Update golang #16986
Merged
Update golang #16986
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Changes: - docker-library/golang@1a33f8b: Merge pull request docker-library/golang#521 from infosiftr/copy-link-redux - docker-library/golang@81c0d31: Work around `COPY --link` limitations by pre-creating full filesystem tree
Diff for 7bb6f52:diff --git a/_bashbrew-cat b/_bashbrew-cat
index 90fd530..3af3cea 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -4,23 +4,23 @@ Builder: buildkit
Tags: 1.21.11-alpine3.19, 1.21-alpine3.19
Architectures: amd64, arm32v6, arm32v7, arm64v8, i386, ppc64le, s390x
-GitCommit: d92abc1f4a90239f955653f24f69a023d5d1d749
+GitCommit: 81c0d3115b37997c04828faba09440fd9fffce33
Directory: 1.21/alpine3.19
Tags: 1.21.11-alpine3.20, 1.21-alpine3.20, 1.21.11-alpine, 1.21-alpine
Architectures: amd64, arm32v6, arm32v7, arm64v8, i386, ppc64le, riscv64, s390x
-GitCommit: d92abc1f4a90239f955653f24f69a023d5d1d749
+GitCommit: 81c0d3115b37997c04828faba09440fd9fffce33
Directory: 1.21/alpine3.20
Tags: 1.21.11-bookworm, 1.21-bookworm
SharedTags: 1.21.11, 1.21
Architectures: amd64, arm32v7, arm64v8, i386, mips64le, ppc64le, s390x
-GitCommit: d92abc1f4a90239f955653f24f69a023d5d1d749
+GitCommit: 81c0d3115b37997c04828faba09440fd9fffce33
Directory: 1.21/bookworm
Tags: 1.21.11-bullseye, 1.21-bullseye
Architectures: amd64, arm32v7, arm64v8, i386, mips64le, ppc64le, s390x
-GitCommit: d92abc1f4a90239f955653f24f69a023d5d1d749
+GitCommit: 81c0d3115b37997c04828faba09440fd9fffce33
Directory: 1.21/bullseye
Tags: 1.21.11-nanoserver-1809, 1.21-nanoserver-1809
@@ -57,23 +57,23 @@ Constraints: windowsservercore-ltsc2022
Tags: 1.22.4-alpine3.19, 1.22-alpine3.19, 1-alpine3.19, alpine3.19
Architectures: amd64, arm32v6, arm32v7, arm64v8, i386, ppc64le, s390x
-GitCommit: 58bc678a838d467ca5afb7e0ee636cf5b8459da2
+GitCommit: 81c0d3115b37997c04828faba09440fd9fffce33
Directory: 1.22/alpine3.19
Tags: 1.22.4-alpine3.20, 1.22-alpine3.20, 1-alpine3.20, alpine3.20, 1.22.4-alpine, 1.22-alpine, 1-alpine, alpine
Architectures: amd64, arm32v6, arm32v7, arm64v8, i386, ppc64le, riscv64, s390x
-GitCommit: 58bc678a838d467ca5afb7e0ee636cf5b8459da2
+GitCommit: 81c0d3115b37997c04828faba09440fd9fffce33
Directory: 1.22/alpine3.20
Tags: 1.22.4-bookworm, 1.22-bookworm, 1-bookworm, bookworm
SharedTags: 1.22.4, 1.22, 1, latest
Architectures: amd64, arm32v7, arm64v8, i386, mips64le, ppc64le, s390x
-GitCommit: 58bc678a838d467ca5afb7e0ee636cf5b8459da2
+GitCommit: 81c0d3115b37997c04828faba09440fd9fffce33
Directory: 1.22/bookworm
Tags: 1.22.4-bullseye, 1.22-bullseye, 1-bullseye, bullseye
Architectures: amd64, arm32v7, arm64v8, i386, mips64le, ppc64le, s390x
-GitCommit: 58bc678a838d467ca5afb7e0ee636cf5b8459da2
+GitCommit: 81c0d3115b37997c04828faba09440fd9fffce33
Directory: 1.22/bullseye
Tags: 1.22.4-nanoserver-1809, 1.22-nanoserver-1809, 1-nanoserver-1809, nanoserver-1809
diff --git a/golang_1.21-alpine/Dockerfile b/golang_1.21-alpine/Dockerfile
index 7feb716..fd065dc 100644
--- a/golang_1.21-alpine/Dockerfile
+++ b/golang_1.21-alpine/Dockerfile
