Merge pull request #35 from theohbrothers/enhancement/improve-dockerf…

…ile-style-and-validate-sops Enhancement: Improve dockerfile style and validate `sops`
theohbrothers · Mar 11, 2023 · 97c02dc · 97c02dc
2 parents 5a71040 + c0a8f6f
commit 97c02dc
Show file tree

Hide file tree

Showing 7 changed files with 516 additions and 433 deletions.
diff --git a/generate/templates/Dockerfile.ps1 b/generate/templates/Dockerfile.ps1
@@ -8,22 +8,24 @@ RUN echo "I am running on `$BUILDPLATFORM, building for `$TARGETPLATFORM"
 ENV CHECKPOINT_DISABLE=1
 
 # Install apt dependencies
-RUN apt-get update \
-    && apt-get install -y apt-transport-https ca-certificates gnupg2 \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+RUN set -eux; \
+    apt-get update; \
+    apt-get install -y apt-transport-https ca-certificates gnupg2; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
 # Install packer
-RUN buildDeps="curl gnupg2 software-properties-common" \
-    && apt-get update \
-    && apt-get install --no-install-recommends -y `$buildDeps \
-    && curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add - \
-    && apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com `$(lsb_release -cs) main" \
-    && apt-get update \
-    && apt-get install --no-install-recommends -y packer=$( $VARIANT['_metadata']['package_version'] ) \
-    && apt-get purge --auto-remove -y `$buildDeps \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+RUN set -eux; \
+    buildDeps="curl gnupg2 software-properties-common"; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y `$buildDeps; \
+    curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add -; \
+    apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com `$(lsb_release -cs) main"; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y packer=$( $VARIANT['_metadata']['package_version'] ); \
+    apt-get purge --auto-remove -y `$buildDeps; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
 
 "@
@@ -39,20 +41,25 @@ RUN apk add --no-cache libressl
 "@
         }
         @"
-# Install sops, gpg for sops
-RUN buildDeps="wget" \
-    && apt-get update \
-    && apt-get install --no-install-recommends -y `$buildDeps \
-    && wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops \
-    && chmod +x /usr/local/bin/sops \
-    && sha256sum /usr/local/bin/sops | grep 185348fd77fc160d5bdf3cd20ecbc796163504fd3df196d7cb29000773657b74 \
-    && apt-get purge --auto-remove -y `$buildDeps \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
-RUN apt-get update \
-    && apt-get install --no-install-recommends -y gnupg2 \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+# Install sops
+RUN set -eux; \
+    buildDeps="wget"; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y `$buildDeps; \
+    wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops; \
+    chmod +x /usr/local/bin/sops; \
+    sha256sum /usr/local/bin/sops | grep '^185348fd77fc160d5bdf3cd20ecbc796163504fd3df196d7cb29000773657b74 '; \
+    sops --version; \
+    apt-get purge --auto-remove -y `$buildDeps; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
+
+# Install gnupg for sops
+RUN set -eux; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y gnupg2; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
 
