load("@rules_pkg//pkg:pkg.bzl", "pkg_tar") load("@io_bazel_rules_docker//contrib:passwd.bzl", "passwd_entry", "passwd_file") load("@io_bazel_rules_docker//container:container.bzl", "container_image") load("//tools:build_settings.bzl", "base_image") ################################################################################ ## Docker images as non-root user ## ################################################################################ # Create a passwd file with a root and nonroot user and uid. passwd_entry( name = "root_user", gid = 0, tags = ["manual"], uid = 0, username = "root", ) passwd_entry( name = "nonroot_user", info = "nonroot", tags = ["manual"], uid = 1001, username = "nonroot", ) passwd_file( name = "passwd", entries = [ ":root_user", ":nonroot_user", ], tags = ["manual"], ) # Create a tar file containing the created passwd file pkg_tar( name = "passwd_tar", srcs = [":passwd"], mode = "0o644", package_dir = "etc", tags = ["manual"], visibility = ["//visibility:public"], ) CC_DEFAULT_BASE = select({ "@io_bazel_rules_docker//:debug": "@cc_debug_image_base_amd64//image", "@io_bazel_rules_docker//:fastbuild": "@cc_image_base_amd64//image", "@io_bazel_rules_docker//:optimized": "@cc_image_base_amd64//image", "//conditions:default": "@cc_image_base_amd64//image", }) GO_DEFAULT_BASE = select({ "@io_bazel_rules_docker//:debug": "@go_debug_image_base_amd64//image", "@io_bazel_rules_docker//:fastbuild": "@go_image_base_amd64//image", "@io_bazel_rules_docker//:optimized": "@go_image_base_amd64//image", "//conditions:default": "@go_image_base_amd64//image", }) # Include it in our base image as a tar. container_image( name = "cc_image", base = CC_DEFAULT_BASE, tags = ["manual"], tars = [":passwd_tar"], user = "root", visibility = ["//visibility:public"], ) container_image( name = "go_image", base = GO_DEFAULT_BASE, tags = ["manual"], tars = [":passwd_tar"], user = "root", visibility = ["//visibility:public"], ) base_image( name = "base_image", build_setting_default = "cc_image", tags = ["manual"], ) config_setting( name = "base_image_alpine", flag_values = {"//tools:base_image": "alpine"}, ) config_setting( name = "base_image_cc", flag_values = {"//tools:base_image": "cc_image"}, ) container_image( name = "alpine_cc_image", base = "@alpine_cc_linux_amd64//image", tags = ["manual"], tars = [":passwd_tar"], user = "root", visibility = ["//visibility:public"], ) # Create a bash tar layer for docker images. This allows docker images to have access to the "bash" # command and improves debugging abilities on the image. genrule( name = "bash_tar", srcs = select({ "@platforms//cpu:x86_64": ["@bash_amd64//file"], "@platforms//cpu:arm64": ["@bash_arm64//file"], }), outs = ["bash.tar"], cmd = "ar x $< && xz -d data.tar.xz -c >> $@", visibility = ["//visibility:public"], ) # libtinfo6 is required for terminal activity and contains terminfo library. genrule( name = "libtinfo6_tar", srcs = select({ "@platforms//cpu:x86_64": ["@libtinfo6_amd64//file"], "@platforms//cpu:arm64": ["@libtinfo6_arm64//file"], }), outs = ["libtinfo6.tar"], cmd = "ar x $< && xz -d data.tar.xz -c >> $@", visibility = ["//visibility:public"], )