images: use buildkit again

The Toybox images had two issues:

1. Distroless does not support /bin -> /usr/bin so we needed to
create it manually to get /bin/bash for Toybox. However, with this
Openshift image validation complains that we are touching the "base"
image.

2. We could not use buildkit since it fails with /bin symlink
copied over /bin directory from Distroless.

The simple fix is just to move away from all /bin/sh and /bin/bash
and use "/usr/bin/env bash" to resolve the path instead. This allows
to keep /bin untouched.

Signed-off-by: Mikko Ylinen <[email protected]>

Author: mythi

build/docker/build-image.sh

@@ -31,7 +31,7 @@ fi
 
 BUILD_ARGS="${BUILD_ARGS} --build-arg FINAL_BASE=gcr.io/distroless/static"
 if [ -z "${BUILDER}" -o "${BUILDER}" = 'docker' -o "${BUILDER}" = 'podman' ] ; then
-    DOCKER_BUILDKIT=0 ${BUILDER} build --pull -t ${IMG}:${TAG} ${BUILD_ARGS} -f ${DOCKERFILE} .
+    ${BUILDER} build --pull -t ${IMG}:${TAG} ${BUILD_ARGS} -f ${DOCKERFILE} .
 elif [ "${BUILDER}" = 'buildah' ] ; then
     BUILDAH_RUNTIME=runc buildah bud --pull-always -t ${IMG}:${TAG} ${BUILD_ARGS} -f ${DOCKERFILE} .
 else

build/docker/intel-dlb-initcontainer.Dockerfile

@@ -51,7 +51,6 @@ RUN curl -SL https://github.com/landley/toybox/archive/refs/tags/$TOYBOX_VERSION
     && rm toybox.tar.gz \
     && cd toybox-$TOYBOX_VERSION \
     && KCONFIG_CONFIG=${DIR}/build/docker/toybox-config-$(echo ${FINAL_BASE} | xargs basename -s :latest) LDFLAGS="--static" CC=musl-gcc PREFIX=$ROOT/usr/bin V=2 make toybox install_flat \
-    && cd $ROOT && ln -fs usr/bin bin && cd - \
     && install -D LICENSE $ROOT/licenses/toybox \
     && cp -r /usr/share/doc/musl $ROOT/licenses/
 ###
@@ -61,4 +60,4 @@ LABEL version='devel'
 LABEL release='1'
 COPY --from=builder /install_root /
 COPY demo/dlb-init.sh /usr/local/bin/
-ENTRYPOINT [ "/bin/bash", "/usr/local/bin/dlb-init.sh"]
+ENTRYPOINT ["/usr/local/bin/dlb-init.sh"]

build/docker/intel-fpga-initcontainer.Dockerfile

@@ -85,7 +85,6 @@ RUN curl -SL https://github.com/landley/toybox/archive/refs/tags/$TOYBOX_VERSION
     && rm toybox.tar.gz \
     && cd toybox-$TOYBOX_VERSION \
     && KCONFIG_CONFIG=${DIR}/build/docker/toybox-config-$(echo ${FINAL_BASE} | xargs basename -s :latest) LDFLAGS="--static" CC=musl-gcc PREFIX=$ROOT/usr/bin V=2 make toybox install_flat \
-    && cd $ROOT && ln -fs usr/bin bin && cd - \
     && install -D LICENSE $ROOT/licenses/toybox \
     && cp -r /usr/share/doc/musl $ROOT/licenses/
 ###
@@ -97,4 +96,4 @@ LABEL name='intel-fpga-initcontainer'
 LABEL summary='Intel® FPGA programming CRI hook for Kubernetes'
 LABEL description='The FPGA prestart CRI-O hook performs discovery of the requested FPGA function bitstream and programs FPGA devices based on the environment variables in the workload description'
 COPY --from=builder /install_root /
-ENTRYPOINT [ "/bin/sh", "-c", "cp -a /usr/local/fpga-sw/* /opt/intel/fpga-sw/ && ln -sf /opt/intel/fpga-sw/intel-fpga-crihook.json /etc/containers/oci/hooks.d/" ]
+ENTRYPOINT [ "/usr/bin/sh", "-c", "cp -a /usr/local/fpga-sw/* /opt/intel/fpga-sw/ && ln -sf /opt/intel/fpga-sw/intel-fpga-crihook.json /etc/containers/oci/hooks.d/" ]

build/docker/intel-gpu-initcontainer.Dockerfile

@@ -68,7 +68,6 @@ RUN curl -SL https://github.com/landley/toybox/archive/refs/tags/$TOYBOX_VERSION
     && rm toybox.tar.gz \
     && cd toybox-$TOYBOX_VERSION \
     && KCONFIG_CONFIG=${DIR}/build/docker/toybox-config-$(echo ${FINAL_BASE} | xargs basename -s :latest) LDFLAGS="--static" CC=musl-gcc PREFIX=$ROOT/usr/bin V=2 make toybox install_flat \
-    && cd $ROOT && ln -fs usr/bin bin && cd - \
     && install -D LICENSE $ROOT/licenses/toybox \
     && cp -r /usr/share/doc/musl $ROOT/licenses/
 ###
@@ -80,4 +79,4 @@ LABEL name='intel-gpu-initcontainer'
 LABEL summary='Intel® GPU NFD hook for Kubernetes'
 LABEL description='The GPU fractional resources, such as GPU memory is registered as a kubernetes extended resource using node-feature-discovery (NFD). A custom NFD source hook is installed as part of GPU device plugin operator deployment and NFD is configured to register the GPU memory extended resource reported by the hook'
 COPY --from=builder /install_root /
-ENTRYPOINT [ "/bin/sh", "-c", "cp -a /usr/local/bin/gpu-sw/intel-gpu-nfdhook /etc/kubernetes/node-feature-discovery/source.d/" ]
+ENTRYPOINT [ "/usr/bin/sh", "-c", "cp -a /usr/local/bin/gpu-sw/intel-gpu-nfdhook /etc/kubernetes/node-feature-discovery/source.d/" ]

