├── .bazelignore ├── .bazelrc ├── .gitignore ├── BUILD ├── CONTRIB.md ├── LICENSE ├── Makefile ├── README.md ├── SECURITY.md ├── WORKSPACE ├── bootstrap_image.sh ├── build.sh ├── centos7 ├── .bazelrc ├── BUILD ├── README.md ├── WORKSPACE ├── autogenerated_dus_timestamp.txt ├── build.sh ├── centos_rpm.bzl ├── chroot.sh ├── cloudbuild.yaml ├── deps.bzl ├── deps_spec.yaml ├── file_updates.yaml ├── metadata_summary.yaml ├── revisions.bzl └── test.yaml ├── centos8 ├── .bazelrc ├── BUILD ├── README.md ├── WORKSPACE ├── autogenerated_dus_timestamp.txt ├── build.sh ├── centos_rpm.bzl ├── chroot.sh ├── cloudbuild.yaml ├── deps.bzl ├── deps_spec.yaml ├── file_updates.yaml ├── metadata_summary.yaml ├── revisions.bzl └── test.yaml ├── check-fmt.sh ├── debian ├── BUILD ├── README.md ├── cloudbuild.yaml └── reproducible │ ├── BUILD │ ├── README.md │ ├── cloudbuild.yaml │ ├── debootstrap.bzl │ ├── mkimage.sh │ └── overlay │ ├── etc │ ├── apt │ │ └── apt.conf.d │ │ │ ├── apt-retry │ │ │ ├── docker-autoremove-suggests │ │ │ ├── docker-clean │ │ │ ├── docker-gzip-indexes │ │ │ └── docker-no-languages │ ├── machine-id │ └── resolv.conf │ ├── sbin │ └── initctl │ └── usr │ └── sbin │ └── policy-rc.d ├── debian10 ├── .bazelrc ├── BUILD ├── Dockerfile ├── README.md ├── WORKSPACE ├── autogenerated_dus_timestamp.txt ├── cloudbuild-new.yaml ├── cloudbuild.yaml ├── deps.bzl ├── deps_spec.yaml ├── file_updates.yaml ├── metadata_summary.yaml ├── mkimage.sh ├── overlay │ ├── etc │ │ ├── apt │ │ │ └── apt.conf.d │ │ │ │ ├── apt-retry │ │ │ │ ├── docker-autoremove-suggests │ │ │ │ ├── docker-clean │ │ │ │ ├── docker-gzip-indexes │ │ │ │ └── docker-no-languages │ │ ├── machine-id │ │ └── resolv.conf │ └── usr │ │ └── sbin │ │ ├── initctl │ │ └── policy-rc.d ├── revisions.bzl ├── sources.list └── test.yaml ├── debian11 ├── .bazelrc ├── BUILD ├── Dockerfile ├── README.md ├── WORKSPACE ├── autogenerated_dus_timestamp.txt ├── cloudbuild-new.yaml ├── cloudbuild.yaml ├── deps.bzl ├── deps_spec.yaml ├── 
file_updates.yaml ├── metadata_summary.yaml ├── mkimage.sh ├── overlay │ ├── etc │ │ ├── apt │ │ │ └── apt.conf.d │ │ │ │ ├── apt-retry │ │ │ │ ├── docker-autoremove-suggests │ │ │ │ ├── docker-clean │ │ │ │ ├── docker-gzip-indexes │ │ │ │ └── docker-no-languages │ │ ├── machine-id │ │ └── resolv.conf │ └── usr │ │ └── sbin │ │ ├── initctl │ │ └── policy-rc.d ├── revisions.bzl ├── sources.list └── test.yaml ├── debian9 ├── .bazelrc ├── BUILD ├── README.md ├── WORKSPACE ├── autogenerated_dus_timestamp.txt ├── cloudbuild.yaml ├── deps.bzl ├── deps_spec.yaml ├── file_updates.yaml ├── metadata_summary.yaml ├── mkimage.sh ├── overlay │ ├── etc │ │ ├── apt │ │ │ └── apt.conf.d │ │ │ │ ├── apt-retry │ │ │ │ ├── docker-autoremove-suggests │ │ │ │ ├── docker-clean │ │ │ │ ├── docker-gzip-indexes │ │ │ │ └── docker-no-languages │ │ ├── machine-id │ │ └── resolv.conf │ ├── sbin │ │ └── initctl │ └── usr │ │ └── sbin │ │ └── policy-rc.d ├── revisions.bzl └── test.yaml ├── dockerfile_build ├── BUILD └── dockerfile_build.bzl ├── hack └── hooks │ └── pre-commit ├── package_managers ├── BUILD ├── apt_key.bzl ├── bootstrap_image.bzl ├── download_pkgs.bzl └── install_pkgs.bzl ├── release └── release.sh ├── store ├── BUILD └── git │ ├── BUILD │ ├── git.bzl │ └── git.py ├── tests ├── BUILD ├── debian │ ├── BUILD │ ├── debian_10_test.yaml │ ├── debian_11_test.yaml │ ├── debian_9_test.yaml │ └── debian_test.yaml ├── dockerfile_build │ ├── BUILD │ ├── Dockerfile │ ├── Dockerfile.2 │ ├── context │ │ ├── bar │ │ ├── bat │ │ │ └── hey │ │ └── baz │ ├── test.yaml │ └── test2.yaml ├── package_managers │ ├── .gitignore │ ├── BUILD │ └── test_bootstrap_image_macro.sh ├── presubmit │ └── presubmit.sh ├── store │ ├── BUILD │ └── git │ │ ├── BUILD │ │ └── git_test.py └── ubuntu │ ├── BUILD │ ├── ubuntu_18_test.yaml │ └── ubuntu_test.yaml ├── ubuntu ├── 16_0_4 │ └── builds │ │ └── 20190301 │ │ └── packages.tar ├── 18_0_4 │ └── builds │ │ └── 20190301 │ │ └── packages.tar ├── BUILD ├── 
Dockerfile.ubuntu ├── README.md ├── images_release.yaml ├── overlay │ ├── etc │ │ ├── apt │ │ │ ├── apt.conf.d │ │ │ │ ├── apt-retry │ │ │ │ ├── docker-autoremove-suggests │ │ │ │ ├── docker-clean │ │ │ │ ├── docker-gzip-indexes │ │ │ │ └── docker-no-languages │ │ │ ├── dpkg │ │ │ │ └── dpkg.cfg.d │ │ │ │ │ └── docker-apt-speedup │ │ │ └── sources.list │ │ ├── machine-id │ │ └── resolv.conf │ ├── run │ │ └── systemd │ │ │ └── container │ ├── sbin │ │ └── initctl │ └── usr │ │ └── sbin │ │ └── policy-rc.d └── scripts │ └── upload-latest.sh ├── ubuntu1604 ├── .bazelrc ├── BUILD ├── README.md ├── WORKSPACE ├── autogenerated_dus_timestamp.txt ├── cloudbuild.yaml ├── deps.bzl ├── deps_spec.yaml ├── file_updates.yaml ├── metadata_summary.yaml ├── revisions.bzl └── tests.yaml ├── ubuntu1804 ├── .bazelrc ├── BUILD ├── Dockerfile ├── README.md ├── WORKSPACE ├── autogenerated_dus_timestamp.txt ├── cloudbuild-new.yaml ├── cloudbuild.yaml ├── deps.bzl ├── deps_spec.yaml ├── file_updates.yaml ├── metadata_summary.yaml ├── revisions.bzl ├── sources.list └── tests.yaml ├── ubuntu2004 ├── BUILD ├── Dockerfile ├── README.md ├── WORKSPACE ├── autogenerated_dus_timestamp.txt ├── cloudbuild-new.yaml ├── cloudbuild.yaml ├── deps.bzl ├── deps_spec.yaml ├── file_updates.yaml ├── metadata_summary.yaml ├── revisions.bzl ├── sources.list └── tests.yaml └── util ├── BUILD └── run.bzl /.bazelignore: -------------------------------------------------------------------------------- 1 | # Disable targets that are part of an embedded bazel project as buildkite 2 | # only recognizes a single top level WORKSPACE file. 3 | ubuntu1604 4 | ubuntu1804 5 | debian9 6 | centos7 7 | -------------------------------------------------------------------------------- /.bazelrc: -------------------------------------------------------------------------------- 1 | # Copyright 2017 The Bazel Authors. All rights reserved. 
2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | build --host_force_python=PY2 16 | test --host_force_python=PY2 17 | run --host_force_python=PY2 18 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *~ 2 | cloudbuild_securitytest.yaml 3 | mkdebootstrap/mkimage.sh 4 | mkdebootstrap/mkimage/ 5 | mkdebootstrap/Dockerfile 6 | bazel-* 7 | rootfs.tar.gz 8 | centos/layer.tar 9 | -------------------------------------------------------------------------------- /BUILD: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Google Inc. All rights reserved. 2 | 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | package(default_visibility = ["//visibility:public"]) 16 | -------------------------------------------------------------------------------- /CONTRIB.md: -------------------------------------------------------------------------------- 1 | # Environment Setup 2 | 3 | To build and test these images you will need to install `bazel`. This build is known to work with version 3.4.1 4 | 5 | To install a pre-commit hook that will automatically run tests, run the following command: 6 | 7 | ```shell 8 | cd .git/hooks/ 9 | ln -s ../../hacks/hooks/* . 10 | ``` 11 | 12 | Some of these images also rely on features only in a modern version of the `tar` command. 13 | Notably, OSX defaults to an older version of these coreutils. 14 | 15 | To install the newer versions on OSX, follow these steps: 16 | 17 | ```shell 18 | brew install coreutils 19 | brew install gnu-tar --with-default-names 20 | ``` 21 | 22 | # How to build these base images 23 | 24 | We use `bazel` to build most of the images in this repository, so that we can build them reproducibly. 25 | To learn about how we generate reproducible images, see [the design doc](./reproducible/README.md). 26 | 27 | To build all images, use: 28 | 29 | ```shell 30 | bazel build //... 31 | ``` 32 | 33 | This can be slow the first time, but future builds are incremental and very fast. 34 | 35 | Tests are implemented using the [structure_test](https://www.github.com/GoogleCloudPlatform/container-structure-test) library. 36 | The tests are defined as YAML files in the `tests` directory. 37 | 38 | To run tests, use: 39 | 40 | ```shell 41 | bazel test //... 42 | ``` 43 | 44 | We also have a set of formatting and style tests, which should be run before sending PRs. 45 | To run these, use: 46 | 47 | ```shell 48 | make test 49 | ``` 50 | 51 | Note: running either set of tests requires installing [container_diff](https://github.com/GoogleCloudPlatform/container-diff) and having it on your PATH. 
52 | 53 | # How to become a contributor and submit your own code 54 | 55 | ## Contributor License Agreements 56 | 57 | We'd love to accept your patches! Before we can take them, we have to jump a couple of legal hurdles. 58 | 59 | Please fill out either the individual or corporate Contributor License Agreement (CLA). 60 | 61 | * If you are an individual writing original source code and you're sure you own the intellectual property, then you'll need to sign an [individual CLA](http://code.google.com/legal/individual-cla-v1.0.html). 62 | * If you work for a company that wants to allow you to contribute your work, then you'll need to sign a [corporate CLA](http://code.google.com/legal/corporate-cla-v1.0.html). 63 | 64 | Follow either of the two links above to access the appropriate CLA and instructions for how to sign and return it. Once we receive it, we'll be able to accept your pull requests. 65 | 66 | ## Contributing A Patch 67 | 68 | 1. Submit an issue describing your proposed change to the repo in question. 69 | 1. The repo owner will respond to your issue promptly. 70 | 1. If your proposed change is accepted, and you haven't already done so, sign a Contributor License Agreement (see details above). 71 | 1. Fork the desired repo, develop and test your code changes. 72 | 1. Submit a pull request. 73 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | PWD := $(shell pwd) 2 | 3 | CONTAINER_TEST_TARGETS = :image-test :configs_test 4 | BAZEL_TEST_OPTS = --test_output=errors --strategy=TestRunner=standalone 5 | 6 | .PHONY: test 7 | test: 8 | ./check-fmt.sh 9 | bazel version 10 | bazel build //... --action_env=GIT_ROOT=$(PWD) --sandbox_writable_path=$(PWD) --verbose_failures --incompatible_bzl_disallow_load_after_statement=false 11 | bazel test --test_output=errors //... 
--action_env=GIT_ROOT=$(PWD) --sandbox_writable_path=$(PWD) --verbose_failures --incompatible_bzl_disallow_load_after_statement=false 12 | cd ubuntu1604 && bazel test $(BAZEL_TEST_OPTS) $(CONTAINER_TEST_TARGETS) && cd .. 13 | cd ubuntu1804 && bazel test $(BAZEL_TEST_OPTS) $(CONTAINER_TEST_TARGETS) && cd .. 14 | cd ubuntu2004 && bazel test $(BAZEL_TEST_OPTS) $(CONTAINER_TEST_TARGETS) && cd .. 15 | cd debian9 && bazel test $(BAZEL_TEST_OPTS) $(CONTAINER_TEST_TARGETS) && cd .. 16 | cd debian10 && bazel test $(BAZEL_TEST_OPTS) $(CONTAINER_TEST_TARGETS) && cd .. 17 | cd debian11 && bazel test $(BAZEL_TEST_OPTS) $(CONTAINER_TEST_TARGETS) && cd .. 18 | cd centos7 && bazel test $(BAZEL_TEST_OPTS) $(CONTAINER_TEST_TARGETS) && cd .. 19 | cd centos8 && bazel test $(BAZEL_TEST_OPTS) $(CONTAINER_TEST_TARGETS) && cd .. 20 | 21 | complex-test: 22 | tests/package_managers/test_bootstrap_image_macro.sh 23 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | base-images-docker 2 | =================== 3 | Source for the Google-maintained base docker images. These images can be used as a base for container-based application development. 4 | 5 | Images currently supported: 6 | * Debian 10 (Buster) `launcher.gcr.io/google/debian10` and `gcr.io/google-appengine/debian10` 7 | * Debian 9 (Stretch) `launcher.gcr.io/google/debian9` and `gcr.io/google-appengine/debian9` 8 | * Ubuntu 16.04 (Xenial Xerus) `launcher.gcr.io/google/ubuntu16_04` and `gcr.io/gcp-runtimes/ubuntu_16_0_4` 9 | * Ubuntu 18.04 (Bionic Beaver) `launcher.gcr.io/google/ubuntu18_04` and `gcr.io/gcp-runtimes/ubuntu_18_0_4` 10 | * CentOS 7 `launcher.gcr.io/google/centos7` and `gcr.io/gcp-runtimes/centos7` 11 | 12 | Usage 13 | ======= 14 | Please navigate to respective base-image dir to read more on how to use to these 15 | base images. 
16 | 17 | Contribution Guidelines 18 | ========================= 19 | For details on how to contribute to this repo, see our [contribution 20 | guidelines](CONTRIB.md). 21 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Security Policy 2 | 3 | To report a security issue, please use [g.co/vulnz](https://g.co/vulnz). 4 | 5 | The Google Security Team will respond within 5 working days of your report on g.co/vulnz. 6 | 7 | We use g.co/vulnz for our intake, and do coordination and disclosure here using GitHub Security Advisory to privately discuss and fix the issue. 8 | -------------------------------------------------------------------------------- /bootstrap_image.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -xe 3 | 4 | # This script kicks of the bootstrap image macro with the right flags. 5 | 6 | while getopts t:g:d option 7 | do 8 | case "${option}" 9 | in 10 | t) TARGET=${OPTARG};; 11 | g) GIT_ROOT=${OPTARG};; 12 | d) DEBUG="--verbose_failures --sandbox_debug";; 13 | *) echo "Invalid option"; exit 1;; 14 | esac 15 | done 16 | 17 | # Error out if -t does not exists 18 | if [ -z "${TARGET}" ]; then 19 | echo """ 20 | $(basename "$0") 21 | Mandatory Args 22 | -t 23 | Optional Args 24 | -g Local Git root location 25 | -d Add debug options to bazel command 26 | """ 27 | exit 1 28 | fi 29 | 30 | if [ -z "${GIT_ROOT}" ]; then 31 | GIT_ROOT=$(git rev-parse --show-toplevel) 32 | fi 33 | 34 | echo "Running bazel build ${TARGET}" 35 | # shellcheck disable=SC2086 36 | bazel build "${TARGET}" \ 37 | --action_env=GIT_ROOT="${GIT_ROOT}" \ 38 | --sandbox_writable_path="${GIT_ROOT}" ${DEBUG} 39 | 40 | # get rid of running this once we figure out how to make put_status output mandatory in bootstrap_image. 
41 | echo "Running bazel build ${TARGET}_fetch to make we store the downloaded packages in the store back" 42 | # shellcheck disable=SC2086 43 | bazel build "${TARGET}_fetch" \ 44 | --action_env=GIT_ROOT="${GIT_ROOT}" \ 45 | --sandbox_writable_path="${GIT_ROOT}" ${DEBUG} 46 | 47 | echo "Please run 'git status' and 'git commit' commands to commit the downloaded packages to the git repository" 48 | -------------------------------------------------------------------------------- /build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | usage() { 4 | echo "Usage: $0 [-r repository] [-v version] [-c config] [-o os]" 5 | echo 6 | echo "[repository]: remote repository to push the debian image to (e.g. 'gcr.io/gcp-runtimes/debian')" 7 | echo "[version]: version of debian to build (e.g. 'stretch')" 8 | echo "[config]: the yaml file defining the steps of the build, defaults to cloudbuild.yaml" 9 | echo "[os]: which image to build, either debian or ubuntu. defaults to debian." 
10 | echo 11 | exit 1 12 | } 13 | 14 | set -e 15 | if [ -z "$TAG" ] 16 | then 17 | TAG=$(date +%Y-%m-%d-%H%M%S) 18 | export TAG 19 | fi 20 | 21 | while test $# -gt 0; do 22 | case "$1" in 23 | --repo|--repository|-r) 24 | shift 25 | if test $# -gt 0; then 26 | REPO=$1 27 | else 28 | usage 29 | fi 30 | shift 31 | ;; 32 | --version|-v) 33 | shift 34 | if test $# -gt 0; then 35 | export VERSION=$1 36 | else 37 | usage 38 | fi 39 | shift 40 | ;; 41 | --config|-c) 42 | shift 43 | if test $# -gt 0; then 44 | CONFIG=$1 45 | else 46 | usage 47 | fi 48 | shift 49 | ;; 50 | --os|-o) 51 | shift 52 | if test $# -gt 0; then 53 | OS=$1 54 | else 55 | usage 56 | fi 57 | shift 58 | ;; 59 | *) 60 | usage 61 | shift 62 | ;; 63 | esac 64 | done 65 | 66 | if [ -z "$OS" ]; then 67 | OS=debian 68 | fi 69 | 70 | if [ -z "$CONFIG" ]; then 71 | CONFIG=$OS/reproducible/cloudbuild.yaml 72 | fi 73 | 74 | if [ -z "$REPO" ] || [ -z "$VERSION" ]; then 75 | usage 76 | fi 77 | 78 | if [ "$VERSION" == "stretch" ] 79 | then 80 | export VERSION_NUMBER=9 81 | elif [ "$VERSION" == "buster" ] 82 | then 83 | export VERSION_NUMBER=10 84 | else 85 | echo "Invalid version $VERSION" 86 | usage 87 | fi 88 | 89 | gcloud builds submit . --config="$CONFIG" --verbosity=info --substitutions=_REPO="$REPO",_TAG="$TAG",_VERSION_NUMBER="$VERSION_NUMBER" 90 | -------------------------------------------------------------------------------- /centos7/.bazelrc: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Google Inc. All rights reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | build --host_force_python=PY2 16 | test --host_force_python=PY2 17 | run --host_force_python=PY2 18 | -------------------------------------------------------------------------------- /centos7/BUILD: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Google Inc. All rights reserved. 2 | 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | load("@bazel_tools//tools/build_defs/pkg:pkg.bzl", "pkg_tar") 16 | load("@io_bazel_rules_docker//container:container.bzl", "container_image") 17 | load("@io_bazel_rules_docker//contrib:repro_test.bzl", "container_repro_test") 18 | load("@io_bazel_rules_docker//contrib:test.bzl", "container_test") 19 | load( 20 | "@io_bazel_rules_docker//contrib/automatic_container_release:configs_test.bzl", 21 | "configs_test", 22 | ) 23 | load("@io_bazel_rules_docker//docker/security:security_check.bzl", "security_check") 24 | load("@io_bazel_rules_docker//docker/util:run.bzl", "container_run_and_extract") 25 | 26 | licenses(["notice"]) # Apache 2.0 27 | 28 | package(default_visibility = ["//visibility:public"]) 29 | 30 | VERSION = "7" 31 | 32 | # Used by File Update Service only. 33 | pkg_tar( 34 | name = "chroot_tar", 35 | srcs = [ 36 | ":chroot.sh", 37 | ], 38 | package_dir = "/target/", 39 | strip_prefix = ".", 40 | tags = ["manual"], 41 | ) 42 | 43 | # Used by File Update Service only. 44 | container_image( 45 | name = "builder", 46 | base = "@centos_base//image", 47 | files = [ 48 | ":build.sh", 49 | "@centos7_latest//file", 50 | ], 51 | tars = [ 52 | ":chroot_tar", 53 | ], 54 | ) 55 | 56 | # Used by File Update Service only. 57 | container_run_and_extract( 58 | name = "centos_layer", 59 | commands = ["/build.sh " + VERSION], 60 | docker_run_flags = ["--privileged"], 61 | extract_file = "/layer.tar", 62 | image = ":builder.tar", 63 | ) 64 | 65 | container_image( 66 | name = "image", 67 | cmd = ["/bin/bash"], 68 | env = { 69 | "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 70 | }, 71 | tars = [ 72 | "@centos7_tar//file", 73 | ], 74 | ) 75 | 76 | # Run the security check script to generate a metadata YAML file indicating 77 | # whether the centos 7 has critical security vulnerability fixes. 
78 | security_check( 79 | name = "metadata", 80 | image = "gcr.io/gcp-runtimes/centos7:latest", 81 | ) 82 | 83 | container_test( 84 | name = "image-test", 85 | configs = [":test.yaml"], 86 | image = ":image", 87 | ) 88 | 89 | container_repro_test( 90 | name = "img_repro_test", 91 | image = ":image", 92 | workspace_file = "//:WORKSPACE", 93 | ) 94 | 95 | configs_test( 96 | name = "configs_test", 97 | dependency_update_specs = ["deps_spec.yaml"], 98 | file_update_specs = ["file_updates.yaml"], 99 | ) 100 | -------------------------------------------------------------------------------- /centos7/README.md: -------------------------------------------------------------------------------- 1 | ## CentOS 2 | 3 | This directory contains scripts and Dockerfiles for building a CentOS container image. 4 | 5 | ### Overview 6 | 7 | We bootstrap the image following a process based on a combination of https://wiki.centos.org/HowTos/ManualInstall 8 | and https://github.com/CentOS/sig-cloud-instance-build/blob/master/docker/centos-7.ks. 9 | 10 | We avoid using kickstart to make it easier to run in a container environment like Cloud Build, but still reuse the 11 | package list and cleanup steps from the kickstart installation. 12 | 13 | To build an image: 14 | 15 | ```shell 16 | gcloud builds submit --config=cloudbuild.yaml 17 | ``` 18 | 19 | To build locally: 20 | 21 | ```shell 22 | bazel run :image 23 | ``` 24 | -------------------------------------------------------------------------------- /centos7/WORKSPACE: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | workspace(name = "centos7") 16 | 17 | load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive") 18 | 19 | http_archive( 20 | name = "io_bazel_rules_docker", 21 | sha256 = "4521794f0fba2e20f3bf15846ab5e01d5332e587e9ce81629c7f96c793bb7036", 22 | strip_prefix = "rules_docker-0.14.4", 23 | urls = ["https://github.com/bazelbuild/rules_docker/releases/download/v0.14.4/rules_docker-v0.14.4.tar.gz"], 24 | ) 25 | 26 | load( 27 | "@io_bazel_rules_docker//repositories:repositories.bzl", 28 | container_repositories = "repositories", 29 | ) 30 | 31 | container_repositories() 32 | 33 | load("@io_bazel_rules_docker//repositories:deps.bzl", container_deps = "deps") 34 | 35 | container_deps() 36 | 37 | load("@io_bazel_rules_docker//repositories:pip_repositories.bzl", "pip_deps") 38 | 39 | pip_deps() 40 | 41 | load( 42 | "@io_bazel_rules_docker//container:container.bzl", 43 | "container_pull", 44 | ) 45 | 46 | # Pull existing Centos base, only used by File Update Service to create a new 47 | # Centos base tarball. 48 | container_pull( 49 | name = "centos_base", 50 | registry = "l.gcr.io", 51 | repository = "google/centos7", 52 | tag = "latest", 53 | ) 54 | 55 | load(":centos_rpm.bzl", "centos_rpm") 56 | 57 | # Non-deterministic latest version of Centos 7 release rpm. This is used by 58 | # File Update Service to archive each version in our managed GCS bucket, and 59 | # should NOT be used by container release directly. 
60 | centos_rpm( 61 | name = "centos7_latest", 62 | version = 7, 63 | ) 64 | 65 | load(":deps.bzl", "deps") 66 | 67 | deps() 68 | -------------------------------------------------------------------------------- /centos7/autogenerated_dus_timestamp.txt: -------------------------------------------------------------------------------- 1 | Tue Feb 7 19:01:48 UTC 2023 -------------------------------------------------------------------------------- /centos7/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # This script sets up a bootstrapped CentOS chroot and saves it as a tarball. 4 | 5 | rpm --nodeps --root /target/ -i /centos.rpm 6 | cp -f /etc/resolv.conf /target/etc 7 | 8 | sed -i '/nodocs/d' /etc/yum.conf 9 | yum -q -y --installroot=/target --releasever=${1} install yum 10 | cp -f /etc/yum.conf /target/etc/ 11 | mkdir -p /target/dev 12 | mount --bind /dev/ /target/dev/ 13 | mount -t proc procfs /target/proc/ 14 | mount -t sysfs sysfs /target/sys/ 15 | 16 | # Execute the chroot script. 17 | chroot /target ./chroot.sh ${1} 18 | 19 | # Cleanup and save as a tar. 20 | yum clean all 21 | echo 'container' > /etc/yum/vars/infra 22 | rm -rf /var/lib/systemd/random-seed 23 | #rpm --rebuilddb 24 | 25 | umount /target/dev/ 26 | umount /target/proc/ 27 | umount /target/sys/ 28 | rm /target/chroot.sh 29 | echo 7 > /target/etc/yum/vars/releasevar 30 | 31 | tar -C /target --mtime='1970-01-01' -cf /layer.tar . 32 | -------------------------------------------------------------------------------- /centos7/chroot.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # This script runs inside a chroot and sets up a bootstrapped centos image. 
4 | 5 | yum -y -q --releasever=${1} install yum centos-release 6 | yum install -q -y bind-utils bash yum vim-minimal centos-release less iputils iproute systemd rootfiles tar passwd yum-utils yum-plugin-ovl hostname which 7 | yum -q -y erase kernel* *firmware firewalld-filesystem os-prober gettext* GeoIP bind-license freetype libteam teamd 8 | rpm -e kernel 9 | yum -y remove bind-libs bind-libs-lite dhclient dhcp-common dhcp-libs dracut-network e2fsprogs e2fsprogs-libs ebtables ethtool file firewalld freetype gettext gettext-libs groff-base grub2 grub2-tools grubby initscripts iproute iptables kexec-tools libcroco libgomp libmnl libnetfilter_conntrack libnfnetlink libselinux-python lzo libunistring os-prober python-decorator python-slip python-slip-dbus snappy sysvinit-tools which linux-firmware GeoIP firewalld-filesystem qemu-guest-agent 10 | yum clean all 11 | rm -rf /var/cache/yum 12 | rm -rf /boot 13 | rm -rf /etc/firewalld 14 | passwd -l root 15 | echo 'container' > /etc/yum/vars/infra 16 | rm -rf /var/cache/yum/x86_64 17 | rm -rf /var/lib/yum/history 18 | rm -rf /var/lib/yum/yumdb 19 | rm -f /var/lib/yum/uuid 20 | rm -f /var/log/yum.log 21 | rm -f /tmp/ks-script* 22 | rm -rf /etc/sysconfig/network-scripts/ifcfg-* 23 | rm -rf /etc/udev/hwdb.bin 24 | rm -rf /usr/lib/udev/hwdb.d/* 25 | :> /etc/machine-id 26 | umount /run 27 | systemd-tmpfiles --create --boot 28 | rm /var/run/nologin 29 | rm -rf /var/lib/systemd/random-seed 30 | rm -rf /var/cache/ldconfig/aux-cache 31 | 32 | rm /etc/resolv.conf 33 | 34 | rm -rf /root/.bash_history 35 | 36 | echo 7 > /etc/yum/vars/releasever 37 | 38 | echo 'success' 39 | -------------------------------------------------------------------------------- /centos7/deps.bzl: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_file") 16 | load(":revisions.bzl", "CENTOS7_TAR") 17 | 18 | def deps(): 19 | """Download dependencies required to use this layer.""" 20 | excludes = native.existing_rules().keys() 21 | 22 | # Centos release layer tar. 23 | if "centos7_tar" not in excludes: 24 | http_file( 25 | name = "centos7_tar", 26 | downloaded_file_path = CENTOS7_TAR.revision + "_layer.tar", 27 | sha256 = CENTOS7_TAR.sha256, 28 | urls = [ 29 | "https://storage.googleapis.com/container-deps/centos7/tar/" + CENTOS7_TAR.revision + "_layer.tar", 30 | ], 31 | ) 32 | -------------------------------------------------------------------------------- /centos7/deps_spec.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | revisionsFilePath: "centos7/revisions.bzl" 16 | timestampFilePath: "centos7/autogenerated_dus_timestamp.txt" 17 | metadataSummaryFilePath: "centos7/metadata_summary.yaml" 18 | 19 | githubRepoDeps: 20 | 21 | # bazelbuild/rules_docker GitHub repo. 22 | - name: "RULES_DOCKER" 23 | repoSpec: 24 | owner: "bazelbuild" 25 | repository: "rules_docker" 26 | updateType: "release" 27 | releasePolicies: 28 | - tag: "default" 29 | # Every Wednesday at 5am. 30 | schedule: "0 0 5 * * Wed" 31 | 32 | gcsDeps: 33 | 34 | # Centos 7 release layer tarball. 35 | - name: "CENTOS7_TAR" 36 | bucket: "container-deps" 37 | versionRegex: "\\d{10,}" 38 | fileRegex: "^centos7/tar/\\d{10,}_layer\\.tar$" 39 | startsWith: "centos7/tar/" 40 | fusMetadataBucket: "container-deps" 41 | fusMetadataObject: "centos7/metadata/tar/metadata.yaml" 42 | releasePolicies: 43 | - tag: "default" 44 | # Weekly release schedule at 5am every Monday. 45 | # TODO (smukherj1): Change schedule to monthly once the automatic 46 | # updates infrastructure is deemed to be stable. 47 | schedule: "0 0 5 * * Mon" 48 | # Release immediate for security vulnerabilities with severity medium 49 | # or higher. 50 | - tag: "cveMedium" 51 | schedule: "* * * * * *" 52 | - tag: "cveHigh" 53 | schedule: "* * * * * *" 54 | - tag: "cveCritical" 55 | schedule: "* * * * * *" 56 | -------------------------------------------------------------------------------- /centos7/file_updates.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # This file is used by the File Update Service which continuously 16 | # checks for updates in the `triggerFile` listed here. If there is an update 17 | # in the `triggerFile`, the service will 18 | # 1. archive the new version of the `triggerFile` in its GCS bucket. 19 | # 2. for each one of `extraFiles`, generate a new version of it and archive it 20 | # in its GCS bucket. 21 | 22 | # ================================= Ubuntu1604 ================================= 23 | 24 | # Centos 7 release layer tar. 25 | - triggerFile: 26 | target: "//:centos_layer/layer.tar" 27 | bucket: "container-deps" 28 | dir: "centos7/tar" 29 | metadata: 30 | target: "//:metadata.yaml" 31 | bucket: "container-deps" 32 | object: "centos7/metadata/tar/metadata.yaml" 33 | -------------------------------------------------------------------------------- /centos7/metadata_summary.yaml: -------------------------------------------------------------------------------- 1 | {} 2 | -------------------------------------------------------------------------------- /centos7/revisions.bzl: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # This file is autogenerated by the dependency update service and should not be modified directly. 16 | # For more details, check the deps_spec.yaml file in the current folder. 17 | 18 | CENTOS7_TAR = struct( 19 | revision = "1675794689", 20 | sha256 = "e6428c1dcd36487ce6c9c7a0532965f386286b35c722908e848d60227a528657", 21 | ) 22 | 23 | RULES_DOCKER = struct( 24 | commit = "master", 25 | sha256 = "3fdae8c4571d6d3fc343f63c87b3fb030132ad091284b8cbdb7533cb063ded0a", 26 | ) 27 | -------------------------------------------------------------------------------- /centos7/test.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | schemaVersion: '2.0.0' 16 | 17 | # TODO: add more 18 | 19 | fileExistenceTests: 20 | - name: 'Root' 21 | path: '/' 22 | shouldExist: true 23 | 24 | metadataTest: 25 | cmd: ['/bin/bash'] 26 | env: 27 | - key: 'PATH' 28 | value: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' 29 | -------------------------------------------------------------------------------- /centos8/.bazelrc: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Google Inc. All rights reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | build --host_force_python=PY2 16 | test --host_force_python=PY2 17 | run --host_force_python=PY2 18 | -------------------------------------------------------------------------------- /centos8/BUILD: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Google Inc. All rights reserved. 2 | 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | load("@bazel_tools//tools/build_defs/pkg:pkg.bzl", "pkg_tar") 16 | load("@io_bazel_rules_docker//container:container.bzl", "container_image") 17 | load("@io_bazel_rules_docker//contrib:repro_test.bzl", "container_repro_test") 18 | load("@io_bazel_rules_docker//contrib:test.bzl", "container_test") 19 | load( 20 | "@io_bazel_rules_docker//contrib/automatic_container_release:configs_test.bzl", 21 | "configs_test", 22 | ) 23 | load("@io_bazel_rules_docker//docker/security:security_check.bzl", "security_check") 24 | load("@io_bazel_rules_docker//docker/util:run.bzl", "container_run_and_extract") 25 | 26 | licenses(["notice"]) # Apache 2.0 27 | 28 | package(default_visibility = ["//visibility:public"]) 29 | 30 | VERSION = "8" 31 | 32 | # Used by File Update Service only. 33 | pkg_tar( 34 | name = "chroot_tar", 35 | srcs = [ 36 | ":chroot.sh", 37 | ], 38 | package_dir = "/target/", 39 | strip_prefix = ".", 40 | tags = ["manual"], 41 | ) 42 | 43 | # Used by File Update Service only. 44 | container_image( 45 | name = "builder", 46 | base = "@centos_base//image", 47 | files = [ 48 | ":build.sh", 49 | "@centos8_latest//file", 50 | ], 51 | tars = [ 52 | ":chroot_tar", 53 | ], 54 | ) 55 | 56 | # Used by File Update Service only. 57 | container_run_and_extract( 58 | name = "centos_layer", 59 | commands = ["/build.sh " + VERSION], 60 | docker_run_flags = ["--privileged"], 61 | extract_file = "/layer.tar", 62 | image = ":builder.tar", 63 | ) 64 | 65 | container_image( 66 | name = "image", 67 | cmd = ["/bin/bash"], 68 | env = { 69 | "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 70 | }, 71 | tars = [ 72 | "@centos8_tar//file", 73 | ], 74 | ) 75 | 76 | # Run the security check script to generate a metadata YAML file indicating 77 | # whether the centos 8 has critical security vulnerability fixes. 
78 | security_check( 79 | name = "metadata", 80 | image = "gcr.io/gcp-runtimes/centos8:latest", 81 | ) 82 | 83 | container_test( 84 | name = "image-test", 85 | configs = [":test.yaml"], 86 | image = ":image", 87 | ) 88 | 89 | container_repro_test( 90 | name = "img_repro_test", 91 | image = ":image", 92 | workspace_file = "//:WORKSPACE", 93 | ) 94 | 95 | configs_test( 96 | name = "configs_test", 97 | dependency_update_specs = ["deps_spec.yaml"], 98 | file_update_specs = ["file_updates.yaml"], 99 | ) 100 | -------------------------------------------------------------------------------- /centos8/README.md: -------------------------------------------------------------------------------- 1 | ## CentOS 2 | 3 | This directory contains scripts and Dockerfiles for building a CentOS container image. 4 | 5 | ### Overview 6 | 7 | We bootstrap the image following a process based on a combination of https://wiki.centos.org/HowTos/ManualInstall 8 | and https://github.com/CentOS/sig-cloud-instance-build/blob/master/docker/centos-8.ks. 9 | 10 | We avoid using kickstart to make it easier to run in a container environment like Cloud Build, but still reuse the 11 | package list and cleanup steps from the kickstart installation. 12 | 13 | To build an image: 14 | 15 | ```shell 16 | gcloud builds submit --config=cloudbuild.yaml 17 | ``` 18 | 19 | To build locally: 20 | 21 | ```shell 22 | bazel run :image 23 | ``` 24 | -------------------------------------------------------------------------------- /centos8/WORKSPACE: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

workspace(name = "centos8")

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

# rules_docker is fetched as a release tarball pinned by sha256, so a changed or
# substituted upstream artifact fails the fetch instead of being used silently.
# Bump urls, strip_prefix and sha256 together.
http_archive(
    name = "io_bazel_rules_docker",
    sha256 = "4521794f0fba2e20f3bf15846ab5e01d5332e587e9ce81629c7f96c793bb7036",
    strip_prefix = "rules_docker-0.14.4",
    urls = ["https://github.com/bazelbuild/rules_docker/releases/download/v0.14.4/rules_docker-v0.14.4.tar.gz"],
)

load(
    "@io_bazel_rules_docker//repositories:repositories.bzl",
    container_repositories = "repositories",
)

container_repositories()

load("@io_bazel_rules_docker//repositories:deps.bzl", container_deps = "deps")

container_deps()

load("@io_bazel_rules_docker//repositories:pip_repositories.bzl", "pip_deps")

pip_deps()

load(
    "@io_bazel_rules_docker//container:container.bzl",
    "container_pull",
)

# Pull existing Centos base, only used by File Update Service to create a new
# Centos base tarball.
#container_pull(
#    name = "centos_base",
#    registry = "gcr.io",
#    repository = "gcp-runtimes/centos8",
#    tag = "latest",
#)
# NOTE(review): pulled by mutable tag with no `digest`, so whatever the registry
# serves for library/centos:8 at fetch time becomes the builder base. The
# builder is therefore not reproducible from this file alone and an upstream
# re-tag changes it silently; pin a `digest` to make the base auditable.
container_pull(
    name = "centos_base",
    registry = "index.docker.io",
    repository = "library/centos",
    tag = "8",
)

load(":centos_rpm.bzl", "centos_rpm")

# Non-deterministic latest version of Centos 8 release rpm.
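This is used by
# File Update Service to archive each version in our managed GCS bucket, and
# should NOT be used by container release directly.
centos_rpm(
    name = "centos8_latest",
    version = 8,
)

load(":deps.bzl", "deps")

deps()
-------------------------------------------------------------------------------- /centos8/autogenerated_dus_timestamp.txt: --------------------------------------------------------------------------------
Tue Jan 31 14:01:43 UTC 2023
-------------------------------------------------------------------------------- /centos8/build.sh: --------------------------------------------------------------------------------
#!/bin/bash

# This script sets up a bootstrapped CentOS chroot and saves it as a tarball.
#
# Runs inside the "builder" image (see BUILD): /centos.rpm is the release rpm
# fetched by the centos8_latest repository rule and /target/chroot.sh comes
# from the chroot_tar package. The only output is /layer.tar.
#
# Usage: build.sh RELEASEVER   (BUILD passes VERSION, i.e. "8")

# Abort on the first failing step instead of tarring up a half-built chroot.
set -euo pipefail

RELEASEVER="${1:?usage: $0 RELEASEVER}"
TARGET=/target

# Runs on every exit so a failed step does not leave the host's /dev, proc and
# sysfs mounted inside the chroot. Best-effort: on the happy path they have
# already been unmounted before tarring, so these calls simply no-op.
unmount_target() {
    umount "${TARGET}/dev/" 2>/dev/null || true
    umount "${TARGET}/proc/" 2>/dev/null || true
    umount "${TARGET}/sys/" 2>/dev/null || true
}
trap unmount_target EXIT

# NOTE(review): nothing here verifies /centos.rpm's signature before it is
# installed with --nodeps; its provenance is whatever the centos_rpm rule
# fetched ("non-deterministic latest" per WORKSPACE) — confirm that is the
# intended trust model.
rpm --nodeps --root "${TARGET}/" -i /centos.rpm
# Give the chroot working DNS for the package installs; chroot.sh deletes it
# again at the end.
cp -f /etc/resolv.conf "${TARGET}/etc"

sed -i '/nodocs/d' /etc/yum.conf
yum -q -y --installroot="${TARGET}" --releasever="${RELEASEVER}" install yum
cp -f /etc/yum.conf "${TARGET}/etc/"
# Mount points must exist before the bind/proc/sys mounts below.
mkdir -p "${TARGET}/dev" "${TARGET}/proc" "${TARGET}/sys"
mount --bind /dev/ "${TARGET}/dev/"
mount -t proc procfs "${TARGET}/proc/"
mount -t sysfs sysfs "${TARGET}/sys/"

# Execute the chroot script.
chroot "${TARGET}" ./chroot.sh "${RELEASEVER}"

# Cleanup and save as a tar.
# NOTE(review): the next four commands act on the builder container's own
# filesystem, not on ${TARGET}; chroot.sh already performs the equivalent
# steps inside the target, so these look like leftovers — confirm before
# removing them.
yum clean all
echo 'container' > /etc/yum/vars/infra
rm -rf /var/lib/systemd/random-seed
rm -rf /etc/pki/ca-trust/extracted/java
#rpm --rebuilddb

# Unmount before tarring so the host's /dev, /proc and /sys are not captured
# in the layer.
umount "${TARGET}/dev/"
umount "${TARGET}/proc/"
umount "${TARGET}/sys/"
rm "${TARGET}/chroot.sh"
# yum's variable file is spelled "releasever" (chroot.sh writes the same path);
# writing "releasevar" only left a stray, unused file in the layer.
echo "${RELEASEVER}" > "${TARGET}/etc/yum/vars/releasever"

# A fixed mtime keeps the layer from changing just because of build time.
tar -C "${TARGET}" --mtime='1970-01-01' -cf /layer.tar .
-------------------------------------------------------------------------------- /centos8/chroot.sh: --------------------------------------------------------------------------------
#!/bin/bash

# This script runs inside a chroot and sets up a bootstrapped centos image.
#
# Invoked by build.sh as `chroot /target ./chroot.sh RELEASEVER`. There is no
# `set -e` here: several steps below may fail when the item is already gone
# (e.g. `rpm -e kernel` after `yum erase kernel*`, `umount /run`,
# `rm /var/run/nologin`), and a failing step does not abort the script.

# Install the base tool set, then strip what a container never needs
# (kernel, firmware, boot loader, firewall, network scripts).
yum -y -q --releasever="${1}" install yum centos-linux-release
yum install -q -y bind-utils bash yum vim-minimal centos-linux-release less iputils iproute systemd rootfiles tar passwd yum-utils yum-plugin-ovl hostname which
yum -q -y erase kernel* *firmware firewalld-filesystem os-prober gettext* GeoIP bind-license freetype libteam teamd
rpm -e kernel
yum -y remove bind-libs bind-libs-lite dhclient dhcp-common dhcp-libs dracut-network e2fsprogs e2fsprogs-libs ebtables ethtool file firewalld freetype gettext gettext-libs groff-base grub2 grub2-tools grubby initscripts iproute iptables kexec-tools libcroco libgomp libmnl libnetfilter_conntrack libnfnetlink libselinux-python lzo libunistring os-prober python-decorator python-slip python-slip-dbus snappy sysvinit-tools which linux-firmware GeoIP firewalld-filesystem qemu-guest-agent
yum clean all
rm -rf /var/cache/yum
rm -rf /boot
rm -rf /etc/firewalld
# Lock the root password so the image ships with no usable root credential.
passwd -l root
echo 'container' > /etc/yum/vars/infra
# Drop yum state and logs so the layer does not carry build-time history.
rm -rf /var/cache/yum/x86_64
rm -rf /var/lib/yum/history
rm -rf /var/lib/yum/yumdb
rm -f /var/lib/yum/uuid
rm -f /var/log/yum.log
rm -f /tmp/ks-script*
rm -rf /etc/sysconfig/network-scripts/ifcfg-*
rm -rf /etc/udev/hwdb.bin
rm -rf /usr/lib/udev/hwdb.d/*
# Truncate machine-id so a fixed id is not baked into the image.
:> /etc/machine-id
umount /run
systemd-tmpfiles --create --boot
rm /var/run/nologin
# Remove per-build entropy and cache files that would make otherwise identical
# builds differ.
rm -rf /var/lib/systemd/random-seed
rm -rf /var/cache/ldconfig/aux-cache
rm -rf /etc/pki/ca-trust/extracted/java

# build.sh copied the builder's resolv.conf in for the installs; the container
# engine supplies one at runtime.
rm /etc/resolv.conf

rm -rf /root/.bash_history

echo "${1}" > /etc/yum/vars/releasever

echo 'success'
-------------------------------------------------------------------------------- /centos8/deps.bzl: --------------------------------------------------------------------------------
# Copyright 2018 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not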
use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_file") 16 | load(":revisions.bzl", "CENTOS8_TAR") 17 | 18 | def deps(): 19 | """Download dependencies required to use this layer.""" 20 | excludes = native.existing_rules().keys() 21 | 22 | # Centos release layer tar. 23 | if "centos8_tar" not in excludes: 24 | http_file( 25 | name = "centos8_tar", 26 | downloaded_file_path = CENTOS8_TAR.revision + "_layer.tar", 27 | sha256 = CENTOS8_TAR.sha256, 28 | urls = [ 29 | "https://storage.googleapis.com/container-deps/centos8/tar/" + CENTOS8_TAR.revision + "_layer.tar", 30 | ], 31 | ) 32 | -------------------------------------------------------------------------------- /centos8/deps_spec.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | revisionsFilePath: "centos8/revisions.bzl" 16 | timestampFilePath: "centos8/autogenerated_dus_timestamp.txt" 17 | metadataSummaryFilePath: "centos8/metadata_summary.yaml" 18 | 19 | githubRepoDeps: 20 | 21 | # bazelbuild/rules_docker GitHub repo. 22 | - name: "RULES_DOCKER" 23 | repoSpec: 24 | owner: "bazelbuild" 25 | repository: "rules_docker" 26 | updateType: "release" 27 | releasePolicies: 28 | - tag: "default" 29 | # Every Wednesday at 5am. 30 | schedule: "0 0 5 * * Wed" 31 | 32 | gcsDeps: 33 | 34 | # Centos 8 release layer tarball. 35 | - name: "CENTOS8_TAR" 36 | bucket: "container-deps" 37 | versionRegex: "\\d{10,}" 38 | fileRegex: "^centos8/tar/\\d{10,}_layer\\.tar$" 39 | startsWith: "centos8/tar/" 40 | fusMetadataBucket: "container-deps" 41 | fusMetadataObject: "centos8/metadata/tar/metadata.yaml" 42 | releasePolicies: 43 | - tag: "default" 44 | # Weekly release schedule at 5am every Monday. 45 | # TODO (smukherj1): Change schedule to monthly once the automatic 46 | # updates infrastructure is deemed to be stable. 47 | schedule: "0 0 5 * * Mon" 48 | # Release immediate for security vulnerabilities with severity medium 49 | # or higher. 50 | - tag: "cveMedium" 51 | schedule: "* * * * * *" 52 | - tag: "cveHigh" 53 | schedule: "* * * * * *" 54 | - tag: "cveCritical" 55 | schedule: "* * * * * *" 56 | -------------------------------------------------------------------------------- /centos8/file_updates.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # This file is used by the File Update Service which continuously 16 | # checks for updates in the `triggerFile` listed here. If there is an update 17 | # in the `triggerFile`, the service will 18 | # 1. archive the new version of the `triggerFile` in its GCS bucket. 19 | # 2. for each one of `extraFiles`, generate a new version of it and archive it 20 | # in its GCS bucket. 21 | 22 | # ================================= Ubuntu1604 ================================= 23 | 24 | # Centos 8 release layer tar. 25 | - triggerFile: 26 | target: "//:centos_layer/layer.tar" 27 | bucket: "container-deps" 28 | dir: "centos8/tar" 29 | metadata: 30 | target: "//:metadata.yaml" 31 | bucket: "container-deps" 32 | object: "centos8/metadata/tar/metadata.yaml" 33 | -------------------------------------------------------------------------------- /centos8/metadata_summary.yaml: -------------------------------------------------------------------------------- 1 | {} 2 | -------------------------------------------------------------------------------- /centos8/revisions.bzl: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # This file is autogenerated by the dependency update service and should not be modified directly. 16 | # For more details, check the deps_spec.yaml file in the current folder. 17 | 18 | CENTOS8_TAR = struct( 19 | revision = "1643610670", 20 | sha256 = "4d396dc95238e99f57dac30d5d69481d0926fe1fdf856cf6399aff726f9b1b21", 21 | ) 22 | 23 | RULES_DOCKER = struct( 24 | commit = "master", 25 | sha256 = "3fdae8c4571d6d3fc343f63c87b3fb030132ad091284b8cbdb7533cb063ded0a", 26 | ) 27 | -------------------------------------------------------------------------------- /centos8/test.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
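
schemaVersion: '2.0.0'

# TODO: add more

fileExistenceTests:
  - name: 'Root'
    path: '/'
    shouldExist: true

metadataTest:
  cmd: ['/bin/bash']
  env:
    - key: 'PATH'
      value: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
-------------------------------------------------------------------------------- /check-fmt.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Formatting gate for CI: exits non-zero if any Go source under ./tests or any
# BUILD file outside ./vendor is not in canonical form.
set -ex

echo "Checking gofmt..."
# `gofmt -l` lists offending files and exits 0, so the list is inspected here.
files=$(gofmt -l -s ./tests)
if [[ $files ]]; then
  echo "Gofmt errors in files: $files"
  exit 1
fi

echo "Checking buildifer..."
# `buildifier -mode=check` exits non-zero when a file needs reformatting (and
# on syntax errors). Under `set -e` a bare assignment would abort the script at
# that point, so the hint below was never printed; testing the status inside
# the `if` keeps the message while still failing on every non-zero exit.
# shellcheck disable=SC2046
if ! files=$(buildifier -mode=check $(find . -not -path "./vendor/*" -name 'BUILD' -type f)) || [[ $files ]]; then
  echo "$files"
  echo "Run 'buildifier -mode fix \$(find . -name BUILD -type f)' to fix formatting"
  exit 1
fi


#echo "Checking shellcheck..."
#find . -name "*.sh" | grep -v "third_party/" | xargs shellcheck
-------------------------------------------------------------------------------- /debian/BUILD: --------------------------------------------------------------------------------
package(default_visibility = ["//visibility:public"])
-------------------------------------------------------------------------------- /debian/README.md: --------------------------------------------------------------------------------
Debian 8 and Debian 9 Images
=============

Source for the Google-maintained Debian container images.
These [docker](https://docker.io) images bundle the stable
[debian](https://www.debian.org) distribution suites,
with a few essential packages installed. Debian 9 (Stretch) is actively supported.

This image is available at `launcher.gcr.io/google/debian9`
and `gcr.io/google-appengine/debian9`.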
11 | 12 | The image is built using docker's 13 | [`mkimage.sh`](./reproducible/mkimage.sh). 14 | 15 | ## Usage 16 | 17 | To use this image in your application, create a Dockerfile that 18 | starts with this FROM line: 19 | 20 | ``` 21 | FROM launcher.gcr.io/google/debian9:latest 22 | ``` 23 | -------------------------------------------------------------------------------- /debian/cloudbuild.yaml: -------------------------------------------------------------------------------- 1 | # All items surrounded by ${} are variables to be replaced with real values. 2 | # ${_REPO}: The repository to push debian to, e.g. gcr.io/myproject 3 | # ${_TAG}: What the tag the image with, e.g. latest 4 | # ${_VERSION}: The version of debian to build, e.g. stretch 5 | # ${_VERSION_NUMBER}: The version number associated with the ${_VERSION} string, e.g. 9 for stretch 6 | steps: 7 | - name: gcr.io/gcp-runtimes/check_if_tag_exists 8 | args: 9 | - '--image=${_REPO}/debian${_VERSION_NUMBER}:${_TAG}' 10 | - name: gcr.io/cloud-builders/docker 11 | args: 12 | - 'build' 13 | - '--tag=${_REPO}/mkdebootstrap:${_VERSION}' 14 | - '--no-cache' 15 | - 'mkdebootstrap/' 16 | - name: ${_REPO}/mkdebootstrap:${_VERSION} 17 | args: 18 | - '-d' 19 | - '/workspace' 20 | - 'debootstrap' 21 | - '--variant=minbase' 22 | - '${_VERSION}' 23 | - 'http://httpredir.debian.org/debian' 24 | - name: gcr.io/cloud-builders/docker 25 | args: 26 | - 'build' 27 | - '--tag=${_REPO}/debian${_VERSION_NUMBER}:${_TAG}' 28 | - '--no-cache' 29 | - '.' 
30 | - name: gcr.io/gcp-runtimes/structure_test 31 | args: [ 32 | '--image', '${_REPO}/debian${_VERSION_NUMBER}:${_TAG}', 33 | '--config', '/workspace/tests/debian_test.yaml'] 34 | - name: gcr.io/gcp-runtimes/structure_test 35 | args: [ 36 | '--image', '${_REPO}/debian${_VERSION_NUMBER}:${_TAG}', 37 | '--config', '/workspace/tests/debian_${_VERSION_NUMBER}_test.yaml'] 38 | images: ['${_REPO}/mkdebootstrap:${_VERSION}', '${_REPO}/debian${_VERSION_NUMBER}:${_TAG}'] 39 | -------------------------------------------------------------------------------- /debian/reproducible/BUILD: -------------------------------------------------------------------------------- 1 | package(default_visibility = ["//visibility:public"]) 2 | 3 | load("@io_bazel_rules_docker//docker:docker.bzl", "docker_build") 4 | load( 5 | "@package_bundle//file:packages.bzl", 6 | builder_packages = "packages", 7 | ) 8 | load("@bazel_tools//tools/build_defs/pkg:pkg.bzl", "pkg_tar") 9 | 10 | # TODO: Try to reuse this variable from WORKSPACE. 11 | # The Debian snapshot datetime to use. See http://snapshot.debian.org/ for more information. 12 | DEB_SNAPSHOT = "20190708T153325Z" 13 | 14 | docker_build( 15 | name = "builder", 16 | base = "@debian_base//image", 17 | debs = builder_packages.values(), 18 | entrypoint = [ 19 | "/mkimage.sh", 20 | DEB_SNAPSHOT, 21 | ], 22 | files = [":mkimage.sh"], 23 | ) 24 | 25 | # The overlay directory contains files that should be overlaid into the rootfs at /. 
26 | pkg_tar( 27 | name = "overlay", 28 | srcs = glob(["overlay/**/*"]), 29 | package_dir = "/", 30 | strip_prefix = "overlay/", 31 | ) 32 | 33 | load("//debian/reproducible:debootstrap.bzl", "debootstrap_image") 34 | 35 | DEBIAN_ENV = { 36 | "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 37 | "PORT": "8080", 38 | "DEBIAN_FRONTEND": "noninteractive", 39 | } 40 | 41 | DEBIAN_MAP = { 42 | 9: "stretch", 43 | } 44 | 45 | [debootstrap_image( 46 | name = "debian%s" % num, 47 | distro = distro, 48 | env = DEBIAN_ENV, 49 | overlay_tar = ":overlay.tar", 50 | ) for num, distro in DEBIAN_MAP.items()] 51 | -------------------------------------------------------------------------------- /debian/reproducible/README.md: -------------------------------------------------------------------------------- 1 | ## Reproducible Debian Builds 2 | 3 | This directory contains code and scripts for building reproducible 4 | Debian base images. 5 | 6 | The same git revision will result in a Docker image with the same digest, 7 | every time. 8 | 9 | ### Usage 10 | 11 | Use `gcloud container builds submit --config=debian/reproducible/cloudbuild.yaml .` 12 | to build the image in the cloud. 13 | To build locally, use: `bazel build //debian/reproducible:debian9`. 14 | To run tests locally, use: `bazel test //debian/reproducible:debian9_test`. 15 | 16 | 17 | ### Process 18 | 19 | We use a custom bazel rule to run debootstrap in a docker container. 20 | Debootstrap must run in a container because it is incompatible with 21 | the bazel sandbox. 22 | This rule outputs a rootfs tarball, which can then be inserted into a 23 | tarball with the `docker_build` rule. 24 | 25 | #### Debootstrap 26 | 27 | The first step is to generate a debian rootfs using debootstrap. 28 | We use the debian snapshot mirror system to ensure the same debian 29 | packages are used each build. 30 | The SNAPSHOT file contains the name of the snapshot to use. 
31 | See the `mkimage.sh` script for this portion of the process. 32 | 33 | #### Updates 34 | 35 | To update the debian package versions used in the build, 36 | modify the `DEB_SNAPSHOT` variable in the top-level `WORKSPACE` file 37 | (along with its accompanying SHA256 checksum), 38 | as well as in the `BUILD` file in this directory. 39 | -------------------------------------------------------------------------------- /debian/reproducible/cloudbuild.yaml: -------------------------------------------------------------------------------- 1 | steps: 2 | # It's unclear why we need this, but bazel appears to need it sometimes. 3 | - name: 'l.gcr.io/google/debian9:latest' 4 | args: ['chmod', 'a+rx', '-R', '/workspace'] 5 | 6 | # We have to build and load the builder image first, so it can be used in the next step. 7 | # Using "run" instead of "build" loads the built image into the daemon. 8 | - name: gcr.io/cloud-builders/bazel 9 | args: ['run', '--incompatible_disable_deprecated_attr_params=false', '--incompatible_string_join_requires_strings=false', '--incompatible_new_actions_api=false', '--incompatible_no_support_tools_in_action_inputs=false', '//debian/reproducible:debian${_VERSION_NUMBER}'] 10 | 11 | # Give the image the right tag, and let CloudBuild push it. 12 | - name: gcr.io/cloud-builders/docker 13 | args: ['tag', 'bazel/debian/reproducible:debian${_VERSION_NUMBER}', '${_REPO}/debian${_VERSION_NUMBER}:${_TAG}'] 14 | 15 | images: ['${_REPO}/debian${_VERSION_NUMBER}:${_TAG}'] 16 | -------------------------------------------------------------------------------- /debian/reproducible/mkimage.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # shellcheck disable=SC2115 3 | set -ex 4 | 5 | usage() { 6 | echo "Usage: $0 [SNAPSHOT] [VARIANT] [DIST]" 7 | echo 8 | echo "[SNAPSHOT]: The debian snapshot datetime to use." 9 | echo "[VARIANT]: The debian variant to use." 10 | echo "[DIST]: The debian dist to use." 
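  echo
  exit 1
}

if [ $# -ne 3 ]; then
  usage
fi

SNAPSHOT=$1
VARIANT=$2
DIST=$3

# Historical name; the directory holds whichever $DIST was requested.
WORKDIR="/workspace/jessie"
mkdir -p "$WORKDIR"

# Bootstrap from the snapshot archive so the package set is fixed by $SNAPSHOT
# (BUILD passes DEB_SNAPSHOT) rather than by the time of the build.
# NOTE(review): no --keyring is given and the mirror is plain http, so
# integrity rests entirely on debootstrap's default Release-signature checking
# — confirm that is the intended trust model.
debootstrap --variant="$VARIANT" "$DIST" "$WORKDIR" http://snapshot.debian.org/archive/debian/"$SNAPSHOT"

# Runs a command inside the new rootfs with a known PATH.
rootfs_chroot() {
  PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' \
    chroot "$WORKDIR" "$@"
}

# Add some tools we need.
rootfs_chroot apt-get install -y --no-install-recommends \
  netbase \
  ca-certificates

# We have our own version of initctl, tell dpkg to not overwrite it.
rootfs_chroot dpkg-divert --local --rename --add /sbin/initctl

# Add the SNAPSHOT security and updates mirrors, for a final upgrade.
cat << EOF > "$WORKDIR"/etc/apt/sources.list
deb http://snapshot.debian.org/archive/debian/$SNAPSHOT $DIST main
deb http://snapshot.debian.org/archive/debian/$SNAPSHOT $DIST-updates main
deb http://snapshot.debian.org/archive/debian-security/$SNAPSHOT $DIST/updates main
EOF
# Snapshot Release files are presumably past their Valid-Until date, so apt's
# freshness check is switched off for this update. That removes apt's guard
# against stale or replayed index files; it is tolerable here only because
# $SNAPSHOT is pinned by the caller. Signature verification is unaffected.
rootfs_chroot apt-get -o Acquire::Check-Valid-Until=false update
rootfs_chroot apt-get -y -q upgrade

# Clean some apt artifacts
rootfs_chroot apt-get clean

# Reset the mirrors to distro-based ones so the image updates from the live
# archives at runtime. NOTE(review): "$DIST/updates" is the pre-bullseye
# security suite layout; revisit if DIST ever moves past stretch.
cat << EOF > "$WORKDIR"/etc/apt/sources.list
deb http://httpredir.debian.org/debian $DIST main
deb http://httpredir.debian.org/debian $DIST-updates main
deb http://security.debian.org $DIST/updates main
EOF

# Delete dirs we don't need, leaving the entries. ${WORKDIR:?} makes the rm
# refuse to run if WORKDIR were ever empty, instead of touching the host's /.
rm -rf "${WORKDIR:?}"/dev "${WORKDIR:?}"/proc
mkdir -p "$WORKDIR"/dev "$WORKDIR"/proc

rm -rf "${WORKDIR:?}"/var/lib/apt/lists/snapshot*
rm -rf "${WORKDIR:?}"/etc/apt/apt.conf.d/01autoremove-kernels

# These are showing up as broken symlinks?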
70 | rm -rf "$WORKDIR"/usr/share/vim/vimrc 71 | rm -rf "$WORKDIR"/usr/share/vim/vimrc.tiny 72 | 73 | # Remove files with non-determinism 74 | rm -rf "$WORKDIR"/var/cache/man 75 | rm -rf "$WORKDIR"/var/cache/ldconfig/aux-cache 76 | rm -rf "$WORKDIR"/var/log/dpkg.log 77 | rm -rf "$WORKDIR"/var/log/bootstrap.log 78 | rm -rf "$WORKDIR"/var/log/alternatives.log 79 | 80 | # Hardcode this somewhere 81 | rm -f "$WORKDIR"/etc/machine-id 82 | 83 | # This gets overridden by Docker at runtime. 84 | rm -f "$WORKDIR"/etc/hostname 85 | 86 | # pass -n to gzip to strip timestamps 87 | # strip the '.' with --transform that tar includes at the root to build a real rootfs 88 | GZIP="-n" tar --numeric-owner -czf /workspace/rootfs.tar.gz -C "$WORKDIR" . --transform='s,^./,,' --mtime='1970-01-01' 89 | md5sum /workspace/rootfs.tar.gz 90 | -------------------------------------------------------------------------------- /debian/reproducible/overlay/etc/apt/apt.conf.d/apt-retry: -------------------------------------------------------------------------------- 1 | # Retry apt failures 3 times. See here for more information: https://linux.die.net/man/5/apt.conf 2 | Acquire::Retries 3; 3 | -------------------------------------------------------------------------------- /debian/reproducible/overlay/etc/apt/apt.conf.d/docker-autoremove-suggests: -------------------------------------------------------------------------------- 1 | # Since Docker users are looking for the smallest possible final images, the 2 | # following emerges as a very common pattern: 3 | 4 | # RUN apt-get update \ 5 | # && apt-get install -y \ 6 | # && \ 7 | # && apt-get purge -y --auto-remove 8 | 9 | # By default, APT will actually _keep_ packages installed via Recommends or 10 | # Depends if another package Suggests them, even and including if the package 11 | # that originally caused them to be installed is removed. 
Setting this to 12 | # "false" ensures that APT is appropriately aggressive about removing the 13 | # packages it added. 14 | 15 | # https://aptitude.alioth.debian.org/doc/en/ch02s05s05.html#configApt-AutoRemove-SuggestsImportant 16 | Apt::AutoRemove::SuggestsImportant "false"; 17 | -------------------------------------------------------------------------------- /debian/reproducible/overlay/etc/apt/apt.conf.d/docker-clean: -------------------------------------------------------------------------------- 1 | # Since for most Docker users, package installs happen in "docker build" steps, 2 | # they essentially become individual layers due to the way Docker handles 3 | # layering, especially using CoW filesystems. What this means for us is that 4 | # the caches that APT keeps end up just wasting space in those layers, making 5 | # our layers unnecessarily large (especially since we'll normally never use 6 | # these caches again and will instead just "docker build" again and make a brand 7 | # new image). 8 | 9 | # Ideally, these would just be invoking "apt-get clean", but in our testing, 10 | # that ended up being cyclic and we got stuck on APT's lock, so we get this fun 11 | # creation that's essentially just "apt-get clean". 12 | DPkg::Post-Invoke { "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"; }; 13 | APT::Update::Post-Invoke { "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"; }; 14 | 15 | Dir::Cache::pkgcache ""; 16 | Dir::Cache::srcpkgcache ""; 17 | 18 | # Note that we do realize this isn't the ideal way to do this, and are always 19 | # open to better suggestions (https://github.com/docker/docker/issues). 
20 | -------------------------------------------------------------------------------- /debian/reproducible/overlay/etc/apt/apt.conf.d/docker-gzip-indexes: -------------------------------------------------------------------------------- 1 | # Since Docker users using "RUN apt-get update && apt-get install -y ..." in 2 | # their Dockerfiles don't go delete the lists files afterwards, we want them to 3 | # be as small as possible on-disk, so we explicitly request "gz" versions and 4 | # tell Apt to keep them gzipped on-disk. 5 | 6 | # For comparison, an "apt-get update" layer without this on a pristine 7 | # "debian:wheezy" base image was "29.88 MB", where with this it was only 8 | # "8.273 MB". 9 | 10 | Acquire::GzipIndexes "true"; 11 | Acquire::CompressionTypes::Order:: "gz"; 12 | -------------------------------------------------------------------------------- /debian/reproducible/overlay/etc/apt/apt.conf.d/docker-no-languages: -------------------------------------------------------------------------------- 1 | # In Docker, we don't often need the "Translations" files, so we're just wasting 2 | # time and space by downloading them, and this inhibits that. For users that do 3 | # need them, it's a simple matter to delete this file and "apt-get update". 
:) 4 | 5 | Acquire::Languages "none"; 6 | -------------------------------------------------------------------------------- /debian/reproducible/overlay/etc/machine-id: -------------------------------------------------------------------------------- 1 | 793274e99ef692a48f77ea0eea7bd0cb 2 | -------------------------------------------------------------------------------- /debian/reproducible/overlay/etc/resolv.conf: -------------------------------------------------------------------------------- 1 | nameserver 8.8.8.8 2 | nameserver 8.8.4.4 3 | -------------------------------------------------------------------------------- /debian/reproducible/overlay/sbin/initctl: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # For most Docker users, "apt-get install" only happens during "docker build", 4 | # where starting services doesn't work and often fails in humorous ways. This 5 | # prevents those failures by stopping the services from attempting to start. 6 | 7 | exit 0 8 | -------------------------------------------------------------------------------- /debian/reproducible/overlay/usr/sbin/policy-rc.d: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # For most Docker users, "apt-get install" only happens during "docker build", 4 | # where starting services doesn't work and often fails in humorous ways. This 5 | # prevents those failures by stopping the services from attempting to start. 6 | 7 | exit 101 8 | -------------------------------------------------------------------------------- /debian10/.bazelrc: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Google Inc. All rights reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | build --host_force_python=PY2 16 | test --host_force_python=PY2 17 | run --host_force_python=PY2 18 | -------------------------------------------------------------------------------- /debian10/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM base-image-temp 2 | 3 | COPY sources.list /etc/apt/sources.list 4 | 5 | RUN apt-get update && apt -y upgrade 6 | 7 | CMD ["/bin/bash"] 8 | -------------------------------------------------------------------------------- /debian10/README.md: -------------------------------------------------------------------------------- 1 | This is a Debian 10 container. 2 | 3 | ## Reproducible Debian Builds 4 | 5 | This directory contains code and scripts for building reproducible 6 | Debian base images. 7 | 8 | The same git revision will result in a Docker image with the same digest, 9 | every time. 10 | 11 | ### Usage 12 | 13 | Use `gcloud builds submit --config=cloudbuild.yaml` 14 | to build the image in the cloud. 15 | To build locally, use: `bazel run :image`. 16 | To run tests locally, use: `bazel test :image-test`. 17 | 18 | ### Process 19 | 20 | We use debootstrap in a docker container to generate a debian rootfs tarball. 21 | See the `mkimage.sh` script for this portion of the process. This tarball can 22 | then be inserted into a tarball with the `container_image` rule. 23 | 24 | We archive the generated rootfs tarballs in a GCS bucket and use them in 25 | container releases to ensure containers are reproducible. 
26 | -------------------------------------------------------------------------------- /debian10/WORKSPACE: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | workspace(name = "debian10") 16 | 17 | load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive") 18 | 19 | http_archive( 20 | name = "io_bazel_rules_docker", 21 | sha256 = "4521794f0fba2e20f3bf15846ab5e01d5332e587e9ce81629c7f96c793bb7036", 22 | strip_prefix = "rules_docker-0.14.4", 23 | urls = ["https://github.com/bazelbuild/rules_docker/releases/download/v0.14.4/rules_docker-v0.14.4.tar.gz"], 24 | ) 25 | 26 | load( 27 | "@io_bazel_rules_docker//repositories:repositories.bzl", 28 | container_repositories = "repositories", 29 | ) 30 | 31 | container_repositories() 32 | 33 | load("@io_bazel_rules_docker//repositories:deps.bzl", container_deps = "deps") 34 | 35 | container_deps() 36 | 37 | load("@io_bazel_rules_docker//repositories:pip_repositories.bzl", "pip_deps") 38 | 39 | pip_deps() 40 | 41 | load( 42 | "@io_bazel_rules_docker//container:container.bzl", 43 | "container_pull", 44 | ) 45 | 46 | # Pull existing Debian base, only used to create builder image to debootstrap. 
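#container_pull(
# name = "debian_base",
# digest = "sha256:00109fa40230a081f5ecffe0e814725042ff62a03e2d1eae0563f1f82eaeae9b",
# registry = "gcr.io",
# repository = "google-appengine/debian10",
#)
# NOTE(review): pulling by "tag" is mutable, so this builder base can change
# under a fixed git revision; the commented-out form above pinned a digest.
# No digest for library/debian:10 is recorded here — resolve one and pin it
# with `digest = "sha256:<DIGEST_PLACEHOLDER>"` to restore reproducibility.
container_pull(
    name = "debian_base",
    registry = "index.docker.io",
    repository = "library/debian",
    tag = "10",
)

load(":deps.bzl", "deps")

deps()

-------------------------------------------------------------------------------- /debian10/autogenerated_dus_timestamp.txt: --------------------------------------------------------------------------------
Tue Feb 7 14:01:55 UTC 2023
-------------------------------------------------------------------------------- /debian10/cloudbuild-new.yaml: --------------------------------------------------------------------------------
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

steps:
  # Step: build the rootfs
  # NOTE(review): "ubuntu" with no tag resolves to a floating image, so the
  # host debootstrap/tar versions can drift between builds.
  - name: "ubuntu"
    env:
      - 'DISTRO_NAME=${_DISTRO_NAME}'
    script: |
      #!/usr/bin/env bash
      # Abort on the first failing command; without this a failed apt-get or
      # debootstrap still fell through to the tar step.
      set -euo pipefail
      apt-get update
      apt-get -y install debootstrap
      debootstrap --variant=minbase --include=netbase "${DISTRO_NAME}" "${DISTRO_NAME}"
      # Normalise the archive the way mkimage.sh does (numeric owners, fixed
      # mtime, gzip without a timestamp) plus --sort=name so entry order does
      # not depend on readdir order; an identical rootfs then yields a
      # byte-identical rootfs.tar.gz.
      tar --numeric-owner --sort=name --mtime='1970-01-01' -C "${DISTRO_NAME}" -cf - . | gzip -n > rootfs.tar.gz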
26 | id: "rootfs" 27 | 28 | # Step: build the image 29 | - name: "gcr.io/cloud-builders/docker" 30 | args: ["import", "rootfs.tar.gz", "base-image-temp"] 31 | id: "container-build" 32 | 33 | # Step: build the image 34 | - name: "gcr.io/cloud-builders/docker" 35 | dir: debian10 36 | args: ["build", "-t", "gcr.io/${_IMG_DEST}", "."] 37 | id: "upgrade-dist" 38 | 39 | # Step: tags 40 | - name: "gcr.io/cloud-builders/docker" 41 | args: ["tag", "gcr.io/${_IMG_DEST}", "us.gcr.io/${_IMG_DEST}"] 42 | 43 | - name: "gcr.io/cloud-builders/docker" 44 | args: ["tag", "gcr.io/${_IMG_DEST}", "eu.gcr.io/${_IMG_DEST}"] 45 | 46 | - name: "gcr.io/cloud-builders/docker" 47 | args: ["tag", "gcr.io/${_IMG_DEST}", "asia.gcr.io/${_IMG_DEST}"] 48 | 49 | - name: "gcr.io/cloud-builders/docker" 50 | args: ["tag", "gcr.io/${_IMG_DEST}", "gcr.io/${_IMG_BACKUP_DEST}"] 51 | 52 | substitutions: 53 | # Default values for substitution variables. 54 | # These variables are altered in the cloudbuild trigger definition 55 | #_IMG_DEST: gcp-runtimes/ubuntu_20_0_4:latest-new 56 | #_IMG_BACKUP_DEST: asci-toolchain-backup/ubuntu2004:latest-new 57 | _DISTRO_NAME: buster 58 | _IMG_DEST: google-appengine/debian10:latest-new 59 | _IMG_BACKUP_DEST: asci-toolchain-backup/debian10:latest-new 60 | 61 | # Push the new image and its backup. 62 | # Push by using the `images` field here so they will show up in the build results 63 | # or the GCB Build information page. 
64 | # https://cloud.google.com/cloud-build/docs/configuring-builds/store-images-artifacts 65 | images: 66 | - "gcr.io/${_IMG_DEST}" 67 | - "us.gcr.io/${_IMG_DEST}" 68 | - "eu.gcr.io/${_IMG_DEST}" 69 | - "asia.gcr.io/${_IMG_DEST}" 70 | - "gcr.io/${_IMG_BACKUP_DEST}" 71 | -------------------------------------------------------------------------------- /debian10/deps.bzl: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_file") 16 | load(":revisions.bzl", "DEBIAN10_TAR") 17 | 18 | def deps(): 19 | """Download dependencies required to use this layer.""" 20 | excludes = native.existing_rules().keys() 21 | 22 | # Base Ubuntu1604 tarball. 
23 | if "debian10_tar" not in excludes: 24 | http_file( 25 | name = "debian10_tar", 26 | downloaded_file_path = DEBIAN10_TAR.revision + "_rootfs.tar.gz", 27 | sha256 = DEBIAN10_TAR.sha256, 28 | urls = [ 29 | "https://storage.googleapis.com/container-deps/debian10/tar/" + DEBIAN10_TAR.revision + "_rootfs.tar.gz", 30 | ], 31 | ) 32 | -------------------------------------------------------------------------------- /debian10/deps_spec.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | revisionsFilePath: "debian10/revisions.bzl" 16 | timestampFilePath: "debian10/autogenerated_dus_timestamp.txt" 17 | metadataSummaryFilePath: "debian10/metadata_summary.yaml" 18 | 19 | githubRepoDeps: 20 | 21 | # bazelbuild/rules_docker GitHub repo. 22 | - name: "RULES_DOCKER" 23 | repoSpec: 24 | owner: "bazelbuild" 25 | repository: "rules_docker" 26 | updateType: "release" 27 | releasePolicies: 28 | - tag: "default" 29 | # Every Wednesday at 5am. 30 | schedule: "0 0 5 * * Wed" 31 | 32 | gcsDeps: 33 | 34 | # Base Debian10 tarball. 
35 | - name: "DEBIAN10_TAR" 36 | bucket: "container-deps" 37 | versionRegex: "\\d{8,}" 38 | fileRegex: "^debian10/tar/\\d{8,}_rootfs\\.tar\\.gz$" 39 | startsWith: "debian10/tar/" 40 | fusMetadataBucket: "container-deps" 41 | fusMetadataObject: "debian10/metadata/tar/metadata.yaml" 42 | releasePolicies: 43 | - tag: "default" 44 | # Weekly release schedule at 5am every Monday. 45 | # TODO (smukherj1): Change schedule to monthly once the automatic 46 | # updates infrastructure is deemed to be stable. 47 | schedule: "0 0 5 * * Mon" 48 | # Release immediate for security vulnerabilities with severity medium 49 | # or higher. 50 | - tag: "cveMedium" 51 | schedule: "* * * * * *" 52 | - tag: "cveHigh" 53 | schedule: "* * * * * *" 54 | - tag: "cveCritical" 55 | schedule: "* * * * * *" 56 | -------------------------------------------------------------------------------- /debian10/file_updates.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # This file is used by the File Update Service which continuously 16 | # checks for updates in the `triggerFile` listed here. If there is an update 17 | # in the `triggerFile`, the service will 18 | # 1. archive the new version of the `triggerFile` in its GCS bucket. 19 | # 2. for each one of `extraFiles`, generate a new version of it and archive it 20 | # in its GCS bucket. 
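
# Debian10 base image tarball.
- triggerFile:
    target: "//:rootfs/workspace/rootfs.tar.gz"
    bucket: "container-deps"
    dir: "debian10/tar"
  metadata:
    target: "//:metadata.yaml"
    bucket: "container-deps"
    object: "debian10/metadata/tar/metadata.yaml"

-------------------------------------------------------------------------------- /debian10/metadata_summary.yaml: --------------------------------------------------------------------------------
{}

-------------------------------------------------------------------------------- /debian10/mkimage.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Build the Debian 10 rootfs tarball (/workspace/rootfs.tar.gz) with
# debootstrap against live Debian mirrors.
#
# Usage: mkimage.sh VARIANT DIST
#   VARIANT  debootstrap variant (e.g. minbase)
#   DIST     Debian dist/suite name (e.g. buster)
#
# Exits 1 on wrong usage; any failing command aborts the build (set -e).
# shellcheck disable=SC2115
# -u: an unset variable is a bug here, not an empty string.
set -eux

usage() {
  echo "Usage: $0 [VARIANT] [DIST]"
  echo
  echo "[VARIANT]: The debian variant to use."
  echo "[DIST]: The debian dist to use."
  echo
  exit 1
}

if [ $# -ne 2 ]; then
  usage
fi

VARIANT=$1
DIST=$2

WORKDIR="/workspace/$DIST"
mkdir -p "$WORKDIR"

# Transport is plain http; integrity rests on debootstrap's Release-signature
# check against the host keyring — confirm the builder image ships
# debian-archive-keyring.
debootstrap --variant="$VARIANT" "$DIST" "$WORKDIR" http://httpredir.debian.org/debian

# Run a command inside the new rootfs with a known-clean PATH.
rootfs_chroot() {
  PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' \
    chroot "$WORKDIR" "$@"
}

# Add some tools we need.
rootfs_chroot apt-get install -y --no-install-recommends \
  netbase \
  ca-certificates

# We have our own version of initctl, tell dpkg to not overwrite it.
rootfs_chroot dpkg-divert --local --rename --add /sbin/initctl

# Set the mirrors to distro-based ones
# The redirect target is quoted so a WORKDIR containing whitespace cannot be
# split into several words.
cat << EOF > "$WORKDIR"/etc/apt/sources.list
deb http://deb.debian.org/debian $DIST main
deb http://deb.debian.org/debian $DIST-updates main
deb http://security.debian.org $DIST/updates main
EOF

# Do a final upgrade.
# These are live mirrors whose Release files carry a current Valid-Until, so
# the expiry check stays on: Acquire::Check-Valid-Until=false (needed only
# for snapshot.debian.org builds) would let apt accept a stale or replayed
# package index here.
rootfs_chroot apt-get update
rootfs_chroot apt-get -y -q upgrade

# Clean some apt artifacts
rootfs_chroot apt-get clean

# Delete dirs we don't need, leaving the entries.
rm -rf "${WORKDIR:?}"/dev "$WORKDIR"/proc
mkdir -p "$WORKDIR"/dev "$WORKDIR"/proc

rm -rf "$WORKDIR"/var/lib/apt/lists/httpredir*
rm -rf "$WORKDIR"/etc/apt/apt.conf.d/01autoremove-kernels

# These are showing up as broken symlinks?
rm -rf "$WORKDIR"/usr/share/vim/vimrc
rm -rf "$WORKDIR"/usr/share/vim/vimrc.tiny

# Remove files with non-determinism
rm -rf "$WORKDIR"/var/cache/man
rm -rf "$WORKDIR"/var/cache/ldconfig/aux-cache
rm -rf "$WORKDIR"/var/log/dpkg.log
rm -rf "$WORKDIR"/var/log/bootstrap.log
rm -rf "$WORKDIR"/var/log/alternatives.log
rm -rf "$WORKDIR"/var/log/apt/history.log
rm -rf "$WORKDIR"/var/log/apt/term.log

# Hardcode this somewhere
rm -f "$WORKDIR"/etc/machine-id

# This gets overridden by Docker at runtime.
rm -f "$WORKDIR"/etc/hostname

# pass -n to gzip to strip timestamps
# strip the '.' with --transform that tar includes at the root to build a real rootfs
GZIP="-n" tar --numeric-owner -czf /workspace/rootfs.tar.gz -C "$WORKDIR" . --transform='s,^./,,' --mtime='1970-01-01'
# revisions.bzl / deps.bzl pin this tarball by sha256, so print that digest
# alongside the legacy md5.
sha256sum /workspace/rootfs.tar.gz
md5sum /workspace/rootfs.tar.gz

-------------------------------------------------------------------------------- /debian10/overlay/etc/apt/apt.conf.d/apt-retry: --------------------------------------------------------------------------------
# Retry apt failures 3 times.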
See here for more information: https://linux.die.net/man/5/apt.conf 2 | Acquire::Retries 3; 3 | -------------------------------------------------------------------------------- /debian10/overlay/etc/apt/apt.conf.d/docker-autoremove-suggests: -------------------------------------------------------------------------------- 1 | # Since Docker users are looking for the smallest possible final images, the 2 | # following emerges as a very common pattern: 3 | 4 | # RUN apt-get update \ 5 | # && apt-get install -y \ 6 | # && \ 7 | # && apt-get purge -y --auto-remove 8 | 9 | # By default, APT will actually _keep_ packages installed via Recommends or 10 | # Depends if another package Suggests them, even and including if the package 11 | # that originally caused them to be installed is removed. Setting this to 12 | # "false" ensures that APT is appropriately aggressive about removing the 13 | # packages it added. 14 | 15 | # https://aptitude.alioth.debian.org/doc/en/ch02s05s05.html#configApt-AutoRemove-SuggestsImportant 16 | Apt::AutoRemove::SuggestsImportant "false"; 17 | -------------------------------------------------------------------------------- /debian10/overlay/etc/apt/apt.conf.d/docker-clean: -------------------------------------------------------------------------------- 1 | # Since for most Docker users, package installs happen in "docker build" steps, 2 | # they essentially become individual layers due to the way Docker handles 3 | # layering, especially using CoW filesystems. What this means for us is that 4 | # the caches that APT keeps end up just wasting space in those layers, making 5 | # our layers unnecessarily large (especially since we'll normally never use 6 | # these caches again and will instead just "docker build" again and make a brand 7 | # new image). 
8 | 9 | # Ideally, these would just be invoking "apt-get clean", but in our testing, 10 | # that ended up being cyclic and we got stuck on APT's lock, so we get this fun 11 | # creation that's essentially just "apt-get clean". 12 | DPkg::Post-Invoke { "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"; }; 13 | APT::Update::Post-Invoke { "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"; }; 14 | 15 | Dir::Cache::pkgcache ""; 16 | Dir::Cache::srcpkgcache ""; 17 | 18 | # Note that we do realize this isn't the ideal way to do this, and are always 19 | # open to better suggestions (https://github.com/docker/docker/issues). 20 | -------------------------------------------------------------------------------- /debian10/overlay/etc/apt/apt.conf.d/docker-gzip-indexes: -------------------------------------------------------------------------------- 1 | # Since Docker users using "RUN apt-get update && apt-get install -y ..." in 2 | # their Dockerfiles don't go delete the lists files afterwards, we want them to 3 | # be as small as possible on-disk, so we explicitly request "gz" versions and 4 | # tell Apt to keep them gzipped on-disk. 5 | 6 | # For comparison, an "apt-get update" layer without this on a pristine 7 | # "debian:wheezy" base image was "29.88 MB", where with this it was only 8 | # "8.273 MB". 9 | 10 | Acquire::GzipIndexes "true"; 11 | Acquire::CompressionTypes::Order:: "gz"; 12 | -------------------------------------------------------------------------------- /debian10/overlay/etc/apt/apt.conf.d/docker-no-languages: -------------------------------------------------------------------------------- 1 | # In Docker, we don't often need the "Translations" files, so we're just wasting 2 | # time and space by downloading them, and this inhibits that. For users that do 3 | # need them, it's a simple matter to delete this file and "apt-get update". 
:) 4 | 5 | Acquire::Languages "none"; 6 | -------------------------------------------------------------------------------- /debian10/overlay/etc/machine-id: -------------------------------------------------------------------------------- 1 | 793274e99ef692a48f77ea0eea7bd0cb 2 | -------------------------------------------------------------------------------- /debian10/overlay/etc/resolv.conf: -------------------------------------------------------------------------------- 1 | nameserver 8.8.8.8 2 | nameserver 8.8.4.4 3 | -------------------------------------------------------------------------------- /debian10/overlay/usr/sbin/initctl: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # For most Docker users, "apt-get install" only happens during "docker build", 4 | # where starting services doesn't work and often fails in humorous ways. This 5 | # prevents those failures by stopping the services from attempting to start. 6 | 7 | exit 0 8 | -------------------------------------------------------------------------------- /debian10/overlay/usr/sbin/policy-rc.d: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # For most Docker users, "apt-get install" only happens during "docker build", 4 | # where starting services doesn't work and often fails in humorous ways. This 5 | # prevents those failures by stopping the services from attempting to start. 6 | 7 | exit 101 8 | -------------------------------------------------------------------------------- /debian10/revisions.bzl: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # This file is autogenerated by the dependency update service and should not be modified directly. 16 | # For more details, check the deps_spec.yaml file in the current folder. 17 | 18 | DEBIAN10_TAR = struct( 19 | revision = "1675776713", 20 | sha256 = "0f4439d6226e1a27c1b6163c2a83b84e1073fe8bd692ace85ec532027dc6ce24", 21 | ) 22 | 23 | RULES_DOCKER = struct( 24 | commit = "master", 25 | sha256 = "3fdae8c4571d6d3fc343f63c87b3fb030132ad091284b8cbdb7533cb063ded0a", 26 | ) 27 | -------------------------------------------------------------------------------- /debian10/sources.list: -------------------------------------------------------------------------------- 1 | # deb http://snapshot.debian.org/archive/debian/20230411T000000Z buster main 2 | deb http://deb.debian.org/debian buster main 3 | # deb http://snapshot.debian.org/archive/debian-security/20230411T000000Z buster/updates main 4 | deb http://deb.debian.org/debian-security buster/updates main 5 | # deb http://snapshot.debian.org/archive/debian/20230411T000000Z buster-updates main 6 | deb http://deb.debian.org/debian buster-updates main 7 | -------------------------------------------------------------------------------- /debian10/test.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | schemaVersion: '2.0.0' 16 | 17 | commandTests: 18 | - name: 'apt-get' 19 | command: 'apt-get' 20 | args: ['help'] 21 | excludedError: ['.*FAIL.*'] 22 | expectedOutput: ['.*Usage.*'] 23 | - name: 'apt-config' 24 | command: 'apt-config' 25 | args: ['dump'] 26 | expectedOutput: ['Acquire::Retries "3"'] 27 | 28 | fileContentTests: 29 | - name: 'Debian Sources' 30 | excludedContents: ['.*gce_debian_mirror.*'] 31 | expectedContents: ['.*deb\.debian\.org.*'] 32 | path: '/etc/apt/sources.list' 33 | - name: 'Retry Policy' 34 | expectedContents: ['Acquire::Retries 3;'] 35 | path: '/etc/apt/apt.conf.d/apt-retry' 36 | # Debian 10 specific tests. 37 | - name: 'Debian Sources Version' 38 | expectedContents: ['buster'] 39 | path: '/etc/apt/sources.list' 40 | 41 | fileExistenceTests: 42 | - name: 'Root' 43 | path: '/' 44 | shouldExist: true 45 | - name: 'Netbase' 46 | path: '/etc/protocols' 47 | shouldExist: true 48 | - name: 'Machine ID' 49 | path: '/etc/machine-id' 50 | shouldExist: true 51 | 52 | metadataTest: 53 | env: 54 | - key: PORT 55 | value: 8080 56 | - key: DEBIAN_FRONTEND 57 | value: noninteractive 58 | - key: PATH 59 | value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 60 | 61 | licenseTests: 62 | - debian: true 63 | files: 64 | -------------------------------------------------------------------------------- /debian11/.bazelrc: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Google Inc. All rights reserved. 
2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | build --host_force_python=PY2 16 | test --host_force_python=PY2 17 | run --host_force_python=PY2 18 | -------------------------------------------------------------------------------- /debian11/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM base-image-temp 2 | 3 | COPY sources.list /etc/apt/sources.list 4 | 5 | RUN apt-get update && apt -y upgrade 6 | 7 | CMD ["/bin/bash"] 8 | -------------------------------------------------------------------------------- /debian11/README.md: -------------------------------------------------------------------------------- 1 | This is a Debian 11 container. 2 | 3 | ## Reproducible Debian Builds 4 | 5 | This directory contains code and scripts for building reproducible 6 | Debian base images. 7 | 8 | The same git revision will result in a Docker image with the same digest, 9 | every time. 10 | 11 | ### Usage 12 | 13 | Use `gcloud builds submit --config=cloudbuild.yaml` 14 | to build the image in the cloud. 15 | To build locally, use: `bazel run :image`. 16 | To run tests locally, use: `bazel test :image-test`. 17 | 18 | ### Process 19 | 20 | We use debootstrap in a docker container to generate a debian rootfs tarball. 21 | See the `mkimage.sh` script for this portion of the process. This tarball can 22 | then be inserted into a tarball with the `container_image` rule. 
23 | 24 | We archive the generated rootfs tarballs in a GCS bucket and use them in 25 | container releases to ensure containers are reproducible. 26 | -------------------------------------------------------------------------------- /debian11/WORKSPACE: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | workspace(name = "debian11") 16 | 17 | load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive") 18 | 19 | http_archive( 20 | name = "io_bazel_rules_docker", 21 | sha256 = "4521794f0fba2e20f3bf15846ab5e01d5332e587e9ce81629c7f96c793bb7036", 22 | strip_prefix = "rules_docker-0.14.4", 23 | urls = ["https://github.com/bazelbuild/rules_docker/releases/download/v0.14.4/rules_docker-v0.14.4.tar.gz"], 24 | ) 25 | 26 | load( 27 | "@io_bazel_rules_docker//repositories:repositories.bzl", 28 | container_repositories = "repositories", 29 | ) 30 | 31 | container_repositories() 32 | 33 | load("@io_bazel_rules_docker//repositories:deps.bzl", container_deps = "deps") 34 | 35 | container_deps() 36 | 37 | load("@io_bazel_rules_docker//repositories:pip_repositories.bzl", "pip_deps") 38 | 39 | pip_deps() 40 | 41 | load( 42 | "@io_bazel_rules_docker//container:container.bzl", 43 | "container_pull", 44 | ) 45 | 46 | # Pull existing Debian base, only used to create builder image to debootstrap. 
47 | #container_pull( 48 | # name = "debian_base", 49 | # digest = "sha256:00109fa40230a081f5ecffe0e814725042ff62a03e2d1eae0563f1f82eaeae9b", 50 | # registry = "gcr.io", 51 | # repository = "google-appengine/debian11", 52 | #) 53 | container_pull( 54 | name = "debian_base", 55 | registry = "index.docker.io", 56 | repository = "library/debian", 57 | tag = "11", 58 | ) 59 | 60 | load(":deps.bzl", "deps") 61 | 62 | deps() 63 | -------------------------------------------------------------------------------- /debian11/autogenerated_dus_timestamp.txt: -------------------------------------------------------------------------------- 1 | Wed Apr 19 21:31:46 UTC 2023 -------------------------------------------------------------------------------- /debian11/cloudbuild-new.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | steps: 16 | # Step: build the rootfs 17 | - name: "ubuntu" 18 | env: 19 | - 'DISTRO_NAME=${_DISTRO_NAME}' 20 | script: | 21 | #!/usr/bin/env bash 22 | apt-get update 23 | apt-get -y install debootstrap 24 | debootstrap --variant=minbase --include=netbase "${DISTRO_NAME}" "${DISTRO_NAME}" 25 | tar -C "${DISTRO_NAME}" -czf rootfs.tar.gz . 
26 | id: "rootfs" 27 | 28 | # Step: build the image 29 | - name: "gcr.io/cloud-builders/docker" 30 | args: ["import", "rootfs.tar.gz", "base-image-temp"] 31 | id: "container-build" 32 | 33 | # Step: build the image 34 | - name: "gcr.io/cloud-builders/docker" 35 | dir: debian11 36 | args: ["build", "-t", "gcr.io/${_IMG_DEST}", "."] 37 | id: "upgrade-dist" 38 | 39 | # Step: tags 40 | - name: "gcr.io/cloud-builders/docker" 41 | args: ["tag", "gcr.io/${_IMG_DEST}", "us.gcr.io/${_IMG_DEST}"] 42 | 43 | - name: "gcr.io/cloud-builders/docker" 44 | args: ["tag", "gcr.io/${_IMG_DEST}", "eu.gcr.io/${_IMG_DEST}"] 45 | 46 | - name: "gcr.io/cloud-builders/docker" 47 | args: ["tag", "gcr.io/${_IMG_DEST}", "asia.gcr.io/${_IMG_DEST}"] 48 | 49 | - name: "gcr.io/cloud-builders/docker" 50 | args: ["tag", "gcr.io/${_IMG_DEST}", "gcr.io/${_IMG_BACKUP_DEST}"] 51 | 52 | substitutions: 53 | # Default values for substitution variables. 54 | # These variables are altered in the cloudbuild trigger definition 55 | #_IMG_DEST: gcp-runtimes/ubuntu_20_0_4:latest-new 56 | #_IMG_BACKUP_DEST: asci-toolchain-backup/ubuntu2004:latest-new 57 | _DISTRO_NAME: bullseye 58 | _IMG_DEST: google-appengine/debian11:latest-new 59 | _IMG_BACKUP_DEST: asci-toolchain-backup/debian11:latest-new 60 | 61 | # Push the new image and its backup. 62 | # Push by using the `images` field here so they will show up in the build results 63 | # or the GCB Build information page. 
64 | # https://cloud.google.com/cloud-build/docs/configuring-builds/store-images-artifacts 65 | images: 66 | - "gcr.io/${_IMG_DEST}" 67 | - "us.gcr.io/${_IMG_DEST}" 68 | - "eu.gcr.io/${_IMG_DEST}" 69 | - "asia.gcr.io/${_IMG_DEST}" 70 | - "gcr.io/${_IMG_BACKUP_DEST}" 71 | -------------------------------------------------------------------------------- /debian11/deps.bzl: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_file") 16 | load(":revisions.bzl", "DEBIAN11_TAR") 17 | 18 | def deps(): 19 | """Download dependencies required to use this layer.""" 20 | excludes = native.existing_rules().keys() 21 | 22 | # Base Ubuntu1604 tarball. 
23 | if "debian11_tar" not in excludes: 24 | http_file( 25 | name = "debian11_tar", 26 | downloaded_file_path = DEBIAN11_TAR.revision + "_rootfs.tar.gz", 27 | sha256 = DEBIAN11_TAR.sha256, 28 | urls = [ 29 | "https://storage.googleapis.com/container-deps/debian11/tar/" + DEBIAN11_TAR.revision + "_rootfs.tar.gz", 30 | ], 31 | ) 32 | -------------------------------------------------------------------------------- /debian11/deps_spec.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | revisionsFilePath: "debian11/revisions.bzl" 16 | timestampFilePath: "debian11/autogenerated_dus_timestamp.txt" 17 | metadataSummaryFilePath: "debian11/metadata_summary.yaml" 18 | 19 | githubRepoDeps: 20 | 21 | # bazelbuild/rules_docker GitHub repo. 22 | - name: "RULES_DOCKER" 23 | repoSpec: 24 | owner: "bazelbuild" 25 | repository: "rules_docker" 26 | updateType: "release" 27 | releasePolicies: 28 | - tag: "default" 29 | # Every Wednesday at 5am. 30 | schedule: "0 0 5 * * Wed" 31 | 32 | gcsDeps: 33 | 34 | # Base Debian11 tarball. 
35 | - name: "DEBIAN11_TAR" 36 | bucket: "container-deps" 37 | versionRegex: "\\d{8,}" 38 | fileRegex: "^debian11/tar/\\d{8,}_rootfs\\.tar\\.gz$" 39 | startsWith: "debian11/tar/" 40 | fusMetadataBucket: "container-deps" 41 | fusMetadataObject: "debian11/metadata/tar/metadata.yaml" 42 | releasePolicies: 43 | - tag: "default" 44 | # Weekly release schedule at 5am every Monday. 45 | # TODO (smukherj1): Change schedule to monthly once the automatic 46 | # updates infrastructure is deemed to be stable. 47 | schedule: "0 0 5 * * Mon" 48 | # Release immediate for security vulnerabilities with severity medium 49 | # or higher. 50 | - tag: "cveMedium" 51 | schedule: "* * * * * *" 52 | - tag: "cveHigh" 53 | schedule: "* * * * * *" 54 | - tag: "cveCritical" 55 | schedule: "* * * * * *" 56 | -------------------------------------------------------------------------------- /debian11/file_updates.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # This file is used by the File Update Service which continuously 16 | # checks for updates in the `triggerFile` listed here. If there is an update 17 | # in the `triggerFile`, the service will 18 | # 1. archive the new version of the `triggerFile` in its GCS bucket. 19 | # 2. for each one of `extraFiles`, generate a new version of it and archive it 20 | # in its GCS bucket. 
21 | 22 | # Debian11 base image tarball. 23 | - triggerFile: 24 | target: "//:rootfs/workspace/rootfs.tar.gz" 25 | bucket: "container-deps" 26 | dir: "debian11/tar" 27 | metadata: 28 | target: "//:metadata.yaml" 29 | bucket: "container-deps" 30 | object: "debian11/metadata/tar/metadata.yaml" 31 | -------------------------------------------------------------------------------- /debian11/metadata_summary.yaml: -------------------------------------------------------------------------------- 1 | {} 2 | -------------------------------------------------------------------------------- /debian11/mkimage.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # shellcheck disable=SC2115 3 | set -ex 4 | 5 | usage() { 6 | echo "Usage: $0 [VARIANT] [DIST]" 7 | echo 8 | echo "[VARIANT]: The debian variant to use." 9 | echo "[DIST]: The debian dist to use." 10 | echo 11 | exit 1 12 | } 13 | 14 | if [ $# -ne 2 ]; then 15 | usage 16 | fi 17 | 18 | VARIANT=$1 19 | DIST=$2 20 | 21 | WORKDIR="/workspace/$DIST" 22 | mkdir -p "$WORKDIR" 23 | 24 | debootstrap --variant="$VARIANT" "$DIST" "$WORKDIR" http://httpredir.debian.org/debian 25 | 26 | rootfs_chroot() { 27 | PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' \ 28 | chroot "$WORKDIR" "$@" 29 | } 30 | 31 | # Add some tools we need. 32 | rootfs_chroot apt-get install -y --no-install-recommends \ 33 | netbase \ 34 | ca-certificates 35 | 36 | # We have our own version of initctl, tell dpkg to not overwrite it. 37 | rootfs_chroot dpkg-divert --local --rename --add /sbin/initctl 38 | 39 | # Set the mirrors to distro-based ones 40 | cat << EOF > $WORKDIR/etc/apt/sources.list 41 | deb http://deb.debian.org/debian $DIST main 42 | deb http://deb.debian.org/debian $DIST-updates main 43 | deb http://deb.debian.org/debian-security $DIST-security main 44 | EOF 45 | 46 | # Do a final upgrade. 
47 | rootfs_chroot apt-get -o Acquire::Check-Valid-Until=false update 48 | rootfs_chroot apt-get -y -q upgrade 49 | 50 | # Clean some apt artifacts 51 | rootfs_chroot apt-get clean 52 | 53 | # Delete dirs we don't need, leaving the entries. 54 | rm -rf "${WORKDIR:?}"/dev "$WORKDIR"/proc 55 | mkdir -p "$WORKDIR"/dev "$WORKDIR"/proc 56 | 57 | rm -rf "$WORKDIR"/var/lib/apt/lists/httpredir* 58 | rm -rf "$WORKDIR"/etc/apt/apt.conf.d/01autoremove-kernels 59 | 60 | # These are showing up as broken symlinks? 61 | rm -rf "$WORKDIR"/usr/share/vim/vimrc 62 | rm -rf "$WORKDIR"/usr/share/vim/vimrc.tiny 63 | 64 | # Remove files with non-determinism 65 | rm -rf "$WORKDIR"/var/cache/man 66 | rm -rf "$WORKDIR"/var/cache/ldconfig/aux-cache 67 | rm -rf "$WORKDIR"/var/log/dpkg.log 68 | rm -rf "$WORKDIR"/var/log/bootstrap.log 69 | rm -rf "$WORKDIR"/var/log/alternatives.log 70 | rm -rf "$WORKDIR"/var/log/apt/history.log 71 | rm -rf "$WORKDIR"/var/log/apt/term.log 72 | 73 | # Hardcode this somewhere 74 | rm -f "$WORKDIR"/etc/machine-id 75 | 76 | # This gets overridden by Docker at runtime. 77 | rm -f "$WORKDIR"/etc/hostname 78 | 79 | # pass -n to gzip to strip timestamps 80 | # strip the '.' with --transform that tar includes at the root to build a real rootfs 81 | GZIP="-n" tar --numeric-owner -czf /workspace/rootfs.tar.gz -C "$WORKDIR" . --transform='s,^./,,' --mtime='1970-01-01' 82 | md5sum /workspace/rootfs.tar.gz 83 | -------------------------------------------------------------------------------- /debian11/overlay/etc/apt/apt.conf.d/apt-retry: -------------------------------------------------------------------------------- 1 | # Retry apt failures 3 times. 
See here for more information: https://linux.die.net/man/5/apt.conf 2 | Acquire::Retries 3; 3 | -------------------------------------------------------------------------------- /debian11/overlay/etc/apt/apt.conf.d/docker-autoremove-suggests: -------------------------------------------------------------------------------- 1 | # Since Docker users are looking for the smallest possible final images, the 2 | # following emerges as a very common pattern: 3 | 4 | # RUN apt-get update \ 5 | # && apt-get install -y \ 6 | # && \ 7 | # && apt-get purge -y --auto-remove 8 | 9 | # By default, APT will actually _keep_ packages installed via Recommends or 10 | # Depends if another package Suggests them, even and including if the package 11 | # that originally caused them to be installed is removed. Setting this to 12 | # "false" ensures that APT is appropriately aggressive about removing the 13 | # packages it added. 14 | 15 | # https://aptitude.alioth.debian.org/doc/en/ch02s05s05.html#configApt-AutoRemove-SuggestsImportant 16 | Apt::AutoRemove::SuggestsImportant "false"; 17 | -------------------------------------------------------------------------------- /debian11/overlay/etc/apt/apt.conf.d/docker-clean: -------------------------------------------------------------------------------- 1 | # Since for most Docker users, package installs happen in "docker build" steps, 2 | # they essentially become individual layers due to the way Docker handles 3 | # layering, especially using CoW filesystems. What this means for us is that 4 | # the caches that APT keeps end up just wasting space in those layers, making 5 | # our layers unnecessarily large (especially since we'll normally never use 6 | # these caches again and will instead just "docker build" again and make a brand 7 | # new image). 
8 | 9 | # Ideally, these would just be invoking "apt-get clean", but in our testing, 10 | # that ended up being cyclic and we got stuck on APT's lock, so we get this fun 11 | # creation that's essentially just "apt-get clean". 12 | DPkg::Post-Invoke { "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"; }; 13 | APT::Update::Post-Invoke { "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"; }; 14 | 15 | Dir::Cache::pkgcache ""; 16 | Dir::Cache::srcpkgcache ""; 17 | 18 | # Note that we do realize this isn't the ideal way to do this, and are always 19 | # open to better suggestions (https://github.com/docker/docker/issues). 20 | -------------------------------------------------------------------------------- /debian11/overlay/etc/apt/apt.conf.d/docker-gzip-indexes: -------------------------------------------------------------------------------- 1 | # Since Docker users using "RUN apt-get update && apt-get install -y ..." in 2 | # their Dockerfiles don't go delete the lists files afterwards, we want them to 3 | # be as small as possible on-disk, so we explicitly request "gz" versions and 4 | # tell Apt to keep them gzipped on-disk. 5 | 6 | # For comparison, an "apt-get update" layer without this on a pristine 7 | # "debian:wheezy" base image was "29.88 MB", where with this it was only 8 | # "8.273 MB". 9 | 10 | Acquire::GzipIndexes "true"; 11 | Acquire::CompressionTypes::Order:: "gz"; 12 | -------------------------------------------------------------------------------- /debian11/overlay/etc/apt/apt.conf.d/docker-no-languages: -------------------------------------------------------------------------------- 1 | # In Docker, we don't often need the "Translations" files, so we're just wasting 2 | # time and space by downloading them, and this inhibits that. For users that do 3 | # need them, it's a simple matter to delete this file and "apt-get update". 
:) 4 | 5 | Acquire::Languages "none"; 6 | -------------------------------------------------------------------------------- /debian11/overlay/etc/machine-id: -------------------------------------------------------------------------------- 1 | 793274e99ef692a48f77ea0eea7bd0cb 2 | -------------------------------------------------------------------------------- /debian11/overlay/etc/resolv.conf: -------------------------------------------------------------------------------- 1 | nameserver 8.8.8.8 2 | nameserver 8.8.4.4 3 | -------------------------------------------------------------------------------- /debian11/overlay/usr/sbin/initctl: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # For most Docker users, "apt-get install" only happens during "docker build", 4 | # where starting services doesn't work and often fails in humorous ways. This 5 | # prevents those failures by stopping the services from attempting to start. 6 | 7 | exit 0 8 | -------------------------------------------------------------------------------- /debian11/overlay/usr/sbin/policy-rc.d: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # For most Docker users, "apt-get install" only happens during "docker build", 4 | # where starting services doesn't work and often fails in humorous ways. This 5 | # prevents those failures by stopping the services from attempting to start. 6 | 7 | exit 101 8 | -------------------------------------------------------------------------------- /debian11/revisions.bzl: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # This file is autogenerated by the dependency update service and should not be modified directly. 16 | # For more details, check the deps_spec.yaml file in the current folder. 17 | 18 | DEBIAN11_TAR = struct( 19 | revision = "1675776713", 20 | sha256 = "884580755684b89b168554b11a7791eb034dab76539a78bdd16b0c6241a5ec2e", 21 | ) 22 | 23 | RULES_DOCKER = struct( 24 | commit = "master", 25 | sha256 = "0992bc9370cced3ae0fa31367d93301425c311ca0c2abcfda0d579948c32bf74", 26 | ) 27 | -------------------------------------------------------------------------------- /debian11/sources.list: -------------------------------------------------------------------------------- 1 | # deb http://snapshot.debian.org/archive/debian/20230411T000000Z bullseye main 2 | deb http://deb.debian.org/debian bullseye main 3 | # deb http://snapshot.debian.org/archive/debian-security/20230411T000000Z bullseye-security main 4 | deb http://deb.debian.org/debian-security bullseye-security main 5 | # deb http://snapshot.debian.org/archive/debian/20230411T000000Z bullseye-updates main 6 | deb http://deb.debian.org/debian bullseye-updates main 7 | -------------------------------------------------------------------------------- /debian11/test.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | schemaVersion: '2.0.0' 16 | 17 | commandTests: 18 | - name: 'apt-get' 19 | command: 'apt-get' 20 | args: ['help'] 21 | excludedError: ['.*FAIL.*'] 22 | expectedOutput: ['.*Usage.*'] 23 | - name: 'apt-config' 24 | command: 'apt-config' 25 | args: ['dump'] 26 | expectedOutput: ['Acquire::Retries "3"'] 27 | 28 | fileContentTests: 29 | - name: 'Debian Sources' 30 | excludedContents: ['.*gce_debian_mirror.*'] 31 | expectedContents: ['.*deb\.debian\.org.*'] 32 | path: '/etc/apt/sources.list' 33 | - name: 'Retry Policy' 34 | expectedContents: ['Acquire::Retries 3;'] 35 | path: '/etc/apt/apt.conf.d/apt-retry' 36 | # Debian 11 specific tests. 37 | - name: 'Debian Sources Version' 38 | expectedContents: ['bullseye'] 39 | path: '/etc/apt/sources.list' 40 | 41 | fileExistenceTests: 42 | - name: 'Root' 43 | path: '/' 44 | shouldExist: true 45 | - name: 'Netbase' 46 | path: '/etc/protocols' 47 | shouldExist: true 48 | - name: 'Machine ID' 49 | path: '/etc/machine-id' 50 | shouldExist: true 51 | 52 | metadataTest: 53 | env: 54 | - key: PORT 55 | value: 8080 56 | - key: DEBIAN_FRONTEND 57 | value: noninteractive 58 | - key: PATH 59 | value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 60 | 61 | -------------------------------------------------------------------------------- /debian9/.bazelrc: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Google Inc. All rights reserved. 
2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | build --host_force_python=PY2 16 | test --host_force_python=PY2 17 | run --host_force_python=PY2 18 | -------------------------------------------------------------------------------- /debian9/README.md: -------------------------------------------------------------------------------- 1 | This is an experimental Debian 9 container. 2 | 3 | ## Reproducible Debian Builds 4 | 5 | This directory contains code and scripts for building reproducible 6 | Debian base images. 7 | 8 | The same git revision will result in a Docker image with the same digest, 9 | every time. 10 | 11 | ### Usage 12 | 13 | Use `gcloud builds submit --config=cloudbuild.yaml` 14 | to build the image in the cloud. 15 | To build locally, use: `bazel run :image`. 16 | To run tests locally, use: `bazel test :image-test`. 17 | 18 | ### Process 19 | 20 | We use debootstrap in a docker container to generate a debian rootfs tarball. 21 | See the `mkimage.sh` script for this portion of the process. This tarball can 22 | then be inserted into a tarball with the `container_image` rule. 23 | 24 | We archive the generated rootfs tarballs in a GCS bucket and use them in 25 | container releases to ensure containers are reproducible. 
26 | -------------------------------------------------------------------------------- /debian9/WORKSPACE: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | workspace(name = "debian9") 16 | 17 | load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive") 18 | 19 | http_archive( 20 | name = "io_bazel_rules_docker", 21 | sha256 = "4521794f0fba2e20f3bf15846ab5e01d5332e587e9ce81629c7f96c793bb7036", 22 | strip_prefix = "rules_docker-0.14.4", 23 | urls = ["https://github.com/bazelbuild/rules_docker/releases/download/v0.14.4/rules_docker-v0.14.4.tar.gz"], 24 | ) 25 | 26 | load( 27 | "@io_bazel_rules_docker//repositories:repositories.bzl", 28 | container_repositories = "repositories", 29 | ) 30 | 31 | container_repositories() 32 | 33 | load("@io_bazel_rules_docker//repositories:deps.bzl", container_deps = "deps") 34 | 35 | container_deps() 36 | 37 | load("@io_bazel_rules_docker//repositories:pip_repositories.bzl", "pip_deps") 38 | 39 | pip_deps() 40 | 41 | load( 42 | "@io_bazel_rules_docker//container:container.bzl", 43 | "container_pull", 44 | ) 45 | 46 | # Pull existing Debian base, only used to create builder image to debootstrap. 
47 | container_pull( 48 | name = "debian_base", 49 | digest = "sha256:00109fa40230a081f5ecffe0e814725042ff62a03e2d1eae0563f1f82eaeae9b", 50 | registry = "gcr.io", 51 | repository = "google-appengine/debian9", 52 | ) 53 | 54 | load(":deps.bzl", "deps") 55 | 56 | deps() 57 | -------------------------------------------------------------------------------- /debian9/autogenerated_dus_timestamp.txt: -------------------------------------------------------------------------------- 1 | Tue Feb 7 14:01:56 UTC 2023 -------------------------------------------------------------------------------- /debian9/deps.bzl: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_file") 16 | load(":revisions.bzl", "DEBIAN9_TAR") 17 | 18 | def deps(): 19 | """Download dependencies required to use this layer.""" 20 | excludes = native.existing_rules().keys() 21 | 22 | # Base Ubuntu1604 tarball. 
23 | if "debian9_tar" not in excludes: 24 | http_file( 25 | name = "debian9_tar", 26 | downloaded_file_path = DEBIAN9_TAR.revision + "_rootfs.tar.gz", 27 | sha256 = DEBIAN9_TAR.sha256, 28 | urls = [ 29 | "https://storage.googleapis.com/container-deps/debian9/tar/" + DEBIAN9_TAR.revision + "_rootfs.tar.gz", 30 | ], 31 | ) 32 | -------------------------------------------------------------------------------- /debian9/deps_spec.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | revisionsFilePath: "debian9/revisions.bzl" 16 | timestampFilePath: "debian9/autogenerated_dus_timestamp.txt" 17 | metadataSummaryFilePath: "debian9/metadata_summary.yaml" 18 | 19 | githubRepoDeps: 20 | 21 | # bazelbuild/rules_docker GitHub repo. 22 | - name: "RULES_DOCKER" 23 | repoSpec: 24 | owner: "bazelbuild" 25 | repository: "rules_docker" 26 | updateType: "release" 27 | releasePolicies: 28 | - tag: "default" 29 | # Every Wednesday at 5am. 30 | schedule: "0 0 5 * * Wed" 31 | 32 | gcsDeps: 33 | 34 | # Base Debian9 tarball. 
35 | - name: "DEBIAN9_TAR" 36 | bucket: "container-deps" 37 | versionRegex: "\\d{8,}" 38 | fileRegex: "^debian9/tar/\\d{8,}_rootfs\\.tar\\.gz$" 39 | startsWith: "debian9/tar/" 40 | fusMetadataBucket: "container-deps" 41 | fusMetadataObject: "debian9/metadata/tar/metadata.yaml" 42 | releasePolicies: 43 | - tag: "default" 44 | # Weekly release schedule at 5am every Monday. 45 | # TODO (smukherj1): Change schedule to monthly once the automatic 46 | # updates infrastructure is deemed to be stable. 47 | schedule: "0 0 5 * * Mon" 48 | # Release immediate for security vulnerabilities with severity medium 49 | # or higher. 50 | - tag: "cveMedium" 51 | schedule: "* * * * * *" 52 | - tag: "cveHigh" 53 | schedule: "* * * * * *" 54 | - tag: "cveCritical" 55 | schedule: "* * * * * *" 56 | -------------------------------------------------------------------------------- /debian9/file_updates.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # This file is used by the File Update Service which continuously 16 | # checks for updates in the `triggerFile` listed here. If there is an update 17 | # in the `triggerFile`, the service will 18 | # 1. archive the new version of the `triggerFile` in its GCS bucket. 19 | # 2. for each one of `extraFiles`, generate a new version of it and archive it 20 | # in its GCS bucket. 
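21 | 22 | # ================================= Debian9 ================================= 23 | 24 | # Debian9 base image tarball. 25 | - triggerFile: 26 | target: "//:rootfs/workspace/rootfs.tar.gz" 27 | bucket: "container-deps" 28 | dir: "debian9/tar" 29 | metadata: 30 | target: "//:metadata.yaml" 31 | bucket: "container-deps" 32 | object: "debian9/metadata/tar/metadata.yaml" 33 | -------------------------------------------------------------------------------- /debian9/metadata_summary.yaml: -------------------------------------------------------------------------------- 1 | {} 2 | -------------------------------------------------------------------------------- /debian9/mkimage.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Build a Debian rootfs tarball with debootstrap.
#
# Usage: mkimage.sh VARIANT DIST
#   VARIANT: debootstrap variant, passed straight through as --variant.
#   DIST:    Debian dist/suite name (e.g. stretch); also names the work
#            directory under /workspace and the apt suite in sources.list.
#
# Output: /workspace/rootfs.tar.gz, built to be reproducible (gzip -n,
# numeric owners, fixed mtime). Its sha256 and md5 are printed on stdout.
# shellcheck disable=SC2115
set -euxo pipefail

usage() {
  echo "Usage: $0 [VARIANT] [DIST]"
  echo
  echo "[VARIANT]: The debian variant to use."
  echo "[DIST]: The debian dist to use."
  echo
  exit 1
}

if [ $# -ne 2 ]; then
  usage
fi

VARIANT=$1
DIST=$2

# Both arguments end up in paths under /workspace that are later handed to
# "rm -rf" and in /etc/apt/sources.list. Accept only a plain suite/variant
# token so a stray "../" or shell metacharacter cannot escape the work dir.
for arg in "$VARIANT" "$DIST"; do
  if ! [[ "$arg" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
    echo "Invalid argument '$arg': expected [A-Za-z0-9][A-Za-z0-9._-]*" >&2
    usage
  fi
done

WORKDIR="/workspace/$DIST"
mkdir -p "$WORKDIR"

# The mirror is fetched over plain http. Integrity of what lands in the
# rootfs rests on debootstrap's Release-signature check (--no-check-gpg is
# deliberately NOT passed), i.e. on the host's debian-archive-keyring being
# current, not on the transport.
debootstrap --variant="$VARIANT" "$DIST" "$WORKDIR" http://httpredir.debian.org/debian

# Run a command inside the freshly bootstrapped rootfs with a fixed,
# minimal PATH so the host's PATH never leaks into the chroot.
rootfs_chroot() {
  PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' \
    chroot "$WORKDIR" "$@"
}

# Add some tools we need.
rootfs_chroot apt-get install -y --no-install-recommends \
  netbase \
  ca-certificates

# We have our own version of initctl, tell dpkg to not overwrite it.
rootfs_chroot dpkg-divert --local --rename --add /sbin/initctl

# Set the mirrors to distro-based ones.
# NOTE(review): plain http again; apt authenticates the indexes via Release
# signatures, but the transport exposes which packages are pulled. Prefer
# https once the image carries a TLS-capable apt.
cat << EOF > "$WORKDIR/etc/apt/sources.list"
deb http://httpredir.debian.org/debian $DIST main
deb http://httpredir.debian.org/debian $DIST-updates main
deb http://security.debian.org $DIST/updates main
EOF

# Do a final upgrade.
# Acquire::Check-Valid-Until=false disables apt's index-freshness check, which
# is what stops a mirror (or anyone on the path) from replaying a stale Release
# file that predates a security update. It is presumably here because archived
# suites ship indexes whose Valid-Until has lapsed -- TODO confirm, and drop the
# override for any suite that is still actively updated.
rootfs_chroot apt-get -o Acquire::Check-Valid-Until=false update
rootfs_chroot apt-get -y -q upgrade

# Clean some apt artifacts
rootfs_chroot apt-get clean

# Delete dirs we don't need, leaving the entries.
# ${WORKDIR:?} aborts rather than expanding to "/" if WORKDIR is ever empty.
rm -rf "${WORKDIR:?}"/dev "${WORKDIR:?}"/proc
mkdir -p "$WORKDIR"/dev "$WORKDIR"/proc

rm -rf "${WORKDIR:?}"/var/lib/apt/lists/httpredir*
rm -rf "${WORKDIR:?}"/etc/apt/apt.conf.d/01autoremove-kernels

# These are showing up as broken symlinks?
rm -rf "${WORKDIR:?}"/usr/share/vim/vimrc
rm -rf "${WORKDIR:?}"/usr/share/vim/vimrc.tiny

# Remove files with non-determinism
rm -rf "${WORKDIR:?}"/var/cache/man
rm -rf "${WORKDIR:?}"/var/cache/ldconfig/aux-cache
rm -rf "${WORKDIR:?}"/var/log/dpkg.log
rm -rf "${WORKDIR:?}"/var/log/bootstrap.log
rm -rf "${WORKDIR:?}"/var/log/alternatives.log
rm -rf "${WORKDIR:?}"/var/log/apt/history.log
rm -rf "${WORKDIR:?}"/var/log/apt/term.log

# Hardcode this somewhere.
# NOTE(review): the generated machine-id is dropped so the tarball is
# reproducible; a fixed one is presumably supplied by the overlay
# (overlay/etc/machine-id), which means every container built from this
# rootfs shares the same id -- anything deriving per-host identity from it
# will collide. Confirm that is acceptable for consumers of the image.
rm -f "$WORKDIR"/etc/machine-id

# This gets overridden by Docker at runtime.
rm -f "$WORKDIR"/etc/hostname

# pass -n to gzip to strip timestamps
# strip the '.' with --transform that tar includes at the root to build a real rootfs
GZIP="-n" tar --numeric-owner -czf /workspace/rootfs.tar.gz -C "$WORKDIR" . --transform='s,^./,,' --mtime='1970-01-01'

# sha256 is the digest revisions.bzl / http_file pin against, so print it here
# where it can be cross-checked; md5 is kept for log compatibility only and
# must not be used for verification.
sha256sum /workspace/rootfs.tar.gz
md5sum /workspace/rootfs.tar.gz
-------------------------------------------------------------------------------- /debian9/overlay/etc/apt/apt.conf.d/apt-retry: -------------------------------------------------------------------------------- 1 | # Retry apt failures 3 times. 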
See here for more information: https://linux.die.net/man/5/apt.conf 2 | Acquire::Retries 3; 3 | -------------------------------------------------------------------------------- /debian9/overlay/etc/apt/apt.conf.d/docker-autoremove-suggests: -------------------------------------------------------------------------------- 1 | # Since Docker users are looking for the smallest possible final images, the 2 | # following emerges as a very common pattern: 3 | 4 | # RUN apt-get update \ 5 | # && apt-get install -y \ 6 | # && \ 7 | # && apt-get purge -y --auto-remove 8 | 9 | # By default, APT will actually _keep_ packages installed via Recommends or 10 | # Depends if another package Suggests them, even and including if the package 11 | # that originally caused them to be installed is removed. Setting this to 12 | # "false" ensures that APT is appropriately aggressive about removing the 13 | # packages it added. 14 | 15 | # https://aptitude.alioth.debian.org/doc/en/ch02s05s05.html#configApt-AutoRemove-SuggestsImportant 16 | Apt::AutoRemove::SuggestsImportant "false"; 17 | -------------------------------------------------------------------------------- /debian9/overlay/etc/apt/apt.conf.d/docker-clean: -------------------------------------------------------------------------------- 1 | # Since for most Docker users, package installs happen in "docker build" steps, 2 | # they essentially become individual layers due to the way Docker handles 3 | # layering, especially using CoW filesystems. What this means for us is that 4 | # the caches that APT keeps end up just wasting space in those layers, making 5 | # our layers unnecessarily large (especially since we'll normally never use 6 | # these caches again and will instead just "docker build" again and make a brand 7 | # new image). 
8 | 9 | # Ideally, these would just be invoking "apt-get clean", but in our testing, 10 | # that ended up being cyclic and we got stuck on APT's lock, so we get this fun 11 | # creation that's essentially just "apt-get clean". 12 | DPkg::Post-Invoke { "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"; }; 13 | APT::Update::Post-Invoke { "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"; }; 14 | 15 | Dir::Cache::pkgcache ""; 16 | Dir::Cache::srcpkgcache ""; 17 | 18 | # Note that we do realize this isn't the ideal way to do this, and are always 19 | # open to better suggestions (https://github.com/docker/docker/issues). 20 | -------------------------------------------------------------------------------- /debian9/overlay/etc/apt/apt.conf.d/docker-gzip-indexes: -------------------------------------------------------------------------------- 1 | # Since Docker users using "RUN apt-get update && apt-get install -y ..." in 2 | # their Dockerfiles don't go delete the lists files afterwards, we want them to 3 | # be as small as possible on-disk, so we explicitly request "gz" versions and 4 | # tell Apt to keep them gzipped on-disk. 5 | 6 | # For comparison, an "apt-get update" layer without this on a pristine 7 | # "debian:wheezy" base image was "29.88 MB", where with this it was only 8 | # "8.273 MB". 9 | 10 | Acquire::GzipIndexes "true"; 11 | Acquire::CompressionTypes::Order:: "gz"; 12 | -------------------------------------------------------------------------------- /debian9/overlay/etc/apt/apt.conf.d/docker-no-languages: -------------------------------------------------------------------------------- 1 | # In Docker, we don't often need the "Translations" files, so we're just wasting 2 | # time and space by downloading them, and this inhibits that. For users that do 3 | # need them, it's a simple matter to delete this file and "apt-get update". 
:) 4 | 5 | Acquire::Languages "none"; 6 | -------------------------------------------------------------------------------- /debian9/overlay/etc/machine-id: -------------------------------------------------------------------------------- 1 | 793274e99ef692a48f77ea0eea7bd0cb 2 | -------------------------------------------------------------------------------- /debian9/overlay/etc/resolv.conf: -------------------------------------------------------------------------------- 1 | nameserver 8.8.8.8 2 | nameserver 8.8.4.4 3 | -------------------------------------------------------------------------------- /debian9/overlay/sbin/initctl: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # For most Docker users, "apt-get install" only happens during "docker build", 4 | # where starting services doesn't work and often fails in humorous ways. This 5 | # prevents those failures by stopping the services from attempting to start. 6 | 7 | exit 0 8 | -------------------------------------------------------------------------------- /debian9/overlay/usr/sbin/policy-rc.d: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # For most Docker users, "apt-get install" only happens during "docker build", 4 | # where starting services doesn't work and often fails in humorous ways. This 5 | # prevents those failures by stopping the services from attempting to start. 6 | 7 | exit 101 8 | -------------------------------------------------------------------------------- /debian9/revisions.bzl: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # This file is autogenerated by the dependency update service and should not be modified directly. 16 | # For more details, check the deps_spec.yaml file in the current folder. 17 | 18 | DEBIAN9_TAR = struct( 19 | revision = "1675776692", 20 | sha256 = "3223516ddd1242f03b6a70d0520d146b7fd4d597f116e4db976aadfff35f0983", 21 | ) 22 | # NOTE(review): "master" is a mutable branch name, not an immutable commit SHA. The sha256 below can only describe the archive that was current when this file was generated, so the pin goes stale (and any checksum-verified fetch of it fails) as soon as master moves; deps_spec.yaml also declares RULES_DOCKER with updateType "release", which does not match a branch ref. Have the update service emit a full commit SHA or release tag here -- confirm how the consumer of this struct resolves it. 23 | RULES_DOCKER = struct( 24 | commit = "master", 25 | sha256 = "3fdae8c4571d6d3fc343f63c87b3fb030132ad091284b8cbdb7533cb063ded0a", 26 | ) 27 | -------------------------------------------------------------------------------- /debian9/test.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | schemaVersion: '2.0.0' 16 | 17 | commandTests: 18 | - name: 'apt-get' 19 | command: 'apt-get' 20 | args: ['help'] 21 | excludedError: ['.*FAIL.*'] 22 | expectedOutput: ['.*Usage.*'] 23 | - name: 'apt-config' 24 | command: 'apt-config' 25 | args: ['dump'] 26 | expectedOutput: ['Acquire::Retries "3"'] 27 | 28 | fileContentTests: 29 | - name: 'Debian Sources' 30 | excludedContents: ['.*gce_debian_mirror.*'] 31 | expectedContents: ['.*httpredir\.debian\.org.*'] 32 | path: '/etc/apt/sources.list' 33 | - name: 'Retry Policy' 34 | expectedContents: ['Acquire::Retries 3;'] 35 | path: '/etc/apt/apt.conf.d/apt-retry' 36 | # Debian 9 specific tests. 37 | - name: 'Debian Sources Version' 38 | expectedContents: ['stretch'] 39 | path: '/etc/apt/sources.list' 40 | 41 | fileExistenceTests: 42 | - name: 'Root' 43 | path: '/' 44 | shouldExist: true 45 | - name: 'Netbase' 46 | path: '/etc/protocols' 47 | shouldExist: true 48 | - name: 'Machine ID' 49 | path: '/etc/machine-id' 50 | shouldExist: true 51 | 52 | metadataTest: 53 | env: 54 | - key: PORT 55 | value: 8080 56 | - key: DEBIAN_FRONTEND 57 | value: noninteractive 58 | - key: PATH 59 | value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 60 | 61 | licenseTests: 62 | - debian: true 63 | files: 64 | -------------------------------------------------------------------------------- /dockerfile_build/BUILD: -------------------------------------------------------------------------------- 1 | package(default_visibility = ["//visibility:public"]) 2 | -------------------------------------------------------------------------------- /hack/hooks/pre-commit: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | make test 3 | -------------------------------------------------------------------------------- /package_managers/BUILD: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Google Inc. All rights reserved. 
2 | 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | package(default_visibility = ["//visibility:public"]) 16 | 17 | exports_files([ 18 | "installer.sh.tpl", 19 | ]) 20 | -------------------------------------------------------------------------------- /package_managers/apt_key.bzl: -------------------------------------------------------------------------------- 1 | #Copyright 2017 Google Inc. All rights reserved. 2 | 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | """Rule for configuring apt GPG keys""" 16 | 17 | load( 18 | "@io_bazel_rules_docker//docker/package_managers:apt_key.bzl", 19 | _add_apt_key = "add_apt_key", 20 | _key = "key", 21 | ) 22 | 23 | # Redirects all defs to implementation which has been refactored to 24 | # @io_bazel_rules_docker//docker/package_managers:apt_key.bzl 25 | 26 | key = _key 27 | add_apt_key = _add_apt_key 28 | -------------------------------------------------------------------------------- /package_managers/download_pkgs.bzl: -------------------------------------------------------------------------------- 1 | #Copyright 2017 Google Inc. All rights reserved. 2 | 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | """Rule for downloading apt packages and tar them in a .tar file.""" 16 | 17 | load( 18 | "@io_bazel_rules_docker//docker/package_managers:download_pkgs.bzl", 19 | _download = "download", 20 | _download_pkgs = "download_pkgs", 21 | ) 22 | 23 | # Redirects all defs to implementation which has been refactored to 24 | # @io_bazel_rules_docker//docker/package_managers:download_pkgs.bzl 25 | 26 | download = _download 27 | download_pkgs = _download_pkgs 28 | -------------------------------------------------------------------------------- /package_managers/install_pkgs.bzl: -------------------------------------------------------------------------------- 1 | #Copyright 2017 Google Inc. All rights reserved. 
2 | 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | """Rule for installing apt packages from a tar file into a docker image. 16 | 17 | In addition to the base install_pkgs rule, we expose its constituents 18 | (attr, outputs, implementation) directly so that others can use them 19 | in their rules' implementation. The expectation in such cases is that 20 | users will write something like: 21 | 22 | load( 23 | "@base_images_docker//package_managers:install_pkgs.bzl", 24 | _install = "install", 25 | ) 26 | 27 | def _impl(ctx): 28 | ... 29 | return _install.implementation(ctx, ... kwarg overrides ...) 30 | 31 | _my_rule = rule( 32 | attrs = _install.attrs + { 33 | # My attributes, or overrides of _install.attrs defaults. 34 | ... 
35 | }, 36 | outputs = _install.outputs, 37 | implementation = _impl, 38 | ) 39 | 40 | """ 41 | 42 | load( 43 | "@io_bazel_rules_docker//docker/package_managers:install_pkgs.bzl", 44 | _install = "install", 45 | _install_pkgs = "install_pkgs", 46 | ) 47 | 48 | # Redirects all defs to implementation which has been refactored to 49 | # @io_bazel_rules_docker//docker/package_managers:install_pkgs.bzl 50 | 51 | install = _install 52 | install_pkgs = _install_pkgs 53 | -------------------------------------------------------------------------------- /release/release.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -ex 3 | 4 | # shellcheck source=/dev/null 5 | source "$KOKORO_GFILE_DIR/common.sh" 6 | sudo chmod +x "$KOKORO_GFILE_DIR/verify-commits.sh" 7 | "$KOKORO_GFILE_DIR"/verify-commits.sh 8 | cd github/debian-docker 9 | ./build.sh -r "$DOCKER_NAMESPACE" -v "$DEBIAN_SUITE" 10 | 11 | -------------------------------------------------------------------------------- /store/BUILD: -------------------------------------------------------------------------------- 1 | #Copyright 2017 Google Inc. All rights reserved. 2 | 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | package(default_visibility = ["//visibility:public"]) 16 | -------------------------------------------------------------------------------- /store/git/BUILD: -------------------------------------------------------------------------------- 1 | #Copyright 2017 Google Inc. All rights reserved. 2 | 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | package(default_visibility = ["//visibility:public"]) 16 | 17 | py_binary( 18 | name = "git", 19 | srcs = ["git.py"], 20 | srcs_version = "PY2AND3", 21 | visibility = ["//visibility:public"], 22 | deps = [ 23 | "@bazel_tools//third_party/py/gflags", 24 | ], 25 | ) 26 | -------------------------------------------------------------------------------- /store/git/git.bzl: -------------------------------------------------------------------------------- 1 | #Copyright 2017 Google Inc. All rights reserved. 2 | 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | def git_store_get(ctx, store_location, key, artifact, suppress_error="True"): 16 | """Create an action to get artifact from fs store.""" 17 | status = ctx.actions.declare_file("{0}_get.status".format(ctx.label.name)) 18 | args = ["--store_location", store_location, 19 | "--dest", artifact, 20 | "--method", "get", 21 | "--key", key, 22 | "--suppress_error", suppress_error, 23 | "--status_file", status.path, 24 | ] 25 | ctx.actions.run( 26 | executable = ctx.executable.git_store, 27 | arguments = args, 28 | outputs = [status], 29 | use_default_shell_env = True, 30 | mnemonic = "GetArtifact") 31 | return status 32 | 33 | def git_store_put(ctx, store_location, artifact, key): 34 | """Create an action to put artifact in fs store.""" 35 | status = ctx.actions.declare_file("{0}_put.status".format(ctx.label.name)) 36 | args = ["--store_location", store_location, 37 | "--src", artifact.path, 38 | "--method", "put", 39 | "--key", key, 40 | "--status_file", status.path, 41 | ] 42 | ctx.actions.run( 43 | outputs = [status], 44 | executable = ctx.executable.git_store, 45 | arguments = args, 46 | use_default_shell_env = True, 47 | inputs = [artifact], 48 | mnemonic = "PutArtifact") 49 | return status 50 | 51 | tools = { 52 | "git_store": attr.label( 53 | default = Label("//store/git:git"), 54 | cfg = "host", 55 | executable = True, 56 | allow_files = True, 57 | ), 58 | } 59 | -------------------------------------------------------------------------------- /tests/BUILD: -------------------------------------------------------------------------------- 1 | package(default_visibility = ["//visibility:public"]) 2 | -------------------------------------------------------------------------------- /tests/debian/BUILD: -------------------------------------------------------------------------------- 1 | package(default_visibility = ["//visibility:public"]) 2 | 3 | load("@io_bazel_rules_docker//contrib:test.bzl", "container_test") 4 | 5 | exports_files(glob(["*.yaml"])) 6 | 7 | 
DEBIAN_MAP = { 8 | 9: "stretch", 9 | 10: "buster", 10 | 11: "bullseye", 11 | } 12 | 13 | [container_test( 14 | name = "debian%s_test" % num, 15 | configs = [":debian_test.yaml"], 16 | image = "//debian/reproducible:debian%s" % num, 17 | ) for num, distro in DEBIAN_MAP.items()] 18 | 19 | [container_test( 20 | name = "debian%s_version_test" % num, 21 | configs = [":debian_%s_test.yaml" % num], 22 | image = "//debian/reproducible:debian%s" % num, 23 | ) for num, distro in DEBIAN_MAP.items()] 24 | -------------------------------------------------------------------------------- /tests/debian/debian_10_test.yaml: -------------------------------------------------------------------------------- 1 | schemaVersion: '2.0.0' 2 | commandTests: 3 | fileContentTests: 4 | - name: 'Debian Sources Version' 5 | expectedContents: ['buster'] 6 | path: '/etc/apt/sources.list' 7 | -------------------------------------------------------------------------------- /tests/debian/debian_11_test.yaml: -------------------------------------------------------------------------------- 1 | schemaVersion: '2.0.0' 2 | commandTests: 3 | fileContentTests: 4 | - name: 'Debian Sources Version' 5 | expectedContents: ['bullseye'] 6 | path: '/etc/apt/sources.list' 7 | -------------------------------------------------------------------------------- /tests/debian/debian_9_test.yaml: -------------------------------------------------------------------------------- 1 | schemaVersion: '2.0.0' 2 | commandTests: 3 | fileContentTests: 4 | - name: 'Debian Sources Version' 5 | expectedContents: ['stretch'] 6 | path: '/etc/apt/sources.list' 7 | -------------------------------------------------------------------------------- /tests/debian/debian_test.yaml: -------------------------------------------------------------------------------- 1 | schemaVersion: '2.0.0' 2 | commandTests: 3 | - name: 'apt-get' 4 | command: 'apt-get' 5 | args: ['help'] 6 | excludedError: ['.*FAIL.*'] 7 | expectedOutput: ['.*Usage.*'] 8 | - name: 
'apt-config' 9 | command: 'apt-config' 10 | args: ['dump'] 11 | expectedOutput: ['Acquire::Retries "3"'] 12 | metadataTest: 13 | env: 14 | - key: PORT 15 | value: 8080 16 | - key: DEBIAN_FRONTEND 17 | value: noninteractive 18 | - key: PATH 19 | value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 20 | fileContentTests: 21 | - name: 'Debian Sources' 22 | excludedContents: ['.*gce_debian_mirror.*'] 23 | expectedContents: ['.*httpredir\.debian\.org.*'] 24 | path: '/etc/apt/sources.list' 25 | - name: 'Retry Policy' 26 | expectedContents: ['Acquire::Retries 3;'] 27 | path: '/etc/apt/apt.conf.d/apt-retry' 28 | fileExistenceTests: 29 | - name: 'Root' 30 | path: '/' 31 | shouldExist: true 32 | - name: 'Netbase' 33 | path: '/etc/protocols' 34 | shouldExist: true 35 | - name: 'Machine ID' 36 | path: '/etc/machine-id' 37 | shouldExist: true 38 | licenseTests: 39 | - debian: true 40 | files: 41 | -------------------------------------------------------------------------------- /tests/dockerfile_build/BUILD: -------------------------------------------------------------------------------- 1 | package(default_visibility = ["//visibility:public"]) 2 | 3 | load("//dockerfile_build:dockerfile_build.bzl", "dockerfile_build") 4 | load("@bazel_tools//tools/build_defs/pkg:pkg.bzl", "pkg_tar") 5 | load("@io_bazel_rules_docker//contrib:test.bzl", "container_test") 6 | 7 | pkg_tar( 8 | name = "context", 9 | srcs = glob(["context/**/*"]), 10 | package_dir = "/", 11 | strip_prefix = "context/", 12 | ) 13 | 14 | dockerfile_build( 15 | name = "test_image", 16 | base = "//debian/reproducible:debian9", 17 | context = ":context.tar", 18 | dockerfile = ":Dockerfile", 19 | ) 20 | 21 | container_test( 22 | name = "dockerfile_build_test", 23 | configs = [":test.yaml"], 24 | image = ":test_image", 25 | ) 26 | 27 | dockerfile_build( 28 | name = "test_image_2", 29 | base_tar = ":test_image.tar", 30 | dockerfile = ":Dockerfile.2", 31 | ) 32 | 33 | container_test( 34 | name = 
"dockerfile_build_test_2", 35 | configs = [":test2.yaml"], 36 | image = ":test_image_2", 37 | ) 38 | -------------------------------------------------------------------------------- /tests/dockerfile_build/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM bazel/reproducible:debian9 2 | RUN apt-get update && apt-get -y -q install curl 3 | ADD bat /bat 4 | ADD bar /foo/bar/baz 5 | -------------------------------------------------------------------------------- /tests/dockerfile_build/Dockerfile.2: -------------------------------------------------------------------------------- 1 | FROM test_image 2 | RUN cp -r /bat /baz 3 | -------------------------------------------------------------------------------- /tests/dockerfile_build/context/bar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleContainerTools/base-images-docker/690c304c5c7b4f83e731f2c47bb7a94519dbb463/tests/dockerfile_build/context/bar -------------------------------------------------------------------------------- /tests/dockerfile_build/context/bat/hey: -------------------------------------------------------------------------------- 1 | yo 2 | -------------------------------------------------------------------------------- /tests/dockerfile_build/context/baz: -------------------------------------------------------------------------------- 1 | hey 2 | -------------------------------------------------------------------------------- /tests/dockerfile_build/test.yaml: -------------------------------------------------------------------------------- 1 | schemaVersion: '2.0.0' 2 | fileExistenceTests: 3 | - name: 'Bat' 4 | path: '/bat' 5 | shouldExist: true 6 | - name: 'Baz' 7 | path: '/foo/bar/baz' 8 | shouldExist: true 9 | fileContentTests: 10 | - name: 'Curl' 11 | path: '/var/lib/dpkg/status' 12 | expectedContents: ['.*curl.*'] 13 | 
-------------------------------------------------------------------------------- /tests/dockerfile_build/test2.yaml: -------------------------------------------------------------------------------- 1 | schemaVersion: '2.0.0' 2 | fileExistenceTests: 3 | - name: 'Bat' 4 | path: '/bat' 5 | shouldExist: true 6 | - name: 'Baz' 7 | path: '/baz' 8 | shouldExist: true 9 | - name: 'Baz' 10 | path: '/foo/bar/baz' 11 | shouldExist: true 12 | fileContentTests: 13 | - name: 'Curl' 14 | path: '/var/lib/dpkg/status' 15 | expectedContents: ['.*curl.*'] 16 | -------------------------------------------------------------------------------- /tests/package_managers/.gitignore: -------------------------------------------------------------------------------- 1 | # These files are generated by test_complex_packages.sh 2 | # We don't want them in source control. 3 | BUILD.bazel 4 | Dockerfile.test 5 | test_complex_download_pkgs.tar 6 | test_complex_install_pkgs.tar 7 | test_complex_pkgs.dockerfile.tar 8 | -------------------------------------------------------------------------------- /tests/package_managers/BUILD: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Google Inc. All rights reserved. 2 | 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | package(default_visibility = ["//visibility:public"]) 16 | 17 | load( 18 | "@bazel_tools//tools/build_rules:test_rules.bzl", 19 | "rule_test", 20 | ) 21 | load("//package_managers:bootstrap_image.bzl", "bootstrap_image_macro") 22 | 23 | bootstrap_image_macro( 24 | name = "bootstrap_ubuntu", 25 | date = "20190301", 26 | image_tar = "//ubuntu:ubuntu_16_0_4_vanilla.tar", 27 | output_image_name = "ubuntu", 28 | packages = [ 29 | "curl", 30 | "netbase", 31 | ], 32 | store_location = "ubuntu/16_0_4/builds", 33 | ) 34 | 35 | rule_test( 36 | name = "test_bootstrap_ubuntu", 37 | generates = [ 38 | "bootstrap_ubuntu-layer.tar", 39 | ], 40 | rule = "bootstrap_ubuntu", 41 | ) 42 | -------------------------------------------------------------------------------- /tests/package_managers/test_bootstrap_image_macro.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -ex 4 | 5 | trap __cleanup EXIT 6 | 7 | #Clean up functions 8 | __cleanup () 9 | { 10 | [[ -d "$TEST_DIR" ]] && rm -rf "$TEST_DIR" 11 | [[ -f "$TEST_BUILD_FILE" ]] && rm "$TEST_BUILD_FILE" 12 | } 13 | 14 | function die(){ 15 | echo "$1" 16 | exit 1 17 | } 18 | 19 | PWD=$(pwd) 20 | GIT_ROOT=$(git rev-parse --show-toplevel) 21 | 22 | if [ "$PWD" != "$GIT_ROOT" ]; then 23 | echo "Please run this script from bazel root workspace" 24 | exit 1 25 | fi 26 | 27 | TEST_TARGET="tests/package_managers:test_bootstrap_ubuntu" 28 | TEST_DIR="tests/package_managers/tmp_git" 29 | TEST_STORE="$TEST_DIR/ubuntu/16_0_4/builds" 30 | TEST_SCRIPT_CMD="./bootstrap_image.sh -t $TEST_TARGET" 31 | DATE="20190301" 32 | 33 | TEST_BUILD_FILE="tests/package_managers/BUILD.bazel" 34 | # Build new BUILD file with bootstrap_image_macro target 35 | cat > "$TEST_BUILD_FILE" <<- EOM 36 | load("//package_managers:bootstrap_image.bzl", "bootstrap_image_macro") 37 | bootstrap_image_macro( 38 | name = "test_bootstrap_ubuntu", 39 | date = "$DATE", 40 | image_tar = 
"//ubuntu:ubuntu_16_0_4_vanilla.tar", 41 | output_image_name = "ubuntu", 42 | packages = [ 43 | "curl", 44 | "netbase", 45 | ], 46 | store_location = "$TEST_STORE", 47 | ) 48 | EOM 49 | 50 | # Create a Temporary store in this directory 51 | mkdir -p "$TEST_STORE" 52 | 53 | # Run Bazel build target for first time 54 | bazel clean 55 | OUTPUT=$($TEST_SCRIPT_CMD) 56 | 57 | # Check if download_pkgs output was ran 58 | EXPECTED_OUTPUT="*Running download_pkgs script*" 59 | if [ "${OUTPUT/$EXPECTED_OUTPUT}" = "$OUTPUT" ] ; then 60 | die "Expected download_pkgs script to run. However it did not" 61 | else 62 | echo "download_pkgs script ran as expected" 63 | fi 64 | 65 | # Test if downloaded pakcages.tar is copied to the store 66 | PUT_FILE="$GIT_ROOT/$TEST_STORE/$DATE/packages.tar" 67 | if [ ! -f "$PUT_FILE" ]; then 68 | die "Expected file $PUT_FILE to be present. However its not." 69 | fi 70 | 71 | # Run Bazel build target once again and this time download_pkgs script should 72 | # not run 73 | bazel clean 74 | OUTPUT=$($TEST_SCRIPT_CMD) 75 | # Check if download_pkgs output was ran 76 | if [ "${OUTPUT/$EXPECTED_OUTPUT}" = "$OUTPUT" ] ; then 77 | echo "download_pkgs script did not run as expected" 78 | else 79 | die "download_pkgs script ran. However it should not have!" 80 | fi 81 | 82 | -------------------------------------------------------------------------------- /tests/presubmit/presubmit.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -ex 3 | # shellcheck source=/dev/null 4 | source "$KOKORO_GFILE_DIR/common.sh" 5 | sudo chmod +x "$KOKORO_GFILE_DIR/verify-commits.sh" 6 | 7 | # Grab the latest version of shellcheck and add it to PATH 8 | sudo cp "$KOKORO_GFILE_DIR"/shellcheck-latest.linux /usr/local/bin/shellcheck 9 | sudo chmod +x /usr/local/bin/shellcheck 10 | 11 | pushd github/debian-docker 12 | # This is what travis currently does. Let's test what's faster. 
13 | make test 14 | popd 15 | 16 | "$KOKORO_GFILE_DIR"/verify-commits.sh 17 | -------------------------------------------------------------------------------- /tests/store/BUILD: -------------------------------------------------------------------------------- 1 | package(default_visibility = ["//visibility:public"]) 2 | -------------------------------------------------------------------------------- /tests/store/git/BUILD: -------------------------------------------------------------------------------- 1 | package(default_visibility = ["//visibility:public"]) 2 | 3 | py_test( 4 | name = "git_test", 5 | srcs = ["git_test.py"], 6 | deps = [ 7 | "//store/git", 8 | ], 9 | ) 10 | -------------------------------------------------------------------------------- /tests/ubuntu/BUILD: -------------------------------------------------------------------------------- 1 | package(default_visibility = ["//visibility:public"]) 2 | 3 | exports_files(glob(["*.yaml"])) 4 | 5 | load("@io_bazel_rules_docker//contrib:test.bzl", "container_test") 6 | 7 | container_test( 8 | name = "ubuntu_test", 9 | configs = [":ubuntu_test.yaml"], 10 | image = "//ubuntu:ubuntu_16_0_4", 11 | ) 12 | 13 | container_test( 14 | name = "ubuntu_18_test", 15 | configs = [":ubuntu_18_test.yaml"], 16 | image = "//ubuntu:bootstrap_ubuntu_18_0_4", 17 | ) 18 | -------------------------------------------------------------------------------- /tests/ubuntu/ubuntu_18_test.yaml: -------------------------------------------------------------------------------- 1 | schemaVersion: '2.0.0' 2 | commandTests: 3 | - name: 'path' 4 | command: 'sh' 5 | args: ['-c', 'echo $PATH'] 6 | expectedOutput: ['/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'] 7 | - name: 'curl installed' 8 | command: 'dpkg' 9 | args: ['-l', 'curl'] 10 | excludedOutput: ['.*no packages found matching.*'] 11 | - name: 'ca-certificates installed' 12 | command: 'dpkg' 13 | args: ['-l', 'ca-certificates'] 14 | excludedOutput: ['.*no packages found 
matching.*'] 15 | - name: 'netbase installed' 16 | command: 'dpkg' 17 | args: ['-l', 'netbase'] 18 | excludedOutput: ['.*no packages found matching.*'] 19 | fileContentTests: 20 | - name: 'Ubuntu Distro Check' 21 | expectedContents: ['.*NAME="Ubuntu".*', '.*VERSION="18.04.2 LTS \(Bionic Beaver\)".*'] 22 | path: '/etc/os-release' 23 | fileExistenceTests: 24 | - name: 'Root' 25 | path: '/' 26 | shouldExist: true 27 | permissions: 'drwxr-xr-x' 28 | metadataTest: 29 | cmd: ["/bin/sh", "-c"] 30 | -------------------------------------------------------------------------------- /tests/ubuntu/ubuntu_test.yaml: -------------------------------------------------------------------------------- 1 | schemaVersion: '2.0.0' 2 | commandTests: 3 | - name: 'curl installed' 4 | command: 'dpkg' 5 | args: ['-l', 'curl'] 6 | excludedOutput: ['.*no packages found matching.*'] 7 | - name: 'ca-certificates installed' 8 | command: 'dpkg' 9 | args: ['-l', 'ca-certificates'] 10 | excludedOutput: ['.*no packages found matching.*'] 11 | - name: 'netbase installed' 12 | command: 'dpkg' 13 | args: ['-l', 'netbase'] 14 | excludedOutput: ['.*no packages found matching.*'] 15 | fileContentTests: 16 | - name: 'Ubuntu Distro Check' 17 | expectedContents: ['.*ubuntu.*'] 18 | path: '/etc/os-release' 19 | fileExistenceTests: 20 | - name: 'Root' 21 | path: '/' 22 | shouldExist: true 23 | permissions: 'drwxr-xr-x' 24 | metadataTest: 25 | cmd: [] 26 | env: 27 | - key: PATH 28 | value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 29 | - key: DEBIAN_FRONTEND 30 | value: noninteractive 31 | -------------------------------------------------------------------------------- /ubuntu/16_0_4/builds/20190301/packages.tar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleContainerTools/base-images-docker/690c304c5c7b4f83e731f2c47bb7a94519dbb463/ubuntu/16_0_4/builds/20190301/packages.tar 
-------------------------------------------------------------------------------- /ubuntu/18_0_4/builds/20190301/packages.tar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleContainerTools/base-images-docker/690c304c5c7b4f83e731f2c47bb7a94519dbb463/ubuntu/18_0_4/builds/20190301/packages.tar -------------------------------------------------------------------------------- /ubuntu/Dockerfile.ubuntu: -------------------------------------------------------------------------------- 1 | FROM bazel/reproducible:ubuntu_vanilla 2 | RUN apt-get update -y && \ 3 | apt-get upgrade -y && \ 4 | apt-get install --no-install-recommends -y -q \ 5 | curl \ 6 | netbase \ 7 | ca-certificates && \ 8 | apt-get clean && \ 9 | rm /var/lib/apt/lists/*_* 10 | -------------------------------------------------------------------------------- /ubuntu/README.md: -------------------------------------------------------------------------------- 1 | Ubuntu Image 2 | =========================== 3 | 4 | Source for the Google-maintained Ubuntu container images. 5 | This [docker](https://docker.io) image bundles the stable 6 | [Ubuntu](https://www.ubuntu.com) distribution suite, 7 | with a few essential packages installed. 8 | 9 | This image is available at `gcr.io/gcp-runtimes/ubuntu_16_0_4:latest`. 10 | -------------------------------------------------------------------------------- /ubuntu/images_release.yaml: -------------------------------------------------------------------------------- 1 | steps: 2 | - name: 'ubuntu' 3 | args: ['chmod', 'a+rx', '-R', '/workspace'] 4 | # Run the bazel image with docker run to ensure workspace gets mounted in correctly. 
5 | - name: 'gcr.io/cloud-builders/docker:latest' 6 | args: ['run', '-w', '/workspace', 7 | '-v', '/workspace:/workspace', 8 | '-v', '/var/run:/var/run', 9 | 'gcr.io/cloud-builders/bazel:latest', 10 | 'run', '//ubuntu:bootstrap_${_IMAGE}', 11 | '--incompatible_disable_deprecated_attr_params=false', 12 | '--incompatible_new_actions_api=false', 13 | '--incompatible_no_support_tools_in_action_inputs=false', 14 | '--host_force_python=PY2', 15 | '--action_env=GIT_ROOT=/workspace', 16 | '--sandbox_writable_path=/workspace'] 17 | - name: gcr.io/cloud-builders/docker:latest 18 | args: ['tag', 'bazel/ubuntu:bootstrap_${_IMAGE}', 19 | 'gcr.io/gcp-runtimes/${_IMAGE}:${COMMIT_SHA}'] 20 | images: ['gcr.io/gcp-runtimes/${_IMAGE}'] 21 | -------------------------------------------------------------------------------- /ubuntu/overlay/etc/apt/apt.conf.d/apt-retry: -------------------------------------------------------------------------------- 1 | # Retry apt failures 3 times. See here for more information: https://linux.die.net/man/5/apt.conf 2 | Acquire::Retries 3; 3 | -------------------------------------------------------------------------------- /ubuntu/overlay/etc/apt/apt.conf.d/docker-autoremove-suggests: -------------------------------------------------------------------------------- 1 | # Since Docker users are looking for the smallest possible final images, the 2 | # following emerges as a very common pattern: 3 | 4 | # RUN apt-get update \ 5 | # && apt-get install -y \ 6 | # && \ 7 | # && apt-get purge -y --auto-remove 8 | 9 | # By default, APT will actually _keep_ packages installed via Recommends or 10 | # Depends if another package Suggests them, even and including if the package 11 | # that originally caused them to be installed is removed. Setting this to 12 | # "false" ensures that APT is appropriately aggressive about removing the 13 | # packages it added. 
14 | 15 | # https://aptitude.alioth.debian.org/doc/en/ch02s05s05.html#configApt-AutoRemove-SuggestsImportant 16 | Apt::AutoRemove::SuggestsImportant "false"; 17 | -------------------------------------------------------------------------------- /ubuntu/overlay/etc/apt/apt.conf.d/docker-clean: -------------------------------------------------------------------------------- 1 | # Since for most Docker users, package installs happen in "docker build" steps, 2 | # they essentially become individual layers due to the way Docker handles 3 | # layering, especially using CoW filesystems. What this means for us is that 4 | # the caches that APT keeps end up just wasting space in those layers, making 5 | # our layers unnecessarily large (especially since we'll normally never use 6 | # these caches again and will instead just "docker build" again and make a brand 7 | # new image). 8 | 9 | # Ideally, these would just be invoking "apt-get clean", but in our testing, 10 | # that ended up being cyclic and we got stuck on APT's lock, so we get this fun 11 | # creation that's essentially just "apt-get clean". 12 | DPkg::Post-Invoke { "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"; }; 13 | APT::Update::Post-Invoke { "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"; }; 14 | 15 | Dir::Cache::pkgcache ""; 16 | Dir::Cache::srcpkgcache ""; 17 | 18 | # Note that we do realize this isn't the ideal way to do this, and are always 19 | # open to better suggestions (https://github.com/docker/docker/issues). 20 | -------------------------------------------------------------------------------- /ubuntu/overlay/etc/apt/apt.conf.d/docker-gzip-indexes: -------------------------------------------------------------------------------- 1 | # Since Docker users using "RUN apt-get update && apt-get install -y ..." 
in 2 | # their Dockerfiles don't go delete the lists files afterwards, we want them to 3 | # be as small as possible on-disk, so we explicitly request "gz" versions and 4 | # tell Apt to keep them gzipped on-disk. 5 | 6 | # For comparison, an "apt-get update" layer without this on a pristine 7 | # "debian:wheezy" base image was "29.88 MB", where with this it was only 8 | # "8.273 MB". 9 | 10 | Acquire::GzipIndexes "true"; 11 | Acquire::CompressionTypes::Order:: "gz"; 12 | -------------------------------------------------------------------------------- /ubuntu/overlay/etc/apt/apt.conf.d/docker-no-languages: -------------------------------------------------------------------------------- 1 | # In Docker, we don't often need the "Translations" files, so we're just wasting 2 | # time and space by downloading them, and this inhibits that. For users that do 3 | # need them, it's a simple matter to delete this file and "apt-get update". :) 4 | 5 | Acquire::Languages "none"; 6 | -------------------------------------------------------------------------------- /ubuntu/overlay/etc/apt/dpkg/dpkg.cfg.d/docker-apt-speedup: -------------------------------------------------------------------------------- 1 | force-unsafe-io 2 | -------------------------------------------------------------------------------- /ubuntu/overlay/etc/apt/sources.list: -------------------------------------------------------------------------------- 1 | # See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to 2 | # newer versions of the distribution. 3 | deb http://archive.ubuntu.com/ubuntu/ xenial main restricted 4 | # deb-src http://archive.ubuntu.com/ubuntu/ xenial main restricted 5 | 6 | ## Major bug fix updates produced after the final release of the 7 | ## distribution. 8 | deb http://archive.ubuntu.com/ubuntu/ xenial-updates main restricted 9 | # deb-src http://archive.ubuntu.com/ubuntu/ xenial-updates main restricted 10 | 11 | ## N.B. 
software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu 12 | ## team. Also, please note that software in universe WILL NOT receive any 13 | ## review or updates from the Ubuntu security team. 14 | deb http://archive.ubuntu.com/ubuntu/ xenial universe 15 | deb-src http://archive.ubuntu.com/ubuntu/ xenial universe 16 | deb http://archive.ubuntu.com/ubuntu/ xenial-updates universe 17 | deb-src http://archive.ubuntu.com/ubuntu/ xenial-updates universe 18 | 19 | ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu 20 | ## team, and may not be under a free licence. Please satisfy yourself as to 21 | ## your rights to use the software. Also, please note that software in 22 | ## multiverse WILL NOT receive any review or updates from the Ubuntu 23 | ## security team. 24 | deb http://archive.ubuntu.com/ubuntu/ xenial multiverse 25 | # deb-src http://archive.ubuntu.com/ubuntu/ xenial multiverse 26 | deb http://archive.ubuntu.com/ubuntu/ xenial-updates multiverse 27 | # deb-src http://archive.ubuntu.com/ubuntu/ xenial-updates multiverse 28 | 29 | ## N.B. software from this repository may not have been tested as 30 | ## extensively as that contained in the main release, although it includes 31 | ## newer versions of some applications which may provide useful features. 32 | ## Also, please note that software in backports WILL NOT receive any review 33 | ## or updates from the Ubuntu security team. 34 | deb http://archive.ubuntu.com/ubuntu/ xenial-backports main restricted universe multiverse 35 | # deb-src http://archive.ubuntu.com/ubuntu/ xenial-backports main restricted universe multiverse 36 | 37 | ## Uncomment the following two lines to add software from Canonical's 38 | ## 'partner' repository. 39 | ## This software is not part of Ubuntu, but is offered by Canonical and the 40 | ## respective vendors as a service to Ubuntu users. 
41 | # deb http://archive.canonical.com/ubuntu xenial partner 42 | # deb-src http://archive.canonical.com/ubuntu xenial partner 43 | 44 | deb http://security.ubuntu.com/ubuntu/ xenial-security main restricted 45 | # deb-src http://security.ubuntu.com/ubuntu/ xenial-security main restricted 46 | deb http://security.ubuntu.com/ubuntu/ xenial-security universe 47 | deb-src http://security.ubuntu.com/ubuntu/ xenial-security universe 48 | deb http://security.ubuntu.com/ubuntu/ xenial-security multiverse 49 | # deb-src http://security.ubuntu.com/ubuntu/ xenial-security multiverse 50 | -------------------------------------------------------------------------------- /ubuntu/overlay/etc/machine-id: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleContainerTools/base-images-docker/690c304c5c7b4f83e731f2c47bb7a94519dbb463/ubuntu/overlay/etc/machine-id -------------------------------------------------------------------------------- /ubuntu/overlay/etc/resolv.conf: -------------------------------------------------------------------------------- 1 | nameserver 8.8.8.8 2 | nameserver 8.8.4.4 3 | -------------------------------------------------------------------------------- /ubuntu/overlay/run/systemd/container: -------------------------------------------------------------------------------- 1 | docker 2 | -------------------------------------------------------------------------------- /ubuntu/overlay/sbin/initctl: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # For most Docker users, "apt-get install" only happens during "docker build", 4 | # where starting services doesn't work and often fails in humorous ways. This 5 | # prevents those failures by stopping the services from attempting to start. 
6 | 7 | exit 0 8 | -------------------------------------------------------------------------------- /ubuntu/overlay/usr/sbin/policy-rc.d: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # For most Docker users, "apt-get install" only happens during "docker build", 4 | # where starting services doesn't work and often fails in humorous ways. This 5 | # prevents those failures by stopping the services from attempting to start. 6 | 7 | exit 101 8 | -------------------------------------------------------------------------------- /ubuntu/scripts/upload-latest.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Safely copy the latest image for an Ubuntu version to GCS 4 | # 5 | # Usage: 6 | # upload_latest.sh 16_0_4 7 | # 8 | # Debugging Usage: 9 | # bash -x upload_latest.sh 16_0_4 10 | # 11 | set -eu -o pipefail 12 | 13 | readonly VERSION=$1 14 | readonly GCS_BUCKET="ubuntu_tar" 15 | 16 | case $VERSION in 17 | 16_0_4) 18 | readonly release="xenial" 19 | ;; 20 | 18_0_4) 21 | readonly release="bionic" 22 | ;; 23 | *) 24 | echo "Unknown version: $VERSION" 25 | exit 1 26 | ;; 27 | esac 28 | 29 | readonly TMP_DIR=/tmp/${release}/$(date '+%Y-%m-%d') 30 | mkdir -p "${TMP_DIR}" 31 | cd "${TMP_DIR}" 32 | echo "Temp directory: ${TMP_DIR}" 33 | 34 | 35 | readonly base_url="https://partner-images.canonical.com/core/${release}/current" 36 | curl -OR "${base_url}/SHA256SUMS" 37 | readonly archive="ubuntu-${release}-core-cloudimg-amd64-root.tar.gz" 38 | curl -OR "${base_url}/${archive}" 39 | 40 | sha256sum --ignore-missing -c SHA256SUMS || exit 9 41 | checksum=$(sha256sum ${archive} | awk '{ print $1 }') 42 | 43 | # NOTE: Build dates are in GMT 44 | readonly build=$(TZ=Z stat -c '%y' "${archive}" | cut -d" " -f1 | sed s/-//g) 45 | readonly dest="${GCS_BUCKET}/${build}/${archive}" 46 | 47 | gsutil cp "${archive}" "gs://${dest}" 48 | 49 | echo "Copy completed! 
Here is an updated WORKSPACE entry for you:" 50 | cat <