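# syntax=docker/dockerfile:1
# The directive above pins the BuildKit Dockerfile frontend that provides the
# features used below (heredocs, `RUN --mount`, `RUN --network`); without it
# the file only builds on daemons whose built-in frontend happens to be new enough.
#
# Build-time knobs. These ARGs sit above the first FROM so they can be used in
# FROM lines; a stage that needs one of them must redeclare it (`ARG PACKAGES`
# appears again in the stages below for that reason).
#
# Space-separated apt package names to cache and then install.
ARG PACKAGES="gcc neofetch"
# PKG_CACHE defaults to the "pkg-cache-local" stage in this image.
# Can be overridden to a custom image for reproducible builds.
# When pointing this at a registry image, pin it by digest
# (`repo/pkg-cache@sha256:...`): the final stage installs the lists and .deb
# files found in it with the network disabled, checking only the InRelease
# signatures, so the cache image is trusted input.
ARG PKG_CACHE=pkg-cache-local
# The base image can be Ubuntu too.
# The date-stamped tag narrows the base to one snapshot; for a fully
# reproducible build also pin it by digest (`debian:bookworm-...-slim@sha256:...`).
ARG BASE=debian:bookworm-20230904-slim
FROM ${BASE} AS base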
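# Stage pkg-cache-local-base: run `apt-get update` once with network access and
# download (but do not install) ${PACKAGES} and their dependencies, so that the
# final stage can install purely from the cache with the network switched off.
FROM base AS pkg-cache-local-base
ARG PACKAGES
# ARG rather than ENV: only the apt-get calls in this stage need it, and this
# stage's filesystem is discarded, so it must not become a runtime variable.
ARG DEBIAN_FRONTEND=noninteractive
# The official Debian/Ubuntu images ship /etc/apt/apt.conf.d/docker-clean to
# discard downloaded .deb files after use; remove it and tell apt to keep
# downloaded packages so /var/cache/apt/archives survives for the next stage.
# `update` and `install` stay in one RUN so the lists and archives are from
# the same fetch.
RUN rm -f /etc/apt/apt.conf.d/docker-clean && \
    echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' >/etc/apt/apt.conf.d/keep-cache && \
    apt-get update && \
    apt-get install -y --download-only ${PACKAGES}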
# Stage pkg-cache-local: a scratch image holding only apt's download cache
# (/var/cache/apt, the .deb archives) and apt's state directory (/var/lib/apt,
# which includes the InRelease files and package lists fetched by
# `apt-get update`). This is what PKG_CACHE resolves to by default.
FROM scratch AS pkg-cache-local
COPY --from=pkg-cache-local-base /var/cache/apt /var/cache/apt
COPY --from=pkg-cache-local-base /var/lib/apt /var/lib/apt
# pkg-cache is the stage to collect package cache files.
# This stage can be pushed for the sake of reproducible builds.
# If PKG_CACHE is overridden with a registry image, pin it by digest: the final
# stage installs whatever this stage contains with the network disabled, and
# only the InRelease signatures inside it are checked (by
# verify-var-lib-apt-lists.sh below), so this stage is trusted input.
FROM ${PKG_CACHE} AS pkg-cache
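# Final stage: install ${PACKAGES} from the pkg-cache stage with the network
# disabled, after checking that the apt lists in that cache carry valid
# repository signatures.
FROM base
# COPY rather than ADD: the extra behaviours of ADD (tar extraction, URL fetch)
# are not wanted for an inline script. Heredoc needs Dockerfile frontend >= 1.4.
COPY --chmod=0755 <<-"EOT" /usr/local/bin/verify-var-lib-apt-lists.sh
#!/bin/bash
# Verify every InRelease file under /var/lib/apt/lists against the keyrings in
# /usr/share/keyrings; exit non-zero at the first file no keyring verifies.
# If the glob matches nothing, the pattern is passed to gpgv literally, gpgv
# fails, and the script exits 1 -- an empty or missing lists directory fails
# closed. Do NOT add `shopt -s nullglob`: that would turn it into a silent pass.
set -eux -o pipefail
for ir in /var/lib/apt/lists/*InRelease; do
    verified=0
    # NOTE(review): any keyring installed under /usr/share/keyrings is accepted,
    # which is broader than apt's own trust store (/etc/apt/trusted.gpg.d plus
    # per-source `signed-by` keyrings); on Debian this directory may also hold
    # retired archive keys (debian-archive-removed-keys.gpg). Narrow the glob
    # if a stricter policy is required.
    for keyring in /usr/share/keyrings/*.gpg; do
        if gpgv --keyring "${keyring}" "${ir}"; then
            verified=1
            break
        fi
    done
    if [ "${verified}" != "1" ]; then
        echo >&2 "Failed to verify ${ir}"
        exit 1
    fi
    echo "Verified: gpgv --keyring ${keyring} ${ir}"
done
EOT
# ARG, not ENV: only the apt-get call below needs it, and an ENV would persist
# into the runtime environment of the image.
ARG DEBIAN_FRONTEND=noninteractive
ARG PACKAGES
# Both mounts come from the pkg-cache stage; `rw` lets apt update its own state
# files, but those writes land in the mount, not in this image's layers.
# `--network=none` guarantees nothing is fetched: every index and .deb comes
# from the cache, so the result is only as trustworthy as that cache.
RUN \
    --mount=from=pkg-cache,source=/var/cache/apt,target=/var/cache/apt,rw \
    --mount=from=pkg-cache,source=/var/lib/apt,target=/var/lib/apt,rw \
    --network=none \
    verify-var-lib-apt-lists.sh && \
    apt-get install -y --no-download ${PACKAGES}
# WARNING: the repository signatures (`/var/lib/apt/lists/*InRelease`)
# are only verified on running `apt-get update`.
# The signatures are just ignored on running `apt-get install --no-download`.
#
# As a workaround, the signatures are verified with the `verify-var-lib-apt-lists.sh`
# script above, however, this script might not be as robust as `apt-get update`.
# In particular it checks only the InRelease signatures themselves; it does not
# check that the `*_Packages` index files in the same directory match the hashes
# the signed InRelease records for them (that is part of what `apt-get update`
# does). Treat the pkg-cache contents as trusted input: build the cache
# yourself, or pin PKG_CACHE by digest.
#
# For Debian and Ubuntu, consider using https://github.com/reproducible-containers/repro-sources-list.sh
# instead.
#
# NOTE(review): no USER is set, so containers from this image run as root.
# That is acceptable for a build/demo image; add a non-root USER before
# shipping it as a service image.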