Dockerfile.amd64

FROM calico/bpftool:v5.3-amd64 as bpftool

FROM goboring/golang:1.16.7b7
MAINTAINER Shaun Crampton <shaun@projectcalico.org>

# Override the go boring version in the image with the latest release. There is currently no 1.17 container image,
# so starting with 1.16 and then overwriting with 1.17.
ARG GO_BORING_VERSION=1.17.5b7
ARG QEMU_VERSION=4.2.0-6

# we need these two distinct lists. The first one is the names used by the qemu distributions
# these second is the names used by golang see https://github.com/golang/go/blob/master/src/go/build/syslist.go
# the primary difference as of this writing is that qemu uses aarch64 and golang uses arm64
ARG QEMU_ARCHS="arm aarch64 ppc64le s390x"
ARG CROSS_ARCHS="arm arm64 ppc64le s390x"

ARG MANIFEST_TOOL_VERSION=v1.0.2

# Install su-exec for use in the entrypoint.sh (so processes run as the right user)
# Install bash for the entry script (and because it's generally useful)
# Install curl
# Install git for fetching Go dependencies
# Install ssh for fetching Go dependencies
# Install mercurial for fetching go dependencies
# Install wget since it's useful for fetching
# Install make for building things
# Install util-linux for column command (used for output formatting).
# Install grep, sed, zip, and jq for use in some Makefiles
# Install gcc for cgo.
# Install clang, libbpf and newer kernel headers for building BPF binaries.
# Install apt-utils, libpcre++-dev and libraries for ModSecurity dependencies.
RUN echo 'APT::Default-Release "buster";' > /etc/apt/apt.conf.d/99defaultrelease && \
    echo 'deb     http://ftp.am.debian.org/debian/    buster-backports main contrib non-free' > /etc/apt/sources.list.d/buster-backports.list && \
    apt-get -y update &&  \
    apt-get -y upgrade && \
    apt-get install --no-install-recommends -y -t buster-backports \
        libbpf-dev linux-headers-5.10.0-0.bpo.9-amd64  && \
    apt-get install --no-install-recommends -y \
        curl bash git openssh-client mercurial make wget util-linux file grep sed jq zip \
        llvm-11 clang-11 binutils file iproute2 \
        ca-certificates gcc mingw-w64 libc-dev bsdmainutils strace libpcap-dev \
        apt-utils autoconf automake build-essential \
        libcurl4-openssl-dev libgeoip-dev liblmdb-dev \
        libpcre++-dev libtool libxml2-dev libyajl-dev \
        pkgconf zlib1g-dev && \
    rm -rf /var/lib/apt/lists/*

RUN wget https://storage.googleapis.com/go-boringcrypto/go${GO_BORING_VERSION}.linux-amd64.tar.gz
RUN rm -rf /usr/local/go && tar -C /usr/local -xzf go${GO_BORING_VERSION}.linux-amd64.tar.gz
RUN rm go${GO_BORING_VERSION}.linux-amd64.tar.gz

# su-exec is used by the entrypoint script to execute the user's command with the right UID/GID.
# (sudo doesn't work easily in a container.)  The version was current master at the time of writing.
ARG SU_EXEC_VER=212b75144bbc06722fbd7661f651390dc47a43d1
RUN  set -ex; \
     curl -o /sbin/su-exec.c https://raw.githubusercontent.com/ncopa/su-exec/${SU_EXEC_VER}/su-exec.c; \
     gcc -Wall /sbin/su-exec.c -o/sbin/su-exec; \
     chown root:root /sbin/su-exec; \
     chmod 0755 /sbin/su-exec; \
     rm /sbin/su-exec.c

# Install fossa for foss license checks
ARG FOSSA_VER=1.0.1
RUN curl -L https://github.com/fossas/fossa-cli/releases/download/v${FOSSA_VER}/fossa-cli_${FOSSA_VER}_linux_amd64.tar.gz | tar zxvf - -C /usr/local/bin --extract fossa
RUN chmod +x /usr/local/bin/fossa

ARG MOCKERY_VER=2.3.0
RUN curl -L https://github.com/vektra/mockery/releases/download/v${MOCKERY_VER}/mockery_${MOCKERY_VER}_Linux_x86_64.tar.gz | tar zxvf - -C /usr/local/bin --extract mockery
RUN chmod +x /usr/local/bin/mockery

# Disable ssh host key checking
RUN echo 'Host *' >> /etc/ssh/ssh_config \
  && echo '    StrictHostKeyChecking no' >> /etc/ssh/ssh_config

