From cae1fc70c6c5d079f8b50bf00481d5522c0994e6 Mon Sep 17 00:00:00 2001 From: Andy Li Date: Tue, 4 Jun 2024 04:56:31 +0100 Subject: [PATCH] update devcontainer to use ubuntu 24.04 --- .devcontainer/docker-compose.yml | 2 +- .../library-scripts/common-debian.sh | 395 --------------- .../library-scripts/docker-debian.sh | 182 ------- .../docker-outside-of-docker.sh | 455 ++++++++++++++++++ .github/workflows/ci.yml | 2 +- .terraform.lock.hcl | 29 +- Earthfile | 71 +-- 7 files changed, 522 insertions(+), 614 deletions(-) delete mode 100644 .devcontainer/library-scripts/common-debian.sh delete mode 100644 .devcontainer/library-scripts/docker-debian.sh create mode 100644 .devcontainer/library-scripts/docker-outside-of-docker.sh diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml index 1d2699f..fe7a240 100644 --- a/.devcontainer/docker-compose.yml +++ b/.devcontainer/docker-compose.yml @@ -1,7 +1,7 @@ version: '3' services: workspace: - image: haxe/terraform_devcontainer_workspace:20240527203536 + image: haxe/terraform_devcontainer_workspace:20240604034917 init: true volumes: - /var/run/docker.sock:/var/run/docker-host.sock diff --git a/.devcontainer/library-scripts/common-debian.sh b/.devcontainer/library-scripts/common-debian.sh deleted file mode 100644 index 1bb6a23..0000000 --- a/.devcontainer/library-scripts/common-debian.sh +++ /dev/null @@ -1,395 +0,0 @@ -#!/usr/bin/env bash -#------------------------------------------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information. -#------------------------------------------------------------------------------------------------------------- -# -# Docs: https://github.com/microsoft/vscode-dev-containers/blob/master/script-library/docs/common.md -# Maintainer: The VS Code and Codespaces Teams -# -# Syntax: ./common-debian.sh [install zsh flag] [username] [user UID] [user GID] [upgrade packages flag] [install Oh My Zsh! flag] [Add non-free packages] - -INSTALL_ZSH=${1:-"true"} -USERNAME=${2:-"automatic"} -USER_UID=${3:-"automatic"} -USER_GID=${4:-"automatic"} -UPGRADE_PACKAGES=${5:-"true"} -INSTALL_OH_MYS=${6:-"true"} -ADD_NON_FREE_PACKAGES=${7:-"false"} - -set -e - -if [ "$(id -u)" -ne 0 ]; then - echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.' - exit 1 -fi - -# Ensure that login shells get the correct path if the user updated the PATH using ENV. -rm -f /etc/profile.d/00-restore-env.sh -echo "export PATH=${PATH//$(sh -lc 'echo $PATH')/\$PATH}" > /etc/profile.d/00-restore-env.sh -chmod +x /etc/profile.d/00-restore-env.sh - -# If in automatic mode, determine if a user already exists, if not use vscode -if [ "${USERNAME}" = "auto" ] || [ "${USERNAME}" = "automatic" ]; then - USERNAME="" - POSSIBLE_USERS=("vscode" "node" "codespace" "$(awk -v val=1000 -F ":" '$3==val{print $1}' /etc/passwd)") - for CURRENT_USER in ${POSSIBLE_USERS[@]}; do - if id -u ${CURRENT_USER} > /dev/null 2>&1; then - USERNAME=${CURRENT_USER} - break - fi - done - if [ "${USERNAME}" = "" ]; then - USERNAME=vscode - fi -elif [ "${USERNAME}" = "none" ]; then - USERNAME=root - USER_UID=0 - USER_GID=0 -fi - -# Load markers to see which steps have already run -MARKER_FILE="/usr/local/etc/vscode-dev-containers/common" -if [ -f "${MARKER_FILE}" ]; then - echo "Marker file found:" - cat "${MARKER_FILE}" - source "${MARKER_FILE}" -fi - -# Ensure apt is in non-interactive to avoid prompts -export DEBIAN_FRONTEND=noninteractive - -# Function to call apt-get if needed -apt-get-update-if-needed() -{ - if [ ! -d "/var/lib/apt/lists" ] || [ "$(ls /var/lib/apt/lists/ | wc -l)" = "0" ]; then - echo "Running apt-get update..." - apt-get update - else - echo "Skipping apt-get update." - fi -} - -# Run install apt-utils to avoid debconf warning then verify presence of other common developer tools and dependencies -if [ "${PACKAGES_ALREADY_INSTALLED}" != "true" ]; then - - PACKAGE_LIST="apt-utils \ - git \ - openssh-client \ - gnupg2 \ - iproute2 \ - procps \ - lsof \ - htop \ - net-tools \ - psmisc \ - curl \ - wget \ - rsync \ - ca-certificates \ - unzip \ - zip \ - nano \ - vim-tiny \ - less \ - jq \ - lsb-release \ - apt-transport-https \ - dialog \ - libc6 \ - libgcc1 \ - libkrb5-3 \ - libgssapi-krb5-2 \ - libicu[0-9][0-9] \ - liblttng-ust0 \ - libstdc++6 \ - zlib1g \ - locales \ - sudo \ - ncdu \ - man-db \ - strace \ - manpages \ - manpages-dev " - - # Needed for adding manpages-posix and manpages-posix-dev which are non-free packages in Debian - if [ "${ADD_NON_FREE_PACKAGES}" = "true" ]; then - CODENAME="$(cat /etc/os-release | grep -oE '^VERSION_CODENAME=.+$' | cut -d'=' -f2)" - sed -i "s/deb http:\/\/deb\.debian\.org\/debian ${CODENAME} main/deb http:\/\/deb\.debian\.org\/debian ${CODENAME} main contrib non-free/" /etc/apt/sources.list - sed -i "s/deb-src http:\/\/deb\.debian\.org\/debian ${CODENAME} main/deb http:\/\/deb\.debian\.org\/debian ${CODENAME} main contrib non-free/" /etc/apt/sources.list - sed -i "s/deb http:\/\/deb\.debian\.org\/debian ${CODENAME}-updates main/deb http:\/\/deb\.debian\.org\/debian ${CODENAME}-updates main contrib non-free/" /etc/apt/sources.list - sed -i "s/deb-src http:\/\/deb\.debian\.org\/debian ${CODENAME}-updates main/deb http:\/\/deb\.debian\.org\/debian ${CODENAME}-updates main contrib non-free/" /etc/apt/sources.list - sed -i "s/deb http:\/\/security\.debian\.org\/debian-security ${CODENAME}\/updates main/deb http:\/\/security\.debian\.org\/debian-security ${CODENAME}\/updates main contrib non-free/" /etc/apt/sources.list - sed -i "s/deb-src http:\/\/security\.debian\.org\/debian-security ${CODENAME}\/updates main/deb http:\/\/security\.debian\.org\/debian-security ${CODENAME}\/updates main contrib non-free/" /etc/apt/sources.list - sed -i "s/deb http:\/\/deb\.debian\.org\/debian ${CODENAME}-backports main/deb http:\/\/deb\.debian\.org\/debian ${CODENAME}-backports main contrib non-free/" /etc/apt/sources.list - sed -i "s/deb-src http:\/\/deb\.debian\.org\/debian ${CODENAME}-backports main/deb http:\/\/deb\.debian\.org\/debian ${CODENAME}-backports main contrib non-free/" /etc/apt/sources.list - echo "Running apt-get update..." - apt-get update - PACKAGE_LIST="${PACKAGE_LIST} manpages-posix manpages-posix-dev" - else - apt-get-update-if-needed - fi - - # Install libssl1.1 if available - if [[ ! -z $(apt-cache --names-only search ^libssl1.1$) ]]; then - PACKAGE_LIST="${PACKAGE_LIST} libssl1.1" - fi - - # Install appropriate version of libssl1.0.x if available - LIBSSL=$(dpkg-query -f '${db:Status-Abbrev}\t${binary:Package}\n' -W 'libssl1\.0\.?' 2>&1 || echo '') - if [ "$(echo "$LIBSSL" | grep -o 'libssl1\.0\.