diff --git a/images/ubuntu/scripts/build/install-docker.sh b/images/ubuntu/scripts/build/install-docker.sh index 73ed38e57..8c759d8df 100644 --- a/images/ubuntu/scripts/build/install-docker.sh +++ b/images/ubuntu/scripts/build/install-docker.sh @@ -2,7 +2,7 @@ ################################################################################ ## File: install-docker.sh ## Desc: Install docker onto the image -## Supply chain security: Docker Compose v2, amazon-ecr-credential-helper - checksum validation +## Supply chain security: amazon-ecr-credential-helper - dynamic checksum validation ################################################################################ # Source the helpers for use with the script @@ -17,34 +17,36 @@ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o $GPG_ echo "deb [arch=amd64 signed-by=$GPG_KEY] $REPO_URL ${os_codename} stable" > $REPO_PATH apt-get update -for pkg in containerd.io docker-ce-cli docker-ce docker-buildx-plugin; do - version=$(get_toolset_value ".docker.components.\"$pkg\"") +# Install docker components which available via apt-get +# Using toolsets keep installation order to install dependencies before the package in order to control versions + +components=$(get_toolset_value '.docker.components[] .package') +for package in $components; do + version=$(get_toolset_value ".docker.components[] | select(.package == \"$package\") | .version") if [[ $version == "latest" ]]; then - components_to_install+="${pkg} " + apt-get install -y --no-install-recommends "$package" else - version_string=$(apt-cache madison "${pkg}" | awk '{ print $3 }' | grep "${version}" | grep "${os_codename}" | head -1) - components_to_install+="${pkg}=${version_string} " + version_string=$(apt-cache madison "$package" | awk '{ print $3 }' | grep "$version" | grep "$os_codename" | head -1) + apt-get install -y --no-install-recommends "${package}=${version_string}" fi done -apt-get install -y --no-install-recommends $components_to_install -# Download docker compose v2 from releases -# Temporaty pinned to v2.23.3 due https://github.com/actions/runner-images/issues/9172 -compose_version=$(get_toolset_value ".docker.components.compose") -URL=$(resolve_github_release_asset_url "docker/compose" "endswith(\"compose-linux-x86_64\")" "${compose_version}") -compose_binary_path=$(download_with_retry "${URL}" "/tmp/docker-compose-v2") +# Install plugins that are best installed from the GitHub repository +# Be aware that `url` built from github repo name and plugin name because of current repo naming for those plugins -# Supply chain security - Docker Compose v2 -compose_hash_url=$(resolve_github_release_asset_url "docker/compose" "endswith(\"checksums.txt\")" "${compose_version}") -compose_external_hash=$(get_checksum_from_url "${compose_hash_url}" "compose-linux-x86_64" "SHA256") -use_checksum_comparison "${compose_binary_path}" "${compose_external_hash}" - -# Install docker compose v2 -install "${compose_binary_path}" /usr/libexec/docker/cli-plugins/docker-compose +plugins=$(get_toolset_value '.docker.plugins[] .plugin') +for plugin in $plugins; do + version=$(get_toolset_value ".docker.plugins[] | select(.plugin == \"$plugin\") | .version") + filter=$(get_toolset_value ".docker.plugins[] | select(.plugin == \"$plugin\") | .asset") + url=$(resolve_github_release_asset_url "docker/$plugin" "endswith(\"$filter\")" "$version") + binary_path=$(download_with_retry "$url" "/tmp/docker-$plugin") + mkdir -pv "/usr/libexec/docker/cli-plugins" + install "$binary_path" "/usr/libexec/docker/cli-plugins/docker-$plugin" +done # docker from official repo introduced different GID generation: https://github.com/actions/runner-images/issues/8157 gid=$(cut -d ":" -f 3 /etc/group | grep "^1..