 "@
@@ -77,21 +84,22 @@ RUN apt-get update \
 # Virtualbox: https://www.virtualbox.org/wiki/Linux_Downloads
 # Dynamically determine the package, using the SHA256SUMS file, because there is a 5 digit number suffix in the version that is unknown
 # E.g. https://download.virtualbox.org/virtualbox/6.1.22/virtualbox-6.1_6.1.22-144080~Ubuntu~eoan_amd64.deb
-RUN export DEBIAN_FRONTEND=noninteractive \
-    buildDeps="curl build-essential dkms" \
-    && apt-get update \
-    && apt-get install --no-install-recommends -y `$buildDeps \
-    && curl -sSLO "https://download.virtualbox.org/virtualbox/$version/SHA256SUMS" \
-    && FILE="`$( cat SHA256SUMS | grep 'Ubuntu~${codename}_amd64.deb' | awk '{print `$2}' | cut -d '*' -f2 )" \
-    && PACKAGE="https://download.virtualbox.org/virtualbox/$version/`$FILE" \
-    && curl -sSLO "`$PACKAGE" \
-    && cat SHA256SUMS | grep "`$FILE" | sha256sum -c \
-    && apt-get install --no-install-recommends -y "./`$FILE" \
-    && vboxmanage --version \
-    && rm -f "`$FILE" \
-    && apt-get purge --auto-remove -y `$buildDeps \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+RUN set -eux; \
+    export DEBIAN_FRONTEND=noninteractive \
+    buildDeps="curl build-essential dkms"; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y `$buildDeps; \
+    curl -sSLO "https://download.virtualbox.org/virtualbox/$version/SHA256SUMS"; \
+    FILE="`$( cat SHA256SUMS | grep 'Ubuntu~${codename}_amd64.deb' | awk '{print `$2}' | cut -d '*' -f2 )"; \
+    PACKAGE="https://download.virtualbox.org/virtualbox/$version/`$FILE"; \
+    curl -sSLO "`$PACKAGE"; \
+    cat SHA256SUMS | grep "`$FILE" | sha256sum -c; \
+    apt-get install --no-install-recommends -y "./`$FILE"; \
+    vboxmanage --version; \
+    rm -f "`$FILE"; \
+    apt-get purge --auto-remove -y `$buildDeps; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
 # Virtualbox extension pack: https://www.virtualbox.org/wiki/Downloads
 # E.g. https://download.virtualbox.org/virtualbox/6.1.22/Oracle_VM_VirtualBox_Extension_Pack-6.1.22.vbox-extpack
@@ -108,40 +116,44 @@ RUN export DEBIAN_FRONTEND=noninteractive \
 
 @"
 # Install basic tools
-RUN apt-get update \
-    && apt-get install --no-install-recommends -y sudo ca-certificates wget curl git rsync \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+RUN set -eux; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y sudo ca-certificates wget curl git rsync; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
 # Install tools for .vhd, .vmdk
 # Fix apt dialog: https://github.com/moby/moby/issues/27988#issuecomment-462809153
 # Fix guestmount error 'supermin: failed to find a suitable kernel (host_cpu=x86_64)': https://github.com/steigr/docker-hipchat-server/issues/1
-RUN apt-get update \
+RUN set -eux; \
+    apt-get update; \
     \
-    && echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections \
-    && apt-get install --no-install-recommends -y libguestfs-tools \
+    echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections; \
+    apt-get install --no-install-recommends -y libguestfs-tools; \
     \
-    && apt-get install --no-install-recommends -y linux-image-generic \
+    apt-get install --no-install-recommends -y linux-image-generic; \
     \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
 # Install tools for .iso
-RUN apt-get update \
-    && apt-get install --no-install-recommends -y sudo isolinux squashfs-tools xorriso mkisofs \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+RUN set -eux; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y sudo isolinux squashfs-tools xorriso mkisofs; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
 # Install tools for storage
 # s3fs: https://github.com/s3fs-fuse/s3fs-fuse
 # mc: https://min.io/download#/linux
-RUN apt-get update \
-    && apt-get install --no-install-recommends -y s3fs \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/* \
+RUN set -eux; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y s3fs; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*; \
     \
-    && wget -qO- https://dl.min.io/client/mc/release/linux-amd64/archive/mc.RELEASE.2021-10-07T04-19-58Z > /usr/local/bin/mc \
-    && chmod +x /usr/local/bin/mc \
-    && sha256sum /usr/local/bin/mc | grep aa58e16c74c38bc05ecf73bedee476eafb3a1c42ea1ac95635853b530a36be93
+    wget -qO- https://dl.min.io/client/mc/release/linux-amd64/archive/mc.RELEASE.2021-10-07T04-19-58Z > /usr/local/bin/mc; \
+    chmod +x /usr/local/bin/mc; \
+    sha256sum /usr/local/bin/mc | grep '^aa58e16c74c38bc05ecf73bedee476eafb3a1c42ea1ac95635853b530a36be93 '
 
 "@
diff --git a/variants/1.7.7-sops-ubuntu-20.04/Dockerfile b/variants/1.7.7-sops-ubuntu-20.04/Dockerfile
@@ -7,71 +7,82 @@ RUN echo "I am running on $BUILDPLATFORM, building for $TARGETPLATFORM"
 ENV CHECKPOINT_DISABLE=1
 
