
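# Copyright 2016 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# NOTE(review): every builder stage below starts from a mutable tag
# (`alpine:3.21`, `debian:bookworm-slim`). A tag can be re-pointed upstream, so
# two builds of the same commit may use different base contents. Pinning by
# digest (e.g. `alpine:3.21@sha256:<digest-placeholder>`) makes the inputs
# reproducible and auditable; the digest has to be looked up and maintained.

## The curl, jq and toybox containers build the corresponding binaries.
# Sources are copied from the repository's third_party/ tree. The build
# scripts themselves are not shown here, so whether they fetch anything else
# at build time cannot be told from this file.
FROM alpine:3.21 AS curl
COPY third_party/curl /curl-src
COPY third_party/static-curl/build.sh /build.sh
RUN /build.sh

FROM alpine:3.21 AS jq
COPY third_party/jq /jq-src
COPY build-jq.sh /build-jq.sh
RUN /build-jq.sh

FROM alpine:3.21 AS toybox
COPY third_party/toybox /toybox-src
COPY build-toybox.sh /build-toybox.sh
RUN /build-toybox.sh

FROM alpine:3.21 AS inotify
COPY inotify /inotify
RUN /inotify/build.sh

## The extras container extracts licenses and package data from Alpine packages.
FROM alpine:3.21 AS extras
COPY third_party/license-list-data /license-list-data-src
COPY alpine-extractor.sh /alpine-extractor.sh
# All dependencies used in build scripts above should be listed.
# Keeping this list in sync matters for more than licensing: a dependency that
# is linked into a binary but missing here has no package record in the image.
RUN /alpine-extractor.sh musl openssl-dev openssl-libs-static linux-headers

## The bash container fetches bash-static (to be used as bash) from Debian repo.
FROM debian:bookworm-slim AS bash
# `apt-get update` and `apt-get install` run in ONE layer. As separate RUN
# steps the update layer is cached on its own, and a later build can install
# from a stale package index: either an outdated bash-static or a failed
# install once the indexed version has left the mirror.
RUN apt-get update \
    && apt-get install -y --no-install-recommends --no-install-suggests bash-static
# The bash-static version is not pinned; it is whatever the bookworm repo
# serves at build time. The dpkg record captured here is copied into the final
# image's status.d, presumably so image scanners can identify that version.
RUN dpkg -s bash-static > /tmp/status_bash-static

## The stuff container pulls all pieces together from containers above.
## We use this and copy all of them as a whole to reduce the number of layers in the final image.
## The base image is deliberately kept separate so it can be shared with other images.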
FROM scratch AS stuff

# Statically built tools, each paired with a dpkg-style status record under
# /var/lib/dpkg/status.d/.
COPY --from=curl /tmp/release/curl /usr/bin/curl
COPY status.d/curl /var/lib/dpkg/status.d/curl

COPY --from=jq /tmp/release/jq /usr/bin/jq
COPY status.d/jq /var/lib/dpkg/status.d/jq

# The toybox release directory holds the binary plus its applet symlinks.
COPY --from=toybox /tmp/release/ /bin/
COPY status.d/toybox /var/lib/dpkg/status.d/toybox

COPY --from=inotify /tmp/release/inotify /usr/bin/inotify

# License texts and package metadata produced by the extras stage, laid over /.
COPY --from=extras /tmp/extras/ /

# bash-static is installed as /bin/bash, with the dpkg record captured in the
# bash stage.
COPY --from=bash /bin/bash-static /bin/bash
COPY --from=bash /tmp/status_bash-static /var/lib/dpkg/status.d/bash-static

# Cache buster: pass a unique value (e.g. `date +%s`) at build time to
# invalidate docker's cache and rebuild every step from this point on.
ARG FORCE_REBUILD=0

# Pass a hash of the licenses tree at build time; docker compares it with its
# cache, so a changed hash forces a rebuild from this point on.
ARG HASH_LICENSES=0

# Third-party license texts.
COPY .licenses/ /LICENSES/
COPY --from=bash /usr/share/doc/bash-static/copyright /LICENSES/copyright.bash-static

# Pass a hash of the binary at build time; docker compares it with its cache,
# so a changed hash forces a rebuild from this point on.
ARG HASH_BINARY=0

# The platform-specific binary. The {ARG_*} placeholders are presumably filled
# in by the build tooling before docker reads this file. Confirm against the
# build scripts.
COPY bin/{ARG_OS}_{ARG_ARCH}/{ARG_BIN} /{ARG_BIN}

## Final image: the chosen base plus everything from the stuff stage.
# {ARG_FROM} is supplied by the build, so the provenance of the final base
# image is decided outside this file.
FROM {ARG_FROM}
COPY --from=stuff / /

# iptables requires root, so the user is set explicitly instead of being
# inherited from the base image.
# NOTE(review): because the process is UID 0, least privilege has to be
# enforced at deploy time (e.g. dropping Linux capabilities that iptables does
# not need). Confirm against the workload's security context.
USER 0:0
ENV HOME=/
ENTRYPOINT ["/{ARG_BIN}"]