use multistage build to setcap on binary in dockerfile for ydbd_slice (#3857)

kobzonega · web-flow · commit 98d7fc848ae8 · 2024-04-18T16:39:19.000+03:00
diff --git a/ydb/tools/ydbd_slice/image/Dockerfile b/ydb/tools/ydbd_slice/image/Dockerfile
@@ -1,26 +1,28 @@
-FROM cr.yandex/mirror/ubuntu:focal
+# syntax=docker/dockerfile:1
+FROM cr.yandex/mirror/ubuntu:focal as base
 
-ARG ARC_COMMIT_ID
-LABEL arc_commit_id=$ARC_COMMIT_ID
-
-RUN \
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
   apt-get -yqq update && \
   apt-get -yqq install libcap2-bin dnsutils telnet netcat-openbsd iputils-ping gdb atop strace curl linux-tools-generic && \
   apt-get -yqq clean all && \
   rm -rf /var/lib/apt/lists/* && \
   groupadd -r ydb && \
   useradd --no-log-init -r -m -g ydb -G disk ydb
 
-WORKDIR /opt/ydb/bin
-
-COPY ydb ./ydb
+FROM base as ydbd-setcap
 
-COPY libiconv.so /lib/libiconv.so
-COPY liblibidn-dynamic.so /lib/liblibidn-dynamic.so
-COPY liblibaio-dynamic.so /lib/liblibaio-dynamic.so
+COPY --link ydbd /ydbd
+RUN /sbin/setcap CAP_SYS_RAWIO=ep /ydbd
 
-COPY ydbd ./ydbd
+FROM base
 
-RUN /sbin/setcap CAP_SYS_RAWIO=ep /opt/ydb/bin/ydbd
+ARG ARC_COMMIT_ID
+LABEL arc_commit_id=$ARC_COMMIT_ID
 
+WORKDIR /opt/ydb/bin
+COPY --chmod=0755 --chown=ydb:ydb --link ydb /opt/ydb/bin/ydb
+COPY --chmod=0644 --link libiconv.so /lib/libiconv.so
+COPY --chmod=0644 --link liblibidn-dynamic.so /lib/liblibidn-dynamic.so
+COPY --chmod=0644 --link liblibaio-dynamic.so /lib/liblibaio-dynamic.so
+COPY --chmod=0755 --chown=ydb:ydb --link --from=ydbd-setcap /ydbd /opt/ydb/bin/ydbd
 USER ydb
