Kezdőlap Felfedezés Súgó
Regisztráció Bejelentkezés
Apq
/
Docker-official-images
tükrözi: https://github.com/docker-library/official-images.git
1
0
Másolás 0
Fájlok Problémák 0 Wiki
Forráskód Böngészése

Add explicit "external-pins"

The goal of this directory is two-fold: to list the explicitly allowable external dependencies and to pin those external dependencies to a specific content-addressable digest such that we can update them in the same way we do everything else (and then trigger rebuilds properly based on them, too).
Tianon Gravi 2 éve
szülő
165ad0ac1f
commit
98575e0538
8 módosított fájl, 80 hozzáadás és 40 törlés
Osztott Nézet Diff Statisztika Mutatása
  1. 1 0
      .external-pins/mcr.microsoft.com/windows/nanoserver:1809
  2. 1 0
      .external-pins/mcr.microsoft.com/windows/nanoserver:ltsc2022
  3. 1 0
      .external-pins/mcr.microsoft.com/windows/servercore:1809
  4. 1 0
      .external-pins/mcr.microsoft.com/windows/servercore:ltsc2022
  5. 1 0
      .external-pins/redhat/ubi9-minimal:latest
  6. 2 2
      .github/workflows/.bashbrew/action.yml
  7. 55 38
      naughty-from.sh
  8. 18 0
      update-external-pins.sh

+ 1 - 0
.external-pins/mcr.microsoft.com/windows/nanoserver:1809
Fájl Megtekintése 

@@ -0,0 +1 @@
 
+sha256:5c9da3bfe1524eab610dfd41c79a0805c080f8307d810d62bba106b5df587698

+ 1 - 0
.external-pins/mcr.microsoft.com/windows/nanoserver:ltsc2022
Fájl Megtekintése 

@@ -0,0 +1 @@
 
+sha256:f1125cf932664b039a55afb666bdca7dc28d453a88430fe47be763e0270638b6

+ 1 - 0
.external-pins/mcr.microsoft.com/windows/servercore:1809
Fájl Megtekintése 

@@ -0,0 +1 @@
 
+sha256:cbb8b0a709b4e0868cd2e30b1485358197b1021bb0dd4261e36b3af3ca48fd0b

+ 1 - 0
.external-pins/mcr.microsoft.com/windows/servercore:ltsc2022
Fájl Megtekintése 

@@ -0,0 +1 @@
 
+sha256:8d862016bcfad6040cb9ae0f21b024fe71b058ddb42a077c32a24bcb5fc04628

+ 1 - 0
.external-pins/redhat/ubi9-minimal:latest
Fájl Megtekintése 

@@ -0,0 +1 @@
 
+sha256:ecebade89b064d33e6e1405e4ec6e9b904e7c573a52b52d0f38026bb8d1db1f8

+ 2 - 2
.github/workflows/.bashbrew/action.yml
Fájl Megtekintése 

@@ -10,8 +10,8 @@ runs:
 
 
     # these two version numbers are intentionally as close together as I could possibly get them because no matter what I tried, GitHub will not allow me to DRY them (can't have any useful variables in `uses:` and can't even have YAML references to steal it in `env:` or something)
 
     - shell: 'bash -Eeuo pipefail -x {0}'
 
-      run:    echo BASHBREW_VERSION=v0.1.5 >> "$GITHUB_ENV"
 
-    - uses: docker-library/[email protected].5
 
+      run:    echo BASHBREW_VERSION=v0.1.6 >> "$GITHUB_ENV"
 
+    - uses: docker-library/[email protected].6
 
       if: inputs.build == 'host'
 
 
     - run: docker build --pull --tag oisupport/bashbrew:base "https://github.com/docker-library/bashbrew.git#$BASHBREW_VERSION"

+ 55 - 38
naughty-from.sh
Fájl Megtekintése 

@@ -13,49 +13,66 @@ if [ "$#" -eq 0 ]; then
 
 	set -- '--all'
 
 fi
 
 
+externalPinsDir="$(dirname "$BASH_SOURCE")/.external-pins"
 
+declare -A externalPinsArchesCache=(
 
+	#[img:tag]='["arch","arch",...]' # (json array of strings)
 
+)
 
 _is_naughty() {
 
 	local from="$1"; shift
 
 
-	case "$BASHBREW_ARCH=$from" in
 
-		# a few images that no longer exist (and are thus not permissible)
 
-		# https://techcommunity.microsoft.com/t5/Containers/Removing-the-latest-Tag-An-Update-on-MCR/ba-p/393045
 
-		*=mcr.microsoft.com/windows/*:latest) return 0 ;;
 
-
 
-
 
-		# https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/base-image-lifecycle
 
-		#*=mcr.microsoft.com/windows/*:ltsc2022) return 0 ;; # "10/13/2026"
 
-		#*=mcr.microsoft.com/windows/*:20H2*)    return 0 ;; # "05/10/2022" *technically*, but its use is discouraged here given the existence of ltsc2022
 
-		*=mcr.microsoft.com/windows/*:2004*)    return 0 ;; # "12/14/2021"
 
-		*=mcr.microsoft.com/windows/*:1909*)    return 0 ;; # "05/11/2021"
 
