FROM public.ecr.aws/amazonlinux/amazonlinux:2 AS builder

# Toolchain needed to run autogen/configure/make for util-linux below.
RUN yum -y install \
        autoconf automake bison gettext-devel libtool make pkgconfig tar xz

# sdk-fetch is the project's source-fetching helper; it is driven by the
# ./hashes file copied in below (presumably it verifies the download against
# those hashes — confirm in sdk-fetch itself).
COPY ./sdk-fetch /usr/local/bin

ARG utillinux_version=2.38.1

# NOTE(review): ${HOME} is expanded from build-time ENV, which this base image
# may not set — confirm the intended location (it may resolve to /build).
WORKDIR ${HOME}/build
COPY ./hashes/util-linux ./hashes
RUN sdk-fetch hashes \
    && tar -xf util-linux-${utillinux_version}.tar.xz \
    && rm util-linux-${utillinux_version}.tar.xz hashes

# Build `script` for SSM session logging (and `lscpu`); every optional
# component is switched off to keep the build small. On configure failure
# dump config.log so the build output shows why.
WORKDIR ${HOME}/build/util-linux-${utillinux_version}
RUN ./autogen.sh \
    && ./configure \
        --disable-makeinstall-chown \
        --disable-nls \
        --disable-rpath \
        --prefix=/opt/util-linux \
        --without-audit \
        --without-python \
        --without-readline \
        --without-systemd \
        --without-udev \
        --without-utempter \
    || { cat config.log; exit 1; }
RUN make -j`nproc` lscpu script
RUN make install-strip

# Keep the license texts alongside the binaries that the final stage copies.
RUN mkdir -p /usr/share/licenses/util-linux \
    && cp -p \
        Documentation/licenses/COPYING.BSD-4-Clause-UC \
        Documentation/licenses/COPYING.GPL-2.0-or-later \
        Documentation/licenses/COPYING.LGPL-2.1-or-later \
        /usr/share/licenses/util-linux
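FROM public.ecr.aws/amazonlinux/amazonlinux:2

# IMAGE_VERSION is the assigned version of inputs for this image.
ARG IMAGE_VERSION
ENV IMAGE_VERSION=$IMAGE_VERSION

# SSM_AGENT_VERSION is the version of the SSM Agent to download and install.
ARG SSM_AGENT_VERSION
ENV SSM_AGENT_VERSION=$SSM_AGENT_VERSION

# Validation: fail the build early if either version was not supplied.
RUN : \
    "${IMAGE_VERSION:?IMAGE_VERSION is required to build}" \
    "${SSM_AGENT_VERSION:?SSM Agent version required to build}"

LABEL "org.opencontainers.image.version"="$IMAGE_VERSION"

# Copy util-linux binaries and dependencies
COPY --from=builder /opt/util-linux/bin/lscpu /opt/util-linux/bin/script \
    /opt/util-linux/bin/
COPY --from=builder /opt/util-linux/include/libsmartcols \
    /opt/util-linux/include/libsmartcols
COPY --from=builder /opt/util-linux/lib/libsmartcols* \
    /opt/util-linux/lib/
COPY --from=builder /usr/share/licenses/util-linux \
    /usr/share/licenses/util-linux
RUN ln -s /opt/util-linux/bin/* /usr/bin

# Validate that the copied binaries actually execute (e.g. that libsmartcols
# resolves). POSIX redirections are used on purpose: RUN executes via
# /bin/sh -c, and under a non-bash sh the bash-only `&>` would background the
# command and the RUN would succeed regardless of its exit status.
RUN /usr/bin/lscpu >/dev/null 2>&1
RUN /usr/bin/script --version >/dev/null 2>&1

# Install the arch specific build of SSM agent *and confirm that it installed* -
# yum will allow architecture-mismatched packages to not install and consider
# the run successful, so `rpm -q` below makes the confirmation explicit.
# SSM Agent is downloaded from eu-north-1 as this region gets new releases of SSM Agent first.
# The download is pinned by the sha512 in ./hashes; `curl -f` makes an HTTP
# error fail immediately instead of surfacing later as a checksum mismatch.
# NOTE(review): `rpm --checksig` exits 0 for an unsigned package (digests
# only), so the pinned sha512 is the binding integrity check — confirm that is
# the intended trust model.
# Both the hashes file and the public key are removed in the same layer once
# used, so neither is left at / in the final image.
COPY ./hashes/ssm ./hashes
COPY ./gpg-keys/amazon-ssm-agent.gpg ./amazon-ssm-agent.gpg
RUN ARCH=$(uname -m | sed 's/aarch64/arm64/' | sed 's/x86_64/amd64/') && \
    curl -fsSL "https://s3.eu-north-1.amazonaws.com/amazon-ssm-eu-north-1/${SSM_AGENT_VERSION}/linux_${ARCH}/amazon-ssm-agent.rpm" \
        -o "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" && \
    grep "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" hashes \
        | sha512sum --check - && \
    rpm --import amazon-ssm-agent.gpg && \
    rpm --checksig "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" && \
    yum update -y && yum install -y jq screen shadow-utils && \
    yum install -y "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" && \
    rpm -q amazon-ssm-agent && \
    rm "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" && \
    rm -rf /var/cache/yum ./hashes ./amazon-ssm-agent.gpg && \
    rmdir /var/lib/amazon/ssm && \
    ln -snf /.bottlerocket/host-containers/current/ssm /var/lib/amazon/ssm

# Add motd explaining the control container.
RUN rm -f /etc/motd /etc/issue
COPY --chown=root:root motd /etc/

# Add custom PS1 to show you are in the control container.
ARG CUSTOM_PS1='[\u@control]\$ '
RUN echo "PS1='$CUSTOM_PS1'" > "/etc/profile.d/bottlerocket-ps1.sh"

# Add bashrc that shows the motd.
COPY ./bashrc /etc/skel/.bashrc

# SSM starts sessions with 'sh', not 'bash', which for us is a link to bash.
# Furthermore, it starts sh as an interactive shell, but not a login shell.
# In this mode, the only startup file respected is the one pointed to by the
# ENV environment variable. Point it to our bashrc, which just prints motd.
# (key=value form; the space-separated ENV syntax is deprecated.)
ENV ENV=/etc/skel/.bashrc

# Add our helpers to quickly interact with the admin container.
COPY --chmod=755 \
    ./disable-admin-container \
    ./enable-admin-container \
    ./enter-admin-container \
    /usr/bin/

# Create our user in the group that allows API access.
RUN groupadd -g 274 api
RUN useradd -m -G users,api ssm-user

# NOTE(review): the image ends without a USER directive, so the agent starts as
# root; presumably required by the SSM agent and the admin-container helpers —
# confirm this is intended.
COPY --chmod=755 start_control_ssm.sh /usr/sbin/
CMD ["/usr/sbin/start_control_ssm.sh"]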