Prebuild base images for testing images in docker (istio#27402)

* Prebuild base docker images * Use dockerx * Temporarily use my repo * Revert "Temporarily use my repo" This reverts commit 708bce9. * Add distroless * fix dockerx
u248 · Sep 21, 2020 · 75a656d · 75a656d
1 parent c2632e4
commit 75a656d
Show file tree

Hide file tree

Showing 7 changed files with 118 additions and 52 deletions.
diff --git a/Makefile.core.mk b/Makefile.core.mk
@@ -22,7 +22,7 @@ SHELL := /bin/bash -o pipefail
 export VERSION ?= 1.8-dev
 
 # Base version of Istio image to use
-BASE_VERSION ?= 1.8-dev.0
+BASE_VERSION ?= 1.8-dev.1
 
 export GO111MODULE ?= on
 export GOPROXY ?= https://proxy.golang.org

diff --git a/pkg/test/echo/docker/Dockerfile.app_sidecar b/pkg/test/echo/docker/Dockerfile.app_sidecar
@@ -1,34 +1,7 @@
 ARG VM_IMAGE_NAME=ubuntu
 ARG VM_IMAGE_VERSION=bionic
-FROM ${VM_IMAGE_NAME}:${VM_IMAGE_VERSION}
-# Dockerfile for different VM OS versions
-ENV DEBIAN_FRONTEND=noninteractive
-
-# Do not add more stuff to this list that isn't small or critically useful.
-# If you occasionally need something on the container do
-# sudo apt-get update && apt-get whichever
-
-# hadolint ignore=DL3005,DL3008
-RUN apt-get update && \
-    apt-get install --no-install-recommends -y \
-    iptables \
-    iproute2 \
-    sudo \
-    && apt-get upgrade -y \
-    && apt-get clean \
-    && rm -rf  /var/log/*log /var/lib/apt/lists/* /var/log/apt/* /var/lib/dpkg/*-old /var/cache/debconf/*-old
-
-# Fix the bug of --to-ports not available.
-# Redeclare ARGs to acquire values declared outside of build stage
-ARG VM_IMAGE_NAME
-ARG VM_IMAGE_VERSION
-RUN if [ "$VM_IMAGE_NAME" = "debian" ] && [ "$VM_IMAGE_VERSION" = "10" ]; then \
-    update-alternatives --set iptables /usr/sbin/iptables-legacy && \
-    update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy; fi
-
-# Add a user that will run the application. This allows running as this user and capture iptables
-RUN useradd -m --uid 1338 application && \
-    echo "application ALL=NOPASSWD: ALL" >> /etc/sudoers
+ARG BASE_VERSION=latest
+FROM docker.io/istio/app_sidecar_base_${VM_IMAGE_NAME}_${VM_IMAGE_VERSION}:${BASE_VERSION}
 