@@ -11,6 +11,7 @@ ENV PATH /usr/local/go/bin:$PATH
ENV GOLANG_VERSION 1.21.11
RUN set -eux; \
+ now="$(date '+%s')"; \
apk add --no-cache --virtual .fetch-deps \
ca-certificates \
gnupg \
@@ -75,8 +76,11 @@ RUN set -eux; \
# save the timestamp from the tarball so we can restore it for reproducibility, if necessary (see below)
SOURCE_DATE_EPOCH="$(stat -c '%Y' /usr/local/go)"; \
export SOURCE_DATE_EPOCH; \
+ touchy="$(date -d "@$SOURCE_DATE_EPOCH" '+%Y%m%d%H%M.%S')"; \
# for logging validation/edification
date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
+# sanity check (detected value should be older than our wall clock)
+ [ "$SOURCE_DATE_EPOCH" -lt "$now" ]; \
\
if [ "$arch" = 'armv7' ]; then \
[ -s /usr/local/go/go.env ]; \
@@ -88,17 +92,23 @@ RUN set -eux; \
} >> /usr/local/go/go.env; \
after="$(go env GOARM)"; [ "$after" = '7' ]; \
# (re-)clamp timestamp for reproducibility (allows "COPY --link" to be more clever/useful)
- date="$(date -d "@$SOURCE_DATE_EPOCH" '+%Y%m%d%H%M.%S')"; \
- touch -t "$date" /usr/local/go/go.env /usr/local/go; \
+ touch -t "$touchy" /usr/local/go/go.env /usr/local/go; \
fi; \
\
+# ideally at this point, we would just "COPY --link ... /usr/local/go/ /usr/local/go/" but BuildKit insists on creating the parent directories (perhaps related to https://github.com/opencontainers/image-spec/pull/970), and does so with unreproducible timestamps, so we instead create a whole new "directory tree" that we can "COPY --link" to accomplish what we want
+ mkdir /target /target/usr /target/usr/local; \
+ mv -vT /usr/local/go /target/usr/local/go; \
+ ln -svfT /target/usr/local/go /usr/local/go; \
+ touch -t "$touchy" /target/usr/local /target/usr /target; \
+ \
apk del --no-network .fetch-deps; \
\
# smoke test
go version; \
# make sure our reproducibile timestamp is probably still correct (best-effort inline reproducibility test)
- epoch="$(stat -c '%Y' /usr/local/go)"; \
- [ "$SOURCE_DATE_EPOCH" = "$epoch" ]
+ epoch="$(stat -c '%Y' /target/usr/local/go)"; \
+ [ "$SOURCE_DATE_EPOCH" = "$epoch" ]; \
+ find /target -newer /target/usr/local/go -exec sh -c 'ls -ld "$@" && exit "$#"' -- '{}' +
FROM alpine:3.20
@@ -112,6 +122,7 @@ ENV GOTOOLCHAIN=local
ENV GOPATH /go
ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
-COPY --from=build --link /usr/local/go/ /usr/local/go/
+# (see notes above about "COPY --link")
+COPY --from=build --link /target/ /
RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 1777 "$GOPATH"
WORKDIR $GOPATH
diff --git a/golang_1.21-alpine3.19/Dockerfile b/golang_1.21-alpine3.19/Dockerfile
index e728f57..63f7a74 100644
--- a/golang_1.21-alpine3.19/Dockerfile
+++ b/golang_1.21-alpine3.19/Dockerfile
@@ -11,6 +11,7 @@ ENV PATH /usr/local/go/bin:$PATH
ENV GOLANG_VERSION 1.21.11
RUN set -eux; \
+ now="$(date '+%s')"; \
apk add --no-cache --virtual .fetch-deps \
ca-certificates \
gnupg \
@@ -75,8 +76,11 @@ RUN set -eux; \
# save the timestamp from the tarball so we can restore it for reproducibility, if necessary (see below)
SOURCE_DATE_EPOCH="$(stat -c '%Y' /usr/local/go)"; \
