author | Manuel Rüger <mrueg@gentoo.org> | 2017-04-24 17:11:23 +0200 |
---|---|---|
committer | Manuel Rüger <manuel@rueg.eu> | 2017-05-07 16:50:28 +0200 |
commit | 64f150f16c0eb0f549dd8381914f7b7e1cdd195b (patch) | |
tree | 9c1f6dbbb31abad3d45ddac2664b24cfbf8ef264 /stage3.Dockerfile | |
parent | Merge pull request #36 from mrueg/rc_sys (diff) | |
Utilize multi-stage builds
* Multi-Stage builds (docker-engine >=17.05.0 required)
* Bootstrap image changed from busybox to alpine
* Verifies the GPG signatures during bootstrap
* Single build.sh to define builds via a TARGET environment variable
* Add x86-hardened
* Travis CI integration
Diffstat (limited to 'stage3.Dockerfile')
-rw-r--r-- | stage3.Dockerfile | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/stage3.Dockerfile b/stage3.Dockerfile
new file mode 100644
index 0000000..20fdf32
--- /dev/null
+++ b/stage3.Dockerfile
@@ -0,0 +1,39 @@
+# This Dockerfile creates a gentoo stage3 container image. By default it
+# creates a stage3-amd64 image. It utilizes a multi-stage build and requires
+# docker-17.05.0 or later. It fetches a daily snapshot from the official
+# sources and verifies its checksum as well as its gpg signature.
+
+# As gpg keyservers sometimes are unreliable, we use multiple gpg server pools
+# to fetch the signing key.
+
+
+FROM ${BOOTSTRAP:-alpine:3.5} as builder
+
+WORKDIR /gentoo
+
+ARG ARCH=amd64
+ARG MICROARCH=amd64
+ARG SUFFIX
+ARG DIST="http://distfiles.gentoo.org/releases/${ARCH}/autobuilds/"
+ARG SIGNING_KEY="0xBB572E0E2D182910"
+
+RUN echo "Building Gentoo Container image for ${ARCH} ${SUFFIX} fetching from ${DIST}" \
+ && apk --no-cache add gnupg tar wget \
+ && STAGE3PATH="$(wget -q -O- "${DIST}/latest-stage3-${MICROARCH}${SUFFIX}.txt" | tail -n 1 | cut -f 1 -d ' ')" \
+ && STAGE3="$(basename ${STAGE3PATH})" \
+ && wget -q -c "${DIST}/${STAGE3PATH}" "${DIST}/${STAGE3PATH}.CONTENTS" "${DIST}/${STAGE3PATH}.DIGESTS.asc" \
+ && gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys ${SIGNING_KEY} \
+ || gpg --keyserver keys.gnupg.net --recv-keys ${SIGNING_KEY} \
+ || gpg --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys ${SIGNING_KEY} \
+ && gpg --verify "${STAGE3}.DIGESTS.asc" \
+ && awk '/# SHA512 HASH/{getline; print}' ${STAGE3}.DIGESTS.asc | sha512sum -c \
+ && tar xjpf "${STAGE3}" --xattrs --numeric-owner \
+ && sed -i -e 's/#rc_sys=""/rc_sys="docker"/g' etc/rc.conf \
+ && echo 'UTC' > etc/timezone \
+ && rm ${STAGE3}.DIGESTS.asc ${STAGE3}.CONTENTS ${STAGE3}
+
+FROM scratch
+
+WORKDIR /
+COPY --from=builder /gentoo/ /
+CMD ["/bin/bash"] |
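Review bot: The keyserver fallback in the RUN step masks failures of every step before it, because sh evaluates `&&` and `||` left to right with equal precedence, so a failed `apk add` or `wget` of the stage3 files is absorbed by `|| gpg --keyserver keys.gnupg.net …` and the step only fails later at `gpg --verify` with a misleading error; group the retries so only the first `--recv-keys` is retried, e.g. `&& { gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys ${SIGNING_KEY} || gpg --keyserver keys.gnupg.net --recv-keys ${SIGNING_KEY} || gpg --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys ${SIGNING_KEY}; } \`. The signing key is also requested by its 64-bit long ID only, and `gpg --verify` then accepts whatever key the keyserver returned under that ID; pinning the full fingerprint (an `ARG SIGNING_KEY_FPR=<full 40-hex fingerprint>` passed to `--recv-keys`, or compared against `gpg --with-colons --fingerprint` output before `--verify`) would tie the check to the intended Gentoo release key. Separately, `${BOOTSTRAP:-alpine:3.5}` in the first `FROM` always resolves to the default because no `ARG BOOTSTRAP` is declared before it, so a `--build-arg BOOTSTRAP=…` override is silently ignored; adding `ARG BOOTSTRAP` above the `FROM` makes the default meaningful.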