Merge branch 'docker-library:master' into krakend

.bin/bashbrew-buildkit-env-setup.sh

@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+
+# this file is intended to be sourced before invocations of "bashbrew build" which might invoke "docker buildx" / BuildKit ("Builder: buildkit")
+
+_resolve_external_pins() {
+	local -
+	set -Eeuo pipefail
+
+	local binDir oiDir
+	binDir="$(dirname "$BASH_SOURCE")"
+	oiDir="$(dirname "$binDir")"
+
+	local image
+	for image; do
+		[ -n "$image" ]
+		local wc
+		wc="$(wc -l <<<"$image")"
+		[ "$wc" -eq 1 ]
+
+		local file digest
+		file="$("$oiDir/.external-pins/file.sh" "$image")"
+		digest="$(< "$file")"
+		[ -n "$digest" ]
+		image+="@$digest"
+
+		echo "$image"
+	done
+}
+
+_jq_setenv() {
+	local env="$1"; shift
+	local val="$1"; shift
+	jq -c --arg env "$env" --arg val "$val" '.[$env] = $val'
+}
+
+_bashbrew_buildkit_env_setup() {
+	local -
+	set -Eeuo pipefail
+
+	local binDir oiDir
+	binDir="$(dirname "$BASH_SOURCE")"
+	oiDir="$(dirname "$binDir")"
+
+	local externalPins
+	externalPins="$("$oiDir/.external-pins/list.sh")"
+
+	local vars='{}'
+
+	local dockerfileTag
+	dockerfileTag="$(grep <<<"$externalPins" -m1 '^tianon/buildkit:')"
+	dockerfileTag="$(_resolve_external_pins "$dockerfileTag")"
+	vars="$(_jq_setenv <<<"$vars" BASHBREW_BUILDKIT_SYNTAX "$dockerfileTag")"
+
+	case "${BASHBREW_ARCH:-}" in
+		windows-amd64) ;; # https://github.com/microsoft/Windows-Containers/issues/34
+		'') ;; # if BASHBREW_ARCH isn't set explicitly, we shouldn't do more here
+		*)
+			BASHBREW_BUILDKIT_IMAGE="$(grep <<<"$externalPins" -m1 '^tianon/buildkit:')"
+			BASHBREW_BUILDKIT_IMAGE="$(_resolve_external_pins "$BASHBREW_BUILDKIT_IMAGE")"
+			export BASHBREW_BUILDKIT_IMAGE
+
+			local buildxBuilder
+			buildxBuilder="$("$binDir/docker-buildx-ensure.sh")" # reminder: this script *requires* BASHBREW_ARCH (to avoid "accidental amd64" mistakes)
+			vars="$(_jq_setenv <<<"$vars" BUILDX_BUILDER "$buildxBuilder")"
+
+			local sbomGenerator
+			# https://hub.docker.com/r/docker/scout-sbom-indexer/tags
+			sbomGenerator="$(grep <<<"$externalPins" -m1 '^docker/scout-sbom-indexer:')"
+			sbomGenerator="$(_resolve_external_pins "$sbomGenerator")"
+			# https://github.com/moby/buildkit/pull/5372 - "EXTRA_SCANNERS" is an optional parameter to the Scout SBOM Indexer
+			sbomGenerator+=',"EXTRA_SCANNERS=php-composer-lock,erlang-otp-application,lua-rock-cataloger,swipl-pack-cataloger,opam-cataloger"'
+			vars="$(_jq_setenv <<<"$vars" BASHBREW_BUILDKIT_SBOM_GENERATOR "$sbomGenerator")"
+			;;
+	esac
+
+	if [ -t 1 ]; then
+		jq <<<"$vars"
+	else
+		cat <<<"$vars"
+	fi
+}
+_bashbrew_buildkit_env_setup