export SOURCE_DATE_EPOCH; \
+ touchy="$(date -d "@$SOURCE_DATE_EPOCH" '+%Y%m%d%H%M.%S')"; \
# for logging validation/edification
date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
+# sanity check (detected value should be older than our wall clock)
+ [ "$SOURCE_DATE_EPOCH" -lt "$now" ]; \
\
if [ "$arch" = 'armv7' ]; then \
[ -s /usr/local/go/go.env ]; \
@@ -88,17 +92,23 @@ RUN set -eux; \
} >> /usr/local/go/go.env; \
after="$(go env GOARM)"; [ "$after" = '7' ]; \
# (re-)clamp timestamp for reproducibility (allows "COPY --link" to be more clever/useful)
- date="$(date -d "@$SOURCE_DATE_EPOCH" '+%Y%m%d%H%M.%S')"; \
- touch -t "$date" /usr/local/go/go.env /usr/local/go; \
+ touch -t "$touchy" /usr/local/go/go.env /usr/local/go; \
fi; \
\
+# ideally at this point, we would just "COPY --link ... /usr/local/go/ /usr/local/go/" but BuildKit insists on creating the parent directories (perhaps related to https://github.com/opencontainers/image-spec/pull/970), and does so with unreproducible timestamps, so we instead create a whole new "directory tree" that we can "COPY --link" to accomplish what we want
+ mkdir /target /target/usr /target/usr/local; \
+ mv -vT /usr/local/go /target/usr/local/go; \
+ ln -svfT /target/usr/local/go /usr/local/go; \
+ touch -t "$touchy" /target/usr/local /target/usr /target; \
+ \
apk del --no-network .fetch-deps; \
\
# smoke test
go version; \
# make sure our reproducibile timestamp is probably still correct (best-effort inline reproducibility test)
- epoch="$(stat -c '%Y' /usr/local/go)"; \
- [ "$SOURCE_DATE_EPOCH" = "$epoch" ]
+ epoch="$(stat -c '%Y' /target/usr/local/go)"; \
+ [ "$SOURCE_DATE_EPOCH" = "$epoch" ]; \
+ find /target -newer /target/usr/local/go -exec sh -c 'ls -ld "$@" && exit "$#"' -- '{}' +
FROM alpine:3.19
@@ -112,6 +122,7 @@ ENV GOTOOLCHAIN=local
ENV GOPATH /go
ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
-COPY --from=build --link /usr/local/go/ /usr/local/go/
+# (see notes above about "COPY --link")
+COPY --from=build --link /target/ /
RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 1777 "$GOPATH"
WORKDIR $GOPATH
diff --git a/golang_1.21-bookworm/Dockerfile b/golang_1.21-bookworm/Dockerfile
index 560c454..82aeaa9 100644
--- a/golang_1.21-bookworm/Dockerfile
+++ b/golang_1.21-bookworm/Dockerfile
@@ -11,6 +11,7 @@ ENV PATH /usr/local/go/bin:$PATH
ENV GOLANG_VERSION 1.21.11
RUN set -eux; \
+ now="$(date '+%s')"; \
arch="$(dpkg --print-architecture)"; arch="${arch##*-}"; \
url=; \
case "$arch" in \
@@ -69,8 +70,11 @@ RUN set -eux; \
# save the timestamp from the tarball so we can restore it for reproducibility, if necessary (see below)
SOURCE_DATE_EPOCH="$(stat -c '%Y' /usr/local/go)"; \
export SOURCE_DATE_EPOCH; \
+ touchy="$(date -d "@$SOURCE_DATE_EPOCH" '+%Y%m%d%H%M.%S')"; \
# for logging validation/edification
date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
+# sanity check (detected value should be older than our wall clock)
+ [ "$SOURCE_DATE_EPOCH" -lt "$now" ]; \
\
if [ "$arch" = 'armhf' ]; then \
[ -s /usr/local/go/go.env ]; \