build/docker/intel-idxd-config-initcontainer.Dockerfile

@@ -21,4 +21,4 @@ COPY demo/dsa.conf /idxd-init/
 COPY demo/iaa.conf /idxd-init/
 RUN mkdir /idxd-init/scratch
 WORKDIR /idxd-init
-ENTRYPOINT ["bash", "/usr/local/bin/idxd-init.sh"]
+ENTRYPOINT ["/usr/local/bin/idxd-init.sh"]

build/docker/intel-qat-initcontainer.Dockerfile

@@ -51,7 +51,6 @@ RUN curl -SL https://github.com/landley/toybox/archive/refs/tags/$TOYBOX_VERSION
     && rm toybox.tar.gz \
     && cd toybox-$TOYBOX_VERSION \
     && KCONFIG_CONFIG=${DIR}/build/docker/toybox-config-$(echo ${FINAL_BASE} | xargs basename -s :latest) LDFLAGS="--static" CC=musl-gcc PREFIX=$ROOT/usr/bin V=2 make toybox install_flat \
-    && cd $ROOT && ln -fs usr/bin bin && cd - \
     && install -D LICENSE $ROOT/licenses/toybox \
     && cp -r /usr/share/doc/musl $ROOT/licenses/
 ###
@@ -65,4 +64,4 @@ LABEL description='Intel QAT initcontainer initializes devices'
 COPY --from=builder /install_root /
 COPY demo/qat-init.sh /usr/local/bin/
 WORKDIR /qat-init
-ENTRYPOINT [ "/bin/bash", "/usr/local/bin/qat-init.sh"]
+ENTRYPOINT ["/usr/local/bin/qat-init.sh"]

build/docker/intel-sgx-initcontainer.Dockerfile

@@ -68,7 +68,6 @@ RUN curl -SL https://github.com/landley/toybox/archive/refs/tags/$TOYBOX_VERSION
     && rm toybox.tar.gz \
     && cd toybox-$TOYBOX_VERSION \
     && KCONFIG_CONFIG=${DIR}/build/docker/toybox-config-$(echo ${FINAL_BASE} | xargs basename -s :latest) LDFLAGS="--static" CC=musl-gcc PREFIX=$ROOT/usr/bin V=2 make toybox install_flat \
-    && cd $ROOT && ln -fs usr/bin bin && cd - \
     && install -D LICENSE $ROOT/licenses/toybox \
     && cp -r /usr/share/doc/musl $ROOT/licenses/
 ###
@@ -80,4 +79,4 @@ LABEL name='intel-sgx-initcontainer'
 LABEL summary='Intel® SGX NFD hook for Kubernetes'
 LABEL description='The SGX EPC memory available on each node is registered as a Kubernetes extended resource using node-feature-discovery (NFD). A custom NFD source hook is installed as part of SGX device plugin operator deployment and NFD is configured to register the SGX EPC memory extended resource reported by the hook'
 COPY --from=builder /install_root /
-ENTRYPOINT [ "/bin/sh", "-c", "cp -a /usr/local/bin/sgx-sw/intel-sgx-epchook /etc/kubernetes/node-feature-discovery/source.d/" ]
+ENTRYPOINT [ "/usr/bin/sh", "-c", "cp -a /usr/local/bin/sgx-sw/intel-sgx-epchook /etc/kubernetes/node-feature-discovery/source.d/" ]

build/docker/lib/nfdhook_end.docker

@@ -3,4 +3,4 @@
 #define string(s) #s
 
 COPY --from=builder /install_root /
-ENTRYPOINT [ "/bin/sh", "-c", xstring(_ENTRYPOINT_) ]
+ENTRYPOINT [ "/usr/bin/sh", "-c", xstring(_ENTRYPOINT_) ]

build/docker/lib/toybox_build.docker

@@ -12,7 +12,6 @@ RUN curl -SL https://github.com/landley/toybox/archive/refs/tags/$TOYBOX_VERSION
     && rm toybox.tar.gz \N
     && cd toybox-$TOYBOX_VERSION \N
     && KCONFIG_CONFIG=${DIR}/build/docker/toybox-config-$(echo ${FINAL_BASE} | xargs basename -s :latest) LDFLAGS="--static" CC=musl-gcc PREFIX=$ROOT/usr/bin V=2 make toybox install_flat \N
-    && cd $ROOT && ln -fs usr/bin bin && cd - \N
     && install -D LICENSE $ROOT/licenses/toybox \N
     && cp -r /usr/share/doc/musl $ROOT/licenses/
 ###

build/docker/templates/intel-dlb-initcontainer.Dockerfile.in

@@ -16,4 +16,4 @@ FROM ${FINAL_BASE}
 COPY --from=builder /install_root /
 
 COPY demo/dlb-init.sh /usr/local/bin/
-ENTRYPOINT [ "/bin/bash", "/usr/local/bin/dlb-init.sh"]
+ENTRYPOINT ["/usr/local/bin/dlb-init.sh"]