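# Base root filesystem; the oci-image-builder stage wraps it into an OCI-compliant
# image with umoci, so everything installed here lands in the runc bundle's rootfs.
# NOTE(review): debian:stable-slim is a moving tag; pin a codename or a digest
# if the rootfs needs to be reproducible.
FROM debian:stable-slim AS rootfs
# Not referenced by any instruction in this stage; kept as a build-arg hook.
ARG WORKDIR=/opt/data
# update + install in one layer; drop the apt lists afterwards so package indexes
# (useless at runtime) are not carried into the bundle's rootfs.
RUN apt-get update && \
    apt-get install --no-install-recommends -y \
        ansible \
        curl \
        python-pip && \
    rm -rf /var/lib/apt/lists/*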
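# Download a released umoci binary and verify it (sha256 pin + detached GPG
# signature) before any later stage runs it.
FROM alpine:3.7 AS umoci
ARG UMOCI_URL=https://github.com/openSUSE/umoci/releases/download/v0.3.1/umoci.amd64
ARG UMOCI_ASC=https://github.com/openSUSE/umoci/releases/download/v0.3.1/umoci.amd64.asc
ARG UMOCI_SHA256=68a4d5864d936bf6e3826dc0147c45f081d1c0b047cbb30f97d13df7d890dc5d
ARG GPG_KEYSERVER=keyserver.opensuse.org
# 64-bit long key ID of the release signing key. NOTE(review): a key ID is not a
# fingerprint; whoever controls the keyserver path could serve a colliding key.
# Pin the full 40-hex fingerprint (and fetch over hkps://) once it is known.
ARG GPG_KEY=9E18AA267DDB8DB4
RUN set -eu; \
    apk add --no-cache curl gnupg; \
    bin="$(basename "${UMOCI_URL}")"; \
    asc="$(basename "${UMOCI_ASC}")"; \
    gpg --batch --keyserver "${GPG_KEYSERVER}" --recv-keys "${GPG_KEY}"; \
    # -f: fail on an HTTP error instead of saving the error page as the artifact
    curl -fSL -o "${bin}" "${UMOCI_URL}"; \
    curl -fSL -o "${asc}" "${UMOCI_ASC}"; \
    # checksum first so a tampered download fails before gpg is even consulted
    echo "${UMOCI_SHA256}  ${bin}" | sha256sum -c; \
    # the keyring holds only GPG_KEY, so a good signature must come from it
    gpg --batch --verify "${asc}" "${bin}"; \
    install -m 0755 "${bin}" /usr/local/bin/umoci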
# Turn the rootfs stage into an OCI bundle with umoci (taken from the verified
# umoci stage); the final stage hands that bundle to runc.
FROM alpine:3.7 AS oci-image-builder
COPY --from=umoci /usr/local/bin/umoci /usr/local/bin/umoci
# Made explicit: the layout and the unpacked bundle live at /runner and /runner-oci.
WORKDIR /
RUN umoci init --layout runner && \
    umoci new --image runner:latest && \
    umoci unpack --image runner:latest runner-oci
# Overlay the Debian rootfs onto the (empty) unpacked image.
COPY --from=rootfs / /runner-oci/rootfs/
# Discard the generated runtime spec; presumably a hand-written config.json
# (the one the final stage's /mnt/proc comment refers to) is supplied instead.
RUN rm -f /runner-oci/config.json
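# Build runc from source (static binary), carrying a not-yet-merged cgroup fix.
FROM alpine:3.7 AS runc-builder
ARG GOPATH=/go
ARG RUNC_REPO=github.com/opencontainers/runc
# Ref checked out after `go get`; "master" keeps the previous (unpinned) behaviour.
# Pass a commit hash via --build-arg for a reproducible build.
ARG RUNC_REF=master
# Diff for https://github.com/opencontainers/runc/pull/1657, needed until it is
# merged (fixes https://github.com/opencontainers/runc/issues/1658). Its content is
# pinned only by the commit hash in the URL; TODO add a sha256 pin as done for umoci.
ARG CGROUP_FIX_URL=https://github.com/rutsky/runc/commit/05d4d1d14e82bdc68159fc8ee20e72ab63f5b3bf.diff
RUN apk add --no-cache \
        bash \
        ca-certificates \
        coreutils \
        curl \
        gcc \
        git \
        go \
        linux-headers \
        make \
        musl-dev \
        openssl && \
    mkdir -p "${GOPATH}"
# -d: fetch only; the build happens below through the project's Makefile.
RUN go get -v -d "${RUNC_REPO}"
WORKDIR ${GOPATH}/src/${RUNC_REPO}
RUN git checkout -q "${RUNC_REF}"
# -f: an HTTP error page must not be applied as the "patch"; the diff is removed
# in the same layer so it does not linger in this stage.
RUN curl -fSLo /tmp/cgroup.diff "${CGROUP_FIX_URL}" && \
    patch -p1 libcontainer/cgroups/fs/apply_raw.go /tmp/cgroup.diff && \
    rm -f /tmp/cgroup.diff
# BUILDTAGS="" drops runc's optional build tags (its default set includes seccomp),
# avoiding a libseccomp dependency; as far as I can tell a runc built this way
# cannot apply seccomp profiles — confirm that is acceptable for the workloads.
RUN make static BUILDTAGS="" && \
    cp runc /usr/local/bin/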
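# Final image: runc plus the OCI bundle. No USER is set because mounting proc
# (below) needs privilege; su-exec is installed so an entrypoint (not part of this
# file) can presumably drop to the unprivileged `test` user for the workload.
FROM alpine:3.7
COPY --from=runc-builder /usr/local/bin/runc /usr/local/bin/runc
RUN apk add --no-cache su-exec bash && \
    mkdir -p /opt/test && \
    addgroup -S test && \
    adduser -G test -S -D -h /opt/test test && \
    chown test:test /opt/test && \
    # CAP_SYS_ADMIN is still needed until https://github.com/opencontainers/runc/issues/1658
    # is fixed: proc gets mounted at /mnt/proc, the path the OCI run spec refers to.
    # The option is "relatime" — "realtime" is not a mount option and proc rejects
    # it, which would make `mount /mnt/proc` fail.
    mkdir -p /mnt/proc && \
    echo "proc /mnt/proc proc rw,relatime 0 0" >> /etc/fstab
COPY --from=oci-image-builder --chown=test:test /runner-oci/ /opt/runner/
WORKDIR /opt/test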