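# SDK_IMAGE has no default: the Bottlerocket SDK image must be supplied with
# --build-arg. It provides the musl cross targets and the license-scan tool
# used in this stage.
ARG SDK_IMAGE
FROM ${SDK_IMAGE} AS rust-builder
ARG UNAME_ARCH
USER root
# Keep cargo's registry/cache inside the source tree so the `cargo fetch` below
# populates exactly what the --offline builds that follow will read.
ENV CARGO_HOME=/src/.cargo

# Add sources. This is a local directory, so COPY does exactly what ADD did
# here, minus ADD's archive-extraction and remote-URL behaviours (DL3020).
COPY ./sources /src/

# Fetch dependencies (lockfile-pinned) - the only step that needs network.
RUN cargo fetch --locked --manifest-path /src/corgid/Cargo.toml

# Set bindgen clang arguments for musl compilation
ENV BINDGEN_EXTRA_CLANG_ARGS="--target=${UNAME_ARCH}-bottlerocket-linux-musl --sysroot=/${UNAME_ARCH}-bottlerocket-linux-musl/sys-root"

# Build corgid statically linked with musl (installed under /output/bin)
RUN cargo install --offline --locked --target ${UNAME_ARCH}-bottlerocket-linux-musl --path /src/corgid --root /output

# Build corgid with FIPS crypto (installed under /output-fips/bin)
RUN cargo install --offline --locked --target ${UNAME_ARCH}-bottlerocket-linux-musl --features fips --path /src/corgid --root /output-fips

# Gather licenses of dependencies into /licenses for the final image
RUN /usr/libexec/tools/bottlerocket-license-scan \
    --clarify /src/clarify.toml \
    --spdx-data /usr/libexec/tools/spdx-data \
    --out-dir /licenses \
    cargo --offline --locked /src/corgid/Cargo.toml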
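FROM public.ecr.aws/amazonlinux/amazonlinux:2023 AS builder

# The extraction step below is a shell pipeline; with the default shell a failed
# rpm2cpio is masked by cpio's exit status (DL4006). This SHELL applies only to
# this throwaway stage and does not reach the final image.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

RUN dnf upgrade -y --releasever=latest && \
    dnf install -y \
        'dnf-command(download)' \
        cpio

WORKDIR /root/build/util-linux

# Download the util-linux rpm and unpack it here without installing it; the
# final stage copies lscpu, script and the license files out of this tree.
RUN dnf download util-linux && \
    rpm2cpio util-linux-*.rpm | cpio -idmv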
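FROM public.ecr.aws/amazonlinux/amazonlinux:2023

# Final (control container) image. No USER is set in this stage, so CMD runs as
# the base image's default user (root); the ssm-user account created near the
# end is only added as a member of the `api` group.

# IMAGE_VERSION is the assigned version from input for this image.
ARG IMAGE_VERSION
ENV IMAGE_VERSION=$IMAGE_VERSION

# SSM_AGENT_VERSION is the assigned agent version from input for this image.
ARG SSM_AGENT_VERSION
ENV SSM_AGENT_VERSION=$SSM_AGENT_VERSION

# Validation: fail the build early if either version was not supplied.
RUN : \
    "${IMAGE_VERSION:?IMAGE_VERSION is required to build}" \
    "${SSM_AGENT_VERSION:?SSM Agent version required to build}"

LABEL "org.opencontainers.image.version"="$IMAGE_VERSION"

# Install the arch specific build of SSM agent *and confirm that it installed* -
# dnf will allow architecture-mismatched packages to not install and consider
# the run successful.
# SSM Agent is downloaded from eu-north-1 as this region gets new releases of SSM Agent first.
#
# Integrity of the downloaded rpm is pinned in the same layer, in two steps:
#   1. its sha512 must match the entry for this exact filename in ./hashes,
#      the repo-controlled list (if grep finds no entry, sha512sum --check
#      receives no checksum lines and exits non-zero, so a missing entry
#      fails the build rather than being skipped);
#   2. its rpm signature must verify against the imported amazon-ssm-agent.gpg
#      key. NOTE(review): rpm --checksig rejects a bad or unknown-key
#      signature; as far as I recall it does not reject an entirely unsigned
#      rpm, which is why the hash check is the binding control - confirm.
# curl uses --fail so an HTTP error page is never written out as the rpm; a
# bad download surfaces as a curl error instead of a later checksum mismatch.
# No WORKDIR is set, so the hash list and key land in /; the hash list is
# removed again in this layer, the (public) key file stays in the image.
# The distro-packaged agent is removed first so the pinned release is the one
# that ends up installed.
COPY ./hashes/ssm ./hashes
COPY ./gpg-keys/amazon-ssm-agent.gpg ./amazon-ssm-agent.gpg
RUN dnf upgrade -y --releasever=latest && \
    dnf install -y \
        crypto-policies-scripts \
        jq \
        libutempter \
        screen \
        shadow-utils \
    && \
    dnf remove -y amazon-ssm-agent && \
    ARCH=$(uname -m | sed 's/aarch64/arm64/' | sed 's/x86_64/amd64/') && \
    curl -fsSL "https://s3.eu-north-1.amazonaws.com/amazon-ssm-eu-north-1/${SSM_AGENT_VERSION}/linux_${ARCH}/amazon-ssm-agent.rpm" \
        -o "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" && \
    grep "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" hashes \
        | sha512sum --check - && \
    rpm --import amazon-ssm-agent.gpg && \
    rpm --checksig "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" && \
    dnf install -y "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" && \
    rm "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" && \
    rm -rf /var/cache/dnf ./hashes && \
    # Replace the agent's state directory with a link into the host-container
    # mount - presumably so agent state persists on the host; confirm.
    rmdir /var/lib/amazon/ssm && \
    ln -snf /.bottlerocket/host-containers/current/ssm /var/lib/amazon/ssm

# Copy util-linux binaries and dependencies (extracted, not installed, in the
# builder stage) together with their license files.
COPY --from=builder /root/build/util-linux/usr/bin/lscpu /root/build/util-linux/usr/bin/script \
    /opt/util-linux/bin/
COPY --from=builder /root/build/util-linux/usr/share/licenses/util-linux/COPYING.BSD-4-Clause-UC \
    /root/build/util-linux/usr/share/licenses/util-linux/COPYING.GPL-2.0-or-later \
    /root/build/util-linux/usr/share/licenses/util-linux/COPYING.LGPL-2.1-or-later \
    /usr/share/licenses/util-linux/
RUN ln -s /opt/util-linux/bin/* /usr/bin

# Copy corgid binaries (plain and FIPS builds) and licenses
COPY --from=rust-builder /output/bin/corgid /usr/sbin/corgid
COPY --from=rust-builder /output-fips/bin/corgid /usr/sbin/corgid-fips
COPY --from=rust-builder /licenses /usr/share/licenses/corgid

# Smoke-test the installed binaries: each command exits non-zero (and fails the
# build) if the binary is missing or was built for the wrong architecture.
# Validate amazon-ssm-agent binary
RUN /usr/bin/amazon-ssm-agent -version
# Validate lscpu binary
RUN /usr/bin/lscpu
# Validate script binary
RUN /usr/bin/script --version

# Add motd explaining the control container.
RUN rm -f /etc/motd /etc/issue
COPY --chown=root:root motd /etc/

# Add custom PS1 to show you are in the control container.
ARG CUSTOM_PS1='[\u@control]\$ '
RUN echo "PS1='$CUSTOM_PS1'" > "/etc/profile.d/bottlerocket-ps1.sh"

# Add bashrc that shows the motd.
COPY ./bashrc /etc/skel/.bashrc

# SSM starts sessions with 'sh', not 'bash', which for us is a link to bash.
# Furthermore, it starts sh as an interactive shell, but not a login shell.
# In this mode, the only startup file respected is the one pointed to by the
# ENV environment variable. Point it to our bashrc, which just prints motd.
ENV ENV=/etc/skel/.bashrc

# Add our helpers to quickly interact with the admin container.
COPY --chmod=755 \
    ./disable-admin-container \
    ./enable-admin-container \
    ./enter-admin-container \
    /usr/bin/

# Create our user in the group that allows API access (fixed gid 274 so the
# host-side API socket permissions line up).
RUN groupadd -g 274 api && \
    useradd -m -G users,api ssm-user

# Entrypoint script, exec form so it runs as PID 1 and receives SIGTERM.
COPY --chmod=755 start_control_ssm.sh /usr/sbin/
CMD ["/usr/sbin/start_control_ssm.sh"]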