[0-9]:' | uniq | sort | wc -l)" -eq 0 ]; then - if [[ ! -z $(apt-cache --names-only search ^libssl1.0.2$) ]]; then - # Debian 9 - PACKAGE_LIST="${PACKAGE_LIST} libssl1.0.2" - elif [[ ! -z $(apt-cache --names-only search ^libssl1.0.0$) ]]; then - # Ubuntu 18.04, 16.04, earlier - PACKAGE_LIST="${PACKAGE_LIST} libssl1.0.0" - fi - fi - - echo "Packages to verify are installed: ${PACKAGE_LIST}" - apt-get -y install --no-install-recommends ${PACKAGE_LIST} 2> >( grep -v 'debconf: delaying package configuration, since apt-utils is not installed' >&2 ) - - PACKAGES_ALREADY_INSTALLED="true" -fi - -# Get to latest versions of all packages -if [ "${UPGRADE_PACKAGES}" = "true" ]; then - apt-get-update-if-needed - apt-get -y upgrade --no-install-recommends - apt-get autoremove -y -fi - -# Ensure at least the en_US.UTF-8 UTF-8 locale is available. -# Common need for both applications and things like the agnoster ZSH theme. -if [ "${LOCALE_ALREADY_SET}" != "true" ] && ! grep -o -E '^\s*en_US.UTF-8\s+UTF-8' /etc/locale.gen > /dev/null; then - echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen - locale-gen - LOCALE_ALREADY_SET="true" -fi - -# Create or update a non-root user to match UID/GID. -if id -u ${USERNAME} > /dev/null 2>&1; then - # User exists, update if needed - if [ "${USER_GID}" != "automatic" ] && [ "$USER_GID" != "$(id -G $USERNAME)" ]; then - groupmod --gid $USER_GID $USERNAME - usermod --gid $USER_GID $USERNAME - fi - if [ "${USER_UID}" != "automatic" ] && [ "$USER_UID" != "$(id -u $USERNAME)" ]; then - usermod --uid $USER_UID $USERNAME - fi -else - # Create user - if [ "${USER_GID}" = "automatic" ]; then - groupadd $USERNAME - else - groupadd --gid $USER_GID $USERNAME - fi - if [ "${USER_UID}" = "automatic" ]; then - useradd -s /bin/bash --gid $USERNAME -m $USERNAME - else - useradd -s /bin/bash --uid $USER_UID --gid $USERNAME -m $USERNAME - fi -fi - -# Add add sudo support for non-root user -if [ "${USERNAME}" != "root" ] && [ "${EXISTING_NON_ROOT_USER}" != "${USERNAME}" ]; then - echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME - chmod 0440 /etc/sudoers.d/$USERNAME - EXISTING_NON_ROOT_USER="${USERNAME}" -fi - -# ** Shell customization section ** -if [ "${USERNAME}" = "root" ]; then - USER_RC_PATH="/root" -else - USER_RC_PATH="/home/${USERNAME}" -fi - -# .bashrc/.zshrc snippet -RC_SNIPPET="$(cat << 'EOF' - -if [ -z "${USER}" ]; then export USER=$(whoami); fi -if [[ "${PATH}" != *"$HOME/.local/bin"* ]]; then export PATH="${PATH}:$HOME/.local/bin"; fi - -# Display optional first run image specific notice if configured and terminal is interactive -if [ -t 1 ] && [ ! -f "$HOME/.config/vscode-dev-containers/first-run-notice-already-displayed" ]; then - if [ -f "/usr/local/etc/vscode-dev-containers/first-run-notice.txt" ]; then - cat "/usr/local/etc/vscode-dev-containers/first-run-notice.txt" - elif [ -f "/workspaces/.codespaces/shared/first-run-notice.txt" ]; then - cat "/workspaces/.codespaces/shared/first-run-notice.txt" - fi - mkdir -p "$HOME/.config/vscode-dev-containers" - # Mark first run notice as displayed after 10s to avoid problems with fast terminal refreshes hiding it - ((sleep 10s; touch "$HOME/.config/vscode-dev-containers/first-run-notice-already-displayed") &) -fi - -EOF -)" - -# code shim, it fallbacks to code-insiders if code is not available -cat << 'EOF' > /usr/local/bin/code -#!/bin/sh - -get_in_path_except_current() { - which -a "$1" | grep -A1 "$0" | grep -v "$0" -} - -code="$(get_in_path_except_current code)" - -if [ -n "$code" ]; then - exec "$code" "$@" -elif [ "$(command -v code-insiders)" ]; then - exec code-insiders "$@" -else - echo "code or code-insiders is not installed" >&2 - exit 127 -fi -EOF -chmod +x /usr/local/bin/code - -# Codespaces bash and OMZ themes - partly inspired by https://github.com/ohmyzsh/ohmyzsh/blob/master/themes/robbyrussell.zsh-theme -CODESPACES_BASH="$(cat \ -<<'EOF' - -# Codespaces bash prompt theme -__bash_prompt() { - local userpart='`export XIT=$? \ - && [ ! -z "${GITHUB_USER}" ] && echo -n "\[\033[0;32m\]@${GITHUB_USER} " || echo -n "\[\033[0;32m\]\u " \ - && [ "$XIT" -ne "0" ] && echo -n "\[\033[1;31m\]➜" || echo -n "\[\033[0m\]➜"`' - local gitbranch='`\ - export BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null); \ - if [ "${BRANCH}" = "HEAD" ]; then \ - export BRANCH=$(git describe --contains --all HEAD 2>/dev/null); \ - fi; \ - if [ "${BRANCH}" != "" ]; then \ - echo -n "\[\033[0;36m\](\[\033[1;31m\]${BRANCH}" \ - && if git ls-files --error-unmatch -m --directory --no-empty-directory -o --exclude-standard ":/*" > /dev/null 2>&1; then \ - echo -n " \[\033[1;33m\]✗"; \ - fi \ - && echo -n "\[\033[0;36m\]) "; \ - fi`' - local lightblue='\[\033[1;34m\]' - local removecolor='\[\033[0m\]' - PS1="${userpart} ${lightblue}\w ${gitbranch}${removecolor}\$ " - unset -f __bash_prompt -} -__bash_prompt - -EOF -)" -CODESPACES_ZSH="$(cat \ -<<'EOF' -__zsh_prompt() { - local prompt_username - if [ ! -z "${GITHUB_USER}" ]; then - prompt_username="@${GITHUB_USER}" - else - prompt_username="%n" - fi - PROMPT="%{$fg[green]%}${prompt_username} %(?:%{$reset_color%}➜ :%{$fg_bold[red]%}➜ )" - PROMPT+='%{$fg_bold[blue]%}%~%{$reset_color%} $(git_prompt_info)%{$fg[white]%}$ %{$reset_color%}' - unset -f __zsh_prompt -} -ZSH_THEME_GIT_PROMPT_PREFIX="%{$fg_bold[cyan]%}(%{$fg_bold[red]%}" -ZSH_THEME_GIT_PROMPT_SUFFIX="%{$reset_color%} " -ZSH_THEME_GIT_PROMPT_DIRTY=" %{$fg_bold[yellow]%}✗%{$fg_bold[cyan]%})" -ZSH_THEME_GIT_PROMPT_CLEAN="%{$fg_bold[cyan]%})" -__zsh_prompt -EOF -)" - -# Add notice that Oh My Bash! has been removed from images and how to provide information on how to install manually -OMB_README="$(cat \ -<<'EOF' -"Oh My Bash!" has been removed from this image in favor of a simple shell prompt. If you -still wish to use it, remove "~/.oh-my-bash" and install it from: https://github.com/ohmybash/oh-my-bash -You may also want to consider "Bash-it" as an alternative: https://github.com/bash-it/bash-it -See here for infomation on adding it to your image or dotfiles: https://aka.ms/codespaces/omb-remove -EOF -)" -OMB_STUB="$(cat \ -<<'EOF' -#!