 # Install the certs.
 COPY certs/                           /var/lib/istio/

diff --git a/pkg/test/echo/docker/Dockerfile.app_sidecar_base b/pkg/test/echo/docker/Dockerfile.app_sidecar_base
@@ -0,0 +1,31 @@
+ARG VM_IMAGE_NAME=ubuntu
+ARG VM_IMAGE_VERSION=bionic
+FROM ${VM_IMAGE_NAME}:${VM_IMAGE_VERSION}
+# Dockerfile for different VM OS versions
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Do not add more stuff to this list that isn't small or critically useful.
+# If you occasionally need something on the container do
+# sudo apt-get update && apt-get whichever
+
+# hadolint ignore=DL3005,DL3008
+RUN apt-get update && \
+    apt-get install --no-install-recommends -y \
+    iptables \
+    iproute2 \
+    sudo \
+    && apt-get upgrade -y \
+    && apt-get clean \
+    && rm -rf  /var/log/*log /var/lib/apt/lists/* /var/log/apt/* /var/lib/dpkg/*-old /var/cache/debconf/*-old
+
+# Fix the bug of --to-ports not available.
+# Redeclare ARGs to acquire values declared outside of build stage
+ARG VM_IMAGE_NAME
+ARG VM_IMAGE_VERSION
+RUN if [ "$VM_IMAGE_NAME" = "debian" ] && [ "$VM_IMAGE_VERSION" = "10" ]; then \
+    update-alternatives --set iptables /usr/sbin/iptables-legacy && \
+    update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy; fi
+
+# Add a user that will run the application. This allows running as this user and capture iptables
+RUN useradd -m --uid 1338 application && \
+    echo "application ALL=NOPASSWD: ALL" >> /etc/sudoers
diff --git a/pkg/test/echo/docker/Dockerfile.app_sidecar_base_centos b/pkg/test/echo/docker/Dockerfile.app_sidecar_base_centos
@@ -0,0 +1,15 @@
+FROM centos:8
+
+# hadolint ignore=DL3005,DL3008
+RUN yum upgrade -y && \
+    yum install -y \
+    iptables \
+    iproute \
+    sudo \
+    && update-ca-trust \
+    yum clean all && \
+    rm -rf /var/cache/yum
+
+# Add a user that will run the application. This allows running as this user and capture iptables
+RUN useradd -m --uid 1338 application && \
+    echo "application ALL=NOPASSWD: ALL" >> /etc/sudoers
diff --git a/pkg/test/echo/docker/Dockerfile.app_sidecar_centos_8 b/pkg/test/echo/docker/Dockerfile.app_sidecar_centos_8
@@ -1,18 +1,5 @@
-FROM centos:8
-
-# hadolint ignore=DL3005,DL3008
-RUN yum upgrade -y && \
-    yum install -y \
-    iptables \
-    iproute \
-    sudo \
-    && update-ca-trust \
-    yum clean all && \
-    rm -rf /var/cache/yum
-
-# Add a user that will run the application. This allows running as this user and capture iptables
-RUN useradd -m --uid 1338 application && \
-    echo "application ALL=NOPASSWD: ALL" >> /etc/sudoers
+ARG BASE_VERSION=latest
+FROM docker.io/istio/app_sidecar_base_centos_8:${BASE_VERSION}
 
 # Install the certs.
 COPY certs/                           /var/lib/istio/

diff --git a/tools/build-base-images.sh b/tools/build-base-images.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script runs go tests in a package, but each test is run individually. This helps
+# isolate tests that are improperly depending on global state modification of other tests
+
+set -ex
+
+HUB="${HUB:-istio.io/docker}"
+TAG="${TAG:?specify a tag}"
+
+DOCKER_TARGETS="docker.base docker.distroless docker.app_sidecar_base_debian_9 docker.app_sidecar_base_debian_10 docker.app_sidecar_base_ubuntu_xenial docker.app_sidecar_base_ubuntu_bionic docker.app_sidecar_base_ubuntu_focal docker.app_sidecar_base_centos_8" make dockerx.pushx
diff --git a/tools/istio-docker.mk b/tools/istio-docker.mk
@@ -113,7 +113,7 @@ docker.app: $(ISTIO_DOCKER)/certs
 	$(DOCKER_RULE)
 
 # Test application bundled with the sidecar with ubuntu:xenial (for non-k8s).
-docker.app_sidecar_ubuntu_xenial: BUILD_ARGS=--build-arg VM_IMAGE_NAME=ubuntu --build-arg VM_IMAGE_VERSION=xenial
+docker.app_sidecar_ubuntu_xenial: BUILD_ARGS=--build-arg VM_IMAGE_NAME=ubuntu --build-arg VM_IMAGE_VERSION=xenial --build-arg BASE_VERSION=${BASE_VERSION}
 docker.app_sidecar_ubuntu_xenial: tools/packaging/common/envoy_bootstrap.json
 docker.app_sidecar_ubuntu_xenial: $(ISTIO_OUT_LINUX)/release/istio-sidecar.deb
 docker.app_sidecar_ubuntu_xenial: $(ISTIO_DOCKER)/certs
@@ -124,7 +124,7 @@ docker.app_sidecar_ubuntu_xenial: $(ISTIO_OUT_LINUX)/server
 	$(DOCKER_RULE)
 