@@ -82,15 +86,21 @@ RUN set -eux; \
} >> /usr/local/go/go.env; \
after="$(go env GOARM)"; [ "$after" = '7' ]; \
# (re-)clamp timestamp for reproducibility (allows "COPY --link" to be more clever/useful)
- date="$(date -d "@$SOURCE_DATE_EPOCH" '+%Y%m%d%H%M.%S')"; \
- touch -t "$date" /usr/local/go/go.env /usr/local/go; \
+ touch -t "$touchy" /usr/local/go/go.env /usr/local/go; \
fi; \
\
+# ideally at this point, we would just "COPY --link ... /usr/local/go/ /usr/local/go/" but BuildKit insists on creating the parent directories (perhaps related to https://github.com/opencontainers/image-spec/pull/970), and does so with unreproducible timestamps, so we instead create a whole new "directory tree" that we can "COPY --link" to accomplish what we want
+ mkdir /target /target/usr /target/usr/local; \
+ mv -vT /usr/local/go /target/usr/local/go; \
+ ln -svfT /target/usr/local/go /usr/local/go; \
+ touch -t "$touchy" /target/usr/local /target/usr /target; \
+ \
# smoke test
go version; \
# make sure our reproducibile timestamp is probably still correct (best-effort inline reproducibility test)
- epoch="$(stat -c '%Y' /usr/local/go)"; \
- [ "$SOURCE_DATE_EPOCH" = "$epoch" ]
+ epoch="$(stat -c '%Y' /target/usr/local/go)"; \
+ [ "$SOURCE_DATE_EPOCH" = "$epoch" ]; \
+ find /target -newer /target/usr/local/go -exec sh -c 'ls -ld "$@" && exit "$#"' -- '{}' +
FROM buildpack-deps:bookworm-scm
@@ -114,6 +124,7 @@ ENV GOTOOLCHAIN=local
ENV GOPATH /go
ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
-COPY --from=build --link /usr/local/go/ /usr/local/go/
+# (see notes above about "COPY --link")
+COPY --from=build --link /target/ /
RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 1777 "$GOPATH"
WORKDIR $GOPATH
diff --git a/golang_1.21-bullseye/Dockerfile b/golang_1.21-bullseye/Dockerfile
index 052a5f7..7b8f394 100644
--- a/golang_1.21-bullseye/Dockerfile
+++ b/golang_1.21-bullseye/Dockerfile
@@ -11,6 +11,7 @@ ENV PATH /usr/local/go/bin:$PATH
ENV GOLANG_VERSION 1.21.11
RUN set -eux; \
+ now="$(date '+%s')"; \
arch="$(dpkg --print-architecture)"; arch="${arch##*-}"; \
url=; \
case "$arch" in \
@@ -69,8 +70,11 @@ RUN set -eux; \
# save the timestamp from the tarball so we can restore it for reproducibility, if necessary (see below)
SOURCE_DATE_EPOCH="$(stat -c '%Y' /usr/local/go)"; \
export SOURCE_DATE_EPOCH; \
+ touchy="$(date -d "@$SOURCE_DATE_EPOCH" '+%Y%m%d%H%M.%S')"; \
# for logging validation/edification
date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
+# sanity check (detected value should be older than our wall clock)
+ [ "$SOURCE_DATE_EPOCH" -lt "$now" ]; \
\
if [ "$arch" = 'armhf' ]; then \
[ -s /usr/local/go/go.env ]; \
@@ -82,15 +86,21 @@ RUN set -eux; \
} >> /usr/local/go/go.env; \
after="$(go env GOARM)"; [ "$after" = '7' ]; \
# (re-)clamp timestamp for reproducibility (allows "COPY --link" to be more clever/useful)
- date="$(date -d "@$SOURCE_DATE_EPOCH" '+%Y%m%d%H%M.%S')"; \
- touch -t "$date" /usr/local/go/go.env /usr/local/go; \
+ touch -t "$touchy" /usr/local/go/go.env /usr/local/go; \
fi; \
