busybox/Dockerfile

FROM debian:jessie-slim as builder

ARG ARCH=x86_64
ARG DEBIAN_FRONTEND=noninteractive

ARG GLIBC_VER=2.25
ARG BUSYB_VER=1.26.2
ARG SU_EXEC_VER=v0.2
ARG TINI_VER=v0.14.0

ARG PREFIX=/output
WORKDIR $PREFIX

#Set up our dependencies, configure the output filesystem a bit
RUN apt-get update -qy && \
    apt-get install -qy curl build-essential gawk linux-libc-dev && \
    mkdir -p bin dev etc home lib proc root sbin tmp usr/bin usr/sbin usr/lib var && \
    # This is probably only relevant on 64bit systems?
    ln -sv lib lib64

# Pull busybox and some other utilities
RUN curl -L https://busybox.net/downloads/binaries/$BUSYB_VER-defconfig-multiarch/busybox-$ARCH > bin/busybox && \
    curl -L https://github.com/javabean/su-exec/releases/download/${SU_EXEC_VER}/su-exec.amd64 > sbin/su-exec && \
    curl -L https://github.com/krallin/tini/releases/download/${TINI_VER}/tini-amd64 > sbin/tini && \
    chmod +x bin/busybox sbin/su-exec sbin/tini && \
    # "Install" busybox, creating symlinks to all binaries it provides
    bin/busybox --list-full | xargs -i ln -s /bin/busybox "$PREFIX/{}"

WORKDIR /tmp

ARG CFLAGS="-Os -pipe -fstack-protector-strong"
ARG LDFLAGS="-Wl,-O1,--sort-common -Wl,-s"

# Download and build glibc from source
RUN curl -L https://ftp.gnu.org/gnu/glibc/glibc-$GLIBC_VER.tar.xz | tar xJ && \
    mkdir -p glibc-build && cd glibc-build && \
	\
    echo "slibdir=/lib" >> configparms && \
    echo "rtlddir=/lib" >> configparms && \
    echo "sbindir=/bin" >> configparms && \
    echo "rootsbindir=/bin" >> configparms && \
	\
    # Fix debian lib path weirdness
    rm -rf /usr/include/x86_64-linux-gnu/c++ && \
    ln -s /usr/include/x86_64-linux-gnu/* /usr/include && \
    \
    ../glibc-$GLIBC_VER/configure \
        --prefix="$(pwd)/root" \
        --libdir="$(pwd)/root/lib" \
        --libexecdir=/lib \
        --with-headers=/usr/include \
        --enable-add-ons \
        --enable-obsolete-rpc \
        --enable-kernel=3.10.0 \
        --enable-bind-now \
        --disable-profile \
        --enable-stackguard-randomization \
        --enable-stack-protector=strong \
        --enable-lock-elision \
        --enable-multi-arch \
        --disable-werror && \
    make && make install_root=$(pwd)/out install

# Copy glibc libs & generate ld cache
RUN cp -d glibc-build/out/lib/*.so "$PREFIX/lib" && \
    echo '/usr/lib' > "$PREFIX/etc/ld.so.conf" && \
    ldconfig -r "$PREFIX"

WORKDIR $PREFIX

# Add root user and group
RUN echo 'root:x:0:0:root:/root:/bin/sh'\\n\
         'nobody:x:65534:65534:nobody:/:/sbin/nologin' \
        > etc/passwd && \
    echo 'root:::0:::::\nnobody:!::0:::::' \
        > etc/shadow && \
    echo 'root:x:0:root\nnogroup:x:65533\nnobody:x:65544' \
        > etc/group

# =============

FROM scratch
WORKDIR /
COPY --from=builder /output/ /
CMD ["sh"]
Refactor from scratch, not busybox 2017-05-11 21:15:10 +00:00			`FROM debian:jessie-slim as builder`
Initial commit 2017-05-10 20:55:40 +00:00
Refactor from scratch, not busybox 2017-05-11 21:15:10 +00:00			`ARG ARCH=x86_64`
			`ARG DEBIAN_FRONTEND=noninteractive`
Initial commit 2017-05-10 20:55:40 +00:00
Build glibc from source- it produces smaller & cleaner libs 2017-05-12 10:50:24 +00:00			`ARG GLIBC_VER=2.25`
Add su-exec and tini 2017-05-12 00:30:49 +00:00			`ARG BUSYB_VER=1.26.2`
			`ARG SU_EXEC_VER=v0.2`
			`ARG TINI_VER=v0.14.0`

