Set shell options during docker builds

Set stricter options for shell commands, particulary `pipefail` so that commands like `curl … | bash` fail the build when the curl download fails. Without this option, the shell will only consider the exit code of the last command in the pipeline, which might erroneously succeed.
pulumi · Oct 30, 2024 · fab03c7 · fab03c7
1 parent a9584c0
commit fab03c7
Show file tree

Hide file tree

Showing 13 changed files with 27 additions and 0 deletions.
diff --git a/docker/base/Dockerfile b/docker/base/Dockerfile
@@ -1,5 +1,6 @@
 # syntax = docker/dockerfile:experimental
 FROM debian:bookworm-slim AS builder
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG PULUMI_VERSION
 RUN apt-get update -y && \
   apt-get upgrade -y && \
@@ -14,6 +15,7 @@ RUN curl -fsSL https://get.pulumi.com/ | bash -s -- --version $PULUMI_VERSION
 # The runtime container
 # This is our base container, so let's copy all the runtimes to .pulumi/bin
 FROM debian:bookworm-slim
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 LABEL org.opencontainers.image.description="Pulumi CLI container, bring your own SDK"
 WORKDIR /pulumi
 COPY --from=builder /root/.pulumi/bin bin

diff --git a/docker/base/Dockerfile.ubi b/docker/base/Dockerfile.ubi
@@ -1,5 +1,6 @@
 # syntax = docker/dockerfile:experimental
 FROM redhat/ubi8-minimal:latest as builder
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG PULUMI_VERSION
 RUN microdnf install -y \
   curl \
@@ -14,6 +15,7 @@ RUN curl -fsSL https://get.pulumi.com/ | bash -s -- --version $PULUMI_VERSION
 # The runtime container
 # This is our base container, so let's copy all the runtimes to .pulumi/bin
 FROM redhat/ubi8-minimal:latest
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 LABEL org.opencontainers.image.description="Pulumi CLI container, bring your own SDK"
 WORKDIR /pulumi
 COPY --from=builder /root/.pulumi/bin bin

diff --git a/docker/dotnet/Dockerfile b/docker/dotnet/Dockerfile
@@ -1,6 +1,7 @@
 # syntax = docker/dockerfile:experimental
 
 FROM debian:bookworm-slim AS builder
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG PULUMI_VERSION
 RUN apt-get update -y && \
     apt-get upgrade -y && \
@@ -15,6 +16,7 @@ RUN curl -fsSL https://get.pulumi.com/ | bash -s -- --version $PULUMI_VERSION
 
 # The runtime container
 FROM debian:bookworm-slim
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 LABEL org.opencontainers.image.description="Pulumi CLI container for dotnet"
 WORKDIR /pulumi/projects
 

diff --git a/docker/dotnet/Dockerfile.ubi b/docker/dotnet/Dockerfile.ubi
@@ -1,6 +1,7 @@
 # syntax = docker/dockerfile:experimental
 # Interim container so we can copy pulumi binaries
 FROM redhat/ubi8-minimal:latest as builder
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG PULUMI_VERSION
 RUN microdnf install -y \
     curl \
@@ -11,6 +12,7 @@ RUN curl -fsSL https://get.pulumi.com/ | bash -s -- --version $PULUMI_VERSION
 
 # The runtime container
 FROM redhat/ubi8-minimal:latest
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG LANGUAGE_VERSION
 LABEL org.opencontainers.image.description="Pulumi CLI container for dotnet"
 WORKDIR /pulumi/projects

diff --git a/docker/go/Dockerfile b/docker/go/Dockerfile
@@ -4,6 +4,7 @@
 
 # Build container
 FROM ubuntu:bionic AS builder
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 
 ARG PULUMI_VERSION
 ARG GO_RUNTIME_VERSION=1.21.1
@@ -52,6 +53,7 @@ RUN case $(uname -m) in \
 
 # The runtime container
 FROM debian:11-slim
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 LABEL org.opencontainers.image.description="Pulumi CLI container for go"
 WORKDIR /pulumi/projects
 

diff --git a/docker/go/Dockerfile.ubi b/docker/go/Dockerfile.ubi
@@ -1,6 +1,7 @@
 # syntax = docker/dockerfile:experimental
 # Interim container so we can copy pulumi binaries
 FROM redhat/ubi8-minimal:latest as builder
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG PULUMI_VERSION
 RUN microdnf install -y \
     curl \
@@ -24,6 +25,7 @@ RUN curl -fsSLo /tmp/go.tgz https://golang.org/dl/go${RUNTIME_VERSION}.linux-amd
 
 # The runtime container
 FROM redhat/ubi8-minimal:latest
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 LABEL org.opencontainers.image.description="Pulumi CLI container for go"
 WORKDIR /pulumi/projects
 

diff --git a/docker/java/Dockerfile b/docker/java/Dockerfile
@@ -2,6 +2,7 @@
 # Interim container so we can copy pulumi binaries
 # Must be defined first
 FROM debian:bookworm-slim AS builder
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG PULUMI_VERSION
 RUN apt-get update -y && \
     apt-get upgrade -y && \
@@ -16,6 +17,7 @@ RUN curl -fsSL https://get.pulumi.com/ | bash -s -- --version $PULUMI_VERSION
 