.bin/docker-buildx-ensure.sh

@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+: "${BASHBREW_ARCH:?missing explicit BASHBREW_ARCH}"
+: "${BASHBREW_BUILDKIT_IMAGE:?missing explicit BASHBREW_BUILDKIT_IMAGE (moby/buildkit:buildx-stable-1 ?)}"
+
+builderName="bashbrew-$BASHBREW_ARCH"
+container="buildx_buildkit_$builderName"
+
+# make sure the buildx builder name is the only thing that we print to stdout (so this script's output can be captured and used to set BUILDX_BUILDER)
+echo "$builderName"
+exec >&2
+
+if docker buildx inspect "$builderName" &> /dev/null; then
+	if containerImage="$(docker container inspect --format '{{ .Config.Image }}' "$container" 2>/dev/null)" && [ "$containerImage" = "$BASHBREW_BUILDKIT_IMAGE" ]; then
+		echo >&2
+		echo >&2 "note: '$container' container already exists and is running the correct image ('$BASHBREW_BUILDKIT_IMAGE'); bailing instead of recreating the '$builderName' builder (to avoid unnecessary churn)"
+		echo >&2
+		exit 0
+	fi
+
+	docker buildx rm --keep-state "$builderName"
+fi
+
+platform="$(bashbrew cat --format '{{ ociPlatform arch }}' <(echo 'Maintainers: empty hack (@example)'))"
+
+hubMirrors="$(docker info --format '{{ json .RegistryConfig.Mirrors }}' | jq -c '
+	[ env.DOCKERHUB_PUBLIC_PROXY // empty, .[]? ]
+	| map(select(startswith("https://")) | ltrimstr("https://") | rtrimstr("/") | select(contains("/") | not))
+	| reduce .[] as $item ( # "unique" but order-preserving (we want DOCKERHUB_PUBLIC_PROXY first followed by everything else set in the dockerd mirrors config without duplication)
+		[];
+		if index($item) then . else . + [ $item ] end
+	)
+')"
+
+read -r -d '' buildkitdConfig <<-EOF || :
+	# https://github.com/moby/buildkit/blob/v0.11.4/docs/buildkitd.toml.md
+
+	[worker.oci]
+		platforms = [ "$platform" ]
+
+	# this should be unused (for now?), but included for completeness/safety
+	[worker.containerd]
+		platforms = [ "$platform" ]
+		namespace = "buildkit-$builderName"
+
+	[registry."docker.io"]
+		mirrors = $hubMirrors
+EOF
+
+# Ideally, we would also disable BuildKit's garbage collection here too, especially because we happen to be able to know exactly the set of built images for whom cache should be kept (and everything else is ripe for deletion).
+# In practice however, this is far too cumbersome to manage correctly, especially as we have had to dramatically change the way we perform these builds over time such that this is no longer reasonable.
+# As such, we now rely on BuildKit's default policies instead: https://docs.docker.com/build/cache/garbage-collection/#default-policies
+
+# https://docs.docker.com/engine/reference/commandline/buildx_create/
+args=(
+	--name "$builderName"
+	--node "$builderName"
+	--platform "$platform"
+	--driver docker-container
+	--driver-opt image="$BASHBREW_BUILDKIT_IMAGE"
+	--bootstrap
+
+	# https://github.com/docker/buildx/issues/484#issuecomment-749352728
+	--driver-opt env.BUILDKIT_STEP_LOG_MAX_SIZE=-1
+	--driver-opt env.BUILDKIT_STEP_LOG_MAX_SPEED=-1
+
+	# https://github.com/docker/buildx/pull/1271
+	#--driver-opt 'restart-policy=always'
+	# ("ERROR: failed to initialize builder ...: invalid driver option restart-policy for docker-container driver" until we thread the needle of newer buildx to all our nodes 🙃)
+
+	# NOTE: --config has to be in the command invocation (because of "<(...)" creating a temporary file descriptor that otherwise won't last until we run the command)
+)
+docker buildx create "${args[@]}" \
+	--config <(printf '%s' "$buildkitdConfig") \
+
+# 👀
+docker update --restart=always "$container"

