adding sed file for updating downstream image

Marcusk19 · Dec 3, 2024 · bf36df5 · bf36df5
1 parent 7690629
commit bf36df5
Show file tree

Hide file tree

Showing 3 changed files with 302 additions and 7 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -154,13 +154,6 @@ RUN set -ex\
 # containers are copied in.
 FROM base AS final
 LABEL maintainer "quay-devel@redhat.com"
-LABEL io.k8s.display-name="Quay Container Registry" \
-  io.k8s.description="Quay is a container registry optimized for building, storing, and distributing container images." \
-  io.openshift.tags="quay,registry,container,images" \
-  com.redhat.component="quay" \
-  name="quay" \
-  summary="quay container registry" \
-  description="Quay lets you build, store, and distribute your containers."
 
 ENV QUAYDIR /quay-registry
 ENV QUAYCONF /quay-registry/conf

diff --git a/Dockerfile.downstream b/Dockerfile.downstream
@@ -0,0 +1,214 @@
+FROM registry.redhat.io/rhel8-6-els/rhel:latest AS base
+# Only set variables or install packages that need to end up in the
+# final container here.
+ENV PATH=/app/bin/:$PATH \
+	PYTHONUNBUFFERED=1 \
+	PYTHONIOENCODING=UTF-8 \
+	LC_ALL=C.UTF-8 \
+	LANG=C.UTF-8
+ENV PYTHONUSERBASE /app
+ENV TZ UTC
+RUN set -ex\
+	; dnf -y module enable nginx:1.22 \
+	; dnf -y module enable python39:3.9 \
+	; dnf update -y \
+	; dnf -y --setopt=tsflags=nodocs install \
+		dnsmasq \
+		memcached \
+		nginx \
+		libpq-devel \
+		libjpeg-turbo \
+		openldap \
+		openssl \
+		python39 \
+		python3-gpg \
+		skopeo \
+		findutils \
+	; dnf -y reinstall tzdata \
+	; dnf remove -yplatform-python-pip python39-pip \
+	; dnf -y clean all && rm -rf /var/cache/yum
+
+# Config-editor builds the javascript for the configtool.
+FROM registry.access.redhat.com/ubi8/nodejs-10 AS config-editor
+WORKDIR /opt/app-root/src
+COPY --chown=1001:0 config-tool/pkg/lib/editor/ ./
+RUN set -ex\
+	; npm install --quiet --no-progress --ignore-engines \
+	; npm run --quiet build\
+	; rm -Rf .cache .npm* node_modules\
+	;
+
+# Build-python installs the requirements for the python code.
+FROM base AS build-python
+ENV PYTHONDONTWRITEBYTECODE 1
+RUN set -ex\
+	; dnf -y --setopt=tsflags=nodocs install \
+		gcc-c++ \
+		git \
+		openldap-devel \
+		python39-devel \
+		libffi-devel \
+        openssl-devel \
+        diffutils \
+        file \
+        make \
+        libjpeg-turbo \
+        libjpeg-turbo-devel \
+		wget \
+		rust-toolset \
+		libxml2-devel \
+		libxslt-devel \
+		freetype-devel \
+	; dnf -y clean all
+WORKDIR /build
+RUN python3 -m ensurepip --upgrade
+COPY requirements.txt .
+# Note that it installs into PYTHONUSERBASE because of the '--user'
+# flag.
+
+# When cross-compiling the container, cargo uncontrollably consumes memory and
+# gets killed by the OOM Killer when it fetches dependencies. The workaround is
+# to use the git executable.
+# See https://github.com/rust-lang/cargo/issues/10583 for details.
