Dockerfile: verify fetched binaries

Dockerfile

@@ -32,7 +32,7 @@ ARG IMGCRYPT_VERSION=1.1.0
 ARG ROOTLESSKIT_VERSION=0.14.1
 ARG SLIRP4NETNS_VERSION=1.1.9
 # Extra deps: FUSE-OverlayFS
-ARG FUSE_OVERLAYFS_VERSION=1.4.0
+ARG FUSE_OVERLAYFS_VERSION=1.5.0
 ARG CONTAINERD_FUSE_OVERLAYFS_VERSION=1.0.2
 
 # Test deps
@@ -48,33 +48,54 @@ RUN BINDIR=/out/bin make binaries install
 # We do not set CMD to `go test` here, because it requires systemd
 
 FROM build-minimal AS build-full
+WORKDIR /nowhere
 RUN apk add --no-cache curl
+COPY ./Dockerfile.d/SHA256SUMS.d/ /SHA256SUMS.d
 COPY README.md /out/share/doc/nerdctl/
 COPY docs /out/share/doc/nerdctl/docs
 RUN mkdir -p /out/share/doc/nerdctl-full && \
   echo "# nerdctl (full distribution)" > /out/share/doc/nerdctl-full/README.md && \
   echo "- nerdctl: $(cd /go/src/github.com/containerd/nerdctl && git describe --tags)" >> /out/share/doc/nerdctl-full/README.md
 ARG TARGETARCH
 ARG CONTAINERD_VERSION
-RUN curl -L https://github.com/containerd/containerd/releases/download/v${CONTAINERD_VERSION}/containerd-${CONTAINERD_VERSION}-linux-${TARGETARCH:-amd64}.tar.gz | tar xzvC /out && \
-  rm -f /out/bin/containerd-shim /out/bin/containerd-shim-runc-v1 && \
+RUN fname="containerd-${CONTAINERD_VERSION}-${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz" && \
+  curl -o "${fname}" -fsSL "https://github.com/containerd/containerd/releases/download/v${CONTAINERD_VERSION}/${fname}" && \
+  curl -o "containerd.service" -fsSL "https://raw.githubusercontent.com/containerd/containerd/v${CONTAINERD_VERSION}/containerd.service" && \
+  grep "${fname}" "/SHA256SUMS.d/containerd-${CONTAINERD_VERSION}" | sha256sum -c - && \
+  grep "containerd.service" "/SHA256SUMS.d/containerd-${CONTAINERD_VERSION}" | sha256sum -c - && \
+  tar xzf "${fname}" -C /out && \
+  rm -f "${fname}" /out/bin/containerd-shim /out/bin/containerd-shim-runc-v1 && \
   mkdir -p /out/lib/systemd/system && \
-  curl -L -o /out/lib/systemd/system/containerd.service https://raw.githubusercontent.com/containerd/containerd/v${CONTAINERD_VERSION}/containerd.service && \
+  mv containerd.service /out/lib/systemd/system/containerd.service && \
   echo "- containerd: v${CONTAINERD_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 ARG RUNC_VERSION
-RUN curl -L -o /out/bin/runc https://github.com/opencontainers/runc/releases/download/v${RUNC_VERSION}/runc.${TARGETARCH:-amd64} && \
+RUN fname="runc.${TARGETARCH:-amd64}" && \
+  curl -o "${fname}" -fsSL "https://github.com/opencontainers/runc/releases/download/v${RUNC_VERSION}/${fname}" && \
+  grep "${fname}" "/SHA256SUMS.d/runc-${RUNC_VERSION}" | sha256sum -c && \
+  mv "${fname}" /out/bin/runc && \
   chmod +x /out/bin/runc && \
   echo "- runc: v${RUNC_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 ARG CNI_PLUGINS_VERSION
-RUN mkdir -p /out/libexec/cni && \
-  curl -L https://github.com/containernetworking/plugins/releases/download/v${CNI_PLUGINS_VERSION}/cni-plugins-linux-${TARGETARCH:-amd64}-v${CNI_PLUGINS_VERSION}.tgz | tar xzvC /out/libexec/cni && \
+RUN fname="cni-plugins-${TARGETOS:-linux}-${TARGETARCH:-amd64}-v${CNI_PLUGINS_VERSION}.tgz" && \
+  curl -o "${fname}" -fsSL "https://github.com/containernetworking/plugins/releases/download/v${CNI_PLUGINS_VERSION}/${fname}" && \
+  grep "${fname}" "/SHA256SUMS.d/cni-plugins-${CNI_PLUGINS_VERSION}" | sha256sum -c && \