\
+# ideally at this point, we would just "COPY --link ... /usr/local/go/ /usr/local/go/" but BuildKit insists on creating the parent directories (perhaps related to https://github.com/opencontainers/image-spec/pull/970), and does so with unreproducible timestamps, so we instead create a whole new "directory tree" that we can "COPY --link" to accomplish what we want
+ mkdir /target /target/usr /target/usr/local; \
+ mv -vT /usr/local/go /target/usr/local/go; \
+ ln -svfT /target/usr/local/go /usr/local/go; \
+ touch -t "$touchy" /target/usr/local /target/usr /target; \
+ \
# smoke test
go version; \
# make sure our reproducibile timestamp is probably still correct (best-effort inline reproducibility test)
- epoch="$(stat -c '%Y' /usr/local/go)"; \
- [ "$SOURCE_DATE_EPOCH" = "$epoch" ]
+ epoch="$(stat -c '%Y' /target/usr/local/go)"; \
+ [ "$SOURCE_DATE_EPOCH" = "$epoch" ]; \
+ find /target -newer /target/usr/local/go -exec sh -c 'ls -ld "$@" && exit "$#"' -- '{}' +
FROM buildpack-deps:bullseye-scm
@@ -114,6 +124,7 @@ ENV GOTOOLCHAIN=local
ENV GOPATH /go
ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
-COPY --from=build --link /usr/local/go/ /usr/local/go/
+# (see notes above about "COPY --link")
+COPY --from=build --link /target/ /
RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 1777 "$GOPATH"
WORKDIR $GOPATH
diff --git a/golang_alpine/Dockerfile b/golang_alpine/Dockerfile
index 609daa5..6390488 100644
--- a/golang_alpine/Dockerfile
+++ b/golang_alpine/Dockerfile
@@ -11,6 +11,7 @@ ENV PATH /usr/local/go/bin:$PATH
ENV GOLANG_VERSION 1.22.4
RUN set -eux; \
+ now="$(date '+%s')"; \
apk add --no-cache --virtual .fetch-deps \
ca-certificates \
gnupg \
@@ -75,8 +76,11 @@ RUN set -eux; \
# save the timestamp from the tarball so we can restore it for reproducibility, if necessary (see below)
SOURCE_DATE_EPOCH="$(stat -c '%Y' /usr/local/go)"; \
export SOURCE_DATE_EPOCH; \
+ touchy="$(date -d "@$SOURCE_DATE_EPOCH" '+%Y%m%d%H%M.%S')"; \
# for logging validation/edification
date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
+# sanity check (detected value should be older than our wall clock)
+ [ "$SOURCE_DATE_EPOCH" -lt "$now" ]; \
\
if [ "$arch" = 'armv7' ]; then \
[ -s /usr/local/go/go.env ]; \
@@ -88,17 +92,23 @@ RUN set -eux; \
} >> /usr/local/go/go.env; \
after="$(go env GOARM)"; [ "$after" = '7' ]; \
# (re-)clamp timestamp for reproducibility (allows "COPY --link" to be more clever/useful)
- date="$(date -d "@$SOURCE_DATE_EPOCH" '+%Y%m%d%H%M.%S')"; \
- touch -t "$date" /usr/local/go/go.env /usr/local/go; \
+ touch -t "$touchy" /usr/local/go/go.env /usr/local/go; \
fi; \
\
+# ideally at this point, we would just "COPY --link ... /usr/local/go/ /usr/local/go/" but BuildKit insists on creating the parent directories (perhaps related to https://github.com/opencontainers/image-spec/pull/970), and does so with unreproducible timestamps, so we instead create a whole new "directory tree" that we can "COPY --link" to accomplish what we want
+ mkdir /target /target/usr /target/usr/local; \
