From ae877cb2eeb8488949b38575fad0c0250f8bd38b Mon Sep 17 00:00:00 2001 From: Alexey Yakubov Date: Wed, 15 Jan 2025 15:36:31 +0300 Subject: [PATCH] Distroless with binaries - initial --- images/sds-local-volume-csi/werf.inc.yaml | 76 ++++++++++++++++++----- 1 file changed, 62 insertions(+), 14 deletions(-) diff --git a/images/sds-local-volume-csi/werf.inc.yaml b/images/sds-local-volume-csi/werf.inc.yaml index 439eb9a3..d1ecc5fc 100644 --- a/images/sds-local-volume-csi/werf.inc.yaml +++ b/images/sds-local-volume-csi/werf.inc.yaml 
@@ -1,3 +1,5 @@
+{{- $csiBinaries := "/usr/bin/curl" "/usr/sbin/fsck.xfs" "/usr/sbin/mkfs.xfs" "/usr/sbin/xfs_admin" "/usr/sbin/xfs_bmap" "/usr/sbin/xfs_copy" "/usr/sbin/xfs_db" "/usr/sbin/xfs_estimate" "/usr/sbin/xfs_freeze" "/usr/sbin/xfs_fsr" "/usr/sbin/xfs_growfs" "/usr/sbin/xfs_info" "/usr/sbin/xfs_io" "/usr/sbin/xfs_logprint" "/usr/sbin/xfs_mdrestore" "/usr/sbin/xfs_metadump" "/usr/sbin/xfs_mkfile" "/usr/sbin/xfs_ncheck" "/usr/sbin/xfs_property" "/usr/sbin/xfs_quota" "/usr/sbin/xfs_repair" "/usr/sbin/xfs_rtcp" "/usr/sbin/xfs_scrub" "/usr/sbin/xfs_scrub_all" "/usr/sbin/xfs_spaceman" "/sbin/badblocks" "/sbin/debugfs" "/sbin/dumpe2fs" "/sbin/e2freefrag" "/sbin/e2fsck" "/sbin/e2image" "/sbin/e2initrd_helper" "/sbin/e2label" "/sbin/e2mmpstatus" "/sbin/e2scrub" "/sbin/e2scrub_all" "/sbin/e2undo" "/sbin/e4crypt" "/sbin/e4defrag" "/sbin/filefrag" "/sbin/fsck.ext2" "/sbin/fsck.ext3" "/sbin/fsck.ext4" "/sbin/fsck.ext4dev" "/sbin/logsave" "/sbin/mke2fs" "/sbin/mkfs.ext2" "/sbin/mkfs.ext3" "/sbin/mkfs.ext4" "/sbin/mkfs.ext4dev" "/sbin/mklost+found" "/sbin/resize2fs" "/sbin/tune2fs" "/usr/bin/chattr" "/usr/bin/lsattr" "/usr/sbin/dmfilemapd" "/usr/sbin/fsadm" "/usr/sbin/lvchange" "/usr/sbin/lvconvert" "/usr/sbin/lvcreate" "/usr/sbin/lvdisplay" "/usr/sbin/lvextend" "/usr/sbin/lvm" "/usr/sbin/lvm_import_vdo" "/usr/sbin/lvmconfig" "/usr/sbin/lvmdevices" "/usr/sbin/lvmdiskscan" "/usr/sbin/lvmdump" "/usr/sbin/lvmpolld" "/usr/sbin/lvmsadc" "/usr/sbin/lvmsar" "/usr/sbin/lvreduce" "/usr/sbin/lvremove" "/usr/sbin/lvrename" "/usr/sbin/lvresize" "/usr/sbin/lvs" "/usr/sbin/lvscan" "/usr/sbin/pvchange" "/usr/sbin/pvck" "/usr/sbin/pvcreate" "/usr/sbin/pvdisplay" "/usr/sbin/pvmove" "/usr/sbin/pvremove" "/usr/sbin/pvresize" "/usr/sbin/pvs" "/usr/sbin/pvscan" "/usr/sbin/vgcfgbackup" "/usr/sbin/vgcfgrestore" "/usr/sbin/vgchange" "/usr/sbin/vgck" "/usr/sbin/vgconvert" "/usr/sbin/vgcreate" "/usr/sbin/vgdisplay" "/usr/sbin/vgexport" "/usr/sbin/vgextend" "/usr/sbin/vgimport" 
"/usr/sbin/vgimportclone" "/usr/sbin/vgimportdevices" "/usr/sbin/vgmerge" "/usr/sbin/vgmknodes" "/usr/sbin/vgreduce" "/usr/sbin/vgremove" "/usr/sbin/vgrename" "/usr/sbin/vgs" "/usr/sbin/vgscan" "/usr/sbin/vgsplit" "/bin/mount" "/bin/umount" "/sbin/swapoff" "/sbin/swapon" }}
+# "/usr/bin/mount" "/usr/sbin/mkfs" "/usr/sbin/mkfs.xfs" "/usr/sbin/mkfs.ext4" "/usr/sbin/resize2fs" "/usr/sbin/lvm" # Required for external analytics. Do not remove!
 ---
 image: {{ $.ImageName }}-src-artifact
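Review bot: The assignment `{{- $csiBinaries := "/usr/bin/curl" "/usr/sbin/fsck.xfs" … "/sbin/swapon" }}` is not a valid Go text/template pipeline — a command whose first operand is a string literal cannot take further arguments, so rendering fails with "can't give argument to non-function" unless werf preprocesses this line. The consumer in the next hunk interpolates it into a shell argument (`-i "{{ $csiBinaries }}"`) and therefore expects one space-separated value, so the idiomatic form is a single string, `{{- $csiBinaries := "/usr/bin/curl /usr/sbin/fsck.xfs … /sbin/swapon" }}` (or a `list` joined with `join " "` at the call site). A short comment above it naming the consumer would help the next maintainer: `# Binaries (plus their shared libraries) relocated into the distroless image by binary_replace.sh.` Since the point of the distroless rebuild is a minimal runtime, also confirm that `/usr/bin/curl` is needed by the plugin at runtime rather than only during the build; a download tool inside a node plugin that runs with host mounts widens the post-compromise toolbox.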
@@ -40,28 +42,74 @@ shell:
 - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-s -w" -o /{{ $.ImageName }}
 - chmod +x /{{ $.ImageName }}
+
 ---
-image: {{ $.ImageName }}
+image: {{ $.ImageName }}-binaries-artifact
+from: {{ $.Root.BASE_ALT }}
+final: false
+
+git:
+ - add: /tools/dev_images/additional_tools/binary_replace.sh
+ to: /binary_replace.sh
+ stageDependencies:
+ install:
+ - '**/*'
+
+shell:
+ install:
+ - apt-get update
+ - apt-get -y install glibc-utils mount nfs-utils curl
+ - rm -rf /var/lib/apt/lists/* /var/cache/apt/* && mkdir -p /var/lib/apt/lists/partial /var/cache/apt/archives/partial
+ - chmod +x /binary_replace.sh
+ - /binary_replace.sh -i "{{ $csiBinaries }}" -o /relocate
+
+---
+image: {{ $.ImageName }}-distroless-artifact
 from: {{ $.Root.BASE_ALT_P11 }}
+final: false
+
+shell:
+ install:
+ - apt-get update
+ - apt-get -y install ca-certificates tzdata curl lvm2 e2fsprogs xfsprogs mkfs
+ - mkdir -p /relocate/bin /relocate/sbin /relocate/etc /relocate/etc/ssl /relocate/usr/bin /relocate/usr/sbin /relocate/usr/share
+ - cp -pr /tmp /relocate
+ - cp -pr /etc/passwd /etc/group /etc/hostname /etc/hosts /etc/shadow /etc/protocols /etc/services /etc/nsswitch.conf /relocate/etc
+ - cp -pr /usr/share/ca-certificates /relocate/usr/share
+ - cp -pr /usr/share/zoneinfo /relocate/usr/share
+ # changed from /etc/ssl/* to ALTLinux specific
+ - cp -pr /etc/pki/tls/cert.pem /relocate/etc/ssl
+ - cp -pr /etc/pki/tls/certs /relocate/etc/ssl
+ - echo "deckhouse:x:64535:64535:deckhouse:/:/sbin/nologin" >> /relocate/etc/passwd
+ - echo "deckhouse:x:64535:" >> /relocate/etc/group
+ - echo "deckhouse:!::0:::::" >> /relocate/etc/shadow
+
+---
+image: {{ $.ImageName }}-distroless
+from: {{ $.Root.BASE_SCRATCH }}
+final: false
+
+import:
+ - image: {{ $.ImageName }}-distroless-artifact
+ add: /relocate
+ to: /
+ before: install
+
+---
+image: {{ $.ImageName }}
+fromImage: {{ $.ImageName }}-distroless
 import:
 - image: {{ $.ImageName }}-golang-artifact
 add: /{{
$.ImageName }}
 to: /{{ $.ImageName }}
 before: install
-
-shell:
- beforeInstall:
- - export DEBIAN_FRONTEND=noninteractive
- - apt-get update
- - apt-get install -y curl
- - |
- apt-get -y install lvm2 e2fsprogs xfsprogs \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
- - echo "deckhouse:x:64535:64535:deckhouse:/:/sbin/nologin" >> /etc/passwd
- - echo "deckhouse:x:64535:" >> /etc/group
- - echo "deckhouse:!::0:::::" >> /etc/shadow
+ - image: {{ $.ImageName }}-binaries-artifact
+ add: /relocate
+ to: /
+ before: install
+ includePaths:
+ - '**/*'
 docker:
 ENTRYPOINT: ["/{{ $.ImageName }}"]
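Review bot: The `-binaries-artifact` stage installs only `glibc-utils mount nfs-utils curl` before running `/binary_replace.sh -i "{{ $csiBinaries }}" -o /relocate`, yet most of `$csiBinaries` are lvm2/e2fsprogs/xfsprogs tools, and those packages are installed only in the `-distroless-artifact` stage on a different base (`BASE_ALT_P11`), whose `cp` lines harvest `/etc` files, CA bundles and zoneinfo but never any binary. Unless `BASE_ALT` already ships them, the relocation script is pointed at files that do not exist and the final image ends up without `lvm`/`mkfs.*`/`fsck.*`; install them in the stage that relocates, `- apt-get -y install glibc-utils mount nfs-utils curl lvm2 e2fsprogs xfsprogs`, and drop them (and `curl`/`mkfs`) from the stage that only copies `/etc` — noting that `/etc/lvm` is not in the copied set either, if the tools expect a config there. Separately, `cp -pr /tmp /relocate` and copying `/etc/shadow` carry whatever the build container holds — `/tmp` leftovers and the base image's root shadow entry — into the runtime root; a `nologin` service account needs only `passwd`/`group`, so prefer `mkdir -m 1777 /relocate/tmp` and leave `/etc/shadow` out, or ship one containing only the `deckhouse:!::0:::::` line. Assembling the runtime root from two bases (`BASE_ALT` binaries and libraries, `BASE_ALT_P11` `/etc` and `nsswitch.conf`) also makes vulnerability scans and SBOMs of the final image hard to attribute to a single distribution release; relocating everything from one base avoids that.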