diff --git a/docker/Dockerfile.flux b/docker/Dockerfile.flux
index 4ee0c8f24c..8eaa522607 100644
--- a/docker/Dockerfile.flux
+++ b/docker/Dockerfile.flux
@@ -1,8 +1,38 @@
-FROM alpine:3.9
+FROM debian:stable-slim
 WORKDIR /home/flux
-RUN apk add --no-cache openssh ca-certificates tini 'git>=2.12.0' 'gnutls>=3.6.7' gnupg
+RUN echo "deb http://deb.debian.org/debian stretch-backports main" | tee -a /etc/apt/sources.list.d/stretch-backports.list && \
+ apt-get update && apt-get install -y --no-install-recommends \
+ openssh-client \
+ ca-certificates \
+ dirmngr \
+ gnupg && \
+ apt-get install -t stretch-backports -y --no-install-recommends git && \
+ rm -rf /var/lib/apt/lists/*
+
+ENV TINI_VERSION 0.18.0
+ENV TINI_GPG_KEY 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7
+ENV GPG_KEY_SERVERS_LIST ha.pool.sks-keyservers.net \
+ hkp://p80.pool.sks-keyservers.net:80 \
+ keyserver.ubuntu.com \
+ hkp://keyserver.ubuntu.com:80 \
+ pgp.mit.edu
+
+RUN cd /tmp && \
+ apt-get update && apt-get install -y --no-install-recommends curl && \
+ export GNUPGHOME="$(mktemp -d)" && \
+ for server in $(shuf -e $GPG_KEY_SERVERS_LIST); do \
+ gpg --keyserver "$server" --recv-keys $TINI_GPG_KEY && break || : ; \
+ done && \
+ gpg --fingerprint $TINI_GPG_KEY | grep -q "6380 DC42 8747 F6C3 93FE ACA5 9A84 159D 7001 A4E5" && \
+ curl -sSL "https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini_${TINI_VERSION}.deb" -o tini.deb && \
+ curl -sSL "https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini_${TINI_VERSION}.deb.asc" -o tini.deb.asc && \
+ gpg --verify tini.deb.asc tini.deb && \
+ apt-get install /tmp/tini.deb && \
+ apt-get purge --auto-remove -y curl && \
+ rm -rf "$GNUPGHOME" tini.deb* && \
+ rm -rf /var/lib/apt/lists/*
 # Add git hosts to known hosts file so we can use
 # StrickHostKeyChecking with git+ssh
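Review bot: `FROM debian:stable-slim` is a floating alias, but the first RUN hard-codes the `stretch-backports` suite, so once the `stable` tag moves to the next release the backports source no longer matches the base and the `apt-get install -t stretch-backports ... git` line will break or pull packages built against another release; pin the base to the release the suite names, e.g. `FROM debian:stretch-slim` (ideally by digest), so the two stay in step. The three `ENV` lines carry build-time-only values (TINI_VERSION, TINI_GPG_KEY, GPG_KEY_SERVERS_LIST) in the deprecated space-separated form and leave them in every running container's environment; `ARG` would keep them at build time. The two `curl -sSL` downloads have no `-f`, so an HTTP error page is saved as `tini.deb` and only rejected later by `gpg --verify` with a misleading message; `curl -fsSL` fails at the download instead. The same points apply to the first hunk of docker/Dockerfile.helm-operator.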
@@ -29,21 +59,12 @@ LABEL maintainer="Weaveworks " \
 org.label-schema.vcs-url="git@github.com:weaveworks/flux" \
 org.label-schema.vendor="Weaveworks"
-ENTRYPOINT [ "/sbin/tini", "--", "fluxd" ]
+ENTRYPOINT [ "tini", "--", "fluxd" ]
 # Get the kubeyaml binary (files) and put them on the path
 COPY --from=quay.io/squaremo/kubeyaml:0.5.2 /usr/lib/kubeyaml /usr/lib/kubeyaml/
 ENV PATH=/bin:/usr/bin:/usr/local/bin:/usr/lib/kubeyaml
-# Create minimal nsswitch.conf file to prioritize the usage of /etc/hosts over DNS queries.
-# This resolves the conflict between:
-# * fluxd using netgo for static compilation. netgo reads nsswitch.conf to mimic glibc,
-# defaulting to prioritize DNS queries over /etc/hosts if nsswitch.conf is missing:
-# https://github.com/golang/go/issues/22846
-# * Alpine not including a nsswitch.conf file. Since Alpine doesn't use glibc
-# (it uses musl), maintainers argue that the need of nsswitch.conf is a Go bug:
-# https://github.com/gliderlabs/docker-alpine/issues/367#issuecomment-354316460
-RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf
 COPY ./kubeconfig /root/.kube/config
 COPY ./fluxd /usr/local/bin/
diff --git a/docker/Dockerfile.helm-operator b/docker/Dockerfile.helm-operator
index acf6165a12..8620e4d44c 100644
--- a/docker/Dockerfile.helm-operator
+++ b/docker/Dockerfile.helm-operator
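Review bot: The new `ENTRYPOINT [ "tini", "--", "fluxd" ]` uses a bare command name in exec form, so the runtime must resolve `tini` through the `ENV PATH=/bin:/usr/bin:/usr/local/bin:/usr/lib/kubeyaml` set a few lines below; if that PATH is edited later, or the package installs the binary outside it, the failure surfaces at container start rather than at build time. An absolute path, `ENTRYPOINT [ "/usr/bin/tini", "--", "fluxd" ]` (confirm the install location of the tini .deb), removes that dependency, and the same applies to the ENTRYPOINT hunk in docker/Dockerfile.helm-operator.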
@@ -1,8 +1,36 @@
-FROM alpine:3.9
+FROM debian:stable-slim
 WORKDIR /home/flux
-RUN apk add --no-cache openssh ca-certificates tini 'git>=2.12.0'
+RUN echo "deb http://deb.debian.org/debian stretch-backports main" | tee -a /etc/apt/sources.list.d/stretch-backports.list && \
+ apt-get update && apt-get install -y --no-install-recommends \
+ openssh-client \
+ ca-certificates && \
+ apt-get install -t stretch-backports -y --no-install-recommends git && \
+ rm -rf /var/lib/apt/lists/*
+
+ENV TINI_VERSION 0.18.0
+ENV TINI_GPG_KEY 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7
+ENV GPG_KEY_SERVERS_LIST ha.pool.sks-keyservers.net \
+ hkp://p80.pool.sks-keyservers.net:80 \
+ keyserver.ubuntu.com \
+ hkp://keyserver.ubuntu.com:80 \
+ pgp.mit.edu
+
+RUN cd /tmp && \
+ apt-get update && apt-get install -y curl gnupg && \
+ export GNUPGHOME="$(mktemp -d)" && \
+ for server in $(shuf -e $GPG_KEY_SERVERS_LIST); do \
+ gpg --keyserver "$server" --recv-keys $TINI_GPG_KEY && break || : ; \
+ done && \
+ gpg --fingerprint $TINI_GPG_KEY | grep -q "6380 DC42 8747 F6C3 93FE ACA5 9A84 159D 7001 A4E5" && \
+ curl -sSL "https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini_${TINI_VERSION}.deb" -o tini.deb && \
+ curl -sSL "https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini_${TINI_VERSION}.deb.asc" -o tini.deb.asc && \
+ gpg --verify tini.deb.asc tini.deb && \
+ apt-get install /tmp/tini.deb && \
+ apt-get purge --auto-remove -y curl gnupg && \
+ rm -rf "$GNUPGHOME" tini.deb* && \
+ rm -rf /var/lib/apt/lists/*
 # Add git hosts to known hosts file so we can use
 # StrickHostKeyChecking with git+ssh
@@ -31,7 +59,7 @@ LABEL maintainer="Weaveworks " \
 org.label-schema.vcs-url="git@github.com:weaveworks/flux" \
 org.label-schema.vendor="Weaveworks"
-ENTRYPOINT [ "/sbin/tini", "--", "helm-operator" ]
+ENTRYPOINT [ "tini", "--", "helm-operator" ]
 ENV HELM_HOME=/var/fluxd/helm
 COPY ./helm-repositories.yaml /var/fluxd/helm/repository/repositories.yaml
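Review bot: `apt-get install -y curl gnupg` in the second RUN omits `--no-install-recommends`, unlike the first RUN in this file and the matching step in docker/Dockerfile.flux, so gnupg's recommended packages are fetched and installed only to be dropped again by `apt-get purge --auto-remove -y curl gnupg` in the same layer; `apt-get install -y --no-install-recommends curl gnupg` keeps the two files consistent. `apt-get install /tmp/tini.deb` carries no `-y`, so any dependency apt decides it needs would stall the non-interactive build; `apt-get install -y /tmp/tini.deb` matches the surrounding installs. Because this RUN purges gnupg at the end, the helm-operator image ends up without gpg while the fluxd image keeps it — presumably intended, but a comment on the RUN such as `# gnupg is needed only to verify the tini package and is removed below` would make that explicit.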
diff --git a/docker/known_hosts.sh b/docker/known_hosts.sh
index 379f6a9d3b..f1cd76fe62 100755
--- a/docker/known_hosts.sh
+++ b/docker/known_hosts.sh
@@ -56,7 +56,7 @@ wait=2
 until ${ok}; do
 generate && validate && ok=true || ok=false
 count=$(($count + 1))
- if [[ ${count} -eq ${retries} ]]; then
+ if [ ${count} -eq ${retries} ]; then
 echo "ssh-keyscan failed, no more retries left"
 exit 1
 fi
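Review bot: The rewritten test `if [ ${count} -eq ${retries} ]; then` leaves both expansions unquoted; with POSIX `[` an empty or unset `retries` turns it into `[ 1 -eq ]`, a test error that the `if` treats as false, so the `exit 1` guard is skipped and the retry loop can keep running. Quote the operands, `if [ "${count}" -ge "${retries}" ]; then`, which also terminates the loop should `count` ever start above the limit. The enclosing `until ${ok}; do` loop's `done` lies outside the hunk, and `retries` is assigned somewhere above it.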