+ mv -vT /usr/local/go /target/usr/local/go; \
+ ln -svfT /target/usr/local/go /usr/local/go; \
+ touch -t "$touchy" /target/usr/local /target/usr /target; \
+ \
apk del --no-network .fetch-deps; \
\
# smoke test
go version; \
# make sure our reproducibile timestamp is probably still correct (best-effort inline reproducibility test)
- epoch="$(stat -c '%Y' /usr/local/go)"; \
- [ "$SOURCE_DATE_EPOCH" = "$epoch" ]
+ epoch="$(stat -c '%Y' /target/usr/local/go)"; \
+ [ "$SOURCE_DATE_EPOCH" = "$epoch" ]; \
+ find /target -newer /target/usr/local/go -exec sh -c 'ls -ld "$@" && exit "$#"' -- '{}' +
FROM alpine:3.20
@@ -112,6 +122,7 @@ ENV GOTOOLCHAIN=local
ENV GOPATH /go
ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
-COPY --from=build --link /usr/local/go/ /usr/local/go/
+# (see notes above about "COPY --link")
+COPY --from=build --link /target/ /
RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 1777 "$GOPATH"
WORKDIR $GOPATH
diff --git a/golang_alpine3.19/Dockerfile b/golang_alpine3.19/Dockerfile
index 3811734..e0232f3 100644
--- a/golang_alpine3.19/Dockerfile
+++ b/golang_alpine3.19/Dockerfile
@@ -11,6 +11,7 @@ ENV PATH /usr/local/go/bin:$PATH
ENV GOLANG_VERSION 1.22.4
RUN set -eux; \
+ now="$(date '+%s')"; \
apk add --no-cache --virtual .fetch-deps \
ca-certificates \
gnupg \
@@ -75,8 +76,11 @@ RUN set -eux; \
# save the timestamp from the tarball so we can restore it for reproducibility, if necessary (see below)
SOURCE_DATE_EPOCH="$(stat -c '%Y' /usr/local/go)"; \
export SOURCE_DATE_EPOCH; \
+ touchy="$(date -d "@$SOURCE_DATE_EPOCH" '+%Y%m%d%H%M.%S')"; \
# for logging validation/edification
date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
+# sanity check (detected value should be older than our wall clock)
+ [ "$SOURCE_DATE_EPOCH" -lt "$now" ]; \
\
if [ "$arch" = 'armv7' ]; then \
[ -s /usr/local/go/go.env ]; \
@@ -88,17 +92,23 @@ RUN set -eux; \
} >> /usr/local/go/go.env; \
after="$(go env GOARM)"; [ "$after" = '7' ]; \
# (re-)clamp timestamp for reproducibility (allows "COPY --link" to be more clever/useful)
- date="$(date -d "@$SOURCE_DATE_EPOCH" '+%Y%m%d%H%M.%S')"; \
- touch -t "$date" /usr/local/go/go.env /usr/local/go; \
+ touch -t "$touchy" /usr/local/go/go.env /usr/local/go; \
fi; \
\
+# ideally at this point, we would just "COPY --link ... /usr/local/go/ /usr/local/go/" but BuildKit insists on creating the parent directories (perhaps related to https://github.com/opencontainers/image-spec/pull/970), and does so with unreproducible timestamps, so we instead create a whole new "directory tree" that we can "COPY --link" to accomplish what we want
+ mkdir /target /target/usr /target/usr/local; \
+ mv -vT /usr/local/go /target/usr/local/go; \
+ ln -svfT /target/usr/local/go /usr/local/go; \
+ touch -t "$touchy" /target/usr/local /target/usr /target; \
+ \
apk del --no-network .fetch-deps; \
\
# smoke test
go version; \
# make sure our reproducibile timestamp is probably still correct (best-effort inline reproducibility test)
- epoch="$(stat -c '%Y' /usr/local/go)"; \
- [ "$SOURCE_DATE_EPOCH" = "$epoch" ]
