Unverified Commit 9a31f328 authored by Maxime Leroy's avatar Maxime Leroy Committed by GitHub

chore(Dockerfile): best practices (#10708)

parent 45a070f1
# syntax=docker/dockerfile:1
# Use imutable image tags rather than mutable tags (like ubuntu:22.04) # Use imutable image tags rather than mutable tags (like ubuntu:22.04)
FROM ubuntu:jammy-20230308 FROM ubuntu:22.04@sha256:149d67e29f765f4db62aa52161009e99e389544e25a8f43c8c89d4a445a7ca37
# Some tools like yamllint need this # Some tools like yamllint need this
# Pip needs this as well at the moment to install ansible # Pip needs this as well at the moment to install ansible
# (and potentially other packages) # (and potentially other packages)
...@@ -7,20 +10,13 @@ FROM ubuntu:jammy-20230308 ...@@ -7,20 +10,13 @@ FROM ubuntu:jammy-20230308
ENV LANG=C.UTF-8 \ ENV LANG=C.UTF-8 \
DEBIAN_FRONTEND=noninteractive \ DEBIAN_FRONTEND=noninteractive \
PYTHONDONTWRITEBYTECODE=1 PYTHONDONTWRITEBYTECODE=1
WORKDIR /kubespray WORKDIR /kubespray
COPY *.yml ./
COPY *.cfg ./
COPY roles ./roles
COPY contrib ./contrib
COPY inventory ./inventory
COPY library ./library
COPY extra_playbooks ./extra_playbooks
COPY playbooks ./playbooks
COPY plugins ./plugins
RUN --mount=type=bind,source=requirements.txt,target=requirements.txt \ # hadolint ignore=DL3008
apt update -q \ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
&& apt install -yq --no-install-recommends \ apt-get update -q \
&& apt-get install -yq --no-install-recommends \
curl \ curl \
python3 \ python3 \
python3-pip \ python3-pip \
...@@ -28,10 +24,29 @@ RUN --mount=type=bind,source=requirements.txt,target=requirements.txt \ ...@@ -28,10 +24,29 @@ RUN --mount=type=bind,source=requirements.txt,target=requirements.txt \
vim \ vim \
rsync \ rsync \
openssh-client \ openssh-client \
&& pip install --no-compile --no-cache-dir -r requirements.txt \ && apt-get clean \
&& KUBE_VERSION=$(sed -n 's/^kube_version: //p' roles/kubespray-defaults/defaults/main/main.yml) \ && rm -rf /var/lib/apt/lists/* /var/log/*
&& curl -L https://dl.k8s.io/release/$KUBE_VERSION/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
&& echo $(curl -L https://dl.k8s.io/release/$KUBE_VERSION/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \ RUN --mount=type=bind,source=requirements.txt,target=requirements.txt \
&& chmod a+x /usr/local/bin/kubectl \ --mount=type=cache,sharing=locked,id=pipcache,mode=0777,target=/root/.cache/pip \
&& rm -rf /var/lib/apt/lists/* /var/log/* \ pip install --no-compile --no-cache-dir -r requirements.txt \
&& find /usr -type d -name '*__pycache__' -prune -exec rm -rf {} \; && find /usr -type d -name '*__pycache__' -prune -exec rm -rf {} \;
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN --mount=type=bind,source=roles/kubespray-defaults/defaults/main/main.yml,target=roles/kubespray-defaults/defaults/main/main.yml \
KUBE_VERSION=$(sed -n 's/^kube_version: //p' roles/kubespray-defaults/defaults/main/main.yml) \
OS_ARCHITECTURE=$(dpkg --print-architecture) \
&& curl -L "https://dl.k8s.io/release/${KUBE_VERSION}/bin/linux/${OS_ARCHITECTURE}/kubectl" -o /usr/local/bin/kubectl \
&& echo "$(curl -L "https://dl.k8s.io/release/${KUBE_VERSION}/bin/linux/${OS_ARCHITECTURE}/kubectl.sha256")" /usr/local/bin/kubectl | sha256sum --check \
&& chmod a+x /usr/local/bin/kubectl
COPY *.yml ./
COPY *.cfg ./
COPY roles ./roles
COPY contrib ./contrib
COPY inventory ./inventory
COPY library ./library
COPY extra_playbooks ./extra_playbooks
COPY playbooks ./playbooks
COPY plugins ./plugins
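Review bot: The kubectl verification in the last `RUN` fetches both the binary and its `kubectl.sha256` from the same `dl.k8s.io` release path, so `sha256sum --check` catches a corrupted transfer but not an artifact replaced at the origin; comparing against a digest committed to the repository alongside `kube_version` would close that gap. Both downloads use `curl -L` without `--fail`, so an HTTP error body (for example when the `sed` expression matches nothing and `KUBE_VERSION` is empty) is written to `/usr/local/bin/kubectl` and only surfaces later as a checksum-format error; `curl -fsSL` on both calls would fail the step at the download itself. Separately, the pip step mounts a cache at `/root/.cache/pip` with `mode=0777` while still passing `--no-cache-dir`, so the mount is never used; drop one of the two, and the world-writable mode looks unnecessary for a build that runs as root.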