$" | sort -n | tail -n 1 | awk '{ print $1+1 }') -groupmod -g $gid docker +groupmod -g "$gid" docker chgrp -hR docker /run/docker.sock # Enable docker.service diff --git a/images/ubuntu/scripts/tests/Tools.Tests.ps1 b/images/ubuntu/scripts/tests/Tools.Tests.ps1 index 3e42763fc..a58f052e9 100644 --- a/images/ubuntu/scripts/tests/Tools.Tests.ps1 +++ b/images/ubuntu/scripts/tests/Tools.Tests.ps1 @@ -65,16 +65,31 @@ Describe "Rust" { } Describe "Docker" { - It "docker" { - "docker --version" | Should -ReturnZeroExitCode + It "docker client" { + $version=(Get-ToolsetContent).docker.components | Where-Object { $_.package -eq 'docker-ce-cli' } | Select-Object -ExpandProperty version + If ($version -ne "latest") { + $(docker version --format '{{.Client.Version}}') | Should -BeLike "*$version*" + }else{ + "docker version --format '{{.Client.Version}}'" | Should -ReturnZeroExitCode + } } It "docker buildx" { - "docker buildx" | Should -ReturnZeroExitCode + $version=(Get-ToolsetContent).docker.plugins | Where-Object { $_.plugin -eq 'buildx' } | Select-Object -ExpandProperty version + If ($version -ne "latest") { + $(docker buildx version) | Should -BeLike "*$version*" + }else{ + "docker buildx" | Should -ReturnZeroExitCode + } } It "docker compose v2" { - "docker compose" | Should -ReturnZeroExitCode + $version=(Get-ToolsetContent).docker.plugins | Where-Object { $_.plugin -eq 'compose' } | Select-Object -ExpandProperty version + If ($version -ne "latest") { + $(docker compose version --short) | Should -BeLike "*$version*" + }else{ + "docker compose version --short" | Should -ReturnZeroExitCode + } } It "docker-credential-ecr-login" { diff --git a/images/ubuntu/toolsets/toolset-2004.json b/images/ubuntu/toolsets/toolset-2004.json index bbf28474d..203e620ac 100644 --- a/images/ubuntu/toolsets/toolset-2004.json +++ b/images/ubuntu/toolsets/toolset-2004.json @@ -237,13 +237,32 @@ "node:20-alpine", "ubuntu:20.04" ], - "components": { - "docker-ce": "24.0.7", - "docker-ce-cli": "24.0.7", - "containerd.io": "latest", - "docker-buildx-plugin": "latest", - "compose": "2.23.3" - } + "components": [ + { + "package": "containerd.io", + "version": "latest" + }, + { + "package": "docker-ce-cli", + "version": "24.0.7" + }, + { + "package": "docker-ce", + "version": "24.0.7" + } + ], + "plugins": [ + { + "plugin": "buildx", + "version": "latest", + "asset": "linux-amd64" + }, + { + "plugin": "compose", + "version": "2.23.3", + "asset": "linux-x86_64" + } + ] }, "pipx": [ { diff --git a/images/ubuntu/toolsets/toolset-2204.json b/images/ubuntu/toolsets/toolset-2204.json index 57a741ac3..23df32a66 100644 --- a/images/ubuntu/toolsets/toolset-2204.json +++ b/images/ubuntu/toolsets/toolset-2204.json @@ -228,13 +228,32 @@ "ubuntu:20.04", "ubuntu:22.04" ], - "components": { - "docker-ce": "24.0.7", - "docker-ce-cli": "24.0.7", - "containerd.io": "latest", - "docker-buildx-plugin": "latest", - "compose": "2.23.3" - } + "components": [ + { + "package": "containerd.io", + "version": "latest" + }, + { + "package": "docker-ce-cli", + "version": "24.0.7" + }, + { + "package": "docker-ce", + "version": "24.0.7" + } + ], + "plugins": [ + { + "plugin": "buildx", + "version": "latest", + "asset": "linux-amd64" + }, + { + "plugin": "compose", + "version": "2.23.3", + "asset": "linux-x86_64" + } + ] }, "pipx": [ {