Update busybox tarballs (newer buildroot, newer libcs, add libpthread in glibc, https, fixed GPG) #2954
Merged
… in glibc, https, fixed GPG)
Diff:diff --git a/busybox_glibc/Dockerfile.builder b/busybox_glibc/Dockerfile.builder
index 952bc54..a79fb7b 100644
--- a/busybox_glibc/Dockerfile.builder
+++ b/busybox_glibc/Dockerfile.builder
@@ -11,22 +11,24 @@ RUN apt-get update && apt-get install -y \
# Key fingerprint = C9E9 416F 76E6 10DB D09D 040F 47B7 0C55 ACC9 965B
# uid Denis Vlasenko <vda.linux@googlemail.com>
# sub 1024g/2C766641 2006-12-12
-RUN gpg --keyserver pool.sks-keyservers.net --recv-keys C9E9416F76E610DBD09D040F47B70C55ACC9965B
+RUN gpg --keyserver ha.pool.sks-keyservers.net --recv-keys C9E9416F76E610DBD09D040F47B70C55ACC9965B
ENV BUSYBOX_VERSION 1.26.2
-RUN set -x \
- && curl -fsSL "http://busybox.net/downloads/busybox-${BUSYBOX_VERSION}.tar.bz2" -o busybox.tar.bz2 \
- && curl -fsSL "http://busybox.net/downloads/busybox-${BUSYBOX_VERSION}.tar.bz2.sign" -o busybox.tar.bz2.sign \
- && gpg --verify busybox.tar.bz2.sign \
- && tar -xjf busybox.tar.bz2 \
- && mkdir -p /usr/src \
- && mv "busybox-${BUSYBOX_VERSION}" /usr/src/busybox \
- && rm busybox.tar.bz2*
+RUN set -ex; \
+ tarball="busybox-${BUSYBOX_VERSION}.tar.bz2"; \
+ curl -fL -o busybox.tar.bz2 "https://busybox.net/downloads/$tarball"; \
+ curl -fL -o busybox.tar.bz2.sign "https://busybox.net/downloads/$tarball.sign"; \
+ gpg --batch --decrypt --output busybox.tar.bz2.txt busybox.tar.bz2.sign; \
+ awk '$1 == "SHA1:" && $2 ~ /^[0-9a-f]+$/ && $3 == "'"$tarball"'" { print $2, "*busybox.tar.bz2" }' busybox.tar.bz2.txt > busybox.tar.bz2.sha1; \
+ test -s busybox.tar.bz2.sha1; \
+ sha1sum -c busybox.tar.bz2.sha1; \
+ mkdir -p /usr/src/busybox; \
+ tar -xf busybox.tar.bz2 -C /usr/src/busybox --strip-components 1; \
+ rm busybox.tar.bz2*
WORKDIR /usr/src/busybox
-# TODO remove CONFIG_FEATURE_SYNC_FANCY from this explicit list after the next release of busybox (since it's disabled by default upstream now)
# CONFIG_LAST_SUPPORTED_WCHAR: see https://github.com/docker-library/busybox/issues/13 (UTF-8 input)
# As long as we rely on libnss, we have to have libc.so anyhow, so
# we've removed CONFIG_STATIC here for now... :cry:
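Review bot: In the new download step, `gpg --batch --decrypt --output busybox.tar.bz2.txt busybox.tar.bz2.sign` is trusted on its exit status alone; nothing in the step asserts that the output was covered by a good signature from C9E9416F76E610DBD09D040F47B70C55ACC9965B, the key imported a few lines up. Suggest running gpg with `--status-fd` and requiring a `VALIDSIG` line that carries that fingerprint before the awk step reads the checksum, so the SHA1 value can only come from a file that key signed.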
@@ -72,8 +74,6 @@ RUN set -ex; \
grep -q "^$confV\$" .config; \
done;
-# hack hack hack hack hack
-# with glibc, static busybox uses libnss for DNS resolution :(
RUN set -ex \
&& make -j "$(nproc)" \
busybox \
@@ -82,6 +82,9 @@ RUN set -ex \
&& ln -vL busybox rootfs/bin/ \
\
&& ln -vL "$(which getconf)" rootfs/bin/getconf \
+ \
+# hack hack hack hack hack
+# with glibc, static busybox uses libnss for DNS resolution :(
&& mkdir -p rootfs/etc \
&& cp /etc/nsswitch.conf rootfs/etc/ \
&& mkdir -p rootfs/lib \
@@ -90,6 +93,8 @@ RUN set -ex \
rootfs/bin/busybox \
rootfs/bin/getconf \
/lib/"$(gcc -print-multiarch)"/libnss*.so.* \
+# libpthread is part of glibc: http://stackoverflow.com/a/11210463/433558
+ /lib/"$(gcc -print-multiarch)"/libpthread*.so.* \
&& while [ "$#" -gt 0 ]; do \
f="$1"; shift; \
fn="$(basename "$f")"; \
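Review bot: The comment added above the `libpthread*.so.*` line says where libpthread comes from but not which binary in rootfs needs it, so a later reader cannot tell when the line can be dropped. Suggest naming the consumer in the comment, and using an https link for the reference to match the rest of this change.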
@@ -106,17 +111,16 @@ RUN set -ex \
$2 == "=>" && $3 ~ /^\// { print $3; next } \
'); \
done \
+ \
&& chroot rootfs /bin/getconf _NPROCESSORS_ONLN \
\
&& chroot rootfs /bin/busybox --install /bin
-RUN set -ex \
- && buildrootVersion='2015.11.1' \
- && mkdir -p rootfs/etc \
- && for f in passwd shadow group; do \
- curl -fSL \
- "http://git.busybox.net/buildroot/plain/system/skeleton/etc/$f?id=$buildrootVersion" \
- -o "rootfs/etc/$f"; \
+RUN set -ex; \
+ buildrootVersion='2017.02.2'; \
+ mkdir -p rootfs/etc; \
+ for f in passwd shadow group; do \
+ curl -fL -o "rootfs/etc/$f" "https://git.busybox.net/buildroot/plain/system/skeleton/etc/$f?id=$buildrootVersion"; \
done
# create /tmp
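Review bot: The `passwd`, `shadow` and `group` files fetched in the last RUN of this hunk are written into `rootfs/etc/` with no checksum or signature check; https and `?id=$buildrootVersion` are the only controls, and the id is a version name rather than a commit hash. These files define the image's accounts, so suggest pinning a sha256 for each and running `sha256sum -c` after the loop, or taking them from a signature-checked buildroot tarball the way the `ln -vL "../buildroot/system/skeleton/etc/$f"` loop in busybox_latest does.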
diff --git a/busybox_glibc/busybox.tar.xz b/busybox_glibc/busybox.tar.xz
index b6c763d..7f3310a 100644
Binary files a/busybox_glibc/busybox.tar.xz and b/busybox_glibc/busybox.tar.xz differ
diff --git a/busybox_glibc/busybox.tar.xz 'tar -t' b/busybox_glibc/busybox.tar.xz 'tar -t'
index c0aeca1..6890e1c 100644
--- a/busybox_glibc/busybox.tar.xz 'tar -t'
+++ b/busybox_glibc/busybox.tar.xz 'tar -t'
@@ -394,6 +394,7 @@
./lib/libnss_hesiod.so.2
./lib/libnss_nisplus.so.2
./lib/libnss_nis.so.2
+./lib/libpthread.so.0
./lib/libresolv.so.2
./root/
./tmp/
diff --git a/busybox_latest/Dockerfile.builder b/busybox_latest/Dockerfile.builder
index 2ea8479..63cc975 100644
--- a/busybox_latest/Dockerfile.builder
+++ b/busybox_latest/Dockerfile.builder
@@ -9,6 +9,7 @@ RUN apt-get update && apt-get install -y \
# buildroot
bc \
cpio \
+ dpkg-dev \
g++ \
patch \
perl \
@@ -26,16 +27,21 @@ RUN apt-get update && apt-get install -y \
# sub 2048g/45428075 2009-01-15
RUN gpg --keyserver ha.pool.sks-keyservers.net --recv-keys AB07D806D2CE741FB886EE50B025BA8B59C36319
-ENV BUILDROOT_VERSION 2015.11.1
+# https://buildroot.uclibc.org/download.html
+# https://buildroot.uclibc.org/downloads/?C=M;O=D
+ENV BUILDROOT_VERSION 2017.02.2
-RUN set -x \
- && mkdir -p /usr/src/buildroot \
- && cd /usr/src/buildroot \
- && curl -fsSL "http://buildroot.uclibc.org/downloads/buildroot-${BUILDROOT_VERSION}.tar.bz2" -o buildroot.tar.bz2 \
- && curl -fsSL "http://buildroot.uclibc.org/downloads/buildroot-${BUILDROOT_VERSION}.tar.bz2.sign" -o buildroot.tar.bz2.sign \
- && gpg --verify buildroot.tar.bz2.sign \
- && tar -xf buildroot.tar.bz2 --strip-components 1 \
- && rm buildroot.tar.bz2*
+RUN set -ex; \
+ tarball="buildroot-${BUILDROOT_VERSION}.tar.bz2"; \
+ curl -fL -o buildroot.tar.bz2 "https://buildroot.uclibc.org/downloads/$tarball"; \
+ curl -fL -o buildroot.tar.bz2.sign "https://buildroot.uclibc.org/downloads/$tarball.sign"; \
+ gpg --batch --decrypt --output buildroot.tar.bz2.txt buildroot.tar.bz2.sign; \
+ awk '$1 == "SHA1:" && $2 ~ /^[0-9a-f]+$/ && $3 == "'"$tarball"'" { print $2, "*buildroot.tar.bz2" }' buildroot.tar.bz2.txt > buildroot.tar.bz2.sha1; \
+ test -s buildroot.tar.bz2.sha1; \
+ sha1sum -c buildroot.tar.bz2.sha1; \
+ mkdir -p /usr/src/buildroot; \
+ tar -xf buildroot.tar.bz2 -C /usr/src/buildroot --strip-components 1; \
+ rm buildroot.tar.bz2*
RUN set -ex; \
\
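Review bot: The awk filter in the new buildroot download step accepts a hex string of any length as the digest (`$2 ~ /^[0-9a-f]+$/`), and the tarball's integrity then rests on SHA1 alone. Suggest adding `length($2) == 40` to the awk condition so a malformed line fails at `test -s` rather than later, and a comment saying why the `SHA1:` field is the one parsed; if the signed file also carries a stronger digest, check that one instead.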
@@ -46,14 +52,39 @@ RUN set -ex; \
BR2_TOOLCHAIN_BUILDROOT_INET_RPC=y \
BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y \
BR2_TOOLCHAIN_BUILDROOT_WCHAR=y \
- BR2_x86_64=y \
'; \
\
unsetConfs=' \
BR2_SHARED_LIBS \
- BR2_i386 \
'; \
\
+# buildroot arches: https://git.busybox.net/buildroot/tree/arch
+# buildroot+uclibc arches: https://git.busybox.net/buildroot/tree/toolchain/toolchain-buildroot/Config.in (config BR2_TOOLCHAIN_BUILDROOT_UCLIBC)
+ dpkgArch="$(dpkg --print-architecture)"; \
+ case "$dpkgArch" in \
+ amd64) \
+ setConfs="$setConfs \
+ BR2_x86_64=y \
+ "; \
+ unsetConfs="$unsetConfs BR2_i386"; \
+ ;; \
+ arm64) \
+ setConfs="$setConfs \
+ BR2_aarch64=y \
+ "; \
+ unsetConfs="$unsetConfs BR2_i386"; \
+ ;; \
+ i386) \
+ setConfs="$setConfs \
+ BR2_i386=y \
+ "; \
+ ;; \
+ *) \
+ echo >&2 "error: unsupported architecture '$dpkgArch'!"; \
+ exit 1; \
+ ;; \
+ esac; \
+ \
make defconfig; \
\
for conf in $unsetConfs; do \
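Review bot: In the new `case "$dpkgArch"` block, the `i386)` branch sets `BR2_i386=y` but adds nothing to `unsetConfs`, while `amd64)` and `arm64)` both append `BR2_i386`, and the reason for the asymmetry is not documented. If the assumption is that `make defconfig` selects i386 unless told otherwise, a one-line comment saying so would help, and the duplicated `unsetConfs="$unsetConfs BR2_i386"` could be shared between the two non-i386 branches.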
@@ -83,39 +114,35 @@ RUN set -ex; \
grep -q "^$confV\$" .config; \
done;
-ENV UCLIBC_NG_VERSION 1.0.13
-ENV UCLIBC_NG_SHA256 7baae61e243da3ab85e219fead68406995be5eabf889001c0d41676546b19317
-
-RUN set -xe \
- && cd /usr/src/buildroot \
- && sed -i 's!^BR2_UCLIBC_VERSION_STRING=.*!BR2_UCLIBC_VERSION_STRING="'"$UCLIBC_NG_VERSION"'"!' .config \
- && grep -q '^BR2_UCLIBC_VERSION_STRING="'"$UCLIBC_NG_VERSION"'"$' .config \
- && echo "sha256 $UCLIBC_NG_SHA256 uClibc-ng-${UCLIBC_NG_VERSION}.tar.xz" > package/uclibc/uclibc.hash
-
# http://www.finnie.org/2014/02/13/compiling-busybox-with-uclibc/
-RUN make -C /usr/src/buildroot -j$(nproc) toolchain
+RUN set -ex; \
+# force a particular GNU arch for "host-gmp" (otherwise it fails on some arches)
+ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
+ make -C /usr/src/buildroot HOST_GMP_CONF_OPTS="--build='"$gnuArch"'" -j "$(nproc)" toolchain
ENV PATH /usr/src/buildroot/output/host/usr/bin:$PATH
# pub 1024D/ACC9965B 2006-12-12
# Key fingerprint = C9E9 416F 76E6 10DB D09D 040F 47B7 0C55 ACC9 965B
# uid Denis Vlasenko <vda.linux@googlemail.com>
# sub 1024g/2C766641 2006-12-12
-RUN gpg --keyserver pool.sks-keyservers.net --recv-keys C9E9416F76E610DBD09D040F47B70C55ACC9965B
+RUN gpg --keyserver ha.pool.sks-keyservers.net --recv-keys C9E9416F76E610DBD09D040F47B70C55ACC9965B
ENV BUSYBOX_VERSION 1.26.2
-RUN set -x \
- && curl -fsSL "http://busybox.net/downloads/busybox-${BUSYBOX_VERSION}.tar.bz2" -o busybox.tar.bz2 \
- && curl -fsSL "http://busybox.net/downloads/busybox-${BUSYBOX_VERSION}.tar.bz2.sign" -o busybox.tar.bz2.sign \
- && gpg --verify busybox.tar.bz2.sign \
- && tar -xjf busybox.tar.bz2 \
- && mkdir -p /usr/src \
- && mv "busybox-${BUSYBOX_VERSION}" /usr/src/busybox \
- && rm busybox.tar.bz2*
+RUN set -ex; \
+ tarball="busybox-${BUSYBOX_VERSION}.tar.bz2"; \
+ curl -fL -o busybox.tar.bz2 "https://busybox.net/downloads/$tarball"; \
+ curl -fL -o busybox.tar.bz2.sign "https://busybox.net/downloads/$tarball.sign"; \
+ gpg --batch --decrypt --output busybox.tar.bz2.txt busybox.tar.bz2.sign; \
+ awk '$1 == "SHA1:" && $2 ~ /^[0-9a-f]+$/ && $3 == "'"$tarball"'" { print $2, "*busybox.tar.bz2" }' busybox.tar.bz2.txt > busybox.tar.bz2.sha1; \
+ test -s busybox.tar.bz2.sha1; \
+ sha1sum -c busybox.tar.bz2.sha1; \
+ mkdir -p /usr/src/busybox; \
+ tar -xf busybox.tar.bz2 -C /usr/src/busybox --strip-components 1; \
+ rm busybox.tar.bz2*
WORKDIR /usr/src/busybox
-# TODO remove CONFIG_FEATURE_SYNC_FANCY from this explicit list after the next release of busybox (since it's disabled by default upstream now)
# CONFIG_LAST_SUPPORTED_WCHAR: see https://github.com/docker-library/busybox/issues/13 (UTF-8 input)
RUN set -ex; \
\
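Review bot: In the new toolchain RUN, `HOST_GMP_CONF_OPTS="--build='"$gnuArch"'"` closes the double quotes before `$gnuArch` and reopens them after it, so the expansion itself is unquoted and subject to word splitting. `HOST_GMP_CONF_OPTS="--build='$gnuArch'"` passes the same value with the single quotes preserved and the variable quoted. Separately, this hunk removes the `UCLIBC_NG_VERSION` / `UCLIBC_NG_SHA256` override; the commit message should say that the uClibc-ng version and its hash are now left to buildroot.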
@@ -170,11 +197,13 @@ RUN set -ex \
\
&& ln -vL ../buildroot/output/target/usr/bin/getconf rootfs/bin/ \
\
+ && chroot rootfs /bin/getconf _NPROCESSORS_ONLN \
+ \
&& chroot rootfs /bin/busybox --install /bin
-RUN set -ex \
- && mkdir -p rootfs/etc \
- && for f in passwd shadow group; do \
+RUN set -ex; \
+ mkdir -p rootfs/etc; \
+ for f in passwd shadow group; do \
ln -vL \
"../buildroot/system/skeleton/etc/$f" \
"rootfs/etc/$f"; \
diff --git a/busybox_latest/busybox.tar.xz b/busybox_latest/busybox.tar.xz
index a5c9958..9e5d0eb 100644
Binary files a/busybox_latest/busybox.tar.xz and b/busybox_latest/busybox.tar.xz differ
diff --git a/busybox_musl/Dockerfile.builder b/busybox_musl/Dockerfile.builder
index cd7135b..b30d0b1 100644
--- a/busybox_musl/Dockerfile.builder
+++ b/busybox_musl/Dockerfile.builder
@@ -2,30 +2,33 @@ FROM alpine:3.5
RUN apk add --no-cache \
bzip2 \
+ coreutils \
curl \
gcc \
- make \
- \
gnupg \
linux-headers \
+ make \
musl-dev
# pub 1024D/ACC9965B 2006-12-12
# Key fingerprint = C9E9 416F 76E6 10DB D09D 040F 47B7 0C55 ACC9 965B
# uid Denis Vlasenko <vda.linux@googlemail.com>
# sub 1024g/2C766641 2006-12-12
-RUN gpg --keyserver pool.sks-keyservers.net --recv-keys C9E9416F76E610DBD09D040F47B70C55ACC9965B
+RUN gpg --keyserver ha.pool.sks-keyservers.net --recv-keys C9E9416F76E610DBD09D040F47B70C55ACC9965B
ENV BUSYBOX_VERSION 1.26.2
-RUN set -x \
- && curl -fsSL "http://busybox.net/downloads/busybox-${BUSYBOX_VERSION}.tar.bz2" -o busybox.tar.bz2 \
- && curl -fsSL "http://busybox.net/downloads/busybox-${BUSYBOX_VERSION}.tar.bz2.sign" -o busybox.tar.bz2.sign \
- && gpg --verify busybox.tar.bz2.sign \
- && tar -xjf busybox.tar.bz2 \
- && mkdir -p /usr/src \
- && mv "busybox-${BUSYBOX_VERSION}" /usr/src/busybox \
- && rm busybox.tar.bz2*
+RUN set -ex; \
+ tarball="busybox-${BUSYBOX_VERSION}.tar.bz2"; \
+ curl -fL -o busybox.tar.bz2 "https://busybox.net/downloads/$tarball"; \
+ curl -fL -o busybox.tar.bz2.sign "https://busybox.net/downloads/$tarball.sign"; \
+ gpg --batch --decrypt --output busybox.tar.bz2.txt busybox.tar.bz2.sign; \
+ awk '$1 == "SHA1:" && $2 ~ /^[0-9a-f]+$/ && $3 == "'"$tarball"'" { print $2, "*busybox.tar.bz2" }' busybox.tar.bz2.txt > busybox.tar.bz2.sha1; \
+ test -s busybox.tar.bz2.sha1; \
+ sha1sum -c busybox.tar.bz2.sha1; \
+ mkdir -p /usr/src/busybox; \
+ tar -xf busybox.tar.bz2 -C /usr/src/busybox --strip-components 1; \
+ rm busybox.tar.bz2*
WORKDIR /usr/src/busybox
@@ -33,7 +36,6 @@ WORKDIR /usr/src/busybox
# https://www.mail-archive.com/toybox@lists.landley.net/msg02526.html
RUN sed -i 's/^struct kconf_id \*$/static &/g' scripts/kconfig/zconf.hash.c_shipped
-# TODO remove CONFIG_FEATURE_SYNC_FANCY from this explicit list after the next release of busybox (since it's disabled by default upstream now)
# CONFIG_LAST_SUPPORTED_WCHAR: see https://github.com/docker-library/busybox/issues/13 (UTF-8 input)
# see http://wiki.musl-libc.org/wiki/Building_Busybox
RUN set -ex; \
@@ -85,11 +87,11 @@ RUN set -ex; \
done;
RUN set -ex \
- && make -j "$(getconf _NPROCESSORS_ONLN)" \
+ && make -j "$(nproc)" \
busybox \
&& ./busybox --help \
&& mkdir -p rootfs/bin \
- && ln -v busybox rootfs/bin/ \
+ && ln -vL busybox rootfs/bin/ \
&& chroot rootfs /bin/busybox --install /bin
# grab a simplified getconf port from Alpine we can statically compile
@@ -99,15 +101,13 @@ RUN set -x \
"http://git.alpinelinux.org/cgit/aports/plain/main/musl/getconf.c?h=${aportsVersion}" \
-o /usr/src/getconf.c \
&& gcc -o rootfs/bin/getconf -static -Os /usr/src/getconf.c \
- && chroot rootfs /bin/sh -xec 'getconf _NPROCESSORS_ONLN'
+ && chroot rootfs /bin/getconf _NPROCESSORS_ONLN
-RUN set -ex \
- && buildrootVersion='2015.11.1' \
- && mkdir -p rootfs/etc \
- && for f in passwd shadow group; do \
- curl -fSL \
- "http://git.busybox.net/buildroot/plain/system/skeleton/etc/$f?id=$buildrootVersion" \
- -o "rootfs/etc/$f"; \
+RUN set -ex; \
+ buildrootVersion='2017.02.2'; \
+ mkdir -p rootfs/etc; \
+ for f in passwd shadow group; do \
+ curl -fL -o "rootfs/etc/$f" "https://git.busybox.net/buildroot/plain/system/skeleton/etc/$f?id=$buildrootVersion"; \
done
# create /tmp
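Review bot: The context lines at the top of this hunk still fetch `getconf.c` from `http://git.alpinelinux.org/cgit/aports/plain/main/musl/getconf.c?h=${aportsVersion}` over plain http and compile it straight into `rootfs/bin/getconf`, which is inconsistent with the https moves made everywhere else in this change. Suggest switching that URL to https and checking the file against a pinned sha256 before the `gcc` step, since `?h=` selects a ref rather than fixed content.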
diff --git a/busybox_musl/busybox.tar.xz b/busybox_musl/busybox.tar.xz
index a204beb..5e88aeb 100644
Binary files a/busybox_musl/busybox.tar.xz and b/busybox_musl/busybox.tar.xz differ |
Build test of #2954; 822be9a ( $ bashbrew build busybox:1.26.2-glibc
Building bashbrew/cache:bf073b3b94957b727a06e2e0dfb6f96f0de12316f2712269de344e1375b8891e (busybox:1.26.2-glibc)
Tagging busybox:1.26.2-glibc
Tagging busybox:1.26-glibc
Tagging busybox:1-glibc
Tagging busybox:glibc
$ test/run.sh busybox:1.26.2-glibc
testing busybox:1.26.2-glibc
'utc' [1/4]...passed
'cve-2014--shellshock' [2/4]...passed
'no-hard-coded-passwords' [3/4]...passed
'override-cmd' [4/4]...passed
$ bashbrew build busybox:1.26.2-musl
Building bashbrew/cache:772838d756783ffbc332786e0c41ac0a3baedd30305e10958227c610acb6b3ce (busybox:1.26.2-musl)
Tagging busybox:1.26.2-musl
Tagging busybox:1.26-musl
Tagging busybox:1-musl
Tagging busybox:musl
$ test/run.sh busybox:1.26.2-musl
testing busybox:1.26.2-musl
'utc' [1/4]...passed
'cve-2014--shellshock' [2/4]...passed
'no-hard-coded-passwords' [3/4]...passed
'override-cmd' [4/4]...passed
$ bashbrew build busybox:1.26.2-uclibc
Building bashbrew/cache:7648a53bd870b77707ba73ff2ee45b03a09822d3fd45b7bdb76439bfd6588dcb (busybox:1.26.2-uclibc)
Tagging busybox:1.26.2-uclibc
Tagging busybox:1.26-uclibc
Tagging busybox:1-uclibc
Tagging busybox:uclibc
Tagging busybox:1.26.2
Tagging busybox:1.26
Tagging busybox:1
Tagging busybox:latest
$ test/run.sh busybox:1.26.2-uclibc
testing busybox:1.26.2-uclibc
'utc' [1/4]...passed
'cve-2014--shellshock' [2/4]...passed
'no-hard-coded-passwords' [3/4]...passed
'override-cmd' [4/4]...passed
(This is the update to #2953)