From c2f3edeccade3fc7da7895024297c1e9c48af791 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Mon, 5 Feb 2024 10:29:14 -0800
Subject: [PATCH] refactor bootstrap
---
src/bootstrap/stage0/Containerfile | 126 +++++------
src/bootstrap/stage1/Containerfile | 99 +++++----
src/bootstrap/stage2/Containerfile | 232 +++++++++++----------
src/bootstrap/stage3/Containerfile | 322 +++++++++++++++--------------
4 files changed, 405 insertions(+), 374 deletions(-)
diff --git a/src/bootstrap/stage0/Containerfile b/src/bootstrap/stage0/Containerfile
index 7d9d0e9..cfffc41 100644
--- a/src/bootstrap/stage0/Containerfile
+++ b/src/bootstrap/stage0/Containerfile
@@ -1,69 +1,49 @@ -ARG VERSION=1.6.0 -ARG SRC_SITE=https://github.com/oriansj/stage0-posix/releases/download -ARG SRC_HASH=9260ff69278366e5c056af7b8c436b74773eaa1330a0c6a6b8ab1b5f92e5065c FROM alpine@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48 as apline FROM debian@sha256:bac353db4cc04bc672b14029964e686cd7bad56fe34b51f432c1a1304b9928da as debian -FROM archlinux@sha256:1f83ba0580a15cd6ad1d02d62ad432ddc940f53f07d0e39c8982d6c9c74e53e0 as archlinux +FROM archlinux@sha256:1f83ba0580a15cd6ad1d02d62ad432ddc940f53f07d0e39c8982d6c9c74e53e0 as arch -FROM debian as build1 -ARG VERSION -ENV VERSION=${VERSION} -ARG SRC_SITE -ENV SRC_SITE=${SRC_SITE} -ARG SRC_HASH -ENV SRC_HASH=${SRC_HASH} -RUN apt update && apt install -y wget gcc -RUN set -eux; \ - wget ${SRC_SITE}/Release_${VERSION}/stage0-posix-${VERSION}.tar.gz; \ - echo "${SRC_HASH} stage0-posix-${VERSION}.tar.gz" | sha256sum -c; \ - tar -xf stage0-posix-${VERSION}.tar.gz -WORKDIR stage0-posix-${VERSION} -RUN set -eux; \ - bootstrap-seeds/POSIX/x86/kaem-optional-seed; \ - mkdir -p /rootfs && cp -R * /rootfs/ -WORKDIR /rootfs -RUN sha256sum x86/bin/* > hashes.txt; \ - find . -exec touch -hcd "@0" "{}" + +FROM scratch as base +ENV VERSION=1.6.0 +ENV SRC_SITE=https://github.com/oriansj/stage0-posix/releases/download +ENV SRC_HASH=9260ff69278366e5c056af7b8c436b74773eaa1330a0c6a6b8ab1b5f92e5065c +COPY <<-EOF build.sh + #!/bin/sh + set -eux + wget ${SRC_SITE}/Release_${VERSION}/stage0-posix-${VERSION}.tar.gz + echo "${SRC_HASH} stage0-posix-${VERSION}.tar.gz" | sha256sum -c + tar -xf stage0-posix-${VERSION}.tar.gz + cd stage0-posix-${VERSION} + bootstrap-seeds/POSIX/x86/kaem-optional-seed + mkdir -p /rootfs && cp -R * /rootfs/ + cd /rootfs + sha256sum x86/bin/* > hashes.txt; \ + find . 
-exec touch -hcd "@0" "{}" + +EOF -FROM archlinux as build2 -ARG VERSION -ENV VERSION=${VERSION} -ARG SRC_SITE -ENV SRC_SITE=${SRC_SITE} -ARG SRC_HASH -ENV SRC_HASH=${SRC_HASH} -RUN pacman -Sy --noconfirm wget gcc -RUN set -eux; \ - wget ${SRC_SITE}/Release_${VERSION}/stage0-posix-${VERSION}.tar.gz; \ - echo "${SRC_HASH} stage0-posix-${VERSION}.tar.gz" | sha256sum -c; \ - tar -xf stage0-posix-${VERSION}.tar.gz -WORKDIR stage0-posix-${VERSION} -RUN set -eux; \ - bootstrap-seeds/POSIX/x86/kaem-optional-seed; \ - mkdir -p /rootfs && cp -R * /rootfs/ -WORKDIR /rootfs -RUN sha256sum x86/bin/* > hashes.txt; \ - find . -exec touch -hcd "@0" "{}" + +FROM base as build1 +COPY --from=debian . / +RUN --mount=type=cache,target=/var/cache/apt <<-EOF + set -eux + apt update + apt install -y wget gcc + sh build.sh +EOF -FROM alpine as build3 -ARG VERSION -ENV VERSION=${VERSION} -ARG SRC_SITE -ENV SRC_SITE=${SRC_SITE} -ARG SRC_HASH -ENV SRC_HASH=${SRC_HASH} -RUN apk add wget gcc -RUN set -eux; \ - wget ${SRC_SITE}/Release_${VERSION}/stage0-posix-${VERSION}.tar.gz; \ - echo "${SRC_HASH} stage0-posix-${VERSION}.tar.gz" | sha256sum -c; \ - tar -xf stage0-posix-${VERSION}.tar.gz -WORKDIR stage0-posix-${VERSION} -RUN set -eux; \ - bootstrap-seeds/POSIX/x86/kaem-optional-seed; \ - mkdir -p /rootfs && cp -R * /rootfs/ -WORKDIR /rootfs -RUN sha256sum x86/bin/* > hashes.txt; \ - find . -exec touch -hcd "@0" "{}" + +FROM base as build2 +COPY --from=arch . / +RUN --mount=type=cache,target=/var/cache/pacman/pkg <<-EOF + set -eux + pacman -Sy --noconfirm wget gcc + sh build.sh +EOF + +FROM base as build3 +COPY --from=alpine . / +RUN --mount=type=cache,target=/var/cache/apk <<-EOF + set -eux + apk add wget gcc + sh build.sh +EOF FROM scratch as compare COPY --from=build1 /rootfs/ /a 
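Review bot: `COPY --from=alpine . /` in build3 does not name a stage in this file, because the digest-pinned Alpine stage on the first FROM line is declared `as apline`. With no stage called `alpine`, the builder should treat the name as an image reference, so build3 would be populated from whatever the `alpine` tag currently points to rather than from the pinned digest, while build1 and build2 do use their pinned stages (`debian`, `arch`). Renaming the alias fixes it: `FROM alpine@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48 as alpine`. The misspelling predates this commit (the removed `FROM alpine as build3` had the same effect), but the `archlinux` to `arch` rename in this hunk touches the line right next to it.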
@@ -72,26 +52,26 @@ COPY --from=build3 /rootfs/ /c FROM compare as test1 WORKDIR /a -RUN ["x86/bin/sha256sum","-c","/a/hashes.txt"] -RUN ["x86/bin/sha256sum","-c","/b/hashes.txt"] -RUN ["x86/bin/sha256sum","-c","/c/hashes.txt"] +RUN --network=none ["x86/bin/sha256sum","-c","/a/hashes.txt"] +RUN --network=none ["x86/bin/sha256sum","-c","/b/hashes.txt"] +RUN --network=none ["x86/bin/sha256sum","-c","/c/hashes.txt"] FROM compare as test2 WORKDIR /b -RUN ["x86/bin/sha256sum","-c","/a/hashes.txt"] -RUN ["x86/bin/sha256sum","-c","/b/hashes.txt"] -RUN ["x86/bin/sha256sum","-c","/c/hashes.txt"] +RUN --network=none ["x86/bin/sha256sum","-c","/a/hashes.txt"] +RUN --network=none ["x86/bin/sha256sum","-c","/b/hashes.txt"] +RUN --network=none ["x86/bin/sha256sum","-c","/c/hashes.txt"] FROM compare as test3 WORKDIR /c -RUN ["x86/bin/sha256sum","-c","/a/hashes.txt"] -RUN ["x86/bin/sha256sum","-c","/b/hashes.txt"] -RUN ["x86/bin/sha256sum","-c","/c/hashes.txt"] +RUN --network=none ["x86/bin/sha256sum","-c","/a/hashes.txt"] +RUN --network=none ["x86/bin/sha256sum","-c","/b/hashes.txt"] +RUN --network=none ["x86/bin/sha256sum","-c","/c/hashes.txt"] FROM scratch as install -COPY --from=test1 /a/hashes.txt /a-hashes.txt -COPY --from=test2 /b/hashes.txt /b-hashes.txt -COPY --from=test3 /c/hashes.txt /c-hashes.txt +COPY --from=test1 /a/hashes.txt / +COPY --from=test2 /b/hashes.txt / +COPY --from=test3 /c/hashes.txt / COPY --from=build1 /rootfs / FROM scratch as package diff --git a/src/bootstrap/stage1/Containerfile b/src/bootstrap/stage1/Containerfile index ff3b66e..937006e 100644 --- a/src/bootstrap/stage1/Containerfile +++ b/src/bootstrap/stage1/Containerfile 
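Review bot: The three `COPY --from=testN /x/hashes.txt /` lines in the install stage now all write `/hashes.txt`, and the `COPY --from=build1 /rootfs /` that follows presumably writes the same path again, since build.sh creates `hashes.txt` at the top of `/rootfs`. Only the last copy survives, so the per-builder files `/a-hashes.txt`, `/b-hashes.txt` and `/c-hashes.txt` are gone from the result. If these copies exist only to make `install` depend on test1 to test3, so that the cross-builder `sha256sum -c` runs gate the package, a comment should say so, for example `# pull in test1..3 so the cross-check RUNs must pass; the file itself is overwritten by build1's rootfs`. Without it the lines look redundant, and deleting them would presumably let the builder skip the test stages and drop the reproducibility check without any error.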
@@ -2,7 +2,6 @@ ARG VERSION=fc6eeb6bd75ea0d0025a79ea9fe45614bd60ba14 ARG SRC_SITE=https://codeload.github.com/lrvick/live-bootstrap/legacy.tar.gz ARG SRC_HASH=0c268b19cf9f4eefdaf45dab64ac393ccf8ee43de58f0721624cab358044bf78 FROM debian@sha256:bac353db4cc04bc672b14029964e686cd7bad56fe34b51f432c1a1304b9928da as debian -FROM stagex/stage0 as stage0 FROM debian as fetch ARG VERSION 
@@ -11,56 +10,68 @@ ARG SRC_SITE ENV SRC_SITE=${SRC_SITE} ARG SRC_HASH ENV SRC_HASH=${SRC_HASH} -RUN apt update && apt install -y curl gcc -RUN set -eux; \ - curl ${SRC_SITE}/${VERSION} -o live-bootstrap.tar.gz; \ - echo "${SRC_HASH} live-bootstrap.tar.gz" | sha256sum -c; \ - tar -xvf live-bootstrap.tar.gz; \ - mv lrvick-live-bootstrap-* live-bootstrap -WORKDIR live-bootstrap -RUN ./download-distfiles.sh +WORKDIR /home/user +RUN \ + --mount=type=cache,target=/var/cache/apt \ + --mount=type=cache,target=/var/lib/apt \ + apt update && apt install -y curl +RUN <<-EOF + set -uex + curl -C - ${SRC_SITE}/${VERSION} -o live-bootstrap.tgz + echo "${SRC_HASH} live-bootstrap.tgz" | sha256sum -c + tar -xvf live-bootstrap.tgz + mv lrvick-live-bootstrap-* live-bootstrap + live-bootstrap/download-distfiles.sh +EOF -FROM fetch as config -RUN set -eux; \ - mkdir -p /rootfs/external; \ - mv steps seed/* /rootfs/; \ - mv distfiles /rootfs/external/; \ - export CORES=$(nproc --all); \ - echo "\ -FORCE_TIMESTAMPS=False\n\ -CHROOT=True\n\ -UPDATE_CHECKSUMS=False\n\ -JOBS=${CORES}\n\ -SWAP_SIZE=0\n\ -FINAL_JOBS=${CORES}\n\ -INTERNAL_CI=False\n\ -INTERACTIVE=False\n\ -BARE_METAL=False\n\ -EXTERNAL_SOURCES=True\n\ -DISK=sda1\n\ -KERNEL_BOOTSTRAP=False\n\ -BUILD_KERNELS=False" \ - > /rootfs/steps/bootstrap.cfg -RUN touch /rootfs/steps/lwext4-1.0.0-lb1/files/fiwix-file-list.txt +FROM debian as config +COPY --from=fetch . 
/ +RUN <<-EOF + set -eux + mkdir -p /rootfs/external + cd /home/user/live-bootstrap + cp -R distfiles /rootfs/external/ + cp -R steps seed/* /rootfs/ + export CORES=$(nproc --all) + printf "\ + FORCE_TIMESTAMPS=False\n\ + CHROOT=True\n\ + UPDATE_CHECKSUMS=False\n\ + JOBS=${CORES}\n\ + SWAP_SIZE=0\n\ + FINAL_JOBS=${CORES}\n\ + INTERNAL_CI=False\n\ + INTERACTIVE=False\n\ + BARE_METAL=False\n\ + EXTERNAL_SOURCES=True\n\ + DISK=sda1\n\ + KERNEL_BOOTSTRAP=False\n\ + BUILD_KERNELS=False" \ + > /rootfs/steps/bootstrap.cfg + touch /rootfs/steps/lwext4-1.0.0-lb1/files/fiwix-file-list.txt +EOF -FROM scratch as build -COPY --from=stagex/stage0 / . -COPY --from=config /rootfs . +FROM stagex/stage0 as build ENV ARCH_DIR=x86 ENV ARCH=x86 -RUN ["/x86/bin/kaem","--verbose","--strict","--file","./after.kaem"] +COPY --from=config /rootfs . +RUN --network=none \ + ["/x86/bin/kaem","--verbose","--strict","--file","./after.kaem"] FROM build as install ENV PATH=/bin:/usr/sbin:/usr/bin -RUN set -eux; \ - rm -rf /usr/lib/python*/__pycache__; \ - mkdir -p /rootfs/etc /rootfs/home/user /rootfs/tmp; \ - chown -R 1000:1000 /rootfs/home/user /rootfs/tmp; \ - cp -R $(ls -d /etc/* | grep -v '\(resolv.conf\|hosts\)') /rootfs/etc/; \ - cp -R lib usr bin var /rootfs/; \ - echo "user:x:1000:" > /rootfs/etc/group; \ - echo "user:x:1000:1000::/home/user:/bin/bash" > /rootfs/etc/passwd; \ - find /rootfs -exec touch -hcd "@0" "{}" + +RUN --mount=type=cache,target=/rootfs \ + --network=none <<-EOF + set -eux + rm -rf /usr/lib/python*/__pycache__ + mkdir -p /rootfs/etc /rootfs/home/user /rootfs/tmp + chown -R 1000:1000 /rootfs/home/user /rootfs/tmp + cp -R $(ls -d /etc/* | grep -v '\(resolv.conf\|hosts\)') /rootfs/etc/ + cp -R lib usr bin var /rootfs/ + echo "user:x:1000:" > /rootfs/etc/group + echo "user:x:1000:1000::/home/user:/bin/bash" > /rootfs/etc/passwd + find /rootfs -exec touch -hcd "@0" "{}" + +EOF FROM scratch as package COPY --from=install /rootfs / 
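Review bot: The install stage's `RUN --mount=type=cache,target=/rootfs` writes the whole root filesystem into a cache mount, and cache-mount contents are not part of the stage's layer. The following `COPY --from=install /rootfs /` would therefore read the image's own, likely empty, `/rootfs`. The cache meanwhile keeps whatever earlier builds left there, which works against the `touch -hcd "@0"` normalisation at the end of the step. Dropping the mount keeps the output in the layer: `RUN --network=none <<-EOF`. The apt cache mounts in the fetch stage are a different case, since nothing is copied out of those paths.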
diff --git a/src/bootstrap/stage2/Containerfile b/src/bootstrap/stage2/Containerfile
index b187103..5b040da 100644
--- a/src/bootstrap/stage2/Containerfile
+++ b/src/bootstrap/stage2/Containerfile
@@ -34,108 +34,120 @@ ENV BINUTILS_DIR ${HOME}/build-binutils FROM base as fetch WORKDIR ${HOME} -RUN set -eux; \ - curl -OJ ${LINUX_SITE}/${LINUX_FILE}; \ - echo "${LINUX_HASH} ${LINUX_FILE}" | sha256sum -c; \ - curl -OJ ${GCC_SITE}/${GCC_FILE}; \ - echo "${GCC_HASH} ${GCC_FILE}" | sha256sum -c; \ - curl -OJ ${GCC_DEP_SITE}/${GMP_FILE}; \ - echo "${GMP_HASH} ${GMP_FILE}" | sha256sum -c; \ - curl -OJ ${GCC_DEP_SITE}/${MPFR_FILE}; \ - echo "${MPFR_HASH} ${MPFR_FILE}" | sha256sum -c; \ - curl -OJ ${GCC_DEP_SITE}/${MPC_FILE}; \ - echo "${MPC_HASH} ${MPC_FILE}" | sha256sum -c; \ - curl -OJ ${GCC_DEP_SITE}/${ISL_FILE}; \ - echo "${ISL_HASH} ${ISL_FILE}" | sha256sum -c; \ - curl -OJ ${MUSL_SITE}/releases/${MUSL_FILE}; \ - echo "${MUSL_HASH} ${MUSL_FILE}" | sha256sum -c; \ - curl -OJ ${BINUTILS_SITE}/${BINUTILS_FILE}; \ - echo "${BINUTILS_HASH} ${BINUTILS_FILE}" | sha256sum -c +RUN <<-EOF + set -eux + curl -OJ ${LINUX_SITE}/${LINUX_FILE} + echo "${LINUX_HASH} ${LINUX_FILE}" | sha256sum -c + curl -OJ ${GCC_SITE}/${GCC_FILE} + echo "${GCC_HASH} ${GCC_FILE}" | sha256sum -c + curl -OJ ${GCC_DEP_SITE}/${GMP_FILE} + echo "${GMP_HASH} ${GMP_FILE}" | sha256sum -c + curl -OJ ${GCC_DEP_SITE}/${MPFR_FILE} + echo "${MPFR_HASH} ${MPFR_FILE}" | sha256sum -c + curl -OJ ${GCC_DEP_SITE}/${MPC_FILE} + echo "${MPC_HASH} ${MPC_FILE}" | sha256sum -c + curl -OJ ${GCC_DEP_SITE}/${ISL_FILE} + echo "${ISL_HASH} ${ISL_FILE}" | sha256sum -c + curl -OJ ${MUSL_SITE}/releases/${MUSL_FILE} + echo "${MUSL_HASH} ${MUSL_FILE}" | sha256sum -c + curl -OJ ${BINUTILS_SITE}/${BINUTILS_FILE} + echo "${BINUTILS_HASH} ${BINUTILS_FILE}" | sha256sum -c +EOF FROM fetch as extract -RUN set -eux; \ - tar -xf ${LINUX_FILE}; \ - tar -xzf ${MUSL_FILE}; \ - tar -xf ${BINUTILS_FILE}; \ - tar -xf ${GCC_FILE}; \ - cd gcc-${GCC_VERSION}; \ - mv ../*.tar.* .; \ - ./contrib/download_prerequisites +RUN <<-EOF + set -eux + tar -xf ${LINUX_FILE} + tar -xzf ${MUSL_FILE} + tar -xf ${BINUTILS_FILE} + tar -xf ${GCC_FILE} + cd 
gcc-${GCC_VERSION} + mv ../*.tar.* . + ./contrib/download_prerequisites +EOF FROM extract as build # Phase 1: Build cross binutils in build-binutils WORKDIR ${BINUTILS_DIR} -RUN set -eux; \ - ../binutils-${BINUTILS_VERSION}/configure \ - --build=i386-unknown-linux-musl \ - --host=i386-unknown-linux-musl \ - --target=${TARGET} \ - --with-sysroot=/${TARGET} \ - --prefix= \ - --libdir=/lib \ - --disable-nls \ - --disable-multilib \ - --disable-plugins \ - --disable-gprofng \ - --enable-64-bit-bfd \ - --enable-ld=default \ - --enable-install-libiberty \ - --enable-deterministic-archives; \ - make all +RUN <<-EOF + set -eux + ../binutils-${BINUTILS_VERSION}/configure \ + --build=i386-unknown-linux-musl \ + --host=i386-unknown-linux-musl \ + --target=${TARGET} \ + --with-sysroot=/${TARGET} \ + --prefix= \ + --libdir=/lib \ + --disable-nls \ + --disable-multilib \ + --disable-plugins \ + --disable-gprofng \ + --enable-64-bit-bfd \ + --enable-ld=default \ + --enable-install-libiberty \ + --enable-deterministic-archives + make all +EOF # Phase 2: Prepare build sysroot WORKDIR ${SYSROOT_DIR} -RUN set -eux; \ - mkdir -p include; \ - ln -sf . usr; \ - ln -sf lib lib32; \ - ln -sf lib lib64 +RUN <<-EOF + set -eux + mkdir -p include + ln -sf . 
usr + ln -sf lib lib32 + ln -sf lib lib64 +EOF # Phase 3: Build gcc (without libgcc) in build-gcc WORKDIR ${GCC_DIR} -RUN set -eux; \ - ../gcc-${GCC_VERSION}/configure \ - --build=i386-unknown-linux-musl \ - --host=i386-unknown-linux-musl \ - --target=${TARGET} \ - --with-build-sysroot=${SYSROOT_DIR} \ - --with-sysroot=/${TARGET} \ - --prefix= \ - --libdir=/lib \ - --disable-multilib \ - --disable-bootstrap \ - --disable-assembly \ - --disable-libmudflap \ - --disable-libsanitizer \ - --disable-gnu-indirect-function \ - --disable-libmpx \ - --disable-werror \ - --enable-languages=c,c++ \ - --enable-tls \ - --enable-initfini-array \ - --enable-libstdcxx-time=rt \ - --enable-deterministic-archives \ - AR_FOR_TARGET=${BINUTILS_DIR}/binutils/ar \ - AS_FOR_TARGET=${BINUTILS_DIR}/gas/as-new \ - LD_FOR_TARGET=${BINUTILS_DIR}/ld/ld-new \ - NM_FOR_TARGET=${BINUTILS_DIR}/binutils/nm-new \ - OBJCOPY_FOR_TARGET=${BINUTILS_DIR}/binutils/objcopy \ - OBJDUMP_FOR_TARGET=${BINUTILS_DIR}/binutils/objdump \ - RANLIB_FOR_TARGET=${BINUTILS_DIR}/binutils/ranlib \ - READELF_FOR_TARGET=${BINUTILS_DIR}/binutils/readelf \ - STRIP_FOR_TARGET=${BINUTILS_DIR}/binutils/strip-new; \ - make all-gcc +RUN <<-EOF + set -eux + ../gcc-${GCC_VERSION}/configure \ + --build=i386-unknown-linux-musl \ + --host=i386-unknown-linux-musl \ + --target=${TARGET} \ + --with-build-sysroot=${SYSROOT_DIR} \ + --with-sysroot=/${TARGET} \ + --prefix= \ + --libdir=/lib \ + --disable-multilib \ + --disable-bootstrap \ + --disable-assembly \ + --disable-libmudflap \ + --disable-libsanitizer \ + --disable-gnu-indirect-function \ + --disable-libmpx \ + --disable-werror \ + --enable-languages=c,c++ \ + --enable-tls \ + --enable-initfini-array \ + --enable-libstdcxx-time=rt \ + --enable-deterministic-archives \ + AR_FOR_TARGET=${BINUTILS_DIR}/binutils/ar \ + AS_FOR_TARGET=${BINUTILS_DIR}/gas/as-new \ + LD_FOR_TARGET=${BINUTILS_DIR}/ld/ld-new \ + NM_FOR_TARGET=${BINUTILS_DIR}/binutils/nm-new \ + 
OBJCOPY_FOR_TARGET=${BINUTILS_DIR}/binutils/objcopy \ + OBJDUMP_FOR_TARGET=${BINUTILS_DIR}/binutils/objdump \ + RANLIB_FOR_TARGET=${BINUTILS_DIR}/binutils/ranlib \ + READELF_FOR_TARGET=${BINUTILS_DIR}/binutils/readelf \ + STRIP_FOR_TARGET=${BINUTILS_DIR}/binutils/strip-new + make all-gcc +EOF # Phase 4: Install musl libc headers to build-sysroot for use by libgcc WORKDIR ${MUSL_DIR} -RUN set -eux; \ - ../musl-${MUSL_VERSION}/configure \ - CC="${GCC_DIR}/gcc/xgcc -B ${GCC_DIR}/gcc" \ - LIBCC="${GCC_DIR}/${TARGET}/libgcc/libgcc.a" \ - --prefix= \ - --host=${TARGET}; \ - make DESTDIR=${SYSROOT_DIR} install-headers +RUN <<-EOF + set -eux + ../musl-${MUSL_VERSION}/configure \ + CC="${GCC_DIR}/gcc/xgcc -B ${GCC_DIR}/gcc" \ + LIBCC="${GCC_DIR}/${TARGET}/libgcc/libgcc.a" \ + --prefix= \ + --host=${TARGET} + make DESTDIR=${SYSROOT_DIR} install-headers +EOF # Phase 5: Compile libgcc WORKDIR ${GCC_DIR} @@ -143,11 +155,13 @@ RUN make MAKE="make enable_shared=no" all-target-libgcc # Phase 5: Compile musl libc and install to sysroot WORKDIR ${MUSL_DIR} -RUN set -eux; \ - make \ - AR=${BINUTILS_DIR}/binutils/ar \ - RANLIB=${BINUTILS_DIR}/binutils/ranlib; \ - make DESTDIR=${SYSROOT_DIR} install +RUN <<-EOF + set -eux + make \ + AR=${BINUTILS_DIR}/binutils/ar \ + RANLIB=${BINUTILS_DIR}/binutils/ranlib + make DESTDIR=${SYSROOT_DIR} install +EOF # Phase 6: Compile remaining gcc targets WORKDIR ${GCC_DIR} 
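Review bot: The extract and build steps in this file still run with network access, unlike the kaem and install steps that this commit moves to `RUN --network=none` in stage1. It matters most for `./contrib/download_prerequisites` in the extract stage: the script is meant to pick up the tarballs moved in by `mv ../*.tar.* .`, but if a file name does not match what it expects it can presumably fall back to fetching, outside the `sha256sum -c` checks of the fetch stage. Opening those heredocs with `RUN --network=none <<-EOF` would turn such a mismatch into a build failure and confine network use to `fetch`. The same applies to the `download_prerequisites` call and the build RUNs in src/bootstrap/stage3/Containerfile.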
@@ -155,27 +169,31 @@ RUN make all # Phase 7: Generate linux headers WORKDIR ${HOME}/linux-${LINUX_VERSION} -RUN set -eux; \ - make ARCH=${ARCH} headers; \ - find usr/include -name '.*' -delete; \ - rm usr/include/Makefile; \ - rm usr/include/headers_check.pl; \ - cp -rv usr/include ${LINUX_DIR} +RUN <<-EOF + set -eux + make ARCH=${ARCH} headers + find usr/include -name '.*' -delete + rm usr/include/Makefile + rm usr/include/headers_check.pl + cp -rv usr/include ${LINUX_DIR} +EOF FROM build as install WORKDIR ${HOME} USER 0:0 COPY --from=stagex/stage1 . /rootfs/ -RUN set -eux; \ - rm /rootfs/lib; \ - env -C build-musl make DESTDIR=/rootfs/${TARGET} install; \ - env -C build-gcc make DESTDIR=/rootfs/ install; \ - env -C build-binutils make DESTDIR=/rootfs/ install; \ - cp -Rv ${LINUX_DIR}/* /rootfs/${TARGET}/include; \ - ln -s /usr/lib/ld-musl-i386.so.1 /rootfs/lib/libc.so; \ - ln -s /usr/lib/ld-musl-i386.so.1 /rootfs/lib/ld-musl-i386.so.1; \ - ln -s /${TARGET}/lib/ld-musl-${ARCH}.so.1 /rootfs/lib/ld-musl-${ARCH}.so.1; \ - find /rootfs -exec touch -hcd "@0" "{}" + +RUN <<-EOF + set -eux + rm /rootfs/lib + env -C build-musl make DESTDIR=/rootfs/${TARGET} install + env -C build-gcc make DESTDIR=/rootfs/ install + env -C build-binutils make DESTDIR=/rootfs/ install + cp -Rv ${LINUX_DIR}/* /rootfs/${TARGET}/include + ln -s /usr/lib/ld-musl-i386.so.1 /rootfs/lib/libc.so + ln -s /usr/lib/ld-musl-i386.so.1 /rootfs/lib/ld-musl-i386.so.1 + ln -s /${TARGET}/lib/ld-musl-${ARCH}.so.1 /rootfs/lib/ld-musl-${ARCH}.so.1 + find /rootfs -exec touch -hcd "@0" "{}" + +EOF FROM scratch as package COPY --from=install /rootfs/ / diff --git a/src/bootstrap/stage3/Containerfile b/src/bootstrap/stage3/Containerfile index 0d70497..36f1607 100644 --- a/src/bootstrap/stage3/Containerfile +++ b/src/bootstrap/stage3/Containerfile 
@@ -56,168 +56,190 @@ ENV LINUX_DIR ${HOME}/build-linux FROM base as fetch WORKDIR /home/user -RUN set -eux; \ - curl -OJ ${LINUX_SITE}/${LINUX_FILE}; \ - echo "${LINUX_HASH} ${LINUX_FILE}" | sha256sum -c; \ - curl --insecure -OJ ${MUSL_SITE}/${MUSL_FILE}; \ - echo "${MUSL_HASH} ${MUSL_FILE}" | sha256sum -c; \ - curl --insecure -OJ ${BUSYBOX_SITE}/${BUSYBOX_FILE}; \ - echo "${BUSYBOX_HASH} ${BUSYBOX_FILE}" | sha256sum -c; \ - curl --insecure -OJ ${BINUTILS_SITE}/${BINUTILS_FILE}; \ - echo "${BINUTILS_HASH} ${BINUTILS_FILE}" | sha256sum -c; \ - curl --insecure -OJ ${MAKE_SITE}/${MAKE_FILE}; \ - echo "${MAKE_HASH} ${MAKE_FILE}" | sha256sum -c; \ - curl --insecure -OJ ${GCC_SITE}/${GCC_FILE}; \ - echo "${GCC_HASH} ${GCC_FILE}" | sha256sum -c; \ - curl --insecure -OJ ${GMP_SITE}/${GMP_FILE}; \ - echo "${GMP_HASH} ${GMP_FILE}" | sha256sum -c; \ - curl --insecure -OJ ${MPFR_SITE}/${MPFR_FILE}; \ - echo "${MPFR_HASH} ${MPFR_FILE}" | sha256sum -c; \ - curl --insecure -OJ ${MPC_SITE}/${MPC_FILE}; \ - echo "${MPC_HASH} ${MPC_FILE}" | sha256sum -c; \ - curl --insecure -OJ ${ISL_SITE}/${ISL_FILE}; \ - echo "${ISL_HASH} ${ISL_FILE}" | sha256sum -c +RUN <<-EOF + set -eux + curl -OJ ${LINUX_SITE}/${LINUX_FILE} + echo "${LINUX_HASH} ${LINUX_FILE}" | sha256sum -c + curl --insecure -OJ ${MUSL_SITE}/${MUSL_FILE} + echo "${MUSL_HASH} ${MUSL_FILE}" | sha256sum -c + curl --insecure -OJ ${BUSYBOX_SITE}/${BUSYBOX_FILE} + echo "${BUSYBOX_HASH} ${BUSYBOX_FILE}" | sha256sum -c + curl --insecure -OJ ${BINUTILS_SITE}/${BINUTILS_FILE} + echo "${BINUTILS_HASH} ${BINUTILS_FILE}" | sha256sum -c + curl --insecure -OJ ${MAKE_SITE}/${MAKE_FILE} + echo "${MAKE_HASH} ${MAKE_FILE}" | sha256sum -c + curl --insecure -OJ ${GCC_SITE}/${GCC_FILE} + echo "${GCC_HASH} ${GCC_FILE}" | sha256sum -c + curl --insecure -OJ ${GMP_SITE}/${GMP_FILE} + echo "${GMP_HASH} ${GMP_FILE}" | sha256sum -c + curl --insecure -OJ ${MPFR_SITE}/${MPFR_FILE} + echo "${MPFR_HASH} ${MPFR_FILE}" | sha256sum -c + curl --insecure -OJ 
${MPC_SITE}/${MPC_FILE} + echo "${MPC_HASH} ${MPC_FILE}" | sha256sum -c + curl --insecure -OJ ${ISL_SITE}/${ISL_FILE} + echo "${ISL_HASH} ${ISL_FILE}" | sha256sum -c +EOF FROM fetch as extract -RUN set -eux; \ - tar -xf ${LINUX_FILE}; \ - tar -kxzf ${MUSL_FILE}; \ - tar -kxjf ${BUSYBOX_FILE}; \ - tar -kxf ${BINUTILS_FILE}; \ - tar -kxzf ${MAKE_FILE}; \ - tar -kxf ${GCC_FILE} +RUN <<-EOF + set -eux + tar -xf ${LINUX_FILE} + tar -kxzf ${MUSL_FILE} + tar -kxjf ${BUSYBOX_FILE} + tar -kxf ${BINUTILS_FILE} + tar -kxzf ${MAKE_FILE} + tar -kxf ${GCC_FILE} +EOF FROM extract as build WORKDIR ${MUSL_DIR} -RUN set -eux; \ - ../musl-${MUSL_VERSION}/configure \ - --prefix=/usr \ - --build=${BUILD} \ - --host=${TARGET}; \ - make -WORKDIR ${BINUTILS_DIR} -RUN set -eux; \ - ../binutils-${BINUTILS_VERSION}/configure \ - --build=${BUILD} \ - --host=${TARGET} \ - --prefix=/usr \ - --bindir=/usr/bin \ - --mandir=/usr/share/man \ - --infodir=/usr/share/info \ - --sysconfdir=/etc \ - --disable-nls \ - --disable-multilib \ - --disable-plugins \ - --disable-gprofng \ - --enable-64-bit-bfd \ - --enable-ld=default \ - --enable-install-libiberty \ - --enable-deterministic-archives; \ - make -WORKDIR ${MAKE_DIR} -RUN set -ex; \ - ../make-${MAKE_VERSION}/configure \ - --build=${BUILD} \ - --host=${TARGET} \ - --prefix=/usr \ - --mandir=/usr/share/man \ - --infodir=/usr/share/info \ - --disable-nls; \ +RUN <<-EOF + set -eux + ../musl-${MUSL_VERSION}/configure \ + --prefix=/usr \ + --build=${BUILD} \ + --host=${TARGET} make +EOF + +WORKDIR ${BINUTILS_DIR} +RUN <<-EOF + set -eux + ../binutils-${BINUTILS_VERSION}/configure \ + --build=${BUILD} \ + --host=${TARGET} \ + --prefix=/usr \ + --bindir=/usr/bin \ + --mandir=/usr/share/man \ + --infodir=/usr/share/info \ + --sysconfdir=/etc \ + --disable-nls \ + --disable-multilib \ + --disable-plugins \ + --disable-gprofng \ + --enable-64-bit-bfd \ + --enable-ld=default \ + --enable-install-libiberty \ + --enable-deterministic-archives + make +EOF + 
+WORKDIR ${MAKE_DIR} +RUN <<-EOF + set -eux + ../make-${MAKE_VERSION}/configure \ + --build=${BUILD} \ + --host=${TARGET} \ + --prefix=/usr \ + --mandir=/usr/share/man \ + --infodir=/usr/share/info \ + --disable-nls + make +EOF + WORKDIR ${GCC_DIR} -RUN set -eux; \ - cp ../*.tar.* ../gcc-${GCC_VERSION}; \ - env -C ${HOME}/gcc-${GCC_VERSION} ./contrib/download_prerequisites; \ - ../gcc-${GCC_VERSION}/configure \ - --build=${BUILD} \ - --host=${TARGET} \ - --target=${TARGET} \ - --prefix=/usr \ - --mandir=/usr/share/man \ - --infodir=/usr/share/info \ - --libdir=/usr/lib \ - --disable-cet \ - --disable-fixed-point \ - --disable-libstdcxx-pch \ - --disable-multilib \ - --disable-libsanitizer \ - --disable-nls \ - --disable-werror \ - --enable-__cxa_atexit \ - --enable-default-pie \ - --enable-default-ssp \ - --enable-languages=c,c++ \ - --enable-link-serialization=2 \ - --enable-linker-build-id; \ - make +RUN <<-EOF + set -eux + cp ../*.tar.* ../gcc-${GCC_VERSION} + env -C ${HOME}/gcc-${GCC_VERSION} ./contrib/download_prerequisites + ../gcc-${GCC_VERSION}/configure \ + --build=${BUILD} \ + --host=${TARGET} \ + --target=${TARGET} \ + --prefix=/usr \ + --mandir=/usr/share/man \ + --infodir=/usr/share/info \ + --libdir=/usr/lib \ + --disable-cet \ + --disable-fixed-point \ + --disable-libstdcxx-pch \ + --disable-multilib \ + --disable-libsanitizer \ + --disable-nls \ + --disable-werror \ + --enable-__cxa_atexit \ + --enable-default-pie \ + --enable-default-ssp \ + --enable-languages=c,c++ \ + --enable-link-serialization=2 \ + --enable-linker-build-id + make +EOF WORKDIR ${BUSYBOX_DIR} -RUN set -eux; \ - setConfs=' \ - CONFIG_LAST_SUPPORTED_WCHAR=0 \ - CONFIG_STATIC=y \ - '; \ - unsetConfs=' \ - CONFIG_FEATURE_SYNC_FANCY \ - CONFIG_FEATURE_HAVE_RPC \ - CONFIG_FEATURE_INETD_RPC \ - CONFIG_FEATURE_UTMP \ - CONFIG_FEATURE_WTMP \ - '; \ - make \ - -f ../busybox-${BUSYBOX_VERSION}/Makefile \ - KBUILD_SRC=../busybox-${BUSYBOX_VERSION} \ - CROSS_COMPILE=${TARGET}- \ - defconfig; 
\ - for conf in $unsetConfs; do \ - sed -i \ - -e "s!^$conf=.*\$!# $conf is not set!" \ - .config; \ - done; \ - for confV in $setConfs; do \ - conf="${confV%=*}"; \ - sed -i \ - -e "s!^$conf=.*\$!$confV!" \ - -e "s!^# $conf is not set\$!$confV!" \ - .config; \ - if ! grep -q "^$confV\$" .config; then \ - echo "$confV" >> .config; \ - fi; \ - done; \ - make oldconfig CROSS_COMPILE=${TARGET}-; \ - for conf in $unsetConfs; do \ - ! grep -q "^$conf=" .config; \ - done; \ - for confV in $setConfs; do \ - grep -q "^$confV\$" .config; \ - done; \ - make CROSS_COMPILE=${TARGET}- +RUN <<-EOF + set -eux + setConfs=' \ + CONFIG_LAST_SUPPORTED_WCHAR=0 \ + CONFIG_STATIC=y \ + ' + unsetConfs=' \ + CONFIG_FEATURE_SYNC_FANCY \ + CONFIG_FEATURE_HAVE_RPC \ + CONFIG_FEATURE_INETD_RPC \ + CONFIG_FEATURE_UTMP \ + CONFIG_FEATURE_WTMP \ + ' + make \ + -f ../busybox-${BUSYBOX_VERSION}/Makefile \ + KBUILD_SRC=../busybox-${BUSYBOX_VERSION} \ + CROSS_COMPILE=${TARGET}- \ + defconfig + for conf in $unsetConfs; do \ + sed -i \ + -e "s!^$conf=.*\$!# $conf is not set!" \ + .config + done + for confV in $setConfs; do \ + conf="${confV%=*}" + sed -i \ + -e "s!^$conf=.*\$!$confV!" \ + -e "s!^# $conf is not set\$!$confV!" \ + .config + if ! grep -q "^$confV\$" .config; then \ + echo "$confV" >> .config; \ + fi + done + make oldconfig CROSS_COMPILE=${TARGET}- + for conf in $unsetConfs; do + ! 
grep -q "^$conf=" .config + done + for confV in $setConfs; do + grep -q "^$confV\$" .config + done + make CROSS_COMPILE=${TARGET}- +EOF + WORKDIR ${HOME}/linux-${LINUX_VERSION} -RUN set -eux; \ - make ARCH=${ARCH} headers; \ - find usr/include -name '.*' -delete; \ - rm usr/include/Makefile; \ - rm usr/include/headers_check.pl; \ - cp -rv usr/include ${LINUX_DIR} +RUN <<-EOF + set -eux + make ARCH=${ARCH} headers + find usr/include -name '.*' -delete + rm usr/include/Makefile + rm usr/include/headers_check.pl + cp -rv usr/include ${LINUX_DIR} +EOF FROM build as install USER 0:0 -RUN set -eux; \ - env -C ${BUSYBOX_DIR} make \ - CROSS_COMPILE=${TARGET}- \ - CONFIG_PREFIX=/rootfs \ - install ; \ - env -C ${MUSL_DIR} make DESTDIR=/rootfs install; \ - env -C ${BINUTILS_DIR} make DESTDIR=/rootfs install; \ - env -C ${MAKE_DIR} make DESTDIR=/rootfs install; \ - env -C ${GCC_DIR} make DESTDIR=/rootfs install; \ - cp -Rv ${LINUX_DIR}/* /rootfs/usr/include/; \ - cd /rootfs/; \ - ln -sT /lib lib64; \ - mkdir -p etc tmp var/tmp home/user; \ - echo "user:x:1000:" > etc/group; \ - echo "user:x:1000:1000::/home/user:/bin/sh" > etc/passwd; \ - chown -R 1000:1000 tmp var/tmp home/user; \ - find /rootfs -exec touch -hcd "@0" "{}" + +RUN <<-EOF + set -eux + env -C ${BUSYBOX_DIR} make \ + CROSS_COMPILE=${TARGET}- \ + CONFIG_PREFIX=/rootfs \ + install + env -C ${MUSL_DIR} make DESTDIR=/rootfs install + env -C ${BINUTILS_DIR} make DESTDIR=/rootfs install + env -C ${MAKE_DIR} make DESTDIR=/rootfs install + env -C ${GCC_DIR} make DESTDIR=/rootfs install + cp -Rv ${LINUX_DIR}/* /rootfs/usr/include/ + cd /rootfs/ + ln -sT /lib lib64 + mkdir -p etc tmp var/tmp home/user + echo "user:x:1000:" > etc/group + echo "user:x:1000:1000::/home/user:/bin/sh" > etc/passwd + chown -R 1000:1000 tmp var/tmp home/user + find /rootfs -exec touch -hcd "@0" "{}" + +EOF FROM scratch as package COPY --from=install /rootfs /
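Review bot: The `setConfs='...'` and `unsetConfs='...'` assignments in the busybox step still end each line with ` \` inside single quotes. In the old `RUN set -eux; \` form the Dockerfile parser joined those lines before the shell saw them; a heredoc body is handed to the shell as written, and inside single quotes a backslash is literal, so `for conf in $unsetConfs` and `for confV in $setConfs` would, as far as I can tell, also iterate over `\` tokens and pass them to `sed`. Dropping the backslashes avoids that, e.g. `setConfs='CONFIG_LAST_SUPPORTED_WCHAR=0 CONFIG_STATIC=y'`. Separately, nine of the ten downloads in the fetch step keep `curl --insecure`, so the `sha256sum -c` line after each one is the only integrity check; a comment above the block saying so would guard against a later edit adding an unchecked download.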