-		*=mcr.microsoft.com/windows/*:1903*)    return 0 ;; # "12/08/2020"
 
-		#*=mcr.microsoft.com/windows/*:1809*)    return 0 ;; # "01/09/2024"
 
-		*=mcr.microsoft.com/windows/*:1803*)    return 0 ;; # "11/12/2019"
 
-		*=mcr.microsoft.com/windows/*:1709*)    return 0 ;; # "04/09/2019"
 
-		*=mcr.microsoft.com/windows/*:ltsc2016) return 0 ;; # "01/11/2022"
 
-		*=mcr.microsoft.com/windows/*:sac2016)  return 0 ;; # "10/09/2018"
 
-		*=mcr.microsoft.com/windows/*:1607*)    return 0 ;; # "10/09/2018"
 
-
 
-		# a few explicitly permissible exceptions to Santa's naughty list
 
-		*=scratch \
 
-		| amd64=docker.elastic.co/elasticsearch/elasticsearch:* \
 
-		| amd64=docker.elastic.co/kibana/kibana:* \
 
-		| amd64=docker.elastic.co/logstash/logstash:* \
 
-		| arm64v8=docker.elastic.co/elasticsearch/elasticsearch:* \
 
-		| arm64v8=docker.elastic.co/kibana/kibana:* \
 
-		| arm64v8=docker.elastic.co/logstash/logstash:* \
 
-		| windows-*=mcr.microsoft.com/windows/nanoserver:* \
 
-		| windows-*=mcr.microsoft.com/windows/servercore:* \
 
-		) return 1 ;;
 
-
 
-		# "x/y" and not an approved exception
 
-		*/*) return 0 ;;
 
+	case "$from" in
 
+		# "scratch" isn't a real image and is always permissible (on non-Windows)
 
+		scratch)
 
+			case "$BASHBREW_ARCH" in
 
+				windows-*) return 0 ;; # can't use "FROM scratch" on Windows
 
+				*)         return 1 ;; # can use "FROM scratch" everywhere else
 
+			esac
 
+			;;
 
+
 
+		# https://github.com/docker-library/official-images/pull/4916#issuecomment-427437270
 
+		  docker.elastic.co/elasticsearch/elasticsearch:*@sha256:* \
 
+		| docker.elastic.co/kibana/kibana:*@sha256:* \
 
+		| docker.elastic.co/logstash/logstash:*@sha256:* \
 
+		) ;; # *technically* we should only whitelist these for "elasticsearch", "kibana", and "logstash" respectively, but the chances of other folks trying to use them in their images (*and* doing so without us noticing) seems low
 
+
 
+		*/*)
 
+			# must be external, let's check our pins for acceptability
 
+			if [ -s "$externalPinsDir/$from" ]; then
 
+				local digest
 
+				digest="$(< "$externalPinsDir/$from")"
 
+				from+="@$digest"
 
+			else
 
+				# not pinned, must not be acceptable
 
+				return 0
 
+			fi
 
+			;;
 
 	esac
 
 
-	# must be some other official image AND support our current architecture
 
-	local archSupported
 
-	if archSupported="$(bashbrew cat --format '{{ .TagEntry.HasArchitecture arch | ternary arch "" }}' "$from")" && [ -n "$archSupported" ]; then
 
-		return 1
 
-	fi
 
+	case "$from" in
 
+		*/*@sha256:*)
 
+			if [ -z "${externalPinsArchesCache["$from"]:-}" ]; then
 
+				local remoteArches
 
+				if remoteArches="$(bashbrew remote arches --json "$from" | jq -c '.arches | keys')"; then
 
+					externalPinsArchesCache["$from"]="$remoteArches"
 
+				else
 
+					echo >&2 "warning: failed to query supported architectures of '$from'"
 
+					externalPinsArchesCache["$from"]='[]'
 
+				fi
 
+			fi
 
+			if jq <<<"${externalPinsArchesCache["$from"]}" -e 'index(env.BASHBREW_ARCH)' > /dev/null; then
 
+				# hooray, a supported architecture!
 
+				return 1
 
+			fi
 
+			;;
 
+
 
+		*)
 
+			# must be some other official image AND support our current architecture
 
+			local archSupported
 
+			if archSupported="$(bashbrew cat --format '{{ .TagEntry.HasArchitecture arch | ternary arch "" }}' "$from")" && [ -n "$archSupported" ]; then
 
+				return 1
 
+			fi
 
+			;;
 
+	esac
 
 
 	return 0
 
 }

+ 18 - 0
update-external-pins.sh
Fájl Megtekintése 

@@ -0,0 +1,18 @@
 
+#!/usr/bin/env bash
 
+set -Eeuo pipefail
 
+
 
+dir='.external-pins'
 
+
 
+if [ "$#" -eq 0 ]; then
 
+	images="$(find "$dir" -type f -printf '%P\n' | sort)"
 
+	set -- $images
 
+fi
 
+
 
+for img; do
 
+	echo -n "$img -> "
 
+	digest="$(bashbrew remote arches --json "$img" | jq -r '.desc.digest')"
 
+
 
+	imgDir="$(dirname "$dir/$img")"
 
+	mkdir -p "$imgDir"
 
+	echo "$digest" | tee "$dir/$img"
 
+done