Distroless with binaries - initial

deckhouse · Jan 15, 2025 · ae877cb · ae877cb
1 parent 5d75d40
commit ae877cb
Showing 1 changed file with 62 additions and 14 deletions.
diff --git a/images/sds-local-volume-csi/werf.inc.yaml b/images/sds-local-volume-csi/werf.inc.yaml
@@ -1,3 +1,5 @@
+{{- $csiBinaries := "/usr/bin/curl" "/usr/sbin/fsck.xfs" "/usr/sbin/mkfs.xfs" "/usr/sbin/xfs_admin" "/usr/sbin/xfs_bmap" "/usr/sbin/xfs_copy" "/usr/sbin/xfs_db" "/usr/sbin/xfs_estimate" "/usr/sbin/xfs_freeze" "/usr/sbin/xfs_fsr" "/usr/sbin/xfs_growfs" "/usr/sbin/xfs_info" "/usr/sbin/xfs_io" "/usr/sbin/xfs_logprint" "/usr/sbin/xfs_mdrestore" "/usr/sbin/xfs_metadump" "/usr/sbin/xfs_mkfile" "/usr/sbin/xfs_ncheck" "/usr/sbin/xfs_property" "/usr/sbin/xfs_quota" "/usr/sbin/xfs_repair" "/usr/sbin/xfs_rtcp" "/usr/sbin/xfs_scrub" "/usr/sbin/xfs_scrub_all" "/usr/sbin/xfs_spaceman" "/sbin/badblocks" "/sbin/debugfs" "/sbin/dumpe2fs" "/sbin/e2freefrag" "/sbin/e2fsck" "/sbin/e2image" "/sbin/e2initrd_helper" "/sbin/e2label" "/sbin/e2mmpstatus" "/sbin/e2scrub" "/sbin/e2scrub_all" "/sbin/e2undo" "/sbin/e4crypt" "/sbin/e4defrag" "/sbin/filefrag" "/sbin/fsck.ext2" "/sbin/fsck.ext3" "/sbin/fsck.ext4" "/sbin/fsck.ext4dev" "/sbin/logsave" "/sbin/mke2fs" "/sbin/mkfs.ext2" "/sbin/mkfs.ext3" "/sbin/mkfs.ext4" "/sbin/mkfs.ext4dev" "/sbin/mklost+found" "/sbin/resize2fs" "/sbin/tune2fs" "/usr/bin/chattr" "/usr/bin/lsattr" "/usr/sbin/dmfilemapd" "/usr/sbin/fsadm" "/usr/sbin/lvchange" "/usr/sbin/lvconvert" "/usr/sbin/lvcreate" "/usr/sbin/lvdisplay" "/usr/sbin/lvextend" "/usr/sbin/lvm" "/usr/sbin/lvm_import_vdo" "/usr/sbin/lvmconfig" "/usr/sbin/lvmdevices" "/usr/sbin/lvmdiskscan" "/usr/sbin/lvmdump" "/usr/sbin/lvmpolld" "/usr/sbin/lvmsadc" "/usr/sbin/lvmsar" "/usr/sbin/lvreduce" "/usr/sbin/lvremove" "/usr/sbin/lvrename" "/usr/sbin/lvresize" "/usr/sbin/lvs" "/usr/sbin/lvscan" "/usr/sbin/pvchange" "/usr/sbin/pvck" "/usr/sbin/pvcreate" "/usr/sbin/pvdisplay" "/usr/sbin/pvmove" "/usr/sbin/pvremove" "/usr/sbin/pvresize" "/usr/sbin/pvs" "/usr/sbin/pvscan" "/usr/sbin/vgcfgbackup" "/usr/sbin/vgcfgrestore" "/usr/sbin/vgchange" "/usr/sbin/vgck" "/usr/sbin/vgconvert" "/usr/sbin/vgcreate" "/usr/sbin/vgdisplay" "/usr/sbin/vgexport" "/usr/sbin/vgextend" "/usr/sbin/vgimport" "/usr/sbin/vgimportclone" "/usr/sbin/vgimportdevices" "/usr/sbin/vgmerge" "/usr/sbin/vgmknodes" "/usr/sbin/vgreduce" "/usr/sbin/vgremove" "/usr/sbin/vgrename" "/usr/sbin/vgs" "/usr/sbin/vgscan" "/usr/sbin/vgsplit" "/bin/mount" "/bin/umount" "/sbin/swapoff" "/sbin/swapon" }}
+# "/usr/bin/mount"  "/usr/sbin/mkfs" "/usr/sbin/mkfs.xfs" "/usr/sbin/mkfs.ext4" "/usr/sbin/resize2fs" "/usr/sbin/lvm"
 # Required for external analytics. Do not remove!
 ---
 image: {{ $.ImageName }}-src-artifact
@@ -40,28 +42,74 @@ shell:
     - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-s -w" -o /{{ $.ImageName }}
     - chmod +x /{{ $.ImageName }}
 