 # The runtime container
 FROM debian:bookworm-slim
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 LABEL org.opencontainers.image.description="Pulumi CLI container for java"
 WORKDIR /pulumi/projects
 

diff --git a/docker/java/Dockerfile.ubi b/docker/java/Dockerfile.ubi
@@ -2,6 +2,7 @@
 # Interim container so we can copy pulumi binaries
 # Must be defined first
 FROM redhat/ubi8-minimal:latest as builder
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG PULUMI_VERSION
 RUN microdnf install -y \
     curl \
@@ -14,6 +15,7 @@ RUN curl -fsSL https://get.pulumi.com/ | bash -s -- --version $PULUMI_VERSION
 
 # The runtime container
 FROM redhat/ubi8-minimal:latest
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 LABEL org.opencontainers.image.description="Pulumi CLI container for Java"
 WORKDIR /pulumi/projects
 

diff --git a/docker/nodejs/Dockerfile b/docker/nodejs/Dockerfile
@@ -4,6 +4,7 @@
 ARG LANGUAGE_VERSION
 
 FROM debian:bookworm-slim AS builder
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG PULUMI_VERSION
 RUN apt-get update -y && \
     apt-get upgrade -y && \
@@ -18,6 +19,7 @@ RUN curl -fsSL https://get.pulumi.com/ | bash -s -- --version $PULUMI_VERSION
 
 # The runtime container
 FROM node:${LANGUAGE_VERSION}-bookworm-slim
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 LABEL org.opencontainers.image.description="Pulumi CLI container for nodejs"
 WORKDIR /pulumi/projects
 

diff --git a/docker/nodejs/Dockerfile.ubi b/docker/nodejs/Dockerfile.ubi
@@ -1,6 +1,7 @@
 # syntax = docker/dockerfile:experimental
 # Interim container so we can copy pulumi binaries
 FROM redhat/ubi8-minimal:latest as builder
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG PULUMI_VERSION
 RUN microdnf install -y \
     curl \
@@ -11,6 +12,7 @@ RUN curl -fsSL https://get.pulumi.com/ | bash -s -- --version $PULUMI_VERSION
 
 # The runtime container
 FROM redhat/ubi8-minimal:latest
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG LANGUAGE_VERSION
 LABEL org.opencontainers.image.description="Pulumi CLI container for nodejs"
 WORKDIR /pulumi/projects

diff --git a/docker/pulumi/Dockerfile b/docker/pulumi/Dockerfile
@@ -1,4 +1,5 @@
 FROM debian:12 AS base
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 
 # These values are passed in by the build system automatically. The options are: arm64, amd64
 # See: https://docs.docker.com/build/building/variables/#pre-defined-build-arguments
@@ -170,6 +171,7 @@ ENTRYPOINT ["pulumi"]
 ########################################################################
 
 FROM base AS nonroot
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 
 LABEL "repository"="https://github.com/pulumi/pulumi"
 LABEL "homepage"="https://pulumi.com"
@@ -199,6 +201,7 @@ RUN helm repo add stable https://charts.helm.sh/stable && \
 ########################################################################
 
 FROM base AS build-environment
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 
 ARG TARGETARCH
 

diff --git a/docker/python/Dockerfile b/docker/python/Dockerfile
@@ -4,6 +4,7 @@
 ARG LANGUAGE_VERSION
 
 FROM debian:bookworm-slim AS builder
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG PULUMI_VERSION
 RUN apt-get update -y && \
     apt-get upgrade -y && \
@@ -17,6 +18,7 @@ RUN curl -fsSL https://get.pulumi.com/ | bash -s -- --version $PULUMI_VERSION
 
 # The runtime container
 FROM python:${LANGUAGE_VERSION}-slim-bookworm
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 LABEL org.opencontainers.image.description="Pulumi CLI container for python"
 WORKDIR /pulumi/projects
 

diff --git a/docker/python/Dockerfile.ubi b/docker/python/Dockerfile.ubi
@@ -1,6 +1,7 @@
 # syntax = docker/dockerfile:experimental
 # Interim container so we can copy pulumi binaries
 FROM redhat/ubi8-minimal:latest as builder
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG PULUMI_VERSION
 RUN microdnf install -y \
     gzip \
@@ -10,6 +11,7 @@ RUN curl -fsSL https://get.pulumi.com/ | bash -s -- --version $PULUMI_VERSION
 
 # The runtime container
 FROM redhat/ubi8-minimal:latest
+SHELL ["/bin/bash", "-o", "errexit", "-o", "nounset", "-o", "pipefail", "-c"]
 ARG LANGUAGE_VERSION
 LABEL org.opencontainers.image.description="Pulumi CLI container for python"
 WORKDIR /pulumi/projects