-
Notifications
You must be signed in to change notification settings - Fork 597
/
Dockerfile-cli.template
95 lines (86 loc) · 2.77 KB
/
Dockerfile-cli.template
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
{{ include "shared" -}}
FROM alpine:3.21
RUN apk add --no-cache \
ca-certificates \
# DOCKER_HOST=ssh://... -- https://github.com/docker/cli/pull/1014
openssh-client \
# https://github.com/docker-library/docker/issues/482#issuecomment-2197116408
git
# ensure that nsswitch.conf is set up for Go's "netgo" implementation (which Docker explicitly uses)
# - https://github.com/moby/moby/blob/v24.0.6/hack/make.sh#L111
# - https://github.com/golang/go/blob/go1.19.13/src/net/conf.go#L227-L303
# - docker run --rm debian:stretch grep '^hosts:' /etc/nsswitch.conf
RUN [ -e /etc/nsswitch.conf ] && grep '^hosts: files dns' /etc/nsswitch.conf
# pre-add a "docker" group for socket usage
RUN set -eux; \
addgroup -g 2375 -S docker
ENV DOCKER_VERSION {{ .version }}
RUN set -eux; \
\
{{
download({
arches: .arches,
urlKey: "dockerUrl",
# TODO sha256Key (once Docker publishes them 😭)
target: "docker.tgz",
})
}}; \
\
tar --extract \
--file docker.tgz \
--strip-components 1 \
--directory /usr/local/bin/ \
--no-same-owner \
'docker/docker' \
; \
rm docker.tgz; \
\
docker --version
{{
{
buildx: .buildx,
compose: .compose,
}
| to_entries | map(
.key as $key | .value | (
-}}
ENV DOCKER_{{ $key | ascii_upcase }}_VERSION {{ .version }}
RUN set -eux; \
\
{{
download({
arches: .arches,
urlKey: "url",
sha256Key: "sha256",
target: ("docker-" + $key),
missingArchWarning: true,
})
}}; \
\
plugin='/usr/local/libexec/docker/cli-plugins/docker-{{ $key }}'; \
mkdir -p "$(dirname "$plugin")"; \
mv -vT {{ "docker-" + $key | @sh }} "$plugin"; \
chmod +x "$plugin"; \
\
{{ if $key == "compose" then ( -}}
ln -sv "$plugin" /usr/local/bin/; \
docker-{{ $key }} --version; \
{{ ) else "" end -}}
docker {{ $key }} version
{{
)
)
| add
-}}
COPY modprobe.sh /usr/local/bin/modprobe
COPY docker-entrypoint.sh /usr/local/bin/
# https://github.com/docker-library/docker/pull/166
# dockerd-entrypoint.sh uses DOCKER_TLS_CERTDIR for auto-generating TLS certificates
# docker-entrypoint.sh uses DOCKER_TLS_CERTDIR for auto-setting DOCKER_TLS_VERIFY and DOCKER_CERT_PATH
# (For this to work, at least the "client" subdirectory of this path needs to be shared between the client and server containers via a volume, "docker cp", or other means of data sharing.)
ENV DOCKER_TLS_CERTDIR=/certs
# also, ensure the directory pre-exists and has wide enough permissions for "dockerd-entrypoint.sh" to create subdirectories, even when run in "rootless" mode
RUN mkdir /certs /certs/client && chmod 1777 /certs /certs/client
# (doing both /certs and /certs/client so that if Docker does a "copy-up" into a volume defined on /certs/client, it will "do the right thing" by default in a way that still works for rootless users)
ENTRYPOINT ["docker-entrypoint.sh"]
CMD ["sh"]