/usr/bin/env bash -if [ -t 1 ]; then - cat $HOME/.oh-my-bash/README.md -fi -EOF -)" - -# Add RC snippet and custom bash prompt -if [ "${RC_SNIPPET_ALREADY_ADDED}" != "true" ]; then - echo "${RC_SNIPPET}" >> /etc/bash.bashrc - echo "${CODESPACES_BASH}" >> "${USER_RC_PATH}/.bashrc" - if [ "${USERNAME}" != "root" ]; then - echo "${CODESPACES_BASH}" >> "/root/.bashrc" - fi - chown ${USERNAME}:${USERNAME} "${USER_RC_PATH}/.bashrc" - RC_SNIPPET_ALREADY_ADDED="true" -fi - -# Add stub for Oh My Bash! -if [ ! -d "${USER_RC_PATH}/.oh-my-bash}" ] && [ "${INSTALL_OH_MYS}" = "true" ]; then - mkdir -p "${USER_RC_PATH}/.oh-my-bash" "/root/.oh-my-bash" - echo "${OMB_README}" >> "${USER_RC_PATH}/.oh-my-bash/README.md" - echo "${OMB_STUB}" >> "${USER_RC_PATH}/.oh-my-bash/oh-my-bash.sh" - chmod +x "${USER_RC_PATH}/.oh-my-bash/oh-my-bash.sh" - if [ "${USERNAME}" != "root" ]; then - echo "${OMB_README}" >> "/root/.oh-my-bash/README.md" - echo "${OMB_STUB}" >> "/root/.oh-my-bash/oh-my-bash.sh" - chmod +x "/root/.oh-my-bash/oh-my-bash.sh" - fi - chown -R "${USERNAME}:${USERNAME}" "${USER_RC_PATH}/.oh-my-bash" -fi - -# Optionally install and configure zsh and Oh My Zsh! -if [ "${INSTALL_ZSH}" = "true" ]; then - if ! type zsh > /dev/null 2>&1; then - apt-get-update-if-needed - apt-get install -y zsh - fi - if [ "${ZSH_ALREADY_INSTALLED}" != "true" ]; then - echo "${RC_SNIPPET}" >> /etc/zsh/zshrc - ZSH_ALREADY_INSTALLED="true" - fi - - # Adapted, simplified inline Oh My Zsh! install steps that adds, defaults to a codespaces theme. - # See https://github.com/ohmyzsh/ohmyzsh/blob/master/tools/install.sh for offical script. - OH_MY_INSTALL_DIR="${USER_RC_PATH}/.oh-my-zsh" - if [ ! -d "${OH_MY_INSTALL_DIR}" ] && [ "${INSTALL_OH_MYS}" = "true" ]; then - TEMPLATE_PATH="${OH_MY_INSTALL_DIR}/templates/zshrc.zsh-template" - USER_RC_FILE="${USER_RC_PATH}/.zshrc" - umask g-w,o-w - mkdir -p ${OH_MY_INSTALL_DIR} - git clone --depth=1 \ - -c core.eol=lf \ - -c core.autocrlf=false \ - -c fsck.zeroPaddedFilemode=ignore \ - -c fetch.fsck.zeroPaddedFilemode=ignore \ - -c receive.fsck.zeroPaddedFilemode=ignore \ - "https://github.com/ohmyzsh/ohmyzsh" "${OH_MY_INSTALL_DIR}" 2>&1 - echo -e "$(cat "${TEMPLATE_PATH}")\nDISABLE_AUTO_UPDATE=true\nDISABLE_UPDATE_PROMPT=true" > ${USER_RC_FILE} - sed -i -e 's/ZSH_THEME=.*/ZSH_THEME="codespaces"/g' ${USER_RC_FILE} - mkdir -p ${OH_MY_INSTALL_DIR}/custom/themes - echo "${CODESPACES_ZSH}" > "${OH_MY_INSTALL_DIR}/custom/themes/codespaces.zsh-theme" - # Shrink git while still enabling updates - cd "${OH_MY_INSTALL_DIR}" - git repack -a -d -f --depth=1 --window=1 - # Copy to non-root user if one is specified - if [ "${USERNAME}" != "root" ]; then - cp -rf "${USER_RC_FILE}" "${OH_MY_INSTALL_DIR}" /root - chown -R ${USERNAME}:${USERNAME} "${USER_RC_PATH}" - fi - fi -fi - -# Write marker file -mkdir -p "$(dirname "${MARKER_FILE}")" -echo -e "\ - PACKAGES_ALREADY_INSTALLED=${PACKAGES_ALREADY_INSTALLED}\n\ - LOCALE_ALREADY_SET=${LOCALE_ALREADY_SET}\n\ - EXISTING_NON_ROOT_USER=${EXISTING_NON_ROOT_USER}\n\ - RC_SNIPPET_ALREADY_ADDED=${RC_SNIPPET_ALREADY_ADDED}\n\ - ZSH_ALREADY_INSTALLED=${ZSH_ALREADY_INSTALLED}" > "${MARKER_FILE}" - -echo "Done!" diff --git a/.devcontainer/library-scripts/docker-debian.sh b/.devcontainer/library-scripts/docker-debian.sh deleted file mode 100644 index 11fc35c..0000000 --- a/.devcontainer/library-scripts/docker-debian.sh +++ /dev/null @@ -1,182 +0,0 @@ -#!/usr/bin/env bash -#------------------------------------------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information. -#------------------------------------------------------------------------------------------------------------- -# -# Docs: https://github.com/microsoft/vscode-dev-containers/blob/master/script-library/docs/docker.md -# Maintainer: The VS Code and Codespaces Teams -# -# Syntax: ./docker-debian.sh [enable non-root docker socket access flag] [source socket] [target socket] [non-root user] [use moby] - -ENABLE_NONROOT_DOCKER=${1:-"true"} -SOURCE_SOCKET=${2:-"/var/run/docker-host.sock"} -TARGET_SOCKET=${3:-"/var/run/docker.sock"} -USERNAME=${4:-"automatic"} -USE_MOBY=${5:-"true"} - -set -e - -if [ "$(id -u)" -ne 0 ]; then - echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.' - exit 1 -fi - -# Determine the appropriate non-root user -if [ "${USERNAME}" = "auto" ] || [ "${USERNAME}" = "automatic" ]; then - USERNAME="" - POSSIBLE_USERS=("vscode" "node" "codespace" "$(awk -v val=1000 -F ":" '$3==val{print $1}' /etc/passwd)") - for CURRENT_USER in ${POSSIBLE_USERS[@]}; do - if id -u ${CURRENT_USER} > /dev/null 2>&1; then - USERNAME=${CURRENT_USER} - break - fi - done - if [ "${USERNAME}" = "" ]; then - USERNAME=root - fi -elif [ "${USERNAME}" = "none" ] || ! id -u ${USERNAME} > /dev/null 2>&1; then - USERNAME=root -fi - -# Function to run apt-get if needed -apt-get-update-if-needed() -{ - if [ ! -d "/var/lib/apt/lists" ] || [ "$(ls /var/lib/apt/lists/ | wc -l)" = "0" ]; then - echo "Running apt-get update..." - apt-get update - else - echo "Skipping apt-get update." - fi -} - -# Ensure apt is in non-interactive to avoid prompts -export DEBIAN_FRONTEND=noninteractive - -# Install apt-transport-https, curl, lsb-release, gpg if missing -if ! dpkg -s apt-transport-https curl ca-certificates lsb-release > /dev/null 2>&1 || ! type gpg > /dev/null 2>&1; then - apt-get-update-if-needed - apt-get -y install --no-install-recommends apt-transport-https curl ca-certificates lsb-release gnupg2 -fi - -# Install Docker / Moby CLI if not already installed -if type docker > /dev/null 2>&1; then - echo "Docker / Moby CLI already installed." -else - if [ "${USE_MOBY}" = "true" ]; then - DISTRO=$(lsb_release -is | tr '[:upper:]' '[:lower:]') - CODENAME=$(lsb_release -cs) - curl -s https://packages.microsoft.com/keys/microsoft.asc | (OUT=$(apt-key add - 2>&1) || echo $OUT) - echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-${DISTRO}-${CODENAME}-prod ${CODENAME} main" > /etc/apt/sources.list.d/microsoft.list - apt-get update - apt-get -y install --no-install-recommends moby-cli - else - curl -fsSL https://download.docker.com/linux/$(lsb_release -is | tr '[:upper:]' '[:lower:]')/gpg | (OUT=$(apt-key add - 2>&1) || echo $OUT) - echo "deb [arch=amd64] https://download.docker.com/linux/$(lsb_release -is | tr '[:upper:]' '[:lower:]') $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list - apt-get update - apt-get -y install --no-install-recommends docker-ce-cli - fi -fi - -# Install Docker Compose if not already installed -if type docker-compose > /dev/null 2>&1; then - echo "Docker Compose already installed." -else - LATEST_COMPOSE_VERSION=$(curl -sSL "https://api.github.com/repos/docker/compose/releases/latest" | grep -o -P '(?<="tag_name": ").+(?