# syntax=docker/dockerfile:1
# Copyright 2020 Docker Compose CLI authors
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
update to go1.21.12
go1.21.12 (released 2024-07-02) includes security fixes to the net/http package,
as well as bug fixes to the compiler, the go command, the runtime, and the
crypto/x509, net/http, net/netip, and os packages. See the Go 1.21.12 milestone
on our issue tracker for details:
- https://github.com/golang/go/issues?q=milestone%3AGo1.21.12+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.11...go1.21.12
From the security mailing:
> Hello gophers,
>
> We have just released Go versions 1.22.5 and 1.21.12, minor point releases.
>
> These minor releases include 1 security fixes following the security policy:
>
> * net/http: denial of service due to improper 100-continue handling
>
> The net/http HTTP/1.1 client mishandled the case where a server responds
> to a request with an “Expect: 100-continue” header with a non-informational
> (200 or higher) status. This mishandling could leave a client connection
> in an invalid state, where the next request sent on the connection will fail.
>
> An attacker sending a request to a net/http/httputil.ReverseProxy proxy can
> exploit this mishandling to cause a denial of service by sending
> “Expect: 100-continue” requests which elicit a non-informational response
> from the backend. Each such request leaves the proxy with an invalid connection,
> and causes one subsequent request using that connection to fail.
>
> Thanks to Geoff Franks for reporting this issue.
>
> This is CVE-2024-24791 and Go issue https://go.dev/issue/67555.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
# Toolchain and helper-image versions. Declared before the first FROM, these
# are global build args: the FROM lines below interpolate them, and a stage
# that needs one inside its own instructions redeclares it with a bare ARG.
ARG GO_VERSION=1.21.12
ARG XX_VERSION=1.2.1
ARG GOLANGCI_LINT_VERSION=v1.55.2
ARG ADDLICENSE_VERSION=v1.0.0

# Defaults consumed by the build/lint/test, docs and license stages.
ARG BUILD_TAGS="e2e"
ARG DOCS_FORMATS="md,yaml"
# Pattern passed to `find -regex` to select the files that carry a license header.
ARG LICENSE_FILES=".*\(Dockerfile\|Makefile\|\.go\|\.hcl\|\.sh\)"
# NOTE(review): the helper images in this group are referenced by tag only. A
# tag can be re-pointed by its publisher, so pinning each one by digest as well
# would make these build inputs immutable.

# xx is a helper for cross-compilation
FROM --platform=${BUILDPLATFORM} tonistiigi/xx:${XX_VERSION} AS xx

# osxcross contains the MacOSX cross toolchain for xx
FROM crazymax/osxcross:11.3-alpine AS osxcross

# Source of the golangci-lint binary that the lint stage bind-mounts.
FROM golangci/golangci-lint:${GOLANGCI_LINT_VERSION}-alpine AS golangci-lint

# Source of the addlicense binary that the license stages bind-mount.
FROM ghcr.io/google/addlicense:${ADDLICENSE_VERSION} AS addlicense
# Shared toolchain image: Go on Alpine for the build host's platform, with the
# contents of the xx helper image copied over the root filesystem.
FROM --platform=${BUILDPLATFORM} golang:${GO_VERSION}-alpine AS base
COPY --from=xx / /
# NOTE(review): the apk packages carry no version pins, so the installed tools
# follow whatever the base image's Alpine repositories serve at build time.
RUN apk add --no-cache \
      clang \
      docker \
      file \
      findutils \
      git \
      make \
      protoc \
      protobuf-dev
WORKDIR /src
# cgo is off by default; the build stage switches it on for darwin targets.
ENV CGO_ENABLED=0
# Module-download layer. Only the files matching go.* are copied in, so this
# layer is rebuilt when the module files change rather than on every source edit.
FROM base AS build-base
COPY go.* .
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    go mod download
# Runs `go mod tidy` on a writable bind mount of the build context and keeps
# the resulting go.mod and go.sum in /out, since changes made inside the bind
# mount do not persist into the image layer.
FROM build-base AS vendored
RUN --mount=type=bind,target=.,rw \
    --mount=type=cache,target=/go/pkg/mod \
    go mod tidy && \
    mkdir /out && \
    cp go.mod go.sum /out
# Export-only stage: its root holds just what the vendored stage left in /out.
FROM scratch AS vendor-update
COPY --from=vendored /out /
# Fails the build when the tidied go.mod/go.sum differ from the ones in the
# build context.
FROM vendored AS vendor-validate
RUN --mount=type=bind,target=.,rw <<EOT
set -e
# Stage the context as it is, so git status reports only what changes next.
git add -A
# Overlay the tidied files produced by the vendored stage.
cp -rf /out/* .
changes=$(git status --porcelain -- go.mod go.sum)
if [ -n "$changes" ]; then
  echo >&2 'ERROR: Vendor result differs. Please vendor your package with "make go-mod-tidy"'
  echo "$changes"
  exit 1
fi
EOT
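# Cross-compiles docker-compose into /out/docker-compose for the target
# platform, using the xx wrappers installed in the base stage.
FROM build-base AS build
ARG BUILD_TAGS
# BUILD_FLAGS is not referenced in the RUN below; presumably `make build` reads
# it from the environment (confirm against the Makefile).
ARG BUILD_FLAGS
ARG TARGETPLATFORM
# The build context is bind-mounted without rw, and the SDK directory from the
# osxcross image is mounted at /xx-sdk. CGO_ENABLED is set to 1 only when
# xx-info reports a darwin target. The comparison uses `=`, the POSIX operator
# for `[`; `==` is a shell extension that not every /bin/sh accepts.
# xx-verify --static makes the step fail if the binary does not pass its
# static-link check.
RUN --mount=type=bind,target=. \
    --mount=type=cache,target=/root/.cache \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,from=osxcross,src=/osxsdk,target=/xx-sdk \
    xx-go --wrap && \
    if [ "$(xx-info os)" = "darwin" ]; then export CGO_ENABLED=1; fi && \
    make build GO_BUILDTAGS="$BUILD_TAGS" DESTDIR=/out && \
    xx-verify --static /out/docker-compose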
# Runs golangci-lint over ./... with the configured build tags. The linter
# binary is mounted from the golangci-lint image instead of being installed.
FROM build-base AS lint
ARG BUILD_TAGS
# Points the linter at the dedicated cache mount declared below.
ENV GOLANGCI_LINT_CACHE=/cache/golangci-lint
RUN --mount=type=bind,target=. \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache \
    --mount=type=cache,target=/cache/golangci-lint \
    --mount=from=golangci-lint,source=/usr/bin/golangci-lint,target=/usr/bin/golangci-lint \
    golangci-lint cache status && \
    golangci-lint run --build-tags "$BUILD_TAGS" ./...
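# Runs the Go tests for every package whose path does not match "e2e", writes
# a JUnit report to /tmp/report and coverage data to /tmp/coverage, then
# prints the coverage percentages.
FROM build-base AS test
ARG CGO_ENABLED=0
ARG BUILD_TAGS
# gotestsum is downloaded and executed during the build. The default keeps the
# previous "latest" behaviour; pass --build-arg GOTESTSUM_VERSION=<reviewed version>
# so that the code run here is a known release. The cache mounts below are
# writable and use the same targets as the build stage's, which is why an
# unreviewed tool version in this step deserves attention.
ARG GOTESTSUM_VERSION=latest
# The package list comes from plain `go list ./...`. A `$(TAGS)` argument would
# be Makefile syntax; in the shell it is a command substitution that tries to
# run a command named TAGS.
RUN --mount=type=bind,target=. \
    --mount=type=cache,target=/root/.cache \
    --mount=type=cache,target=/go/pkg/mod \
    rm -rf /tmp/coverage && \
    mkdir -p /tmp/coverage && \
    rm -rf /tmp/report && \
    mkdir -p /tmp/report && \
    go run "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" --format testname --junitfile "/tmp/report/report.xml" -- -tags "$BUILD_TAGS" -v -cover -covermode=atomic $(go list ./... | grep -vE 'e2e') -args -test.gocoverdir="/tmp/coverage" && \
    go tool covdata percent -i=/tmp/coverage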
# Export-only stage: the contents of the test stage's coverage and report
# directories are both copied to the root.
FROM scratch AS test-coverage
COPY --link --from=test /tmp/coverage /
COPY --link --from=test /tmp/report /
# Adds the Apache license header to every file matching LICENSE_FILES, then
# copies those files into /out with their directory structure preserved.
FROM base AS license-set
ARG LICENSE_FILES
# The context mount is rw so addlicense can edit files in place; /out is
# filled in the same RUN because those edits do not outlive the step.
RUN --mount=from=addlicense,source=/app/addlicense,target=/usr/bin/addlicense \
    --mount=type=bind,target=.,rw \
    find . -regex "${LICENSE_FILES}" | xargs addlicense -c 'Docker Compose CLI' -l apache && \
    mkdir /out && \
    find . -regex "${LICENSE_FILES}" | cpio -pdm /out
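# Export-only stage holding the files rewritten by the license-set stage.
# --from must carry the full stage name: a value that matches no stage is
# treated as an image reference, so a bare `set` would be resolved against a
# registry instead of this build.
FROM scratch AS license-update
COPY --from=license-set /out /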
# Runs addlicense in -check mode over the files matching LICENSE_FILES. The
# context mount has no rw option here, and three -ignore patterns are passed.
FROM base AS license-validate
ARG LICENSE_FILES
RUN --mount=from=addlicense,source=/app/addlicense,target=/usr/bin/addlicense \
    --mount=type=bind,target=. \
    find . -regex "${LICENSE_FILES}" | xargs addlicense -check -c 'Docker Compose CLI' -l apache -ignore validate -ignore testdata -ignore resolvepath -v
# Builds the docs generator from docs/yaml/main/generate.go into /out/docsgen.
FROM base AS docsgen
WORKDIR /src
# A mount with no type is a bind mount; it is spelled out here.
RUN --mount=type=bind,target=. \
    --mount=type=cache,target=/root/.cache \
    --mount=type=cache,target=/go/pkg/mod \
    go build -o /out/docsgen ./docs/yaml/main/generate.go
# Generates the reference docs into /out/reference.
# NOTE(review): `alpine` carries no tag, so it resolves to alpine:latest at
# build time; pinning a release tag (ideally with a digest) would keep this
# stage's base reproducible.
FROM --platform=${BUILDPLATFORM} alpine AS docs-build
RUN apk add --no-cache rsync git
WORKDIR /src
COPY --from=docsgen /out/docsgen /usr/bin
ARG DOCS_FORMATS
# The context is mounted at /context and copied into a tmpfs working directory,
# so docsgen writes to a scratch copy rather than to the mounted context.
RUN --mount=type=bind,target=/context \
    --mount=type=tmpfs,target=. <<EOT
set -e
rsync -a /context/. .
docsgen --formats "$DOCS_FORMATS" --source "docs/reference"
mkdir /out
cp -r docs/reference /out
EOT
# Export-only stage: exposes the generated docs under /out.
FROM scratch AS docs-update
COPY --from=docs-build /out /out
# Fails the build when the generated docs differ from docs/reference in the
# build context.
FROM docs-build AS docs-validate
RUN --mount=type=bind,target=/context \
    --mount=type=tmpfs,target=. <<EOT
set -e
rsync -a /context/. .
# Stage the copied context, so git status reports only what changes next.
git add -A
# Replace the committed reference docs with the generated ones.
rm -rf docs/reference/*
cp -rf /out/* ./docs/
if [ -n "$(git status --porcelain -- docs/reference)" ]; then
  echo >&2 'ERROR: Docs result differs. Please update with "make docs"'
  git status --porcelain -- docs/reference
  exit 1
fi
EOT
# Per-OS export stages. `binary` picks one of them by interpolating TARGETOS
# into the stage name; darwin and linux reuse the unix layout, and windows
# ships the same file under an .exe name.
FROM scratch AS binary-unix
COPY --from=build --link /out/docker-compose /

FROM binary-unix AS binary-darwin

FROM binary-unix AS binary-linux

FROM scratch AS binary-windows
COPY --from=build --link /out/docker-compose /docker-compose.exe

FROM binary-${TARGETOS} AS binary
# enable scanning for this stage
ARG BUILDKIT_SBOM_SCAN_STAGE=true
# Copies the built binary to /out under its release file name:
# docker-compose-<os>-<arch><variant>, plus whatever suffix follows
# "docker-compose" in the source file name (for example .exe).
# NOTE(review): `alpine` carries no tag, so it resolves to alpine:latest at
# build time; pinning a release tag (ideally with a digest) would keep this
# stage's base reproducible.
FROM --platform=${BUILDPLATFORM} alpine AS releaser
WORKDIR /work
ARG TARGETOS
ARG TARGETARCH
ARG TARGETVARIANT
# amd64 is renamed to x86_64 and arm64 to aarch64; other values pass through.
RUN --mount=from=binary \
    mkdir -p /out && \
    # TODO: should just use standard arch
    TARGETARCH=$([ "$TARGETARCH" = "amd64" ] && echo "x86_64" || echo "$TARGETARCH"); \
    TARGETARCH=$([ "$TARGETARCH" = "arm64" ] && echo "aarch64" || echo "$TARGETARCH"); \
    cp docker-compose* "/out/docker-compose-${TARGETOS}-${TARGETARCH}${TARGETVARIANT}$(ls docker-compose* | sed -e 's/^docker-compose//')"
# Export-only stage: its root holds the contents of the releaser stage's /out.
FROM scratch AS release
COPY --from=releaser /out/ /