.buildkit-build-contexts.sh

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+# given a list of image references, returns an appropriate list of "ref=docker-image://foo@sha256:xxx" for the current architecture
+
+dir="$(dirname "$BASH_SOURCE")"
+
+[ -n "$BASHBREW_ARCH" ]
+archNamespace=
+
+die() {
+	echo >&2 "error: $*"
+	exit 1
+}
+
+for img; do
+	lookup=
+	case "$img" in
+		*@sha256:*)
+			lookup="$img"
+			;;
+
+		*/*)
+			file="$("$dir/.external-pins/file.sh" "$img")" || die "'$img': failed to look up external pin file"
+			digest="$(< "$file")" || die "'$img': failed to read external pin file ('$file')"
+			[ -n "$digest" ] || die "'$img': empty external pin file ('$file')"
+			lookup="${img%@*}@$digest" # img should never have an @ in it here, but just in case
+			;;
+
+		*)
+			[ -n "$BASHBREW_ARCH_NAMESPACES" ] || die 'missing BASHBREW_ARCH_NAMESPACES'
+			archNamespace="${archNamespace:-$(bashbrew cat --format '{{ archNamespace arch }}' "$dir/library/hello-world")}"
+			[ -n "$archNamespace" ] || die "failed to get arch namespace for '$BASHBREW_ARCH'"
+			lookup="$archNamespace/$img"
+			;;
+	esac
+	[ -n "$lookup" ] || die "'$img': failed to determine what image to query"
+
+	json="$(bashbrew remote arches --json "$lookup" || die "'$img': failed lookup ('$lookup')")"
+	digests="$(jq <<<"$json" -r '.arches[env.BASHBREW_ARCH] // [] | map(.digest | @sh) | join(" ")')"
+	eval "digests=( $digests )"
+
+	if [ "${#digests[@]}" -gt 1 ]; then
+		echo >&2 "warning: '$lookup' has ${#digests[@]} images for '$BASHBREW_ARCH'; returning only the first"
+	fi
+
+	for digest in "${digests[@]}"; do
+		echo "$img=docker-image://${lookup%@*}@$digest"
+		continue 2
+	done
+
+	digest="$(jq <<<"$json" -r '.desc.digest')"
+	arches="$(jq <<<"$json" -r '.arches | keys | join(" ")')"
+	die "'$img': no appropriate digest for '$BASHBREW_ARCH' found in '$lookup' ('$digest'; arches '$arches')"
+done

.external-pins/docker/scout-sbom-indexer___1

@@ -0,0 +1 @@
+sha256:a383f8c6b54bfd91a9ad70fc34aab994d379514bf0f2601e225eed80213710c6

.external-pins/file.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+# given an image (name:tag), return the appropriate filename
+
+dir="$(dirname "$BASH_SOURCE")"
+
+for img; do
+	if [[ "$img" != *:* ]]; then
+		echo >&2 "error: '$img' does not contain ':' -- this violates our assumptions! (did you mean '$img:latest' ?)"
+		exit 1
+	fi
+
+	imgFile="$dir/${img/:/___}" # see ".external-pins/list.sh"
+	echo "$imgFile"
+done