+ epoch="$(stat -c '%Y' /target/usr/local/go)"; \
+ [ "$SOURCE_DATE_EPOCH" = "$epoch" ]; \
+ find /target -newer /target/usr/local/go -exec sh -c 'ls -ld "$@" && exit "$#"' -- '{}' +
FROM alpine:3.19
@@ -112,6 +122,7 @@ ENV GOTOOLCHAIN=local
ENV GOPATH /go
ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
-COPY --from=build --link /usr/local/go/ /usr/local/go/
+# (see notes above about "COPY --link")
+COPY --from=build --link /target/ /
RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 1777 "$GOPATH"
WORKDIR $GOPATH
diff --git a/golang_bookworm/Dockerfile b/golang_bookworm/Dockerfile
index 306b5b0..d7f129e 100644
--- a/golang_bookworm/Dockerfile
+++ b/golang_bookworm/Dockerfile
@@ -11,6 +11,7 @@ ENV PATH /usr/local/go/bin:$PATH
ENV GOLANG_VERSION 1.22.4
RUN set -eux; \
+ now="$(date '+%s')"; \
arch="$(dpkg --print-architecture)"; arch="${arch##*-}"; \
url=; \
case "$arch" in \
@@ -69,8 +70,11 @@ RUN set -eux; \
# save the timestamp from the tarball so we can restore it for reproducibility, if necessary (see below)
SOURCE_DATE_EPOCH="$(stat -c '%Y' /usr/local/go)"; \
export SOURCE_DATE_EPOCH; \
+ touchy="$(date -d "@$SOURCE_DATE_EPOCH" '+%Y%m%d%H%M.%S')"; \
# for logging validation/edification
date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
+# sanity check (detected value should be older than our wall clock)
+ [ "$SOURCE_DATE_EPOCH" -lt "$now" ]; \
\
if [ "$arch" = 'armhf' ]; then \
[ -s /usr/local/go/go.env ]; \
@@ -82,15 +86,21 @@ RUN set -eux; \
} >> /usr/local/go/go.env; \
after="$(go env GOARM)"; [ "$after" = '7' ]; \
# (re-)clamp timestamp for reproducibility (allows "COPY --link" to be more clever/useful)
- date="$(date -d "@$SOURCE_DATE_EPOCH" '+%Y%m%d%H%M.%S')"; \
- touch -t "$date" /usr/local/go/go.env /usr/local/go; \
+ touch -t "$touchy" /usr/local/go/go.env /usr/local/go; \
fi; \
\
+# ideally at this point, we would just "COPY --link ... /usr/local/go/ /usr/local/go/" but BuildKit insists on creating the parent directories (perhaps related to https://github.com/opencontainers/image-spec/pull/970), and does so with unreproducible timestamps, so we instead create a whole new "directory tree" that we can "COPY --link" to accomplish what we want
+ mkdir /target /target/usr /target/usr/local; \
+ mv -vT /usr/local/go /target/usr/local/go; \
+ ln -svfT /target/usr/local/go /usr/local/go; \
+ touch -t "$touchy" /target/usr/local /target/usr /target; \
+ \
# smoke test
go version; \
# make sure our reproducibile timestamp is probably still correct (best-effort inline reproducibility test)
- epoch="$(stat -c '%Y' /usr/local/go)"; \
- [ "$SOURCE_DATE_EPOCH" = "$epoch" ]
+ epoch="$(stat -c '%Y' /target/usr/local/go)"; \
+ [ "$SOURCE_DATE_EPOCH" = "$epoch" ]; \
+ find /target -newer /target/usr/local/go -exec sh -c 'ls -ld "$@" && exit "$#"' -- '{}' +
FROM buildpack-deps:bookworm-scm
@@ -114,6 +124,7 @@ ENV GOTOOLCHAIN=local
ENV GOPATH /go
ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
-COPY --from=build --link /usr/local/go/ /usr/local/go/
+# (see notes above about "COPY --link")