=")') - curl -sSL "https://github.com/docker/compose/releases/download/${LATEST_COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose - chmod +x /usr/local/bin/docker-compose -fi - -# If init file already exists, exit -if [ -f "/usr/local/share/docker-init.sh" ]; then - exit 0 -fi - -# By default, make the source and target sockets the same -if [ "${SOURCE_SOCKET}" != "${TARGET_SOCKET}" ]; then - touch "${SOURCE_SOCKET}" - ln -s "${SOURCE_SOCKET}" "${TARGET_SOCKET}" -fi - -# Add a stub if not adding non-root user access, user is root -if [ "${ENABLE_NONROOT_DOCKER}" = "false" ] || [ "${USERNAME}" = "root" ]; then - echo '/usr/bin/env bash -c "\$@"' > /usr/local/share/docker-init.sh - chmod +x /usr/local/share/docker-init.sh - exit 0 -fi - -# If enabling non-root access and specified user is found, setup socat and add script -chown -h "${USERNAME}":root "${TARGET_SOCKET}" -if ! dpkg -s socat > /dev/null 2>&1; then - apt-get-update-if-needed - apt-get -y install socat -fi -tee /usr/local/share/docker-init.sh > /dev/null \ -<< EOF -#!/usr/bin/env bash -#------------------------------------------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information. -#------------------------------------------------------------------------------------------------------------- - -set -e - -SOCAT_PATH_BASE=/tmp/vscr-docker-from-docker -SOCAT_LOG=\${SOCAT_PATH_BASE}.log -SOCAT_PID=\${SOCAT_PATH_BASE}.pid - -# Wrapper function to only use sudo if not already root -sudoIf() -{ - if [ "\$(id -u)" -ne 0 ]; then - sudo "\$@" - else - "\$@" - fi -} - -# Log messages -log() -{ - echo -e "[\$(date)] \$@" | sudoIf tee -a \${SOCAT_LOG} > /dev/null -} - -echo -e "\n** \$(date) **" | sudoIf tee -a \${SOCAT_LOG} > /dev/null -log "Ensuring ${USERNAME} has access to ${SOURCE_SOCKET} via ${TARGET_SOCKET}" - -# If enabled, try to add a docker group with the right GID. If the group is root, -# fall back on using socat to forward the docker socket to another unix socket so -# that we can set permissions on it without affecting the host. -if [ "${ENABLE_NONROOT_DOCKER}" = "true" ] && [ "${SOURCE_SOCKET}" != "${TARGET_SOCKET}" ] && [ "${USERNAME}" != "root" ] && [ "${USERNAME}" != "0" ]; then - SOCKET_GID=\$(stat -c '%g' ${SOURCE_SOCKET}) - if [ "\${SOCKET_GID}" != "0" ]; then - log "Adding user to group with GID \${SOCKET_GID}." - if [ "\$(cat /etc/group | grep :\${SOCKET_GID}:)" = "" ]; then - sudoIf groupadd --gid \${SOCKET_GID} docker-host - fi - # Add user to group if not already in it - if [ "\$(id ${USERNAME} | grep -E "groups.*(=|,)\${SOCKET_GID}\(")" = "" ]; then - sudoIf usermod -aG \${SOCKET_GID} ${USERNAME} - fi - else - # Enable proxy if not already running - if [ ! -f "\${SOCAT_PID}" ] || ! ps -p \$(cat \${SOCAT_PID}) > /dev/null; then - log "Enabling socket proxy." - log "Proxying ${SOURCE_SOCKET} to ${TARGET_SOCKET} for vscode" - sudoIf rm -rf ${TARGET_SOCKET} - (sudoIf socat UNIX-LISTEN:${TARGET_SOCKET},fork,mode=660,user=${USERNAME} UNIX-CONNECT:${SOURCE_SOCKET} 2>&1 | sudoIf tee -a \${SOCAT_LOG} > /dev/null & echo "\$!" | sudoIf tee \${SOCAT_PID} > /dev/null) - else - log "Socket proxy already running." - fi - fi - log "Success" -fi - -# Execute whatever commands were passed in (if any). This allows us -# to set this script to ENTRYPOINT while still executing the default CMD. -set +e -exec "\$@" -EOF -chmod +x /usr/local/share/docker-init.sh -chown ${USERNAME}:root /usr/local/share/docker-init.sh -echo "Done!" \ No newline at end of file diff --git a/.devcontainer/library-scripts/docker-outside-of-docker.sh b/.devcontainer/library-scripts/docker-outside-of-docker.sh new file mode 100644 index 0000000..de5212f --- /dev/null +++ b/.devcontainer/library-scripts/docker-outside-of-docker.sh @@ -0,0 +1,455 @@ +#!/usr/bin/env bash +#------------------------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information. +#------------------------------------------------------------------------------------------------------------- +# +# Docs: https://github.com/microsoft/vscode-dev-containers/blob/main/script-library/docs/docker.md +# Maintainer: The VS Code and Codespaces Teams + +DOCKER_VERSION="${VERSION:-"latest"}" +USE_MOBY="${MOBY:-"true"}" +MOBY_BUILDX_VERSION="${MOBYBUILDXVERSION:-"latest"}" +DOCKER_DASH_COMPOSE_VERSION="${DOCKERDASHCOMPOSEVERSION:-"v2"}" # v1 or v2 or none + +ENABLE_NONROOT_DOCKER="${ENABLE_NONROOT_DOCKER:-"true"}" +SOURCE_SOCKET="${SOURCE_SOCKET:-"/var/run/docker-host.sock"}" +TARGET_SOCKET="${TARGET_SOCKET:-"/var/run/docker.sock"}" +USERNAME="${USERNAME:-"${_REMOTE_USER:-"automatic"}"}" +INSTALL_DOCKER_BUILDX="${INSTALLDOCKERBUILDX:-"true"}" + +MICROSOFT_GPG_KEYS_URI="https://packages.microsoft.com/keys/microsoft.asc" +DOCKER_MOBY_ARCHIVE_VERSION_CODENAMES="bookworm buster bullseye bionic focal jammy noble" +DOCKER_LICENSED_ARCHIVE_VERSION_CODENAMES="bookworm buster bullseye bionic focal hirsute impish jammy noble" + +set -e + +# Clean up +rm -rf /var/lib/apt/lists/* + +if [ "$(id -u)" -ne 0 ]; then + echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.' + exit 1 +fi + +# Determine the appropriate non-root user +if [ "${USERNAME}" = "auto" ] || [ "${USERNAME}" = "automatic" ]; then + USERNAME="" + POSSIBLE_USERS=("vscode" "node" "codespace" "$(awk -v val=1000 -F ":" '$3==val{print $1}' /etc/passwd)") + for CURRENT_USER in "${POSSIBLE_USERS[@]}"; do + if id -u ${CURRENT_USER} > /dev/null 2>&1; then + USERNAME=${CURRENT_USER} + break + fi + done + if [ "${USERNAME}" = "" ]; then + USERNAME=root + fi +elif [ "${USERNAME}" = "none" ] || ! id -u ${USERNAME} > /dev/null 2>&1; then + USERNAME=root +fi + +apt_get_update() +{ + if [ "$(find /var/lib/apt/lists/* | wc -l)" = "0" ]; then + echo "Running apt-get update..." + apt-get update -y + fi +} + +# Checks if packages are installed and installs them if not +check_packages() { + if ! dpkg -s "$@" > /dev/null 2>&1; then + apt_get_update + apt-get -y install --no-install-recommends "$@" + fi +} + +# Figure out correct version of a three part version number is not passed +find_version_from_git_tags() { + local variable_name=$1 + local requested_version=${!variable_name} + if [ "${requested_version}" = "none" ]; then return; fi + local repository=$2 + local prefix=${3:-"tags/v"} + local separator=${4:-"."} + local last_part_optional=${5:-"false"} + if [ "$(echo "${requested_version}" | grep -o "." | wc -l)" != "2" ]; then + local escaped_separator=${separator//./\\.} + local last_part + if [ "${last_part_optional}" = "true" ]; then + last_part="(${escaped_separator}[0-9]+)?" + else + last_part="${escaped_separator}[0-9]+" + fi + local regex="${prefix}\\K[0-9]+${escaped_separator}[0-9]+${last_part}$" + local version_list="$(git ls-remote --tags ${repository} | grep -oP "${regex}" | tr -d ' ' | tr "${separator}" "." | sort -rV)" + if [ "${requested_version}" = "latest" ] || [ "${requested_version}" = "current" ] || [ "${requested_version}" = "lts" ]; then + declare -g ${variable_name}="$(echo "${version_list}" | head -n 1)" + else + set +e + declare -g ${variable_name}="$(echo "${version_list}" | grep -E -m 1 "^${requested_version//./\\.