Dockerfile
140 lines (129 loc) · 5.59 KB
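# syntax=docker/dockerfile:1
# Copyright 2020 - 2020, Raul E Rangel
# SPDX-License-Identifier: GPL-2.0-or-later
#
# The frontend is pinned to the stable 1.x channel: every RUN --mount type used
# below (bind with from=/source=, cache with id=) is stable there, so the old
# 1.0-experimental channel is no longer needed. This directive must stay the
# first line of the file.

# The portage snapshot. It is only ever bind-mounted into build stages (it is
# never part of a final image). ":latest" is deliberate: the snapshot is
# republished daily and the build cache is invalidated from the mounted
# content, so a moving tag is what keeps the @world update current.
FROM gentoo/portage:latest AS portage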
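# Base Gentoo image. Every other stage in this file derives from it.
FROM gentoo/stage3:amd64-hardened-nomultilib AS base

# We can't use any sandboxing in the container.
# ENV persists into every derived stage, including the final images, so
# FEATURES is also set at container runtime. It is only read by portage, so
# that is harmless, but keep it in mind if a later stage wants sandboxing back.
ENV FEATURES="-ipc-sandbox -mount-sandbox -network-sandbox -pid-sandbox -sandbox -usersandbox"

# Add make.conf to override the march.
# This allows packages to be optimized specifically for the host CPU.
# Consequence: an image built this way is tuned for the build host's CPU and
# is not necessarily portable to a different CPU (the exact -march is set in
# base/pre-build/, which is not visible here).
COPY base/pre-build/ /

# Update the base image
#
# The portage snapshot image is updated daily, while the base image
# is updated occasionally. We want to make sure we are always up to date.
#
# Other distros require the build cache to be manually invalidated to perform
# a system update. i.e., apt update. The reason being that the build cache can
# only hash the inputs. It doesn't realize that `apt update` performed an HTTP
# request to an external server, so it thinks it can reuse the same layer.
# Gentoo doesn't suffer from this limitation. Since the portage database is
# provided as an image the build cache is properly invalidated when the portage
# database is updated.
#
# In order to avoid rebuilding the same packages every time there is a portage
# update, we generate bin packages and reuse the bin packages when regenerating
# the layer. It's questionable if using a bin package cache here is acceptable.
# The binpkgs don't take into account the CFLAGS, so the binpkgs won't be
# rebuilt when make.conf changes. If a rebuild is required, the bin package
# cache can be wiped.
#
# Additionally the distfiles are cached to avoid constantly downloading the
# package source on every rebuild. This is safe since each tarball is versioned
# and `should` never change.
#
# Mounts: the portage tree is bind-mounted read-only from the portage image;
# distfiles and this stage's binpkgs live in build-host cache mounts, so
# neither ends up in an image layer. "-j" with no count places no limit on how
# many packages emerge merges in parallel.
RUN --mount=type=bind,target=/var/db/repos/gentoo,source=/var/db/repos/gentoo,from=portage \
    --mount=type=cache,id=distfiles,target=/var/cache/distfiles \
    --mount=type=cache,id=base-binpkgs,target=/var/cache/binpkgs \
    emerge --buildpkg \
        --usepkg \
        --binpkg-respect-use=y \
        --binpkg-changed-deps=y \
        --tree \
        -vj \
        -Du @world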
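# Portage packages define build time and runtime dependencies. We don't want
# any of the build time dependencies in the final image. So we split the image
# creation into two steps.
# 1) emerge the app and generate bin packages for all dependencies. This has
#    the advantage that we can also reuse the bin packages when regenerating
#    this layer.
# 2) emerge the app using only bin packages. This allows us to drop all the
#    build time dependencies and only install the runtime dependencies.
#
# TODO: It would be nice to generate the final image with only the runtime
# deps required to run the app. i.e., emerge --destination /image <package>
# Then we don't need the gentoo base package at all at runtime, but this
# requires packages to migrate to EAPI 7 and correctly define their BDEPENDs.
#
# This stage is the common parent of every *-binpkgs build stage below; it is
# never shipped as a final image.
FROM base AS binpkgs

# Create a local overlay so we can provide our own ebuilds.
# The overlay (and presumably the digest-local helper the *-binpkgs stages
# call — confirm against binpkgs/pre-build/) is copied over the root fs.
COPY binpkgs/pre-build/ /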
# We use runit as our supervisor. This stage only builds the runit binpkgs;
# the runtime image is assembled from them in the "runit" stage.
FROM binpkgs AS runit-binpkgs
COPY runit/pre-build/ /

# We don't reuse the runit binpkg we generate because we apply a custom patch.
# Portage doesn't take that into account when deciding to use the binpkg. If
# the patch is updated, then we end up with a stale binpkg installed.
#
# Hence, unlike the base and samba build stages, there is no binpkg cache
# mount here: only distfiles are cached, and runit is rebuilt from source
# every time this layer is regenerated.
RUN --mount=type=bind,target=/var/db/repos/gentoo,source=/var/db/repos/gentoo,from=portage \
    --mount=type=cache,id=distfiles,target=/var/cache/distfiles \
    digest-local && \
    emerge --buildpkg --verbose --tree @runit
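# Runtime image with just the supervisor. runit is installed strictly from the
# binpkgs produced by runit-binpkgs (--usepkgonly), so none of that stage's
# build-time dependencies land in this layer.
FROM base AS runit

# /etc/portage, the local overlay and the binpkg directory are all borrowed
# from runit-binpkgs via bind mounts so the packages resolve with exactly the
# USE flags they were built with. Nothing from these mounts is persisted.
# The stock /etc/runit and /etc/service contents are removed in the same
# layer; runit/post-install/ supplies the replacement layout.
RUN --mount=type=bind,target=/var/db/repos/gentoo,source=/var/db/repos/gentoo,from=portage \
    --mount=type=bind,target=/var/db/repos/local,source=/var/db/repos/local,from=runit-binpkgs \
    --mount=type=bind,target=/etc/portage,source=/etc/portage,from=runit-binpkgs \
    --mount=type=bind,target=/var/cache/binpkgs,source=/var/cache/binpkgs,from=runit-binpkgs \
    emerge --usepkgonly \
        --binpkg-respect-use=y \
        --binpkg-changed-deps=y \
        --tree \
        -vj \
        @runit && \
    rm -rfv /etc/runit/* /etc/service/*
COPY runit/post-install/ /

# runit-init runs as PID 1. No USER directive is set anywhere in this file, so
# the supervisor and every service it starts run as root.
# SIGINT rather than the default SIGTERM: runit treats INT as a ctrl-alt-del
# request, so `docker stop` triggers an orderly shutdown (presumably via the
# /etc/runit/ctrlaltdel shipped in runit/post-install/ — confirm there).
STOPSIGNAL SIGINT
CMD ["/sbin/runit-init"]
# runit-check comes from runit/post-install/; it is the only liveness signal
# orchestrators get, so keep it cheap and side-effect free.
HEALTHCHECK --interval=10s CMD ["/usr/local/sbin/runit-check"]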
# Build stage for samba: emerge the @samba set from source and emit binpkgs
# for it and all of its dependencies. The "samba" runtime stage installs
# from these binpkgs only. Unlike runit, the samba binpkgs are cached under
# their own cache-mount id so regenerating this layer reuses them.
FROM binpkgs AS samba-binpkgs
COPY samba/pre-build/ /
RUN --mount=type=bind,target=/var/db/repos/gentoo,source=/var/db/repos/gentoo,from=portage \
    --mount=type=cache,id=distfiles,target=/var/cache/distfiles \
    --mount=type=cache,id=samba-binpkgs,target=/var/cache/binpkgs \
    digest-local && \
    emerge --buildpkg \
        --usepkg \
        --binpkg-respect-use=y \
        --binpkg-changed-deps=y \
        --tree \
        --verbose \
        --jobs \
        @samba
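# Final samba image: the runit supervisor image plus samba installed purely
# from the binpkgs built in samba-binpkgs (--usepkgonly). It inherits the
# STOPSIGNAL/CMD/HEALTHCHECK from the runit stage and, like it, runs as root.
FROM runit AS samba
RUN --mount=type=bind,target=/var/db/repos/gentoo,source=/var/db/repos/gentoo,from=portage \
    --mount=type=bind,target=/var/db/repos/local,source=/var/db/repos/local,from=samba-binpkgs \
    --mount=type=bind,target=/etc/portage,source=/etc/portage,from=samba-binpkgs \
    --mount=type=cache,id=samba-binpkgs,target=/var/cache/binpkgs \
    emerge --usepkgonly \
        --binpkg-respect-use=y \
        --binpkg-changed-deps=y \
        --tree \
        -vj \
        @samba

# Lay out the persistent state:
#  - /home is moved under /data and made the useradd default base dir, so
#    every user home lives on the /data volume declared below;
#  - smb.conf and samba's private dir are redirected into /config so they live
#    on the /config volume. The private dir holds samba's credential databases,
#    so whatever is mounted at /config/samba/private must stay restricted to
#    root.
# Every step is chained with && so any failure aborts the build. The avahi
# cleanup line used to lack its &&, which made the shell pass
# "rm -r /var/lib/samba/private" as extra arguments to the preceding rm -f;
# it only worked because GNU rm reorders options. -rf is kept for the samba
# private dir so the step stays tolerant of the directory being absent, which
# is what the accidental form did.
RUN mkdir /data && \
    mv /home /data/home && \
    useradd -D --base-dir /data/home && \
    rm -f /etc/avahi/services/* && \
    rm -rf /var/lib/samba/private && \
    ln -Ts /config/samba/smb.conf /etc/samba/smb.conf && \
    ln -Tfs /config/samba/private/ /var/lib/samba/private
COPY samba/post-install/ /
# Presumably password-management helpers shared across images — see
# util/passwd/ (not visible here).
COPY util/passwd/post-install/ /

# Declared only after the writes above: content written to a path after its
# VOLUME instruction is discarded from the image.
VOLUME /config
VOLUME /data

# Samba CIFS port
EXPOSE 445
# Avahi mDNS multicast
EXPOSE 5353/udp
# WSDD incoming and multicast
EXPOSE 5357/tcp 3702/udp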