+ENV CARGO_NET_GIT_FETCH_WITH_CLI=true
+
+# Added GRPC & Gevent support for IBMZ
+# wget has been added to reduce the build time
+# In Future if wget is to be removed , then uncomment below line for grpc installation on IBMZ i.e. s390x
+ENV GRPC_PYTHON_BUILD_SYSTEM_OPENSSL 1
+
+RUN ARCH=$(uname -m) ; echo $ARCH; \
+    if [ "$ARCH" == "ppc64le" ] ; then \
+    GE_LATEST=$(grep "gevent" requirements.txt |cut -d "=" -f 3); \
+	wget https://github.com/IBM/oss-ecosystem-gevent/releases/download/${GE_LATEST}/manylinux_ppc64le_wheels_${GE_LATEST}.tar.gz; \
+	tar xvf manylinux_ppc64le_wheels_${GE_LATEST}.tar.gz; \
+	python3 -m pip install --no-cache-dir --user wheelhouse/gevent-${GE_LATEST}-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl; \
+    GRPC_LATEST=$(grep "grpcio" requirements.txt |cut -d "=" -f 3); \
+	wget https://github.com/IBM/oss-ecosystem-grpc/releases/download/${GRPC_LATEST}/grpcio-${GRPC_LATEST}-cp39-cp39-linux_ppc64le.whl; \
+	python3 -m pip install --no-cache-dir --user grpcio-${GRPC_LATEST}-cp39-cp39-linux_ppc64le.whl; \
+	fi
+
+RUN set -ex\
+	; python3 -m pip install --no-cache-dir --progress-bar off --user $(grep -e '^pip=' -e '^wheel=' -e '^setuptools=' ./requirements.txt) \
+	; python3 -m pip install --no-cache-dir --progress-bar off --user --requirement requirements.txt \
+	;
+RUN set -ex\
+# Doing this is explicitly against the purpose and use of certifi.
+	; for dir in\
+		$(find "$(python3 -m site --user-base)" -type d -name certifi)\
+	; do chgrp -R 0 "$dir" && chmod -R g=u "$dir" ; done\
+	;
+
+# Build-static downloads the static javascript.
+FROM registry.access.redhat.com/ubi8/nodejs-10 AS build-static
+WORKDIR /opt/app-root/src
+COPY --chown=1001:0 package.json package-lock.json  ./
+RUN npm clean-install
+COPY --chown=1001:0 static/  ./static/
+COPY --chown=1001:0 *.json *.js  ./
+RUN npm run --quiet build
+
+# Build React UI
+FROM registry.access.redhat.com/ubi8/nodejs-16:latest as build-ui
+WORKDIR /opt/app-root
+COPY --chown=1001:0 web/package.json web/package-lock.json  ./
+RUN npm clean-install
+COPY --chown=1001:0 web .
+RUN npm run --quiet build
+
+# Pushgateway grabs pushgateway.
+FROM registry.access.redhat.com/ubi8/ubi:latest AS pushgateway
+ENV OS=linux
+ARG PUSHGATEWAY_VERSION=1.6.0
+RUN set -ex\
+	; ARCH=$(uname -m) ; echo $ARCH \
+	; if [ "$ARCH" == "x86_64" ] ; then ARCH="amd64" ; elif [ "$ARCH" == "aarch64" ] ; then ARCH="arm64" ; fi \
+	; curl -fsSL "https://github.com/prometheus/pushgateway/releases/download/v${PUSHGATEWAY_VERSION}/pushgateway-${PUSHGATEWAY_VERSION}.${OS}-${ARCH}.tar.gz"\
+	| tar xz "pushgateway-${PUSHGATEWAY_VERSION}.${OS}-${ARCH}/pushgateway"\
+	; install "pushgateway-${PUSHGATEWAY_VERSION}.${OS}-${ARCH}/pushgateway" /usr/local/bin/pushgateway\
+	;
+
+# Config-tool builds the go binary in the configtool.
+FROM registry.access.redhat.com/ubi8/go-toolset as config-tool
+WORKDIR /opt/app-root/src
+COPY config-tool/ ./
+COPY --from=config-editor /opt/app-root/src/static/build  /opt/app-root/src/pkg/lib/editor/static/build
+RUN go install -tags=fips ./cmd/config-tool
+
+FROM registry.redhat.io/rhel8-6-els/rhel AS build-quaydir
+WORKDIR /quaydir
+COPY --from=config-editor /opt/app-root/src /quaydir/config_app
+COPY --from=build-static /opt/app-root/src/static /quaydir/static
+COPY --from=build-ui /opt/app-root/dist /quaydir/static/patternfly
+
+# Copy in source and update local copy of AWS IP Ranges.
+# This is a bad place to do the curl, but there's no good place to do
+# it except to have it checked in.
+COPY --chown=0:0 . .
+RUN set -ex\
+	; chmod -R g=u ./conf\
+	; curl -fsSL https://ip-ranges.amazonaws.com/ip-ranges.json -o util/ipresolver/aws-ip-ranges.json\
+	;
+
+# Final is the end container, where all the work from the other
+# containers are copied in.