.external-pins/list.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+dir="$(dirname "$BASH_SOURCE")"
+
+find "$dir" -mindepth 2 -type f -printf '%P\n' | sed -e 's/___/:/' | sort
+
+# assumptions which make the "___" -> ":" conversion ~safe (examples referencing "example.com/foo/bar:baz"):
+#
+#   1. we *always* specify a tag ("baz")
+#   2. the domain ("example.com") cannot contain underscores
+#   3. we do not pin to any registry with a non-443 port ("example.com:8443")
+#   4. the repository ("foo/bar") can only contain singular or double underscores (never triple underscore), and only between alphanumerics (thus never right up next to ":")
+#   5. we do *not* use the "g" regex modifier in our sed, which means only the first instance of triple underscore is replaced (in pure Bash, that's "${img/:/___}" or "${img/___/:}" depending on the conversion direction)
+#
+# see https://github.com/distribution/distribution/blob/411d6bcfd2580d7ebe6e346359fa16aceec109d5/reference/regexp.go
+# (see also https://github.com/docker-library/perl-bashbrew/blob/6685582f7889ef4806f0544b93f10640c7608b1a/lib/Bashbrew/RemoteImageRef.pm#L9-L26 for a condensed version)
+#
+# see https://github.com/docker-library/official-images/issues/13608 for why we can't just use ":" as-is (even though Linux, macOS, and even Windows via MSYS / WSL2 don't have any issues with it)

.external-pins/mcr.microsoft.com/windows/nanoserver___1809

@@ -0,0 +1 @@
+sha256:9f93d7a7eacdf9a6f7355a8bc3c0b3d46303ab13a519899d2927b1369e230b1f

.external-pins/mcr.microsoft.com/windows/nanoserver___ltsc2022

@@ -0,0 +1 @@
+sha256:f82cb05e20c4bfa93a007c9f073f83febd8bc6d16f98a3208f3baa486aafcdf4

.external-pins/mcr.microsoft.com/windows/nanoserver___ltsc2025

@@ -0,0 +1 @@
+sha256:d584aae93e84d61c8a3280ed3a5d5a6d397c0214a2902acadb8b17b0b00c70e8

.external-pins/mcr.microsoft.com/windows/servercore___1809

@@ -0,0 +1 @@
+sha256:2bacc4bdc5d1bd805587cb90a2fb2d58d1c775b02df1a19fd221cbfc639ff587

.external-pins/mcr.microsoft.com/windows/servercore___ltsc2022

@@ -0,0 +1 @@
+sha256:3cfddbce425e07cc658829098c29af86ff1a3ccc9b8d4735f5263a76ea4b7561

.external-pins/mcr.microsoft.com/windows/servercore___ltsc2025

@@ -0,0 +1 @@
+sha256:f6153b44882e7ada8fa17123cfca1da3f29ea7fbe062c9e931240dc837aa4256

.external-pins/redhat/ubi8-minimal___latest

@@ -0,0 +1 @@
+sha256:d16d4445b1567f29449fba3b6d2bc37db467dc3067d33e940477e55aecdf6e8e

.external-pins/redhat/ubi8___latest

@@ -0,0 +1 @@
+sha256:881aaf5fa0d1f85925a1b9668a1fc7f850a11ca30fd3e37ea194db4edff892a5

.external-pins/redhat/ubi9-minimal___latest

@@ -0,0 +1 @@
+sha256:14f14e03d68f7fd5f2b18a13478b6b127c341b346c86b6e0b886ed2b7573b8e0

.external-pins/redhat/ubi9___latest

@@ -0,0 +1 @@
+sha256:4495380286c97b9c2635b0b5d6f227bbd9003628be8383a37ff99984eefa42ed

.external-pins/tag.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+# given a filename, return the appropriate image (name:tag)
+
+origDir="$(dirname "$BASH_SOURCE")"
+dir="$(readlink -ve "$origDir")"
+
+for file; do
+	abs="$(readlink -vm "$file")"
+	rel="${abs#$dir/}"
+	rel="${rel##*.external-pins/}" # in case we weren't inside "$dir" but the path is legit
+	if [ "$rel" = "$abs" ]; then
+		echo >&2 "error: '$file' is not within '$origDir'"
+		echo >&2 "('$abs' vs '$dir')"
+		exit 1
+	fi
+
+	img="${rel/___/:}" # see ".external-pins/list.sh"
+	if [ "$img" = "$rel" ]; then
+		echo >&2 "error: '$file' does not contain ':' ('___') -- this violates our assumptions!"
+		exit 1
+	fi
+
+	echo "$img"
+done