 # Install apt dependencies
-RUN apt-get update \
-    && apt-get install -y apt-transport-https ca-certificates gnupg2 \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+RUN set -eux; \
+    apt-get update; \
+    apt-get install -y apt-transport-https ca-certificates gnupg2; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
 # Install packer
-RUN buildDeps="curl gnupg2 software-properties-common" \
-    && apt-get update \
-    && apt-get install --no-install-recommends -y $buildDeps \
-    && curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add - \
-    && apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
-    && apt-get update \
-    && apt-get install --no-install-recommends -y packer=1.7.7 \
-    && apt-get purge --auto-remove -y $buildDeps \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+RUN set -eux; \
+    buildDeps="curl gnupg2 software-properties-common"; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y $buildDeps; \
+    curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add -; \
+    apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y packer=1.7.7; \
+    apt-get purge --auto-remove -y $buildDeps; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
-# Install sops, gpg for sops
-RUN buildDeps="wget" \
-    && apt-get update \
-    && apt-get install --no-install-recommends -y $buildDeps \
-    && wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops \
-    && chmod +x /usr/local/bin/sops \
-    && sha256sum /usr/local/bin/sops | grep 185348fd77fc160d5bdf3cd20ecbc796163504fd3df196d7cb29000773657b74 \
-    && apt-get purge --auto-remove -y $buildDeps \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
-RUN apt-get update \
-    && apt-get install --no-install-recommends -y gnupg2 \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+# Install sops
+RUN set -eux; \
+    buildDeps="wget"; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y $buildDeps; \
+    wget -qO- https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux > /usr/local/bin/sops; \
+    chmod +x /usr/local/bin/sops; \
+    sha256sum /usr/local/bin/sops | grep '^185348fd77fc160d5bdf3cd20ecbc796163504fd3df196d7cb29000773657b74 '; \
+    sops --version; \
+    apt-get purge --auto-remove -y $buildDeps; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
+
+# Install gnupg for sops
+RUN set -eux; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y gnupg2; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
 # Install basic tools
-RUN apt-get update \
-    && apt-get install --no-install-recommends -y sudo ca-certificates wget curl git rsync \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+RUN set -eux; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y sudo ca-certificates wget curl git rsync; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
 # Install tools for .vhd, .vmdk
 # Fix apt dialog: https://github.com/moby/moby/issues/27988#issuecomment-462809153
 # Fix guestmount error 'supermin: failed to find a suitable kernel (host_cpu=x86_64)': https://github.com/steigr/docker-hipchat-server/issues/1
-RUN apt-get update \
+RUN set -eux; \
+    apt-get update; \
     \
-    && echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections \
-    && apt-get install --no-install-recommends -y libguestfs-tools \
+    echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections; \
+    apt-get install --no-install-recommends -y libguestfs-tools; \
     \
-    && apt-get install --no-install-recommends -y linux-image-generic \
+    apt-get install --no-install-recommends -y linux-image-generic; \
     \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
 # Install tools for .iso
-RUN apt-get update \
-    && apt-get install --no-install-recommends -y sudo isolinux squashfs-tools xorriso mkisofs \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+RUN set -eux; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y sudo isolinux squashfs-tools xorriso mkisofs; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
 # Install tools for storage
 # s3fs: https://github.com/s3fs-fuse/s3fs-fuse
 # mc: https://min.io/download#/linux
-RUN apt-get update \
-    && apt-get install --no-install-recommends -y s3fs \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/* \
+RUN set -eux; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y s3fs; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*; \
     \
-    && wget -qO- https://dl.min.io/client/mc/release/linux-amd64/archive/mc.RELEASE.2021-10-07T04-19-58Z > /usr/local/bin/mc \
-    && chmod +x /usr/local/bin/mc \
-    && sha256sum /usr/local/bin/mc | grep aa58e16c74c38bc05ecf73bedee476eafb3a1c42ea1ac95635853b530a36be93
+    wget -qO- https://dl.min.io/client/mc/release/linux-amd64/archive/mc.RELEASE.2021-10-07T04-19-58Z > /usr/local/bin/mc; \
+    chmod +x /usr/local/bin/mc; \
+    sha256sum /usr/local/bin/mc | grep '^aa58e16c74c38bc05ecf73bedee476eafb3a1c42ea1ac95635853b530a36be93 '