# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 FROM public.ecr.aws/q3k3q7c1/aws-iot-greengrass-v2:2.5.3-0 RUN yum install -y ca-certificates \ # Workaround for golang not producing a static ctr binary on Go 1.15 and up https://github.com/containerd/containerd/issues/5824 yum install -y libc6-compat \ # DOCKER_HOST=ssh://... -- https://github.com/docker/cli/pull/1014 yum install -y openssh-client ENV DOCKER_VERSION 20.10.12 RUN set -eux; \ \ apkArch="$(arch)"; \ case "$apkArch" in \ 'x86_64') \ url='https://download.docker.com/linux/static/stable/x86_64/docker-20.10.12.tgz'; \ ;; \ 'armhf') \ url='https://download.docker.com/linux/static/stable/armel/docker-20.10.12.tgz'; \ ;; \ 'armv7') \ url='https://download.docker.com/linux/static/stable/armhf/docker-20.10.12.tgz'; \ ;; \ 'aarch64') \ url='https://download.docker.com/linux/static/stable/aarch64/docker-20.10.12.tgz'; \ ;; \ *) echo >&2 "error: unsupported architecture ($apkArch)"; exit 1 ;; \ esac; \ \ wget -O docker.tgz "$url"; \ \ tar --extract \ --file docker.tgz \ --strip-components 1 \ --directory /usr/local/bin/ \ ; \ rm docker.tgz; \ \ dockerd --version; \ docker --version COPY "modprobe.sh" /usr/local/bin/modprobe COPY docker-entrypoint.sh /usr/local/bin/ COPY dockerd-entrypoint.sh /usr/local/bin/ # https://github.com/docker-library/docker/pull/166 # dockerd-entrypoint.sh uses DOCKER_TLS_CERTDIR for auto-generating TLS certificates # docker-entrypoint.sh uses DOCKER_TLS_CERTDIR for auto-setting DOCKER_TLS_VERIFY and DOCKER_CERT_PATH # (For this to work, at least the "client" subdirectory of this path needs to be shared between the client and server containers via a volume, "docker cp", or other means of data sharing.) ENV DOCKER_TLS_CERTDIR=/certs # also, ensure the directory pre-exists and has wide enough permissions for "dockerd-entrypoint.sh" to create subdirectories, even when run in "rootless" mode RUN mkdir /certs /certs/client && chmod 1777 /certs /certs/client # (doing both /certs and /certs/client so that if Docker does a "copy-up" into a volume defined on /certs/client, it will "do the right thing" by default in a way that still works for rootless users) RUN set -eux; \ yum install -y btrfs-progs \ yum install -y e2fsprogs \ yum install -y e2fsprogs-extra \ yum install -y ip6tables \ yum install -y iptables \ yum install -y openssl \ yum install -y shadow-uidmap \ yum install -y xfsprogs \ yum install -y xz \ yum install -y pigz \ yum install shadow-utils.x86_64 -y \ yum install shadow-utils -y \ ; \ # only install zfs if it's available for the current architecture # https://git.alpinelinux.org/cgit/aports/tree/main/zfs/APKBUILD?h=3.6-stable#n9 ("all !armhf !ppc64le" as of 2017-11-01) # "apk info XYZ" exits with a zero exit code but no output when the package exists but not for this arch if zfs="$(yum info --quiet zfs)" && [ -n "$zfs" ]; then \ yum install -y --no-cache zfs; \ fi # set up subuid/subgid so that "--userns-remap=default" works out-of-the-box RUN set -eux; \ groupadd -r dockremap; \ useradd -g dockremap dockremap; \ echo 'dockremap:165536:65536' >> /etc/subuid; \ echo 'dockremap:165536:65536' >> /etc/subgid # https://github.com/docker/docker/tree/master/hack/dind ENV DIND_COMMIT 42b1175eda071c0e9121e1d64345928384a93df1 RUN set -eux; \ wget -O /usr/local/bin/dind "https://raw.githubusercontent.com/docker/docker/${DIND_COMMIT}/hack/dind"; \ chmod +x /usr/local/bin/dind VOLUME /var/lib/docker EXPOSE 2375 2376 #RUN chmod +x /usr/local/bin/docker-entrypoint.sh && /usr/local/bin/dockerd-entrypoint.sh ENTRYPOINT ["/bin/sh", "-c"] CMD ["docker-entrypoint.sh && dockerd-entrypoint.sh & exec /greengrass-entrypoint.sh"]