Ensure output paths are relative for consistency 2017-05-22 16:06:05 +00:00			`ARG PREFIX=/output`
			`WORKDIR $PREFIX`
Add su-exec & tini 2017-05-11 09:36:22 +00:00
Refactor busybox install, rearrange dockerfile 2017-05-11 22:37:11 +00:00			`#Set up our dependencies, configure the output filesystem a bit`
Refactor from scratch, not busybox 2017-05-11 21:15:10 +00:00			`RUN apt-get update -qy && \`
Build glibc from source- it produces smaller & cleaner libs 2017-05-12 10:50:24 +00:00			`apt-get install -qy curl build-essential gawk linux-libc-dev && \`
Remove some symlinks, separating fs directories 2017-05-22 16:05:55 +00:00			`mkdir -p bin dev etc home lib proc root sbin tmp usr/bin usr/sbin usr/lib var && \`
Add some clarifying comments 2017-05-22 16:27:07 +00:00			`# This is probably only relevant on 64bit systems?`
Remove some symlinks, separating fs directories 2017-05-22 16:05:55 +00:00			`ln -sv lib lib64`
Refactor busybox install, rearrange dockerfile 2017-05-11 22:37:11 +00:00
Add su-exec and tini 2017-05-12 00:30:49 +00:00			`# Pull busybox and some other utilities`
Fix bin & sbin binary directories 2017-05-12 13:07:18 +00:00			`RUN curl -L https://busybox.net/downloads/binaries/$BUSYB_VER-defconfig-multiarch/busybox-$ARCH > bin/busybox && \`
Change to using relative paths for downloaded binaries 2017-05-12 12:43:42 +00:00			`curl -L https://github.com/javabean/su-exec/releases/download/${SU_EXEC_VER}/su-exec.amd64 > sbin/su-exec && \`
Fix bin & sbin binary directories 2017-05-12 13:07:18 +00:00			`curl -L https://github.com/krallin/tini/releases/download/${TINI_VER}/tini-amd64 > sbin/tini && \`
Change busybox --install to manual symlinks to remove second image layer 2017-05-12 13:08:17 +00:00			`chmod +x bin/busybox sbin/su-exec sbin/tini && \`
Add some clarifying comments 2017-05-22 16:27:07 +00:00			`# "Install" busybox, creating symlinks to all binaries it provides`
Ensure output paths are relative for consistency 2017-05-22 16:06:05 +00:00			`bin/busybox --list-full \| xargs -i ln -s /bin/busybox "$PREFIX/{}"`
Fix for busybox symlinks 2017-05-11 23:34:57 +00:00
Initial commit 2017-05-10 20:55:40 +00:00			`WORKDIR /tmp`

Build glibc from source- it produces smaller & cleaner libs 2017-05-12 10:50:24 +00:00			`ARG CFLAGS="-Os -pipe -fstack-protector-strong"`
			`ARG LDFLAGS="-Wl,-O1,--sort-common -Wl,-s"`

			`# Download and build glibc from source`
			`RUN curl -L https://ftp.gnu.org/gnu/glibc/glibc-$GLIBC_VER.tar.xz \| tar xJ && \`
			`mkdir -p glibc-build && cd glibc-build && \`
			`\`
			`echo "slibdir=/lib" >> configparms && \`
			`echo "rtlddir=/lib" >> configparms && \`
			`echo "sbindir=/bin" >> configparms && \`
			`echo "rootsbindir=/bin" >> configparms && \`
			`\`
Add some clarifying comments 2017-05-22 16:27:07 +00:00			`# Fix debian lib path weirdness`
Build glibc from source- it produces smaller & cleaner libs 2017-05-12 10:50:24 +00:00			`rm -rf /usr/include/x86_64-linux-gnu/c++ && \`
Remove verbose ln statements 2017-05-12 13:47:16 +00:00			`ln -s /usr/include/x86_64-linux-gnu/* /usr/include && \`
Add some clarifying comments 2017-05-22 16:27:07 +00:00			`\`
Build glibc from source- it produces smaller & cleaner libs 2017-05-12 10:50:24 +00:00			`../glibc-$GLIBC_VER/configure \`
			`--prefix="$(pwd)/root" \`
			`--libdir="$(pwd)/root/lib" \`
			`--libexecdir=/lib \`
			`--with-headers=/usr/include \`
			`--enable-add-ons \`
			`--enable-obsolete-rpc \`
			`--enable-kernel=3.10.0 \`
			`--enable-bind-now \`
			`--disable-profile \`
			`--enable-stackguard-randomization \`
			`--enable-stack-protector=strong \`
			`--enable-lock-elision \`
			`--enable-multi-arch \`
			`--disable-werror && \`
			`make && make install_root=$(pwd)/out install`

			`# Copy glibc libs & generate ld cache`
Ensure output paths are relative for consistency 2017-05-22 16:06:05 +00:00			`RUN cp -d glibc-build/out/lib/*.so "$PREFIX/lib" && \`
			`echo '/usr/lib' > "$PREFIX/etc/ld.so.conf" && \`
			`ldconfig -r "$PREFIX"`
Build glibc from source- it produces smaller & cleaner libs 2017-05-12 10:50:24 +00:00
Add root user and group 2017-05-22 17:09:32 +00:00			`WORKDIR $PREFIX`

			`# Add root user and group`
			`RUN echo 'root:x:0:0:root:/root:/bin/sh'\\n\`
			`'nobody:x:65534:65534:nobody:/:/sbin/nologin' \`
			`> etc/passwd && \`
			`echo 'root:::0:::::\nnobody:!::0:::::' \`
			`> etc/shadow && \`
			`echo 'root:x:0:root\nnogroup:x:65533\nnobody:x:65544' \`
			`> etc/group`

Refactor from scratch, not busybox 2017-05-11 21:15:10 +00:00			`# =============`

			`FROM scratch`
Initial commit 2017-05-10 20:55:40 +00:00			`WORKDIR /`
Fix for busybox symlinks 2017-05-11 23:34:57 +00:00			`COPY --from=builder /output/ /`
Refactor from scratch, not busybox 2017-05-11 21:15:10 +00:00			`CMD ["sh"]`