 # Test application bundled with the sidecar with ubuntu:bionic (for non-k8s).
-docker.app_sidecar_ubuntu_bionic: BUILD_ARGS=--build-arg VM_IMAGE_NAME=ubuntu --build-arg VM_IMAGE_VERSION=bionic
+docker.app_sidecar_ubuntu_bionic: BUILD_ARGS=--build-arg VM_IMAGE_NAME=ubuntu --build-arg VM_IMAGE_VERSION=bionic --build-arg BASE_VERSION=${BASE_VERSION}
 docker.app_sidecar_ubuntu_bionic: tools/packaging/common/envoy_bootstrap.json
 docker.app_sidecar_ubuntu_bionic: $(ISTIO_OUT_LINUX)/release/istio-sidecar.deb
 docker.app_sidecar_ubuntu_bionic: $(ISTIO_DOCKER)/certs
@@ -135,7 +135,7 @@ docker.app_sidecar_ubuntu_bionic: $(ISTIO_OUT_LINUX)/server
 	$(DOCKER_RULE)
 
 # Test application bundled with the sidecar with ubuntu:focal (for non-k8s).
-docker.app_sidecar_ubuntu_focal: BUILD_ARGS=--build-arg VM_IMAGE_NAME=ubuntu --build-arg VM_IMAGE_VERSION=focal
+docker.app_sidecar_ubuntu_focal: BUILD_ARGS=--build-arg VM_IMAGE_NAME=ubuntu --build-arg VM_IMAGE_VERSION=focal --build-arg BASE_VERSION=${BASE_VERSION}
 docker.app_sidecar_ubuntu_focal: tools/packaging/common/envoy_bootstrap.json
 docker.app_sidecar_ubuntu_focal: $(ISTIO_OUT_LINUX)/release/istio-sidecar.deb
 docker.app_sidecar_ubuntu_focal: $(ISTIO_DOCKER)/certs
@@ -146,7 +146,7 @@ docker.app_sidecar_ubuntu_focal: $(ISTIO_OUT_LINUX)/server
 	$(DOCKER_RULE)
 
 # Test application bundled with the sidecar with debian 9 (for non-k8s).
-docker.app_sidecar_debian_9: BUILD_ARGS=--build-arg VM_IMAGE_NAME=debian --build-arg VM_IMAGE_VERSION=9
+docker.app_sidecar_debian_9: BUILD_ARGS=--build-arg VM_IMAGE_NAME=debian --build-arg VM_IMAGE_VERSION=9 --build-arg BASE_VERSION=${BASE_VERSION}
 docker.app_sidecar_debian_9: tools/packaging/common/envoy_bootstrap.json
 docker.app_sidecar_debian_9: $(ISTIO_OUT_LINUX)/release/istio-sidecar.deb
 docker.app_sidecar_debian_9: $(ISTIO_DOCKER)/certs
@@ -157,7 +157,7 @@ docker.app_sidecar_debian_9: $(ISTIO_OUT_LINUX)/server
 	$(DOCKER_RULE)
 
 # Test application bundled with the sidecar with debian 10 (for non-k8s).
-docker.app_sidecar_debian_10: BUILD_ARGS=--build-arg VM_IMAGE_NAME=debian --build-arg VM_IMAGE_VERSION=10
+docker.app_sidecar_debian_10: BUILD_ARGS=--build-arg VM_IMAGE_NAME=debian --build-arg VM_IMAGE_VERSION=10 --build-arg BASE_VERSION=${BASE_VERSION}
 docker.app_sidecar_debian_10: tools/packaging/common/envoy_bootstrap.json
 docker.app_sidecar_debian_10: $(ISTIO_OUT_LINUX)/release/istio-sidecar.deb
 docker.app_sidecar_debian_10: $(ISTIO_DOCKER)/certs
@@ -168,7 +168,7 @@ docker.app_sidecar_debian_10: $(ISTIO_OUT_LINUX)/server
 	$(DOCKER_RULE)
 