+  mkdir -p /out/libexec/cni && \
+  tar xzf "${fname}" -C /out/libexec/cni && \
+  rm -f "${fname}" && \
   echo "- CNI plugins: v${CNI_PLUGINS_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 ARG CNI_ISOLATION_VERSION
-RUN curl -L https://github.com/AkihiroSuda/cni-isolation/releases/download/v${CNI_ISOLATION_VERSION}/cni-isolation-${TARGETARCH:-amd64}.tgz | tar xzvC /out/libexec/cni && \
+RUN fname="cni-isolation-${TARGETARCH:-amd64}.tgz" && \
+  curl -o "${fname}" -fsSL "https://github.com/AkihiroSuda/cni-isolation/releases/download/v${CNI_ISOLATION_VERSION}/${fname}" && \
+  grep "${fname}" "/SHA256SUMS.d/cni-isolation-${CNI_ISOLATION_VERSION}" | sha256sum -c && \
+  tar xzf "${fname}" -C /out/libexec/cni && \
+  rm -f "${fname}" && \
   echo "- CNI isolation plugin: v${CNI_ISOLATION_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 ARG BUILDKIT_VERSION
-RUN curl -L https://github.com/moby/buildkit/releases/download/v${BUILDKIT_VERSION}/buildkit-v${BUILDKIT_VERSION}.linux-${TARGETARCH:-amd64}.tar.gz | tar xzvC /out && \
-  rm -f /out/bin/buildkit-qemu-* /out/bin/buildkit-runc && \
+RUN fname="buildkit-v${BUILDKIT_VERSION}.${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz" && \
+  curl -o "${fname}" -fsSL "https://github.com/moby/buildkit/releases/download/v${BUILDKIT_VERSION}/${fname}" && \
+  grep "${fname}" "/SHA256SUMS.d/buildkit-${BUILDKIT_VERSION}" | sha256sum -c && \
+  tar xzf "${fname}" -C /out && \
+  rm -f "${fname}" /out/bin/buildkit-qemu-* /out/bin/buildkit-runc && \
   echo "- BuildKit: v${BUILDKIT_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 # NOTE: github.com/moby/buildkit/examples/systemd is not included in BuildKit v0.8.x, will be included in v0.9.x
 RUN cd /out/lib/systemd/system && \
@@ -83,28 +104,47 @@ RUN cd /out/lib/systemd/system && \
   echo "" >> buildkit.service && \
   echo "# This file was converted from containerd.service, with \`sed -E '${sedcomm}'\`" >> buildkit.service
 ARG STARGZ_SNAPSHOTTER_VERSION
-RUN curl -L https://github.com/containerd/stargz-snapshotter/releases/download/v${STARGZ_SNAPSHOTTER_VERSION}/stargz-snapshotter-v${STARGZ_SNAPSHOTTER_VERSION}-linux-${TARGETARCH:-amd64}.tar.gz | tar xzvC /out/bin && \
-  curl -L -o /out/lib/systemd/system/stargz-snapshotter.service https://raw.githubusercontent.com/containerd/stargz-snapshotter/v${STARGZ_SNAPSHOTTER_VERSION}/script/config/etc/systemd/system/stargz-snapshotter.service && \
+RUN fname="stargz-snapshotter-v${STARGZ_SNAPSHOTTER_VERSION}-${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz" && \
+  curl -o "${fname}" -fsSL "https://github.com/containerd/stargz-snapshotter/releases/download/v${STARGZ_SNAPSHOTTER_VERSION}/${fname}" && \
+  curl -o "stargz-snapshotter.service" -fsSL "https://raw.githubusercontent.com/containerd/stargz-snapshotter/v${STARGZ_SNAPSHOTTER_VERSION}/script/config/etc/systemd/system/stargz-snapshotter.service" && \
+  grep "${fname}" "/SHA256SUMS.d/stargz-snapshotter-${STARGZ_SNAPSHOTTER_VERSION}" | sha256sum -c - && \
+  grep "stargz-snapshotter.service" "/SHA256SUMS.d/stargz-snapshotter-${STARGZ_SNAPSHOTTER_VERSION}" | sha256sum -c - && \
+  tar xzf "${fname}" -C /out/bin && \
+  rm -f "${fname}" && \
+  mv stargz-snapshotter.service /out/lib/systemd/system/stargz-snapshotter.service && \