# We want to be able to do both cgo and non-cgo builds.  That's awkward because toggling cgo
# results in parts of the stdlib getting rebuilt (which fails due to the container's read-only
# filesystem).  As a workaround: take a copy of the go root for cgo builds and have the
# entrypoint script swap it into the path if it detects CGO_ENABLED=1.
ENV GOROOT=/usr/local/go
ENV GOCGO=/usr/local/go-cgo

# Disable cgo by default so that binaries we build will be fully static by default.
ENV CGO_ENABLED=0

RUN cp -a $GOROOT $GOCGO && \
  go install -v std && \
  rm -rf /go/src/* /root/.cache

# Install go programs that we rely on
RUN go get github.com/onsi/ginkgo/ginkgo && \
  go get golang.org/x/tools/cmd/goimports && \
  wget -O - -q https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s v1.27.0 && \
  golangci-lint --version && \
  go get github.com/pmezard/licenses && \
  go get github.com/wadey/gocovmerge && \
  GO111MODULE=on go get github.com/mikefarah/yq/v3 && \
  go get -u github.com/jstemmer/go-junit-report && \
  go get -u golang.org/x/tools/cmd/stringer && \
  GO111MODULE=on go get k8s.io/code-generator/cmd/openapi-gen@v0.21.0 && \
  GO111MODULE=on go get k8s.io/code-generator/cmd/deepcopy-gen@v0.21.0 && \
  GO111MODULE=on go get k8s.io/code-generator/cmd/client-gen@v0.21.0 && \
  GO111MODULE=on go get k8s.io/code-generator/cmd/lister-gen@v0.21.0 && \
  GO111MODULE=on go get k8s.io/code-generator/cmd/informer-gen@v0.21.0 && \
  GO111MODULE=on go get k8s.io/code-generator/cmd/defaulter-gen@v0.21.0 && \
  GO111MODULE=on go get k8s.io/code-generator/cmd/conversion-gen@v0.21.0 && \
  rm -rf /go/src/* /root/.cache

# Install necessary Kubernetes binaries used in tests.
RUN wget https://dl.k8s.io/v1.22.2/bin/linux/amd64/kube-apiserver -O /usr/local/bin/kube-apiserver && chmod +x /usr/local/bin/kube-apiserver && \
	wget https://dl.k8s.io/release/v1.22.2/bin/linux/amd64/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \
	wget https://dl.k8s.io/v1.22.2/bin/linux/amd64/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager

# Used for generating CRD files.
# Download a version of controller-gen that has been hacked to support additional types (e.g., float).
# We can remove this once we update the Calico v3 APIs to use only types which are supported by the upstream controller-gen
# tooling. Example: float, all the types in the numorstring package, etc.
RUN wget -O ${GOPATH}/bin/controller-gen https://github.com/projectcalico/controller-tools/releases/download/calico-0.1/controller-gen && chmod +x ${GOPATH}/bin/controller-gen

# Enable non-native runs on amd64 architecture hosts
RUN for i in ${QEMU_ARCHS}; do curl -L https://github.com/multiarch/qemu-user-static/releases/download/v${QEMU_VERSION}/qemu-${i}-static.tar.gz | tar zxvf - -C /usr/bin; done
RUN chmod +x /usr/bin/qemu-*

# When running cross built binaries run-times will be auto-installed,
# ensure the install directory is writable by everyone.
RUN for arch in ${CROSS_ARCHS}; do mkdir -m +w -p /usr/local/go/pkg/linux_${arch}; GOARCH=${arch} go install -v std; done

# Ensure that everything under the GOPATH is writable by everyone
RUN chmod -R 777 $GOPATH

RUN curl -sSL https://github.com/estesp/manifest-tool/releases/download/${MANIFEST_TOOL_VERSION}/manifest-tool-linux-amd64 > manifest-tool && \
    chmod +x manifest-tool && \
    mv manifest-tool /usr/bin/

# crane is needed for our release targets to copy images from the dev registries to the release registries.
RUN wget https://github.com/google/go-containerregistry/releases/download/v0.4.1/go-containerregistry_Linux_x86_64.tar.gz && \
    tar -xvf go-containerregistry_Linux_x86_64.tar.gz && \
    chmod +x crane && \
    mv crane /usr/bin

# Add bpftool for Felix UT/FV.
COPY --from=bpftool /bpftool /usr/bin

# Build ModSecurity for Dikastes.
COPY scripts/modsec.sh /usr/local/bin/scripts/modsec.sh
RUN /usr/local/bin/scripts/modsec.sh

COPY entrypoint.sh /usr/local/bin/entrypoint.sh
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]