+COPY --from=build --link /target/ /
RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 1777 "$GOPATH"
WORKDIR $GOPATH
diff --git a/golang_bullseye/Dockerfile b/golang_bullseye/Dockerfile
index 4e59645..32c9bea 100644
--- a/golang_bullseye/Dockerfile
+++ b/golang_bullseye/Dockerfile
@@ -11,6 +11,7 @@ ENV PATH /usr/local/go/bin:$PATH
ENV GOLANG_VERSION 1.22.4
RUN set -eux; \
+ now="$(date '+%s')"; \
arch="$(dpkg --print-architecture)"; arch="${arch##*-}"; \
url=; \
case "$arch" in \
@@ -69,8 +70,11 @@ RUN set -eux; \
# save the timestamp from the tarball so we can restore it for reproducibility, if necessary (see below)
SOURCE_DATE_EPOCH="$(stat -c '%Y' /usr/local/go)"; \
export SOURCE_DATE_EPOCH; \
+ touchy="$(date -d "@$SOURCE_DATE_EPOCH" '+%Y%m%d%H%M.%S')"; \
# for logging validation/edification
date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
+# sanity check (detected value should be older than our wall clock)
+ [ "$SOURCE_DATE_EPOCH" -lt "$now" ]; \
\
if [ "$arch" = 'armhf' ]; then \
[ -s /usr/local/go/go.env ]; \
@@ -82,15 +86,21 @@ RUN set -eux; \
} >> /usr/local/go/go.env; \
after="$(go env GOARM)"; [ "$after" = '7' ]; \
# (re-)clamp timestamp for reproducibility (allows "COPY --link" to be more clever/useful)
- date="$(date -d "@$SOURCE_DATE_EPOCH" '+%Y%m%d%H%M.%S')"; \
- touch -t "$date" /usr/local/go/go.env /usr/local/go; \
+ touch -t "$touchy" /usr/local/go/go.env /usr/local/go; \
fi; \
\
+# ideally at this point, we would just "COPY --link ... /usr/local/go/ /usr/local/go/" but BuildKit insists on creating the parent directories (perhaps related to https://github.com/opencontainers/image-spec/pull/970), and does so with unreproducible timestamps, so we instead create a whole new "directory tree" that we can "COPY --link" to accomplish what we want
+ mkdir /target /target/usr /target/usr/local; \
+ mv -vT /usr/local/go /target/usr/local/go; \
+ ln -svfT /target/usr/local/go /usr/local/go; \
+ touch -t "$touchy" /target/usr/local /target/usr /target; \
+ \
# smoke test
go version; \
# make sure our reproducibile timestamp is probably still correct (best-effort inline reproducibility test)
- epoch="$(stat -c '%Y' /usr/local/go)"; \
- [ "$SOURCE_DATE_EPOCH" = "$epoch" ]
+ epoch="$(stat -c '%Y' /target/usr/local/go)"; \
+ [ "$SOURCE_DATE_EPOCH" = "$epoch" ]; \
+ find /target -newer /target/usr/local/go -exec sh -c 'ls -ld "$@" && exit "$#"' -- '{}' +
FROM buildpack-deps:bullseye-scm
@@ -114,6 +124,7 @@ ENV GOTOOLCHAIN=local
ENV GOPATH /go
ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
-COPY --from=build --link /usr/local/go/ /usr/local/go/
+# (see notes above about "COPY --link")
+COPY --from=build --link /target/ /
RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 1777 "$GOPATH"
WORKDIR $GOPATHRelevant Maintainers: |
yosifkit
approved these changes
Jun 14, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes:
COPY --linklimitations by pre-creating full filesystem tree golang#521 from infosiftr/copy-link-reduxCOPY --linklimitations by pre-creating full filesystem tree