.external-pins/tianon/buildkit___0.16

@@ -0,0 +1 @@
+sha256:52c0b22f58329ed337a9b949695c42963ab7cefe051796614c6e29e1ef24c39a

.external-pins/update.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+dir="$(dirname "$BASH_SOURCE")"
+
+if [ "$#" -eq 0 ]; then
+	images="$("$dir/list.sh")"
+	set -- $images
+fi
+
+for img; do
+	echo -n "$img -> "
+
+	if [[ "$img" != *:* ]]; then
+		echo >&2 "error: '$img' does not contain ':' -- this violates our assumptions! (did you mean '$img:latest' ?)"
+		exit 1
+	fi
+
+	digest="$(bashbrew remote arches --json "$img" | jq -r '.desc.digest')"
+
+	imgFile="$("$dir/file.sh" "$img")"
+	imgDir="$(dirname "$imgFile")"
+	mkdir -p "$imgDir"
+	echo "$digest" | tee "$imgFile"
+done

.github/CODEOWNERS

@@ -0,0 +1,26 @@
+*  @docker-library/maintainers
+
+# give Laurent a bit more responsibility / authority on images where he's comfortable and knowledgeable 🎉
+/library/bash             @LaurentGoderre  @docker-library/maintainers
+/library/docker           @LaurentGoderre  @docker-library/maintainers
+/library/express-gateway  @LaurentGoderre  @docker-library/maintainers
+/library/ghost            @LaurentGoderre  @docker-library/maintainers
+/library/httpd            @LaurentGoderre  @docker-library/maintainers
+/library/kong             @LaurentGoderre  @docker-library/maintainers
+/library/mongo            @LaurentGoderre  @docker-library/maintainers
+/library/mongo-express    @LaurentGoderre  @docker-library/maintainers
+/library/nginx            @LaurentGoderre  @docker-library/maintainers
+/library/node             @LaurentGoderre  @docker-library/maintainers
+/library/oraclelinux      @LaurentGoderre  @docker-library/maintainers
+/library/postgres         @LaurentGoderre  @docker-library/maintainers
+/library/python           @LaurentGoderre  @docker-library/maintainers
+/library/rabbitmq         @LaurentGoderre  @docker-library/maintainers
+/library/redis            @LaurentGoderre  @docker-library/maintainers
+/library/redmine          @LaurentGoderre  @docker-library/maintainers
+/library/registry         @LaurentGoderre  @docker-library/maintainers
+/library/ruby             @LaurentGoderre  @docker-library/maintainers
+/library/traefik          @LaurentGoderre  @docker-library/maintainers
+/library/ubuntu           @LaurentGoderre  @docker-library/maintainers
+
+# make sure we check with Laurent before we update our SBOM indexer (he follows and is involved in those releases more closely than the rest of us) 👀
+/.external-pins/docker/scout-sbom-indexer*  @LaurentGoderre

.github/workflows/.bashbrew/action.yml

@@ -10,8 +10,8 @@ runs:
 
     # these two version numbers are intentionally as close together as I could possibly get them because no matter what I tried, GitHub will not allow me to DRY them (can't have any useful variables in `uses:` and can't even have YAML references to steal it in `env:` or something)
     - shell: 'bash -Eeuo pipefail -x {0}'
-      run:    echo BASHBREW_VERSION=v0.1.5 >> "$GITHUB_ENV"
-    - uses: docker-library/[email protected].5
+      run:    echo BASHBREW_VERSION=v0.1.13 >> "$GITHUB_ENV"
+    - uses: docker-library/[email protected].13
       if: inputs.build == 'host'
 
     - run: docker build --pull --tag oisupport/bashbrew:base "https://github.com/docker-library/bashbrew.git#$BASHBREW_VERSION"