FROM public.ecr.aws/amazonlinux/amazonlinux:2 AS builder

# Toolchain required to run util-linux's autogen.sh / configure / make below.
# This stage is discarded; only /opt/util-linux and the license files are
# copied out of it.
RUN \
  yum -y install \
    autoconf \
    automake \
    bison \
    gettext-devel \
    libtool \
    make \
    pkgconfig \
    tar \
    xz

# sdk-fetch is the repository's source-download helper; it is driven by the
# hashes file copied below (the helper's own contents are not shown here).
COPY ./sdk-fetch /usr/local/bin

ARG utillinux_version=2.38.1
ENV utillinux_version=$utillinux_version
ENV HOME=/root
WORKDIR ${HOME}/build

# Fetch the util-linux tarball named in ./hashes/util-linux, unpack it, and
# drop both the archive and the hash list once the sources are on disk.
COPY ./hashes/util-linux ./hashes
RUN \
  sdk-fetch hashes && \
  tar -xf "util-linux-${utillinux_version}.tar.xz" && \
  rm "util-linux-${utillinux_version}.tar.xz" hashes

# Configure a minimal util-linux: only `lscpu` and `script` (used for SSM
# session logging) are built, so every optional integration is switched off.
# On configure failure the log is printed so the build output is self-contained.
WORKDIR ${HOME}/build/util-linux-${utillinux_version}
RUN \
  ./autogen.sh && ./configure \
    --disable-makeinstall-chown \
    --disable-nls \
    --disable-rpath \
    --prefix=/opt/util-linux \
    --without-audit \
    --without-python \
    --without-readline \
    --without-systemd \
    --without-udev \
    --without-utempter \
  || { cat config.log; exit 1; }

# Build just the two targets we ship, then install stripped binaries into
# the --prefix above.
RUN make -j"$(nproc)" lscpu script
RUN make install-strip

# Stage the license texts where the final image expects them.
RUN \
  mkdir -p /usr/share/licenses/util-linux && \
  cp -p \
    Documentation/licenses/COPYING.BSD-4-Clause-UC \
    Documentation/licenses/COPYING.GPL-2.0-or-later \
    Documentation/licenses/COPYING.LGPL-2.1-or-later \
    /usr/share/licenses/util-linux
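FROM public.ecr.aws/amazonlinux/amazonlinux:2

# IMAGE_VERSION is the assigned version from input for this image.
ARG IMAGE_VERSION
ENV IMAGE_VERSION=$IMAGE_VERSION
# SSM_AGENT_VERSION is the assigned agent version from input for this image.
ARG SSM_AGENT_VERSION
ENV SSM_AGENT_VERSION=$SSM_AGENT_VERSION

# Validation: `${VAR:?msg}` makes the shell exit with `msg` when VAR is unset
# or empty, so a build that forgot a --build-arg fails here rather than when
# the agent download URL is assembled further down.
RUN : \
  "${IMAGE_VERSION:?IMAGE_VERSION is required to build}" \
  "${SSM_AGENT_VERSION:?SSM Agent version required to build}"
LABEL "org.opencontainers.image.version"="$IMAGE_VERSION"

# Copy util-linux binaries and dependencies
COPY --from=builder /opt/util-linux/bin/lscpu /opt/util-linux/bin/script \
  /opt/util-linux/bin/
COPY --from=builder /opt/util-linux/include/libsmartcols \
  /opt/util-linux/include/libsmartcols
COPY --from=builder /opt/util-linux/lib/libsmartcols* \
  /opt/util-linux/lib/
COPY --from=builder /usr/share/licenses/util-linux \
  /usr/share/licenses/util-linux
RUN ln -s /opt/util-linux/bin/* /usr/bin

# Validate that the copied binaries link and run. `&>` is a bash redirection;
# these lines rely on /bin/sh being a link to bash on this base image (see the
# ENV note below).
RUN /usr/bin/lscpu &>/dev/null
RUN /usr/bin/script --version &>/dev/null

# Install the arch specific build of SSM agent *and confirm that it installed* -
# yum will allow architecture-mismatched packages to not install and consider
# the run successful.
# SSM Agent is downloaded from eu-north-1 as this region gets new releases of SSM Agent first.
# No WORKDIR is set in this stage, so ./hashes and the key land in /; both are
# removed again at the end of the install step.
COPY ./hashes/ssm ./hashes
COPY ./gpg-keys/amazon-ssm-agent.gpg ./amazon-ssm-agent.gpg
# Steps, in order: download; verify the sha512 pinned in ./hashes (grep -F so
# the version's dots are matched literally); import the publisher key and
# verify the RPM signature; install; clean up; then replace the agent's state
# directory with a link to the host-provided one.
# `curl -f` fails on HTTP errors instead of saving an error body as the RPM,
# which would otherwise only surface as a confusing hash mismatch.
RUN \
  ARCH=$(uname -m | sed 's/aarch64/arm64/' | sed 's/x86_64/amd64/') && \
  curl -fsSL "https://s3.eu-north-1.amazonaws.com/amazon-ssm-eu-north-1/${SSM_AGENT_VERSION}/linux_${ARCH}/amazon-ssm-agent.rpm" \
    -o "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" && \
  grep -F "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" hashes \
    | sha512sum --check - && \
  rpm --import amazon-ssm-agent.gpg && \
  rpm --checksig "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" && \
  yum update -y && yum install -y jq screen shadow-utils && \
  yum install -y "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" && \
  rm "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" amazon-ssm-agent.gpg && \
  rm -rf /var/cache/yum ./hashes && \
  rmdir /var/lib/amazon/ssm && \
  ln -snf /.bottlerocket/host-containers/current/ssm /var/lib/amazon/ssm

# Add motd explaining the control container.
RUN rm -f /etc/motd /etc/issue
COPY --chown=root:root motd /etc/

# Add custom PS1 to show you are in the control container.
ARG CUSTOM_PS1='[\u@control]\$ '
RUN echo "PS1='$CUSTOM_PS1'" > "/etc/profile.d/bottlerocket-ps1.sh"

# Add bashrc that shows the motd.
COPY ./bashrc /etc/skel/.bashrc
# SSM starts sessions with 'sh', not 'bash', which for us is a link to bash.
# Furthermore, it starts sh as an interactive shell, but not a login shell.
# In this mode, the only startup file respected is the one pointed to by the
# ENV environment variable. Point it to our bashrc, which just prints motd.
ENV ENV=/etc/skel/.bashrc

# Add our helpers to quickly interact with the admin container.
COPY --chmod=755 \
  ./disable-admin-container \
  ./enable-admin-container \
  ./enter-admin-container \
  /usr/bin/

# Create our user in the group that allows API access. GID 274 is the fixed
# id the API socket group is expected to have; one layer for both steps.
RUN groupadd -g 274 api && \
    useradd -m -G users,api ssm-user

# NOTE(review): no USER directive, so the entrypoint script runs as root;
# presumably required to start the SSM agent - confirm against the script.
COPY --chmod=755 start_control_ssm.sh /usr/sbin/
CMD ["/usr/sbin/start_control_ssm.sh"]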