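# Base image. The bare "9" tag floats to whatever Rocky currently publishes under it, so
# two builds on different days can pull different content. BASE_IMAGE keeps the old
# default but lets a hardened build pass a digest-pinned reference instead, e.g.
# --build-arg BASE_IMAGE=rockylinux:9@sha256:<digest>.
ARG BASE_IMAGE=rockylinux:9
FROM ${BASE_IMAGE}
# Renovate "style" is used for some versioning. See https://docs.renovatebot.com/modules/manager/regex/#advanced-capture
# Make all shells run in a safer way: -e aborts on the first failing command, -u on any
# unset variable, -o pipefail surfaces failures inside pipelines, -x traces each command.
# Ref: https://vaneyckt.io/posts/safer_bash_scripts_with_set_euxo_pipefail/
# NOTE: -x echoes every expanded command into the build log, so credentials must never be
# handed to a RUN step through --build-arg or ENV in this file; use --mount=type=secret
# if a secret is ever needed at build time.
SHELL [ "/bin/bash", "-euxo", "pipefail", "-c" ]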
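# Install rpm packages that we need. AWS Session Manager Plugin is not published in any repo that we can use, so we grab it directly from where they publish it in S3.
# SSM_PLUGIN_VERSION is the version segment of that S3 path. The default "latest" keeps the
# previous behaviour but is a moving target; pass --build-arg SSM_PLUGIN_VERSION=<version>
# to make the build reproducible.
# NOTE(review): dnf applies repository GPG policy only to repo packages; an RPM given by
# URL is governed by localpkg_gpgcheck, which is off by default, so this package is
# installed without signature verification. Pin the version and check AWS's published
# signature or checksum for the RPM before relying on it in a hardened build.
# An architecture other than x86_64/aarch64 now fails immediately with a clear message;
# previously SSM_PLUGIN_URL stayed unset and the step died later with bash's
# "unbound variable" error from `set -u`.
ARG SSM_PLUGIN_VERSION=latest
# hadolint ignore=DL3041
RUN ARCH_STRING=$(uname -m) \
    && if [ "$ARCH_STRING" = "x86_64" ]; then \
         SSM_PLUGIN_ARCH="linux_64bit"; \
       elif [ "$ARCH_STRING" = "aarch64" ]; then \
         SSM_PLUGIN_ARCH="linux_arm64"; \
       else \
         echo "Unsupported architecture for the Session Manager plugin: ${ARCH_STRING}" >&2; \
         exit 1; \
       fi \
    && SSM_PLUGIN_URL="https://s3.amazonaws.com/session-manager-downloads/plugin/${SSM_PLUGIN_VERSION}/${SSM_PLUGIN_ARCH}/session-manager-plugin.rpm" \
    && dnf install -y --refresh \
        bind-utils \
        bzip2 \
        bzip2-devel \
        'dnf-command(config-manager)' \
        findutils \
        gcc \
        gcc-c++ \
        gettext \
        git \
        iptables-nft \
        jq \
        libffi-devel \
        libxslt-devel \
        make \
        nc \
        ncurses-devel \
        openldap-clients \
        openssl-devel \
        perl-Digest-SHA \
        procps-ng \
        python3-pip \
        readline-devel \
        sqlite-devel \
        sshpass \
        unzip \
        wget \
        which \
        xz \
        "${SSM_PLUGIN_URL}" \
    && dnf clean all \
    # dnf on EL9 caches under /var/cache/dnf; the legacy yum path is kept for safety.
    && rm -rf /var/cache/dnf/ /var/cache/yum/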
# Install Docker from Docker's own CentOS/EL repository. The daemon package is installed
# but nothing here starts it: the intended use is
# `docker run -v /var/run/docker.sock:/var/run/docker.sock ...` so the CLI in this
# container talks to the host's daemon.
# WARNING: Mounting the docker socket hands the container root-equivalent control of the
# host machine and requires other mitigations to be in place. See https://stackoverflow.com/a/41822163.
# If the container is run without the socket mounted, these packages add no extra risk.
# It is our belief that this is safe to do on GitHub Actions hosted runners, since it is GitHub's own infrastructure that would be at risk if they didn't mitigate what would otherwise be an incredibly easy to exploit security hole.
# This is NOT regarded as safe to do on self-hosted runners without having taken some other mitigation step first.
RUN dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo \
    && dnf install -y \
        containerd.io \
        docker-ce \
        docker-ce-cli \
    && dnf clean all \
    && rm -rf /var/cache/yum/
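# Install asdf. Get versions from https://github.com/asdf-vm/asdf/releases
# renovate: datasource=github-tags depName=asdf-vm/asdf
ENV ASDF_VERSION=0.14.1
# ASDF_COMMIT is optional. Git tags are mutable, so a moved v${ASDF_VERSION} tag would
# otherwise go unnoticed; when ASDF_COMMIT is set to the full SHA the tag is expected to
# resolve to, the clone is checked against it and the build fails on a mismatch. The
# empty default skips the check and keeps the previous behaviour.
ARG ASDF_COMMIT=""
# The rc-file lines keep $HOME unexpanded on purpose (hence the SC2016 ignore) so they
# remain correct for whichever user later sources them. Sourcing asdf.sh at the end does
# not persist into later layers; it only proves the script loads without error.
# hadolint ignore=SC2016
RUN git clone https://github.com/asdf-vm/asdf.git --branch "v${ASDF_VERSION}" --depth 1 "${HOME}/.asdf" \
    && if [ -n "${ASDF_COMMIT}" ]; then \
         ACTUAL_COMMIT="$(git -C "${HOME}/.asdf" rev-parse HEAD)"; \
         [ "${ACTUAL_COMMIT}" = "${ASDF_COMMIT}" ] \
           || { echo "asdf tag v${ASDF_VERSION} resolved to ${ACTUAL_COMMIT}, expected ${ASDF_COMMIT}" >&2; exit 1; }; \
       fi \
    && echo -e '\nsource $HOME/.asdf/asdf.sh' >> "${HOME}/.bashrc" \
    && echo -e '\nsource $HOME/.asdf/asdf.sh' >> "${HOME}/.profile" \
    && source "${HOME}/.asdf/asdf.sh"
# Make asdf shims and the asdf binary available to every later RUN and at runtime.
ENV PATH="/root/.asdf/shims:/root/.asdf/bin:${PATH}"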
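# Copy our .tool-versions file into the container
COPY .tool-versions /root/.tool-versions
# Plugins without a "shortform" entry in the asdf registry have to be added by repo URL.
# NOTE(review): `asdf plugin add` clones each plugin repository at its default-branch
# HEAD, and `asdf install` later runs that plugin's code to download tool binaries;
# neither step is pinned or verified here, and whether the downloaded tools are
# checksum-checked depends on each plugin. asdf can pin a plugin after adding it with
# `asdf plugin update <name> <git-ref>` — worth doing for a hardened build.
RUN asdf plugin add zarf https://github.com/defenseunicorns/asdf-zarf.git
RUN asdf plugin add git-xargs https://github.com/defenseunicorns/asdf-git-xargs.git
RUN asdf plugin add opentofu https://github.com/defenseunicorns/asdf-opentofu.git
RUN asdf plugin add uds-cli https://github.com/defenseunicorns/asdf-uds-cli.git
# Add every other plugin named in .tool-versions (first field of each line). Blank and
# comment lines are skipped, and the four plugins added above by URL are excluded by
# exact name; the previous `grep -v` substring filter would also have dropped any plugin
# whose name merely contained "zarf", "opentofu", etc., and its pipeline failed under
# pipefail whenever the filtered list came out empty. `|| [ -n "${plugin}" ]` keeps a
# final line that lacks a trailing newline.
RUN while read -r plugin _ || [ -n "${plugin}" ]; do \
      case "${plugin}" in \
        ''|'#'*|zarf|git-xargs|opentofu|uds-cli) continue ;; \
        *) asdf plugin add "${plugin}" ;; \
      esac; \
    done < /root/.tool-versions
# Install all ASDF versions that are present in the .tool-versions file
RUN asdf install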
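# Install sshuttle. Get versions by running `pip index versions sshuttle`
# renovate: datasource=pypi depName=sshuttle
ENV SSHUTTLE_VERSION=1.1.1
# --no-cache-dir keeps pip's download cache out of the image layer (hadolint DL3042);
# --force-reinstall is kept so any preinstalled copy is replaced by the pinned version.
# NOTE(review): the version is pinned but not hash-pinned; a requirements file installed
# with `pip install --require-hashes` would also verify the wheel contents.
RUN pip install --no-cache-dir --force-reinstall -v "sshuttle==${SSHUTTLE_VERSION}"
# Point asdf at root's install so the shims resolve when the container runs as another user.
# NOTE(review): on Rocky the /root home directory is normally not readable by other users
# (mode 0550), so this only works if the runtime also grants read/exec access to
# /root/.asdf — confirm before relying on it.
ENV ASDF_DATA_DIR="/root/.asdf"
# No USER is set: the image runs as root by design, since the docker CLI against a mounted
# socket and (presumably, given iptables-nft is installed) sshuttle's firewall rules need
# it. Run with `docker run --user` wherever those features are not required.
CMD ["/bin/bash"]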