Dockerfile.centos
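# CentOS 7.9 has glibc 2.17
# NOTE(review): the tag is mutable; pin the base image by digest
# (`@sha256:<digest-of-the-intended-image>`) once that digest has been recorded.
FROM public.ecr.aws/docker/library/centos:centos7.9.2009

# Point yum at the archived 7.9.2009 tree on vault.centos.org.
#
# Package signatures are verified (gpgcheck=1) against the CentOS 7 keys that
# already ship in the base image, so a tampered mirror or an on-path attacker
# cannot substitute packages. The build fails closed when no key is present or
# a signature does not verify.
# NOTE(review): assumes every targeted architecture ships a matching
# RPM-GPG-KEY-CentOS-7* file under /etc/pki/rpm-gpg; confirm on non-x86_64.
# NOTE(review): baseurl stays on plain HTTP as before, so repository metadata
# is still unauthenticated; consider https:// once TLS to the vault has been
# confirmed to work from this image.
RUN <<SHELL
set -eux

# Architectures other than x86_64 are served from the altarch tree.
if [ "$(uname -m)" != "x86_64" ]; then
  repo_version="altarch/7.9.2009"
else
  repo_version="7.9.2009"
fi

# Collect the signing keys bundled with the image; refuse to continue without one.
gpgkeys=""
for key in /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7*; do
  if [ -f "$key" ]; then
    gpgkeys="${gpgkeys} file://${key}"
  fi
done
if [ -z "$gpgkeys" ]; then
  echo "no CentOS 7 RPM signing key found under /etc/pki/rpm-gpg" >&2
  exit 1
fi
gpgkeys="${gpgkeys# }"

cat <<EOF > /etc/yum.repos.d/CentOS-Base.repo
[base]
name=CentOS-\$releasever - Base
baseurl=http://vault.centos.org/${repo_version}/os/\$basearch/
gpgcheck=1
gpgkey=${gpgkeys}
[updates]
name=CentOS-\$releasever - Updates
baseurl=http://vault.centos.org/${repo_version}/updates/\$basearch/
gpgcheck=1
gpgkey=${gpgkeys}
[extras]
name=CentOS-\$releasever - Extras
baseurl=http://vault.centos.org/${repo_version}/extras/\$basearch/
gpgcheck=1
gpgkey=${gpgkeys}
[centosplus]
name=CentOS-\$releasever - Plus
baseurl=http://vault.centos.org/${repo_version}/centosplus/\$basearch/
gpgcheck=1
gpgkey=${gpgkeys}
enabled=0
EOF
SHELL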
# Some RUN steps depend on state outside the build: the command text is
# identical as far as `docker build` is concerned, yet its result can differ
# depending on when it runs.
#
# That leads to two needs:
#
# - capturing a fresh state, i.e. making the same non-reproducible command run
#   again. `--no-cache` does that, but it also invalidates every other step in
#   the Dockerfile.
# - naming one specific state and reusing the cache for exactly that state.
#
# REPRO_RUN_KEY is a build argument carrying an arbitrary identifier of that
# state (typically a timestamp). It is passed into the non-reproducible
# commands so that they look different to Docker whenever the key changes.
#
# This only helps when cache data is available: two independent builds using
# the same key but sharing no cache can still produce different results.
ARG REPRO_RUN_KEY=0

# `yum` fetches whatever repository index is current at build time.
# For reproducibility, later steps (including those in dependent images) should
# not refresh the `yum` cache; update this base image by changing
# `REPRO_RUN_KEY` instead.
RUN true "${REPRO_RUN_KEY}" \
    && yum makecache -y
# The base image had localedef forcefully removed by:
#   rm -rf "$target"/usr/{{lib,share}/locale,{lib,lib64}/gconv,bin/localedef,sbin/build-locale-archive}
# CentOS 8 offers `yum list glibc-langpack-\*`, CentOS 7 does not, so
# glibc-common is reinstalled instead (presumably to bring localedef back).
RUN yum reinstall -y glibc-common

# Build toolchain and general utilities, one package per line, sorted.
RUN yum install -y \
      curl \
      file \
      gcc \
      gcc-c++ \
      gettext \
      git \
      libtool \
      make \
      patch \
      patchutils \
      pkgconfig \
      unzip \
      zip
# Must run after the `yum install curl gcc make ...` step above, although only
# aarch64 appears to need that ordering.
# The locale table is botched and localedef exits non-zero, so its status is
# ignored and the output of `locale` is checked for errors instead.
RUN <<SHELL
localedef -v -c -i en_US -f UTF-8 en_US.UTF-8 || true

# Fail the build when `locale` still reports a missing default locale.
if locale 2>&1 | grep -e 'locale: Cannot set LC_.* to default locale: No such file or directory'
then
  exit 1
fi
SHELL
# gem install / gem update never generate documentation in this image.
COPY <<GEMRC /usr/local/etc/gemrc
install: --no-document
update: --no-document
GEMRC

# Default locale, plus the Ruby release that the build step below downloads.
# RUBY_DOWNLOAD_SHA256 is the expected SHA-256 of the source tarball; the build
# step checks the download against it with `sha256sum --check --strict`, so it
# must be updated together with RUBY_VERSION.
# NOTE(review): Ruby 2.1 no longer receives upstream security fixes; treat the
# resulting image as a legacy build/test target only.
ENV LANG="en_US.UTF-8" \
    RUBY_MAJOR="2.1" \
    RUBY_VERSION="2.1.10" \
    RUBY_DOWNLOAD_SHA256="5be9f8d5d29d252cd7f969ab7550e31bbb001feb4a83532301c0dd3b5006e148"
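# Build Ruby from source and install it under /usr/local:
# - compile Ruby with `--disable-shared`
# - update RubyGems and install a pinned Bundler
RUN <<SHELL
set -eux

# Build-time dependencies for Ruby and its bundled extensions.
yum install -y xz gcc automake bison zlib-devel libyaml-devel openssl-devel gdbm-devel readline-devel ncurses-devel libffi-devel

# --fail makes an HTTP error abort the build at the download step instead of
# saving the error page as the tarball and only failing at the checksum.
curl --fail -o ruby.tar.xz "https://cache.ruby-lang.org/pub/ruby/${RUBY_MAJOR%-rc}/ruby-$RUBY_VERSION.tar.xz"

# Integrity check: the tarball must match the pinned digest before it is unpacked.
echo "$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz" | sha256sum --check --strict

mkdir -p /usr/src/ruby
tar -xJf ruby.tar.xz -C /usr/src/ruby --strip-components=1
rm ruby.tar.xz

cd /usr/src/ruby

# hack in "ENABLE_PATH_CHECK" disabling to suppress:
#   warning: Insecure world writable dir
# NOTE(review): this turns off Ruby's warning about world-writable PATH
# directories for every program run with this interpreter. This file later
# makes $GEM_HOME mode 1777 and puts $GEM_HOME/bin on PATH, which would
# otherwise trigger it.
{
  echo '#define ENABLE_PATH_CHECK 0'
  echo
  cat file.c
} > file.c.new
mv file.c.new file.c

autoconf
gnuArch="$(gcc -dumpmachine)"
./configure \
  --build="$gnuArch" \
  --disable-install-doc \
  --disable-shared
make -j "$(nproc)"
make install

# TODO: purge build-only packages after the build. The Debian flow lists the
# shared libraries needed by executables under /usr/local (find + ldd), maps
# them to packages (dpkg-query --search), marks those manual (apt-mark manual)
# and runs `apt-get purge -y --auto-remove`. A yum equivalent was sketched
# (rpm -qf, `yum autoremove -y`,
# `yum remove --setopt=clean_requirements_on_remove=1`,
# `package-cleanup --leaves` from yum-utils, `yum history undo`) but yum has
# no known counterpart to `apt-mark manual`, so nothing is removed yet.

cd /
rm -r /usr/src/ruby

# A distribution ruby package must not be installed next to the source build.
if yum list installed ruby; then exit 1; fi

# update gem version
# NOTE(review): both are fetched from the configured gem source at build time;
# the versions are pinned but no checksum is verified here.
gem update --system 2.7.11
gem install bundler --version 1.17.3 --force

# rough smoke test
ruby --version
gem --version
bundle --version
SHELL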
# Keep Bundler's configuration and installed gems under one shared directory
# so that no ".bundle" directory is created inside each application.
ENV GEM_HOME=/usr/local/bundle

# GEM_HOME must already be set by the previous instruction for these
# references to resolve.
ENV BUNDLE_SILENCE_ROOT_WARNING=1 \
    BUNDLE_APP_CONFIG="$GEM_HOME" \
    PATH="$GEM_HOME/bin:$PATH"

# Let an arbitrary user run "gem install": the directory is world-writable
# with the sticky bit set.
# NOTE(review): $GEM_HOME/bin comes first on PATH, so any user in the
# container can place executables there that take precedence over system
# binaries. Acceptable for a build/test image; do not reuse this layout for
# multi-user or production images.
RUN mkdir -p "$GEM_HOME" \
    && chmod 1777 "$GEM_HOME"

# NOTE(review): no USER instruction appears in this file, so the default
# command runs as the base image's default user (presumably root).
CMD ["irb"]