}([\\.\\s]|$)")" + set -e + fi + fi + if [ -z "${!variable_name}" ] || ! echo "${version_list}" | grep "^${!variable_name//./\\.}$" > /dev/null 2>&1; then + echo -e "Invalid ${variable_name} value: ${requested_version}\nValid values:\n${version_list}" >&2 + exit 1 + fi + echo "${variable_name}=${!variable_name}" +} + +# Use semver logic to decrement a version number then look for the closest match +find_prev_version_from_git_tags() { + local variable_name=$1 + local current_version=${!variable_name} + local repository=$2 + # Normally a "v" is used before the version number, but support alternate cases + local prefix=${3:-"tags/v"} + # Some repositories use "_" instead of "." for version number part separation, support that + local separator=${4:-"."} + # Some tools release versions that omit the last digit (e.g. go) + local last_part_optional=${5:-"false"} + # Some repositories may have tags that include a suffix (e.g. actions/node-versions) + local version_suffix_regex=$6 + # Try one break fix version number less if we get a failure. Use "set +e" since "set -e" can cause failures in valid scenarios. + set +e + major="$(echo "${current_version}" | grep -oE '^[0-9]+' || echo '')" + minor="$(echo "${current_version}" | grep -oP '^[0-9]+\.\K[0-9]+' || echo '')" + breakfix="$(echo "${current_version}" | grep -oP '^[0-9]+\.[0-9]+\.\K[0-9]+' 2>/dev/null || echo '')" + + if [ "${minor}" = "0" ] && [ "${breakfix}" = "0" ]; then + ((major=major-1)) + declare -g ${variable_name}="${major}" + # Look for latest version from previous major release + find_version_from_git_tags "${variable_name}" "${repository}" "${prefix}" "${separator}" "${last_part_optional}" + # Handle situations like Go's odd version pattern where "0" releases omit the last part + elif [ "${breakfix}" = "" ] || [ "${breakfix}" = "0" ]; then + ((minor=minor-1)) + declare -g ${variable_name}="${major}.${minor}" + # Look for latest version from previous minor release + find_version_from_git_tags "${variable_name}" "${repository}" "${prefix}" "${separator}" "${last_part_optional}" + else + ((breakfix=breakfix-1)) + if [ "${breakfix}" = "0" ] && [ "${last_part_optional}" = "true" ]; then + declare -g ${variable_name}="${major}.${minor}" + else + declare -g ${variable_name}="${major}.${minor}.${breakfix}" + fi + fi + set -e +} + +# Function to fetch the version released prior to the latest version +get_previous_version() { + local url=$1 + local repo_url=$2 + local variable_name=$3 + prev_version=${!variable_name} + + output=$(curl -s "$repo_url"); + + check_packages jq + + message=$(echo "$output" | jq -r '.message') + + if [[ $message == "API rate limit exceeded"* ]]; then + echo -e "\nAn attempt to find latest version using GitHub Api Failed... \nReason: ${message}" + echo -e "\nAttempting to find latest version using GitHub tags." + find_prev_version_from_git_tags prev_version "$url" "tags/v" + declare -g ${variable_name}="${prev_version}" + else + echo -e "\nAttempting to find latest version using GitHub Api." + version=$(echo "$output" | jq -r '.tag_name') + declare -g ${variable_name}="${version#v}" + fi + echo "${variable_name}=${!variable_name}" +} + +get_github_api_repo_url() { + local url=$1 + echo "${url/https:\/\/github.com/https:\/\/api.github.com\/repos}/releases/latest" +} + +install_compose_switch_fallback() { + compose_switch_url=$1 + repo_url=$(get_github_api_repo_url "${compose_switch_url}") + echo -e "\n(!) Failed to fetch the latest artifacts for compose-switch v${compose_switch_version}..." + get_previous_version "${compose_switch_url}" "${repo_url}" compose_switch_version + echo -e "\nAttempting to install v${compose_switch_version}" + curl -fsSL "https://github.com/docker/compose-switch/releases/download/v${compose_switch_version}/docker-compose-linux-${architecture}" -o /usr/local/bin/docker-compose +} + +# Ensure apt is in non-interactive to avoid prompts +export DEBIAN_FRONTEND=noninteractive + +# Install dependencies +check_packages apt-transport-https curl ca-certificates gnupg2 dirmngr wget +if ! type git > /dev/null 2>&1; then + check_packages git +fi + +# Source /etc/os-release to get OS info +. /etc/os-release +# Fetch host/container arch. +architecture="$(dpkg --print-architecture)" + +# Check if distro is supported +if [ "${USE_MOBY}" = "true" ]; then + if [[ "${DOCKER_MOBY_ARCHIVE_VERSION_CODENAMES}" != *"${VERSION_CODENAME}"* ]]; then + err "Unsupported distribution version '${VERSION_CODENAME}'. To resolve, either: (1) set feature option '\"moby\": false' , or (2) choose a compatible OS distribution" + err "Support distributions include: ${DOCKER_MOBY_ARCHIVE_VERSION_CODENAMES}" + exit 1 + fi + echo "Distro codename '${VERSION_CODENAME}' matched filter '${DOCKER_MOBY_ARCHIVE_VERSION_CODENAMES}'" +else + if [[ "${DOCKER_LICENSED_ARCHIVE_VERSION_CODENAMES}" != *"${VERSION_CODENAME}"* ]]; then + err "Unsupported distribution version '${VERSION_CODENAME}'. To resolve, please choose a compatible OS distribution" + err "Support distributions include: ${DOCKER_LICENSED_ARCHIVE_VERSION_CODENAMES}" + exit 1 + fi + echo "Distro codename '${VERSION_CODENAME}' matched filter '${DOCKER_LICENSED_ARCHIVE_VERSION_CODENAMES}'" +fi + +# Set up the necessary apt repos (either Microsoft's or Docker's) +if [ "${USE_MOBY}" = "true" ]; then + + cli_package_name="moby-cli" + + # Import key safely and import Microsoft apt repo + curl -sSL ${MICROSOFT_GPG_KEYS_URI} | gpg --dearmor > /usr/share/keyrings/microsoft-archive-keyring.gpg + echo "deb [arch=${architecture} signed-by=/usr/share/keyrings/microsoft-archive-keyring.gpg] https://packages.microsoft.com/repos/microsoft-${ID}-${VERSION_CODENAME}-prod ${VERSION_CODENAME} main" > /etc/apt/sources.list.d/microsoft.list +else + # Name of proprietary engine package + cli_package_name="docker-ce-cli" + + # Import key safely and import Docker apt repo + curl -fsSL https://download.docker.com/linux/${ID}/gpg | gpg --dearmor > /usr/share/keyrings/docker-archive-keyring.gpg + echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/${ID} ${VERSION_CODENAME} stable" > /etc/apt/sources.list.d/docker.list +fi + +# Refresh apt lists +apt-get update + +# Soft version matching for CLI +if [ "${DOCKER_VERSION}" = "latest" ] || [ "${DOCKER_VERSION}" = "lts" ] || [ "${DOCKER_VERSION}" = "stable" ]; then + # Empty, meaning grab whatever "latest" is in apt repo + cli_version_suffix="" +else + # Fetch a valid version from the apt-cache (eg: the Microsoft repo appends +azure, breakfix, etc...) + docker_version_dot_escaped="${DOCKER_VERSION//./\\.