From 772193f0dffa9ee624ce5010d36a938e5b05c0ca Mon Sep 17 00:00:00 2001 From: Lukas Vogel Date: Tue, 17 Dec 2019 17:05:25 +0100 Subject: [PATCH] perapp: Simplify Makefile Remove debug_base it isn't used. Use bazel sig_debug base image for debug SIG image. Don't require scion.stamp for bazel builds. --- docker/perapp/Makefile | 12 ++++-------- docker/perapp/base/Dockerfile.debug | 22 ---------------------- docker/perapp/debug/Dockerfile.sig | 11 +++++++++-- 3 files changed, 13 insertions(+), 32 deletions(-) delete mode 100644 docker/perapp/base/Dockerfile.debug diff --git a/docker/perapp/Makefile b/docker/perapp/Makefile index ec9157c88a..ad71d348ed 100644 --- a/docker/perapp/Makefile +++ b/docker/perapp/Makefile @@ -18,7 +18,7 @@ clean: docker image prune -f # Base images -BASE_TARGETS = app_builder debug_base +BASE_TARGETS = app_builder .PHONY: $(BASE_TARGETS) base: $(BASE_TARGETS) @@ -26,16 +26,12 @@ app_builder: hashes/app_builder hashes/app_builder: base/Dockerfile.builder hashes/scion DOCKER_ARGS="$(DOCKER_ARGS)" ./docker_build $@ $< files/ -debug_base: hashes/debug_base -hashes/debug_base: base/Dockerfile.debug hashes/scion - DOCKER_ARGS="$(DOCKER_ARGS)" ./docker_build $@ $< files/ - # App images APP_TARGETS = bazel .PHONY: $(APP_TARGETS) apps: $(APP_TARGETS) -bazel: ../_build/scion.stamp +bazel: ./build-images.sh prod DOCKER_ARGS="$(DOCKER_ARGS)" ./docker_build hashes/sig app/Dockerfile.sig @@ -44,6 +40,6 @@ DEBUG_TARGETS = bazel_debug .PHONY: $(DEBUG_TARGETS) debug: $(DEBUG_TARGETS) -bazel_debug: ../_build/scion.stamp debug_base +bazel_debug: ./build-images.sh debug - DOCKER_ARGS="$(DOCKER_ARGS)" ./docker_build hashes/sig_debug app/Dockerfile.sig + DOCKER_ARGS="$(DOCKER_ARGS)" ./docker_build hashes/sig_debug debug/Dockerfile.sig diff --git a/docker/perapp/base/Dockerfile.debug b/docker/perapp/base/Dockerfile.debug deleted file mode 100644 index 2975c678d2..0000000000 --- a/docker/perapp/base/Dockerfile.debug +++ /dev/null 
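Review bot: The `bazel_debug` target (and `bazel` in the previous hunk) no longer declares any prerequisite, so nothing in the Makefile records that `debug/Dockerfile.sig` builds on the `scion_sig_nocap_debug:latest` image that `./build-images.sh debug` is expected to produce. A comment above the target would make that coupling explicit, for example `# build-images.sh debug must provide scion_sig_nocap_debug:latest; debug/Dockerfile.sig layers setcap on top of it`. The removed `base/Dockerfile.debug` verified its toybox download against a pinned SHA-256, and this patch does not show whether the bazel sig_debug base pins its debug tooling the same way, so that is worth confirming in the bazel rules. Because the base is referenced by the mutable `:latest` tag on the local daemon, `docker_build` would layer onto an older image if `build-images.sh` exits zero without refreshing it.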
@@ -1,22 +0,0 @@ -FROM scion:latest -USER root -WORKDIR /root/scion-docker -RUN DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y strace -COPY copy_package . -RUN ./copy_package strace '/usr/share' -ARG TOYBOX_VERSION=0.7.7 -ARG TOYBOX_SHA=62126936d400d6814c20ffe6153c5827397126b6df7cd81f54e18e7ac34a2d9f -RUN set -ex; \ - cd /rootfs; \ - mkdir bin; \ - curl -sSL "https://landley.net/toybox/downloads/binaries/${TOYBOX_VERSION}/toybox-x86_64" > bin/toybox; \ - echo "${TOYBOX_SHA} bin/toybox" | sha256sum -c -; \ - chmod +x bin/toybox; \ - for i in $(bin/toybox --long); do mkdir -p "$(dirname "$i")"; ln -s /bin/toybox $i; done -# Download LICENSE -RUN set -ex; \ - curl -sSL "https://github.com/landley/toybox/blob/${TOYBOX_VERSION}/LICENSE" --create-dirs -o /rootfs/LICENSES/toybox/LICENSE - -# Copy strace and toybox -FROM scratch -COPY --from=0 /rootfs / diff --git a/docker/perapp/debug/Dockerfile.sig b/docker/perapp/debug/Dockerfile.sig index ad70f76a0b..912581ae98 100644 --- a/docker/perapp/debug/Dockerfile.sig +++ b/docker/perapp/debug/Dockerfile.sig @@ -1,2 +1,9 @@ -FROM scion_sig:latest -COPY --from=scion_debug_base:latest / / +# Bazel doesn't have support for adding capabilities to binaries. +# Instead, we create a layer on top of bazel-generated image that +# adds the capabilities as needed. +# For alternative ideas on how to solve this see: +# https://github.com/bazelbuild/rules_docker/issues/752 +# NOTE: this process needs explicit CAP_NET_ADMIN from docker. +# E.g. with `cap_add: NET_ADMIN` from docker-compose. +FROM scion_sig_nocap_debug:latest +RUN ["setcap", "cap_net_admin+ei", "/app/sig"]
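Review bot: `setcap cap_net_admin+ei` sets only the effective and inheritable file bits, not permitted, so `/app/sig` raises CAP_NET_ADMIN only when the process executing it already holds that capability in its inheritable set. The NOTE in the header says docker must grant NET_ADMIN, but not that the result also depends on the inheritable set and on the user the image runs as. I would extend the comment with something like `# +ei without +p: the capability is inherited from the caller, never granted by the file itself; verify with getcap /app/sig`. If a runtime starts the container process as non-root with an empty inheritable set, the binary would presumably run without NET_ADMIN, so the behaviour should be confirmed on the runtime versions in use. The exec-form `RUN` also assumes a `setcap` binary is present in `scion_sig_nocap_debug:latest`, which this patch does not show.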