# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # *NOTE* we have to limit our number of layers heres because in presubmits there # is no overlay fs and we will run out of space quickly ################# BUILDER ###################### ARG BASE_IMAGE=unused ARG BUILDER_IMAGE=unused ARG BUILT_BUILDER_IMAGE=unused FROM ${BUILDER_IMAGE} as builder ARG OUTPUT_DEBUG_LOG ARG TARGETARCH ARG TARGETOS COPY scripts/ /usr/bin ENV DOWNLOAD_DIR /tmp/download ENV NEWROOT / RUN set -x && \ clean_install binutils \ cpio \ findutils \ shadow-utils \ yum-utils && \ if grep -q "2023" "/etc/os-release"; then \ # by default al23 installs coreutils-single which uses a single binary # where each individual util (ex: ln) is a bash script that calls the single binary # this does not place nice with the way we handle preinstall scriptlet deps, such as ln # force installing all the individual bins yum install -y --allowerasing coreutils; \ fi && \ # restorecon is needed for the filesystem scriptlet, but it comes from # policycoreutils which bloats the builder image, just pull the bin and the necessary libs instead install_binary /usr/sbin/restorecon && \ clean_yum ENV NEWROOT /newroot WORKDIR $NEWROOT # non root user RUN mkdir -p $NEWROOT/home/nonroot && \ chown 65532:65532 $NEWROOT/home/nonroot && \ # tmp directory with correct permissions mkdir -p -m 1777 $NEWROOT/tmp COPY ${TARGETOS}-${TARGETARCH}/ / ENV FILESYSTEM_SCRIPTLET_REQS="/usr/sbin/restorecon" ENV CA_CERTIFICATES_SCRIPTLET_REQS="/usr/bin/p11-kit /usr/bin/trust /usr/share/p11-kit/modules/p11-kit-trust.module /usr/lib64/pkcs11/p11-kit-trust.so" # there is a circular dep between ca-certs and openssl, we do not include openssl in the base # and can safely remove these symlinks ENV CLEANUP_UNNECESSARY_FILES="/usr/lib/debug/usr/.dwz /etc/ssl/ct_log_list.cnf /etc/ssl/openssl.cnf" RUN set -x && \ export OUTPUT_DEBUG_LOG=${OUTPUT_DEBUG_LOG} && \ rpm --root $NEWROOT --import /etc/pki/rpm-gpg/* && \ install_rpm system-release \ setup \ filesystem \ basesystem \ tzdata \ ca-certificates && \ if grep -q "2023" "/etc/os-release"; then \ install_rpm amazon-linux-repo-cdn; \ # to ensure all downstream yum commands always resolve using the latest releasever # available at that time echo latest > /etc/dnf/vars/releasever; \ fi && \ cleanup "base" COPY files/ $NEWROOT RUN set -x && \ if grep -q "2023" "/etc/os-release"; then \ mv $NEWROOT/etc/os-release-2023 $NEWROOT/etc/os-release; \ else \ rm $NEWROOT/etc/os-release-2023; \ fi ################# BASE ######################## FROM ${BUILT_BUILDER_IMAGE} as base-builder FROM ${BASE_IMAGE} as final ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin USER 0 COPY --from=base-builder /newroot /