Change containerd-snapshotter-base to alpine based

This was done to use a smaller base image which makes us less prone to
security issues.

Additionally, this commit switches to using raw image URLs instead of
inserting in the version via a variable, so that dependabot can track
new versions.

The Dockerfile line that pulls the registry  was moved up to allow
proper tagging when building locally instead of with Docker Compose.

Signed-off-by: Austin Vazquez <[email protected]>

Author: austinvazquez

Dockerfile

@@ -15,21 +15,27 @@
 ARG CONTAINERD_VERSION=1.6.30
 ARG RUNC_VERSION=1.1.12
 ARG NERDCTL_VERSION=1.7.1
-ARG GO_VERSION=1.21.10
-ARG REGISTRY_VERSION=3.0.0-alpha.1
 
-FROM public.ecr.aws/docker/library/golang:${GO_VERSION}-bookworm AS golang-base
+FROM public.ecr.aws/docker/library/registry:3.0.0-alpha.1 AS registry
+
+FROM public.ecr.aws/docker/library/golang:1.21.9-alpine AS containerd-snapshotter-base
 
-FROM golang-base AS containerd-snapshotter-base
 ARG CONTAINERD_VERSION
 ARG RUNC_VERSION
 ARG NERDCTL_VERSION
-ARG GO_VERSION
 ARG TARGETARCH
 COPY ./integ_entrypoint.sh /integ_entrypoint.sh
 COPY . $GOPATH/src/github.com/awslabs/soci-snapshotter
 ENV GOPROXY direct
-RUN apt-get update -y && apt-get install -y libbtrfs-dev libseccomp-dev libz-dev gcc fuse pigz
+RUN apk add --no-cache \
+    btrfs-progs-libs \
+    curl \
+    fuse \
+    gcc \
+    libc6-compat \
+    libseccomp-dev \
+    pigz \
+    zlib-dev
 RUN cp $GOPATH/src/github.com/awslabs/soci-snapshotter/out/soci /usr/local/bin/ && \
     cp $GOPATH/src/github.com/awslabs/soci-snapshotter/out/soci-snapshotter-grpc /usr/local/bin/ && \
     mkdir /etc/soci-snapshotter-grpc && \
@@ -46,5 +52,3 @@ RUN curl -sSL --output /tmp/runc https://github.com/opencontainers/runc/releases
 RUN curl -sSL --output /tmp/nerdctl.tgz https://github.com/containerd/nerdctl/releases/download/v${NERDCTL_VERSION}/nerdctl-${NERDCTL_VERSION}-linux-${TARGETARCH:-amd64}.tar.gz && \
     tar zxvf /tmp/nerdctl.tgz -C /usr/local/bin/ && \
     rm -f /tmp/nerdctl.tgz
-
-FROM public.ecr.aws/docker/library/registry:${REGISTRY_VERSION} AS registry

integ_entrypoint.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 #
 #   Copyright The Soci Snapshotter Authors.
 

integration/pull_test.go

@@ -739,7 +739,7 @@ insecure = true
 		t.Fatalf("failed to write %v: %v", caCertDir, err)
 	}
 	sh.
-		X("apt-get", "--no-install-recommends", "install", "-y", "iptables").
+		X("apk", "add", "--no-cache", "iptables").
 		X("update-ca-certificates").
 		Retry(100, "nerdctl", "login", "-u", regConfig.user, "-p", regConfig.pass, regConfig.host)
 

integration/run_test.go

@@ -297,7 +297,8 @@ disable = true
 			rebootContainerd(t, sh, getContainerdConfigToml(t, false), getSnapshotterConfigToml(t, false, config))
 			// Re-pull image from our local registry mirror
 			sh.X(append(imagePullCmd, "--soci-index-digest", indexDigest, regConfig.mirror(containerImage).ref)...)
-			sh.X("apt-get", "-qq", "--no-install-recommends", "install", "-y", "iptables")
+			sh.X("apk", "add", "--no-cache", "--quiet", "iptables")
+
 			// Block network access to the registry
 			if tt.config.networkDisableMsec > 0 {
 				sh.X("iptables", "-A", "OUTPUT", "-d", registryHostIP, "-j", "DROP")
@@ -392,7 +393,7 @@ func TestRootFolderPermission(t *testing.T) {
 func TestRestartAfterSigint(t *testing.T) {
 	const containerImage = alpineImage
 	const killTimeout = 5
-	const startTimeout = "5s"
+	const startTimeout = "5"
 
 	regConfig := newRegistryConfig()
 	sh, done := newShellWithRegistry(t, regConfig)
@@ -402,7 +403,7 @@ func TestRestartAfterSigint(t *testing.T) {
 	copyImage(sh, dockerhub(containerImage), regConfig.mirror(containerImage))
 	indexDigest := buildIndex(sh, regConfig.mirror(containerImage), withMinLayerSize(0), withSpanSize(100*1024))
 	sh.X(append(imagePullCmd, "--soci-index-digest", indexDigest, regConfig.mirror(containerImage).ref)...)
-	sh.X("pkill", "-SIGINT", "soci-snapshotte") // pkill can only take up to 15 chars
+	testutil.KillMatchingProcess(sh, "soci-snapshotter-grpc")
 
 	var buffer []byte
 	timedOut := true
@@ -419,16 +420,14 @@ func TestRestartAfterSigint(t *testing.T) {
 		t.Fatalf("failed to kill snapshotter daemon")
 	}
 
-	timeoutCmd := []string{"timeout", "--preserve-status", startTimeout}
+	timeoutCmd := []string{"timeout", "-s", "SIGKILL", startTimeout}
 	cmd := shell.C("/usr/local/bin/soci-snapshotter-grpc", "--log-level", sociLogLevel,
 		"--address", "/run/soci-snapshotter-grpc/soci-snapshotter-grpc.sock")
 	cmd = addConfig(t, sh, getSnapshotterConfigToml(t, false, tcpMetricsConfig), cmd...)
 	cmd = append(timeoutCmd, cmd...)
 
-	// exit status 0 — command timed out, so server is running — PASS
-	// exit status 1 — server crashed before time limit — FAIL
 	if _, err := sh.OLog(cmd...); err != nil {
-		if err.Error() != "exit status 0" {
+		if err.Error() != "exit status 137" { // Killed by SIGKILL
 			t.Fatalf("error starting snapshotter daemon: %v", err)
 		}
 	}

util/testutil/shell.go

@@ -357,7 +357,7 @@ func KillMatchingProcess(sh *shell.Shell, psLinePattern string) error {
 			if len(es) < 2 {
 				continue
 			}
-			pid, err := strconv.ParseInt(es[1], 10, 32)
+			pid, err := strconv.ParseInt(es[0], 10, 32)
 			if err != nil {
 				continue
 			}