Update Alpine base to 3.13; go-compile rebuilt with mod=vendor option, go bumped to 1.16

Signed-off-by: Avi Deitcher <[email protected]>

Author: deitch

.gitignore

@@ -19,3 +19,4 @@ Dockerfile.media
 *-cmdline
 *-state
 artifacts/*
+tools/alpine/iid

docs/releasing.md

@@ -112,6 +112,7 @@ other packages:
 cd $LK_ROOT/tools
 ../scripts/update-component-sha.sh --image linuxkit/alpine:$LK_ALPINE
 git checkout alpine/versions.aarch64 alpine/versions.s390x
+git checkout grub/Dockerfile
 
 git commit -a -s -m "tools: Update to the latest linuxkit/alpine"
 git push $LK_REMOTE rel_$LK_RELEASE
@@ -122,6 +123,8 @@ make forcepush
 Note, the `git checkout` reverts the changes made by
 `update-component-sha.sh` to files which are accidentally updated and
 the `make forcepush` will skip building the alpine base.
+Also, `git checkout` of `grub`. This is a bit old and only can be built with specific
+older versions of packages like `gcc`, and should not be updated.
 
 Then, on the other build machines in turn:
 
@@ -275,5 +278,3 @@ This completes the release, but you are not done, one more step is required.
 Create a PR which bumps the version number in the top-level `Makefile`
 to `$LK_RELEASE+` to make sure that the version reported by `linuxkit
 version` gets updated.
-
-

tools/alpine/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.12 AS mirror
+FROM alpine:3.13 AS mirror
 
 # update base image
 RUN apk update && apk upgrade -a
@@ -7,11 +7,30 @@ RUN apk update && apk upgrade -a
 COPY Dockerfile /Dockerfile
 COPY packages* /tmp/
 
-# mirror packages
+# mirror packages - both generic and repository specific ones
 RUN cat /tmp/packages.$(uname -m) >> /tmp/packages && \
    mkdir -p /mirror/$(apk --print-arch) && \
    apk fetch --recursive -o /mirror/$(apk --print-arch) $(apk info; cat /tmp/packages)
 
+# these are the repository-specific ones, if they exist
+RUN for repopkgs in /tmp/packages.repo.*; do \
+        repo=${repopkgs##*repo.} && archspecific=/tmp/packages.$(uname -m).repo.${repo} && mergedfile=/tmp/packages.merged.${repo} && repofile=/tmp/repositories.${repo} && \
+	cachedir=/tmp/cache/${repo} && \
+	mkdir -p ${cachedir} && \
+        cp ${repopkgs} ${mergedfile} && \
+        if [ -f ${archspecific} ]; then cat ${archspecific} >> ${mergedfile}; fi && \
+        sed "s#alpine/[^\/]*/#alpine/${repo}/#g" /etc/apk/repositories > ${repofile} && \
+        apk update --repositories-file=${repofile} --cache-dir ${cachedir} && \
+        apk fetch --repositories-file=${repofile} --cache-dir ${cachedir} --recursive -o /mirror/$(apk --print-arch) $(cat ${mergedfile}); done
+
+# we CANNOT allow musl-dev or musl > 1.2.2-r0, which ships with alpine:3.13, because 1.2.2-r2, which ships with alpine:edge / alpine:3.14
+#   uses the new faccessat2 system call which gives errors, see https://wiki.alpinelinux.org/wiki/Draft_Release_Notes_for_Alpine_3.14.0#faccessat2
+RUN target="1.2.2-r0" && \
+    verlte() { [  "$1" = $(printf '%s\n%s' "$1" "$2" | sort -V | head -n1) ] ; } && \
+    for file in /mirror/$(apk --print-arch)/musl-*.apk; do \
+    version=$(tar -xf ${file}  -O .PKGINFO | awk '$1 == "pkgver" {print $3}') && \
+    if ! verlte ${version} ${target} ; then echo "removing ${file}" && rm ${file}; fi; done
+
 # install abuild and sudo for signing
 RUN apk add --no-cache abuild sudo
 
@@ -39,16 +58,18 @@ RUN go get -u github.com/LK4D4/vndr
 # checkout and compile containerd
 # Update `FROM` in `pkg/containerd/Dockerfile`, `pkg/init/Dockerfile` and
 # `test/pkg/containerd/Dockerfile` when changing this.
+# when building, note that containerd does not use go modules in the below commit,
+# while go1.16 defaults to using it, so must disable with GO111MODULE=off
 ENV CONTAINERD_REPO=https://github.com/containerd/containerd.git
-ENV CONTAINERD_COMMIT=v1.4.1
+ENV CONTAINERD_COMMIT=v1.4.4
 RUN mkdir -p $GOPATH/src/github.com/containerd && \
   cd $GOPATH/src/github.com/containerd && \
   git clone https://github.com/containerd/containerd.git && \
   cd $GOPATH/src/github.com/containerd/containerd && \
   git checkout $CONTAINERD_COMMIT
 RUN apk add --no-cache btrfs-progs-dev gcc libc-dev linux-headers make libseccomp-dev
 RUN cd $GOPATH/src/github.com/containerd/containerd && \
-  make binaries EXTRA_FLAGS="-buildmode pie" EXTRA_LDFLAGS='-extldflags "-fno-PIC -static"' BUILDTAGS="static_build no_devmapper"
+  GO111MODULE=off make binaries EXTRA_FLAGS="-buildmode pie" EXTRA_LDFLAGS='-extldflags "-fno-PIC -static"' BUILDTAGS="static_build no_devmapper"
 
