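FROM public.ecr.aws/amazonlinux/amazonlinux:2 AS builder

# Install build dependencies for the package(s) below.
RUN yum -y install \
      autoconf \
      automake \
      bison \
      gettext-devel \
      libtool \
      make \
      pkgconfig \
      tar \
      xz \
    && rm -rf /var/cache/yum

COPY ./sdk-fetch /usr/local/bin

ARG utillinux_version=2.38.1

# Explicit absolute path: HOME is not declared via ARG/ENV in this file, so a
# "${HOME}" reference here is not guaranteed to expand. This stage is discarded,
# so the exact location is immaterial.
WORKDIR /build
COPY ./hashes/util-linux ./hashes
# sdk-fetch retrieves the tarball listed in ./hashes (presumably checking it
# against the recorded hash -- see sdk-fetch) before it is unpacked.
RUN sdk-fetch hashes \
    && tar -xf "util-linux-${utillinux_version}.tar.xz" \
    && rm "util-linux-${utillinux_version}.tar.xz" hashes

# Build the util-linux `script` binary (used for SSM session logging) and `lscpu`.
# Only the two targets below are built; everything else in util-linux is skipped.
WORKDIR /build/util-linux-${utillinux_version}
RUN ./autogen.sh \
    && ./configure \
         --disable-makeinstall-chown \
         --disable-nls \
         --disable-rpath \
         --prefix=/opt/util-linux \
         --without-audit \
         --without-python \
         --without-readline \
         --without-systemd \
         --without-udev \
         --without-utempter \
    || { cat config.log; exit 1; }
RUN make -j"$(nproc)" lscpu script
RUN make install-strip
RUN mkdir -p /usr/share/licenses/util-linux \
    && cp -p \
         Documentation/licenses/COPYING.BSD-4-Clause-UC \
         Documentation/licenses/COPYING.GPL-2.0-or-later \
         Documentation/licenses/COPYING.LGPL-2.1-or-later \
         /usr/share/licenses/util-linux

FROM public.ecr.aws/amazonlinux/amazonlinux:2

# IMAGE_VERSION is the assigned version of inputs for this image.
ARG IMAGE_VERSION
ENV IMAGE_VERSION=$IMAGE_VERSION

# SSM_AGENT_VERSION is the version of the SSM Agent RPM installed below.
ARG SSM_AGENT_VERSION
ENV SSM_AGENT_VERSION=$SSM_AGENT_VERSION

# Validation: both versions must be supplied at build time.
RUN : \
    "${IMAGE_VERSION:?IMAGE_VERSION is required to build}" \
    "${SSM_AGENT_VERSION:?SSM Agent version required to build}"

LABEL "org.opencontainers.image.version"="$IMAGE_VERSION"

# Copy util-linux binaries and dependencies
COPY --from=builder /opt/util-linux/bin/lscpu /opt/util-linux/bin/script \
    /opt/util-linux/bin/
COPY --from=builder /opt/util-linux/include/libsmartcols \
    /opt/util-linux/include/libsmartcols
COPY --from=builder /opt/util-linux/lib/libsmartcols* \
    /opt/util-linux/lib/
COPY --from=builder /usr/share/licenses/util-linux \
    /usr/share/licenses/util-linux
RUN ln -s /opt/util-linux/bin/* /usr/bin

# Validate that the copied binaries actually run in this image (e.g. catches a
# missing shared library). POSIX redirection is used since `&>` is a bash-ism.
RUN /usr/bin/lscpu >/dev/null 2>&1
RUN /usr/bin/script --version >/dev/null 2>&1

# Install the arch specific build of SSM agent *and confirm that it installed* -
# yum will allow architecture-mismatched packages to not install and consider
# the run successful.
# SSM Agent is downloaded from eu-north-1 as this region gets new releases of SSM Agent first.
#
# Supply-chain checks on the download, in order:
#   1. the RPM's sha512 must match the entry committed in ./hashes/ssm -- this is
#      the authoritative pin on the content;
#   2. the RPM signature is verified against the vendored Amazon SSM public key.
# NOTE: `rpm --checksig` exits 0 for an *unsigned* package whose digests are
# intact, so step 2 alone would not reject an unsigned RPM; step 1 is what pins it.
# curl: -f fails on HTTP errors instead of saving an error page; --proto '=https'
# refuses any redirect off HTTPS; pipefail makes a failed grep fail the hash check
# explicitly rather than relying on sha512sum rejecting empty input.
COPY ./hashes/ssm ./hashes
COPY ./gpg-keys/amazon-ssm-agent.gpg ./amazon-ssm-agent.gpg
RUN set -o pipefail \
    && ARCH=$(uname -m | sed -e 's/aarch64/arm64/' -e 's/x86_64/amd64/') \
    && RPM="amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" \
    && curl -fsSL --proto '=https' \
         "https://s3.eu-north-1.amazonaws.com/amazon-ssm-eu-north-1/${SSM_AGENT_VERSION}/linux_${ARCH}/amazon-ssm-agent.rpm" \
         -o "${RPM}" \
    && grep "${RPM}" hashes | sha512sum --check - \
    && rpm --import amazon-ssm-agent.gpg \
    && rpm --checksig "${RPM}" \
    # Full update of the base layer; hadolint DL3005 prefers bumping the base
    # image tag/digest instead. Kept as-is since the pinned tag is a major only.
    && yum update -y \
    && yum install -y jq screen shadow-utils \
    && yum install -y "${RPM}" \
    && rm "${RPM}" \
    && rm -rf /var/cache/yum ./hashes ./amazon-ssm-agent.gpg \
    # rmdir doubles as the install confirmation: it fails if the package did not
    # create /var/lib/amazon/ssm. The directory is then replaced by a link into the
    # host-container state so agent data persists across container restarts.
    && rmdir /var/lib/amazon/ssm \
    && ln -snf /.bottlerocket/host-containers/current/ssm /var/lib/amazon/ssm

# Add motd explaining the control container.
RUN rm -f /etc/motd /etc/issue
COPY --chown=root:root motd /etc/

# Add custom PS1 to show you are in the control container.
ARG CUSTOM_PS1='[\u@control]\$ '
RUN echo "PS1='$CUSTOM_PS1'" > "/etc/profile.d/bottlerocket-ps1.sh"

# Add bashrc that shows the motd.
COPY ./bashrc /etc/skel/.bashrc

# SSM starts sessions with 'sh', not 'bash', which for us is a link to bash.
# Furthermore, it starts sh as an interactive shell, but not a login shell.
# In this mode, the only startup file respected is the one pointed to by the
# ENV environment variable. Point it to our bashrc, which just prints motd.
# (key=value form; the space-separated ENV form is deprecated.)
ENV ENV=/etc/skel/.bashrc

# Add our helpers to quickly interact with the admin container.
COPY --chmod=755 \
    ./disable-admin-container \
    ./enable-admin-container \
    ./enter-admin-container \
    /usr/bin/

# Create our user in the group that allows API access.
RUN groupadd -g 274 api \
    && useradd -m -G users,api ssm-user

# No USER switch: the image stays root for the agent process started by
# start_control_ssm.sh; interactive sessions presumably run as the ssm-user
# created above -- confirm in start_control_ssm.sh.
COPY --chmod=755 start_control_ssm.sh /usr/sbin/
CMD ["/usr/sbin/start_control_ssm.sh"]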