}" + docker_version_dot_plus_escaped="${docker_version_dot_escaped//+/\\+}" + # Regex needs to handle debian package version number format: https://www.systutorials.com/docs/linux/man/5-deb-version/ + docker_version_regex="^(.+:)?${docker_version_dot_plus_escaped}([\\.\\+ ~:-]|$)" + set +e # Don't exit if finding version fails - will handle gracefully + cli_version_suffix="=$(apt-cache madison ${cli_package_name} | awk -F"|" '{print $2}' | sed -e 's/^[ \t]*//' | grep -E -m 1 "${docker_version_regex}")" + set -e + if [ -z "${cli_version_suffix}" ] || [ "${cli_version_suffix}" = "=" ]; then + echo "(!) No full or partial Docker / Moby version match found for \"${DOCKER_VERSION}\" on OS ${ID} ${VERSION_CODENAME} (${architecture}). Available versions:" + apt-cache madison ${cli_package_name} | awk -F"|" '{print $2}' | grep -oP '^(.+:)?\K.+' + exit 1 + fi + echo "cli_version_suffix ${cli_version_suffix}" +fi + +# Version matching for moby-buildx +if [ "${USE_MOBY}" = "true" ]; then + if [ "${MOBY_BUILDX_VERSION}" = "latest" ]; then + # Empty, meaning grab whatever "latest" is in apt repo + buildx_version_suffix="" + else + buildx_version_dot_escaped="${MOBY_BUILDX_VERSION//./\\.}" + buildx_version_dot_plus_escaped="${buildx_version_dot_escaped//+/\\+}" + buildx_version_regex="^(.+:)?${buildx_version_dot_plus_escaped}([\\.\\+ ~:-]|$)" + set +e + buildx_version_suffix="=$(apt-cache madison moby-buildx | awk -F"|" '{print $2}' | sed -e 's/^[ \t]*//' | grep -E -m 1 "${buildx_version_regex}")" + set -e + if [ -z "${buildx_version_suffix}" ] || [ "${buildx_version_suffix}" = "=" ]; then + err "No full or partial moby-buildx version match found for \"${MOBY_BUILDX_VERSION}\" on OS ${ID} ${VERSION_CODENAME} (${architecture}). Available versions:" + apt-cache madison moby-buildx | awk -F"|" '{print $2}' | grep -oP '^(.+:)?\K.+' + exit 1 + fi + echo "buildx_version_suffix ${buildx_version_suffix}" + fi +fi + +# Install Docker / Moby CLI if not already installed +if type docker > /dev/null 2>&1; then + echo "Docker / Moby CLI already installed." +else + if [ "${USE_MOBY}" = "true" ]; then + buildx=() + if [ "${INSTALL_DOCKER_BUILDX}" = "true" ]; then + buildx=(moby-buildx${buildx_version_suffix}) + fi + apt-get -y install --no-install-recommends ${cli_package_name}${cli_version_suffix} "${buildx[@]}" + apt-get -y install --no-install-recommends moby-compose || echo "(*) Package moby-compose (Docker Compose v2) not available for OS ${ID} ${VERSION_CODENAME} (${architecture}). Skipping." + else + buildx=() + if [ "${INSTALL_DOCKER_BUILDX}" = "true" ]; then + buildx=(docker-buildx-plugin) + fi + apt-get -y install --no-install-recommends ${cli_package_name}${cli_version_suffix} "${buildx[@]}" docker-compose-plugin + buildx_path="/usr/libexec/docker/cli-plugins/docker-buildx" + # Older versions of Docker CE installs buildx as part of the CLI package + if [ "${INSTALL_DOCKER_BUILDX}" = "false" ] && [ -f "${buildx_path}" ]; then + echo "(*) Removing docker-buildx installed from docker-ce-cli since installDockerBuildx is disabled..." + rm -f "${buildx_path}" + fi + fi + unset buildx buildx_path +fi + +# If 'docker-compose' command is to be included +if [ "${DOCKER_DASH_COMPOSE_VERSION}" != "none" ]; then + # Install Docker Compose if not already installed and is on a supported architecture + if type docker-compose > /dev/null 2>&1; then + echo "Docker Compose already installed." + elif [ "${DOCKER_DASH_COMPOSE_VERSION}" = "v1" ]; then + TARGET_COMPOSE_ARCH="$(uname -m)" + if [ "${TARGET_COMPOSE_ARCH}" = "amd64" ]; then + TARGET_COMPOSE_ARCH="x86_64" + fi + if [ "${TARGET_COMPOSE_ARCH}" != "x86_64" ]; then + # Use pip to get a version that runs on this architecture + check_packages python3-minimal python3-pip libffi-dev python3-venv + export PIPX_HOME=/usr/local/pipx + mkdir -p ${PIPX_HOME} + export PIPX_BIN_DIR=/usr/local/bin + export PYTHONUSERBASE=/tmp/pip-tmp + export PIP_CACHE_DIR=/tmp/pip-tmp/cache + pipx_bin=pipx + if ! type pipx > /dev/null 2>&1; then + pip3 install --disable-pip-version-check --no-cache-dir --user pipx + pipx_bin=/tmp/pip-tmp/bin/pipx + fi + ${pipx_bin} install --pip-args '--no-cache-dir --force-reinstall' docker-compose + rm -rf /tmp/pip-tmp + else + compose_v1_version="1" + find_version_from_git_tags compose_v1_version "https://github.com/docker/compose" "tags/" + echo "(*) Installing docker-compose ${compose_v1_version}..." + curl -fsSL "https://github.com/docker/compose/releases/download/${compose_v1_version}/docker-compose-Linux-x86_64" -o /usr/local/bin/docker-compose + chmod +x /usr/local/bin/docker-compose + fi + else + echo "(*) Installing compose-switch as docker-compose..." + compose_switch_version="latest" + compose_switch_url="https://github.com/docker/compose-switch" + find_version_from_git_tags compose_switch_version "${compose_switch_url}" + curl -fsSL "https://github.com/docker/compose-switch/releases/download/v${compose_switch_version}/docker-compose-linux-${architecture}" -o /usr/local/bin/docker-compose || install_compose_switch_fallback "${compose_switch_url}" + chmod +x /usr/local/bin/docker-compose + # TODO: Verify checksum once available: https://github.com/docker/compose-switch/issues/11 + fi +fi + +# Setup a docker group in the event the docker socket's group is not root +if ! grep -qE '^docker:' /etc/group; then + echo "(*) Creating missing docker group..." + groupadd --system docker +fi + +# Remarking this out to restore functionality in Azure VMs. ID 999 is a reserved group ID +# Ensure docker group gid is 999 +# if [ "$(getent group docker | cut -d: -f3)" != "999" ]; then +# echo "(*) Updating docker group gid to 999..." +# groupmod -g 999 docker +# fi + + +usermod -aG docker "${USERNAME}" + +# If init file already exists, exit +if [ -f "/usr/local/share/docker-init.sh" ]; then + # Clean up + rm -rf /var/lib/apt/lists/* + exit 0 +fi +echo "docker-init doesn't exist, adding..." + +# By default, make the source and target sockets the same +if [ "${SOURCE_SOCKET}" != "${TARGET_SOCKET}" ]; then + touch "${SOURCE_SOCKET}" + ln -s "${SOURCE_SOCKET}" "${TARGET_SOCKET}" +fi + +# Add a stub if not adding non-root user access, user is root +if [ "${ENABLE_NONROOT_DOCKER}" = "false" ] || [ "${USERNAME}" = "root" ]; then + echo -e '#!