   echo "- Stargz Snapshotter: v${STARGZ_SNAPSHOTTER_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 ARG IMGCRYPT_VERSION
 RUN git clone https://github.com/containerd/imgcrypt.git /go/src/github.com/containerd/imgcrypt && \
   cd /go/src/github.com/containerd/imgcrypt && \
   CGO_ENABLED=0 make && DESTDIR=/out make install && \
   echo "- imgcrypt: v${IMGCRYPT_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 ARG ROOTLESSKIT_VERSION
-RUN curl -L https://github.com/rootless-containers/rootlesskit/releases/download/v${ROOTLESSKIT_VERSION}/rootlesskit-$(uname -m).tar.gz | tar xzvC /out/bin && \
-  rm -f /out/bin/rootlesskit-docker-proxy && \
+RUN fname="rootlesskit-$(uname -m).tar.gz" && \
+  curl -o "${fname}" -fsSL "https://github.com/rootless-containers/rootlesskit/releases/download/v${ROOTLESSKIT_VERSION}/${fname}" && \
+  grep "${fname}" "/SHA256SUMS.d/rootlesskit-${ROOTLESSKIT_VERSION}" | sha256sum -c && \
+  tar xzf "${fname}" -C /out/bin && \
+  rm -f "${fname}" /out/bin/rootlesskit-docker-proxy && \
   echo "- RootlessKit: v${ROOTLESSKIT_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 ARG SLIRP4NETNS_VERSION
-RUN curl -L -o /out/bin/slirp4netns https://github.com/rootless-containers/slirp4netns/releases/download/v${SLIRP4NETNS_VERSION}/slirp4netns-$(uname -m) && \
+RUN fname="slirp4netns-$(uname -m)" && \
+  curl -o "${fname}" -fsSL "https://github.com/rootless-containers/slirp4netns/releases/download/v${SLIRP4NETNS_VERSION}/${fname}" && \
+  grep "${fname}" "/SHA256SUMS.d/slirp4netns-${SLIRP4NETNS_VERSION}" | sha256sum -c && \
+  mv "${fname}" /out/bin/slirp4netns && \
   chmod +x /out/bin/slirp4netns && \
   echo "- slirp4netns: v${SLIRP4NETNS_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 ARG FUSE_OVERLAYFS_VERSION
-RUN curl -L -o /out/bin/fuse-overlayfs https://github.com/containers/fuse-overlayfs/releases/download/v${FUSE_OVERLAYFS_VERSION}/fuse-overlayfs-$(uname -m) && \
+RUN fname="fuse-overlayfs-$(uname -m)" && \
+  curl -o "${fname}" -fsSL "https://github.com/containers/fuse-overlayfs/releases/download/v${FUSE_OVERLAYFS_VERSION}/${fname}" && \
+  grep "${fname}" "/SHA256SUMS.d/fuse-overlayfs-${FUSE_OVERLAYFS_VERSION}" | sha256sum -c && \
+  mv "${fname}" /out/bin/fuse-overlayfs && \
   chmod +x /out/bin/fuse-overlayfs && \
   echo "- fuse-overlayfs: v${FUSE_OVERLAYFS_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 ARG CONTAINERD_FUSE_OVERLAYFS_VERSION
-RUN curl -L https://github.com/containerd/fuse-overlayfs-snapshotter/releases/download/v${CONTAINERD_FUSE_OVERLAYFS_VERSION}/containerd-fuse-overlayfs-${CONTAINERD_FUSE_OVERLAYFS_VERSION}-linux-${TARGETARCH:-amd64}.tar.gz | tar xzvC /out/bin && \
+RUN fname="containerd-fuse-overlayfs-${CONTAINERD_FUSE_OVERLAYFS_VERSION}-${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz" && \
+  curl -o "${fname}" -fsSL "https://github.com/containerd/fuse-overlayfs-snapshotter/releases/download/v${CONTAINERD_FUSE_OVERLAYFS_VERSION}/${fname}" && \
+  grep "${fname}" "/SHA256SUMS.d/containerd-fuse-overlayfs-${CONTAINERD_FUSE_OVERLAYFS_VERSION}" | sha256sum -c && \
+  tar xzf "${fname}" -C /out/bin && \
+  rm -f "${fname}" && \
   echo "- containerd-fuse-overlayfs: v${CONTAINERD_FUSE_OVERLAYFS_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 RUN echo "" >> /out/share/doc/nerdctl-full/README.md && \
   echo "## License" >> /out/share/doc/nerdctl-full/README.md && \

