From 2d4d3fd8fb2019e2cc0f2eeff4a9688b57968c90 Mon Sep 17 00:00:00 2001 From: Nathan Lacey Date: Tue, 25 Feb 2025 09:09:43 -0500 Subject: [PATCH] Remove gosu based CVE by building gosu with current golang image cleanup reference --- 13/alpine3.20/Dockerfile | 26 +++++++++++--------------- 13/alpine3.21/Dockerfile | 26 +++++++++++--------------- 13/bookworm/Dockerfile | 19 ++++++++++--------- 13/bullseye/Dockerfile | 19 ++++++++++--------- 14/alpine3.20/Dockerfile | 26 +++++++++++--------------- 14/alpine3.21/Dockerfile | 26 +++++++++++--------------- 14/bookworm/Dockerfile | 19 ++++++++++--------- 14/bullseye/Dockerfile | 19 ++++++++++--------- 15/alpine3.20/Dockerfile | 26 +++++++++++--------------- 15/alpine3.21/Dockerfile | 26 +++++++++++--------------- 15/bookworm/Dockerfile | 19 ++++++++++--------- 15/bullseye/Dockerfile | 19 ++++++++++--------- 16/alpine3.20/Dockerfile | 26 +++++++++++--------------- 16/alpine3.21/Dockerfile | 26 +++++++++++--------------- 16/bookworm/Dockerfile | 19 ++++++++++--------- 16/bullseye/Dockerfile | 19 ++++++++++--------- 17/alpine3.20/Dockerfile | 26 +++++++++++--------------- 17/alpine3.21/Dockerfile | 26 +++++++++++--------------- 17/bookworm/Dockerfile | 19 ++++++++++--------- 17/bullseye/Dockerfile | 19 ++++++++++--------- Dockerfile-alpine.template | 26 +++++++++++--------------- Dockerfile-debian.template | 19 ++++++++++--------- 22 files changed, 231 insertions(+), 264 deletions(-) diff --git a/13/alpine3.20/Dockerfile b/13/alpine3.20/Dockerfile index 6b90306dfa..3a6169fff2 100644 --- a/13/alpine3.20/Dockerfile +++ b/13/alpine3.20/Dockerfile @@ -4,6 +4,14 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # +FROM golang:1.23.6 AS gosubuilder +ENV GOSU_VERSION=1.17 +WORKDIR /go/src/github.com/tianon +RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION +WORKDIR /go/src/github.com/tianon/gosu +RUN go mod download +RUN go build + FROM alpine:3.20 # 70 is the standard uid/gid for "postgres" in Alpine 
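Review bot: The new `gosubuilder` stage builds whatever the `$GOSU_VERSION` tag points to at clone time (`RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION`), and the pinned-fingerprint GPG check that the old download path performed is removed in the next hunk without a replacement, so a moved or re-pushed tag would flow straight into `/usr/local/bin/gosu`. Pin the source to a reviewed commit and fail the build on mismatch, for example `RUN git clone --branch "$GOSU_VERSION" https://github.com/tianon/gosu.git && [ "$(git -C gosu rev-parse HEAD)" = "$GOSU_COMMIT" ]`, where `GOSU_COMMIT` is a placeholder for the commit id you have verified. `RUN go build` also relies on the builder image's default cgo setting although the result is copied into Alpine (musl) images; `RUN CGO_ENABLED=0 go build` would make the static link explicit. Rebuilding swaps only the Go toolchain and standard library, because `go mod download` still fetches the module versions recorded for gosu 1.17, so scanner findings tied to a dependency will presumably remain. The same stage is repeated in every generated Dockerfile in this patch and in `Dockerfile-alpine.template`; since the per-version files are generated, the change belongs in the templates.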
@@ -16,29 +24,17 @@ RUN set -eux; \ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql # grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 +COPY --from=gosubuilder /go/src/github.com/tianon/gosu/gosu /usr/local/bin/gosu + RUN set -eux; \ \ - apk add --no-cache --virtual .gosu-deps \ + apk add --no-cache --virtual \ ca-certificates \ dpkg \ gnupg \ ; \ \ - dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ - wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ - \ -# verify the signature - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ - \ # clean up fetch dependencies - apk del --no-network .gosu-deps; \ \ chmod +x /usr/local/bin/gosu; \ # verify that the binary works diff --git a/13/alpine3.21/Dockerfile b/13/alpine3.21/Dockerfile index c2fd2016b6..5d010b3e74 100644 --- a/13/alpine3.21/Dockerfile +++ b/13/alpine3.21/Dockerfile @@ -4,6 +4,14 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # +FROM golang:1.23.6 AS gosubuilder +ENV GOSU_VERSION=1.17 +WORKDIR /go/src/github.com/tianon +RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION +WORKDIR /go/src/github.com/tianon/gosu +RUN go mod download +RUN go build + FROM alpine:3.21 # 70 is the standard uid/gid for "postgres" in Alpine 
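Review bot: In the `apk add` line the name `.gosu-deps` was dropped but `--virtual` was kept, so apk now takes `ca-certificates` as the name of the virtual package instead of a package to install, and with `apk del --no-network .gosu-deps` removed as well, `dpkg` and `gnupg` are never uninstalled and stay in the final image. Nothing is downloaded or signature-checked in this step any more, so the whole `apk add --no-cache --virtual \` … `; \` run can be deleted together with the orphaned `# clean up fetch dependencies` comment, leaving `chmod +x /usr/local/bin/gosu` and the check under `# verify that the binary works`, which continues outside the hunk. The identical hunk appears in every other `alpine3.20` and `alpine3.21` Dockerfile in this patch; those files are generated, so the fix belongs in `Dockerfile-alpine.template`.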
@@ -16,29 +24,17 @@ RUN set -eux; \ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql # grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 +COPY --from=gosubuilder /go/src/github.com/tianon/gosu/gosu /usr/local/bin/gosu + RUN set -eux; \ \ - apk add --no-cache --virtual .gosu-deps \ + apk add --no-cache --virtual \ ca-certificates \ dpkg \ gnupg \ ; \ \ - dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ - wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ - \ -# verify the signature - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ - \ # clean up fetch dependencies - apk del --no-network .gosu-deps; \ \ chmod +x /usr/local/bin/gosu; \ # verify that the binary works diff --git a/13/bookworm/Dockerfile b/13/bookworm/Dockerfile index e19c54c943..da65a51183 100644 --- a/13/bookworm/Dockerfile +++ b/13/bookworm/Dockerfile @@ -4,6 +4,14 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # +FROM golang:1.23.6 AS gosubuilder +ENV GOSU_VERSION=1.17 +WORKDIR /go/src/github.com/tianon +RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION +WORKDIR /go/src/github.com/tianon/gosu +RUN go mod download +RUN go build + FROM debian:bookworm-slim # explicitly set user/group IDs 
@@ -27,21 +35,14 @@ RUN set -ex; \ rm -rf /var/lib/apt/lists/* # grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 +COPY --from=gosubuilder /go/src/github.com/tianon/gosu/gosu /usr/local/bin/gosu + RUN set -eux; \ savedAptMark="$(apt-mark showmanual)"; \ apt-get update; \ apt-get install -y --no-install-recommends ca-certificates wget; \ rm -rf /var/lib/apt/lists/*; \ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ - wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ apt-mark auto '.*' > /dev/null; \ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ diff --git a/13/bullseye/Dockerfile b/13/bullseye/Dockerfile index fa5bce3769..cbfed1c568 100644 --- a/13/bullseye/Dockerfile +++ b/13/bullseye/Dockerfile @@ -4,6 +4,14 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # +FROM golang:1.23.6 AS gosubuilder +ENV GOSU_VERSION=1.17 +WORKDIR /go/src/github.com/tianon +RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION +WORKDIR /go/src/github.com/tianon/gosu +RUN go mod download +RUN go build + FROM debian:bullseye-slim # explicitly set user/group IDs 
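Review bot: With the `wget` and `gpg` lines gone, what is left of this `RUN` is dead code: `apt-get install -y --no-install-recommends ca-certificates wget` installs tools that nothing in the hunk uses, `dpkgArch="$(dpkg --print-architecture | ...)"` is assigned and no longer read in the visible lines, and the `apt-mark` / `apt-get purge` lines only undo that install. Each build still runs `apt-get update` against the network for no result, which adds a failure point and makes the layer depend on mirror state. I would delete everything from `savedAptMark="$(apt-mark showmanual)"` through the `apt-get purge` line and keep only whatever binary check follows; the RUN continues outside the hunk. The same hunk is repeated in the other `bookworm` and `bullseye` Dockerfiles, which are generated, so the edit belongs in `Dockerfile-debian.template`.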
@@ -27,21 +35,14 @@ RUN set -ex; \ rm -rf /var/lib/apt/lists/* # grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 +COPY --from=gosubuilder /go/src/github.com/tianon/gosu/gosu /usr/local/bin/gosu + RUN set -eux; \ savedAptMark="$(apt-mark showmanual)"; \ apt-get update; \ apt-get install -y --no-install-recommends ca-certificates wget; \ rm -rf /var/lib/apt/lists/*; \ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ - wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ apt-mark auto '.*' > /dev/null; \ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ diff --git a/14/alpine3.20/Dockerfile b/14/alpine3.20/Dockerfile index 7a97933e5e..2e2dd3b4ee 100644 --- a/14/alpine3.20/Dockerfile +++ b/14/alpine3.20/Dockerfile @@ -4,6 +4,14 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # +FROM golang:1.23.6 AS gosubuilder +ENV GOSU_VERSION=1.17 +WORKDIR /go/src/github.com/tianon +RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION +WORKDIR /go/src/github.com/tianon/gosu +RUN go mod download +RUN go build + FROM alpine:3.20 # 70 is the standard uid/gid for "postgres" in Alpine 
@@ -16,29 +24,17 @@ RUN set -eux; \ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql # grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 +COPY --from=gosubuilder /go/src/github.com/tianon/gosu/gosu /usr/local/bin/gosu + RUN set -eux; \ \ - apk add --no-cache --virtual .gosu-deps \ + apk add --no-cache --virtual \ ca-certificates \ dpkg \ gnupg \ ; \ \ - dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ - wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ - \ -# verify the signature - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ - \ # clean up fetch dependencies - apk del --no-network .gosu-deps; \ \ chmod +x /usr/local/bin/gosu; \ # verify that the binary works diff --git a/14/alpine3.21/Dockerfile b/14/alpine3.21/Dockerfile index e6eaec1609..11bb540f20 100644 --- a/14/alpine3.21/Dockerfile +++ b/14/alpine3.21/Dockerfile @@ -4,6 +4,14 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # +FROM golang:1.23.6 AS gosubuilder +ENV GOSU_VERSION=1.17 +WORKDIR /go/src/github.com/tianon +RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION +WORKDIR /go/src/github.com/tianon/gosu +RUN go mod download +RUN go build + FROM alpine:3.21 # 70 is the standard uid/gid for "postgres" in Alpine 
@@ -16,29 +24,17 @@ RUN set -eux; \ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql # grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 +COPY --from=gosubuilder /go/src/github.com/tianon/gosu/gosu /usr/local/bin/gosu + RUN set -eux; \ \ - apk add --no-cache --virtual .gosu-deps \ + apk add --no-cache --virtual \ ca-certificates \ dpkg \ gnupg \ ; \ \ - dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ - wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ - \ -# verify the signature - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ - \ # clean up fetch dependencies - apk del --no-network .gosu-deps; \ \ chmod +x /usr/local/bin/gosu; \ # verify that the binary works diff --git a/14/bookworm/Dockerfile b/14/bookworm/Dockerfile index e97bad7808..856cff7886 100644 --- a/14/bookworm/Dockerfile +++ b/14/bookworm/Dockerfile @@ -4,6 +4,14 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # +FROM golang:1.23.6 AS gosubuilder +ENV GOSU_VERSION=1.17 +WORKDIR /go/src/github.com/tianon +RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION +WORKDIR /go/src/github.com/tianon/gosu +RUN go mod download +RUN go build + FROM debian:bookworm-slim # explicitly set user/group IDs 
@@ -27,21 +35,14 @@ RUN set -ex; \ rm -rf /var/lib/apt/lists/* # grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 +COPY --from=gosubuilder /go/src/github.com/tianon/gosu/gosu /usr/local/bin/gosu + RUN set -eux; \ savedAptMark="$(apt-mark showmanual)"; \ apt-get update; \ apt-get install -y --no-install-recommends ca-certificates wget; \ rm -rf /var/lib/apt/lists/*; \ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ - wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ apt-mark auto '.*' > /dev/null; \ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ diff --git a/14/bullseye/Dockerfile b/14/bullseye/Dockerfile index b85e3deefd..c4422758ec 100644 --- a/14/bullseye/Dockerfile +++ b/14/bullseye/Dockerfile @@ -4,6 +4,14 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # +FROM golang:1.23.6 AS gosubuilder +ENV GOSU_VERSION=1.17 +WORKDIR /go/src/github.com/tianon +RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION +WORKDIR /go/src/github.com/tianon/gosu +RUN go mod download +RUN go build + FROM debian:bullseye-slim # explicitly set user/group IDs 
@@ -27,21 +35,14 @@ RUN set -ex; \ rm -rf /var/lib/apt/lists/* # grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 +COPY --from=gosubuilder /go/src/github.com/tianon/gosu/gosu /usr/local/bin/gosu + RUN set -eux; \ savedAptMark="$(apt-mark showmanual)"; \ apt-get update; \ apt-get install -y --no-install-recommends ca-certificates wget; \ rm -rf /var/lib/apt/lists/*; \ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ - wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ apt-mark auto '.*' > /dev/null; \ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ diff --git a/15/alpine3.20/Dockerfile b/15/alpine3.20/Dockerfile index 1142617c31..c8d3f1ad93 100644 --- a/15/alpine3.20/Dockerfile +++ b/15/alpine3.20/Dockerfile @@ -4,6 +4,14 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # +FROM golang:1.23.6 AS gosubuilder +ENV GOSU_VERSION=1.17 +WORKDIR /go/src/github.com/tianon +RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION +WORKDIR /go/src/github.com/tianon/gosu +RUN go mod download +RUN go build + FROM alpine:3.20 # 70 is the standard uid/gid for "postgres" in Alpine 
@@ -16,29 +24,17 @@ RUN set -eux; \ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql # grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 +COPY --from=gosubuilder /go/src/github.com/tianon/gosu/gosu /usr/local/bin/gosu + RUN set -eux; \ \ - apk add --no-cache --virtual .gosu-deps \ + apk add --no-cache --virtual \ ca-certificates \ dpkg \ gnupg \ ; \ \ - dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ - wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ - \ -# verify the signature - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ - \ # clean up fetch dependencies - apk del --no-network .gosu-deps; \ \ chmod +x /usr/local/bin/gosu; \ # verify that the binary works diff --git a/15/alpine3.21/Dockerfile b/15/alpine3.21/Dockerfile index 48fedb00fa..778ada4214 100644 --- a/15/alpine3.21/Dockerfile +++ b/15/alpine3.21/Dockerfile @@ -4,6 +4,14 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # +FROM golang:1.23.6 AS gosubuilder +ENV GOSU_VERSION=1.17 +WORKDIR /go/src/github.com/tianon +RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION +WORKDIR /go/src/github.com/tianon/gosu +RUN go mod download +RUN go build + FROM alpine:3.21 # 70 is the standard uid/gid for "postgres" in Alpine 
@@ -16,29 +24,17 @@ RUN set -eux; \ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql # grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 +COPY --from=gosubuilder /go/src/github.com/tianon/gosu/gosu /usr/local/bin/gosu + RUN set -eux; \ \ - apk add --no-cache --virtual .gosu-deps \ + apk add --no-cache --virtual \ ca-certificates \ dpkg \ gnupg \ ; \ \ - dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ - wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ - \ -# verify the signature - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ - \ # clean up fetch dependencies - apk del --no-network .gosu-deps; \ \ chmod +x /usr/local/bin/gosu; \ # verify that the binary works diff --git a/15/bookworm/Dockerfile b/15/bookworm/Dockerfile index dcad9299c0..458553e89c 100644 --- a/15/bookworm/Dockerfile +++ b/15/bookworm/Dockerfile @@ -4,6 +4,14 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # +FROM golang:1.23.6 AS gosubuilder +ENV GOSU_VERSION=1.17 +WORKDIR /go/src/github.com/tianon +RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION +WORKDIR /go/src/github.com/tianon/gosu +RUN go mod download +RUN go build + FROM debian:bookworm-slim # explicitly set user/group IDs 
@@ -27,21 +35,14 @@ RUN set -ex; \ rm -rf /var/lib/apt/lists/* # grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 +COPY --from=gosubuilder /go/src/github.com/tianon/gosu/gosu /usr/local/bin/gosu + RUN set -eux; \ savedAptMark="$(apt-mark showmanual)"; \ apt-get update; \ apt-get install -y --no-install-recommends ca-certificates wget; \ rm -rf /var/lib/apt/lists/*; \ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ - wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ apt-mark auto '.*' > /dev/null; \ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ diff --git a/15/bullseye/Dockerfile b/15/bullseye/Dockerfile index df8ca09ff9..db9d9211d4 100644 --- a/15/bullseye/Dockerfile +++ b/15/bullseye/Dockerfile @@ -4,6 +4,14 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # +FROM golang:1.23.6 AS gosubuilder +ENV GOSU_VERSION=1.17 +WORKDIR /go/src/github.com/tianon +RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION +WORKDIR /go/src/github.com/tianon/gosu +RUN go mod download +RUN go build + FROM debian:bullseye-slim # explicitly set user/group IDs 
@@ -27,21 +35,14 @@ RUN set -ex; \ rm -rf /var/lib/apt/lists/* # grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 +COPY --from=gosubuilder /go/src/github.com/tianon/gosu/gosu /usr/local/bin/gosu + RUN set -eux; \ savedAptMark="$(apt-mark showmanual)"; \ apt-get update; \ apt-get install -y --no-install-recommends ca-certificates wget; \ rm -rf /var/lib/apt/lists/*; \ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ - wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ apt-mark auto '.*' > /dev/null; \ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ diff --git a/16/alpine3.20/Dockerfile b/16/alpine3.20/Dockerfile index f4a8eee4c6..3922099f82 100644 --- a/16/alpine3.20/Dockerfile +++ b/16/alpine3.20/Dockerfile @@ -4,6 +4,14 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # +FROM golang:1.23.6 AS gosubuilder +ENV GOSU_VERSION=1.17 +WORKDIR /go/src/github.com/tianon +RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION +WORKDIR /go/src/github.com/tianon/gosu +RUN go mod download +RUN go build + FROM alpine:3.20 # 70 is the standard uid/gid for "postgres" in Alpine 
@@ -16,29 +24,17 @@ RUN set -eux; \ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql # grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 +COPY --from=gosubuilder /go/src/github.com/tianon/gosu/gosu /usr/local/bin/gosu + RUN set -eux; \ \ - apk add --no-cache --virtual .gosu-deps \ + apk add --no-cache --virtual \ ca-certificates \ dpkg \ gnupg \ ; \ \ - dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ - wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ - \ -# verify the signature - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ - \ # clean up fetch dependencies - apk del --no-network .gosu-deps; \ \ chmod +x /usr/local/bin/gosu; \ # verify that the binary works diff --git a/16/alpine3.21/Dockerfile b/16/alpine3.21/Dockerfile index 2e4b935085..9644e33bd3 100644 --- a/16/alpine3.21/Dockerfile +++ b/16/alpine3.21/Dockerfile @@ -4,6 +4,14 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # +FROM golang:1.23.6 AS gosubuilder +ENV GOSU_VERSION=1.17 +WORKDIR /go/src/github.com/tianon +RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION +WORKDIR /go/src/github.com/tianon/gosu +RUN go mod download +RUN go build + FROM alpine:3.21 # 70 is the standard uid/gid for "postgres" in Alpine 
@@ -16,29 +24,17 @@ RUN set -eux; \ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql # grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 +COPY --from=gosubuilder /go/src/github.com/tianon/gosu/gosu /usr/local/bin/gosu + RUN set -eux; \ \ - apk add --no-cache --virtual .gosu-deps \ + apk add --no-cache --virtual \ ca-certificates \ dpkg \ gnupg \ ; \ \ - dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ - wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ - \ -# verify the signature - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ - \ # clean up fetch dependencies - apk del --no-network .gosu-deps; \ \ chmod +x /usr/local/bin/gosu; \ # verify that the binary works diff --git a/16/bookworm/Dockerfile b/16/bookworm/Dockerfile index c732ed0fdc..f1f19a114f 100644 --- a/16/bookworm/Dockerfile +++ b/16/bookworm/Dockerfile @@ -4,6 +4,14 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # +FROM golang:1.23.6 AS gosubuilder +ENV GOSU_VERSION=1.17 +WORKDIR /go/src/github.com/tianon +RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION +WORKDIR /go/src/github.com/tianon/gosu +RUN go mod download +RUN go build + FROM debian:bookworm-slim # explicitly set user/group IDs 
@@ -27,21 +35,14 @@ RUN set -ex; \ rm -rf /var/lib/apt/lists/* # grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 +COPY --from=gosubuilder /go/src/github.com/tianon/gosu/gosu /usr/local/bin/gosu + RUN set -eux; \ savedAptMark="$(apt-mark showmanual)"; \ apt-get update; \ apt-get install -y --no-install-recommends ca-certificates wget; \ rm -rf /var/lib/apt/lists/*; \ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ - wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ apt-mark auto '.*' > /dev/null; \ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ diff --git a/16/bullseye/Dockerfile b/16/bullseye/Dockerfile index ed5027458f..1031d52685 100644 --- a/16/bullseye/Dockerfile +++ b/16/bullseye/Dockerfile @@ -4,6 +4,14 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # +FROM golang:1.23.6 AS gosubuilder +ENV GOSU_VERSION=1.17 +WORKDIR /go/src/github.com/tianon +RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION +WORKDIR /go/src/github.com/tianon/gosu +RUN go mod download +RUN go build + FROM debian:bullseye-slim # explicitly set user/group IDs 
@@ -27,21 +35,14 @@ RUN set -ex; \ rm -rf /var/lib/apt/lists/* # grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 +COPY --from=gosubuilder /go/src/github.com/tianon/gosu/gosu /usr/local/bin/gosu + RUN set -eux; \ savedAptMark="$(apt-mark showmanual)"; \ apt-get update; \ apt-get install -y --no-install-recommends ca-certificates wget; \ rm -rf /var/lib/apt/lists/*; \ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ - wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ apt-mark auto '.*' > /dev/null; \ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ diff --git a/17/alpine3.20/Dockerfile b/17/alpine3.20/Dockerfile index 2db848ef04..15cbacf86e 100644 --- a/17/alpine3.20/Dockerfile +++ b/17/alpine3.20/Dockerfile @@ -4,6 +4,14 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # +FROM golang:1.23.6 AS gosubuilder +ENV GOSU_VERSION=1.17 +WORKDIR /go/src/github.com/tianon +RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION +WORKDIR /go/src/github.com/tianon/gosu +RUN go mod download +RUN go build + FROM alpine:3.20 # 70 is the standard uid/gid for "postgres" in Alpine 
@@ -16,29 +24,17 @@ RUN set -eux; \ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql # grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 +COPY --from=gosubuilder /go/src/github.com/tianon/gosu/gosu /usr/local/bin/gosu + RUN set -eux; \ \ - apk add --no-cache --virtual .gosu-deps \ + apk add --no-cache --virtual \ ca-certificates \ dpkg \ gnupg \ ; \ \ - dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ - wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ - \ -# verify the signature - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ - \ # clean up fetch dependencies - apk del --no-network .gosu-deps; \ \ chmod +x /usr/local/bin/gosu; \ # verify that the binary works diff --git a/17/alpine3.21/Dockerfile b/17/alpine3.21/Dockerfile index 1b9d0ee2c6..7fdff8586a 100644 --- a/17/alpine3.21/Dockerfile +++ b/17/alpine3.21/Dockerfile @@ -4,6 +4,14 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # +FROM golang:1.23.6 AS gosubuilder +ENV GOSU_VERSION=1.17 +WORKDIR /go/src/github.com/tianon +RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION +WORKDIR /go/src/github.com/tianon/gosu +RUN go mod download +RUN go build + FROM alpine:3.21 # 70 is the standard uid/gid for "postgres" in Alpine 
@@ -16,29 +24,17 @@ RUN set -eux; \ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql # grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 +COPY --from=gosubuilder /go/src/github.com/tianon/gosu/gosu /usr/local/bin/gosu + RUN set -eux; \ \ - apk add --no-cache --virtual .gosu-deps \ + apk add --no-cache --virtual \ ca-certificates \ dpkg \ gnupg \ ; \ \ - dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ - wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ - \ -# verify the signature - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ - \ # clean up fetch dependencies - apk del --no-network .gosu-deps; \ \ chmod +x /usr/local/bin/gosu; \ # verify that the binary works diff --git a/17/bookworm/Dockerfile b/17/bookworm/Dockerfile index fbc15ef4c3..9c565dbb42 100644 --- a/17/bookworm/Dockerfile +++ b/17/bookworm/Dockerfile @@ -4,6 +4,14 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # +FROM golang:1.23.6 AS gosubuilder +ENV GOSU_VERSION=1.17 +WORKDIR /go/src/github.com/tianon +RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION +WORKDIR /go/src/github.com/tianon/gosu +RUN go mod download +RUN go build + FROM debian:bookworm-slim # explicitly set user/group IDs 
@@ -27,21 +35,14 @@ RUN set -ex; \ rm -rf /var/lib/apt/lists/* # grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 +COPY --from=gosubuilder /go/src/github.com/tianon/gosu/gosu /usr/local/bin/gosu + RUN set -eux; \ savedAptMark="$(apt-mark showmanual)"; \ apt-get update; \ apt-get install -y --no-install-recommends ca-certificates wget; \ rm -rf /var/lib/apt/lists/*; \ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ - wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ apt-mark auto '.*' > /dev/null; \ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ diff --git a/17/bullseye/Dockerfile b/17/bullseye/Dockerfile index 263bb9f1c3..c61f9bef32 100644 --- a/17/bullseye/Dockerfile +++ b/17/bullseye/Dockerfile @@ -4,6 +4,14 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # +FROM golang:1.23.6 AS gosubuilder +ENV GOSU_VERSION=1.17 +WORKDIR /go/src/github.com/tianon +RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION +WORKDIR /go/src/github.com/tianon/gosu +RUN go mod download +RUN go build + FROM debian:bullseye-slim # explicitly set user/group IDs 
@@ -27,21 +35,14 @@ RUN set -ex; \ rm -rf /var/lib/apt/lists/* # grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 +COPY --from=gosubuilder /go/src/github.com/tianon/gosu/gosu /usr/local/bin/gosu + RUN set -eux; \ savedAptMark="$(apt-mark showmanual)"; \ apt-get update; \ apt-get install -y --no-install-recommends ca-certificates wget; \ rm -rf /var/lib/apt/lists/*; \ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ - wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ apt-mark auto '.*' > /dev/null; \ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template index 2d1e3957a8..4a2c35dd50 100644 --- a/Dockerfile-alpine.template +++ b/Dockerfile-alpine.template @@ -1,3 +1,11 @@ +FROM golang:1.23.6 AS gosubuilder +ENV GOSU_VERSION=1.17 +WORKDIR /go/src/github.com/tianon +RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION +WORKDIR /go/src/github.com/tianon/gosu +RUN go mod download +RUN go build + {{ def alpine_version: env.variant | ltrimstr("alpine") 
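Review bot: The `RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION` line in the new `gosubuilder` stage builds whatever the `1.17` tag resolves to at build time, with no integrity check, while the second hunk of this template drops the `gpg --batch --verify` step that used to authenticate the release binary. Pin the source to an audited commit and fail on mismatch, e.g. add `ARG GOSU_COMMIT=<audited-commit-id>` and after the clone `RUN test "$(git -C gosu rev-parse HEAD)" = "$GOSU_COMMIT"`; pinning `golang:1.23.6` by digest closes the same gap for the toolchain. `RUN go build` also relies on default cgo settings, so `RUN CGO_ENABLED=0 go build` would make sure the binary is static before it is copied into the musl-based Alpine stage (whether gosu needs this is not visible here). The same stage is added to Dockerfile-debian.template and to each generated Dockerfile.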
@@ -14,29 +22,17 @@ RUN set -eux; \
 install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
 
 # grab gosu for easy step-down from root
-# https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
+COPY --from=gosubuilder /go/src/github.com/tianon/gosu/gosu /usr/local/bin/gosu
+
 RUN set -eux; \
 \
- apk add --no-cache --virtual .gosu-deps \
+ apk add --no-cache --virtual \
 ca-certificates \
 dpkg \
 gnupg \
 ; \
 \
- dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
- wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
- wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
- \
-# verify the signature
- export GNUPGHOME="$(mktemp -d)"; \
- gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
- gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
- gpgconf --kill all; \
- rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
- \
 # clean up fetch dependencies
- apk del --no-network .gosu-deps; \
 \
 chmod +x /usr/local/bin/gosu; \
 # verify that the binary works
diff --git a/Dockerfile-debian.template b/Dockerfile-debian.template
index 1ac04a725f..38acd193b8 100644
--- a/Dockerfile-debian.template
+++ b/Dockerfile-debian.template
@@ -1,3 +1,11 @@
+FROM golang:1.23.6 AS gosubuilder
+ENV GOSU_VERSION=1.17
+WORKDIR /go/src/github.com/tianon
+RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION
+WORKDIR /go/src/github.com/tianon/gosu
+RUN go mod download
+RUN go build
+
 FROM debian:{{ env.variant }}-slim
 
 # explicitly set user/group IDs
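Review bot: With `.gosu-deps` removed, `apk add --no-cache --virtual \` no longer has a name argument, so apk will most likely take `ca-certificates` as the virtual package name and install `dpkg` and `gnupg` under it; and because `apk del --no-network .gosu-deps` is removed as well, those packages stay in the final image. Nothing left in this RUN downloads or verifies anything, so the whole `apk add … ;` block and the `# clean up fetch dependencies` comment can be deleted, keeping `chmod +x /usr/local/bin/gosu; \` and the checks after it. Leaving gnupg and dpkg in a runtime image adds packages that must be patched and that a compromised container could use. The RUN continues past the end of the hunk, and the generated Alpine Dockerfiles carry the same lines.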
@@ -21,21 +29,14 @@ RUN set -ex; \
 rm -rf /var/lib/apt/lists/*
 
 # grab gosu for easy step-down from root
-# https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
+COPY --from=gosubuilder /go/src/github.com/tianon/gosu/gosu /usr/local/bin/gosu
+
 RUN set -eux; \
 savedAptMark="$(apt-mark showmanual)"; \
 apt-get update; \
 apt-get install -y --no-install-recommends ca-certificates wget; \
 rm -rf /var/lib/apt/lists/*; \
 dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
- wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
- wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
- export GNUPGHOME="$(mktemp -d)"; \
- gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
- gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
- gpgconf --kill all; \
- rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
 apt-mark auto '.*' > /dev/null; \
 [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
 apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
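Review bot: The remaining `apt-get install -y --no-install-recommends ca-certificates wget; \` and `dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \` lines are dead code now that the `wget`/`gpg` lines are gone: the binary arrives through `COPY --from=gosubuilder`, and nothing in the hunk reads `dpkgArch`. The `savedAptMark` … `apt-get purge` sequence then only removes what this step has just installed, at the cost of an `apt-get update` on every build and a network dependency the step no longer needs. I would delete the lines from `savedAptMark=` through `apt-get purge …` and keep only the part of the RUN that follows the hunk, which is not visible here. The generated Debian Dockerfiles carry the same lines.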