 # Test application bundled with the sidecar (for non-k8s).
-docker.app_sidecar_centos_8: BUILD_ARGS=--build-arg BASE_VERSION=${BASE_VERSION}
+docker.app_sidecar_centos_8: BUILD_ARGS=--build-arg BASE_VERSION=${BASE_VERSION} --build-arg BASE_VERSION=${BASE_VERSION}
 docker.app_sidecar_centos_8: tools/packaging/common/envoy_bootstrap.json
 docker.app_sidecar_centos_8: $(ISTIO_OUT_LINUX)/release/istio-sidecar.rpm
 docker.app_sidecar_centos_8: $(ISTIO_DOCKER)/certs
@@ -232,6 +232,41 @@ dockerx.%:
 docker.base: docker/Dockerfile.base
 	$(DOCKER_RULE)
 
+docker.app_sidecar_base_debian_9: BUILD_ARGS=--build-arg VM_IMAGE_NAME=debian --build-arg VM_IMAGE_VERSION=9
+docker.app_sidecar_base_debian_9: VM_OS_DOCKERFILE_TEMPLATE=Dockerfile.app_sidecar_base
+docker.app_sidecar_base_debian_9: pkg/test/echo/docker/Dockerfile.app_sidecar_base
+	$(RENAME_TEMPLATE)
+	$(DOCKER_RULE)
+
+docker.app_sidecar_base_debian_10: BUILD_ARGS=--build-arg VM_IMAGE_NAME=debian --build-arg VM_IMAGE_VERSION=10
+docker.app_sidecar_base_debian_10: VM_OS_DOCKERFILE_TEMPLATE=Dockerfile.app_sidecar_base
+docker.app_sidecar_base_debian_10: pkg/test/echo/docker/Dockerfile.app_sidecar_base
+	$(RENAME_TEMPLATE)
+	$(DOCKER_RULE)
+
+docker.app_sidecar_base_ubuntu_xenial: BUILD_ARGS=--build-arg VM_IMAGE_NAME=ubuntu --build-arg VM_IMAGE_VERSION=xenial
+docker.app_sidecar_base_ubuntu_xenial: VM_OS_DOCKERFILE_TEMPLATE=Dockerfile.app_sidecar_base
+docker.app_sidecar_base_ubuntu_xenial: pkg/test/echo/docker/Dockerfile.app_sidecar_base
+	$(RENAME_TEMPLATE)
+	$(DOCKER_RULE)
+
+docker.app_sidecar_base_ubuntu_bionic: BUILD_ARGS=--build-arg VM_IMAGE_NAME=ubuntu --build-arg VM_IMAGE_VERSION=bionic
+docker.app_sidecar_base_ubuntu_bionic: VM_OS_DOCKERFILE_TEMPLATE=Dockerfile.app_sidecar_base
+docker.app_sidecar_base_ubuntu_bionic: pkg/test/echo/docker/Dockerfile.app_sidecar_base
+	$(RENAME_TEMPLATE)
+	$(DOCKER_RULE)
+
+docker.app_sidecar_base_ubuntu_focal: BUILD_ARGS=--build-arg VM_IMAGE_NAME=ubuntu --build-arg VM_IMAGE_VERSION=focal
+docker.app_sidecar_base_ubuntu_focal: VM_OS_DOCKERFILE_TEMPLATE=Dockerfile.app_sidecar_base
+docker.app_sidecar_base_ubuntu_focal: pkg/test/echo/docker/Dockerfile.app_sidecar_base
+	$(RENAME_TEMPLATE)
+	$(DOCKER_RULE)
+
+docker.app_sidecar_base_centos_8: VM_OS_DOCKERFILE_TEMPLATE=Dockerfile.app_sidecar_base_centos
+docker.app_sidecar_base_centos_8: pkg/test/echo/docker/Dockerfile.app_sidecar_base_centos
+	$(RENAME_TEMPLATE)
+	$(DOCKER_RULE)
+
 docker.distroless: docker/Dockerfile.distroless
 	$(DOCKER_RULE)
 
@@ -281,7 +316,7 @@ dockerx.save: dockerx $(ISTIO_DOCKER_TAR)
 		   ); \
 	 ))
 
-docker.save: $(DOCKER_TAR_TARGETS)
+docker.save: dockerx.save
 
 # for each docker.XXX target create a push.docker.XXX target that pushes
 # the local docker image to another hub