 # Checkout and compile iucode-tool for Intel CPU microcode
 # On non-x86_64 create a dummy file to copy below.
@@ -70,7 +91,7 @@ RUN set -e && \
         cp iucode_tool /iucode_tool; \
     fi
 
-FROM alpine:3.11
+FROM alpine:3.13
 
 COPY --from=mirror /etc/apk/repositories /etc/apk/repositories
 COPY --from=mirror /etc/apk/repositories.upstream /etc/apk/repositories.upstream

tools/alpine/README.md

@@ -0,0 +1,43 @@
+# LinuxKit Alpine
+
+`linuxkit/alpine` is the base image for almost all other packages built by linuxkit, including builders, tools and actual container images
+that are used in various parts of linuxkit yaml files.
+
+This provides a reliable, consistent and repetable build.
+
+This directory contains the source of `linuxkit/alpine`.
+
+## Building
+
+To build, run:
+
+```
+make build
+```
+
+## Pushing
+
+To push, run:
+
+```
+make push
+```
+
+For a proper release process, see [docs/releasing.md](../../docs/releasing.md).
+
+## Updating Sources and Packages
+
+The base build for `linuxkit/alpine` is [library/alpine](https://hub.docker.io/_/alpine). The specific version is set in two `FROM` lines in
+the [Dockerfile](./Dockerfile) in this directory.
+
+The packages installed come from several sources:
+
+* [packages](./packages) - this file contains the list of packages to mirror locally in `linuxkit/alpine`, and will be available to all downstream users of `linuxkit/alpine`. These are installed using the default `apk` package version for the specific version of alpine. For example, if the line starts with `FROM alpine:3.13` and `packages` contains `file`, then it will run simply `apk add file`. The packages listed in [packages](./packages) are installed on all architectures.
+* `packages.<arch>` - these files contain the list of packages to mirror locally in `linuxkit/alpine`, like `packages`, but only for the specified architecture. For example, [packages.x86_64](./packages.x86_64) contains packages to be installed only on `linuxkit/alpine` for `x84_64`.
+* `packages.repo.<name>` - these files contain the list of packages to mirror locally in `linuxkit/alpine`, like `packages`, but to pull those packages from the provided `<name>` of Alpine's `apk` repo. For example, `packages.repo.edge` installs packages from Alpine's `edge` package repository.
+* `packages.<arch>.repo.<name>` - these files contain the list of packages to mirror locally in `linuxkit/alpine` for a specific architecture, like `packages.<arch>`, but to pull those packages from the provided `<name>` of Alpine's `apk` repor. For example, `packages.x86_64.repo.edge` installs packages from Alpine's `edge` package repository, hut only when building for `86_64`.
+
+In addition, the [Dockerfile](./Dockerfile) may install certain packages directly from source, if they are not available in the `apk` repositories, or the versions are
+insufficient.
+
+The final versions of packages installed are available in `versions.<arch>`.

tools/alpine/go-compile.sh

@@ -13,6 +13,9 @@ dir="$1"
 
 cd "$dir"
 
+# Use '-mod=vendor' for builds which have switched to go modules
+[ -f go.mod -a -d vendor ] && export GOFLAGS="-mod=vendor"
+
 # lint before building
 >&2 echo "gofmt..."
 test -z $(gofmt -s -l .| grep -v .pb. | grep -v vendor/ | tee /dev/stderr)
@@ -33,4 +36,5 @@ go test
 
 [ "${REQUIRE_CGO}" = 1 ] || export CGO_ENABLED=0
 
-go install -buildmode pie -ldflags "-s -w ${ldflags} -extldflags \"-fno-PIC -static\""
+go install -buildmode pie -ldflags "-linkmode=external -s -w ${ldflags} -extldflags \"-fno-PIC -static\""
+

tools/alpine/packages

@@ -49,7 +49,6 @@ gettext-dev
 git
 gmp-dev
 gnupg
-go
 grep
 hvtools
 installkernel
@@ -68,6 +67,7 @@ libcap-ng-dev
 libedit-dev
 libressl-dev
 libseccomp-dev
+libseccomp-static
 libtirpc-dev
 libtool
 linux-headers

tools/alpine/packages.repo.edge

@@ -0,0 +1 @@
+go