# Copyright 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Amazon Software License (the "License"). You may not use this file except in compliance with the License.
# A copy of the License is located at
#
# http://aws.amazon.com/asl/
#
# or in the "license" file accompanying this file.
# This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied.
# See the License for the specific language governing permissions and limitations under the License.
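# Base image: Amazon Corretto 8 on Amazon Linux 2. Only the major tag is pinned;
# for reproducible rebuilds pin a digest (FROM …:8@sha256:<digest>).
FROM public.ecr.aws/amazoncorretto/amazoncorretto:8
# OS packages in a single yum transaction: SSH client and archive tools for the
# dependency fetches below, the toolchain for building git from source (gcc,
# make, *-devel), iptables for dockerd. The yum cache is dropped in the same
# layer so package metadata does not persist in the image.
RUN set -ex \
    && yum update -y \
    && yum install -y -q \
        curl-devel \
        expat-devel \
        gcc \
        gettext-devel \
        gzip \
        iptables \
        make \
        openssh-clients \
        openssl-devel \
        perl \
        tar \
        unzip \
        wget \
    && yum clean all \
    && rm -rf /var/cache/yum \
    && mkdir -p /opt/tools /codebuild/image/config \
    # Pre-seed root's known_hosts so git-over-SSH to GitHub/Bitbucket does not
    # prompt. NOTE(review): ssh-keyscan trusts whatever key the network returns
    # at build time; compare `ssh-keygen -lF <host> -f ~/.ssh/known_hosts`
    # against the providers' published fingerprints, or COPY a pinned file.
    && mkdir -p ~/.ssh \
    && touch ~/.ssh/known_hosts \
    && ssh-keyscan -t rsa,dsa,ed25519,ecdsa -H github.com >> ~/.ssh/known_hosts \
    && ssh-keyscan -t rsa,dsa,ed25519,ecdsa -H bitbucket.org >> ~/.ssh/known_hosts \
    && chmod 600 ~/.ssh/known_hosts
# Unprivileged account for builds that do not need root. The Dockerfile never
# switches to it: the entrypoint script is named dockerd-entrypoint.sh and
# presumably starts dockerd, which needs root — confirm against the script.
RUN useradd codebuild-user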
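# Maven/Gradle install locations and versions (overridable with --build-arg).
ARG MAVEN_HOME="/opt/maven"
ARG MAVEN_VERSION=3.9.1
ARG MAVEN_CONFIG_HOME="/root/.m2"
ARG GRADLE_VERSION=8.1.1
ARG GRADLE_PATH="/usr/local/gradle"
RUN set -ex \
    # Install Maven. The archive is checked against the .sha512 Apache publishes
    # next to it, which catches corrupt or truncated downloads; a digest pinned
    # in this file (or passed as a build arg) would additionally defend against
    # a compromised origin.
    && mkdir -p $MAVEN_HOME \
    && MAVEN_URL="https://archive.apache.org/dist/maven/maven-3/$MAVEN_VERSION/binaries/apache-maven-$MAVEN_VERSION-bin.tar.gz" \
    && MAVEN_TAR="/var/tmp/apache-maven-$MAVEN_VERSION-bin.tar.gz" \
    && curl -fLSso "$MAVEN_TAR" "$MAVEN_URL" \
    && curl -fLSso "$MAVEN_TAR.sha512" "$MAVEN_URL.sha512" \
    && echo "$(cut -d' ' -f1 "$MAVEN_TAR.sha512") *$MAVEN_TAR" | sha512sum -c - \
    && tar xzf "$MAVEN_TAR" -C $MAVEN_HOME --strip-components=1 \
    && rm "$MAVEN_TAR" "$MAVEN_TAR.sha512" \
    # Register mvn from MAVEN_HOME (previously hardcoded to /opt/maven, which
    # silently diverged when the ARG was overridden).
    && update-alternatives --install /usr/bin/mvn mvn $MAVEN_HOME/bin/mvn 10000 \
    && mkdir -p $MAVEN_CONFIG_HOME \
    # Install Gradle, likewise checked against the published .sha256.
    && mkdir -p $GRADLE_PATH \
    && GRADLE_URL="https://services.gradle.org/distributions/gradle-$GRADLE_VERSION-all.zip" \
    && GRADLE_ZIP="$GRADLE_PATH/gradle-$GRADLE_VERSION-all.zip" \
    && wget -q "$GRADLE_URL" -O "$GRADLE_ZIP" \
    && wget -q "$GRADLE_URL.sha256" -O "$GRADLE_ZIP.sha256" \
    && echo "$(cut -d' ' -f1 "$GRADLE_ZIP.sha256") *$GRADLE_ZIP" | sha256sum -c - \
    && unzip -q "$GRADLE_ZIP" -d /usr/local \
    && rm "$GRADLE_ZIP" "$GRADLE_ZIP.sha256" \
    # Generate a throwaway project, point its wrapper at the -all distribution
    # just installed and run it once — presumably to warm the wrapper's
    # distribution cache for projects that use ./gradlew (confirm).
    && mkdir "/tmp/gradle-$GRADLE_VERSION" \
    && "/usr/local/gradle-$GRADLE_VERSION/bin/gradle" -p "/tmp/gradle-$GRADLE_VERSION" init \
    && "/usr/local/gradle-$GRADLE_VERSION/bin/gradle" -p "/tmp/gradle-$GRADLE_VERSION" wrapper \
    && perl -pi -e "s/gradle-$GRADLE_VERSION-bin.zip/gradle-$GRADLE_VERSION-all.zip/" "/tmp/gradle-$GRADLE_VERSION/gradle/wrapper/gradle-wrapper.properties" \
    && "/tmp/gradle-$GRADLE_VERSION/gradlew" -p "/tmp/gradle-$GRADLE_VERSION" init \
    && rm -rf "/tmp/gradle-$GRADLE_VERSION" \
    # Put the default Gradle on PATH and drop the now-empty download directory.
    && ln -s /usr/local/gradle-$GRADLE_VERSION/bin/gradle /usr/bin/gradle \
    && rm -rf $GRADLE_PATH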
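# Build git from source rather than using the distro package. The version is a
# build arg (same default as before) so it can be bumped without editing the
# layer; the build is staged under /var/tmp so no `cd` is needed.
ARG GIT_VERSION=2.41.0
RUN set -ex \
    && GIT_TAR_FILE=/var/tmp/git-$GIT_VERSION.tar.gz \
    && GIT_SRC=https://github.com/git/git/archive/v${GIT_VERSION}.tar.gz \
    # NOTE(review): the source tarball is neither checksum- nor signature-
    # verified; pin its digest (sha256:<fill in>) and check with sha256sum -c.
    # -f makes curl fail on an HTTP error instead of saving the error page.
    && curl -fL -o $GIT_TAR_FILE $GIT_SRC \
    && tar zxf $GIT_TAR_FILE -C /var/tmp \
    && make -C /var/tmp/git-$GIT_VERSION -j4 prefix=/usr \
    && make -C /var/tmp/git-$GIT_VERSION install prefix=/usr \
    && rm -rf /var/tmp/git-$GIT_VERSION $GIT_TAR_FILE /tmp/*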
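# Docker 23 engine and CLI (static build), plus the compose and buildx CLI
# plugins. These are ENV rather than ARG because the entrypoint script may
# read them at runtime — confirm before moving them to build args.
ENV DOCKER_BUCKET="download.docker.com" \
    DOCKER_CHANNEL="stable" \
    DIND_COMMIT="3b5fac462d21ca164b3778647420016315289034" \
    DOCKER_COMPOSE_VERSION="2.17.3" \
    DOCKER_BUILDX_VERSION="0.11.0"
ENV DOCKER_SHA256="544262F4A3621222AFB79960BFAD4D486935DAB80893478B5CC9CF8EBAF409AE"
ENV DOCKER_VERSION="23.0.6"
# Nothing below writes under this path during the build, so declaring the
# volume early is safe.
VOLUME /var/lib/docker
RUN set -ex \
    # The engine tarball is pinned by sha256 — the only download in this layer
    # that is integrity-checked.
    && curl -fSL "https://${DOCKER_BUCKET}/linux/static/${DOCKER_CHANNEL}/x86_64/docker-${DOCKER_VERSION}.tgz" -o docker.tgz \
    && echo "${DOCKER_SHA256} *docker.tgz" | sha256sum -c - \
    && tar --extract --file docker.tgz --strip-components 1 --directory /usr/local/bin/ \
    && rm docker.tgz \
    && docker -v \
    # replace runc package to resolve CVE-2024-21626: the runc from the static
    # tarball is removed and replaced by a symlink to the distro package. The
    # yum cache is cleared in the same layer.
    && amazon-linux-extras enable docker \
    && yum -y install runc \
    && yum clean all \
    && rm -rf /var/cache/yum \
    && rm -f /usr/local/bin/runc \
    && ln -s /usr/sbin/runc /usr/local/bin/runc \
    && runc -v \
    # set up subuid/subgid so that "--userns-remap=default" works out-of-the-box
    && groupadd dockremap \
    && useradd -g dockremap dockremap \
    && echo 'dockremap:165536:65536' >> /etc/subuid \
    && echo 'dockremap:165536:65536' >> /etc/subgid \
    # dind helper script, fetched at an immutable commit (DIND_COMMIT).
    && wget -q "https://raw.githubusercontent.com/docker/docker/${DIND_COMMIT}/hack/dind" -O /usr/local/bin/dind \
    # Install docker compose as docker plugin and maintain docker-compose usage.
    # NOTE(review): compose and buildx are fetched by release tag only, with no
    # checksum; pin the published release checksums and verify before chmod +x.
    # -f makes curl fail on an HTTP error instead of saving the error page.
    && mkdir -p /usr/local/lib/docker/cli-plugins \
    && curl -fL https://github.com/docker/compose/releases/download/v${DOCKER_COMPOSE_VERSION}/docker-compose-Linux-x86_64 -o /usr/local/lib/docker/cli-plugins/docker-compose \
    && chmod +x /usr/local/bin/dind /usr/local/lib/docker/cli-plugins/docker-compose \
    && ln -s /usr/local/lib/docker/cli-plugins/docker-compose /usr/local/bin/docker-compose \
    # Ensure docker-compose and docker compose work
    && docker-compose version \
    && docker compose version \
    # Add docker buildx tool
    && curl -fL https://github.com/docker/buildx/releases/download/v${DOCKER_BUILDX_VERSION}/buildx-v${DOCKER_BUILDX_VERSION}.linux-amd64 -o /usr/local/lib/docker/cli-plugins/docker-buildx \
    && chmod +x /usr/local/lib/docker/cli-plugins/docker-buildx \
    && ln -s /usr/local/lib/docker/cli-plugins/docker-buildx /usr/local/bin/docker-buildx \
    # Ensure docker-buildx works
    && docker-buildx version \
    && docker buildx version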
# Image configuration files: SSH client settings for root, the runtimes
# manifest placed in the config directory created earlier, and the bill of
# materials for the bundled third-party software.
COPY ssh_config /root/.ssh/config
COPY runtimes.yml /codebuild/image/config/runtimes.yml
COPY legal/bill_of_material.txt /usr/share/doc/bill_of_material.txt
# Entrypoint script, made executable in a follow-up layer (COPY --chmod would
# fold the two steps together but requires BuildKit).
COPY dockerd-entrypoint.sh /usr/local/bin/dockerd-entrypoint.sh
RUN chmod +x /usr/local/bin/dockerd-entrypoint.sh
# No USER switch here: the script's name suggests it starts dockerd, which
# needs root — confirm against the script before adding one.
ENTRYPOINT ["/usr/local/bin/dockerd-entrypoint.sh"]