/usr/bin/env bash\nexec "$@"' > /usr/local/share/docker-init.sh + chmod +x /usr/local/share/docker-init.sh + # Clean up + rm -rf /var/lib/apt/lists/* + exit 0 +fi + +DOCKER_GID="$(grep -oP '^docker:x:\K[^:]+' /etc/group)" + +# If enabling non-root access and specified user is found, setup socat and add script +chown -h "${USERNAME}":root "${TARGET_SOCKET}" +check_packages socat +tee /usr/local/share/docker-init.sh > /dev/null \ +<< EOF +#!/usr/bin/env bash +#------------------------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information. +#------------------------------------------------------------------------------------------------------------- + +set -e + +SOCAT_PATH_BASE=/tmp/vscr-docker-from-docker +SOCAT_LOG=\${SOCAT_PATH_BASE}.log +SOCAT_PID=\${SOCAT_PATH_BASE}.pid + +# Wrapper function to only use sudo if not already root +sudoIf() +{ + if [ "\$(id -u)" -ne 0 ]; then + sudo "\$@" + else + "\$@" + fi +} + +# Log messages +log() +{ + echo -e "[\$(date)] \$@" | sudoIf tee -a \${SOCAT_LOG} > /dev/null +} + +echo -e "\n** \$(date) **" | sudoIf tee -a \${SOCAT_LOG} > /dev/null +log "Ensuring ${USERNAME} has access to ${SOURCE_SOCKET} via ${TARGET_SOCKET}" + +# If enabled, try to update the docker group with the right GID. If the group is root, +# fall back on using socat to forward the docker socket to another unix socket so +# that we can set permissions on it without affecting the host. +if [ "${ENABLE_NONROOT_DOCKER}" = "true" ] && [ "${SOURCE_SOCKET}" != "${TARGET_SOCKET}" ] && [ "${USERNAME}" != "root" ] && [ "${USERNAME}" != "0" ]; then + SOCKET_GID=\$(stat -c '%g' ${SOURCE_SOCKET}) + if [ "\${SOCKET_GID}" != "0" ] && [ "\${SOCKET_GID}" != "${DOCKER_GID}" ] && ! grep -E ".+:x:\${SOCKET_GID}" /etc/group; then + sudoIf groupmod --gid "\${SOCKET_GID}" docker + else + # Enable proxy if not already running + if [ ! -f "\${SOCAT_PID}" ] || ! ps -p \$(cat \${SOCAT_PID}) > /dev/null; then + log "Enabling socket proxy." + log "Proxying ${SOURCE_SOCKET} to ${TARGET_SOCKET} for vscode" + sudoIf rm -rf ${TARGET_SOCKET} + (sudoIf socat UNIX-LISTEN:${TARGET_SOCKET},fork,mode=660,user=${USERNAME},backlog=128 UNIX-CONNECT:${SOURCE_SOCKET} 2>&1 | sudoIf tee -a \${SOCAT_LOG} > /dev/null & echo "\$!" | sudoIf tee \${SOCAT_PID} > /dev/null) + else + log "Socket proxy already running." + fi + fi + log "Success" +fi + +# Execute whatever commands were passed in (if any). This allows us +# to set this script to ENTRYPOINT while still executing the default CMD. +set +e +exec "\$@" +EOF +chmod +x /usr/local/share/docker-init.sh +chown ${USERNAME}:root /usr/local/share/docker-init.sh + +# Clean up +rm -rf /var/lib/apt/lists/* + +echo "Done!" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 24ed0bc..5922bd0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -7,7 +7,7 @@ on: jobs: plan: runs-on: ubuntu-latest - container: "haxe/terraform_devcontainer_workspace:20240527203536" + container: "haxe/terraform_devcontainer_workspace:20240604034917" env: TF_INPUT: 0 TF_IN_AUTOMATION: 1 diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl index fffc5b4..95e6980 100644 --- a/.terraform.lock.hcl +++ b/.terraform.lock.hcl @@ -6,6 +6,9 @@ provider "registry.terraform.io/cloudflare/cloudflare" { constraints = "~> 4.34" hashes = [ "h1:7vluN2wmw8D9nI11YwTgoGv3hGDXlkt8xqQ4L/JABeQ=", + "h1:GrxZhEb+5HzmHF/BvZBdGKBJy6Wyjme0+ABVDz/63to=", + "h1:TKxunXCiS/z105sN/kBNFwU6tIKD67JKJ3ZKjwzoCuI=", + "h1:V+3Qs0Reb6r+8p4XjE5ZFDWYrOIN0x5SwORz4wvHOJ4=", "zh:02aa46743c1585ada8faa7db23af68ea614053a506f88f05d1090ff5e0e68076", "zh:1e1a545e83e6457a0e15357b23139bc288fb4fbd5e9a5ddfedc95a6a0216b08c", "zh:29eef2621e0b1501f620e615bf73b1b90d5417d745e38af63634bc03250faf87", @@ -28,7 +31,10 @@ provider "registry.terraform.io/digitalocean/digitalocean" { version = "2.39.1" constraints = "~> 2.39" hashes = [ + "h1:Btl0gVvB4JuZn6uQwcuhokLk4IPlequrjFQsx16/hH0=", "h1:T0ba6cJET134IiJdXSfnIK2H0JKEXqZMrdsNFQ5RDbw=", + "h1:Unj0iCj3SONPgaPHtAdFzhEw86U13JBz1nqjG1kMuc0=", + "h1:Zs2tBLlbjQZvg5ZJ9BwJKjPM6CtG+c9EiNgv1o/5qy8=", "zh:424f1e26e30ca53d5540a5055a7fff7e337b1d97223eca1be687cdb211dfed43", "zh:44ebade28553bf014519a3431070c758e1e06724cc3a37544c334540704664a0", "zh:5609831d7d546efd2fc50993114a6c218f440344c45625db6e70d54780f42f16", @@ -53,6 +59,9 @@ provider "registry.terraform.io/go-gandi/gandi" { constraints = "~> 2.3" hashes = [ "h1:9kqWL+eFk/ogrQSltL9zVqjMcOqbvs3EgIJEeyNPb8U=", + "h1:PH6KI61eli5OL/aN3Oi7NV9qkNbjGLoOYjJK3gvULj4=", + "h1:ZYWkA1hdIjQySftM5bWAQjiH50V5qMl9nJroYzCoqb0=", + "h1:iTw/xbYXtScXLdhbjzF15Bf9wWu/r41ZertHYl9vDec=", "zh:0936d011cf75bb5162c6027d00575a586807adc9008f4152def157b6ad22bae9", "zh:2170e671f04d3346ea416fcc404be6d05f637eab7df77e289a6898a928885f0b", "zh:250329baae3cb09cfb88dd004d45f003ba76fbe7b8daf9d18fd640b93a2b7252", @@ -72,7 +81,10 @@ provider "registry.terraform.io/grafana/grafana" { version = "2.19.0" constraints = "~> 2.19" hashes = [ + "h1:AZ1NffecT+y7dZdeFLKoKEQMvYn/i9o8RkQe6xtembM=", "h1:L9A5My0gdANUlMsjuN15MGtoiHmDgxwbtWMolRYkNQE=", + "h1:Rqn7cIJs9cU+V7Dus2cQwl5HaFhnUAZoZrly3oz9UlM=", + "h1:rgXooJIdkoQqpeoR6KHAMHzkEjQCnmlfEH0QAvaWe20=", "zh:0f85e0602ccf119a203f47ee18524a8172457e82b8cbffca7b6b4d7f474639ad", "zh:1a626e0d04dedd48cb5b0bdf8a68f428fdf0f7080128928dfaa293a4db78b9b3", "zh:2a4de32569e070de38faa3d3224ab7fe0a837809d70d75dedc8f1f1f8d9dc227", @@ -92,9 +104,12 @@ provider "registry.terraform.io/grafana/grafana" { provider "registry.terraform.io/hashicorp/aws" { version = "5.52.0" - constraints = ">= 4.9.0, >= 4.29.0, ~> 5.52" + constraints = ">= 5.12.0, >= 5.27.0, ~> 5.52" hashes = [ + "h1:J3LWKMuD1JwXmlleW3vJ7FHk/Dc+gCLgrpRtjBxZ5Ro=", + "h1:LEJSEOCO8LPIO6uxJDYrFXdr+Y9hSmTWVcSgG6EdGvw=", "h1:Z+mvggOAJJdEwf2p2fxT6WUW0Pch8Ky+LhsZa1TdqFg=", + "h1:ucZxfJtHMHBp4Amnk0K3Bdr7Umbk6he8byey/+u41Lc=", "zh:22c4599d47cd59e5519c52afc528fa2aec43b4434f369870ee2806daa071449d", "zh:3c2edc482662a654f84db4cd3f2cdd8f200147207d053d2e95082744b7814e6d", "zh:57edc36f908c64de37e92a978f3d675604315a725268da936fcd1e270199db47", @@ -117,6 +132,9 @@ provider "registry.terraform.io/hashicorp/helm" { version = "2.13.2" constraints = "~> 2.13" hashes = [ + "h1:8Fuh4tL7C6vxe8/JQDCM5J3MQxEhd9XNXYBCgqeuyww=", + "h1:Gg4LNanV0uqXlq3IKNsymvI4gi7FgwAD4wnODQFcv8Q=", + "h1:KHLdE3Xb4XbLCWwCSArYcXulYyBJKTFizaIzBiYVJxQ=", "h1:nlSqCo0PajJzjSlx0lXNUq1YcOr8p9b3ahcUUYN2pEg=", "zh:06c0663031ef5aa19e238fe50be5d3cbf5fb00548d2b26e779c607dfd2dc69a7", "zh:1850b8f2e729553ba8b96d69dce035b814ce959c6805c25484f407c4e720c497", @@ -137,7 +155,10 @@ provider "registry.terraform.io/hashicorp/kubernetes" { version = "2.30.0" constraints = "~> 2.7, ~> 2.30" hashes = [ + "h1:+Je5UPTWMmO4eG5ep1WfujkXQI9tDk0OsMU4olU76Bg=", + "h1:UNl9l/iN6mrImpC7PNxdx93ycl3iLQdBKoYmCw8rYDc=", "h1:wRVWY3sK32BNInDOlQnoGSmL638f3jjLFypCAotwpc8=", + "h1:z0Gy1p59XfS9MawIqCck7m2eeEEhAj6D7n8Ngglu8vE=", "zh:06531333a72fe6d2829f37a328e08a3fc4ed66226344a003b62418a834ac6c69", "zh:34480263939ef5007ce65c9f4945df5cab363f91e5260ae552bcd9f2ffeed444", "zh:59e71f9177da570c33507c44828288264c082d512138c5755800f2cd706c62bc", @@ -157,6 +178,9 @@ provider "registry.terraform.io/hashicorp/random" { version = "3.6.2" constraints = "~> 3.6" hashes = [ + "h1:R5qdQjKzOU16TziCN1vR3Exr/B+8WGK80glLTT4ZCPk=", + "h1:UQlmHGddu39vVzG8kruMsde4GHlG+1S7OLqFApbJvtc=", + "h1:VavG5unYCa3SYISMKF9pzc3718M0bhPlcbUZZGl7wuo=", "h1:wmG0QFjQ2OfyPy6BB7mQ57WtoZZGGV07uAPQeDmIrAE=", "zh:0ef01a4f81147b32c1bea3429974d4d104bbc4be2ba3cfa667031a8183ef88ec", "zh:1bcd2d8161e89e39886119965ef0f37fcce2da9c1aca34263dd3002ba05fcb53", @@ -177,7 +201,10 @@ provider "registry.terraform.io/integrations/github" { version = "6.2.1" constraints = "~> 6.2" hashes = [ + "h1:TxhB0pHZ4QD6lGMws4wVmS5JHtNyuQ5m6WrvN4qtHa8=", "h1:ip7024qn1ewDqlNucxh07DHvuhSLZSqtTGewxNLeYYU=", + "h1:rY+q+OhJm90R900HvO05YNH7Tl0EOnbCLAoG+5niLX8=", + "h1:uDerb9YJo3vAO+wKw+Z064InX5aXom+nKLDry2eGf14=", "zh:172aa5141c525174f38504a0d2e69d0d16c0a0b941191b7170fe6ae4d7282e30", "zh:1a098b731fa658c808b591d030cc17cc7dfca1bf001c3c32e596f8c1bf980e9f", "zh:245d6a1c7e632d8ae4bdd2da2516610c50051e81505cf420a140aa5fa076ea90", diff --git a/Earthfile b/Earthfile index 6b116b7..b925366 100644 --- a/Earthfile +++ b/Earthfile @@ -1,40 +1,37 @@ VERSION 0.8 -ARG --global UBUNTU_RELEASE=jammy -FROM mcr.microsoft.com/vscode/devcontainers/base:0-$UBUNTU_RELEASE + +# https://github.com/devcontainers/images/tree/main/src/base-ubuntu +FROM mcr.microsoft.com/devcontainers/base:ubuntu-24.04 + ARG --global DEVCONTAINER_IMAGE_NAME_DEFAULT=haxe/terraform_devcontainer_workspace ARG --global USERNAME=vscode -ARG --global USER_UID=1000 +ARG --global USER_UID=1001 ARG --global USER_GID=$USER_UID -# https://github.com/docker-library/mysql/blob/master/5.7/Dockerfile.debian -mysql-public-key: - ARG KEY=B7B3B788A8D3785C - RUN gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$KEY" - RUN gpg --batch --armor --export "$KEY" > mysql-public-key - SAVE ARTIFACT mysql-public-key AS LOCAL .devcontainer/mysql-public-key +WORKDIR /tmp -devcontainer-base: +docker-compose: ARG TARGETARCH + ARG VERSION=2.27.1 # https://github.com/docker/compose/releases/ + RUN curl -fsSL https://github.com/docker/compose/releases/download/v${VERSION}/docker-compose-linux-$(uname -m) -o /usr/local/bin/docker-compose \ + && chmod +x /usr/local/bin/docker-compose + SAVE ARTIFACT /usr/local/bin/docker-compose + +devcontainer-library-scripts: + RUN curl -fsSL https://raw.githubusercontent.com/devcontainers/features/main/src/docker-outside-of-docker/install.sh -o docker-outside-of-docker.sh + SAVE ARTIFACT *.sh AS LOCAL .devcontainer/library-scripts/ + +devcontainer-base: + # Maunally install docker-compose to avoid the following error: + # pip seemed to fail to build package: PyYAML<6,>=3.10 + COPY +docker-compose/docker-compose /usr/local/bin/ # Avoid warnings by switching to noninteractive ENV DEBIAN_FRONTEND=noninteractive - ARG INSTALL_ZSH="false" - ARG UPGRADE_PACKAGES="true" - ARG ENABLE_NONROOT_DOCKER="true" - ARG USE_MOBY="true" COPY .devcontainer/library-scripts/*.sh /tmp/library-scripts/ - RUN apt-get update \ - && /bin/bash /tmp/library-scripts/common-debian.sh "${INSTALL_ZSH}" "${USERNAME}" "${USER_UID}" "${USER_GID}" "${UPGRADE_PACKAGES}" "true" "true" \ - # Use Docker script from script library to set things up - && /bin/bash /tmp/library-scripts/docker-debian.sh "${ENABLE_NONROOT_DOCKER}" "/var/run/docker-host.sock" "/var/run/docker.sock" "${USERNAME}" \ - # Clean up - && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* /tmp/library-scripts/ - - # +mysql-public-key - COPY .devcontainer/mysql-public-key /tmp/mysql-public-key - RUN apt-key add /tmp/mysql-public-key + RUN /bin/bash /tmp/library-scripts/docker-outside-of-docker.sh # Configure apt and install packages RUN apt-get update \ @@ -52,20 +49,12 @@ devcontainer-base: tzdata \ python3-pip \ jq \ - && add-apt-repository ppa:git-core/ppa \ - && apt-get install -y git \ - && add-apt-repository ppa:haxe/haxe4.2 \ && apt-get install -y neko haxe \ # install helm && curl -fsSL https://baltocdn.com/helm/signing.asc | apt-key add - \ && echo "deb https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list \ && apt-get update \ && apt-get -y install --no-install-recommends helm \ - # Install mysql-client - # https://github.com/docker-library/mysql/blob/master/5.7/Dockerfile.debian - && echo 'deb http://repo.mysql.com/apt/ubuntu/ bionic mysql-5.7' > /etc/apt/sources.list.d/mysql.list \ - && apt-get update \ - && apt-get -y install mysql-client=5.7.* \ # # Clean up && apt-get autoremove -y \ @@ -192,16 +181,18 @@ devcontainer: ARG DEVCONTAINER_IMAGE_NAME="$DEVCONTAINER_IMAGE_NAME_DEFAULT" ARG DEVCONTAINER_IMAGE_TAG=latest - SAVE IMAGE --push "$DEVCONTAINER_IMAGE_NAME:$DEVCONTAINER_IMAGE_TAG" "$DEVCONTAINER_IMAGE_NAME:latest" + SAVE IMAGE --push "$DEVCONTAINER_IMAGE_NAME:$DEVCONTAINER_IMAGE_TAG" devcontainer-rebuild: RUN --no-cache date +%Y%m%d%H%M%S | tee buildtime ARG DEVCONTAINER_IMAGE_NAME="$DEVCONTAINER_IMAGE_NAME_DEFAULT" BUILD \ --platform=linux/amd64 \ + --platform=linux/arm64 \ +devcontainer \ --DEVCONTAINER_IMAGE_NAME="$DEVCONTAINER_IMAGE_NAME" \ - --DEVCONTAINER_IMAGE_TAG="$(cat buildtime)" + --DEVCONTAINER_IMAGE_TAG="$(cat buildtime)" \ + --DEVCONTAINER_IMAGE_TAG=latest BUILD +devcontainer-update-refs \ --DEVCONTAINER_IMAGE_NAME="$DEVCONTAINER_IMAGE_NAME" \ --DEVCONTAINER_IMAGE_TAG="$(cat buildtime)" @@ -242,3 +233,15 @@ mysql-operator.crds: COPY mysql-operator/helm/mysql-operator/crds/*.yaml . RUN find . -name '*.yaml' -exec tfk8s --strip --file {} --output {}.tf \; SAVE ARTIFACT --keep-ts *.tf AS LOCAL mysql-operator.crds/ + +terraform.lock: + FROM +devcontainer + COPY --dir cert-manager.crds kube-prometheus-stack.crds grafana mysql-operator mysql-operator.crds . + COPY *.tf .terraform.lock.hcl . + + # We need to run `terraform init` locally to generate the .terraform directory. + # It's not done in Earthly because it requires the provider credentials. + COPY --dir .terraform . + + RUN terraform providers lock -platform=linux_amd64 -platform=linux_arm64 -platform=darwin_amd64 -platform=darwin_arm64 + SAVE ARTIFACT --keep-ts .terraform.lock.hcl AS LOCAL .terraform.lock.hcl