Set shell options during docker builds

julienp · julienp · commit fab03c729461 · 2024-10-30T13:53:34.000+01:00
Set stricter options for shell commands, particulary `pipefail` so that commands like `curl … | bash` fail the build when the curl download fails. Without this option, the shell will only consider the exit code of the last command in the pipeline, which might erroneously succeed.
diff --git a/docker/base/Dockerfile b/docker/base/Dockerfile
@@ -1,5 +1,6 @@
 # syntax = docker/dockerfile:experimental
 FROM debian:bookworm-slim AS builder
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG PULUMI_VERSION
 RUN apt-get update -y && \
   apt-get upgrade -y && \
@@ -14,6 +15,7 @@ RUN curl -fsSL https://get.pulumi.com/ | bash -s -- --version $PULUMI_VERSION
 # The runtime container
 # This is our base container, so let's copy all the runtimes to .pulumi/bin
 FROM debian:bookworm-slim
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 LABEL org.opencontainers.image.description="Pulumi CLI container, bring your own SDK"
 WORKDIR /pulumi
 COPY --from=builder /root/.pulumi/bin bin
diff --git a/docker/base/Dockerfile.ubi b/docker/base/Dockerfile.ubi
@@ -1,5 +1,6 @@
 # syntax = docker/dockerfile:experimental
 FROM redhat/ubi8-minimal:latest as builder
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG PULUMI_VERSION
 RUN microdnf install -y \
   curl \
@@ -14,6 +15,7 @@ RUN curl -fsSL https://get.pulumi.com/ | bash -s -- --version $PULUMI_VERSION
 # The runtime container
 # This is our base container, so let's copy all the runtimes to .pulumi/bin
 FROM redhat/ubi8-minimal:latest
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 LABEL org.opencontainers.image.description="Pulumi CLI container, bring your own SDK"
 WORKDIR /pulumi
 COPY --from=builder /root/.pulumi/bin bin
diff --git a/docker/dotnet/Dockerfile b/docker/dotnet/Dockerfile
@@ -1,6 +1,7 @@
 # syntax = docker/dockerfile:experimental
 
 FROM debian:bookworm-slim AS builder
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG PULUMI_VERSION
 RUN apt-get update -y && \
     apt-get upgrade -y && \
@@ -15,6 +16,7 @@ RUN curl -fsSL https://get.pulumi.com/ | bash -s -- --version $PULUMI_VERSION
 
 # The runtime container
 FROM debian:bookworm-slim
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 LABEL org.opencontainers.image.description="Pulumi CLI container for dotnet"
 WORKDIR /pulumi/projects
 
diff --git a/docker/dotnet/Dockerfile.ubi b/docker/dotnet/Dockerfile.ubi
@@ -1,6 +1,7 @@
 # syntax = docker/dockerfile:experimental
 # Interim container so we can copy pulumi binaries
 FROM redhat/ubi8-minimal:latest as builder
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG PULUMI_VERSION
 RUN microdnf install -y \
     curl \
@@ -11,6 +12,7 @@ RUN curl -fsSL https://get.pulumi.com/ | bash -s -- --version $PULUMI_VERSION
 
 # The runtime container
 FROM redhat/ubi8-minimal:latest
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG LANGUAGE_VERSION
 LABEL org.opencontainers.image.description="Pulumi CLI container for dotnet"
 WORKDIR /pulumi/projects
diff --git a/docker/go/Dockerfile b/docker/go/Dockerfile
@@ -4,6 +4,7 @@
 
 # Build container
 FROM ubuntu:bionic AS builder
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 
 ARG PULUMI_VERSION
 ARG GO_RUNTIME_VERSION=1.21.1
@@ -52,6 +53,7 @@ RUN case $(uname -m) in \
 
 # The runtime container
 FROM debian:11-slim
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 LABEL org.opencontainers.image.description="Pulumi CLI container for go"
 WORKDIR /pulumi/projects
 
diff --git a/docker/go/Dockerfile.ubi b/docker/go/Dockerfile.ubi
@@ -1,6 +1,7 @@
 # syntax = docker/dockerfile:experimental
 # Interim container so we can copy pulumi binaries
 FROM redhat/ubi8-minimal:latest as builder
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG PULUMI_VERSION
 RUN microdnf install -y \
     curl \
@@ -24,6 +25,7 @@ RUN curl -fsSLo /tmp/go.tgz https://golang.org/dl/go${RUNTIME_VERSION}.linux-amd
 
 # The runtime container
 FROM redhat/ubi8-minimal:latest
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 LABEL org.opencontainers.image.description="Pulumi CLI container for go"
 WORKDIR /pulumi/projects
 
diff --git a/docker/java/Dockerfile b/docker/java/Dockerfile
@@ -2,6 +2,7 @@
 # Interim container so we can copy pulumi binaries
 # Must be defined first
 FROM debian:bookworm-slim AS builder
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG PULUMI_VERSION
 RUN apt-get update -y && \
     apt-get upgrade -y && \
@@ -16,6 +17,7 @@ RUN curl -fsSL https://get.pulumi.com/ | bash -s -- --version $PULUMI_VERSION
 