+
 ---
-image: {{ $.ImageName }}
+image: {{ $.ImageName }}-binaries-artifact
+from: {{ $.Root.BASE_ALT }}
+final: false
+
+git:
+  - add: /tools/dev_images/additional_tools/binary_replace.sh
+    to: /binary_replace.sh
+    stageDependencies:
+      install:
+        - '**/*'
+
+shell:
+  install:
+    - apt-get update
+    - apt-get -y install glibc-utils mount nfs-utils curl
+    - rm -rf /var/lib/apt/lists/* /var/cache/apt/* && mkdir -p /var/lib/apt/lists/partial /var/cache/apt/archives/partial
+    - chmod +x /binary_replace.sh
+    - /binary_replace.sh -i "{{ $csiBinaries }}" -o /relocate
+
+---
+image: {{ $.ImageName }}-distroless-artifact
 from: {{ $.Root.BASE_ALT_P11 }}
+final: false
+
+shell:
+  install:
+    - apt-get update
+    - apt-get -y install ca-certificates tzdata curl lvm2 e2fsprogs xfsprogs mkfs 
+    - mkdir -p /relocate/bin /relocate/sbin /relocate/etc /relocate/etc/ssl /relocate/usr/bin /relocate/usr/sbin /relocate/usr/share
+    - cp -pr /tmp /relocate
+    - cp -pr /etc/passwd /etc/group /etc/hostname /etc/hosts /etc/shadow /etc/protocols /etc/services /etc/nsswitch.conf /relocate/etc
+    - cp -pr /usr/share/ca-certificates /relocate/usr/share
+    - cp -pr /usr/share/zoneinfo /relocate/usr/share
+    # changed from /etc/ssl/* to ALTLinux specific
+    - cp -pr /etc/pki/tls/cert.pem /relocate/etc/ssl
+    - cp -pr /etc/pki/tls/certs /relocate/etc/ssl
+    - echo "deckhouse:x:64535:64535:deckhouse:/:/sbin/nologin" >> /relocate/etc/passwd
+    - echo "deckhouse:x:64535:" >> /relocate/etc/group
+    - echo "deckhouse:!::0:::::" >> /relocate/etc/shadow
+
+---
+image: {{ $.ImageName }}-distroless
+from: {{ $.Root.BASE_SCRATCH }}
+final: false
+
+import:
+  - image: {{ $.ImageName }}-distroless-artifact
+    add: /relocate
+    to: /
+    before: install
+
+---
+image: {{ $.ImageName }}
+fromImage: {{ $.ImageName }}-distroless
 
 import:
   - image: {{ $.ImageName }}-golang-artifact
     add: /{{ $.ImageName }}
     to: /{{ $.ImageName }}
     before: install
-
-shell:
-  beforeInstall:
-    - export DEBIAN_FRONTEND=noninteractive
-    - apt-get update
-    - apt-get install -y curl
-    - |
-      apt-get -y install lvm2 e2fsprogs xfsprogs \
-      && apt-get clean \
-      && rm -rf /var/lib/apt/lists/*
-    - echo "deckhouse:x:64535:64535:deckhouse:/:/sbin/nologin" >> /etc/passwd
-    - echo "deckhouse:x:64535:" >> /etc/group
-    - echo "deckhouse:!::0:::::" >> /etc/shadow
+  - image: {{ $.ImageName }}-binaries-artifact
+    add: /relocate
+    to: /
+    before: install
+    includePaths:
+      - '**/*'
 
 docker:
   ENTRYPOINT: ["/{{ $.ImageName }}"]