COPY --from=build busybox / -RUN ["/busybox","mkdir","/bin"] -RUN ["/busybox","--install","-s","/bin"] -RUN echo "user:x:1000:" > /etc/group -RUN echo "user:x:1000:1000::/home/user:/bin/sh" > /etc/passwd -RUN mkdir -p /home/user /tmp /lib /var/tmp -RUN ln -sT /lib /lib64 -RUN chown -R 1000:1000 /home/user /tmp /var/tmp +COPY --from=install /rootfs / WORKDIR /home/user USER 1000:1000 ENTRYPOINT ["/bin/sh"] ENV TZ=UTC ENV LANG=C.UTF-8 ENV SOURCE_DATE_EPOCH=1 +ENV KCONFIG_NOTIMESTAMP=1 ENV PS1="busybox$ " diff --git a/ca-certificates/Dockerfile b/ca-certificates/Dockerfile index 44a6601..907839a 100644 --- a/ca-certificates/Dockerfile +++ b/ca-certificates/Dockerfile 
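Review bot: The rewritten `wget ${SRC_SITE}/${SRC_FILE}` line in the fetch stage of busybox/Dockerfile drops the trailing `; \`, so the RUN instruction now ends there and the following `echo "${SRC_HASH} ${SRC_FILE}" | sha256sum -c` line is no longer part of it. As written, the hash check is either rejected as an unknown Dockerfile instruction or never executed, so this RUN does not verify the download. Restore the continuation: `wget ${SRC_SITE}/${SRC_FILE}; \`.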
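Review bot: In the new install stage of busybox/Dockerfile, `chown -R 1000:1000 /rootfs/home/user /tmp /var/tmp; \` changes ownership of the build container's own `/tmp` and `/var/tmp`, not the directories created under `/rootfs`, so the packaged image, which runs as `USER 1000:1000`, ships root-owned temp directories. Since the script has already done `cd /rootfs`, the line should read `chown -R 1000:1000 home/user tmp var/tmp; \`. Note also that `/bin/busybox --install -s bin` is executed by the base image's busybox rather than the binary just built, so the applet links may not match the configured applet set; a comment explaining why that is acceptable, or a check against the built binary, would be useful.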
@@ -1,2 +1,9 @@ +FROM ${REGISTRY}/busybox:latest as base + +FROM base as install +USER 0:0 +COPY cacert.pem /rootfs/etc/ssl/certs/ca-certificates.crt +RUN find /rootfs -exec touch -hcd "@0" "{}" + + FROM scratch as package -COPY cacert.pem /etc/ssl/certs/ca-certificates.crt +COPY --from=install /rootfs / diff --git a/cmake/Dockerfile b/cmake/Dockerfile index f16fac2..b2a6a5b 100644 --- a/cmake/Dockerfile +++ b/cmake/Dockerfile @@ -1,5 +1,4 @@ ARG REGISTRY=local -FROM ${REGISTRY}/busybox:latest as busybox FROM ${REGISTRY}/gcc:latest as gcc FROM ${REGISTRY}/binutils:latest as binutils FROM ${REGISTRY}/musl:latest as musl @@ -8,16 +7,13 @@ FROM ${REGISTRY}/ninja:latest as ninja FROM ${REGISTRY}/openssl:latest as openssl FROM ${REGISTRY}/linux-headers:latest as linux-headers FROM ${REGISTRY}/make:latest as make +FROM ${REGISTRY}/busybox:latest as busybox -FROM busybox as build +FROM busybox as base ENV SRC_SITE=https://cmake.org/files ENV SRC_VERSION=3.27.8 ENV SRC_HASH=fece24563f697870fbb982ea8bf17482c9d5f855d8c9bf0b82463d76c9e8d0cc COPY --from=curl . / -RUN curl -O ${SRC_SITE}/v3.27/cmake-${SRC_VERSION}.tar.gz -RUN echo "${SRC_HASH} cmake-${SRC_VERSION}.tar.gz" | sha256sum -c -RUN tar -xf cmake-${SRC_VERSION}.tar.gz -WORKDIR cmake-${SRC_VERSION} COPY --from=binutils . / COPY --from=ninja . / COPY --from=musl . / @@ -25,6 +21,13 @@ COPY --from=make . / COPY --from=linux-headers . / COPY --from=gcc . / +FROM base as fetch +RUN curl -O ${SRC_SITE}/v3.27/cmake-${SRC_VERSION}.tar.gz +RUN echo "${SRC_HASH} cmake-${SRC_VERSION}.tar.gz" | sha256sum -c + +FROM fetch as build +RUN tar -xf cmake-${SRC_VERSION}.tar.gz +WORKDIR cmake-${SRC_VERSION} RUN set -eux; \ ./bootstrap \ --prefix=/usr \ 
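Review bot: ca-certificates/Dockerfile now begins with `FROM ${REGISTRY}/busybox:latest as base`, but the file, which this hunk shows in full, never declares `REGISTRY`, so the variable expands to an empty string and the image reference is invalid. Add `ARG REGISTRY=local` as the first line, as the other Dockerfiles in this commit do.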
@@ -36,15 +39,19 @@ RUN set -eux; \ --no-system-jsoncpp \ --generator=Ninja; \ ninja -RUN DESTDIR=/home/user/rootfs bin/cmake -P cmake_install.cmake -COPY --from=musl /lib/* /home/user/rootfs/lib/ -COPY --from=musl /usr/lib/* /home/user/rootfs/usr/lib/ -COPY --from=gcc /usr/lib/* /home/user/rootfs/usr/lib/ -COPY --from=gcc /usr/lib64/* /home/user/rootfs/usr/lib/ -COPY --from=openssl /usr/lib/* /home/user/rootfs/usr/lib/ + +FROM build as install +USER 0:0 +RUN DESTDIR=/rootfs bin/cmake -P cmake_install.cmake +COPY --from=musl /lib/* /rootfs/lib/ +COPY --from=musl /usr/lib/* /rootfs/usr/lib/ +COPY --from=gcc /usr/lib/* /rootfs/usr/lib/ +COPY --from=gcc /usr/lib64/* /rootfs/usr/lib/ +COPY --from=openssl /usr/lib/* /rootfs/usr/lib/ +RUN find /rootfs -exec touch -hcd "@0" "{}" + FROM scratch as package -COPY --from=build /home/user/rootfs / +COPY --from=install /rootfs / USER 100:100 ENTRYPOINT ["/usr/bin/cmake"] CMD ["--version"] diff --git a/curl/Dockerfile b/curl/Dockerfile index f90bd66..6bf148a 100644 --- a/curl/Dockerfile +++ b/curl/Dockerfile 
@@ -1,27 +1,29 @@ ARG REGISTRY=local FROM ${REGISTRY}/gcc:latest as gcc FROM ${REGISTRY}/musl:latest as musl -FROM ${REGISTRY}/busybox:latest as busybox FROM ${REGISTRY}/make:latest as make FROM ${REGISTRY}/binutils:latest as binutils FROM ${REGISTRY}/openssl:latest as openssl FROM ${REGISTRY}/ca-certificates:latest as ca-certificates +FROM ${REGISTRY}/busybox:latest as busybox -FROM busybox as build +FROM busybox as base ENV SRC_SITE=https://curl.se/download ENV SRC_VERSION=8.4.0 ENV SRC_HASH=16c62a9c4af0f703d28bda6d7bbf37ba47055ad3414d70dec63e2e6336f2a82d -RUN wget ${SRC_SITE}/curl-${SRC_VERSION}.tar.xz -RUN echo wget ${SRC_SITE}/curl-${SRC_VERSION}.tar.xz -RUN echo "${SRC_HASH} curl-${SRC_VERSION}.tar.xz" | sha256sum -c -RUN tar -xf curl-${SRC_VERSION}.tar.xz -WORKDIR curl-${SRC_VERSION} COPY --from=binutils . / COPY --from=make . / COPY --from=musl . / COPY --from=gcc . / COPY --from=openssl . / +FROM base as fetch +RUN wget ${SRC_SITE}/curl-${SRC_VERSION}.tar.xz +RUN echo "${SRC_HASH} curl-${SRC_VERSION}.tar.xz" | sha256sum -c + +FROM fetch as build +RUN tar -xf curl-${SRC_VERSION}.tar.xz +WORKDIR curl-${SRC_VERSION} RUN set -eux; \ ./configure \ --build=x86_64-linux-musl \ @@ -34,13 +36,17 @@ RUN set -eux; \ --with-openssl \ --enable-static-link; \ make -RUN make install DESTDIR=/home/user/rootfs -COPY --from=musl . /home/user/rootfs/ -COPY --from=openssl . /home/user/rootfs/ -COPY --from=ca-certificates . /home/user/rootfs/ + +FROM build as install +USER 0:0 +RUN make install DESTDIR=/rootfs +COPY --from=musl . /rootfs/ +COPY --from=openssl . /rootfs/ +COPY --from=ca-certificates . /rootfs/ +RUN find /rootfs -exec touch -hcd "@0" "{}" + FROM scratch as package -COPY --from=build /home/user/rootfs / +COPY --from=install /rootfs / USER 100:100 ENTRYPOINT ["/usr/bin/curl"] CMD ["--version"] diff --git a/gcc/Dockerfile b/gcc/Dockerfile index 43adf52..c2f1108 100644 --- a/gcc/Dockerfile +++ b/gcc/Dockerfile 
@@ -1,7 +1,9 @@ ARG REGISTRY=local FROM ${REGISTRY}/musl:latest as musl +FROM ${REGISTRY}/binutils:latest as binutils +FROM ${REGISTRY}/bootstrap:latest as bootstrap -FROM ${REGISTRY}/bootstrap:latest as base +FROM bootstrap as base ENV VERSION 12.2.0 ENV SRC_FILE gcc-$VERSION.tar.xz ENV SRC_SITE https://mirrors.kernel.org/gnu/gcc/gcc-${VERSION} @@ -55,23 +57,26 @@ RUN set -eux; \ --enable-languages=c,c++ \ --enable-link-serialization=2 \ --enable-linker-build-id; \ - make -j "$(nproc)"; \ - make DESTDIR=/home/user/rootfs/ install-strip; \ - ln -s gcc /home/user/rootfs/usr/bin/cc -COPY --from=musl /lib/* /home/user/rootfs/lib/ + make -j "$(nproc)" -FROM ${REGISTRY}/binutils:latest as binutils -FROM scratch as test -COPY --from=busybox . / +FROM build as install +USER 0:0 +RUN set -eux; \ + make DESTDIR=/rootfs/ install-strip; \ + ln -s gcc /rootfs/usr/bin/cc +COPY --from=musl /lib/* /rootfs/lib/ +RUN find /rootfs -exec touch -hcd "@0" "{}" + + +FROM busybox as test COPY --from=binutils . / COPY --from=musl . / -COPY --from=build /home/user/rootfs / +COPY --from=install /rootfs / ADD test.c . RUN set -eux; \ gcc test.c -static -o main; \ ./main | grep "Success" FROM scratch as package -COPY --from=build /home/user/rootfs / +COPY --from=build /rootfs / ENTRYPOINT ["/usr/bin/gcc"] CMD ["--version"] diff --git a/go/Dockerfile b/go/Dockerfile index b0e39b6..61854c4 100644 --- a/go/Dockerfile +++ b/go/Dockerfile 
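Review bot: The package stage of gcc/Dockerfile still reads `COPY --from=build /rootfs /`, but this hunk moves `make DESTDIR=/rootfs/ install-strip` into the new `install` stage, so `build` no longer contains `/rootfs`; it should be `COPY --from=install /rootfs /`, as the test stage already does. The test stage is also changed to `FROM busybox as test`, and no stage named `busybox` is declared in the lines visible here. If none exists elsewhere in the file, that name resolves to the public `busybox` image rather than `${REGISTRY}/busybox`, which brings an unpinned external base into the build. Adding `FROM ${REGISTRY}/busybox:latest as busybox` next to the other imports would close that gap.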
@@ -4,90 +4,100 @@ FROM ${REGISTRY}/bash:latest as bash FROM ${REGISTRY}/gcc:latest as gcc FROM ${REGISTRY}/binutils:latest as binutils FROM ${REGISTRY}/musl:latest as musl -FROM ${REGISTRY}/busybox:${BUSYBOX_VERSION} as base +FROM ${REGISTRY}/busybox:${BUSYBOX_VERSION} as busybox + +FROM busybox as base ENV GOOS=linux ENV CGO_ENABLED=0 +ENV VERSION=1.21.4 +ENV SRC_SITE=https://storage.googleapis.com/golang +ENV SRC_HASH=e25c9ab72d811142b7f41ff6da5165fec2d1be5feec3ef2c66bc0bdecb431489 +ENV VERSION_BOOTSTRAP_2=1.19.11 +ENV SRC_SITE_BOOTSTRAP_2=https://storage.googleapis.com/golang +ENV SRC_HASH_BOOTSTRAP_2=e25c9ab72d811142b7f41ff6da5165fec2d1be5feec3ef2c66bc0bdecb431489 +ENV VERSION_BOOTSTRAP_1=1.4-bootstrap-20171003 +ENV SRC_SITE_BOOTSTRAP_1=https://dl.google.com/go +ENV SRC_HASH_BOOTSTRAP_1=f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52 +COPY --from=gcc . / COPY --from=gcc . / COPY --from=bash . / COPY --from=musl . / RUN rm /bin/ar COPY --from=binutils . / -FROM base as build-stage1 -ENV GO_SITE=https://dl.google.com/go -ENV GO_VERSION=1.4-bootstrap-20171003 -ENV GO_HASH=f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52 -ENV GOROOT_FINAL=/home/user/go-stage1 +FROM base as fetch +RUN set -eux; \ + wget ${SRC_SITE_BOOTSTRAP_1}/go${VERSION_BOOTSTRAP_1}.tar.gz; \ + echo "${SRC_HASH_BOOTSTRAP_1} go${VERSION_BOOTSTRAP_1}.tar.gz" | sha256sum -c; \ + wget ${SRC_SITE_BOOTSTRAP_2}/go${VERSION_BOOTSTRAP_2}.src.tar.gz; \ + echo "${SRC_HASH_BOOTSTRAP_2} go${VERSION_BOOTSTRAP_2}.src.tar.gz" | sha256sum -c; \ + wget ${SRC_SITE}/go${VERSION}.src.tar.gz; \ + echo "${SRC_HASH} go${VERSION}.src.tar.gz" | sha256sum -c + +FROM fetch as build +ENV GOROOT_FINAL=/home/user/go-bootstrap-1 ENV GOROOT=${GOROOT_FINAL} ENV DEST=${GOROOT_FINAL} ENV GOBIN=${GOROOT_FINAL}/bin -RUN wget ${GO_SITE}/go${GO_VERSION}.tar.gz -RUN echo "${GO_HASH} go${GO_VERSION}.tar.gz" | sha256sum -c -RUN tar -xzf go${GO_VERSION}.tar.gz -WORKDIR go +RUN set -eux; \ + tar -xzf 
go${VERSION_BOOTSTRAP_1}.tar.gz; \ + mv go go-bootstrap-1-src +WORKDIR go-bootstrap-1-src RUN set -eux; \ cd src; \ bash make.bash; \ cd ..; \ mkdir -p ${DEST}; \ cp -R bin lib pkg src ${DEST} - -FROM base as build-stage2 -COPY --from=build-stage1 /home/user/go-stage1 go-stage1 -ENV GO_VERSION=1.19.11 -ENV GO_HASH=e25c9ab72d811142b7f41ff6da5165fec2d1be5feec3ef2c66bc0bdecb431489 -ENV GO_SITE=https://storage.googleapis.com/golang ENV GO11MODULE=off -ENV GOROOT_BOOTSTRAP=/home/user/go-stage1 -ENV GOROOT_FINAL=/home/user/go-stage2 +ENV GOROOT_BOOTSTRAP=/home/user/go-bootstrap-1 +ENV GOROOT_FINAL=/home/user/go-bootstrap-2 ENV GOROOT=${GOROOT_FINAL} ENV DEST=${GOROOT_FINAL} ENV GOBIN=${GOROOT_FINAL}/bin -RUN wget ${GO_SITE}/go${GO_VERSION}.src.tar.gz -RUN echo "${GO_HASH} go${GO_VERSION}.src.tar.gz" | sha256sum -c -RUN tar -xvzf go${GO_VERSION}.src.tar.gz -WORKDIR go +RUN set -eux; \ + tar -xzf go${VERSION_BOOTSTRAP_2}.tar.gz; \ + mv go go-bootstrap-2-src +WORKDIR go-bootstrap-2-src RUN set -eux; \ cd src; \ bash make.bash; \ cd ..; \ mkdir -p ${DEST}; \ cp -R bin lib pkg src ${DEST} - -FROM base as build -COPY --from=build-stage2 /home/user/go-stage2 go-stage2 -ENV GO_VERSION=1.21.4 -ENV GO_HASH=47b26a83d2b65a3c1c1bcace273b69bee49a7a7b5168a7604ded3d26a37bd787 -ENV GO_SITE=https://storage.googleapis.com/golang ENV GOPROXY=off ENV GOTOOLCHAIN=local ENV GOFLAGS=-mod=vendor ENV GO11MODULE=on -ENV GOROOT_BOOTSTRAP=/home/user/go-stage2 +ENV GOROOT_BOOTSTRAP=/home/user/go-bootstrap-2 ENV GOROOT_FINAL="/lib/go" ENV GOBIN=${GOROOT_FINAL}/bin -ENV GOROOT=/home/user/go-stage2 -ENV DEST=/home/user/rootfs -RUN wget ${GO_SITE}/go${GO_VERSION}.src.tar.gz -RUN echo "${GO_HASH} go${GO_VERSION}.src.tar.gz" | sha256sum -c -RUN tar -xvzf go${GO_VERSION}.src.tar.gz -WORKDIR go +ENV GOROOT=/home/user/go-bootstrap-2 +RUN set -eux; \ + tar -xzf go${VERSION}.src.tar.gz; \ + mv go go-src +WORKDIR go-src RUN set -eux; \ cd src; \ bash make.bash; \ cd ..; \ - mkdir -p ${DEST}; \ - cp -R bin lib 
pkg src ${DEST} + +FROM build as install +USER 0:0 +RUN set -eux; \ + mkdir -p /rootfs; \ + cp -R bin lib pkg src /rootfs; \ + find /rootfs -exec touch -hcd "@0" "{}" + FROM base as test -COPY --from=build /home/user/rootfs / +COPY --from=install /rootfs / ADD test.go . RUN set -eux; \ go build test.go; \ ./test | grep "Success" FROM scratch as package -COPY --from=build /home/user/rootfs / +COPY --from=install /rootfs / USER 100:100 ENTRYPOINT ["/bin/go"] CMD ["version"] diff --git a/libtool/Dockerfile b/libtool/Dockerfile index d1e6151..fa90ea5 100644 --- a/libtool/Dockerfile +++ b/libtool/Dockerfile @@ -1,5 +1,4 @@ ARG REGISTRY=local -FROM ${REGISTRY}/busybox:latest as busybox FROM ${REGISTRY}/gcc:latest as gcc FROM ${REGISTRY}/binutils:latest as binutils FROM ${REGISTRY}/musl:latest as musl 
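Review bot: In go/Dockerfile the new `SRC_HASH` for `VERSION=1.21.4` is a copy of `SRC_HASH_BOOTSTRAP_2`, so the `sha256sum -c` for `go${VERSION}.src.tar.gz` cannot match the intended tarball. The removed `GO_HASH` line for 1.21.4 carried a different value, which should be restored as `ENV SRC_HASH=47b26a83d2b65a3c1c1bcace273b69bee49a7a7b5168a7604ded3d26a37bd787`; the expected value should come from that previous pin, not from whatever file happens to be downloaded. The second bootstrap extracts `go${VERSION_BOOTSTRAP_2}.tar.gz` while the fetch stage saves `go${VERSION_BOOTSTRAP_2}.src.tar.gz`, so the extract line should be `tar -xzf go${VERSION_BOOTSTRAP_2}.src.tar.gz; \`. `COPY --from=gcc . /` is now listed twice in the base stage and one copy can be removed.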
@@ -7,31 +6,40 @@ FROM ${REGISTRY}/make:latest as make FROM ${REGISTRY}/m4:latest as m4 FROM ${REGISTRY}/bash:latest as bash FROM ${REGISTRY}/sed:latest as sed +FROM ${REGISTRY}/busybox:latest as busybox -FROM busybox as build +FROM busybox as base ENV SRC_SITE=https://ftp.gnu.org/gnu/libtool ENV SRC_VERSION=2.4.6 ENV SRC_HASH=7c87a8c2c8c0fc9cd5019e402bed4292462d00a718a7cd5f11218153bf28b26f -RUN wget ${SRC_SITE}/libtool-${SRC_VERSION}.tar.xz -RUN echo "${SRC_HASH} libtool-${SRC_VERSION}.tar.xz" | sha256sum -c -RUN tar -xf libtool-${SRC_VERSION}.tar.xz -WORKDIR libtool-${SRC_VERSION} COPY --from=gcc . / COPY --from=binutils . / COPY --from=make . / COPY --from=musl . / COPY --from=m4 . / + +FROM base as fetch +RUN wget ${SRC_SITE}/libtool-${SRC_VERSION}.tar.xz +RUN echo "${SRC_HASH} libtool-${SRC_VERSION}.tar.xz" | sha256sum -c + +FROM fetch as build +RUN tar -xf libtool-${SRC_VERSION}.tar.xz +WORKDIR libtool-${SRC_VERSION} RUN set -eux; \ ./configure \ --prefix=/usr; \ make; -RUN make DESTDIR=/home/user/rootfs install -COPY --from=musl /usr/lib/libc.so /home/user/rootfs/lib/ld-musl-x86_64.so.1 -COPY --from=bash . /home/user/rootfs -COPY --from=sed . /home/user/rootfs -RUN ln -s /bin/bash /home/user/rootfs/bin/sh + +FROM build as install +USER 0:0 +RUN make DESTDIR=/rootfs install +COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1 +COPY --from=bash . /rootfs +COPY --from=sed . /rootfs +RUN ln -s /bin/bash /rootfs/bin/sh +RUN find /rootfs -exec touch -hcd "@0" "{}" + FROM scratch as package -COPY --from=build /home/user/rootfs / +COPY --from=install /rootfs / ENTRYPOINT ["/usr/bin/libtool"] CMD ["--version"] diff --git a/libunwind/Dockerfile b/libunwind/Dockerfile index 26e7cec..1c69209 100644 --- a/libunwind/Dockerfile +++ b/libunwind/Dockerfile @@ -1,5 +1,4 @@ ARG REGISTRY=local -FROM ${REGISTRY}/busybox as busybox FROM ${REGISTRY}/gcc as gcc FROM ${REGISTRY}/binutils as binutils FROM ${REGISTRY}/musl as musl 
@@ -7,15 +6,12 @@ FROM ${REGISTRY}/make as make FROM ${REGISTRY}/autoconf as autoconf FROM ${REGISTRY}/automake as automake FROM ${REGISTRY}/libtool as libtool +FROM ${REGISTRY}/busybox as busybox -FROM busybox as build +FROM busybox as base ENV SRC_SITE=https://github.com/libunwind/libunwind/releases/download ENV SRC_VERSION=1.7.2 ENV SRC_HASH=a18a6a24307443a8ace7a8acc2ce79fbbe6826cd0edf98d6326d0225d6a5d6e6 -RUN wget ${SRC_SITE}/v${SRC_VERSION}/libunwind-${SRC_VERSION}.tar.gz -RUN echo "${SRC_HASH} libunwind-${SRC_VERSION}.tar.gz" | sha256sum -c -RUN tar -xf libunwind-${SRC_VERSION}.tar.gz -WORKDIR libunwind-${SRC_VERSION} COPY --from=gcc . / COPY --from=make . / COPY --from=musl . / @@ -23,6 +19,14 @@ COPY --from=binutils . / COPY --from=autoconf . / COPY --from=automake . / COPY --from=libtool . / + +FROM base as fetch +RUN wget ${SRC_SITE}/v${SRC_VERSION}/libunwind-${SRC_VERSION}.tar.gz +RUN echo "${SRC_HASH} libunwind-${SRC_VERSION}.tar.gz" | sha256sum -c + +FROM fetch as build +RUN tar -xf libunwind-${SRC_VERSION}.tar.gz +WORKDIR libunwind-${SRC_VERSION} RUN set -eux; \ ./configure \ --build=x86_64-unknown-linux-musl \ @@ -35,7 +39,12 @@ RUN set -eux; \ --disable-tests \ --infodir=/usr/share/info || cat config.log; \ make; -RUN make DESTDIR=/home/user/rootfs install + +FROM build as install +USER 0:0 +RUN set -eux; \ + make DESTDIR=/rootfs install; \ + find /rootfs -exec touch -hcd "@0" "{}" + FROM scratch as package -COPY --from=build /home/user/rootfs / +COPY --from=install /rootfs / diff --git a/libxml2/Dockerfile b/libxml2/Dockerfile index a3af69b..186029c 100644 --- a/libxml2/Dockerfile +++ b/libxml2/Dockerfile @@ -1,5 +1,4 @@ ARG REGISTRY=local -FROM ${REGISTRY}/busybox:latest as busybox FROM ${REGISTRY}/gcc:latest as gcc FROM ${REGISTRY}/binutils:latest as binutils FROM ${REGISTRY}/musl:latest as musl 
@@ -10,15 +9,12 @@ FROM ${REGISTRY}/libtool:latest as libtool FROM ${REGISTRY}/pkgconf:latest as pkgconf FROM ${REGISTRY}/python:latest as python FROM ${REGISTRY}/m4:latest as m4 +FROM ${REGISTRY}/busybox:latest as busybox -FROM busybox as build +FROM busybox as base ENV SRC_SITE=https://gitlab.gnome.org/GNOME/libxml2/-/archive ENV SRC_VERSION=2.12.1 ENV SRC_HASH=1090e62c5a1900429f63e4681263b96e7829876ccbc66cf2d9266cd589f67286 -RUN wget ${SRC_SITE}/v${SRC_VERSION}/libxml2-v${SRC_VERSION}.tar.gz -RUN echo "${SRC_HASH} libxml2-v${SRC_VERSION}.tar.gz" | sha256sum -c -RUN tar -xf libxml2-v${SRC_VERSION}.tar.gz -WORKDIR libxml2-v${SRC_VERSION} COPY --from=gcc . / COPY --from=binutils . / COPY --from=make . / @@ -29,7 +25,14 @@ COPY --from=automake . / COPY --from=pkgconf . / COPY --from=libtool . / COPY --from=m4 . / -RUN ls -lah + +FROM base as fetch +RUN wget ${SRC_SITE}/v${SRC_VERSION}/libxml2-v${SRC_VERSION}.tar.gz +RUN echo "${SRC_HASH} libxml2-v${SRC_VERSION}.tar.gz" | sha256sum -c + +FROM fetch as build +RUN tar -xf libxml2-v${SRC_VERSION}.tar.gz +WORKDIR libxml2-v${SRC_VERSION} RUN set -eux; \ sh autogen.sh; \ ./configure \ @@ -40,9 +43,13 @@ RUN set -eux; \ --sysconfdir=/etc \ --mandir=/usr/share/man \ --infodir=/usr/share/info; \ - make; -RUN make DESTDIR=/home/user/rootfs install -RUN ls -Rlah /home/user/rootfs + make + +FROM build as install +USER 0:0 +RUN set -eux; \ + make DESTDIR=/rootfs install; \ + find /rootfs -exec touch -hcd "@0" "{}" + FROM scratch as package -COPY --from=build /home/user/rootfs / +COPY --from=install /rootfs / diff --git a/linux-headers/Dockerfile b/linux-headers/Dockerfile index edd4cee..0c88e67 100644 --- a/linux-headers/Dockerfile +++ b/linux-headers/Dockerfile 
@@ -1,21 +1,27 @@ ARG REGISTRY=local FROM ${REGISTRY}/musl:latest as musl -FROM ${REGISTRY}/bootstrap:latest as build - +FROM ${REGISTRY}/bootstrap:latest as base ENV SRC_SITE https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ ENV SRC_VERSION 6.6 ENV SRC_HASH d926a06c63dd8ac7df3f86ee1ffc2ce2a3b81a2d168484e76b5b389aba8e56d0 +FROM base as fetch RUN wget ${SRC_SITE}/linux-${SRC_VERSION}.tar.xz RUN echo "${SRC_HASH} linux-${SRC_VERSION}.tar.xz" | sha256sum -c + +FROM fetch as build RUN tar -xf linux-${SRC_VERSION}.tar.xz WORKDIR linux-${SRC_VERSION} -RUN set -ex; \ - make headers; \ +RUN make headers + +FROM build as install +USER 0:0 +RUN set -eux; \ mkdir -p /rootfs/usr; \ cp -a usr/include /rootfs/usr/; \ find /rootfs/usr/include/ ! -iname "*.h" -type f -exec rm -v {} \+; \ - rm -rf /rootfs/usr/include/drm; + rm -rf /rootfs/usr/include/drm; \ + find /rootfs -exec touch -hcd "@0" "{}" + FROM scratch as package -COPY --from=build /rootfs / +COPY --from=install /rootfs / diff --git a/llvm/Dockerfile b/llvm/Dockerfile index 84e3625..bead6ac 100644 --- a/llvm/Dockerfile +++ b/llvm/Dockerfile @@ -9,7 +9,9 @@ FROM ${REGISTRY}/py-setuptools as py-setuptools FROM ${REGISTRY}/cmake as cmake FROM ${REGISTRY}/ninja as ninja FROM ${REGISTRY}/curl as curl -FROM ${REGISTRY}/busybox as base +FROM ${REGISTRY}/busybox as busybox + +FROM busybox as base ARG VERSION ENV VERSION=${VERSION} ENV SRC_VERSION=${VERSION} 
@@ -70,17 +72,20 @@ RUN set -eux; \ -DLLVM_LINK_LLVM_DYLIB=ON \ -DLLVM_USE_PERF=ON; \ cmake --build build; \ - python3 llvm/utils/lit/setup.py build + python3 llvm/utils/lit/setup.py build; + +FROM build as install +USER 0:0 RUN set -eux; \ - export DESTDIR="/home/user/rootfs/"; \ - cmake --install build; \ - python3 llvm/utils/lit/setup.py install --root="$DESTDIR" -COPY --from=musl /lib/* /home/user/rootfs/lib/ -COPY --from=gcc /usr/lib/* /home/user/rootfs/usr/lib/ -COPY --from=gcc /usr/lib64/* /home/user/rootfs/usr/lib/ + DESTDIR="/rootfs" cmake --install build; \ + python3 llvm/utils/lit/setup.py install --root="/rootfs" +COPY --from=musl /lib/* /rootfs/lib/ +COPY --from=gcc /usr/lib/* /rootfs/usr/lib/ +COPY --from=gcc /usr/lib64/* /rootfs/usr/lib/ +RUN find /rootfs -exec touch -hcd "@0" "{}" + FROM scratch as package -COPY --from=build /home/user/rootfs / +COPY --from=install /rootfs / USER 100:100 ENTRYPOINT ["/usr/bin/llc"] CMD ["--version"] diff --git a/m4/Dockerfile b/m4/Dockerfile index 0965807..bdf22b4 100644 --- a/m4/Dockerfile +++ b/m4/Dockerfile @@ -1,11 +1,11 @@ ARG REGISTRY=local -FROM ${REGISTRY}/busybox:latest as busybox FROM ${REGISTRY}/gcc:latest as gcc FROM ${REGISTRY}/binutils:latest as binutils FROM ${REGISTRY}/musl:latest as musl FROM ${REGISTRY}/make:latest as make +FROM ${REGISTRY}/busybox:latest as busybox -FROM busybox as build +FROM busybox as base COPY --from=gcc . / COPY --from=binutils . / COPY --from=make . / 
@@ -13,19 +13,26 @@ COPY --from=musl . / ENV SRC_SITE=https://ftp.gnu.org/gnu/m4 ENV SRC_VERSION=1.4.19 ENV SRC_HASH=63aede5c6d33b6d9b13511cd0be2cac046f2e70fd0a07aa9573a04a82783af96 -RUN wget ${SRC_SITE}/m4-${SRC_VERSION}.tar.xz +FROM base as fetch +RUN wget ${SRC_SITE}/m4-${SRC_VERSION}.tar.xz RUN echo "${SRC_HASH} m4-${SRC_VERSION}.tar.xz" | sha256sum -c + +FROM fetch as build RUN tar -xf m4-${SRC_VERSION}.tar.xz WORKDIR m4-${SRC_VERSION} RUN set -eux; \ ./configure \ --prefix=/usr; \ make; -RUN make DESTDIR=/home/user/rootfs install -COPY --from=musl /usr/lib/libc.so /home/user/rootfs/lib/ld-musl-x86_64.so.1 + +FROM build as install +USER 0:0 +RUN make DESTDIR=/rootfs install +COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1 +RUN find /rootfs -exec touch -hcd "@0" "{}" + FROM scratch as package -COPY --from=build /home/user/rootfs / +COPY --from=install /rootfs / ENTRYPOINT ["/usr/bin/m4"] CMD ["--version"] diff --git a/make/Dockerfile b/make/Dockerfile index 42cc186..73a44aa 100644 --- a/make/Dockerfile +++ b/make/Dockerfile @@ -1,13 +1,17 @@ ARG REGISTRY=local FROM ${REGISTRY}/musl:latest as musl -FROM ${REGISTRY}/bootstrap:latest as build +FROM ${REGISTRY}/bootstrap:latest as bootstrap +FROM bootstrap as base ENV SRC_SITE https://ftp.gnu.org/gnu/make ENV SRC_VERSION 4.4 ENV SRC_HASH 581f4d4e872da74b3941c874215898a7d35802f03732bdccee1d4a7979105d18 +FROM base as fetch RUN wget ${SRC_SITE}/make-${SRC_VERSION}.tar.gz RUN echo "${SRC_HASH} make-${SRC_VERSION}.tar.gz" | sha256sum -c + +FROM fetch as build RUN tar -xf make-${SRC_VERSION}.tar.gz WORKDIR make-${SRC_VERSION} RUN set -ex; \ 
@@ -19,11 +23,15 @@ RUN set -ex; \ --mandir=/usr/share/man \ --infodir=/usr/share/info \ --disable-nls; \ - make -j "$(nproc)"; \ - make DESTDIR="/rootfs" install; + make -j "$(nproc)" + +FROM build as install +USER 0:0 +RUN make DESTDIR="/rootfs" install COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1 +RUN find /rootfs -exec touch -hcd "@0" "{}" + FROM scratch as package -COPY --from=build /rootfs / +COPY --from=install /rootfs / ENTRYPOINT ["/usr/bin/make"] CMD ["--version"] diff --git a/musl/Dockerfile b/musl/Dockerfile index 0009c2d..2c6d9c3 100644 --- a/musl/Dockerfile +++ b/musl/Dockerfile @@ -1,6 +1,7 @@ ARG REGISTRY=local -FROM ${REGISTRY}/bootstrap:latest as build +FROM ${REGISTRY}/bootstrap:latest as bootstrap +FROM bootstrap as base ENV SRC_SITE http://musl.libc.org ENV SRC_VERSION 1.2.4 ENV SRC_HASH 7a35eae33d5372a7c0da1188de798726f68825513b7ae3ebe97aaaa52114f039 @@ -8,8 +9,11 @@ ENV CFLAGS="-Os -fstack-clash-protection -Wformat -Werror=format-security" ENV CXXFLAGS="-Os -fstack-clash-protection -Wformat -Werror=format-security -D_GLIBCXX_ASSERTIONS=1 -D_LIBCPP_ENABLE_THREAD_SAFETY_ANNOTATIONS=1 -D_LIBCPP_ENABLE_HARDENED_MODE=1" ENV LDFLAGS="-Wl,--as-needed,-O1,--sort-common -Wl,-soname,libc.musl-x86_64.so.1" +FROM base as fetch RUN wget ${SRC_SITE}/releases/musl-$SRC_VERSION.tar.gz RUN echo "${SRC_HASH} musl-${SRC_VERSION}.tar.gz" | sha256sum -c + +FROM fetch as build RUN tar -xzf musl-${SRC_VERSION}.tar.gz WORKDIR musl-${SRC_VERSION} ADD lfs64.patch . 
@@ -26,17 +30,20 @@ RUN set -eux; \ --infodir=/usr/share/info \ --localstatedir=/var \ --enable-debug; \ - make; + make +FROM build as install +USER 0:0 RUN set -eux; \ - make DESTDIR=/home/user/rootfs install; \ - mkdir -p /home/user/rootfs/usr/bin; \ + make DESTDIR=/rootfs install; \ + mkdir -p /rootfs/usr/bin; \ printf "%s\n%s\n" '#!/bin/sh' 'exec /lib/ld-musl-x86_64.so.1 --list "$@"' \ - > /home/user/rootfs/usr/bin/ldd; \ - chmod 755 /home/user/rootfs/usr/bin/ldd; \ - mv -f /home/user/rootfs/usr/lib/libc.so /home/user/rootfs/lib/ld-musl-x86_64.so.1; \ - ln -sf ld-musl-x86_64.so.1 /home/user/rootfs/lib/libc.musl-x86_64.so.1; \ - ln -sf ../../lib/ld-musl-x86_64.so.1 /home/user/rootfs/usr/lib/libc.so; + > /rootfs/usr/bin/ldd; \ + chmod 755 /rootfs/usr/bin/ldd; \ + mv -f /rootfs/usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1; \ + ln -sf ld-musl-x86_64.so.1 /rootfs/lib/libc.musl-x86_64.so.1; \ + ln -sf ../../lib/ld-musl-x86_64.so.1 /rootfs/usr/lib/libc.so; \ + find /rootfs -exec touch -hcd "@0" "{}" + FROM scratch as package -COPY --from=build /home/user/rootfs / +COPY --from=install /rootfs / diff --git a/ninja/Dockerfile b/ninja/Dockerfile index fda25d8..d2e94bd 100644 --- a/ninja/Dockerfile +++ b/ninja/Dockerfile 
@@ -1,42 +1,48 @@ ARG REGISTRY=local -FROM ${REGISTRY}/busybox:latest as busybox FROM ${REGISTRY}/gcc:latest as gcc FROM ${REGISTRY}/binutils:latest as binutils FROM ${REGISTRY}/musl:latest as musl FROM ${REGISTRY}/make:latest as make FROM ${REGISTRY}/openssl:latest as openssl FROM ${REGISTRY}/python:latest as python +FROM ${REGISTRY}/busybox:latest as busybox -FROM busybox as build +FROM busybox as base ENV SRC_SITE=https://github.com/martine/ninja/archive/ ENV SRC_VERSION=1.9.0 ENV SRC_HASH=5d7ec75828f8d3fd1a0c2f31b5b0cea780cdfe1031359228c428c1a48bfcd5b9 -RUN wget ${SRC_SITE}/v${SRC_VERSION}.tar.gz -RUN echo "${SRC_HASH} v${SRC_VERSION}.tar.gz" | sha256sum -c -RUN tar -xf v${SRC_VERSION}.tar.gz -WORKDIR ninja-${SRC_VERSION} -ADD fix-musl.patch . -RUN patch -p1 < fix-musl.patch COPY --from=binutils . / COPY --from=make . / COPY --from=python . / COPY --from=musl . / COPY --from=gcc . / +FROM base as fetch +RUN wget ${SRC_SITE}/v${SRC_VERSION}.tar.gz +RUN echo "${SRC_HASH} v${SRC_VERSION}.tar.gz" | sha256sum -c + +FROM fetch as build +RUN tar -xf v${SRC_VERSION}.tar.gz +WORKDIR ninja-${SRC_VERSION} +ADD fix-musl.patch . +RUN patch -p1 < fix-musl.patch # HACK: figure out why gcc package puts these in the wrong path at install time COPY --from=gcc /usr/lib64/* /usr/lib/ - RUN set -eux; \ - python3 ./configure.py --bootstrap; \ - mkdir -p /home/user/rootfs/usr/bin/; \ - cp ninja /home/user/rootfs/usr/bin/ + python3 ./configure.py --bootstrap +FROM build as install +USER 0:0 +RUN set -eux; \ + mkdir -p /rootfs/usr/bin/; \ + cp ninja /rootfs/usr/bin/ # HACK: figure out why gcc package puts these in the wrong path at install time -COPY --from=gcc /usr/lib64/* /home/user/rootfs/usr/lib/ -COPY --from=musl . /home/user/rootfs/ +COPY --from=gcc /usr/lib64/* /rootfs/usr/lib/ +COPY --from=musl . 
/rootfs/ +RUN find /rootfs -exec touch -hcd "@0" "{}" + FROM scratch as package -COPY --from=build /home/user/rootfs / +COPY --from=install /rootfs / USER 100:100 ENTRYPOINT ["/usr/bin/ninja"] CMD ["--version"] diff --git a/openssl/Dockerfile b/openssl/Dockerfile index 10714c6..fc7c929 100644 --- a/openssl/Dockerfile +++ b/openssl/Dockerfile @@ -1,24 +1,28 @@ ARG REGISTRY=local -FROM ${REGISTRY}/busybox:latest as busybox FROM ${REGISTRY}/gcc:latest as gcc FROM ${REGISTRY}/binutils:latest as binutils FROM ${REGISTRY}/musl:latest as musl FROM ${REGISTRY}/make:latest as make FROM ${REGISTRY}/perl:latest as perl FROM ${REGISTRY}/linux-headers:latest as linux-headers +FROM ${REGISTRY}/busybox:latest as busybox -FROM busybox as build +FROM busybox as base +ENV SRC_SITE=https://www.openssl.org/source +ENV SRC_VERSION=3.0.12 +ENV SRC_HASH=f93c9e8edde5e9166119de31755fc87b4aa34863662f67ddfcba14d0b6b69b61 COPY --from=gcc . / COPY --from=binutils . / COPY --from=make . / COPY --from=musl . / COPY --from=perl . / COPY --from=linux-headers . / -ENV SRC_SITE=https://www.openssl.org/source -ENV SRC_VERSION=3.0.12 -ENV SRC_HASH=f93c9e8edde5e9166119de31755fc87b4aa34863662f67ddfcba14d0b6b69b61 + +FROM base as fetch RUN wget ${SRC_SITE}/openssl-${SRC_VERSION}.tar.gz RUN echo "${SRC_HASH} openssl-${SRC_VERSION}.tar.gz" | sha256sum -c + +FROM fetch as build RUN tar -xf openssl-${SRC_VERSION}.tar.gz WORKDIR openssl-${SRC_VERSION} RUN set -eux; \ @@ -41,11 +45,16 @@ RUN set -eux; \ no-seed \ no-weak-ssl-ciphers \ linux-x86_64; \ - make; \ - make DESTDIR=/home/user/rootfs install + make + +FROM build as install +USER 0:0 +RUN set -eux; \ + make DESTDIR=/rootfs install; \ + find /rootfs -exec touch -hcd "@0" "{}" + FROM scratch as package -COPY --from=build /home/user/rootfs / +COPY --from=install /rootfs / USER 100:100 ENTRYPOINT ["/usr/bin/openssl"] CMD ["version"] diff --git a/perl/Dockerfile b/perl/Dockerfile index 5746eb2..4370484 100644 --- a/perl/Dockerfile +++ b/perl/Dockerfile 
@@ -1,22 +1,26 @@ ARG REGISTRY=local -FROM ${REGISTRY}/busybox:latest as busybox FROM ${REGISTRY}/gcc:latest as gcc FROM ${REGISTRY}/binutils:latest as binutils FROM ${REGISTRY}/musl:latest as musl FROM ${REGISTRY}/make:latest as make +FROM ${REGISTRY}/busybox:latest as busybox -FROM busybox as build +FROM busybox as base ENV SRC_SITE=https://www.cpan.org/src/5.0 ENV SRC_VERSION=5.38.0 ENV SRC_HASH=eca551caec3bc549a4e590c0015003790bdd1a604ffe19cc78ee631d51f7072e -RUN wget ${SRC_SITE}/perl-${SRC_VERSION}.tar.xz -RUN echo "${SRC_HASH} perl-${SRC_VERSION}.tar.xz" | sha256sum -c -RUN tar -xf perl-${SRC_VERSION}.tar.xz -WORKDIR perl-${SRC_VERSION} COPY --from=gcc . / COPY --from=binutils . / COPY --from=make . / COPY --from=musl . / + +FROM base as fetch +RUN wget ${SRC_SITE}/perl-${SRC_VERSION}.tar.xz +RUN echo "${SRC_HASH} perl-${SRC_VERSION}.tar.xz" | sha256sum -c + +FROM fetch as build +RUN tar -xf perl-${SRC_VERSION}.tar.xz +WORKDIR perl-${SRC_VERSION} RUN set -eux; \ ./Configure \ -des \ @@ -45,12 +49,18 @@ RUN set -eux; \ -Ud_fpos64_t \ -Ud_off64_t \ -Dusenm; \ - make; \ - make DESTDIR=/home/user/rootfs install -COPY --from=musl /usr/lib/libc.so /home/user/rootfs/lib/ld-musl-x86_64.so.1 + make + +FROM build as install +USER 0:0 +RUN set -eux; \ + make DESTDIR=/rootfs install; \ + mkdir -p /rootfs/lib +COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1 +RUN find /rootfs -exec touch -hcd "@0" "{}" + FROM scratch as package -COPY --from=build /home/user/rootfs / +COPY --from=install /rootfs / USER 100:100 ENTRYPOINT ["/usr/bin/perl"] CMD ["--version"] diff --git a/pkgconf/Dockerfile b/pkgconf/Dockerfile index b4066e5..c50f0f3 100644 --- a/pkgconf/Dockerfile +++ b/pkgconf/Dockerfile 
@@ -1,31 +1,38 @@ ARG REGISTRY=local -FROM ${REGISTRY}/busybox:latest as busybox FROM ${REGISTRY}/gcc:latest as gcc FROM ${REGISTRY}/binutils:latest as binutils FROM ${REGISTRY}/musl:latest as musl FROM ${REGISTRY}/make:latest as make +FROM ${REGISTRY}/busybox:latest as busybox -FROM busybox as build +FROM busybox as base ENV SRC_SITE=https://distfiles.ariadne.space/pkgconf/ ENV SRC_VERSION=1.6.3 ENV SRC_HASH=61f0b31b0d5ea0e862b454a80c170f57bad47879c0c42bd8de89200ff62ea210 -RUN wget ${SRC_SITE}/pkgconf-${SRC_VERSION}.tar.xz -RUN echo "${SRC_HASH} pkgconf-${SRC_VERSION}.tar.xz" | sha256sum -c -RUN tar -xf pkgconf-${SRC_VERSION}.tar.xz -WORKDIR pkgconf-${SRC_VERSION} COPY --from=gcc . / COPY --from=binutils . / COPY --from=make . / COPY --from=musl . / + +FROM base as fetch +RUN wget ${SRC_SITE}/pkgconf-${SRC_VERSION}.tar.xz +RUN echo "${SRC_HASH} pkgconf-${SRC_VERSION}.tar.xz" | sha256sum -c +RUN tar -xf pkgconf-${SRC_VERSION}.tar.xz +WORKDIR pkgconf-${SRC_VERSION} RUN set -eux; \ ./configure \ --prefix=/usr; \ - make; -RUN make DESTDIR=/home/user/rootfs install -RUN ln -s pkgconf /home/user/rootfs/usr/bin/pkg-config -COPY --from=musl /usr/lib/libc.so /home/user/rootfs/lib/ld-musl-x86_64.so.1 + make + +FROM build as install +USER 0:0 +RUN set -eux; \ + make DESTDIR=/rootfs install; \ + ln -s pkgconf /rootfs/usr/bin/pkg-config +COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1 +RUN find /rootfs -exec touch -hcd "@0" "{}" + FROM scratch as package -COPY --from=build /home/user/rootfs / +COPY --from=install /rootfs / ENTRYPOINT ["/usr/bin/pkgconf"] CMD ["--version"] diff --git a/py-setuptools/Dockerfile b/py-setuptools/Dockerfile index 918b236..dbd1e56 100644 --- a/py-setuptools/Dockerfile +++ b/py-setuptools/Dockerfile 
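Review bot: pkgconf/Dockerfile ends up with no stage named `build`: the old `FROM busybox as build` became `base` and `FROM base as fetch` was added, but `FROM fetch as build` is missing, so `FROM build as install` no longer refers to a local stage. Docker would then treat `build` as an image reference and try to pull it, which either fails or brings in an image that is not part of this tree. It also leaves `tar`, `./configure` and `make` running inside `fetch`, the stage the README gives internet access. Add `FROM fetch as build` between the `sha256sum -c` line and `RUN tar -xf pkgconf-${SRC_VERSION}.tar.xz`.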
@@ -1,20 +1,28 @@ ARG REGISTRY=local -FROM ${REGISTRY}/busybox:latest as busybox FROM ${REGISTRY}/python:latest as python +FROM ${REGISTRY}/busybox:latest as busybox -FROM busybox as build +FROM busybox as base ENV SRC_SITE=https://pypi.io/packages/source/s/setuptools ENV SRC_VERSION=68.2.2 ENV SRC_HASH=4ac1475276d2f1c48684874089fefcd83bd7162ddaafb81fac866ba0db282a87 +COPY --from=python . / + +FROM base as fetch RUN wget ${SRC_SITE}/setuptools-${SRC_VERSION}.tar.gz RUN echo "${SRC_HASH} setuptools-${SRC_VERSION}.tar.gz" | sha256sum -c + +FROM fetch as build RUN tar -xzf setuptools-${SRC_VERSION}.tar.gz WORKDIR setuptools-${SRC_VERSION} -COPY --from=python . / RUN set -eux; \ - python3 setup.py build; \ - python3 setup.py install --root=/home/user/rootfs; \ - ls -Rlah /home/user/rootfs + python3 setup.py build + +FROM build as install +USER 0:0 +RUN set -eux; \ + python3 setup.py install --root=/rootfs; \ + find /rootfs -exec touch -hcd "@0" "{}" + FROM scratch as package -COPY --from=build /home/user/rootfs / +COPY --from=install /rootfs / diff --git a/python/Dockerfile b/python/Dockerfile index c4d3f79..1e4b2df 100644 --- a/python/Dockerfile +++ b/python/Dockerfile 
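Review bot: In the new install stage of py-setuptools/Dockerfile, `python3 setup.py install --root=/rootfs` byte-compiles the modules and the following `find /rootfs -exec touch -hcd "@0" "{}" +` then resets the mtime of every `.py` file. Timestamp-based `.pyc` files record the source mtime, so the cached bytecode is likely to be treated as stale on every import. The same pattern appears in python/Dockerfile after `make DESTDIR=/rootfs install`, where the image runs as `USER 100:100` and probably cannot rewrite the cache. Setting `SOURCE_DATE_EPOCH` in the install stage (for example `ENV SOURCE_DATE_EPOCH=0` before the `RUN`) makes `py_compile` emit hash-based `.pyc` files that do not depend on mtimes; this is worth confirming with a test import from the packaged image.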
@@ -1,24 +1,28 @@ ARG REGISTRY=local -FROM ${REGISTRY}/busybox:latest as busybox FROM ${REGISTRY}/gcc:latest as gcc FROM ${REGISTRY}/binutils:latest as binutils FROM ${REGISTRY}/musl:latest as musl FROM ${REGISTRY}/make:latest as make FROM ${REGISTRY}/openssl:latest as openssl +FROM ${REGISTRY}/busybox:latest as busybox -FROM busybox as build +FROM busybox as base ENV SRC_SITE=https://www.python.org/ftp/python ENV SRC_VERSION=3.12.0 ENV SRC_HASH=795c34f44df45a0e9b9710c8c71c15c671871524cd412ca14def212e8ccb155d -RUN wget ${SRC_SITE}/${SRC_VERSION}/Python-${SRC_VERSION}.tar.xz -RUN echo "${SRC_HASH} Python-${SRC_VERSION}.tar.xz" | sha256sum -c -RUN tar -xf Python-${SRC_VERSION}.tar.xz -WORKDIR Python-${SRC_VERSION} COPY --from=gcc . / COPY --from=binutils . / COPY --from=make . / COPY --from=musl . / COPY --from=openssl . / + +FROM base as fetch +RUN wget ${SRC_SITE}/${SRC_VERSION}/Python-${SRC_VERSION}.tar.xz +RUN echo "${SRC_HASH} Python-${SRC_VERSION}.tar.xz" | sha256sum -c + +FROM fetch as build +RUN tar -xf Python-${SRC_VERSION}.tar.xz +WORKDIR Python-${SRC_VERSION} RUN set -eux; \ ./configure \ --build="x86_64-linux-musl" \ @@ -30,13 +34,18 @@ RUN set -eux; \ --with-lto \ --with-computed-gotos \ --without-ensurepip; \ - make; \ - make DESTDIR=/home/user/rootfs install -RUN ln -s /usr/bin/python3 /home/user/rootfs/usr/bin/python -COPY --from=musl . /home/user/rootfs/ + make + +FROM build as install +USER 0:0 +RUN set -eux; \ + make DESTDIR=/rootfs install; \ + ln -s /usr/bin/python3 /rootfs/usr/bin/python +COPY --from=musl . /rootfs/ +RUN find /rootfs -exec touch -hcd "@0" "{}" + FROM scratch as package -COPY --from=build /home/user/rootfs / +COPY --from=install /rootfs / USER 100:100 ENTRYPOINT ["/usr/bin/python"] CMD ["--version"] diff --git a/rust/Dockerfile b/rust/Dockerfile index e1f4656..11a3ad5 100644 --- a/rust/Dockerfile +++ b/rust/Dockerfile 
@@ -17,8 +17,9 @@ FROM ${REGISTRY}/zlib as zlib FROM ${REGISTRY}/openssl as openssl FROM ${REGISTRY}/pkgconf as pkgconf FROM ${REGISTRY}/llvm:${LLVM_VERSION} as llvm +FROM ${REGISTRY}/busybox as busybox -FROM ${REGISTRY}/busybox as base +FROM busybox as base ENV BOOTSTRAP_VERSION=1.54.0 ENV SRC_SITE=https://static.rust-lang.org/dist ENV MRUSTC_VERSION=16d744fd62e74a2d4356df864b5850bf782918da @@ -101,20 +102,20 @@ RUN make -f minicargo.mk LLVM_CONFIG=/usr/bin/llvm-config output/rustc RUN make -f minicargo.mk LLVM_CONFIG=/usr/bin/llvm-config output/cargo RUN make -C run_rustc LLVM_CONFIG=/usr/bin/llvm-config RUN set -eux; \ - mkdir -p /home/user/rootfs/usr/bin /home/user/rootfs/usr/lib; \ - cp -R run_rustc/output/prefix/* /home/user/rootfs/; \ - rm /home/user/rootfs/bin/rustc; \ - mv /home/user/rootfs/bin/rustc_binary /home/user/rootfs/usr/bin/rustc; \ - mv /home/user/rootfs/bin/cargo /home/user/rootfs/usr/bin/; \ - mv /home/user/rootfs/lib/rustlib /home/user/rootfs/usr/lib/rustlib; \ - mv /home/user/rootfs/usr/lib/rustlib/x86_64-unknown-linux-musl/lib/librustc_driver.so /home/user/rootfs/usr/lib/ -COPY --from=musl /lib/* /home/user/rootfs/lib/ -COPY --from=gcc /usr/lib/* /home/user/rootfs/usr/lib/ -COPY --from=gcc /usr/lib64/* /home/user/rootfs/usr/lib/ + mkdir -p /rootfs/usr/bin /rootfs/usr/lib; \ + cp -R run_rustc/output/prefix/* /rootfs/; \ + rm /rootfs/bin/rustc; \ + mv /rootfs/bin/rustc_binary /rootfs/usr/bin/rustc; \ + mv /rootfs/bin/cargo /rootfs/usr/bin/; \ + mv /rootfs/lib/rustlib /rootfs/usr/lib/rustlib; \ + mv /rootfs/usr/lib/rustlib/x86_64-unknown-linux-musl/lib/librustc_driver.so /rootfs/usr/lib/ +COPY --from=musl /lib/* /rootfs/lib/ +COPY --from=gcc /usr/lib/* /rootfs/usr/lib/ +COPY --from=gcc /usr/lib64/* /rootfs/usr/lib/ FROM scratch as bootstrap-package USER 100:100 -COPY --from=bootstrap-build /home/user/rootfs/ / +COPY --from=bootstrap-build /rootfs/ / ENTRYPOINT ["/usr/bin/rustc"] CMD ["--version"] 
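Review bot: The bootstrap-build steps in rust/Dockerfile now write to `/rootfs`, but the `@@ -101,20 +102,20 @@` hunk shows neither the `USER 0:0` nor the `find /rootfs -exec touch -hcd "@0" "{}" +` that the other install stages in this patch get. If the stage still runs as the unprivileged user the README describes for `base`, `mkdir -p /rootfs/usr/bin /rootfs/usr/lib` may be unable to create a directory at the filesystem root, and in either case `bootstrap-package` is copied out with build-time timestamps. The stage starts above the hunk, so an earlier `USER` line may exist. If it does not, add `USER 0:0` before the `RUN set -eux;` block and `RUN find /rootfs -exec touch -hcd "@0" "{}" +` after the last `COPY --from=gcc` line.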
@@ -139,7 +140,7 @@ RUN set -eux; \ --release-channel="stable" \ --enable-local-rust \ --local-rust-root="/usr" \ - --sysconfdir="/home/user/rootfs/etc" \ + --sysconfdir="/rootfs/etc" \ --llvm-root="/usr/lib/llvm${LLVM_VERSION}" \ --disable-docs \ --tools="cargo" \ @@ -149,7 +150,7 @@ RUN set -eux; \ --enable-vendor \ --dist-compression-formats=gz \ --python="python3" \ - --set="install.prefix=/home/user/rootfs/usr" \ + --set="install.prefix=/rootfs/usr" \ --set="build.extended=true" \ --set="rust.musl-root=/usr" \ --set="rust.backtrace-on-ice=true" \ @@ -167,14 +168,18 @@ RUN set -eux; \ --set="target.x86_64-unknown-linux-musl.ar=ar" \ --set="target.x86_64-unknown-linux-musl.linker=cc"; \ python3 x.py dist + +FROM build as install +USER 0:0 RUN python3 x.py install -COPY --from=musl /lib/* /home/user/rootfs/lib/ -COPY --from=gcc /usr/lib/* /home/user/rootfs/usr/lib/ -COPY --from=gcc /usr/lib64/* /home/user/rootfs/usr/lib/ -COPY --from=llvm /usr/lib/* /home/user/rootfs/usr/lib/ +COPY --from=musl /lib/* /rootfs/lib/ +COPY --from=gcc /usr/lib/* /rootfs/usr/lib/ +COPY --from=gcc /usr/lib64/* /rootfs/usr/lib/ +COPY --from=llvm /usr/lib/* /rootfs/usr/lib/ +RUN find /rootfs -exec touch -hcd "@0" "{}" + FROM scratch as package USER 100:100 -COPY --from=build /home/user/rootfs/ / +COPY --from=install /rootfs/ / ENTRYPOINT ["/usr/bin/rustc"] CMD ["--version"] diff --git a/sed/Dockerfile b/sed/Dockerfile index e449b72..dabf98b 100644 --- a/sed/Dockerfile +++ b/sed/Dockerfile 
@@ -1,31 +1,39 @@ ARG REGISTRY=local -FROM ${REGISTRY}/busybox:latest as busybox FROM ${REGISTRY}/gcc:latest as gcc FROM ${REGISTRY}/binutils:latest as binutils FROM ${REGISTRY}/musl:latest as musl FROM ${REGISTRY}/make:latest as make FROM ${REGISTRY}/bash:latest as bash +FROM ${REGISTRY}/busybox:latest as busybox -FROM busybox as build +FROM busybox as base ENV SRC_SITE=https://ftp.gnu.org/gnu/sed ENV SRC_VERSION=4.9 ENV SRC_HASH=6e226b732e1cd739464ad6862bd1a1aba42d7982922da7a53519631d24975181 -RUN wget ${SRC_SITE}/sed-${SRC_VERSION}.tar.xz -RUN echo "${SRC_HASH} sed-${SRC_VERSION}.tar.xz" | sha256sum -c -RUN tar -xf sed-${SRC_VERSION}.tar.xz -WORKDIR sed-${SRC_VERSION} COPY --from=gcc . / COPY --from=binutils . / COPY --from=make . / COPY --from=musl . / + +FROM base as fetch +RUN wget ${SRC_SITE}/sed-${SRC_VERSION}.tar.xz +RUN echo "${SRC_HASH} sed-${SRC_VERSION}.tar.xz" | sha256sum -c + +FROM fetch as build +RUN tar -xf sed-${SRC_VERSION}.tar.xz +WORKDIR sed-${SRC_VERSION} RUN set -eux; \ ./configure \ --prefix=/; \ - make; -RUN make DESTDIR=/home/user/rootfs install -COPY --from=musl /usr/lib/libc.so /home/user/rootfs/lib/ld-musl-x86_64.so.1 + make + +FROM build as install +USER 0:0 +RUN make DESTDIR=/rootfs install +COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1 +RUN find /rootfs -exec touch -hcd "@0" "{}" + FROM scratch as package -COPY --from=build /home/user/rootfs / +COPY --from=install /rootfs / ENTRYPOINT ["/bin/sed"] CMD ["--version"] diff --git a/zlib/Dockerfile b/zlib/Dockerfile index 95056dc..81e656d 100644 --- a/zlib/Dockerfile +++ b/zlib/Dockerfile 
@@ -1,20 +1,24 @@ ARG REGISTRY=local -FROM ${REGISTRY}/busybox:latest as busybox FROM ${REGISTRY}/gcc:latest as gcc FROM ${REGISTRY}/binutils:latest as binutils FROM ${REGISTRY}/musl:latest as musl FROM ${REGISTRY}/make:latest as make +FROM ${REGISTRY}/busybox:latest as busybox -FROM busybox as build +FROM busybox as base +ENV SRC_SITE=https://www.zlib.net/ +ENV SRC_VERSION=1.3 +ENV SRC_HASH=ff0ba4c292013dbc27530b3a81e1f9a813cd39de01ca5e0f8bf355702efa593e COPY --from=gcc . / COPY --from=binutils . / COPY --from=make . / COPY --from=musl . / -ENV SRC_SITE=https://www.zlib.net/ -ENV SRC_VERSION=1.3 -ENV SRC_HASH=ff0ba4c292013dbc27530b3a81e1f9a813cd39de01ca5e0f8bf355702efa593e + +FROM base as fetch RUN wget ${SRC_SITE}/zlib-${SRC_VERSION}.tar.gz RUN echo "${SRC_HASH} zlib-${SRC_VERSION}.tar.gz" | sha256sum -c + +FROM fetch as build RUN tar -xf zlib-${SRC_VERSION}.tar.gz WORKDIR zlib-${SRC_VERSION} RUN set -eux; \ @@ -22,8 +26,13 @@ RUN set -eux; \ --prefix=/usr \ --libdir=/lib \ --shared; \ - make; -RUN make DESTDIR=/home/user/rootfs install + make + +FROM build as install +USER 0:0 +RUN set -eux; \ + make DESTDIR=/rootfs install; \ + find /rootfs -exec touch -hcd "@0" "{}" + FROM scratch as package -COPY --from=build /home/user/rootfs / +COPY --from=install /rootfs /