From 64956e3bbfc48179cdafce31402e090902850256 Mon Sep 17 00:00:00 2001 
From: Mitsuru Kariya Date: Wed, 19 Jun 2024 15:37:52 +0900 Subject: [PATCH 1/5] Simplify registry build 1. `make/photon/Makefile` Remove `cd` command since the current directory is changed in `make/photon/registry/builder`. 2. `make/photon/registry/Dockerfile.base` Change the owner of `/etc/pki/tls/certs` when building the base image. (Since files under `/etc/pki/tls/certs` are not affected by binary build.) 3. `make/photon/registry/Dockerfile` - Remove changing the owner of `/etc/pki/tls/certs` since the change has been moved to the base image. - The owner/permission changes of files copied from the context are now performed simultaneously when the `COPY` command is executed. (If `COPY` and the owner/permission changes were separated, both image layers before and after change would be created, making the image unnecessarily large.) - Add `--link` option to `COPY` command. (This will improve image build efficiency since the base image will not be extracted at build time.) 4. `make/photon/registry/builder`. - Move `set -e` (exit immediately on error) to the top. - There is no `error` command, so change it to the `echo` command. - Remove `cur` variables that are no longer used by using `~-` and `cd -`. - Add `--depth 1` option to `git clone` command. (Since we only need the specified version of the source to build, we don't need the whole history, and this reduces the amount of transfer at clone time.) - Change the `docker build` command to specify the source file directly with the `-f` option instead of copying `Dockerfile.binary`. - Change the `docker build` command to directly output the binary file without creating a container image and container by specifying the output directory with the `-o` option. 5. `make/photon/registry/Dockerfile.binary`. - Remove `PREFIX` variable specified at `make` command line, since it is not used. - Change `make` build target from `binaries` to `bin/registry`. (Since `binaries` other than `bin/registry` are not used.) 
- Add a stage to extract only binary files, since `make/photon/registry/builder` now outputs binary files directly. Signed-off-by: Mitsuru Kariya --- make/photon/Makefile | 2 +- make/photon/registry/Dockerfile | 11 +++-------- make/photon/registry/Dockerfile.base | 3 ++- make/photon/registry/Dockerfile.binary | 7 +++++-- make/photon/registry/builder | 24 ++++++------------------ 5 files changed, 17 insertions(+), 30 deletions(-) diff --git a/make/photon/Makefile b/make/photon/Makefile index c6de67da341..5dc24cfa914 100644 --- a/make/photon/Makefile +++ b/make/photon/Makefile @@ -178,7 +178,7 @@ _build_registry: rm -rf $(DOCKERFILEPATH_REG)/binary && mkdir -p $(DOCKERFILEPATH_REG)/binary && \ $(call _get_binary, $(REGISTRYURL), $(DOCKERFILEPATH_REG)/binary/registry); \ else \ - cd $(DOCKERFILEPATH_REG) && $(DOCKERFILEPATH_REG)/builder $(REGISTRY_SRC_TAG) && cd - ; \ + $(DOCKERFILEPATH_REG)/builder $(REGISTRY_SRC_TAG) ; \ fi @echo "building registry container for photon..." @chmod 655 $(DOCKERFILEPATH_REG)/binary/registry && $(DOCKERBUILD_WITH_PULL_PARA) --build-arg harbor_base_image_version=$(BASEIMAGETAG) --build-arg harbor_base_namespace=$(BASEIMAGENAMESPACE) -f $(DOCKERFILEPATH_REG)/$(DOCKERFILENAME_REG) -t $(DOCKERIMAGENAME_REG):$(VERSIONTAG) . diff --git a/make/photon/registry/Dockerfile b/make/photon/registry/Dockerfile index f6565ff386e..adda282c22e 100644 --- a/make/photon/registry/Dockerfile +++ b/make/photon/registry/Dockerfile 
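Review bot: Dropping `cd $(DOCKERFILEPATH_REG)` from the `_build_registry` recipe changes where the builder's first steps run. In the builder hunk of this same patch, `mkdir -p binary` and `rm -rf binary/registry` execute before the script's own `cd \`dirname $0\``, so they now act on whatever directory make was started from. The visible effect is a stray `binary/` directory in the caller's working directory, and a stale `$(DOCKERFILEPATH_REG)/binary/registry` that is no longer removed before the build. Moving the directory change to the top of the builder (`cd "$(dirname "$0")"` ahead of the `mkdir`) keeps this recipe line as written and restores the old behaviour. The recipe starts above this hunk, so the `if` condition is not visible.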
@@ -2,14 +2,9 @@ ARG harbor_base_image_version ARG harbor_base_namespace FROM ${harbor_base_namespace}/harbor-registry-base:${harbor_base_image_version} -COPY ./make/photon/common/install_cert.sh /home/harbor -COPY ./make/photon/registry/entrypoint.sh /home/harbor -COPY ./make/photon/registry/binary/registry /usr/bin/registry_DO_NOT_USE_GC - -RUN chown -R harbor:harbor /etc/pki/tls/certs \ - && chown harbor:harbor /home/harbor/entrypoint.sh && chmod u+x /home/harbor/entrypoint.sh \ - && chown harbor:harbor /home/harbor/install_cert.sh && chmod u+x /home/harbor/install_cert.sh \ - && chown harbor:harbor /usr/bin/registry_DO_NOT_USE_GC && chmod u+x /usr/bin/registry_DO_NOT_USE_GC +COPY --link --chown=10000:10000 --chmod=755 ./make/photon/common/install_cert.sh /home/harbor/ +COPY --link --chown=10000:10000 --chmod=744 ./make/photon/registry/entrypoint.sh /home/harbor/ +COPY --link --chown=10000:10000 --chmod=755 ./make/photon/registry/binary/registry /usr/bin/registry_DO_NOT_USE_GC HEALTHCHECK CMD curl --fail -s http://localhost:5000 || curl -k --fail -s https://localhost:5443 || exit 1 diff --git a/make/photon/registry/Dockerfile.base b/make/photon/registry/Dockerfile.base index 3c4a465e6ac..6cf180f3b62 100644 --- a/make/photon/registry/Dockerfile.base +++ b/make/photon/registry/Dockerfile.base @@ -3,4 +3,5 @@ FROM photon:5.0 RUN tdnf install -y shadow >> /dev/null \ && tdnf clean all \ && mkdir -p /etc/registry \ - && groupadd -r -g 10000 harbor && useradd --no-log-init -m -g 10000 -u 10000 harbor + && groupadd -r -g 10000 harbor && useradd --no-log-init -m -g 10000 -u 10000 harbor \ + && chown -R harbor:harbor /etc/pki/tls/certs diff --git a/make/photon/registry/Dockerfile.binary b/make/photon/registry/Dockerfile.binary index 0098691bef3..43540ecc544 100644 --- a/make/photon/registry/Dockerfile.binary +++ b/make/photon/registry/Dockerfile.binary 
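Review bot: All three `COPY --chown=10000:10000` lines make the files owned by uid 10000, the `harbor` account created in Dockerfile.base. The `USER harbor` context line in PATCH 2/5 shows this is also the account the registry runs as, so the running process can overwrite its own binary and entrypoint. Unless something at start-up needs to rewrite them (not visible here), leaving them root-owned is the tighter setting, for example `COPY --link --chmod=755 ./make/photon/registry/binary/registry /usr/bin/registry_DO_NOT_USE_GC`. The modes also differ without explanation (`744` for entrypoint.sh, `755` for the other two); a single mode or a one-line comment would help. The same ownership is recreated with `chown harbor:harbor` in the PATCH 3/5 hunk.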
@@ -1,4 +1,4 @@ -FROM golang:1.22.3 +FROM golang:1.22.3 as build ENV DISTRIBUTION_DIR /go/src/github.com/docker/distribution ENV BUILDTAGS include_oss include_gcs @@ -7,4 +7,7 @@ ENV GO111MODULE auto WORKDIR $DISTRIBUTION_DIR COPY . $DISTRIBUTION_DIR -RUN CGO_ENABLED=0 make PREFIX=/go clean binaries +RUN CGO_ENABLED=0 make clean bin/registry + +FROM scratch +COPY --from=build /go/src/github.com/docker/distribution/bin/registry / diff --git a/make/photon/registry/builder b/make/photon/registry/builder index e076f8565d3..7c030f8016d 100755 --- a/make/photon/registry/builder +++ b/make/photon/registry/builder @@ -1,44 +1,32 @@ #!/bin/bash -set +e +set -e if [ -z $1 ]; then - error "Please set the 'version' variable" + echo "Please set the 'version' variable" exit 1 fi VERSION="$1" -set -e - # the temp folder to store binary file... mkdir -p binary rm -rf binary/registry || true cd `dirname $0` -cur=$PWD # the temp folder to store distribution source code... TEMP=`mktemp -d ${TMPDIR-/tmp}/distribution.XXXXXX` -git clone -b $VERSION https://github.com/distribution/distribution.git $TEMP +git clone -b $VERSION --depth 1 https://github.com/distribution/distribution.git $TEMP # add patch redis cd $TEMP -git apply $cur/redis.patch -cd $cur +git apply ~-/redis.patch +cd - echo 'build the registry binary ...' -cp Dockerfile.binary $TEMP -docker build -f $TEMP/Dockerfile.binary -t registry-golang $TEMP - -echo 'copy the registry binary to local...' -ID=$(docker create registry-golang) -docker cp $ID:/go/src/github.com/docker/distribution/bin/registry binary/registry - -docker rm -f $ID -docker rmi -f registry-golang +docker build -f Dockerfile.binary -o binary/ $TEMP echo "Build registry binary success, then to build photon image..." -cd $cur cp $TEMP/cmd/registry/config-example.yml config.yml rm -rf $TEMP From c0c2265c1b45d496c0cfa24185d4095dabd81ab9 Mon Sep 17 00:00:00 2001 
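Review bot: The build stage on the `FROM golang:1.22.3 as build` line is referenced by tag only, so the toolchain that compiles the shipped registry binary can change whenever that tag is re-pushed. Pinning the digest next to the tag makes the build reproducible and reviewable: `FROM golang:1.22.3@sha256:<digest-of-the-reviewed-image> as build` (placeholder digest). The same line is touched again in PATCH 4/5, which would carry the same pin.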
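Review bot: `git clone -b $VERSION --depth 1 …` builds whatever commit the upstream tag or branch currently names, and nothing after the clone checks that it is the commit that was reviewed. Checking the commit before `git apply` would close that gap, e.g. `test "$(git -C "$TEMP" rev-parse HEAD)" = "$EXPECTED_COMMIT"`, where `EXPECTED_COMMIT` is a new value the Makefile would have to pass in (it does not exist today). Separately, `$VERSION` and `$TEMP` are expanded unquoted on this line, as is `$1` in `[ -z $1 ]`. Quoting them (`"$VERSION"`, `"$TEMP"`, `"$1"`) keeps a value containing spaces from being split into extra arguments.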
From: Mitsuru Kariya Date: Thu, 8 Aug 2024 01:02:36 +0900 Subject: [PATCH 2/5] Revert make/photon/registry/Dockerfile.base Signed-off-by: Mitsuru Kariya --- make/photon/registry/Dockerfile | 2 ++ make/photon/registry/Dockerfile.base | 3 +-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/make/photon/registry/Dockerfile b/make/photon/registry/Dockerfile index adda282c22e..83100c582eb 100644 --- a/make/photon/registry/Dockerfile +++ b/make/photon/registry/Dockerfile @@ -6,6 +6,8 @@ COPY --link --chown=10000:10000 --chmod=755 ./make/photon/common/install_cert.sh COPY --link --chown=10000:10000 --chmod=744 ./make/photon/registry/entrypoint.sh /home/harbor/ COPY --link --chown=10000:10000 --chmod=755 ./make/photon/registry/binary/registry /usr/bin/registry_DO_NOT_USE_GC +RUN chown -R harbor:harbor /etc/pki/tls/certs + HEALTHCHECK CMD curl --fail -s http://localhost:5000 || curl -k --fail -s https://localhost:5443 || exit 1 USER harbor diff --git a/make/photon/registry/Dockerfile.base b/make/photon/registry/Dockerfile.base index 6cf180f3b62..3c4a465e6ac 100644 --- a/make/photon/registry/Dockerfile.base +++ b/make/photon/registry/Dockerfile.base @@ -3,5 +3,4 @@ FROM photon:5.0 RUN tdnf install -y shadow >> /dev/null \ && tdnf clean all \ && mkdir -p /etc/registry \ - && groupadd -r -g 10000 harbor && useradd --no-log-init -m -g 10000 -u 10000 harbor \ - && chown -R harbor:harbor /etc/pki/tls/certs + && groupadd -r -g 10000 harbor && useradd --no-log-init -m -g 10000 -u 10000 harbor From 584df978d389889f63127a7fb549501b903ce921 Mon Sep 17 00:00:00 2001 From: Mitsuru Kariya Date: Thu, 8 Aug 2024 01:02:41 +0900 Subject: [PATCH 3/5] Use RUN with bind mount instead of COPY Signed-off-by: Mitsuru Kariya --- make/photon/registry/Dockerfile | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/make/photon/registry/Dockerfile b/make/photon/registry/Dockerfile index 83100c582eb..f2e3873309d 100644 --- a/make/photon/registry/Dockerfile 
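Review bot: The restored `RUN chown -R harbor:harbor /etc/pki/tls/certs` gives the runtime account write access to the system CA directory, and nothing in the Dockerfile says why. A comment above the line would make the intent reviewable, for example `# harbor must be able to update the CA bundle at start-up (presumably via install_cert.sh; confirm)`. If only one file needs to be writable, narrowing the `chown` to that path instead of `-R` on the whole directory would be worth considering.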
+++ b/make/photon/registry/Dockerfile @@ -2,11 +2,14 @@ ARG harbor_base_image_version ARG harbor_base_namespace FROM ${harbor_base_namespace}/harbor-registry-base:${harbor_base_image_version} -COPY --link --chown=10000:10000 --chmod=755 ./make/photon/common/install_cert.sh /home/harbor/ -COPY --link --chown=10000:10000 --chmod=744 ./make/photon/registry/entrypoint.sh /home/harbor/ -COPY --link --chown=10000:10000 --chmod=755 ./make/photon/registry/binary/registry /usr/bin/registry_DO_NOT_USE_GC - -RUN chown -R harbor:harbor /etc/pki/tls/certs +RUN --mount=type=bind,source=make/photon,target=/root \ + chown -R harbor:harbor /etc/pki/tls/certs \ + && cp /root/common/install_cert.sh /home/harbor \ + && cp /root/registry/entrypoint.sh /home/harbor \ + && cp /root/registry/binary/registry /usr/bin/registry_DO_NOT_USE_GC \ + && chown harbor:harbor /home/harbor/entrypoint.sh && chmod u+x /home/harbor/entrypoint.sh \ + && chown harbor:harbor /home/harbor/install_cert.sh && chmod u+x /home/harbor/install_cert.sh \ + && chown harbor:harbor /usr/bin/registry_DO_NOT_USE_GC && chmod u+x /usr/bin/registry_DO_NOT_USE_GC HEALTHCHECK CMD curl --fail -s http://localhost:5000 || curl -k --fail -s https://localhost:5443 || exit 1 From 28a35bae49bc21208426ab468bc893e7c2626986 Mon Sep 17 00:00:00 2001 From: Mitsuru Kariya Date: Thu, 8 Aug 2024 01:02:46 +0900 Subject: [PATCH 4/5] Capitalize `FROM AS` Modify `FROM as` to `FROM AS` to suppress Docker warnings Signed-off-by: Mitsuru Kariya --- make/photon/registry/Dockerfile.binary | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/make/photon/registry/Dockerfile.binary b/make/photon/registry/Dockerfile.binary index 43540ecc544..ab353b1d234 100644 --- a/make/photon/registry/Dockerfile.binary +++ b/make/photon/registry/Dockerfile.binary @@ -1,4 +1,4 @@ -FROM golang:1.22.3 as build +FROM golang:1.22.3 AS build ENV DISTRIBUTION_DIR /go/src/github.com/docker/distribution ENV BUILDTAGS include_oss include_gcs 
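Review bot: The modes of the three installed files are no longer fixed by this `RUN`. `cp` takes the mode from the bind-mounted build context and `chmod u+x` only adds the owner execute bit, whereas the removed `COPY --chmod=755` / `--chmod=744` lines set the modes explicitly. The result therefore depends on the file modes in the checkout, and on the `chmod 655` the Makefile applies to the binary. An explicit mode keeps the image independent of the build host, e.g. `chmod 755 /usr/bin/registry_DO_NOT_USE_GC` in place of `chmod u+x`. If the base image provides `install`, `install -o harbor -g harbor -m 0755 <src> <dst>` does the copy, ownership and mode in one step.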
From 13121ec970a188f16791d662b444b2477420eb25 Mon Sep 17 00:00:00 2001 From: Mitsuru Kariya Date: Tue, 1 Oct 2024 01:43:00 +0900 Subject: [PATCH 5/5] Add DOCKER_BUILDKIT=1 to docker build command Add DOCKER_BUILDKIT=1 to the docker build command because the -o option of the docker build command and the --mount option of the RUN instruction require buildkit. Signed-off-by: Mitsuru Kariya --- make/photon/Makefile | 2 +- make/photon/registry/builder | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/make/photon/Makefile b/make/photon/Makefile index ec9c0b75cb5..2c279d42ff6 100644 --- a/make/photon/Makefile +++ b/make/photon/Makefile @@ -181,7 +181,7 @@ _build_registry: $(DOCKERFILEPATH_REG)/builder $(REGISTRY_SRC_TAG) $(DISTRIBUTION_SRC) ; \ fi @echo "building registry container for photon..." - @chmod 655 $(DOCKERFILEPATH_REG)/binary/registry && $(DOCKERBUILD_WITH_PULL_PARA) --build-arg harbor_base_image_version=$(BASEIMAGETAG) --build-arg harbor_base_namespace=$(BASEIMAGENAMESPACE) -f $(DOCKERFILEPATH_REG)/$(DOCKERFILENAME_REG) -t $(DOCKERIMAGENAME_REG):$(VERSIONTAG) . + @chmod 655 $(DOCKERFILEPATH_REG)/binary/registry && DOCKER_BUILDKIT=1 $(DOCKERBUILD_WITH_PULL_PARA) --build-arg harbor_base_image_version=$(BASEIMAGETAG) --build-arg harbor_base_namespace=$(BASEIMAGENAMESPACE) -f $(DOCKERFILEPATH_REG)/$(DOCKERFILENAME_REG) -t $(DOCKERIMAGENAME_REG):$(VERSIONTAG) . @echo "Done." _build_registryctl: diff --git a/make/photon/registry/builder b/make/photon/registry/builder index 0c748e1de5d..ecb31e9e829 100755 --- a/make/photon/registry/builder +++ b/make/photon/registry/builder @@ -31,7 +31,7 @@ git apply ~-/redis.patch cd - echo 'build the registry binary ...' -docker build -f Dockerfile.binary -o binary/ $TEMP +DOCKER_BUILDKIT=1 docker build -f Dockerfile.binary -o binary/ $TEMP echo "Build registry binary success, then to build photon image..." cp $TEMP/cmd/registry/config-example.yml config.yml
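Review bot: `chmod 655` on the changed recipe line sets `rw-r-xr-x`, so group and others may execute the registry binary but its owner may not, which looks like a typo for `755`. The PATCH 3/5 Dockerfile compensates with `chmod u+x`, so the image works, but the mode on the build host is misleading. `@chmod 755 $(DOCKERFILEPATH_REG)/binary/registry && DOCKER_BUILDKIT=1 …` would state the intent. Note also that the `DOCKER_BUILDKIT=1` prefix only takes effect if `$(DOCKERBUILD_WITH_PULL_PARA)` expands to the docker command itself; its definition is outside this hunk.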