+FROM base AS final
+LABEL com.redhat.component="quay-registry-container"
+LABEL name="quay/quay-rhel8"
+LABEL io.k8s.display-name="Red Hat Quay"
+LABEL io.k8s.description="Red Hat Quay"
+LABEL summary="Red Hat Quay"
+LABEL maintainer="support@redhat.com"
+LABEL io.openshift.tags="quay"
+ENV RED_HAT_QUAY=true
+
+ENV QUAYDIR /quay-registry
+ENV QUAYCONF /quay-registry/conf
+ENV QUAYRUN /quay-registry/conf
+ENV QUAYPATH $QUAYDIR
+ENV PYTHONPATH $QUAYPATH
+
+# All of these chgrp+chmod commands are an Openshift-ism.
+#
+# Openshift runs a container as a random UID and GID 0, so anything
+# that's in the base image and needs to be modified at runtime needs
+# to make sure it's group-writable.
+RUN alternatives --set python /usr/bin/python3
+RUN set -ex\
+	; setperms() { for d in "$@"; do chgrp -R 0 "$d" && chmod -R g=u "$d" && ls -ld "$d"; done; }\
+	; newdir() { for d in "$@"; do mkdir -m 775 "$d" && ls -ld "$d"; done; }\
+# Allow TLS certs to be created and installed as non-root user.
+# See also update-ca-trust(8).
+	; setperms /etc/pki/ca-trust/extracted /etc/pki/ca-trust/source/anchors\
+# Allow for nginx to run unprivledged.
+	; setperms /etc/nginx\
+	; ln -sf /dev/stdout /var/log/nginx/access.log\
+	; ln -sf /dev/stdout /var/log/nginx/error.log\
+# The code doesn't agree on where the configuration lives, so create a
+# symlink.
+	; ln -s $QUAYCONF /conf\
+# Make a grip of runtime directories.
+	; newdir /certificates "$QUAYDIR" "$QUAYDIR/conf" "$QUAYDIR/conf/stack" /datastorage\
+# Another Openshift-ism: it doesn't bother picking a uid that means
+# anything to the OS inside the container, so the process needs
+# permissions to modify the user database.
+	; setperms /etc/passwd\
+	;
+
+WORKDIR $QUAYDIR
+# Ordered from least changing to most changing.
+COPY --from=pushgateway /usr/local/bin/pushgateway /usr/local/bin/pushgateway
+COPY --from=build-python /app /app
+COPY --from=config-tool /opt/app-root/src/go/bin/config-tool /bin
+COPY --from=build-quaydir /quaydir $QUAYDIR
+
+EXPOSE 8080 8443 7443 9091 55443
+# Don't expose /var/log as a volume, because we just configured it
+# correctly above.
+# It's probably unwise to mount /tmp as a volume but if someone must,
+# make sure it's mode 1777 like /tmp should be.
+VOLUME ["/datastorage", "/tmp", "/conf/stack"]
+# In non-Openshift environments, drop privilege.
+USER 1001
+ENTRYPOINT ["dumb-init", "--", "/quay-registry/quay-entrypoint.sh"]
+CMD ["registry"]
diff --git a/downstream-dockerfile.sed b/downstream-dockerfile.sed
@@ -0,0 +1,88 @@
+s|FROM registry.access.redhat.com/ubi8/ubi-minimal|FROM registry.redhat.io/rhel8-6-els/rhel|
+s|microdnf|dnf|
+s|dnf remove |dnf remove -y|
+
+# /^FROM .* [Aa][Ss] config-editor$/,/^FROM /{
+# 	s|^WORKDIR .*|WORKDIR .quay/config-tool/pkg/lib/editor|
+# 	# s|^COPY --chown=1001:0 config-tool/.*|COPY --chown=1001:0 $REMOTE_SOURCES $REMOTE_SOURCES_DIR|
+# }
+
+# /^FROM .* [Aa][Ss] build-python$/,/^FROM /{
+# # 	/^FROM .* [Aa][Ss] build-python$/a\
+# # COPY cargo/config.toml /root/.cargo/config.toml\
+# # COPY cargo/vendor/ /opt/cargo/vendor/
+# 	# s|^WORKDIR .*|WORKDIR $REMOTE_SOURCES_DIR/quay/app|
+# 	# s|^COPY requirements.txt \.$|COPY $REMOTE_SOURCES $REMOTE_SOURCES_DIR|
