From d8c52619936c55a5bf28db9d9b164ec1acd3e8af Mon Sep 17 00:00:00 2001
From: Mikko Ylinen
Date: Wed, 6 Dec 2023 13:45:22 +0200
Subject: [PATCH] support usrmerged /bin and /sbin

Distros are adopting the merged /usr directories scheme where the /{bin,sbin,lib}/ directories are made symbolic links to /usr/{bin,sbin,lib}/. There are use cases where this could be justified for Distroless as well. For example, a statically built Busybox/Toybox w/ built-in shell can be installed to /usr/bin and still have the typical shellscript shebangs (/bin/sh or /bin/bash) working. However, Debian 11/12 base packages (base-files, libc6 etc) do not support the merged /usr so it's not very straightfoward to enable for Distroless. One approach to support this for /bin/ and /sbin is to create a layer with whiteouts and symlinks. Tests are also added to ensure any Distroless image flavor does not overwrite the symlinks created in that lower layer.

Signed-off-by: Mikko Ylinen
---
 base/base.bzl | 1 +
 base/testdata/base.yaml | 14 +++++++++++++-
 base/usrmerge.tar | Bin 0 -> 10240 bytes
 examples/cc/BUILD | 10 ++++++++--
 examples/cc/testdata/usrmerge.yaml | 14 ++++++++++++++
 java/BUILD | 5 ++++-
 java/testdata/usrmerge.yaml | 14 ++++++++++++++
 nodejs/BUILD | 1 +
 nodejs/testdata/usrmerge.yaml | 14 ++++++++++++++
 python3/BUILD | 5 ++++-
 python3/testdata/usrmerge.yaml | 14 ++++++++++++++
 11 files changed, 87 insertions(+), 5 deletions(-)
 create mode 100644 base/usrmerge.tar
 create mode 100644 examples/cc/testdata/usrmerge.yaml
 create mode 100644 java/testdata/usrmerge.yaml
 create mode 100644 nodejs/testdata/usrmerge.yaml
 create mode 100644 python3/testdata/usrmerge.yaml

diff --git a/base/base.bzl b/base/base.bzl
index b4b602e9b..ec72034a4 100644
--- a/base/base.bzl
+++ b/base/base.bzl
@@ -96,6 +96,7 @@ def distro_components(distro):
 # directory with specific permissions.
 ":tmp.tar",
 ":nsswitch.tar",
+ ":usrmerge.tar",
 "//os_release:os_release_" + distro + ".tar",
 ":cacerts_" + arch + "_" + distro + ".tar",
 ],
diff --git a/base/testdata/base.yaml b/base/testdata/base.yaml
index dc51619ec..b389fb65e 100644
--- a/base/testdata/base.yaml
+++ b/base/testdata/base.yaml
@@ -1,4 +1,4 @@
-schemaVersion: "1.0.0"
+schemaVersion: "2.0.0"
 fileExistenceTests:
 # Basic FS sanity checks.
 - name: root
@@ -7,6 +7,18 @@ fileExistenceTests:
 - name: tmp
 path: '/tmp'
 shouldExist: true
+- name: '/bin -> /usr/bin'
+ path: '/bin'
+ shouldExist: true
+ permissions: 'Lrwxrwxrwx'
+ uid: 0
+ gid: 0
+- name: '/sbin -> /usr/sbin'
+ path: '/sbin'
+ shouldExist: true
+ permissions: 'Lrwxrwxrwx'
+ uid: 0
+ gid: 0
 - name: passwd
 path: '/etc/passwd'
 shouldExist: true
diff --git a/base/usrmerge.tar b/base/usrmerge.tar
new file mode 100644
index 0000000000000000000000000000000000000000..8b1c8dffa9b8f5a24302facad6d45db35935d1d0
GIT binary patch
literal 10240
zcmeIzO%B2!5Qbrn!U-r~Va}r~-DuLEczvNsyQro{lQAZJ+0d30CeH`0Ym9pHrHLd{ z`_k6^^eh}g>vN7d)^U+=FgB@IRu&lh;n-Pgy4!8oTJPQX*1LZ^<{EcDyVK>WSYr)1 z=XRa@eE*z(2tJFkUa_WSYVt4n_o^G HjaI#Uf%A{zwX(u8{qT&V@&1$Kjp7o-p=z^{IoDN0tg_000IagfB*srAb /usr/bin'
+ path: '/bin'
+ shouldExist: true
+ permissions: 'Lrwxrwxrwx'
+ uid: 0
+ gid: 0
+ - name: '/sbin -> /usr/sbin'
+ path: '/sbin'
+ shouldExist: true
+ permissions: 'Lrwxrwxrwx'
+ uid: 0
+ gid: 0
diff --git a/java/BUILD b/java/BUILD
index 9466d9419..a9f2dbee9 100644
--- a/java/BUILD
+++ b/java/BUILD
@@ -325,7 +325,10 @@ DISTRO_SPECIFIC_LIBRARIES = {
 [
 structure_test(
 name = "java_base" + mode + "_" + user + "_" + arch + "_" + distro + "_test",
- config = ["testdata/java_base" + mode + ".yaml"],
+ config = [
+ "testdata/java_base" + mode + ".yaml",
+ "testdata/usrmerge.yaml",
+ ],
 image = ":java_base" + mode + "_" + user + "_" + arch + "_" + distro,
 tags = [
 arch,
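Review bot: `:usrmerge.tar` joins the `distro_components` layer list as a checked-in binary (the diffstat records `base/usrmerge.tar | Bin 0 -> 10240 bytes`), so the whiteout entries and symlink targets that make this layer work cannot be read in the patch and cannot be regenerated from source, yet the blob becomes part of the base of every image flavour. Its neighbours `:tmp.tar` and `:nsswitch.tar` look like labels of rule-produced tarballs, which cannot be verified from here; producing `usrmerge.tar` the same way, from a rule whose inputs spell out the `bin -> usr/bin` and `sbin -> usr/sbin` links and the whiteouts, would make the layer reviewable and reproducible, and the commit message should in any case say how the blob was generated. The layer is placed after `:nsswitch.tar` and before the os_release and cacerts layers; whether that is late enough to remove the `/bin` and `/sbin` directories that the Debian base packages create depends on how `distro_components` orders the package layers outside this hunk. `distro_components` begins before the hunk and its body continues past it.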
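Review bot: The `testdata/usrmerge.yaml` added to `config` here is the same 14-line file checked in three more times, under `python3/testdata`, `nodejs/testdata` and `examples/cc/testdata` (the java and python3 copies share blob id `3af2f0599`), and the nodejs copy already differs in the second test's name. A single shared copy, for instance kept under `base/testdata/` and exposed with `exports_files` so each `config` list can reference it, would keep every image family asserting the identical contract and make the next change to it a one-file edit; the same applies to the hunks in `nodejs/BUILD` and `python3/BUILD` below and presumably to `examples/cc/BUILD`, whose hunk is not legible in this patch text. The `structure_test` call sits inside a list comprehension that begins and ends outside the hunk.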
diff --git a/java/testdata/usrmerge.yaml b/java/testdata/usrmerge.yaml
new file mode 100644
index 000000000..3af2f0599
--- /dev/null
+++ b/java/testdata/usrmerge.yaml
@@ -0,0 +1,14 @@
+schemaVersion: "2.0.0"
+fileExistenceTests:
+ - name: '/bin -> /usr/bin'
+ path: '/bin'
+ shouldExist: true
+ permissions: 'Lrwxrwxrwx'
+ uid: 0
+ gid: 0
+ - name: '/sbin -> /usr/sbin'
+ path: '/sbin'
+ shouldExist: true
+ permissions: 'Lrwxrwxrwx'
+ uid: 0
+ gid: 0
diff --git a/nodejs/BUILD b/nodejs/BUILD
index 9d88158b5..1051b0bb1 100644
--- a/nodejs/BUILD
+++ b/nodejs/BUILD
@@ -53,6 +53,7 @@ USER = [
 config = [
 "testdata/nodejs" + major_version + ".yaml",
 "testdata/check_npm.yaml",
+ "testdata/usrmerge.yaml",
 ],
 image = "nodejs" + major_version + ("" if (not mode) else mode) + "_" + user + "_" + arch + "_" + distro,
 tags = [
diff --git a/nodejs/testdata/usrmerge.yaml b/nodejs/testdata/usrmerge.yaml
new file mode 100644
index 000000000..bb53d7985
--- /dev/null
+++ b/nodejs/testdata/usrmerge.yaml
@@ -0,0 +1,14 @@
+schemaVersion: "2.0.0"
+fileExistenceTests:
+ - name: '/bin -> /usr/bin'
+ path: '/bin'
+ shouldExist: true
+ permissions: 'Lrwxrwxrwx'
+ uid: 0
+ gid: 0
+ - name: '/bin -> /usr/bin'
+ path: '/sbin'
+ shouldExist: true
+ permissions: 'Lrwxrwxrwx'
+ uid: 0
+ gid: 0
diff --git a/python3/BUILD b/python3/BUILD
index ae50c50e7..3b0b2ab7e 100644
--- a/python3/BUILD
+++ b/python3/BUILD
@@ -96,7 +96,10 @@ DISTRO_VERSION = {
 structure_test(
 name = "python3_" + user + "_" + arch + "_" + distro + "_test",
 size = "medium",
- config = ["testdata/python3.yaml"],
+ config = [
+ "testdata/python3.yaml",
+ "testdata/usrmerge.yaml",
+ ],
 image = ":python3_" + user + "_" + arch + "_" + distro,
 tags = [
 "manual",
diff --git a/python3/testdata/usrmerge.yaml b/python3/testdata/usrmerge.yaml
new file mode 100644
index 000000000..3af2f0599
--- /dev/null
+++ b/python3/testdata/usrmerge.yaml
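Review bot: The second test in `nodejs/testdata/usrmerge.yaml` is named `'/bin -> /usr/bin'` but checks `path: '/sbin'`, unlike the java, python3 and examples/cc copies, which name it `'/sbin -> /usr/sbin'`; the name is what the test runner reports, so a broken /sbin link in a nodejs image would be reported as a /bin problem. Change the line to `  - name: '/sbin -> /usr/sbin'`. The `/sbin` check itself is correct, so only the label needs fixing.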
@@ -0,0 +1,14 @@
+schemaVersion: "2.0.0"
+fileExistenceTests:
+ - name: '/bin -> /usr/bin'
+ path: '/bin'
+ shouldExist: true
+ permissions: 'Lrwxrwxrwx'
+ uid: 0
+ gid: 0
+ - name: '/sbin -> /usr/sbin'
+ path: '/sbin'
+ shouldExist: true
+ permissions: 'Lrwxrwxrwx'
+ uid: 0
+ gid: 0