From f028e3a8f2da3aadec8cd5a639ce857b7bc645eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9mence=20Lesn=C3=A9?=
Date: Fri, 11 Oct 2024 09:43:26 +0200
Subject: [PATCH 1/5] security: Upgrade dependencies

---
 .github/workflows/pipeline.yaml | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml
index 94eaa849..dbe232e7 100644
--- a/.github/workflows/pipeline.yaml
+++ b/.github/workflows/pipeline.yaml
@@ -21,13 +21,13 @@ env:
   CONTAINER_REGISTRY_GHCR: ghcr.io
   CONTAINER_REGISTRY_DOCKER_HUB: docker.io
   # https://github.com/sigstore/cosign/releases
-  COSIGN_VERSION: 2.4.0
+  COSIGN_VERSION: 2.4.1
   # https://npmjs.com/package/@microsoft/sarif-multitool?activeTab=versions
   SARIF_MULTITOOL_VERSION: 4.5.4
   # https://npmjs.com/package/snyk?activeTab=versions
-  SNYK_VERSION: 1.1293.0
+  SNYK_VERSION: 1.1293.1
   # https://github.com/microsoft/azure-pipelines-agent/releases
-  AZP_AGENT_VERSION: 3.243.1
+  AZP_AGENT_VERSION: 3.244.1
   # https://github.com/PowerShell/PowerShell/releases
   POWERSHELL_VERSION: 7.2.23
   # https://github.com/krallin/tini/releases
@@ -35,43 +35,43 @@ env:
   # https://github.com/mikefarah/yq/releases
   YQ_VERSION: 4.44.3
   # https://go.dev/dl
-  GO_VERSION: 1.23.0
+  GO_VERSION: 1.23.2
   # https://github.com/rootless-containers/rootlesskit/releases
   ROOTLESSKIT_VERSION: 2.3.1
   # https://github.com/moby/buildkit/releases
-  BUILDKIT_VERSION: 0.15.2
+  BUILDKIT_VERSION: 0.16.0
   # https://github.com/Azure/azure-cli/releases
-  AZURE_CLI_VERSION: 2.63.0
+  AZURE_CLI_VERSION: 2.65.0
   # https://github.com/stedolan/jq/releases
   # Note: This version requires to be available from Debian and Ubuntu repositories (see https://packages.debian.org/bookworm/jq for example)
   JQ_VERSION: 1.6
   # https://github.com/aws/aws-cli/tags
-  AWS_CLI_VERSION: 2.17.42
+  AWS_CLI_VERSION: 2.18.4
   # https://console.cloud.google.com/artifacts/docker/google.com:cloudsdktool/us/gcr.io/google-cloud-cli
   # Note: To get thhe version number, spot the version tag on the latest pushed container
   GCLOUD_CLI_VERSION: 490.0.0
   # https://github.com/git-for-windows/git/releases
-  GIT_WIN_VERSION: 2.46.0
+  GIT_WIN_VERSION: 2.47.0
   # https://github.com/facebook/zstd/releases
   ZSTD_WIN_VERSION: 1.5.6
   # https://www.python.org/downloads/windows
-  PYTHON_WIN_VERSION: 3.12.5
+  PYTHON_WIN_VERSION: 3.12.7
   # https://nodejs.org/en/download/releases
-  NODE_VERSION: 20.17.0
+  NODE_VERSION: 20.18.0
   # https://github.com/helm/helm/releases
-  HELM_VERSION: 3.15.4
+  HELM_VERSION: 3.16.2
   # https://github.com/oras-project/oras/releases
-  ORAS_VERSION: 1.1.0
+  ORAS_VERSION: 1.2.0
   # https://github.com/docker/buildx/releases
-  BUILDX_VERSION: 0.16.2
+  BUILDX_VERSION: 0.17.1
   # https://github.com/hadolint/hadolint/releases
   HADOLINT_VERSION: 2.12.0
   # https://learn.microsoft.com/en-us/visualstudio/releases/2022/release-history#fixed-version-bootstrappers
-  VS_BUILDTOOLS_WIN_VERSION: 28626b4b-f88f-4b55-a0cf-f3eaa2c643fb/e6c43d4dfb36338d954cdb3ad9010ab2a479e712088f4f6b016eadcc721bab28 # LTSC 17.10 (17.10.35201.131)
+  VS_BUILDTOOLS_WIN_VERSION: 80c57218-b55f-4260-af46-a64ffd76e7a6/7fee719abc3ba9eced84ea258ccae39a7b0cc953b539c2ea3a98c3ff588b7870
   # https://github.com/gohugoio/hugo/releases
-  HUGO_VERSION: 0.133.1
+  HUGO_VERSION: 0.135.0
   # See: https://github.com/getsops/sops/releases
-  SOPS_VERSION: 3.9.0
+  SOPS_VERSION: 3.9.1
 
 jobs:
   init:

From a438c5f0a7b3864954e605ec91d10e597dad3500 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9mence=20Lesn=C3=A9?=
Date: Fri, 11 Oct 2024 09:44:00 +0200
Subject: [PATCH 2/5] perf: Upgrade Ubuntu GitHub Actions workers to 24.04

---
 .github/workflows/pipeline.yaml | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml
index dbe232e7..3f0470ce 100644
--- a/.github/workflows/pipeline.yaml
+++ b/.github/workflows/pipeline.yaml
@@ -76,7 +76,7 @@ env:
 jobs:
   init:
     name: Initialize
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     outputs:
       BRANCH: ${{ steps.branch.outputs.branch }}
       VERSION_FULL: ${{ steps.version.outputs.version_full }}
@@ -104,7 +104,7 @@ jobs:
 
   sast-creds:
     name: SAST - Credentials
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
         uses: actions/checkout@v4.1.7
@@ -128,7 +128,7 @@ jobs:
       - sast-creds
       - sast-semgrep
       - static-test
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
         uses: actions/checkout@v4.1.7
@@ -206,6 +206,9 @@ jobs:
       # Fix issue "Error: Code Scanning could not process the submitted SARIF file: rejecting SARIF, as there are more runs than allowed (XX > 20)"
       # See: https://github.com/github/codeql-action/issues/220
       - name: Merge SARIF files
+        env:
+          # See: https://github.com/dotnet/core/issues/2186#issuecomment-1935707348
+          DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: "1"
         run: |
           npx --yes @microsoft/sarif-multitool@${{ env.SARIF_MULTITOOL_VERSION }} merge \
             --automation-id ${{ github.run_id }} \
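Review bot: The `DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: "1"` step-level env added to the "Merge SARIF files" step is repeated verbatim in the second "Merge SARIF files" step (@@ -460 of the same patch), and the only explanation on either copy is a link; the patch subject ("perf: Upgrade Ubuntu GitHub Actions workers to 24.04") does not say that the runner change required this workaround. Hoist the variable into the workflow-level `env:` block so the two copies cannot drift, or at least give the reason next to the link, e.g. `# sarif-multitool is a .NET tool; invariant globalization is needed on the 24.04 runner image — see linked issue`. The root cause is presumably the .NET ICU dependency the linked issue discusses, but that is inferred, so confirm before wording the comment that way.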
@@ -227,7 +230,7 @@ jobs:
       - build-helm
     # Only deploy on non-scheduled main branch, as there is only one Helm repo and we cannot override an existing version
     if: (github.event_name != 'schedule') && (github.ref == 'refs/heads/main')
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
         uses: actions/checkout@v4.1.7
@@ -257,7 +260,7 @@ jobs:
 
   static-test:
     name: Static test
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
         uses: actions/checkout@v4.1.7
@@ -290,7 +293,7 @@ jobs:
       - sast-creds
       - sast-semgrep
       - static-test
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:
@@ -460,6 +463,9 @@ jobs:
       # Fix issue "Error: Code Scanning could not process the submitted SARIF file: rejecting SARIF, as there are more runs than allowed (XX > 20)"
       # See: https://github.com/github/codeql-action/issues/220
       - name: Merge SARIF files
+        env:
+          # See: https://github.com/dotnet/core/issues/2186#issuecomment-1935707348
+          DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: "1"
         run: |
           npx --yes @microsoft/sarif-multitool@${{ env.SARIF_MULTITOOL_VERSION }} merge \
             --automation-id ${{ github.run_id }} \
@@ -670,7 +676,7 @@ jobs:
 
   sast-semgrep:
     name: SAST - Semgrep
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     container:
       image: returntocorp/semgrep
     steps:
@@ -694,7 +700,7 @@ jobs:
     name: Deploy ArtifactHub metadata
     # Only deploy on main branch, as we don't want to break verification with a bad metadata file during development
     if: github.ref == 'refs/heads/main'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
         uses: actions/checkout@v4.1.7
@@ -737,7 +743,7 @@ jobs:
       - build-release-win
     # Only deploy on non-scheduled main branch, as there is only one Helm repo and we cannot override an existing version
     if: (github.event_name != 'schedule') && (github.ref == 'refs/heads/main')
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
         uses: actions/checkout@v4.1.7
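Review bot: In the sast-semgrep hunk (@@ -670) the new `runs-on: ubuntu-24.04` only changes the host, because the job's toolchain runs inside `container: image: returntocorp/semgrep`, which carries neither a tag nor a digest and therefore resolves to a floating latest on every run; that makes it the one component of this workflow whose version is not fixed, while every other tool is pinned in `env:` and every action is pinned by tag (`actions/checkout@v4.1.7`). Pin the scanner image the same way, e.g. `image: returntocorp/semgrep:<version>@sha256:<digest>` (placeholders), and bump it alongside the other versions. Tag pins on actions are mutable too, so a commit-SHA pin with the tag in a trailing comment would be the stricter form, but that is outside this patch.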
@@ -753,7 +759,7 @@ jobs:
 
   build-hugo:
     name: Build Hugo site
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs:
       - sast-creds
       - sast-semgrep
@@ -803,7 +809,7 @@ jobs:
       - init
     # Only deploy on non-scheduled main branch, as there is only one Helm repo and we cannot override an existing version
     if: (github.event_name != 'schedule') && (github.ref == 'refs/heads/main')
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Pull from gh-pages
         uses: actions/checkout@v4.1.7
@@ -837,7 +843,7 @@ jobs:
 
   integration-test:
     name: Integration test (Linux ${{ matrix.os }})
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs:
       - init
       - sast-creds

From 35d6fecdaa9c6e935f0c43119b49188a7ee0bc66 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9mence=20Lesn=C3=A9?=
Date: Fri, 11 Oct 2024 10:28:52 +0200
Subject: [PATCH 3/5] breaking: Package Python 3.12 everywhere

---
 .github/workflows/pipeline.yaml               |  7 +-
 cicd/docker-build-local.sh                    |  2 +-
 .../docs/advanced-topics/provided-software.md |  4 +-
 src/docker/Dockerfile-bookworm                | 73 ++++++++++++++----
 src/docker/Dockerfile-bullseye                | 74 ++++++++++++++----
 src/docker/Dockerfile-focal                   | 74 ++++++++++++++----
 src/docker/Dockerfile-jammy                   | 75 +++++++++++++++----
 src/docker/Dockerfile-ubi8                    | 71 ++++++++++++++----
 src/docker/Dockerfile-ubi9                    | 75 ++++++++++++++-----
 9 files changed, 360 insertions(+), 95 deletions(-)

diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml
index 3f0470ce..c0fffea1 100644
--- a/.github/workflows/pipeline.yaml
+++ b/.github/workflows/pipeline.yaml
@@ -55,7 +55,7 @@ env:
   # https://github.com/facebook/zstd/releases
   ZSTD_WIN_VERSION: 1.5.6
   # https://www.python.org/downloads/windows
-  PYTHON_WIN_VERSION: 3.12.7
+  PYTHON_VERSION: 3.12.7
   # https://nodejs.org/en/download/releases
   NODE_VERSION: 20.18.0
   # https://github.com/helm/helm/releases
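Review bot: The renamed key `PYTHON_VERSION: 3.12.7` keeps the comment `# https://www.python.org/downloads/windows` above it, but the same patch now feeds this value to the Linux from-source builds (`https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz` in the Dockerfiles) as well as to the Windows installer, so the Windows-only pointer is misleading for whoever bumps it next. Replace it with the generic release list and say what it drives, e.g. `# https://www.python.org/downloads (used for both the Windows installer and the Linux source build)`. Dropping the `_WIN` suffix is consistent with the build-args hunks that follow, so no further rename is needed.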
@@ -405,13 +405,14 @@ jobs:
         with:
           build-args: |
             AWS_CLI_VERSION=${{ env.AWS_CLI_VERSION }}
-            GCLOUD_CLI_VERSION=${{ env.GCLOUD_CLI_VERSION }}
             AZP_AGENT_VERSION=${{ env.AZP_AGENT_VERSION }}
             AZURE_CLI_VERSION=${{ env.AZURE_CLI_VERSION }}
             BUILDKIT_VERSION=${{ env.BUILDKIT_VERSION }}
+            GCLOUD_CLI_VERSION=${{ env.GCLOUD_CLI_VERSION }}
             GO_VERSION=${{ env.GO_VERSION }}
             JQ_VERSION=${{ env.JQ_VERSION }}
             POWERSHELL_VERSION=${{ env.POWERSHELL_VERSION }}
+            PYTHON_VERSION=${{ env.PYTHON_VERSION }}
             ROOTLESSKIT_VERSION=${{ env.ROOTLESSKIT_VERSION }}
             TINI_VERSION=${{ env.TINI_VERSION }}
             YQ_VERSION=${{ env.YQ_VERSION }}
@@ -582,7 +583,7 @@ jobs:
             "--build-arg", "GIT_VERSION=${{ env.GIT_WIN_VERSION }}",
             "--build-arg", "JQ_VERSION=${{ env.JQ_VERSION }}",
             "--build-arg", "POWERSHELL_VERSION=${{ env.POWERSHELL_VERSION }}",
-            "--build-arg", "PYTHON_VERSION=${{ env.PYTHON_WIN_VERSION }}",
+            "--build-arg", "PYTHON_VERSION=${{ env.PYTHON_VERSION }}",
             "--build-arg", "VS_BUILDTOOLS_VERSION=${{ env.VS_BUILDTOOLS_WIN_VERSION }}",
             "--build-arg", "YQ_VERSION=${{ env.YQ_VERSION }}",
             "--build-arg", "ZSTD_VERSION=${{ env.ZSTD_WIN_VERSION }}",
diff --git a/cicd/docker-build-local.sh b/cicd/docker-build-local.sh
index de4a95ad..eed86b5f 100644
--- a/cicd/docker-build-local.sh
+++ b/cicd/docker-build-local.sh
@@ -48,7 +48,7 @@ for suffix in ${SUFFIXES}; do
         --build-arg "GO_VERSION=${GO_VERSION}" \
         --build-arg "JQ_VERSION=${JQ_VERSION}" \
         --build-arg "POWERSHELL_VERSION=${POWERSHELL_VERSION}" \
-        --build-arg "PYTHON_VERSION=${PYTHON_WIN_VERSION}" \
+        --build-arg "PYTHON_VERSION=${PYTHON_VERSION}" \
         --build-arg "ROOTLESSKIT_VERSION=${ROOTLESSKIT_VERSION}" \
         --build-arg "TINI_VERSION=${TINI_VERSION}" \
         --build-arg "VS_BUILDTOOLS_VERSION=${VS_BUILDTOOLS_WIN_VERSION}" \
diff --git a/docs/content/docs/advanced-topics/provided-software.md b/docs/content/docs/advanced-topics/provided-software.md
index 87fe49dd..16e9ed17 100644
--- a/docs/content/docs/advanced-topics/provided-software.md
+++ b/docs/content/docs/advanced-topics/provided-software.md
@@ -18,7 +18,7 @@ Softwares are operating system specific. The following table lists the softwares
   - [zsh](https://www.zsh.org)
 - Programming languages
   - [ASP.NET Core Runtime](https://github.com/dotnet/aspnetcore)
-  - Python ([Python 3.8](https://www.python.org/downloads/release/python-380), [Python 3.9](https://www.python.org/downloads/release/python-390), [Python 3.10](https://www.python.org/downloads/release/python-3100), [Python 3.11](https://www.python.org/downloads/release/python-3110), depending of the system, plus C/Rust build tools for libs non pre-built on the platforms)
+  - [Python 3.12](https://docs.python.org/3/whatsnew/3.12.html)
 - Tools
   - [git](https://github.com/git-for-windows/git)
   - [gzip](https://www.gnu.org/software/gzip)
@@ -43,7 +43,7 @@ Softwares are operating system specific. The following table lists the softwares
   - [Windows PowerShell](https://learn.microsoft.com/en-us/powershell/scripting/windows-powershell/install/installing-windows-powershell?view=powershell-7.3)
 - Programming languages
   - [.NET SDK](https://dotnet.microsoft.com)
-  - [Python 3.11](https://www.python.org/downloads/release/python-3110)
+  - [Python 3.12](https://docs.python.org/3/whatsnew/3.12.html)
   - [Visual Studio Build Tools](https://learn.microsoft.com/en-us/visualstudio/ide/?view=vs-2022) (with `AzureBuildTools`, `VCTools`, `WebBuildTools`, `ManagedDesktopBuildTools`, `OfficeBuildTools` workloads)
 - Tools
   - [git](https://github.com/git-for-windows/git)
diff --git a/src/docker/Dockerfile-bookworm b/src/docker/Dockerfile-bookworm
index 37f7d057..5dd65fcb 100644
--- a/src/docker/Dockerfile-bookworm
+++ b/src/docker/Dockerfile-bookworm
@@ -14,11 +14,11 @@ ENV PYTHONDONTWRITEBYTECODE=1 ENV PIP_BREAK_SYSTEM_PACKAGES=1 # Install: +# - Azure CLI system requirements (C/Rust build tools for libs non pre-built on this platform) # - Azure Pipelines agent system requirements -# - zsh, for inter-operability # - dbus-user-session, fuse-overlayfs, iptables, for BuildKit # - gzip, make, tar, unzip, wget, zip, zstd for developer ease-of-life -# - Azure CLI system requirements (Python 3.11, plus C/Rust build tools for libs non pre-built on this platform) +# - zsh, for inter-operability RUN rm -f /etc/apt/apt.conf.d/docker-clean \ && echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache ARG JQ_VERSION @@ -43,9 +43,6 @@ RUN --mount=target=/var/lib/apt/lists,type=cache,sharing=locked --mount=target=/ lsb-release \ make \ pkg-config \ - python3-dev=3.11.* \ - python3-pip \ - python3=3.11.* \ software-properties-common \ sudo \ tar \ @@ -62,15 +59,6 @@ COPY arch.sh . RUN chmod +x arch.sh \ && bash arch.sh -# Install Python build tools -RUN python3 -m pip \ - --disable-pip-version-check \ - --no-cache-dir \ - --quiet \ - install \ - setuptools wheel \ - && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null - FROM base AS rootlesskit # Install Go, then verify installation 
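Review bot: The first context line of this hunk, `ENV PIP_BREAK_SYSTEM_PACKAGES=1`, is left in place although the reason for it disappears in this patch: it was the PEP 668 escape hatch for running pip against Debian's apt-managed `python3`/`python3-pip`, and the `@@ -43` hunk below removes exactly those packages in favour of a 3.12 built into `/usr/local`. If a distro `python3` is still pulled in transitively (on Debian, `software-properties-common` depends on it — verify), the flag keeps allowing `pip install` to write into that interpreter's system site-packages, which is the protection the marker file exists to provide. Either drop the `ENV` line or add a comment stating why it must stay, e.g. `# Still needed: <reason>` (fill in the reason). The other five Dockerfiles in this patch do not carry this variable, so only bookworm is affected.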
@@ -91,8 +79,65 @@ RUN git clone --depth 1 --branch v${ROOTLESSKIT_VERSION} https://github.com/root && rootlesskit --version \ && rootlessctl --version +FROM base AS python + +# Build Python 3.12 from source, then verify installation +ARG PYTHON_VERSION +ENV PYTHON_VERSION=${PYTHON_VERSION} +RUN --mount=target=/var/lib/apt/lists,type=cache,sharing=locked --mount=target=/var/cache,type=cache,sharing=locked \ + apt-get update -q \ + && apt-get install -y -q --no-install-recommends \ + g++ \ + lcov \ + libbz2-dev \ + libgdbm-compat-dev \ + libgdbm-dev \ + liblzma-dev \ + libncurses5-dev \ + libncursesw5-dev \ + libreadline-dev \ + libreadline6-dev \ + libsqlite3-dev \ + libxml2-dev \ + libxmlsec1-dev \ + lzma \ + lzma-dev \ + tk-dev \ + uuid-dev \ + xz-utils \ + zlib1g-dev \ + && curl -LsSf --retry 8 --retry-all-errors https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz -o python.tgz \ + && tar -xzf python.tgz \ + && cd Python-${PYTHON_VERSION} \ + && ./configure \ + --enable-optimizations \ + --with-ensurepip=install \ + --with-lto \ + && make -j$(nproc) \ + && make install \ + && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null \ + && python3 --version \ + && python3 -m pip --version + FROM base +# Install Python, then verify installation +COPY --from=python /usr/local/bin/python3.12 /usr/local/bin/python3.12 +COPY --from=python /usr/local/lib/python3.12 /usr/local/lib/python3.12 +RUN ln -s /usr/local/bin/python3.12 /usr/local/bin/python3 \ + && ln -s /usr/local/bin/python3.12 /usr/local/bin/python \ + && python3 --version \ + && python3 -m pip --version + +# Install Python build tools +RUN python3 -m pip \ + --disable-pip-version-check \ + --no-cache-dir \ + --quiet \ + install \ + setuptools wheel \ + && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null + # Install Azure CLI, then verify installation ARG AZURE_CLI_VERSION ENV AZURE_CLI_VERSION=${AZURE_CLI_VERSION} 
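Review bot: The Python tarball fetched by the new `curl -LsSf --retry 8 --retry-all-errors https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz -o python.tgz` line is extracted and built with no integrity check, so the build's trust rests entirely on the download host and its TLS; pin a checksum next to the version, e.g. `ARG PYTHON_SHA256` alongside `ARG PYTHON_VERSION` and `&& echo "${PYTHON_SHA256}  python.tgz" | sha256sum -c - \` before the `tar -xzf`, with the value supplied from the workflow env beside `PYTHON_VERSION`. The same unverified download is added in Dockerfile-bullseye, -focal, -jammy, -ubi8 and -ubi9 in this patch. Separately, the final stage copies only `/usr/local/bin/python3.12` and `/usr/local/lib/python3.12`, not the `/usr/local/include/python3.12` headers that `make install` also produces; the stage header says Azure CLI needs C/Rust build tools for libs not pre-built on this platform, and a pip build of such a C extension needs `Python.h`, so that install may fail on this image — worth a build-time check before merging.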
diff --git a/src/docker/Dockerfile-bullseye b/src/docker/Dockerfile-bullseye index 987b930e..3c0f4ffa 100644 --- a/src/docker/Dockerfile-bullseye +++ b/src/docker/Dockerfile-bullseye @@ -11,11 +11,11 @@ ENV HOME=/app-root ENV PYTHONDONTWRITEBYTECODE=1 # Install: +# - Azure CLI system requirements (C/Rust build tools for libs non pre-built on this platform) # - Azure Pipelines agent system requirements -# - zsh, for inter-operability # - dbus-user-session, fuse-overlayfs, iptables, for BuildKit # - gzip, make, tar, unzip, wget, zip, zstd for developer ease-of-life -# - Azure CLI system requirements (Python 3.9, plus C/Rust build tools for libs non pre-built on this platform) +# - zsh, for inter-operability RUN rm -f /etc/apt/apt.conf.d/docker-clean \ && echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache ARG JQ_VERSION @@ -40,9 +40,6 @@ RUN --mount=target=/var/lib/apt/lists,type=cache,sharing=locked --mount=target=/ lsb-release \ make \ pkg-config \ - python3-dev=3.9.* \ - python3-pip \ - python3=3.9.* \ software-properties-common \ sudo \ tar \ @@ -59,15 +56,6 @@ COPY arch.sh . RUN chmod +x arch.sh \ && bash arch.sh -# Install Python build tools -RUN python3 -m pip \ - --disable-pip-version-check \ - --no-cache-dir \ - --quiet \ - install \ - setuptools wheel \ - && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null - FROM base AS rootlesskit # Install Go, then verify installation 
@@ -88,8 +76,66 @@ RUN git clone --depth 1 --branch v${ROOTLESSKIT_VERSION} https://github.com/root && rootlesskit --version \ && rootlessctl --version +FROM base AS python + +# Build Python 3.12 from source, then verify installation +ARG PYTHON_VERSION +ENV PYTHON_VERSION=${PYTHON_VERSION} +RUN --mount=target=/var/lib/apt/lists,type=cache,sharing=locked --mount=target=/var/cache,type=cache,sharing=locked \ + apt-get update -q \ + && apt-get install -y -q --no-install-recommends \ + g++ \ + lcov \ + libbz2-dev \ + libgdbm-compat-dev \ + libgdbm-dev \ + liblzma-dev \ + libmpdec-dev \ + libncurses5-dev \ + libncursesw5-dev \ + libreadline-dev \ + libreadline6-dev \ + libsqlite3-dev \ + libxml2-dev \ + libxmlsec1-dev \ + lzma \ + lzma-dev \ + tk-dev \ + uuid-dev \ + xz-utils \ + zlib1g-dev \ + && curl -LsSf --retry 8 --retry-all-errors https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz -o python.tgz \ + && tar -xzf python.tgz \ + && cd Python-${PYTHON_VERSION} \ + && ./configure \ + --enable-optimizations \ + --with-ensurepip=install \ + --with-lto \ + && make -j$(nproc) \ + && make install \ + && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null \ + && python3 --version \ + && python3 -m pip --version + FROM base +# Install Python, then verify installation +COPY --from=python /usr/local/bin/python3.12 /usr/local/bin/python3.12 +COPY --from=python /usr/local/lib/python3.12 /usr/local/lib/python3.12 +RUN ln -s /usr/local/bin/python3.12 /usr/local/bin/python3 \ + && ln -s /usr/local/bin/python3.12 /usr/local/bin/python \ + && python3 --version \ + && python3 -m pip --version + +# Install Python build tools +RUN python3 -m pip \ + --disable-pip-version-check \ + --no-cache-dir \ + --quiet \ + install \ + setuptools wheel \ + && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null + # Install Azure CLI, then verify installation ARG AZURE_CLI_VERSION ENV AZURE_CLI_VERSION=${AZURE_CLI_VERSION} 
diff --git a/src/docker/Dockerfile-focal b/src/docker/Dockerfile-focal index 153422a5..627be55c 100644 --- a/src/docker/Dockerfile-focal +++ b/src/docker/Dockerfile-focal @@ -11,11 +11,11 @@ ENV HOME=/app-root ENV PYTHONDONTWRITEBYTECODE=1 # Install: +# - Azure CLI system requirements (C/Rust build tools for libs non pre-built on this platform) # - Azure Pipelines agent system requirements -# - zsh, for inter-operability # - dbus-user-session, iptables, uidmap, for BuildKit # - gzip, make, tar, unzip, wget, zip, zstd for developer ease-of-life -# - Azure CLI system requirements (Python 3.8, plus C/Rust build tools for libs non pre-built on this platform) +# - zsh, for inter-operability RUN rm -f /etc/apt/apt.conf.d/docker-clean \ && echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache ARG JQ_VERSION @@ -39,9 +39,6 @@ RUN --mount=target=/var/lib/apt/lists,type=cache,sharing=locked --mount=target=/ lsb-release \ make \ pkg-config \ - python3-dev=3.8.* \ - python3-pip \ - python3=3.8.* \ software-properties-common \ sudo \ tar \ @@ -58,15 +55,6 @@ COPY arch.sh . RUN chmod +x arch.sh \ && bash arch.sh -# Install Python build tools -RUN python3 -m pip \ - --disable-pip-version-check \ - --no-cache-dir \ - --quiet \ - install \ - setuptools wheel \ - && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null - FROM base AS rootlesskit # Install Go, then verify installation 
@@ -87,8 +75,66 @@ RUN git clone --depth 1 --branch v${ROOTLESSKIT_VERSION} https://github.com/root && rootlesskit --version \ && rootlessctl --version +FROM base AS python + +# Build Python 3.12 from source, then verify installation +ARG PYTHON_VERSION +ENV PYTHON_VERSION=${PYTHON_VERSION} +RUN --mount=target=/var/lib/apt/lists,type=cache,sharing=locked --mount=target=/var/cache,type=cache,sharing=locked \ + apt-get update -q \ + && apt-get install -y -q --no-install-recommends \ + g++ \ + lcov \ + libbz2-dev \ + libgdbm-compat-dev \ + libgdbm-dev \ + liblzma-dev \ + libmpdec-dev \ + libncurses5-dev \ + libncursesw5-dev \ + libreadline-dev \ + libreadline6-dev \ + libsqlite3-dev \ + libxml2-dev \ + libxmlsec1-dev \ + lzma \ + lzma-dev \ + tk-dev \ + uuid-dev \ + xz-utils \ + zlib1g-dev \ + && curl -LsSf --retry 8 https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz -o python.tgz \ + && tar -xzf python.tgz \ + && cd Python-${PYTHON_VERSION} \ + && ./configure \ + --enable-optimizations \ + --with-ensurepip=install \ + --with-lto \ + && make -j$(nproc) \ + && make install \ + && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null \ + && python3 --version \ + && python3 -m pip --version + FROM base +# Install Python, then verify installation +COPY --from=python /usr/local/bin/python3.12 /usr/local/bin/python3.12 +COPY --from=python /usr/local/lib/python3.12 /usr/local/lib/python3.12 +RUN ln -s /usr/local/bin/python3.12 /usr/local/bin/python3 \ + && ln -s /usr/local/bin/python3.12 /usr/local/bin/python \ + && python3 --version \ + && python3 -m pip --version + +# Install Python build tools +RUN python3 -m pip \ + --disable-pip-version-check \ + --no-cache-dir \ + --quiet \ + install \ + setuptools wheel \ + && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null + # Install Azure CLI, then verify installation ARG AZURE_CLI_VERSION ENV AZURE_CLI_VERSION=${AZURE_CLI_VERSION} 
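Review bot: The new Python download here is `curl -LsSf --retry 8 https://www.python.org/ftp/python/…`, without the `--retry-all-errors` that the otherwise identical line carries in Dockerfile-bookworm, -bullseye and -jammy; Dockerfile-ubi8 (@@ -84 of that file) omits it as well. That is presumably deliberate, since the curl shipped with Ubuntu 20.04 and RHEL 8 predates the option (added in curl 7.71.0) — confirm — but nothing in the file records it, so a later "make these consistent" edit would break the focal and ubi8 builds. A one-line comment above the curl, e.g. `# No --retry-all-errors: this base image's curl predates the option`, would pin the reason.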
diff --git a/src/docker/Dockerfile-jammy b/src/docker/Dockerfile-jammy index 45715ed5..fe444dc4 100644 --- a/src/docker/Dockerfile-jammy +++ b/src/docker/Dockerfile-jammy @@ -11,11 +11,11 @@ ENV HOME=/app-root ENV PYTHONDONTWRITEBYTECODE=1 # Install: +# - Azure CLI system requirements (C/Rust build tools for libs non pre-built on this platform) # - Azure Pipelines agent system requirements -# - zsh, for inter-operability # - dbus-user-session, iptables, uidmap, for BuildKit # - gzip, make, tar, unzip, wget, zip, zstd for developer ease-of-life -# - Azure CLI system requirements (Python 3.10, plus C/Rust build tools for libs non pre-built on this platform) +# - zsh, for inter-operability RUN rm -f /etc/apt/apt.conf.d/docker-clean \ && echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache ARG JQ_VERSION @@ -39,9 +39,6 @@ RUN --mount=target=/var/lib/apt/lists,type=cache,sharing=locked --mount=target=/ lsb-release \ make \ pkg-config \ - python3-dev=3.10.* \ - python3-pip \ - python3=3.10.* \ software-properties-common \ sudo \ tar \ @@ -58,15 +55,6 @@ COPY arch.sh . RUN chmod +x arch.sh \ && bash arch.sh -# Install Python build tools -RUN python3 -m pip \ - --disable-pip-version-check \ - --no-cache-dir \ - --quiet \ - install \ - setuptools wheel \ - && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null - FROM base AS rootlesskit # Install Go, then verify installation 
@@ -87,7 +75,66 @@ RUN git clone --depth 1 --branch v${ROOTLESSKIT_VERSION} https://github.com/root && rootlesskit --version \ && rootlessctl --version +FROM base AS python + +# Build Python 3.12 from source, then verify installation +ARG PYTHON_VERSION +ENV PYTHON_VERSION=${PYTHON_VERSION} +RUN --mount=target=/var/lib/apt/lists,type=cache,sharing=locked --mount=target=/var/cache,type=cache,sharing=locked \ + apt-get update -q \ + && apt-get install -y -q --no-install-recommends \ + g++ \ + lcov \ + libbz2-dev \ + libgdbm-compat-dev \ + libgdbm-dev \ + liblzma-dev \ + libmpdec-dev \ + libncurses5-dev \ + libncursesw5-dev \ + libreadline-dev \ + libreadline6-dev \ + libsqlite3-dev \ + libxml2-dev \ + libxmlsec1-dev \ + lzma \ + lzma-dev \ + tk-dev \ + uuid-dev \ + xz-utils \ + zlib1g-dev \ + && curl -LsSf --retry 8 --retry-all-errors https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz -o python.tgz \ + && tar -xzf python.tgz \ + && cd Python-${PYTHON_VERSION} \ + && ./configure \ + --enable-optimizations \ + --with-ensurepip=install \ + --with-lto \ + && make -j$(nproc) \ + && make install \ + && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null \ + && python3 --version \ + && python3 -m pip --version + FROM base + +# Install Python, then verify installation +COPY --from=python /usr/local/bin/python3.12 /usr/local/bin/python3.12 +COPY --from=python /usr/local/lib/python3.12 /usr/local/lib/python3.12 +RUN ln -s /usr/local/bin/python3.12 /usr/local/bin/python3 \ + && ln -s /usr/local/bin/python3.12 /usr/local/bin/python \ + && python3 --version \ + && python3 -m pip --version + +# Install Python build tools +RUN python3 -m pip \ + --disable-pip-version-check \ + --no-cache-dir \ + --quiet \ + install \ + setuptools wheel \ + && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null + # Install Azure CLI, then verify installation ARG AZURE_CLI_VERSION ENV AZURE_CLI_VERSION=${AZURE_CLI_VERSION} 
diff --git a/src/docker/Dockerfile-ubi8 b/src/docker/Dockerfile-ubi8 index 014bca01..5174a7d4 100644 --- a/src/docker/Dockerfile-ubi8 +++ b/src/docker/Dockerfile-ubi8 @@ -8,12 +8,12 @@ ENV HOME=/app-root ENV PYTHONDONTWRITEBYTECODE=1 # Install: -# - Azure Pipelines agent system requirements -# - Azure CLI system requirements (Python 3.9, plus C/Rust build tools for libs non pre-built on this platform) # - ASP.NET Core runtime -# - zsh, for inter-operability +# - Azure CLI system requirements (C/Rust build tools for libs non pre-built on this platform) +# - Azure Pipelines agent system requirements # - fuse-overlayfs, iptables, shadow-utils, for BuildKit # - gzip, make, tar, unzip, wget, zip, zstd for developer ease-of-life +# - zsh, for inter-operability ARG JQ_VERSION RUN --mount=target=/var/cache/yum,type=cache,sharing=locked \ microdnf install -y --nodocs --setopt=install_weak_deps=0 \ @@ -37,9 +37,6 @@ RUN --mount=target=/var/cache/yum,type=cache,sharing=locked \ openssl \ openssl-devel \ pkg-config \ - python39 \ - python39-devel \ - python39-pip \ shadow-utils \ sudo \ tar \ @@ -55,15 +52,6 @@ COPY arch.sh . RUN chmod +x arch.sh \ && bash arch.sh -# Install Python build tools -RUN python3 -m pip \ - --disable-pip-version-check \ - --no-cache-dir \ - --quiet \ - install \ - setuptools wheel \ - && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null - FROM base AS rootlesskit # Install Go, then verify installation 
@@ -84,8 +72,61 @@ RUN git clone --depth 1 --branch v${ROOTLESSKIT_VERSION} https://github.com/root && rootlesskit --version \ && rootlessctl --version +FROM base AS python + +# Build Python 3.12 from source, then verify installation +ARG PYTHON_VERSION +ENV PYTHON_VERSION=${PYTHON_VERSION} +RUN --mount=target=/var/cache/yum,type=cache,sharing=locked \ + microdnf install -y --nodocs --setopt=install_weak_deps=0 \ + bzip2 \ + bzip2-devel \ + expat \ + expat-devel \ + gdb \ + gdbm-libs \ + glibc-devel \ + libffi-devel \ + libstdc++-devel \ + libuuid-devel \ + mpdecimal \ + sqlite \ + sqlite-devel \ + sqlite-libs \ + xz-devel \ + zlib-devel \ + && curl -LsSf --retry 8 https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz -o python.tgz \ + && tar -xzf python.tgz \ + && cd Python-${PYTHON_VERSION} \ + && ./configure \ + --enable-optimizations \ + --with-ensurepip=install \ + --with-lto \ + && make -j$(nproc) \ + && make install \ + && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null \ + && python3 --version \ + && python3 -m pip --version + FROM base +# Install Python, then verify installation +COPY --from=python /usr/local/bin/python3.12 /usr/local/bin/python3.12 +COPY --from=python /usr/local/lib/python3.12 /usr/local/lib/python3.12 +RUN ln -s /usr/local/bin/python3.12 /usr/local/bin/python3 \ + && ln -s /usr/local/bin/python3.12 /usr/local/bin/python \ + && python3 --version \ + && python3 -m pip --version + +# Install Python build tools +RUN python3 -m pip \ + --disable-pip-version-check \ + --no-cache-dir \ + --quiet \ + install \ + setuptools wheel \ + && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null + # Install Azure CLI, then verify installation ARG AZURE_CLI_VERSION ENV AZURE_CLI_VERSION=${AZURE_CLI_VERSION} diff --git a/src/docker/Dockerfile-ubi9 b/src/docker/Dockerfile-ubi9 index 76f05ab5..fc98031b 100644 --- a/src/docker/Dockerfile-ubi9 +++ b/src/docker/Dockerfile-ubi9 
@@ -8,12 +8,12 @@ ENV HOME=/app-root ENV PYTHONDONTWRITEBYTECODE=1 # Install: -# - Azure Pipelines agent system requirements -# - Azure CLI system requirements (Python 3.11, plus C/Rust build tools for libs non pre-built on this platform) # - ASP.NET Core runtime -# - zsh, for inter-operability +# - Azure CLI system requirements (Python 3.11, C/Rust build tools for libs non pre-built on this platform) +# - Azure Pipelines agent system requirements # - fuse-overlayfs, iptables, shadow-utils, for BuildKit # - gzip, make, tar, unzip, wget, zip, zstd for developer ease-of-life +# - zsh, for inter-operability ARG JQ_VERSION RUN --mount=target=/var/cache/yum,type=cache,sharing=locked \ microdnf install -y --nodocs --setopt=install_weak_deps=0 \ @@ -36,9 +36,6 @@ RUN --mount=target=/var/cache/yum,type=cache,sharing=locked \ openssl \ openssl-devel \ pkg-config \ - python3.11 \ - python3.11-devel \ - python3.11-pip \ shadow-utils \ sudo \ tar \ @@ -47,8 +44,6 @@ RUN --mount=target=/var/cache/yum,type=cache,sharing=locked \ zip \ zsh \ zstd \ - && ln -s /usr/bin/python3.11 /usr/bin/python3 \ - && ln -s /usr/bin/python3.11 /usr/bin/python \ && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null # Copy helper script, then verify installation 
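Review bot: The rewritten comment line `# - Azure CLI system requirements (Python 3.11, C/Rust build tools for libs non pre-built on this platform)` still names Python 3.11, although the `@@ -36` hunk below removes `python3.11`, `python3.11-devel` and `python3.11-pip` from the microdnf list and the file now builds 3.12 from source; the other five Dockerfiles in this patch dropped the Python mention from this line. Use the same wording as those files: `# - Azure CLI system requirements (C/Rust build tools for libs non pre-built on this platform)`.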
@@ -56,22 +51,13 @@ COPY arch.sh . RUN chmod +x arch.sh \ && bash arch.sh -# Install Python build tools -RUN python3 -m pip \ - --disable-pip-version-check \ - --no-cache-dir \ - --quiet \ - install \ - setuptools wheel \ - && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null - FROM base AS rootlesskit # Install Go, then verify installation ARG GO_VERSION ENV GO_VERSION=${GO_VERSION} RUN rm -rf /usr/local/go \ - && curl -LsSf --retry 8 --retry-all-errors https://go.dev/dl/go${GO_VERSION}.linux-$(ARCH_X64=amd64 bash arch.sh).tar.gz | tar -xz -C /usr/local + && curl -LsSf --retry 8 https://go.dev/dl/go${GO_VERSION}.linux-$(ARCH_X64=amd64 bash arch.sh).tar.gz | tar -xz -C /usr/local ENV PATH="${PATH}:/usr/local/go/bin" RUN go version 
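Review bot: The Go download line changes from `curl -LsSf --retry 8 --retry-all-errors https://go.dev/dl/…` to `curl -LsSf --retry 8 https://go.dev/dl/…`, dropping retry-on-HTTP-error, while the new Python download added further down in this same file keeps `--retry-all-errors`; nothing in the patch subject ("Package Python 3.12 everywhere") explains the change, so it looks accidental — restore the flag or state why it is removed. The modified line also still pipes the archive straight into `tar -xz` with no checksum, so while touching it consider the same `sha256sum -c` pin suggested for the Python tarball.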
@@ -85,8 +71,61 @@ RUN git clone --depth 1 --branch v${ROOTLESSKIT_VERSION} https://github.com/root && rootlesskit --version \ && rootlessctl --version +FROM base AS python + +# Build Python 3.12 from source, then verify installation +ARG PYTHON_VERSION +ENV PYTHON_VERSION=${PYTHON_VERSION} +RUN --mount=target=/var/cache/yum,type=cache,sharing=locked \ + microdnf install -y --nodocs --setopt=install_weak_deps=0 \ + bzip2 \ + bzip2-devel \ + expat \ + expat-devel \ + gdb \ + gdbm-libs \ + glibc-devel \ + libffi-devel \ + libstdc++-devel \ + libuuid-devel \ + mpdecimal \ + sqlite \ + sqlite-devel \ + sqlite-libs \ + xz-devel \ + zlib-devel \ + && curl -LsSf --retry 8 --retry-all-errors https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz -o python.tgz \ + && tar -xzf python.tgz \ + && cd Python-${PYTHON_VERSION} \ + && ./configure \ + --enable-optimizations \ + --with-ensurepip=install \ + --with-lto \ + && make -j$(nproc) \ + && make install \ + && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null \ + && python3 --version \ + && python3 -m pip --version + FROM base +# Install Python, then verify installation +COPY --from=python /usr/local/bin/python3.12 /usr/local/bin/python3.12 +COPY --from=python /usr/local/lib/python3.12 /usr/local/lib/python3.12 +RUN ln -s /usr/local/bin/python3.12 /usr/local/bin/python3 \ + && ln -s /usr/local/bin/python3.12 /usr/local/bin/python \ + && python3 --version \ + && python3 -m pip --version + +# Install Python build tools +RUN python3 -m pip \ + --disable-pip-version-check \ + --no-cache-dir \ + --quiet \ + install \ + setuptools wheel \ + && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null + # Install Azure CLI, then verify installation ARG AZURE_CLI_VERSION ENV AZURE_CLI_VERSION=${AZURE_CLI_VERSION} From 6e586ba1955e96f1b5861efac372d95770d89fd2 Mon Sep 17 00:00:00 2001 
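Review bot: The Python source tarball fetched in the new `python` stage is unpacked and built without any checksum or signature check, so a pinned `PYTHON_VERSION` only fixes which version is requested, not that the archive served by python.org's CDN is the one the maintainers published. Since the stage already takes the version as an `ARG`, add a companion `ARG PYTHON_SHA256` and verify before `tar -xzf`: `&& echo "${PYTHON_SHA256}  python.tgz" | sha256sum -c - \`. The interpreter copied into the final stage was linked against the `*-devel` libraries installed only in the `python` stage (bzip2, sqlite, xz, libffi, gdbm); `python3 --version` and `pip --version` pass without them, so a smoke import such as `python3 -c "import bz2, sqlite3, lzma, ctypes"` in the final-stage verification would catch a missing runtime lib — whether the base stage already carries them is not visible here. Finally, `--with-ensurepip=install` leaves the pip that was bundled with that Python release; if the image is meant to track security fixes, follow the copy with `&& python3 -m pip install --disable-pip-version-check --no-cache-dir --upgrade pip`.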
From: =?UTF-8?q?Cl=C3=A9mence=20Lesn=C3=A9?= Date: Fri, 11 Oct 2024 13:45:42 +0200 Subject: [PATCH 4/5] feat: Add Ubuntu 24.04 base image --- .github/workflows/pipeline.yaml | 10 +- docs/content/docs/getting-started.md | 7 +- src/bicep/main.bicep | 1 + src/docker/Dockerfile-bookworm | 3 +- src/docker/Dockerfile-bullseye | 3 +- src/docker/Dockerfile-focal | 3 +- src/docker/Dockerfile-jammy | 3 +- src/docker/Dockerfile-noble | 253 +++++++++++++++++++++++++++ src/docker/Dockerfile-ubi8 | 3 +- src/docker/Dockerfile-ubi9 | 3 +- 10 files changed, 269 insertions(+), 20 deletions(-) create mode 100644 src/docker/Dockerfile-noble diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index c0fffea1..bc2b7112 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -43,8 +43,7 @@ env: # https://github.com/Azure/azure-cli/releases AZURE_CLI_VERSION: 2.65.0 # https://github.com/stedolan/jq/releases - # Note: This version requires to be available from Debian and Ubuntu repositories (see https://packages.debian.org/bookworm/jq for example) - JQ_VERSION: 1.6 + JQ_WIN_VERSION: 1.7.1 # https://github.com/aws/aws-cli/tags AWS_CLI_VERSION: 2.18.4 # https://console.cloud.google.com/artifacts/docker/google.com:cloudsdktool/us/gcr.io/google-cloud-cli @@ -306,6 +305,8 @@ jobs: arch: linux/amd64,linux/arm64 - os: jammy arch: linux/amd64,linux/arm64 + - os: noble + arch: linux/amd64,linux/arm64 - os: ubi8 arch: linux/amd64,linux/arm64 - os: ubi9 @@ -410,7 +411,6 @@ jobs: BUILDKIT_VERSION=${{ env.BUILDKIT_VERSION }} GCLOUD_CLI_VERSION=${{ env.GCLOUD_CLI_VERSION }} GO_VERSION=${{ env.GO_VERSION }} - JQ_VERSION=${{ env.JQ_VERSION }} POWERSHELL_VERSION=${{ env.POWERSHELL_VERSION }} PYTHON_VERSION=${{ env.PYTHON_VERSION }} ROOTLESSKIT_VERSION=${{ env.ROOTLESSKIT_VERSION }} 
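Review bot: Renaming `JQ_VERSION` to `JQ_WIN_VERSION` and removing the pin from the Linux Dockerfiles means the Linux flavors now install whatever `jq` the distro repository serves at build time, while the env block — which otherwise records every tool version — no longer says so; the deleted `# Note:` was the only hint that jq handling differs per platform. Keep the releases URL comment but make the scope explicit, e.g. `# Windows only: Linux flavors take jq from the distro repositories (unpinned, follows distro security updates)` above `JQ_WIN_VERSION: 1.7.1`. Taking the distro package is a reasonable trade (it picks up vendor patches automatically), but the image is no longer reproducible for that package, so recording the decision matters for anyone auditing the SBOM later.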
@@ -581,7 +581,7 @@ jobs: "--build-arg", "AZURE_CLI_VERSION=${{ env.AZURE_CLI_VERSION }}", "--build-arg", "GCLOUD_CLI_VERSION=${{ env.GCLOUD_CLI_VERSION }}", "--build-arg", "GIT_VERSION=${{ env.GIT_WIN_VERSION }}", - "--build-arg", "JQ_VERSION=${{ env.JQ_VERSION }}", + "--build-arg", "JQ_VERSION=${{ env.JQ_WIN_VERSION }}", "--build-arg", "POWERSHELL_VERSION=${{ env.POWERSHELL_VERSION }}", "--build-arg", "PYTHON_VERSION=${{ env.PYTHON_VERSION }}", "--build-arg", "VS_BUILDTOOLS_VERSION=${{ env.VS_BUILDTOOLS_WIN_VERSION }}", @@ -858,7 +858,7 @@ jobs: # Rate limiting on Azure DevOps SaaS APIs is triggered quickluy by integration tests, so we need to limit the number of parallel jobs max-parallel: 3 matrix: - os: [bookworm, bullseye, focal, jammy, ubi8, ubi9] + os: [bookworm, bullseye, focal, jammy, noble, ubi8, ubi9] steps: - name: Checkout uses: actions/checkout@v4.1.7 diff --git a/docs/content/docs/getting-started.md b/docs/content/docs/getting-started.md index 8a39cd58..ae9f7f1f 100644 --- a/docs/content/docs/getting-started.md +++ b/docs/content/docs/getting-started.md 
@@ -86,12 +86,13 @@ OS support is generally called "flavor" in this documentation. The following tab | ------------------------------------------------ | ---------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | | `ghcr.io/clemlesne/blue-agent:bookworm-main` | [Debian Bookworm (12)](https://www.debian.org/releases/bookworm) slim | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/blue-agent/bookworm-main?label=) | `amd64`, `arm64/v8` | [See Debian LTS wiki.](https://wiki.debian.org/LTS) | | `ghcr.io/clemlesne/blue-agent:bullseye-main` | [Debian Bullseye (11)](https://www.debian.org/releases/bullseye) slim | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/blue-agent/bullseye-main?label=) | `amd64`, `arm64/v8` | [See Debian LTS wiki.](https://wiki.debian.org/LTS) | -| `ghcr.io/clemlesne/blue-agent:focal-main` | [Ubuntu Focal (20.04)](https://www.releases.ubuntu.com/focal) minimal | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/blue-agent/focal-main?label=) | `amd64`, `arm64/v8` | [See Ubuntu LTS wiki.](https://wiki.ubuntu.com/Releases) | +| `ghcr.io/clemlesne/blue-agent:noble-main` | [Ubuntu Noble (24.04)](https://www.releases.ubuntu.com/noble) minimal | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/blue-agent/noble-main?label=) | `amd64`, `arm64/v8` | [See Ubuntu LTS wiki.](https://wiki.ubuntu.com/Releases) | | `ghcr.io/clemlesne/blue-agent:jammy-main` | [Ubuntu Jammy (22.04)](https://www.releases.ubuntu.com/jammy) minimal | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/blue-agent/jammy-main?label=) | `amd64`, 
`arm64/v8` | [See Ubuntu LTS wiki.](https://wiki.ubuntu.com/Releases) | -| `ghcr.io/clemlesne/blue-agent:ubi8-main` | [Red Hat UBI 8](https://developers.redhat.com/articles/ubi-faq) minimal | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/blue-agent/ubi8-main?label=) | `amd64`, `arm64/v8` | [See Red Hat product life cycles.](https://access.redhat.com/product-life-cycles/?product=Red%20Hat%20Enterprise%20Linux) | +| `ghcr.io/clemlesne/blue-agent:focal-main` | [Ubuntu Focal (20.04)](https://www.releases.ubuntu.com/focal) minimal | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/blue-agent/focal-main?label=) | `amd64`, `arm64/v8` | [See Ubuntu LTS wiki.](https://wiki.ubuntu.com/Releases) | | `ghcr.io/clemlesne/blue-agent:ubi9-main` | [Red Hat UBI 9](https://developers.redhat.com/articles/ubi-faq) minimal | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/blue-agent/ubi9-main?label=) | `amd64`, `arm64/v8` | [See Red Hat product life cycles.](https://access.redhat.com/product-life-cycles/?product=Red%20Hat%20Enterprise%20Linux) | -| `ghcr.io/clemlesne/blue-agent:win-ltsc2019-main` | [Windows Server 2019](https://learn.microsoft.com/en-us/windows-server) Core | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/blue-agent/win-ltsc2019-main?label=) | `amd64` | [See base image servicing lifecycles.](https://learn.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/base-image-lifecycle) | +| `ghcr.io/clemlesne/blue-agent:ubi8-main` | [Red Hat UBI 8](https://developers.redhat.com/articles/ubi-faq) minimal | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/blue-agent/ubi8-main?label=) | `amd64`, `arm64/v8` | [See Red Hat product life cycles.](https://access.redhat.com/product-life-cycles/?product=Red%20Hat%20Enterprise%20Linux) | | `ghcr.io/clemlesne/blue-agent:win-ltsc2022-main` | [Windows Server 
2022](https://learn.microsoft.com/en-us/windows-server) Core | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/blue-agent/win-ltsc2022-main?label=) | `amd64` | [See base image servicing lifecycles.](https://learn.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/base-image-lifecycle) | +| `ghcr.io/clemlesne/blue-agent:win-ltsc2019-main` | [Windows Server 2019](https://learn.microsoft.com/en-us/windows-server) Core | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/blue-agent/win-ltsc2019-main?label=) | `amd64` | [See base image servicing lifecycles.](https://learn.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/base-image-lifecycle) | ## Docker Hub images diff --git a/src/bicep/main.bicep b/src/bicep/main.bicep index 3a4faec9..5107b960 100644 --- a/src/bicep/main.bicep +++ b/src/bicep/main.bicep @@ -12,6 +12,7 @@ param extraEnv array = [] 'bullseye' 'focal' 'jammy' + 'noble' 'ubi8' 'ubi9' ]) diff --git a/src/docker/Dockerfile-bookworm b/src/docker/Dockerfile-bookworm index 5dd65fcb..d1d8b0e4 100644 --- a/src/docker/Dockerfile-bookworm +++ b/src/docker/Dockerfile-bookworm @@ -21,7 +21,6 @@ ENV PIP_BREAK_SYSTEM_PACKAGES=1 # - zsh, for inter-operability RUN rm -f /etc/apt/apt.conf.d/docker-clean \ && echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache -ARG JQ_VERSION RUN --mount=target=/var/lib/apt/lists,type=cache,sharing=locked --mount=target=/var/cache,type=cache,sharing=locked \ apt-get update -q \ && apt-get install -y -q --no-install-recommends \ @@ -37,7 +36,7 @@ RUN --mount=target=/var/lib/apt/lists,type=cache,sharing=locked --mount=target=/ gzip \ iptables \ iputils-ping \ - jq=${JQ_VERSION}-* \ + jq \ libffi-dev \ libssl-dev \ lsb-release \ diff --git a/src/docker/Dockerfile-bullseye b/src/docker/Dockerfile-bullseye index 3c0f4ffa..8ba1981e 100644 --- a/src/docker/Dockerfile-bullseye 
+++ b/src/docker/Dockerfile-bullseye @@ -18,7 +18,6 @@ ENV PYTHONDONTWRITEBYTECODE=1 # - zsh, for inter-operability RUN rm -f /etc/apt/apt.conf.d/docker-clean \ && echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache -ARG JQ_VERSION RUN --mount=target=/var/lib/apt/lists,type=cache,sharing=locked --mount=target=/var/cache,type=cache,sharing=locked \ apt-get update -q \ && apt-get install -y -q --no-install-recommends \ @@ -34,7 +33,7 @@ RUN --mount=target=/var/lib/apt/lists,type=cache,sharing=locked --mount=target=/ gzip \ iptables \ iputils-ping \ - jq=${JQ_VERSION}-* \ + jq \ libffi-dev \ libssl-dev \ lsb-release \ diff --git a/src/docker/Dockerfile-focal b/src/docker/Dockerfile-focal index 627be55c..48e8c1cd 100644 --- a/src/docker/Dockerfile-focal +++ b/src/docker/Dockerfile-focal @@ -18,7 +18,6 @@ ENV PYTHONDONTWRITEBYTECODE=1 # - zsh, for inter-operability RUN rm -f /etc/apt/apt.conf.d/docker-clean \ && echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache -ARG JQ_VERSION RUN --mount=target=/var/lib/apt/lists,type=cache,sharing=locked --mount=target=/var/cache,type=cache,sharing=locked \ apt-get update -q \ && apt-get install -y -q --no-install-recommends \ @@ -33,7 +32,7 @@ RUN --mount=target=/var/lib/apt/lists,type=cache,sharing=locked --mount=target=/ gzip \ iptables \ iputils-ping \ - jq=${JQ_VERSION}-* \ + jq \ libffi-dev \ libssl-dev \ lsb-release \ diff --git a/src/docker/Dockerfile-jammy b/src/docker/Dockerfile-jammy index fe444dc4..e99acdb6 100644 --- a/src/docker/Dockerfile-jammy +++ b/src/docker/Dockerfile-jammy 
@@ -18,7 +18,6 @@ ENV PYTHONDONTWRITEBYTECODE=1 # - zsh, for inter-operability RUN rm -f /etc/apt/apt.conf.d/docker-clean \ && echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache -ARG JQ_VERSION RUN --mount=target=/var/lib/apt/lists,type=cache,sharing=locked --mount=target=/var/cache,type=cache,sharing=locked \ apt-get update -q \ && apt-get install -y -q --no-install-recommends \ @@ -33,7 +32,7 @@ RUN --mount=target=/var/lib/apt/lists,type=cache,sharing=locked --mount=target=/ gzip \ iptables \ iputils-ping \ - jq=${JQ_VERSION}-* \ + jq \ libffi-dev \ libssl-dev \ lsb-release \ diff --git a/src/docker/Dockerfile-noble b/src/docker/Dockerfile-noble new file mode 100644 index 00000000..c7cdcb4a --- /dev/null +++ b/src/docker/Dockerfile-noble 
@@ -0,0 +1,253 @@ +FROM mcr.microsoft.com/dotnet/aspnet:8.0-noble@sha256:a516b80935ab07dc415244dcdb8c52f4592644282127ecfa37c77561d26d25d5 AS base + +# Force apt-get to not use TTY +ENV DEBIAN_FRONTEND=noninteractive + +# Configure local user +ENV USER=root +ENV HOME=/app-root + +# Avoid Python cache during build +ENV PYTHONDONTWRITEBYTECODE=1 + +# Allow install Python system packages +ENV PIP_BREAK_SYSTEM_PACKAGES=1 + +# Install: +# - Azure CLI system requirements (C/Rust build tools for libs non pre-built on this platform) +# - Azure Pipelines agent system requirements +# - dbus-user-session, fuse-overlayfs, iptables, for BuildKit +# - gzip, make, tar, unzip, wget, zip, zstd for developer ease-of-life +# - zsh, for inter-operability +RUN rm -f /etc/apt/apt.conf.d/docker-clean \ + && echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache +RUN --mount=target=/var/lib/apt/lists,type=cache,sharing=locked --mount=target=/var/cache,type=cache,sharing=locked \ + apt-get update -q \ + && apt-get install -y -q --no-install-recommends \ + build-essential \ + ca-certificates \ + cargo \ + curl \ + dbus-user-session \ + fuse-overlayfs \ + git \ + git-lfs \ + gnupg \ + gzip \ + iptables \ + iputils-ping \ + jq \ + libffi-dev \ + libssl-dev \ + lsb-release \ + make \ + pkg-config \ + software-properties-common \ + sudo \ + tar \ + uidmap \ + unzip \ + wget \ + zip \ + zsh \ + zstd \ + && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null + +# Copy helper script, then verify installation +COPY arch.sh . 
+RUN chmod +x arch.sh \ + && bash arch.sh + +FROM base AS rootlesskit + +# Install Go, then verify installation +ARG GO_VERSION +ENV GO_VERSION=${GO_VERSION} +RUN rm -rf /usr/local/go \ + && curl -LsSf --retry 8 --retry-all-errors https://go.dev/dl/go${GO_VERSION}.linux-$(ARCH_X64=amd64 bash arch.sh).tar.gz | tar -xz -C /usr/local +ENV PATH="${PATH}:/usr/local/go/bin" +RUN go version + +# Install RootlessKit, then verify installation +ARG ROOTLESSKIT_VERSION +ENV ROOTLESSKIT_VERSION=${ROOTLESSKIT_VERSION} +RUN git clone --depth 1 --branch v${ROOTLESSKIT_VERSION} https://github.com/rootless-containers/rootlesskit.git rootlesskit \ + && make --directory rootlesskit \ + && make --directory rootlesskit install \ + && rm -rf rootlesskit \ + && rootlesskit --version \ + && rootlessctl --version + +FROM base AS python + +# Build Python 3.12 from source, then verify installation +ARG PYTHON_VERSION +ENV PYTHON_VERSION=${PYTHON_VERSION} +RUN --mount=target=/var/lib/apt/lists,type=cache,sharing=locked --mount=target=/var/cache,type=cache,sharing=locked \ + apt-get update -q \ + && apt-get install -y -q --no-install-recommends \ + g++ \ + lcov \ + libbz2-dev \ + libgdbm-compat-dev \ + libgdbm-dev \ + liblzma-dev \ + libncurses5-dev \ + libncursesw5-dev \ + libreadline-dev \ + libreadline6-dev \ + libsqlite3-dev \ + libxml2-dev \ + libxmlsec1-dev \ + lzma \ + lzma-dev \ + tk-dev \ + uuid-dev \ + xz-utils \ + zlib1g-dev \ + && curl -LsSf --retry 8 --retry-all-errors https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz -o python.tgz \ + && tar -xzf python.tgz \ + && cd Python-${PYTHON_VERSION} \ + && ./configure \ + --enable-optimizations \ + --with-ensurepip=install \ + --with-lto \ + && make -j$(nproc) \ + && make install \ + && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null \ + && python3 --version \ + && python3 -m pip --version + +FROM base + +# Install Python, then verify installation +COPY --from=python 
/usr/local/bin/python3.12 /usr/local/bin/python3.12 +COPY --from=python /usr/local/lib/python3.12 /usr/local/lib/python3.12 +RUN ln -s /usr/local/bin/python3.12 /usr/local/bin/python3 \ + && ln -s /usr/local/bin/python3.12 /usr/local/bin/python \ + && python3 --version \ + && python3 -m pip --version + +# Install Python build tools +RUN python3 -m pip \ + --disable-pip-version-check \ + --no-cache-dir \ + --quiet \ + install \ + setuptools wheel \ + && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null + +# Install Azure CLI, then verify installation +ARG AZURE_CLI_VERSION +ENV AZURE_CLI_VERSION=${AZURE_CLI_VERSION} +RUN python3 -m pip \ + --disable-pip-version-check \ + --no-cache-dir \ + --quiet \ + install \ + azure-cli==${AZURE_CLI_VERSION} \ + && az version \ + && rm -rf ${HOME}/.azure ${HOME}/.cache/pip \ + && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null + +# Install AWS CLI, then verify installation +ARG AWS_CLI_VERSION +ENV AWS_CLI_VERSION=${AWS_CLI_VERSION} +RUN curl -LsSf --retry 8 --retry-all-errors https://awscli.amazonaws.com/awscli-exe-linux-$(ARCH_X64=x86_64 ARCH_ARM64=aarch64 bash arch.sh)-${AWS_CLI_VERSION}.zip -o awscli.zip \ + && unzip -q awscli.zip \ + && ./aws/install \ + && rm -rf awscli.zip aws \ + && aws --version + +# Install Google Cloud CLI, then verify installation +ARG GCLOUD_CLI_VERSION +ENV GCLOUD_CLI_VERSION=${GCLOUD_CLI_VERSION} +RUN curl -LsSf --retry 8 --retry-all-errors https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-${GCLOUD_CLI_VERSION}-linux-$(ARCH_X64=x86_64 ARCH_ARM64=arm bash arch.sh).tar.gz | tar -xz -C /usr/local \ + && /usr/local/google-cloud-sdk/install.sh \ + --additional-components beta \ + --quiet \ + && ln -s /usr/local/google-cloud-sdk/bin/gcloud /usr/bin/gcloud \ + && ln -s /usr/local/google-cloud-sdk/bin/gsutil /usr/bin/gsutil \ + && gcloud version \ + && rm -rf /usr/local/google-cloud-sdk/.install ${HOME}/.config/gcloud \ + && find / 
-depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null + +# Install Powershell, then verify installation +ARG POWERSHELL_VERSION +ENV POWERSHELL_VERSION=${POWERSHELL_VERSION} +RUN mkdir -p /opt/microsoft/powershell \ + && curl -LsSf --retry 8 --retry-all-errors https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell-${POWERSHELL_VERSION}-linux-$(bash arch.sh).tar.gz | tar -xz -C /opt/microsoft/powershell \ + && chmod +x /opt/microsoft/powershell/pwsh \ + && ln -s /opt/microsoft/powershell/pwsh /usr/bin/pwsh \ + && pwsh -Version \ + && rm -rf ${HOME}/.config/powershell ${HOME}/.cache/powershell + +# Install YQ, then verify installation +ARG YQ_VERSION +ENV YQ_VERSION=${YQ_VERSION} +RUN curl -LsSf --retry 8 --retry-all-errors https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_$(ARCH_X64=amd64 bash arch.sh) -o /usr/bin/yq \ + && chmod +x /usr/bin/yq \ + && yq --version + +# Install Tini, then verify installation +ARG TINI_VERSION +ENV TINI_VERSION=${TINI_VERSION} +RUN curl -LsSf --retry 8 --retry-all-errors https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-$(ARCH_X64=amd64 bash arch.sh) -o /tini \ + && chmod +x /tini \ + && /tini --version +ENTRYPOINT ["/tini", "--"] + +# Install BuildKit, then verify installation +ARG BUILDKIT_VERSION +ENV BUILDKIT_VERSION=${BUILDKIT_VERSION} +RUN mkdir buildkit \ + && curl -LsSf --retry 8 --retry-all-errors https://github.com/moby/buildkit/releases/download/v${BUILDKIT_VERSION}/buildkit-v${BUILDKIT_VERSION}.linux-$(ARCH_X64=amd64 bash arch.sh).tar.gz | tar -xz -C buildkit \ + && mv buildkit/bin/* /usr/local/bin \ + && rm -rf buildkit \ + && buildctl --version \ + && buildkitd --version + +# Install RootlessKit, then verify installation +COPY --from=rootlesskit /usr/local/bin/rootless* /usr/bin/ +RUN rootlesskit --version \ + && rootlessctl --version + +# Install Azure Pipelines Agent sources, then verify installation +ARG AZP_AGENT_VERSION 
+ENV AZP_AGENT_VERSION=${AZP_AGENT_VERSION} +ENV AZP_HOME=${HOME}/azp-agent +# Disable agent auto-updates +# See: https://github.com/microsoft/azure-pipelines-agent/blob/b5ff4408239f3e938560f8b2e3848df76489a8d0/src/Agent.Listener/Agent.cs#L354C24-L354C24 +ENV agent.disableupdate="1" +RUN mkdir -p ${AZP_HOME} \ + && curl -LsSf --retry 8 --retry-all-errors https://vstsagentpackage.azureedge.net/agent/${AZP_AGENT_VERSION}/pipelines-agent-linux-$(bash arch.sh)-${AZP_AGENT_VERSION}.tar.gz | tar -xz -C ${AZP_HOME} \ + && cd ${AZP_HOME} \ + && chmod +x run-docker.sh config.sh \ + && AGENT_ALLOW_RUNASROOT="1" bash run-docker.sh --version \ + && rm -rf _diag \ + # Allow local user to R/W to agent home + && chmod -R a+w . +ENV AZP_WORK=${HOME}/azp-work +ENV AZP_CUSTOM_CERT_PEM=${HOME}/azp-custom-certs + +# Cleanup helper script +RUN rm arch.sh + +# Reset Python configs to default +ENV PYTHONDONTWRITEBYTECODE= +ENV PIP_BREAK_SYSTEM_PACKAGES= + +# Configure local user +RUN mkdir -p /run/user/0 ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \ + && chown -R ${USER} /run/user/0 ${HOME} \ + && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid +USER 0:0 +ENV XDG_RUNTIME_DIR=/run/user/0 +ENV TMPDIR=${HOME}/.local/tmp +ENV BUILDKIT_HOST=unix:///run/user/0/buildkit/buildkitd.sock + +# Install Azure Pipelines Agent startup script +WORKDIR ${AZP_HOME} +COPY start.sh . +# Run as exec form, so that it can receive signals from Tini +CMD ["bash", "start.sh"] diff --git a/src/docker/Dockerfile-ubi8 b/src/docker/Dockerfile-ubi8 index 5174a7d4..9fd1334f 100644 --- a/src/docker/Dockerfile-ubi8 +++ b/src/docker/Dockerfile-ubi8 
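Review bot: Every third-party tool in this new file — Go, the Python tarball, the AWS CLI zip, the Google Cloud CLI, PowerShell, yq, tini, BuildKit and the Azure Pipelines agent — is fetched with `curl ... | tar` or `curl -o` and executed with no checksum or signature verification, so the digest-pinned base image is the only tamper-evident input to the build; most of these projects publish SHA-256 sums next to their releases, so pass a pinned `<TOOL>_SHA256` build arg per download and check it before extraction, e.g. for tini `&& echo "${TINI_SHA256}  /tini" | sha256sum -c - \`. RootlessKit is built from `git clone --depth 1 --branch v${ROOTLESSKIT_VERSION}`, and a tag is mutable, so either pin a commit (`git -C rootlesskit checkout <sha>` right after the clone) or fetch the release tarball with its checksum. The `chmod -R a+w .` on the agent home makes the agent binaries and `config.sh` world-writable even though the image already runs as `USER 0:0` and the later `chown -R ${USER} /run/user/0 ${HOME}` already covers `${AZP_HOME}`; dropping the chmod grants nothing less to the running user and stops any other uid a job switches to from rewriting the agent. Also, `software-properties-common` presumably pulls Ubuntu's own python3 into the base layer alongside the interpreter built in the `python` stage, leaving two Python 3.12 installations to patch — worth confirming, and dropping that package if `add-apt-repository` is never used.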
@@ -14,7 +14,6 @@ ENV PYTHONDONTWRITEBYTECODE=1 # - fuse-overlayfs, iptables, shadow-utils, for BuildKit # - gzip, make, tar, unzip, wget, zip, zstd for developer ease-of-life # - zsh, for inter-operability -ARG JQ_VERSION RUN --mount=target=/var/cache/yum,type=cache,sharing=locked \ microdnf install -y --nodocs --setopt=install_weak_deps=0 \ aspnetcore-runtime-8.0 \ @@ -32,7 +31,7 @@ RUN --mount=target=/var/cache/yum,type=cache,sharing=locked \ hostname \ iptables \ iputils \ - jq-${JQ_VERSION} \ + jq \ make \ openssl \ openssl-devel \ diff --git a/src/docker/Dockerfile-ubi9 b/src/docker/Dockerfile-ubi9 index fc98031b..0cec0737 100644 --- a/src/docker/Dockerfile-ubi9 +++ b/src/docker/Dockerfile-ubi9 @@ -14,7 +14,6 @@ ENV PYTHONDONTWRITEBYTECODE=1 # - fuse-overlayfs, iptables, shadow-utils, for BuildKit # - gzip, make, tar, unzip, wget, zip, zstd for developer ease-of-life # - zsh, for inter-operability -ARG JQ_VERSION RUN --mount=target=/var/cache/yum,type=cache,sharing=locked \ microdnf install -y --nodocs --setopt=install_weak_deps=0 \ aspnetcore-runtime-8.0 \ @@ -31,7 +30,7 @@ RUN --mount=target=/var/cache/yum,type=cache,sharing=locked \ hostname \ iptables \ iputils \ - jq-${JQ_VERSION} \ + jq \ make \ openssl \ openssl-devel \ From b3ff51a458ce2777700e3d904a9ca38ff465b651 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9mence=20Lesn=C3=A9?= Date: Fri, 11 Oct 2024 19:33:58 +0200 Subject: [PATCH 5/5] fix: Oras GitHub Action to use v1.2.0 --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index bc2b7112..8e680927 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -707,7 +707,7 @@ jobs: uses: actions/checkout@v4.1.7 - name: Setup ORAS - uses: oras-project/setup-oras@v1.1.0 + uses: oras-project/setup-oras@v1.2.0 with: version: ${{ env.ORAS_VERSION }}