 # The runtime container
 FROM debian:bookworm-slim
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 LABEL org.opencontainers.image.description="Pulumi CLI container for java"
 WORKDIR /pulumi/projects
 
diff --git a/docker/java/Dockerfile.ubi b/docker/java/Dockerfile.ubi
@@ -2,6 +2,7 @@
 # Interim container so we can copy pulumi binaries
 # Must be defined first
 FROM redhat/ubi8-minimal:latest as builder
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG PULUMI_VERSION
 RUN microdnf install -y \
     curl \
@@ -14,6 +15,7 @@ RUN curl -fsSL https://get.pulumi.com/ | bash -s -- --version $PULUMI_VERSION
 
 # The runtime container
 FROM redhat/ubi8-minimal:latest
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 LABEL org.opencontainers.image.description="Pulumi CLI container for Java"
 WORKDIR /pulumi/projects
 
diff --git a/docker/nodejs/Dockerfile b/docker/nodejs/Dockerfile
@@ -4,6 +4,7 @@
 ARG LANGUAGE_VERSION
 
 FROM debian:bookworm-slim AS builder
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG PULUMI_VERSION
 RUN apt-get update -y && \
     apt-get upgrade -y && \
@@ -18,6 +19,7 @@ RUN curl -fsSL https://get.pulumi.com/ | bash -s -- --version $PULUMI_VERSION
 
 # The runtime container
 FROM node:${LANGUAGE_VERSION}-bookworm-slim
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 LABEL org.opencontainers.image.description="Pulumi CLI container for nodejs"
 WORKDIR /pulumi/projects
 
diff --git a/docker/nodejs/Dockerfile.ubi b/docker/nodejs/Dockerfile.ubi
@@ -1,6 +1,7 @@
 # syntax = docker/dockerfile:experimental
 # Interim container so we can copy pulumi binaries
 FROM redhat/ubi8-minimal:latest as builder
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG PULUMI_VERSION
 RUN microdnf install -y \
     curl \
@@ -11,6 +12,7 @@ RUN curl -fsSL https://get.pulumi.com/ | bash -s -- --version $PULUMI_VERSION
 
 # The runtime container
 FROM redhat/ubi8-minimal:latest
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG LANGUAGE_VERSION
 LABEL org.opencontainers.image.description="Pulumi CLI container for nodejs"
 WORKDIR /pulumi/projects
diff --git a/docker/pulumi/Dockerfile b/docker/pulumi/Dockerfile
@@ -1,4 +1,5 @@
 FROM debian:12 AS base
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 
 # These values are passed in by the build system automatically. The options are: arm64, amd64
 # See: https://docs.docker.com/build/building/variables/#pre-defined-build-arguments
@@ -170,6 +171,7 @@ ENTRYPOINT ["pulumi"]
 ########################################################################
 
 FROM base AS nonroot
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 
 LABEL "repository"="https://github.com/pulumi/pulumi"
 LABEL "homepage"="https://pulumi.com"
@@ -199,6 +201,7 @@ RUN helm repo add stable https://charts.helm.sh/stable && \
 ########################################################################
 
 FROM base AS build-environment
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 
 ARG TARGETARCH
 
diff --git a/docker/python/Dockerfile b/docker/python/Dockerfile
@@ -4,6 +4,7 @@
 ARG LANGUAGE_VERSION
 
 FROM debian:bookworm-slim AS builder
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG PULUMI_VERSION
 RUN apt-get update -y && \
     apt-get upgrade -y && \
@@ -17,6 +18,7 @@ RUN curl -fsSL https://get.pulumi.com/ | bash -s -- --version $PULUMI_VERSION
 
 # The runtime container
 FROM python:${LANGUAGE_VERSION}-slim-bookworm
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 LABEL org.opencontainers.image.description="Pulumi CLI container for python"
 WORKDIR /pulumi/projects
 
diff --git a/docker/python/Dockerfile.ubi b/docker/python/Dockerfile.ubi
@@ -1,6 +1,7 @@
 # syntax = docker/dockerfile:experimental
 # Interim container so we can copy pulumi binaries
 FROM redhat/ubi8-minimal:latest as builder
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG PULUMI_VERSION
 RUN microdnf install -y \
     gzip \
@@ -10,6 +11,7 @@ RUN curl -fsSL https://get.pulumi.com/ | bash -s -- --version $PULUMI_VERSION
 
 # The runtime container
 FROM redhat/ubi8-minimal:latest
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG LANGUAGE_VERSION
 LABEL org.opencontainers.image.description="Pulumi CLI container for python"
 WORKDIR /pulumi/projects
