Base entrypoint image on distroless

The only reason it was based on busybox was to have access to `cp`, which it used to copy its binary to /tekton/tools for use in later steps. Instead of relying on `cp`, this adds a "cp mode" to the entrypoint binary itself. When invoked with the positional args `cp <src> <dst>`, it copies src to dst using Go's os and io packages.
tektoncd · May 7, 2020 · d51fa66 · d51fa66
1 parent 4280425
commit d51fa66
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 10 deletions.
diff --git a/.ko.yaml b/.ko.yaml
@@ -1,4 +1,3 @@
 baseImageOverrides:
   github.com/tektoncd/pipeline/cmd/creds-init: gcr.io/tekton-nightly/github.com/tektoncd/pipeline/build-base:latest
   github.com/tektoncd/pipeline/cmd/git-init: gcr.io/tekton-nightly/github.com/tektoncd/pipeline/build-base:latest
-  github.com/tektoncd/pipeline/cmd/entrypoint: busybox  # image must have `cp` in $PATH
diff --git a/cmd/entrypoint/main.go b/cmd/entrypoint/main.go
@@ -18,6 +18,7 @@ package main
 
 import (
 	"flag"
+	"io"
 	"log"
 	"os"
 	"os/exec"
@@ -39,9 +40,41 @@ var (
 	waitPollingInterval = time.Second
 )
 
+func cp(src, dst string) error {
+	s, err := os.Open(src)
+	if err != nil {
+		return err
+	}
+	defer s.Close()
+
+	// Owner has permission to write and execute, and anybody has
+	// permission to execute.
+	d, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE, 0311)
+	if err != nil {
+		return err
+	}
+	defer d.Close()
+
+	_, err = io.Copy(d, s)
+	return err
+}
+
 func main() {
 	flag.Parse()
 
+	// If invoked in "cp mode" (`entrypoint cp <src> <dst>`), simply copy
+	// the src path to the dst path. This is used to place the entrypoint
+	// binary in the tools directory, without requiring the cp command to
+	// exist in the base image.
+	if len(flag.Args()) == 3 && flag.Args()[0] == "cp" {
+		src, dst := flag.Args()[1], flag.Args()[2]
+		if err := cp(src, dst); err != nil {
+			log.Fatal(err)
+		}
+		log.Println("Copied", src, "to", dst)
+		return
+	}
+
 	e := entrypoint.Entrypointer{
 		Entrypoint:      *ep,
 		WaitFiles:       strings.Split(*waitFiles, ","),

diff --git a/pkg/pod/entrypoint.go b/pkg/pod/entrypoint.go
@@ -88,9 +88,11 @@ var (
 // TODO(#1605): Also use entrypoint injection to order sidecar start/stop.
 func orderContainers(entrypointImage string, steps []corev1.Container, results []v1alpha1.TaskResult) (corev1.Container, []corev1.Container, error) {
 	initContainer := corev1.Container{
-		Name:         "place-tools",
-		Image:        entrypointImage,
-		Command:      []string{"cp", "/ko-app/entrypoint", entrypointBinary},
+		Name:  "place-tools",
+		Image: entrypointImage,
+		// Invoke the entrypoint binary in "cp mode" to copy itself
+		// into the correct location for later steps.
+		Command:      []string{"/ko-app/entrypoint", "cp", "/ko-app/entrypoint", entrypointBinary},
 		VolumeMounts: []corev1.VolumeMount{toolsMount},
 	}
 

diff --git a/pkg/pod/entrypoint_test.go b/pkg/pod/entrypoint_test.go
@@ -97,7 +97,7 @@ func TestOrderContainers(t *testing.T) {
 	wantInit := corev1.Container{
 		Name:         "place-tools",
 		Image:        images.EntrypointImage,
-		Command:      []string{"cp", "/ko-app/entrypoint", entrypointBinary},
+		Command:      []string{"/ko-app/entrypoint", "cp", "/ko-app/entrypoint", entrypointBinary},
 		VolumeMounts: []corev1.VolumeMount{toolsMount},
 	}
 	if d := cmp.Diff(wantInit, gotInit); d != "" {

diff --git a/pkg/pod/pod_test.go b/pkg/pod/pod_test.go
@@ -62,7 +62,7 @@ func TestMakePod(t *testing.T) {
 	placeToolsInit := corev1.Container{
 		Name:         "place-tools",
 		Image:        images.EntrypointImage,
-		Command:      []string{"cp", "/ko-app/entrypoint", "/tekton/tools/entrypoint"},
+		Command:      []string{"/ko-app/entrypoint", "cp", "/ko-app/entrypoint", "/tekton/tools/entrypoint"},
 		VolumeMounts: []corev1.VolumeMount{toolsMount},
 	}
 
@@ -609,7 +609,7 @@ script-heredoc-randomly-generated-78c5n
 				{
 					Name:         "place-tools",
 					Image:        images.EntrypointImage,
-					Command:      []string{"cp", "/ko-app/entrypoint", "/tekton/tools/entrypoint"},
+					Command:      []string{"/ko-app/entrypoint", "cp", "/ko-app/entrypoint", "/tekton/tools/entrypoint"},
 					VolumeMounts: []corev1.VolumeMount{toolsMount},
 				}},
 			Containers: []corev1.Container{{

diff --git a/pkg/reconciler/taskrun/taskrun_test.go b/pkg/reconciler/taskrun/taskrun_test.go
@@ -30,7 +30,6 @@ import (
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
-
 	podconvert "github.com/tektoncd/pipeline/pkg/pod"
 	"github.com/tektoncd/pipeline/pkg/reconciler/taskrun/resources/cloudevent"
 	ttesting "github.com/tektoncd/pipeline/pkg/reconciler/testing"
@@ -40,7 +39,6 @@ import (
 	test "github.com/tektoncd/pipeline/test/v1alpha1"
 	corev1 "k8s.io/api/core/v1"
 	k8sapierrors "k8s.io/apimachinery/pkg/api/errors"
-
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -241,7 +239,7 @@ var (
 
 	getPlaceToolsInitContainer = func(ops ...tb.ContainerOp) tb.PodSpecOp {
 		actualOps := []tb.ContainerOp{
-			tb.Command("cp", "/ko-app/entrypoint", entrypointLocation),
+			tb.Command("/ko-app/entrypoint", "cp", "/ko-app/entrypoint", entrypointLocation),
 			tb.VolumeMount("tekton-internal-tools", "/tekton/tools"),
 			tb.Args(),
 		}