+# 	s|microdnf|dnf|
+# 	s|dnf remove|dnf remove -y|
+# 	# s|python3 -m pip install|source $REMOTE_SOURCES_DIR/quay/cachito.env \&\& python3 -m pip install|
+# }
+
+# /^RUN ARCH=$(uname -m) ; echo $ARCH; .*/,/^RUN /{
+# 	/^RUN set/!d
+# }
+
+# /^FROM .* [Aa][Ss] build-static$/,/^FROM /{
+# 	# s|^WORKDIR .*|WORKDIR $REMOTE_SOURCES_DIR/quay/app|
+# 	# s|^COPY --chown=1001:0 package\.json.*|COPY --chown=1001:0 $REMOTE_SOURCES $REMOTE_SOURCES_DIR|
+# 	\|COPY --chown=1001:0 static/.*|d
+# 	\|COPY --chown=1001:0 \*\.json.*|d
+# }
+
+# /^FROM .* [Aa][Ss] build-ui$/,/^FROM /{
+# 	# s|^WORKDIR .*|WORKDIR $REMOTE_SOURCES_DIR/quay/app/web|
+# 	# s|^COPY --chown=1001:0 web/package\.json.*|COPY --chown=1001:0 $REMOTE_SOURCES $REMOTE_SOURCES_DIR|
+# 	\|COPY --chown=1001:0 web.*|d
+# }
+
+# /^FROM .* [Aa][Ss] pushgateway$/,/^FROM /{
+# 	/^FROM .* [Aa][Ss] pushgateway$/{
+# 		i\
+# FROM registry.access.redhat.com/ubi8/go-toolset:1.19 AS pushgateway\
+# RUN go mod vendor && GOEXPERIMENT=strictfipsruntime go build -tags strictfipsruntime\
+# \
+# # Config-tool builds the go binary in the configtool.
+# 		d
+# 	}
+# 	/^FROM /!d
+# }
+
+# /^FROM .* [Aa][Ss] config-tool/,/^FROM /{
+# 	# s|WORKDIR /opt/app-root/src|WORKDIR $REMOTE_SOURCES_DIR/quay/app/config-tool|
+# 	# s|^COPY config-tool/.*|COPY $REMOTE_SOURCES $REMOTE_SOURCES_DIR|
+# 	s|go install -tags=|GOEXPERIMENT=strictfipsruntime go install -tags strictfipsruntime,|
+# 	# s|COPY --from=config-editor /opt/app-root/src/static/build  */opt/app-root/src/pkg/lib/editor/static/build|COPY --from=config-editor $REMOTE_SOURCES_DIR/quay/app/config-tool/pkg/lib/editor/static/build $REMOTE_SOURCES_DIR/quay/app/config-tool/pkg/lib/editor/static/build|
+# }
+
+# /^FROM .* [Aa][Ss] build-quaydir$/,/^FROM /{
+# 	# s|COPY --from=config-editor /opt/app-root/src |COPY --from=config-editor $REMOTE_SOURCES_DIR/quay/app/config-tool/pkg/lib/editor |
+# 	# s|COPY --from=build-static /opt/app-root/src/static |COPY --from=build-static $REMOTE_SOURCES_DIR/quay/app/static |
+# 	# s|COPY --from=build-ui /opt/app-root/dist |COPY --from=build-ui $REMOTE_SOURCES_DIR/quay/app/web/dist |
+# 	# s|COPY --chown=0:0 \. \.|COPY --chown=0:0 $REMOTE_SOURCES/quay/app .|
+# 	\|	; curl -fsSL https://ip-ranges.amazonaws.com/ip-ranges.json -o util/ipresolver/aws-ip-ranges.json\\|d
+# }
+
+/^FROM .* [Aa][Ss] final$/,/^FROM /{
+	/^LABEL maintainer "quay-devel@redhat.com"/{
+		i\
+LABEL com.redhat.component="quay-registry-container"\
+LABEL name="quay/quay-rhel8"\
+LABEL io.k8s.display-name="Red Hat Quay"\
+LABEL io.k8s.description="Red Hat Quay"\
+LABEL summary="Red Hat Quay"\
+LABEL maintainer="support@redhat.com"\
+LABEL io.openshift.tags="quay"\
+ENV RED_HAT_QUAY=true
+		d
+	}
+	# s|COPY --from=pushgateway /usr/local/bin/pushgateway |COPY --from=pushgateway $REMOTE_SOURCES_DIR/pushgateway/app/pushgateway |
+	# s|COPY --from=config-tool /opt/app-root/src/go/bin/config-tool |COPY --from=config-tool $REMOTE_SOURCES_DIR/quay/deps/gomod/bin/config-tool |
+	# s|microdnf|dnf|
+	# s|dnf remove|dnf remove -y|
+}
+
+# /^FROM .* [Aa][Ss] /{
+# 	h
+# 	s/^FROM \(.*\) [Aa][Ss] .*/#@follow_tag(\1)/
+# 	G
+# }