1# syntax = docker/dockerfile-upstream:1.8.1-labs
2
3# Meta args applied to stage base names.
4
5ARG TOOLS
6ARG PKGS
7ARG EXTRAS
8ARG INSTALLER_ARCH
9
10ARG PKGS_PREFIX
11ARG PKG_FHS
12ARG PKG_CA_CERTIFICATES
13ARG PKG_CRYPTSETUP
14ARG PKG_CONTAINERD
15ARG PKG_DOSFSTOOLS
16ARG PKG_EUDEV
17ARG PKG_GRUB
18ARG PKG_SD_BOOT
19ARG PKG_IPTABLES
20ARG PKG_IPXE
21ARG PKG_LIBINIH
22ARG PKG_LIBJSON_C
23ARG PKG_LIBPOPT
24ARG PKG_LIBURCU
25ARG PKG_OPENSSL
26ARG PKG_LIBSECCOMP
27ARG PKG_LINUX_FIRMWARE
28ARG PKG_LVM2
29ARG PKG_LIBAIO
30ARG PKG_MUSL
31ARG PKG_RUNC
32ARG PKG_XFSPROGS
33ARG PKG_APPARMOR
34ARG PKG_UTIL_LINUX
35ARG PKG_KMOD
36ARG PKG_KERNEL
37ARG PKG_TALOSCTL_CNI_BUNDLE_INSTALL
38
39# Resolve package images using ${PKGS} to be used later in COPY --from=.
40
41FROM ${PKG_FHS} AS pkg-fhs
42FROM ${PKG_CA_CERTIFICATES} AS pkg-ca-certificates
43
44FROM --platform=amd64 ${PKG_APPARMOR} AS pkg-apparmor-amd64
45FROM --platform=arm64 ${PKG_APPARMOR} AS pkg-apparmor-arm64
46
47FROM --platform=amd64 ${PKG_CRYPTSETUP} AS pkg-cryptsetup-amd64
48FROM --platform=arm64 ${PKG_CRYPTSETUP} AS pkg-cryptsetup-arm64
49
50FROM --platform=amd64 ${PKG_CONTAINERD} AS pkg-containerd-amd64
51FROM --platform=arm64 ${PKG_CONTAINERD} AS pkg-containerd-arm64
52
53FROM --platform=amd64 ${PKG_DOSFSTOOLS} AS pkg-dosfstools-amd64
54FROM --platform=arm64 ${PKG_DOSFSTOOLS} AS pkg-dosfstools-arm64
55
56FROM --platform=amd64 ${PKG_EUDEV} AS pkg-eudev-amd64
57FROM --platform=arm64 ${PKG_EUDEV} AS pkg-eudev-arm64
58
59FROM ${PKG_GRUB} AS pkg-grub
60FROM --platform=amd64 ${PKG_GRUB} AS pkg-grub-amd64
61FROM --platform=arm64 ${PKG_GRUB} AS pkg-grub-arm64
62
63FROM ${PKG_SD_BOOT} AS pkg-sd-boot
64FROM --platform=amd64 ${PKG_SD_BOOT} AS pkg-sd-boot-amd64
65FROM --platform=arm64 ${PKG_SD_BOOT} AS pkg-sd-boot-arm64
66
67FROM --platform=amd64 ${PKG_IPTABLES} AS pkg-iptables-amd64
68FROM --platform=arm64 ${PKG_IPTABLES} AS pkg-iptables-arm64
69
70FROM --platform=amd64 ${PKG_IPXE} AS pkg-ipxe-amd64
71FROM --platform=arm64 ${PKG_IPXE} AS pkg-ipxe-arm64
72
73FROM --platform=amd64 ${PKG_LIBINIH} AS pkg-libinih-amd64
74FROM --platform=arm64 ${PKG_LIBINIH} AS pkg-libinih-arm64
75
76FROM --platform=amd64 ${PKG_LIBJSON_C} AS pkg-libjson-c-amd64
77FROM --platform=arm64 ${PKG_LIBJSON_C} AS pkg-libjson-c-arm64
78
79FROM --platform=amd64 ${PKG_LIBPOPT} AS pkg-libpopt-amd64
80FROM --platform=arm64 ${PKG_LIBPOPT} AS pkg-libpopt-arm64
81
82FROM --platform=amd64 ${PKG_LIBURCU} AS pkg-liburcu-amd64
83FROM --platform=arm64 ${PKG_LIBURCU} AS pkg-liburcu-arm64
84
85FROM --platform=amd64 ${PKG_OPENSSL} AS pkg-openssl-amd64
86FROM --platform=arm64 ${PKG_OPENSSL} AS pkg-openssl-arm64
87
88FROM --platform=amd64 ${PKG_LIBSECCOMP} AS pkg-libseccomp-amd64
89FROM --platform=arm64 ${PKG_LIBSECCOMP} AS pkg-libseccomp-arm64
90
91# linux-firmware is not arch-specific
92FROM --platform=amd64 ${PKG_LINUX_FIRMWARE} AS pkg-linux-firmware
93
94FROM --platform=amd64 ${PKG_LVM2} AS pkg-lvm2-amd64
95FROM --platform=arm64 ${PKG_LVM2} AS pkg-lvm2-arm64
96
97FROM --platform=amd64 ${PKG_LIBAIO} AS pkg-libaio-amd64
98FROM --platform=arm64 ${PKG_LIBAIO} AS pkg-libaio-arm64
99
100FROM --platform=amd64 ${PKG_MUSL} AS pkg-musl-amd64
101FROM --platform=arm64 ${PKG_MUSL} AS pkg-musl-arm64
102
103FROM --platform=amd64 ${PKG_RUNC} AS pkg-runc-amd64
104FROM --platform=arm64 ${PKG_RUNC} AS pkg-runc-arm64
105
106FROM --platform=amd64 ${PKG_XFSPROGS} AS pkg-xfsprogs-amd64
107FROM --platform=arm64 ${PKG_XFSPROGS} AS pkg-xfsprogs-arm64
108
109FROM --platform=amd64 ${PKG_UTIL_LINUX} AS pkg-util-linux-amd64
110FROM --platform=arm64 ${PKG_UTIL_LINUX} AS pkg-util-linux-arm64
111
112FROM --platform=amd64 ${PKG_KMOD} AS pkg-kmod-amd64
113FROM --platform=arm64 ${PKG_KMOD} AS pkg-kmod-arm64
114
115FROM ${PKG_KERNEL} AS pkg-kernel
116FROM --platform=amd64 ${PKG_KERNEL} AS pkg-kernel-amd64
117FROM --platform=arm64 ${PKG_KERNEL} AS pkg-kernel-arm64
118
119# Resolve package images using ${EXTRAS} to be used later in COPY --from=.
120
121FROM ${PKG_TALOSCTL_CNI_BUNDLE_INSTALL} AS extras-talosctl-cni-bundle-install
122
123# The tools target provides base toolchain for the build.
124
125FROM --platform=${BUILDPLATFORM} $TOOLS AS tools
126ENV PATH=/toolchain/bin:/toolchain/go/bin
127ENV LD_LIBRARY_PATH=/toolchain/lib
128ENV GOTOOLCHAIN=local
129RUN ["/toolchain/bin/mkdir", "/bin", "/tmp"]
130RUN ["/toolchain/bin/ln", "-svf", "/toolchain/bin/bash", "/bin/sh"]
131RUN ["/toolchain/bin/ln", "-svf", "/toolchain/etc/ssl", "/etc/ssl"]
132ARG GOLANGCILINT_VERSION
133RUN --mount=type=cache,target=/.cache go install github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCILINT_VERSION} \
134&& mv /go/bin/golangci-lint /toolchain/go/bin/golangci-lint
135ARG GOIMPORTS_VERSION
136RUN --mount=type=cache,target=/.cache go install golang.org/x/tools/cmd/goimports@${GOIMPORTS_VERSION} \
137&& mv /go/bin/goimports /toolchain/go/bin/goimports
138ARG GOFUMPT_VERSION
139RUN --mount=type=cache,target=/.cache go install mvdan.cc/gofumpt@${GOFUMPT_VERSION} \
140&& mv /go/bin/gofumpt /toolchain/go/bin/gofumpt
141ARG DEEPCOPY_VERSION
142RUN --mount=type=cache,target=/.cache go install github.com/siderolabs/deep-copy@${DEEPCOPY_VERSION} \
143&& mv /go/bin/deep-copy /toolchain/go/bin/deep-copy
144ARG STRINGER_VERSION
145RUN --mount=type=cache,target=/.cache go install golang.org/x/tools/cmd/stringer@${STRINGER_VERSION} \
146&& mv /go/bin/stringer /toolchain/go/bin/stringer
147ARG ENUMER_VERSION
148RUN --mount=type=cache,target=/.cache go install github.com/dmarkham/enumer@${ENUMER_VERSION} \
149&& mv /go/bin/enumer /toolchain/go/bin/enumer
150ARG DEEPCOPY_GEN_VERSION
151RUN --mount=type=cache,target=/.cache go install k8s.io/code-generator/cmd/deepcopy-gen@${DEEPCOPY_GEN_VERSION} \
152&& mv /go/bin/deepcopy-gen /toolchain/go/bin/deepcopy-gen
153ARG VTPROTOBUF_VERSION
154RUN --mount=type=cache,target=/.cache go install github.com/planetscale/vtprotobuf/cmd/protoc-gen-go-vtproto@${VTPROTOBUF_VERSION} \
155&& mv /go/bin/protoc-gen-go-vtproto /toolchain/go/bin/protoc-gen-go-vtproto
156ARG IMPORTVET_VERSION
157RUN --mount=type=cache,target=/.cache go install github.com/siderolabs/importvet/cmd/importvet@${IMPORTVET_VERSION} \
158&& mv /go/bin/importvet /toolchain/go/bin/importvet
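# govulncheck was the only go-installed tool in this stage resolved as
# "@latest": on a cache miss the build fetched and ran whatever upstream had
# published most recently, so the toolchain image was not reproducible.
# The default keeps the previous behaviour; pass
# --build-arg GOVULNCHECK_VERSION=<PINNED_VERSION> to fix the version like the
# other *_VERSION args above.
ARG GOVULNCHECK_VERSION=latest
RUN --mount=type=cache,target=/.cache go install golang.org/x/vuln/cmd/govulncheck@${GOVULNCHECK_VERSION} \
    && mv /go/bin/govulncheck /toolchain/go/bin/govulncheck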
161RUN --mount=type=cache,target=/.cache go install github.com/uber/prototool/cmd/prototool@v1.10.0 \
162&& mv /go/bin/prototool /toolchain/go/bin/prototool
163COPY ./hack/docgen /go/src/github.com/siderolabs/talos-hack-docgen
164RUN --mount=type=cache,target=/.cache cd /go/src/github.com/siderolabs/talos-hack-docgen \
165&& go build -o docgen . \
166&& mv docgen /toolchain/go/bin/
167COPY ./hack/gotagsrewrite /go/src/github.com/siderolabs/gotagsrewrite
168RUN --mount=type=cache,target=/.cache cd /go/src/github.com/siderolabs/gotagsrewrite \
169&& go build -o gotagsrewrite . \
170&& mv gotagsrewrite /toolchain/go/bin/
171COPY ./hack/structprotogen /go/src/github.com/siderolabs/structprotogen
172RUN --mount=type=cache,target=/.cache cd /go/src/github.com/siderolabs/structprotogen \
173&& go build -o structprotogen . \
174&& mv structprotogen /toolchain/go/bin/
175
176# The build target creates a container that will be used to build Talos source
177# code.
178
179FROM --platform=${BUILDPLATFORM} tools AS build
180SHELL ["/toolchain/bin/bash", "-c"]
181ENV PATH=/toolchain/bin:/toolchain/go/bin
182ENV GO111MODULE=on
183ENV GOPROXY=https://proxy.golang.org
184ARG CGO_ENABLED
185ENV CGO_ENABLED=${CGO_ENABLED}
186ENV GOCACHE=/.cache/go-build
187ENV GOMODCACHE=/.cache/mod
188ENV PROTOTOOL_CACHE_PATH=/.cache/prototool
189ARG SOURCE_DATE_EPOCH
190ENV SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH}
191WORKDIR /src
192
193# The build-go target creates a container to build Go code with Go modules downloaded and verified.
194
195FROM build AS build-go
196COPY ./go.mod ./go.sum ./
197COPY ./pkg/machinery/go.mod ./pkg/machinery/go.sum ./pkg/machinery/
198WORKDIR /src/pkg/machinery
199RUN --mount=type=cache,target=/.cache go mod download
200WORKDIR /src
201RUN --mount=type=cache,target=/.cache go mod download
202RUN --mount=type=cache,target=/.cache go mod verify
203
204# The generate target generates code from protobuf service definitions and machinery config.
205
206# generate API descriptors
207FROM build AS api-descriptors-build
208WORKDIR /src/api
209COPY api .
210RUN --mount=type=cache,target=/.cache prototool format --overwrite --protoc-bin-path=/toolchain/bin/protoc --protoc-wkt-path=/toolchain/include
211RUN --mount=type=cache,target=/.cache prototool break descriptor-set --output-path=api.descriptors --protoc-bin-path=/toolchain/bin/protoc --protoc-wkt-path=/toolchain/include
212
213FROM --platform=${BUILDPLATFORM} scratch AS api-descriptors
214COPY --from=api-descriptors-build /src/api/api.descriptors /api/api.descriptors
215
216# format protobuf service definitions
217FROM build AS proto-format-build
218WORKDIR /src/api
219COPY api .
220RUN --mount=type=cache,target=/.cache prototool format --overwrite --protoc-bin-path=/toolchain/bin/protoc --protoc-wkt-path=/toolchain/include
221
222FROM --platform=${BUILDPLATFORM} scratch AS fmt-protobuf
223COPY --from=proto-format-build /src/api/ /api/
224
225# run docgen for machinery config
226FROM build-go AS go-generate
227COPY ./pkg ./pkg
228COPY ./hack/boilerplate.txt ./hack/boilerplate.txt
229RUN --mount=type=cache,target=/.cache go generate ./pkg/...
230RUN goimports -w -local github.com/siderolabs/talos ./pkg/
231RUN gofumpt -w ./pkg/
232WORKDIR /src/pkg/machinery
233RUN --mount=type=cache,target=/.cache go generate ./...
234RUN gotagsrewrite .
235RUN goimports -w -local github.com/siderolabs/talos ./
236RUN gofumpt -w ./
237
238FROM go-generate AS gen-proto-go
239WORKDIR /src/
240RUN --mount=type=cache,target=/.cache structprotogen github.com/siderolabs/talos/pkg/machinery/... /api/resource/definitions/
241
242# compile protobuf service definitions
243FROM build AS generate-build
244COPY --from=proto-format-build /src/api /api/
245# Common needs to be at or near the top to satisfy the subsequent imports
246COPY ./api/vendor/ /api/vendor/
247COPY ./api/common/common.proto /api/common/common.proto
248RUN protoc -I/api -I/api/vendor/ --go_out=paths=source_relative:/api --go-grpc_out=paths=source_relative:/api --go-vtproto_out=paths=source_relative:/api --go-vtproto_opt=features=marshal+unmarshal+size common/common.proto
249COPY ./api/security/security.proto /api/security/security.proto
250RUN protoc -I/api -I/api/vendor/ --go_out=paths=source_relative:/api --go-grpc_out=paths=source_relative:/api --go-vtproto_out=paths=source_relative:/api --go-vtproto_opt=features=marshal+unmarshal+size security/security.proto
251COPY ./api/storage/storage.proto /api/storage/storage.proto
252RUN protoc -I/api -I/api/vendor/ --go_out=paths=source_relative:/api --go-grpc_out=paths=source_relative:/api --go-vtproto_out=paths=source_relative:/api --go-vtproto_opt=features=marshal+unmarshal+size storage/storage.proto
253COPY ./api/machine/machine.proto /api/machine/machine.proto
254RUN protoc -I/api -I/api/vendor/ --go_out=paths=source_relative:/api --go-grpc_out=paths=source_relative:/api --go-vtproto_out=paths=source_relative:/api --go-vtproto_opt=features=marshal+unmarshal+size machine/machine.proto
255COPY ./api/time/time.proto /api/time/time.proto
256RUN protoc -I/api -I/api/vendor/ --go_out=paths=source_relative:/api --go-grpc_out=paths=source_relative:/api --go-vtproto_out=paths=source_relative:/api --go-vtproto_opt=features=marshal+unmarshal+size time/time.proto
257COPY ./api/cluster/cluster.proto /api/cluster/cluster.proto
258RUN protoc -I/api -I/api/vendor/ --go_out=paths=source_relative:/api --go-grpc_out=paths=source_relative:/api --go-vtproto_out=paths=source_relative:/api --go-vtproto_opt=features=marshal+unmarshal+size cluster/cluster.proto
259COPY ./api/resource/config/config.proto /api/resource/config/config.proto
260RUN protoc -I/api -I/api/vendor/ --go_out=paths=source_relative:/api --go-grpc_out=paths=source_relative:/api --go-vtproto_out=paths=source_relative:/api --go-vtproto_opt=features=marshal+unmarshal+size resource/config/config.proto
261COPY ./api/resource/network/device_config.proto /api/resource/network/device_config.proto
262RUN protoc -I/api -I/api/vendor/ --go_out=paths=source_relative:/api --go-grpc_out=paths=source_relative:/api --go-vtproto_out=paths=source_relative:/api --go-vtproto_opt=features=marshal+unmarshal+size resource/network/device_config.proto
263COPY ./api/inspect/inspect.proto /api/inspect/inspect.proto
264RUN protoc -I/api -I/api/vendor/ --go_out=paths=source_relative:/api --go-grpc_out=paths=source_relative:/api --go-vtproto_out=paths=source_relative:/api --go-vtproto_opt=features=marshal+unmarshal+size inspect/inspect.proto
265COPY --from=gen-proto-go /api/resource/definitions/ /api/resource/definitions/
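# Compile every generated resource definition and move its Go output to
# /api/resource/definitions_go/<name>.
# The path is passed to the inner shell as "$1" rather than substituted into
# the script text, so a file name with spaces or shell metacharacters is
# handled as data and is never parsed as shell code. -print0/-0 keep such
# names intact between find and xargs, and pipefail makes a failing find fail
# the step instead of being masked by the exit status of xargs.
RUN set -o pipefail \
    && find /api/resource/definitions/ -type f -name "*.proto" -print0 \
    | xargs -0 -I {} /bin/sh -c 'name="$(basename "$1" .proto)" && protoc -I/api -I/api/vendor/ --go_out=paths=source_relative:/api --go-grpc_out=paths=source_relative:/api --go-vtproto_out=paths=source_relative:/api --go-vtproto_opt=features=marshal+unmarshal+size "$1" && mkdir -p "/api/resource/definitions_go/${name}" && mv "/api/resource/definitions/${name}"/*.go "/api/resource/definitions_go/${name}"' _ {}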
267# Goimports and gofumpt generated files to adjust import order
268RUN goimports -w -local github.com/siderolabs/talos /api/
269RUN gofumpt -w /api/
270
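# embed-generate writes one file per build argument under
# pkg/machinery/gendata/data (relative to WORKDIR /src); the scratch `embed`
# stage copies that directory out.
FROM build AS embed-generate
ARG NAME
ARG SHA
ARG USERNAME
ARG REGISTRY
ARG TAG
ARG ARTIFACTS
ARG PKGS
ARG EXTRAS
# Every value is quoted and written with printf '%s': an unquoted expansion is
# word-split and glob-expanded by the shell, so a value containing whitespace
# or `*` would be recorded differently from what was passed, and a value
# beginning with `-` could be taken as an echo option.
RUN mkdir -p pkg/machinery/gendata/data && \
    printf '%s' "${NAME}" > pkg/machinery/gendata/data/name && \
    printf '%s' "${SHA}" > pkg/machinery/gendata/data/sha && \
    printf '%s' "${USERNAME}" > pkg/machinery/gendata/data/username && \
    printf '%s' "${REGISTRY}" > pkg/machinery/gendata/data/registry && \
    printf '%s' "${EXTRAS}" > pkg/machinery/gendata/data/extras && \
    printf '%s' "${PKGS}" > pkg/machinery/gendata/data/pkgs && \
    printf '%s' "${TAG}" > pkg/machinery/gendata/data/tag && \
    printf '%s' "${ARTIFACTS}" > pkg/machinery/gendata/data/artifacts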
289
290FROM scratch AS embed
291COPY --from=embed-generate /src/pkg/machinery/gendata/data /pkg/machinery/gendata/data
292
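# embed-abbrev-generate overrides the recorded sha/tag with "undefined" and the
# abbreviated tag, and collects build metadata under _out.
FROM embed-generate AS embed-abbrev-generate
ARG ABBREV_TAG
# Values are quoted so they are written verbatim rather than being word-split
# and glob-expanded by the shell.
RUN printf '%s' "undefined" > pkg/machinery/gendata/data/sha && \
    printf '%s' "${ABBREV_TAG}" > pkg/machinery/gendata/data/tag
RUN mkdir -p _out && \
    echo "PKGS=${PKGS}" >> _out/talos-metadata && \
    echo "TAG=${TAG}" >> _out/talos-metadata && \
    echo "EXTRAS=${EXTRAS}" >> _out/talos-metadata
# NOTE(review): only the .x509 file is taken from /certs; presumably this is the
# public module-signing certificate. Confirm that no private key material from
# the kernel package is ever copied alongside it.
COPY --from=pkg-kernel /certs/signing_key.x509 _out/signing_key.x509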
302
303FROM scratch AS embed-abbrev
304COPY --from=embed-abbrev-generate /src/pkg/machinery/gendata/data /pkg/machinery/gendata/data
305COPY --from=embed-abbrev-generate /src/_out/talos-metadata /_out/talos-metadata
306COPY --from=embed-abbrev-generate /src/_out/signing_key.x509 /_out/signing_key.x509
307
308FROM scratch AS ipxe-generate
309COPY --from=pkg-ipxe-amd64 /usr/libexec/snp.efi /amd64/snp.efi
310COPY --from=pkg-ipxe-arm64 /usr/libexec/snp.efi /arm64/snp.efi
311
312FROM --platform=${BUILDPLATFORM} scratch AS generate
313COPY --from=proto-format-build /src/api /api/
314COPY --from=generate-build /api/common/*.pb.go /pkg/machinery/api/common/
315COPY --from=generate-build /api/resource/definitions/ /api/resource/definitions/
316COPY --from=generate-build /api/resource/definitions_go/ /pkg/machinery/api/resource/definitions/
317COPY --from=generate-build /api/security/*.pb.go /pkg/machinery/api/security/
318COPY --from=generate-build /api/machine/*.pb.go /pkg/machinery/api/machine/
319COPY --from=generate-build /api/time/*.pb.go /pkg/machinery/api/time/
320COPY --from=generate-build /api/cluster/*.pb.go /pkg/machinery/api/cluster/
321COPY --from=generate-build /api/storage/*.pb.go /pkg/machinery/api/storage/
322COPY --from=generate-build /api/resource/*.pb.go /pkg/machinery/api/resource/
323COPY --from=generate-build /api/resource/config/*.pb.go /pkg/machinery/api/resource/config/
324COPY --from=generate-build /api/resource/network/*.pb.go /pkg/machinery/api/resource/network/
325COPY --from=generate-build /api/inspect/*.pb.go /pkg/machinery/api/inspect/
326COPY --from=go-generate /src/pkg/flannel/ /pkg/flannel/
327COPY --from=go-generate /src/pkg/imager/profile/ /pkg/imager/profile/
328COPY --from=go-generate /src/pkg/machinery/resources/ /pkg/machinery/resources/
329COPY --from=go-generate /src/pkg/machinery/config/schemas/ /pkg/machinery/config/schemas/
330COPY --from=go-generate /src/pkg/machinery/config/types/ /pkg/machinery/config/types/
331COPY --from=go-generate /src/pkg/machinery/nethelpers/ /pkg/machinery/nethelpers/
332COPY --from=go-generate /src/pkg/machinery/extensions/ /pkg/machinery/extensions/
333COPY --from=ipxe-generate / /pkg/provision/providers/vm/internal/ipxe/data/ipxe/
334COPY --from=embed-abbrev / /
335
336# The base target provides a container that can be used to build all Talos
337# assets.
338
339FROM build-go AS base
340COPY ./cmd ./cmd
341COPY ./pkg ./pkg
342COPY ./internal ./internal
343COPY --from=generate /pkg/flannel/ ./pkg/flannel/
344COPY --from=generate /pkg/imager/ ./pkg/imager/
345COPY --from=generate /pkg/machinery/ ./pkg/machinery/
346COPY --from=embed / ./
347RUN --mount=type=cache,target=/.cache go list all >/dev/null
348WORKDIR /src/pkg/machinery
349RUN --mount=type=cache,target=/.cache go list all >/dev/null
350WORKDIR /src
351
352# The vulncheck target runs the vulnerability check tool.
353
354FROM base AS lint-vulncheck
355RUN --mount=type=cache,target=/.cache govulncheck ./...
356
357# The init target builds the init binary.
358
359FROM base AS init-build-amd64
360WORKDIR /src/internal/app/init
361ARG GO_BUILDFLAGS
362ARG GO_LDFLAGS
363RUN --mount=type=cache,target=/.cache GOOS=linux GOARCH=amd64 GOAMD64=v1 go build ${GO_BUILDFLAGS} -ldflags "${GO_LDFLAGS}" -o /init
364RUN chmod +x /init
365
366FROM base AS init-build-arm64
367WORKDIR /src/internal/app/init
368ARG GO_BUILDFLAGS
369ARG GO_LDFLAGS
370RUN --mount=type=cache,target=/.cache GOOS=linux GOARCH=arm64 go build ${GO_BUILDFLAGS} -ldflags "${GO_LDFLAGS}" -o /init
371RUN chmod +x /init
372
373FROM init-build-${TARGETARCH} AS init-build
374
375FROM scratch AS init
376COPY --from=init-build /init /init
377
378# The machined target builds the machined binary.
379
380FROM base AS machined-build-amd64
381WORKDIR /src/internal/app/machined
382ARG GO_BUILDFLAGS
383ARG GO_LDFLAGS
384ARG GOAMD64
385RUN --mount=type=cache,target=/.cache GOOS=linux GOARCH=amd64 GOAMD64=${GOAMD64} go build ${GO_BUILDFLAGS} -ldflags "${GO_LDFLAGS}" -o /machined
386RUN chmod +x /machined
387
388FROM base AS machined-build-arm64
389WORKDIR /src/internal/app/machined
390ARG GO_BUILDFLAGS
391ARG GO_LDFLAGS
392RUN --mount=type=cache,target=/.cache GOOS=linux GOARCH=arm64 go build ${GO_BUILDFLAGS} -ldflags "${GO_LDFLAGS}" -o /machined
393RUN chmod +x /machined
394
395FROM machined-build-${TARGETARCH} AS machined-build
396
397FROM scratch AS machined
398COPY --from=machined-build /machined /machined
399
400# The talosctl targets build the talosctl binaries.
401
402FROM base AS talosctl-linux-amd64-build
403WORKDIR /src/cmd/talosctl
404ARG GO_BUILDFLAGS
405ARG GO_LDFLAGS
406ARG GOAMD64
407RUN --mount=type=cache,target=/.cache GOOS=linux GOARCH=amd64 GOAMD64=${GOAMD64} go build ${GO_BUILDFLAGS} -ldflags "${GO_LDFLAGS}" -o /talosctl-linux-amd64
408RUN chmod +x /talosctl-linux-amd64
409RUN touch --date="@${SOURCE_DATE_EPOCH}" /talosctl-linux-amd64
410
411FROM base AS talosctl-linux-arm64-build
412WORKDIR /src/cmd/talosctl
413ARG GO_BUILDFLAGS
414ARG GO_LDFLAGS
415RUN --mount=type=cache,target=/.cache GOOS=linux GOARCH=arm64 go build ${GO_BUILDFLAGS} -ldflags "${GO_LDFLAGS}" -o /talosctl-linux-arm64
416RUN chmod +x /talosctl-linux-arm64
417RUN touch --date="@${SOURCE_DATE_EPOCH}" /talosctl-linux-arm64
418
419FROM base AS talosctl-linux-armv7-build
420WORKDIR /src/cmd/talosctl
421ARG GO_BUILDFLAGS
422ARG GO_LDFLAGS
423RUN --mount=type=cache,target=/.cache GOOS=linux GOARCH=arm GOARM=7 go build ${GO_BUILDFLAGS} -ldflags "${GO_LDFLAGS}" -o /talosctl-linux-armv7
424RUN chmod +x /talosctl-linux-armv7
425RUN touch --date="@${SOURCE_DATE_EPOCH}" /talosctl-linux-armv7
426
427FROM base AS talosctl-darwin-amd64-build
428WORKDIR /src/cmd/talosctl
429ARG GO_BUILDFLAGS
430ARG GO_LDFLAGS
431ARG GOAMD64
432RUN --mount=type=cache,target=/.cache GOOS=darwin GOARCH=amd64 GOAMD64=${GOAMD64} go build ${GO_BUILDFLAGS} -ldflags "${GO_LDFLAGS}" -o /talosctl-darwin-amd64
433RUN chmod +x /talosctl-darwin-amd64
434RUN touch --date="@${SOURCE_DATE_EPOCH}" /talosctl-darwin-amd64
435
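# Builds talosctl for darwin/arm64 and normalises the binary's mtime to
# SOURCE_DATE_EPOCH.
FROM base AS talosctl-darwin-arm64-build
WORKDIR /src/cmd/talosctl
ARG GO_BUILDFLAGS
ARG GO_LDFLAGS
RUN --mount=type=cache,target=/.cache GOOS=darwin GOARCH=arm64 go build ${GO_BUILDFLAGS} -ldflags "${GO_LDFLAGS}" -o /talosctl-darwin-arm64
RUN chmod +x /talosctl-darwin-arm64
# The path must be absolute, as in the sibling talosctl-*-build stages: with
# WORKDIR /src/cmd/talosctl a relative name creates an empty file in the source
# tree and leaves the shipped binary with its build-time mtime, which makes the
# artifact non-reproducible.
RUN touch --date="@${SOURCE_DATE_EPOCH}" /talosctl-darwin-arm64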
443
444FROM base AS talosctl-windows-amd64-build
445WORKDIR /src/cmd/talosctl
446ARG GO_BUILDFLAGS
447ARG GO_LDFLAGS
448ARG GOAMD64
449RUN --mount=type=cache,target=/.cache GOOS=windows GOARCH=amd64 GOAMD64=${GOAMD64} go build ${GO_BUILDFLAGS} -ldflags "${GO_LDFLAGS}" -o /talosctl-windows-amd64.exe
450RUN touch --date="@${SOURCE_DATE_EPOCH}" /talosctl-windows-amd64.exe
451
452FROM base AS talosctl-freebsd-amd64-build
453WORKDIR /src/cmd/talosctl
454ARG GO_BUILDFLAGS
455ARG GO_LDFLAGS
456ARG GOAMD64
457RUN --mount=type=cache,target=/.cache GOOS=freebsd GOARCH=amd64 GOAMD64=${GOAMD64} go build ${GO_BUILDFLAGS} -ldflags "${GO_LDFLAGS}" -o /talosctl-freebsd-amd64
458RUN touch --date="@${SOURCE_DATE_EPOCH}" /talosctl-freebsd-amd64
459
460FROM base AS talosctl-freebsd-arm64-build
461WORKDIR /src/cmd/talosctl
462ARG GO_BUILDFLAGS
463ARG GO_LDFLAGS
464RUN --mount=type=cache,target=/.cache GOOS=freebsd GOARCH=arm64 go build ${GO_BUILDFLAGS} -ldflags "${GO_LDFLAGS}" -o /talosctl-freebsd-arm64
465RUN touch --date="@${SOURCE_DATE_EPOCH}" /talosctl-freebsd-arm64
466
467FROM scratch AS talosctl-linux-amd64
468COPY --from=talosctl-linux-amd64-build /talosctl-linux-amd64 /talosctl-linux-amd64
469
470FROM scratch AS talosctl-linux-arm64
471COPY --from=talosctl-linux-arm64-build /talosctl-linux-arm64 /talosctl-linux-arm64
472
473FROM scratch AS talosctl-linux-armv7
474COPY --from=talosctl-linux-armv7-build /talosctl-linux-armv7 /talosctl-linux-armv7
475
476FROM scratch AS talosctl-darwin-amd64
477COPY --from=talosctl-darwin-amd64-build /talosctl-darwin-amd64 /talosctl-darwin-amd64
478
479FROM scratch AS talosctl-darwin-arm64
480COPY --from=talosctl-darwin-arm64-build /talosctl-darwin-arm64 /talosctl-darwin-arm64
481
482FROM scratch AS talosctl-freebsd-amd64
483COPY --from=talosctl-freebsd-amd64-build /talosctl-freebsd-amd64 /talosctl-freebsd-amd64
484
485FROM scratch AS talosctl-freebsd-arm64
486COPY --from=talosctl-freebsd-arm64-build /talosctl-freebsd-arm64 /talosctl-freebsd-arm64
487
488FROM scratch AS talosctl-windows-amd64
489COPY --from=talosctl-windows-amd64-build /talosctl-windows-amd64.exe /talosctl-windows-amd64.exe
490
491FROM --platform=${BUILDPLATFORM} talosctl-${TARGETOS}-${TARGETARCH} AS talosctl-targetarch
492
493FROM scratch AS talosctl-all
494COPY --from=talosctl-linux-amd64 / /
495COPY --from=talosctl-linux-arm64 / /
496COPY --from=talosctl-linux-armv7 / /
497COPY --from=talosctl-darwin-amd64 / /
498COPY --from=talosctl-darwin-arm64 / /
499COPY --from=talosctl-freebsd-amd64 / /
500COPY --from=talosctl-freebsd-arm64 / /
501COPY --from=talosctl-windows-amd64 / /
502
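# The talosctl image: a scratch image holding only the Linux talosctl binary
# for the target architecture.
FROM scratch AS talosctl
ARG TARGETARCH
COPY --from=talosctl-all /talosctl-linux-${TARGETARCH} /talosctl
ARG TAG
# key=value form; the space-separated ENV/LABEL form is deprecated and is
# flagged by BuildKit's LegacyKeyValueFormat check. The resulting values are
# the same as before.
ENV VERSION=${TAG}
LABEL "alpha.talos.dev/version"="${VERSION}"
LABEL org.opencontainers.image.source="https://github.com/siderolabs/talos"
# NOTE(review): no USER is set, so the process runs as UID 0 unless the runtime
# overrides it (for example `docker run --user`).
ENTRYPOINT ["/talosctl"]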
511
512# The kernel target is the linux kernel.
513FROM scratch AS kernel
514ARG TARGETARCH
515COPY --from=pkg-kernel /boot/vmlinuz /vmlinuz-${TARGETARCH}
516
517# The sd-boot target is the systemd-boot asset.
518FROM scratch AS sd-boot
519ARG TARGETARCH
520COPY --from=pkg-sd-boot /*.efi /sd-boot-${TARGETARCH}.efi
521
522# The sd-stub target is the systemd-stub asset.
523FROM scratch AS sd-stub
524ARG TARGETARCH
525COPY --from=pkg-sd-boot /*.efi.stub /sd-stub-${TARGETARCH}.efi
526
527FROM tools AS depmod-amd64
528WORKDIR /staging
529COPY hack/modules-amd64.txt .
530COPY --from=pkg-kernel-amd64 /lib/modules lib/modules
531RUN <<EOF
532set -euo pipefail
533
534KERNEL_VERSION=$(ls lib/modules)
535
536xargs -a modules-amd64.txt -I {} install -D lib/modules/${KERNEL_VERSION}/{} /build/lib/modules/${KERNEL_VERSION}/{}
537
538depmod -b /build ${KERNEL_VERSION}
539EOF
540
541FROM scratch AS modules-amd64
542COPY --from=depmod-amd64 /build/lib/modules /lib/modules
543
544FROM tools AS depmod-arm64
545WORKDIR /staging
546COPY hack/modules-arm64.txt .
547COPY --from=pkg-kernel-arm64 /lib/modules lib/modules
548RUN <<EOF
549set -euo pipefail
550
551KERNEL_VERSION=$(ls lib/modules)
552
553xargs -a modules-arm64.txt -I {} install -D lib/modules/${KERNEL_VERSION}/{} /build/lib/modules/${KERNEL_VERSION}/{}
554
555depmod -b /build ${KERNEL_VERSION}
556EOF
557
558FROM scratch AS modules-arm64
559COPY --from=depmod-arm64 /build/lib/modules /lib/modules
560
561# The rootfs target provides the Talos rootfs.
562FROM build AS rootfs-base-amd64
563COPY --link --from=pkg-fhs / /rootfs
564COPY --link --from=pkg-ca-certificates / /rootfs
565COPY --link --from=pkg-apparmor-amd64 / /rootfs
566COPY --link --from=pkg-cryptsetup-amd64 / /rootfs
567COPY --link --from=pkg-containerd-amd64 / /rootfs
568COPY --link --from=pkg-dosfstools-amd64 / /rootfs
569COPY --link --from=pkg-eudev-amd64 / /rootfs
570COPY --link --from=pkg-iptables-amd64 / /rootfs
571COPY --link --from=pkg-libinih-amd64 / /rootfs
572COPY --link --from=pkg-libjson-c-amd64 / /rootfs
573COPY --link --from=pkg-libpopt-amd64 / /rootfs
574COPY --link --from=pkg-liburcu-amd64 / /rootfs
575COPY --link --from=pkg-openssl-amd64 / /rootfs
576COPY --link --from=pkg-libseccomp-amd64 / /rootfs
577COPY --link --from=pkg-lvm2-amd64 / /rootfs
578COPY --link --from=pkg-libaio-amd64 / /rootfs
579COPY --link --from=pkg-musl-amd64 / /rootfs
580COPY --link --from=pkg-runc-amd64 / /rootfs
581COPY --link --from=pkg-xfsprogs-amd64 / /rootfs
582COPY --link --from=pkg-util-linux-amd64 /lib/libblkid.* /rootfs/lib/
583COPY --link --from=pkg-util-linux-amd64 /lib/libuuid.* /rootfs/lib/
584COPY --link --from=pkg-util-linux-amd64 /lib/libmount.* /rootfs/lib/
585COPY --link --from=pkg-kmod-amd64 /usr/lib/libkmod.* /rootfs/lib/
586COPY --link --from=pkg-kmod-amd64 /usr/bin/kmod /rootfs/sbin/modprobe
587COPY --link --from=modules-amd64 /lib/modules /rootfs/lib/modules
588COPY --link --from=machined-build-amd64 /machined /rootfs/sbin/init
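# Expose the machined binary (installed as /sbin/init) under the extra names
# it is invoked by. Heredoc lines are not &&-chained, so without `set -e` only
# the last command's exit status decides the step and a failed hard link would
# go unnoticed, producing a rootfs that is missing one of these entry points.
RUN <<END
set -e
# the orderly_poweroff call by the kernel will call '/sbin/poweroff'
ln /rootfs/sbin/init /rootfs/sbin/poweroff
chmod +x /rootfs/sbin/poweroff
# some extensions like qemu-guest agent will call '/sbin/shutdown'
ln /rootfs/sbin/init /rootfs/sbin/shutdown
chmod +x /rootfs/sbin/shutdown
ln /rootfs/sbin/init /rootfs/sbin/wrapperd
chmod +x /rootfs/sbin/wrapperd
ln /rootfs/sbin/init /rootfs/sbin/dashboard
chmod +x /rootfs/sbin/dashboard
END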
601# NB: We run the cleanup step before creating extra directories, files, and
602# symlinks to avoid accidentally cleaning them up.
603COPY ./hack/cleanup.sh /toolchain/bin/cleanup.sh
604RUN <<END
605cleanup.sh /rootfs
606mkdir -pv /rootfs/{boot/EFI,etc/cri/conf.d/hosts,lib/firmware,usr/local/share,usr/share/zoneinfo/Etc,mnt,system,opt,.extra}
607mkdir -pv /rootfs/{etc/kubernetes/manifests,etc/cni/net.d,usr/libexec/kubernetes,/usr/local/lib/kubelet/credentialproviders}
608mkdir -pv /rootfs/opt/{containerd/bin,containerd/lib}
609END
610COPY --chmod=0644 hack/zoneinfo/Etc/UTC /rootfs/usr/share/zoneinfo/Etc/UTC
611COPY --chmod=0644 hack/nfsmount.conf /rootfs/etc/nfsmount.conf
612COPY --chmod=0644 hack/containerd.toml /rootfs/etc/containerd/config.toml
613COPY --chmod=0644 hack/cri-containerd.toml /rootfs/etc/cri/containerd.toml
614COPY --chmod=0644 hack/cri-plugin.part /rootfs/etc/cri/conf.d/00-base.part
615COPY --chmod=0644 hack/udevd/80-net-name-slot.rules /rootfs/usr/lib/udev/rules.d/
616COPY --chmod=0644 hack/lvm.conf /rootfs/etc/lvm/lvm.conf
617RUN <<END
618ln -s /usr/share/zoneinfo/Etc/UTC /rootfs/etc/localtime
619touch /rootfs/etc/{extensions.yaml,resolv.conf,hosts,os-release,machine-id,cri/conf.d/cri.toml,cri/conf.d/01-registries.part,cri/conf.d/20-customization.part}
620ln -s ca-certificates /rootfs/etc/ssl/certs/ca-certificates.crt
621ln -s /etc/ssl /rootfs/etc/pki
622ln -s /etc/ssl /rootfs/usr/share/ca-certificates
623ln -s /etc/ssl /rootfs/usr/local/share/ca-certificates
624ln -s /etc/ssl /rootfs/etc/ca-certificates
625END
626
627FROM build AS rootfs-base-arm64
628COPY --link --from=pkg-fhs / /rootfs
629COPY --link --from=pkg-ca-certificates / /rootfs
630COPY --link --from=pkg-apparmor-arm64 / /rootfs
631COPY --link --from=pkg-cryptsetup-arm64 / /rootfs
632COPY --link --from=pkg-containerd-arm64 / /rootfs
633COPY --link --from=pkg-dosfstools-arm64 / /rootfs
634COPY --link --from=pkg-eudev-arm64 / /rootfs
635COPY --link --from=pkg-iptables-arm64 / /rootfs
636COPY --link --from=pkg-libinih-arm64 / /rootfs
637COPY --link --from=pkg-libjson-c-arm64 / /rootfs
638COPY --link --from=pkg-libpopt-arm64 / /rootfs
639COPY --link --from=pkg-liburcu-arm64 / /rootfs
640COPY --link --from=pkg-openssl-arm64 / /rootfs
641COPY --link --from=pkg-libseccomp-arm64 / /rootfs
642COPY --link --from=pkg-lvm2-arm64 / /rootfs
643COPY --link --from=pkg-libaio-arm64 / /rootfs
644COPY --link --from=pkg-musl-arm64 / /rootfs
645COPY --link --from=pkg-runc-arm64 / /rootfs
646COPY --link --from=pkg-xfsprogs-arm64 / /rootfs
647COPY --link --from=pkg-util-linux-arm64 /lib/libblkid.* /rootfs/lib/
648COPY --link --from=pkg-util-linux-arm64 /lib/libuuid.* /rootfs/lib/
649COPY --link --from=pkg-util-linux-arm64 /lib/libmount.* /rootfs/lib/
650COPY --link --from=pkg-kmod-arm64 /usr/lib/libkmod.* /rootfs/lib/
651COPY --link --from=pkg-kmod-arm64 /usr/bin/kmod /rootfs/sbin/modprobe
652COPY --link --from=modules-arm64 /lib/modules /rootfs/lib/modules
653COPY --link --from=machined-build-arm64 /machined /rootfs/sbin/init
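# Expose the machined binary (installed as /sbin/init) under the extra names
# it is invoked by. Heredoc lines are not &&-chained, so without `set -e` only
# the last command's exit status decides the step and a failed hard link would
# go unnoticed, producing a rootfs that is missing one of these entry points.
RUN <<END
set -e
# the orderly_poweroff call by the kernel will call '/sbin/poweroff'
ln /rootfs/sbin/init /rootfs/sbin/poweroff
chmod +x /rootfs/sbin/poweroff
# some extensions like qemu-guest agent will call '/sbin/shutdown'
ln /rootfs/sbin/init /rootfs/sbin/shutdown
chmod +x /rootfs/sbin/shutdown
ln /rootfs/sbin/init /rootfs/sbin/wrapperd
chmod +x /rootfs/sbin/wrapperd
ln /rootfs/sbin/init /rootfs/sbin/dashboard
chmod +x /rootfs/sbin/dashboard
END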
666# NB: We run the cleanup step before creating extra directories, files, and
667# symlinks to avoid accidentally cleaning them up.
668COPY ./hack/cleanup.sh /toolchain/bin/cleanup.sh
669RUN <<END
670cleanup.sh /rootfs
671mkdir -pv /rootfs/{boot/EFI,etc/cri/conf.d/hosts,lib/firmware,usr/local/share,usr/share/zoneinfo/Etc,mnt,system,opt,.extra}
672mkdir -pv /rootfs/{etc/kubernetes/manifests,etc/cni/net.d,usr/libexec/kubernetes,/usr/local/lib/kubelet/credentialproviders}
673mkdir -pv /rootfs/opt/{containerd/bin,containerd/lib}
674END
675COPY --chmod=0644 hack/zoneinfo/Etc/UTC /rootfs/usr/share/zoneinfo/Etc/UTC
676COPY --chmod=0644 hack/nfsmount.conf /rootfs/etc/nfsmount.conf
677COPY --chmod=0644 hack/containerd.toml /rootfs/etc/containerd/config.toml
678COPY --chmod=0644 hack/cri-containerd.toml /rootfs/etc/cri/containerd.toml
679COPY --chmod=0644 hack/cri-plugin.part /rootfs/etc/cri/conf.d/00-base.part
680COPY --chmod=0644 hack/udevd/80-net-name-slot.rules /rootfs/usr/lib/udev/rules.d/
681COPY --chmod=0644 hack/lvm.conf /rootfs/etc/lvm/lvm.conf
682RUN <<END
683ln -s /usr/share/zoneinfo/Etc/UTC /rootfs/etc/localtime
684touch /rootfs/etc/{extensions.yaml,resolv.conf,hosts,os-release,machine-id,cri/conf.d/cri.toml,cri/conf.d/01-registries.part,cri/conf.d/20-customization.part}
685ln -s /etc/ssl /rootfs/etc/pki
686ln -s ca-certificates /rootfs/etc/ssl/certs/ca-certificates.crt
687ln -s /etc/ssl /rootfs/usr/share/ca-certificates
688ln -s /etc/ssl /rootfs/usr/local/share/ca-certificates
689ln -s /etc/ssl /rootfs/etc/ca-certificates
690END
691
# Architecture-neutral alias: selects the per-arch rootfs tree for TARGETARCH.
FROM rootfs-base-${TARGETARCH} AS rootfs-base
# Clamp every timestamp under /rootfs to SOURCE_DATE_EPOCH so the tree does not
# record when it was built. --no-dereference stamps symlinks themselves rather
# than their targets.
# NOTE(review): SOURCE_DATE_EPOCH is not declared in this stage; presumably it
# is inherited from the parent stage -- confirm.
RUN find /rootfs -print0 \
    | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
695
# Pack the arm64 rootfs tree into a zstd-compressed SquashFS image.
FROM rootfs-base-arm64 AS rootfs-squashfs-arm64
ARG ZSTD_COMPRESSION_LEVEL
# This stage starts from the per-arch tree, not from rootfs-base, so the
# timestamps have to be normalised here as well.
RUN find /rootfs -print0 \
    | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
# -all-root records every entry as owned by root, whatever its owner was in the
# build container; -noappend always writes a fresh image.
RUN mksquashfs /rootfs /rootfs.sqsh \
    -all-root \
    -noappend \
    -comp zstd \
    -Xcompression-level ${ZSTD_COMPRESSION_LEVEL} \
    -no-progress

# Same steps for amd64.
FROM rootfs-base-amd64 AS rootfs-squashfs-amd64
ARG ZSTD_COMPRESSION_LEVEL
RUN find /rootfs -print0 \
    | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
RUN mksquashfs /rootfs /rootfs.sqsh \
    -all-root \
    -noappend \
    -comp zstd \
    -Xcompression-level ${ZSTD_COMPRESSION_LEVEL} \
    -no-progress
707
# Export stages: each starts from scratch and carries a single artifact, so
# none of the toolchain used to produce it ends up in the output.

# arm64 SquashFS image only.
FROM scratch AS squashfs-arm64
COPY --from=rootfs-squashfs-arm64 /rootfs.sqsh /

# amd64 SquashFS image only.
FROM scratch AS squashfs-amd64
COPY --from=rootfs-squashfs-amd64 /rootfs.sqsh /

# Unpacked rootfs tree for TARGETARCH, placed at the image root.
FROM scratch AS rootfs
COPY --from=rootfs-base /rootfs /
716
717# The initramfs target provides the Talos initramfs image.
718
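# Assemble the arm64 initramfs: /init plus the SquashFS rootfs in one archive.
FROM build AS initramfs-archive-arm64
WORKDIR /initramfs
ARG ZSTD_COMPRESSION_LEVEL
COPY --from=squashfs-arm64 /rootfs.sqsh .
COPY --from=init-build-arm64 /init .
# Clamp timestamps of the archive members to SOURCE_DATE_EPOCH.
RUN find . -print0 \
    | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
# Build a newc cpio archive with a stable member order and compress it.
# - The member list is sorted in the POSIX locale so the order is byte-wise and
#   does not depend on the builder's locale. The locale name is upper-case "C";
#   a lower-case "c" is not a defined locale name and only works by fallback.
# - pipefail makes a failure in any stage of the pipe fail the build, but
#   find's own error messages are discarded by the 2>/dev/null.
# - NB: the payload is zstd-compressed although the file keeps the .xz suffix
#   under which later stages copy it.
RUN set -o pipefail \
    && find . 2>/dev/null \
    | LC_ALL=C sort \
    | cpio --reproducible -H newc -o \
    | zstd -c -T0 -${ZSTD_COMPRESSION_LEVEL} \
    > /initramfs.xz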
732
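# Assemble the amd64 initramfs: /init plus the SquashFS rootfs in one archive.
FROM build AS initramfs-archive-amd64
WORKDIR /initramfs
ARG ZSTD_COMPRESSION_LEVEL
COPY --from=squashfs-amd64 /rootfs.sqsh .
COPY --from=init-build-amd64 /init .
# Clamp timestamps of the archive members to SOURCE_DATE_EPOCH.
RUN find . -print0 \
    | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
# Build a newc cpio archive with a stable member order and compress it.
# - The member list is sorted in the POSIX locale so the order is byte-wise and
#   does not depend on the builder's locale. The locale name is upper-case "C";
#   a lower-case "c" is not a defined locale name and only works by fallback.
# - pipefail makes a failure in any stage of the pipe fail the build, but
#   find's own error messages are discarded by the 2>/dev/null.
# - NB: the payload is zstd-compressed although the file keeps the .xz suffix
#   under which later stages copy it.
RUN set -o pipefail \
    && find . 2>/dev/null \
    | LC_ALL=C sort \
    | cpio --reproducible -H newc -o \
    | zstd -c -T0 -${ZSTD_COMPRESSION_LEVEL} \
    > /initramfs.xz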
746
# Alias for the initramfs archive of the requested TARGETARCH.
FROM initramfs-archive-${TARGETARCH} AS initramfs-archive

# Export stage: only the archive, renamed to carry the architecture.
FROM scratch AS initramfs
# TARGETARCH must be redeclared inside the stage to be usable in COPY.
ARG TARGETARCH
COPY --from=initramfs-archive /initramfs.xz /initramfs-${TARGETARCH}.xz
752
753# The talos target generates a docker image that can be used to run Talos
754# in containers.
755
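# Container image whose filesystem is exactly the rootfs tree.
FROM scratch AS talos
COPY --from=rootfs / /
# key="value" form, matching the alpha.talos.dev/version label elsewhere in
# this file (the space-separated form is the legacy syntax).
LABEL org.opencontainers.image.source="https://github.com/siderolabs/talos"
# No USER is set, so /sbin/init starts as root inside the container; how much
# that is worth on the host is decided by the flags the container is run with.
ENTRYPOINT ["/sbin/init"]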
760
761# The installer target generates an image that can be used to install Talos to
762# various environments.
# Compile the installer binary for the target architecture.
FROM base AS installer-build
ARG GO_BUILDFLAGS
ARG GO_LDFLAGS
WORKDIR /src/cmd/installer
ARG TARGETARCH
# Builds the package in the current WORKDIR. GO_BUILDFLAGS is left unquoted so
# that it can carry several flags; /.cache is a BuildKit cache mount, kept on
# the builder and never written into the layer.
RUN --mount=type=cache,target=/.cache \
    GOOS=linux GOARCH=${TARGETARCH} \
    go build ${GO_BUILDFLAGS} -ldflags "${GO_LDFLAGS}" -o /installer
RUN chmod +x /installer
770
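# Helper stage: only /usr/share/grub/unicode.pf2 is taken from it later.
# NOTE(review): the base image is pinned by tag, not by digest, and the grub
# package is not version-pinned, so the font that ends up in the installer
# image depends on the state of the Alpine repository at build time.
FROM alpine:3.18.4 AS unicode-pf2
# --no-cache already fetches a fresh index and leaves none behind, so the extra
# --update flag was redundant. --no-scripts skips the package's install
# scripts; only the packaged files are wanted here.
RUN apk add --no-cache --no-scripts grub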
773
# Boot artifacts the installer writes to disk, laid out per architecture under
# /usr/install/<arch>/: kernel, initramfs, systemd-stub and systemd-boot.
# NOTE(review): kernel and EFI binaries come from the pkg-* stages, whose image
# references are supplied through build args; the integrity of what boots
# therefore rests on those references being pinned -- verify in the build
# configuration.

FROM scratch AS install-artifacts-amd64
COPY --from=pkg-kernel-amd64        /boot/vmlinuz         /usr/install/amd64/vmlinuz
COPY --from=initramfs-archive-amd64 /initramfs.xz         /usr/install/amd64/initramfs.xz
COPY --from=pkg-sd-boot-amd64       /linuxx64.efi.stub    /usr/install/amd64/systemd-stub.efi
COPY --from=pkg-sd-boot-amd64       /systemd-bootx64.efi  /usr/install/amd64/systemd-boot.efi

FROM scratch AS install-artifacts-arm64
COPY --from=pkg-kernel-arm64        /boot/vmlinuz         /usr/install/arm64/vmlinuz
COPY --from=initramfs-archive-arm64 /initramfs.xz         /usr/install/arm64/initramfs.xz
COPY --from=pkg-sd-boot-arm64       /linuxaa64.efi.stub   /usr/install/arm64/systemd-stub.efi
COPY --from=pkg-sd-boot-arm64       /systemd-bootaa64.efi /usr/install/arm64/systemd-boot.efi
785
# Both architectures side by side; the per-arch directories do not overlap.
FROM scratch AS install-artifacts-all
COPY --from=install-artifacts-amd64 / /
COPY --from=install-artifacts-arm64 / /

# Artifacts for the architecture being built.
FROM install-artifacts-${TARGETARCH} AS install-artifacts-targetarch

# INSTALLER_ARCH picks one of the install-artifacts-* stages above by suffix
# (amd64, arm64, all or targetarch).
FROM install-artifacts-${INSTALLER_ARCH} AS install-artifacts
793
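# Userland for the installer/imager: Alpine plus disk, filesystem, bootloader
# and archive tooling, the installer binary and the GRUB payloads.
# NOTE(review): the base image is pinned by tag only and none of the apk
# packages below is version-pinned, so two builds with the same
# SOURCE_DATE_EPOCH can still differ in content if the Alpine repository moved
# in between. Pinning by digest / package version would close that gap.
FROM alpine:3.18.4 AS installer-image
ARG SOURCE_DATE_EPOCH
# key=value form; the space-separated ENV syntax is the legacy one.
ENV SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH}
# --no-cache fetches the index on the fly and stores nothing, which makes a
# separate --update redundant. --no-scripts skips package install scripts.
RUN apk add --no-cache --no-scripts \
        bash \
        binutils-aarch64 \
        binutils-x86_64 \
        cpio \
        dosfstools \
        efibootmgr \
        kmod \
        mtools \
        pigz \
        qemu-img \
        squashfs-tools \
        tar \
        util-linux \
        xfsprogs \
        xorriso \
        xz \
        zstd
ARG TARGETARCH
ENV TARGETARCH=${TARGETARCH}
COPY --from=installer-build /installer /bin/installer
COPY --chmod=0644 hack/extra-modules.conf /etc/modules.d/10-extra-modules.conf
# The whole pkg-grub root is laid over the image, then the GRUB module trees of
# both architectures are merged into /usr/lib/grub.
COPY --from=pkg-grub / /
COPY --from=pkg-grub-arm64 /usr/lib/grub /usr/lib/grub
COPY --from=pkg-grub-amd64 /usr/lib/grub /usr/lib/grub
COPY --from=unicode-pf2 /usr/share/grub/unicode.pf2 /usr/share/grub/unicode.pf2
# /bin/imager is a hard link to the same binary.
RUN ln /bin/installer /bin/imager
# Clamp timestamps, leaving out /etc/hosts and /etc/resolv.conf.
# NOTE(review): unlike the other timestamp passes in this file, this one is
# newline-delimited (no -print0 / -0) and the grep pattern is an unanchored
# substring match, so any path merely containing those strings is skipped too.
RUN find /bin /etc /lib /usr /sbin | grep -Ev '/etc/hosts|/etc/resolv.conf' \
    | xargs -r touch --date="@${SOURCE_DATE_EPOCH}" --no-dereference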
826
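# Flatten installer-image into a single layer: starting from scratch and
# copying / means the intermediate layers of installer-image are not shipped.
# ENV values set in installer-image are not carried over by the COPY.
FROM scratch AS installer-image-squashed
COPY --from=installer-image / /
ARG TAG
# key=value form; quoted so the value stays one word whatever TAG contains.
ENV VERSION="${TAG}"
LABEL "alpha.talos.dev/version"="${VERSION}"
LABEL org.opencontainers.image.source="https://github.com/siderolabs/talos"
ENTRYPOINT ["/bin/installer"]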
834
# Installer image: flattened userland plus the selected boot artifacts.
FROM installer-image-squashed AS installer
COPY --from=install-artifacts / /

# Imager image: same content, started through the /bin/imager name.
# NOTE(review): /bin/imager is a hard link to /bin/installer, so the binary
# presumably switches behaviour on the name it is invoked as -- confirm.
FROM installer-image-squashed AS imager
COPY --from=install-artifacts / /
ENTRYPOINT ["/bin/imager"]
841
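# Build the amd64 ISO by running the installer inside the imager image.
FROM imager AS iso-amd64-build
# The imager image descends from a scratch stage that sets only VERSION, so
# SOURCE_DATE_EPOCH has to be provided again here.
ARG SOURCE_DATE_EPOCH
ENV SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH}
RUN /bin/installer \
    iso \
    --arch amd64 \
    --output /out

# Same for arm64.
FROM imager AS iso-arm64-build
ARG SOURCE_DATE_EPOCH
ENV SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH}
RUN /bin/installer \
    iso \
    --arch arm64 \
    --output /out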
857
# Export stages holding nothing but the generated /out content.
FROM scratch AS iso-amd64
COPY --from=iso-amd64-build /out /

FROM scratch AS iso-arm64
COPY --from=iso-arm64-build /out /

# ISO for the requested TARGETARCH; the stage itself is tied to the build
# platform.
FROM --platform=${BUILDPLATFORM} iso-${TARGETARCH} AS iso
865
866# The test target performs tests on the source code.
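# Run the unit tests on top of the real rootfs and collect coverage.
FROM base AS unit-tests-runner
# unlink refuses directories, so /etc/ssl is presumably a symlink in the base
# stage that has to go before the rootfs is copied over / -- confirm.
RUN unlink /etc/ssl
COPY --from=rootfs / /
ARG TESTPKGS
ENV PLATFORM=container
ARG GO_LDFLAGS
# --security=insecure runs this step outside the default BuildKit sandbox
# (privileged), and the build only succeeds when the security.insecure
# entitlement has been granted on the builder. Test code and every dependency
# it pulls in therefore execute with elevated privileges on the build host:
# build this target on dedicated or throw-away builders only.
# The /tmp cache mount (id=testspace) is shared with the unit-tests-race stage
# and persists between builds, so files left there by one run are visible to
# the next.
RUN --security=insecure \
    --mount=type=cache,id=testspace,target=/tmp \
    --mount=type=cache,target=/.cache \
    go test -failfast -v \
        -ldflags "${GO_LDFLAGS}" \
        -covermode=atomic -coverprofile=coverage.txt -coverpkg=${TESTPKGS} -count 1 -p 4 ${TESTPKGS}

# Export stage: the coverage profile only.
FROM scratch AS unit-tests
COPY --from=unit-tests-runner /src/coverage.txt /coverage.txt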
878
879# The unit-tests-race target performs tests with race detector.
880
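# Run the unit tests under the Go race detector.
FROM base AS unit-tests-race
# unlink refuses directories, so /etc/ssl is presumably a symlink in the base
# stage that has to go before the rootfs is copied over / -- confirm.
RUN unlink /etc/ssl
COPY --from=rootfs / /
ARG TESTPKGS
# The race detector needs cgo.
ENV PLATFORM=container \
    CGO_ENABLED=1
ARG GO_LDFLAGS
# --security=insecure runs this step outside the default BuildKit sandbox
# (privileged), and the build only succeeds when the security.insecure
# entitlement has been granted on the builder. Test code and every dependency
# it pulls in therefore execute with elevated privileges on the build host:
# build this target on dedicated or throw-away builders only.
# The /tmp cache mount (id=testspace) is shared with the unit-tests-runner
# stage and persists between builds.
RUN --security=insecure \
    --mount=type=cache,id=testspace,target=/tmp \
    --mount=type=cache,target=/.cache \
    go test -v \
        -ldflags "${GO_LDFLAGS}" \
        -race -count 1 -p 4 ${TESTPKGS}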
891
# The integration-test targets build the integration test binary.
893
FROM base AS integration-test-linux-build
ARG GO_BUILDFLAGS
ARG GO_LDFLAGS
ARG GOAMD64
# `go test -c` compiles the test binary without running it. The target is
# fixed to linux/amd64, independent of TARGETARCH.
RUN --mount=type=cache,target=/.cache \
    GOOS=linux GOARCH=amd64 GOAMD64=${GOAMD64} \
    go test -v -c ${GO_BUILDFLAGS} \
        -ldflags "${GO_LDFLAGS}" \
        -tags integration,integration_api,integration_cli,integration_k8s \
        ./internal/integration

# Export stage: the compiled test binary only.
FROM scratch AS integration-test-linux
COPY --from=integration-test-linux-build /src/integration.test /integration-test-linux-amd64
905
FROM base AS integration-test-darwin-build
ARG GO_BUILDFLAGS
ARG GO_LDFLAGS
ARG GOAMD64
# Cross-compiles the same test binary for darwin/amd64; nothing is executed.
RUN --mount=type=cache,target=/.cache \
    GOOS=darwin GOARCH=amd64 GOAMD64=${GOAMD64} \
    go test -v -c ${GO_BUILDFLAGS} \
        -ldflags "${GO_LDFLAGS}" \
        -tags integration,integration_api,integration_cli,integration_k8s \
        ./internal/integration

# Export stage: the compiled test binary only.
FROM scratch AS integration-test-darwin
COPY --from=integration-test-darwin-build /src/integration.test /integration-test-darwin-amd64
917
918# The integration-test-provision target builds integration test binary with provisioning tests.
919
FROM base AS integration-test-provision-linux-build
ARG GO_BUILDFLAGS
ARG GO_LDFLAGS
ARG GOAMD64
# Same package as the integration-test build, compiled with the provisioning
# tag set instead of the api/cli/k8s ones.
RUN --mount=type=cache,target=/.cache \
    GOOS=linux GOARCH=amd64 GOAMD64=${GOAMD64} \
    go test -v -c ${GO_BUILDFLAGS} \
        -ldflags "${GO_LDFLAGS}" \
        -tags integration,integration_provision \
        ./internal/integration

# Export stage: the compiled test binary only.
FROM scratch AS integration-test-provision-linux
COPY --from=integration-test-provision-linux-build /src/integration.test /integration-test-provision-linux-amd64
931
# The module-sig-verify targets build the module-sig-verify binary.
FROM build-go AS module-sig-verify-linux-build
# NOTE(review): GO_BUILDFLAGS and GO_LDFLAGS are declared but the build command
# below does not reference them -- confirm whether that is intended.
ARG GO_BUILDFLAGS
ARG GO_LDFLAGS
ARG GOAMD64
WORKDIR /src/module-sig-verify
# Manifests first: the download layer is reused until go.mod/go.sum change, and
# the downloaded modules are checked against the hashes recorded in go.sum.
COPY ./hack/module-sig-verify/go.mod ./hack/module-sig-verify/go.sum ./
RUN --mount=type=cache,target=/.cache go mod download
COPY ./hack/module-sig-verify/main.go .
RUN --mount=type=cache,target=/.cache \
    GOOS=linux GOARCH=amd64 GOAMD64=${GOAMD64} \
    go build -o module-sig-verify .

# Export stage: the binary only.
FROM scratch AS module-sig-verify-linux
COPY --from=module-sig-verify-linux-build /src/module-sig-verify/module-sig-verify /module-sig-verify-linux-amd64
945
946# The lint target performs linting on the source code.
FROM base AS lint-go
COPY .golangci.yml .
# The linter cache is placed under /.cache, which the RUN steps below mount as
# a BuildKit cache.
ENV GOGC=50 \
    GOLANGCI_LINT_CACHE=/.cache/lint
# Validate the linter configuration before linting with it.
RUN golangci-lint config verify --config .golangci.yml
# Main module.
RUN --mount=type=cache,target=/.cache golangci-lint run --config .golangci.yml
# pkg/machinery, linted with the same configuration.
WORKDIR /src/pkg/machinery
RUN --mount=type=cache,target=/.cache golangci-lint run --config ../../.golangci.yml
# hack/cloud-image-uploader is copied in only for this stage.
COPY ./hack/cloud-image-uploader /src/hack/cloud-image-uploader
WORKDIR /src/hack/cloud-image-uploader
RUN --mount=type=cache,target=/.cache golangci-lint run --config ../../.golangci.yml
# Import restrictions across the whole module tree.
WORKDIR /src
RUN --mount=type=cache,target=/.cache importvet github.com/siderolabs/talos/...
960
961# The protolint target performs linting on protobuf files.
962
FROM base AS lint-protobuf
WORKDIR /src/api
COPY api .
# Style lint of the .proto files.
RUN --mount=type=cache,target=/.cache \
    prototool lint \
        --protoc-bin-path=/toolchain/bin/protoc \
        --protoc-wkt-path=/toolchain/include
# Breaking-change check against the api.descriptors descriptor set.
RUN --mount=type=cache,target=/.cache \
    prototool break check \
        --descriptor-set-path=api.descriptors \
        --protoc-bin-path=/toolchain/bin/protoc \
        --protoc-wkt-path=/toolchain/include
968
969# The markdownlint target performs linting on Markdown files.
970
# NOTE(review): oven/bun:1-alpine is a floating tag on a third-party image, so
# the toolchain that runs here can change between builds without any change in
# this file; pinning by digest would fix what is executed.
FROM oven/bun:1-alpine AS lint-markdown
# The linter versions have no defaults in this stage: whether the installs
# below are pinned depends entirely on the caller passing these build args.
ARG MARKDOWNLINTCLI_VERSION
ARG TEXTLINT_VERSION
ARG TEXTLINT_FILTER_RULE_COMMENTS_VERSION
ARG TEXTLINT_RULE_ONE_SENTENCE_PER_LINE_VERSION
RUN apk add --no-cache findutils
RUN bun i -g \
    markdownlint-cli@${MARKDOWNLINTCLI_VERSION} \
    textlint@${TEXTLINT_VERSION} \
    textlint-filter-rule-comments@${TEXTLINT_FILTER_RULE_COMMENTS_VERSION} \
    textlint-rule-one-sentence-per-line@${TEXTLINT_RULE_ONE_SENTENCE_PER_LINE_VERSION}
WORKDIR /src
# Copies the whole build context into the stage; what is left out is decided by
# .dockerignore, which is not part of this file.
COPY . .
RUN bun run --bun markdownlint \
    --ignore '**/LICENCE.md' \
    --ignore '**/CHANGELOG.md' \
    --ignore '**/CODE_OF_CONDUCT.md' \
    --ignore '**/node_modules/**' \
    --ignore '**/hack/chglog/**' \
    --ignore 'website/content/*/reference/*' \
    --ignore 'website/themes/**' \
    --disable MD045 MD056 -- \
    .
# textlint over the same set of files; NUL-delimited so unusual file names are
# passed through intact.
RUN find . \
    -name '*.md' \
    -not -path './LICENCE.md' \
    -not -path './CHANGELOG.md' \
    -not -path './CODE_OF_CONDUCT.md' \
    -not -path '*/node_modules/*' \
    -not -path './hack/chglog/**' \
    -not -path './website/content/*/reference/*' \
    -not -path './website/themes/**' \
    -print0 \
    | xargs -0 bun run --bun textlint
1001
1002# The docs target generates documentation.
1003
FROM base AS docs-build
ARG TARGETOS
ARG TARGETARCH
WORKDIR /src
COPY --from=talosctl-targetarch /talosctl-${TARGETOS}-${TARGETARCH} /bin/talosctl
# Generate the configuration reference into /tmp/configuration and the CLI
# reference into /tmp, with HOME and TAG fixed for the generator.
RUN env HOME=/home/user TAG=latest /bin/talosctl docs --config /tmp/configuration \
    && env HOME=/home/user TAG=latest /bin/talosctl docs --cli /tmp
# JSON schemas are shipped next to the generated documents.
COPY ./pkg/machinery/config/schemas/*.schema.json /tmp/schemas/
1012
# NOTE(review): this third-party image carries no tag or digest, so it resolves
# to whatever "latest" is at build time; the code that runs in this stage is
# then not fixed by this file. Pinning a tag and digest would make the stage
# repeatable.
FROM pseudomuto/protoc-gen-doc AS proto-docs-build
COPY --from=generate-build /api /protos
COPY ./hack/protoc-gen-doc/markdown.tmpl /tmp/markdown.tmpl
# Render all API protos into a single /tmp/api.md using the project template.
# NOTE(review): the `**` in the resource/definitions path only recurses in
# shells with globstar support; which shell this image uses is not visible
# here -- confirm the intended depth.
RUN protoc \
    -I/protos \
    -I/protos/common \
    -I/protos/resource/definitions \
    -I/protos/inspect \
    -I/protos/machine \
    -I/protos/resource \
    -I/protos/security \
    -I/protos/storage \
    -I/protos/time \
    -I/protos/vendor \
    --doc_opt=/tmp/markdown.tmpl,api.md \
    --doc_out=/tmp \
    /protos/common/*.proto \
    /protos/resource/definitions/**/*.proto \
    /protos/inspect/*.proto \
    /protos/machine/*.proto \
    /protos/security/*.proto \
    /protos/storage/*.proto \
    /protos/time/*.proto
1036
# Export stage: generated documents placed at their paths in the website tree.
FROM scratch AS docs
COPY --from=docs-build       /tmp/configuration/ /website/content/v1.8/reference/configuration/
COPY --from=docs-build       /tmp/cli.md         /website/content/v1.8/reference/
COPY --from=docs-build       /tmp/schemas        /website/content/v1.8/schemas/
COPY --from=proto-docs-build /tmp/api.md         /website/content/v1.8/reference/
1042
1043# The talosctl-cni-bundle builds the CNI bundle for talosctl.
1044
# Export stage: the CNI plugin binaries, in a directory named after the
# architecture.
FROM scratch AS talosctl-cni-bundle
# TARGETARCH must be redeclared inside the stage to be usable in COPY.
ARG TARGETARCH
COPY --from=extras-talosctl-cni-bundle-install /opt/cni/bin/ /talosctl-cni-bundle-${TARGETARCH}/
1048
1049# The go-mod-outdated target lists all outdated modules.
1050
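FROM base AS go-mod-outdated
# Version of the go-mod-outdated tool to install. The default keeps the
# previous behaviour ("latest"), which fetches and runs whatever was published
# most recently; pass a fixed version as a build arg to make the tool that
# executes in this stage repeatable.
ARG GO_MOD_OUTDATED_VERSION=latest
RUN --mount=type=cache,target=/.cache \
    go install github.com/psampaz/go-mod-outdated@${GO_MOD_OUTDATED_VERSION} \
    && mv /go/bin/go-mod-outdated /toolchain/go/bin/go-mod-outdated
# Modules under hack/ that are reported on in addition to the main ones.
COPY ./hack/cloud-image-uploader ./hack/cloud-image-uploader
COPY ./hack/docgen ./hack/docgen
COPY ./hack/gotagsrewrite ./hack/gotagsrewrite
COPY ./hack/module-sig-verify ./hack/module-sig-verify
COPY ./hack/structprotogen ./hack/structprotogen
# fail always to get the output back
# The loop prints, per module, the direct dependencies that have updates. There
# is no `set -e`, so an error inside one module does not stop the loop; the
# final `exit 1` fails the step on purpose so the report shows in the build log.
RUN --mount=type=cache,target=/.cache <<EOF
    for project in pkg/machinery . hack/cloud-image-uploader hack/docgen hack/gotagsrewrite hack/module-sig-verify hack/structprotogen; do
        echo -e "\n>>>> ${project}:" && \
        (cd "${project}" && go list -u -m -json all | go-mod-outdated -update -direct)
    done

    exit 1
EOF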
1068