Dockerfile.d/SHA256SUMS.d/buildkit-0.8.2

@@ -0,0 +1 @@
+d6d1ebc68806e626f31dd4ea17a406a93dcff14763971cd91b28cbaf3bfffcd4  buildkit-v0.8.2.linux-amd64.tar.gz

Dockerfile.d/SHA256SUMS.d/cni-isolation-0.0.3

@@ -0,0 +1,6 @@
+9f130b6c6d9fbcb8b962fe54f8c562efeb1b14686eb240125a1ab87e11ea5f21  cni-isolation-amd64.tgz
+9364977a91fffb086bdfd24de4a999c38eacf0bfa0a82e7d136d8c2341333619  cni-isolation-arm.tgz
+0fbc711e7338d0e7d195ed7cd52120a517182e4c2e9b9205db04ef36a145dc42  cni-isolation-arm64.tgz
+5e8b1a045dc3efe16a1d59134aaede9ad44496907e40d9fcc1c907db5838204b  cni-isolation-mips64le.tgz
+5807817f725deef71d152193e7bd6e6e8f93adf74eb0a56c18e108286da7bf31  cni-isolation-ppc64le.tgz
+aea168380eb7c80be16c97d843188121e2249f00b0cbbbba5179162a20ae389a  cni-isolation-s390x.tgz

Dockerfile.d/SHA256SUMS.d/cni-plugins-0.9.1

@@ -0,0 +1 @@
+962100bbc4baeaaa5748cdbfce941f756b1531c2eadb290129401498bfac21e7  cni-plugins-linux-amd64-v0.9.1.tgz

Dockerfile.d/SHA256SUMS.d/containerd-1.4.4

@@ -0,0 +1,2 @@
+2d93227ae882ce29671a863de124fe464a8b75387d69d8d618805572c8013ee8  containerd-1.4.4-linux-amd64.tar.gz
+5ed152bbf73b86c5c290f3755ecf7373a282866b7e1407a4102d5be36026a288  containerd.service

Dockerfile.d/SHA256SUMS.d/containerd-1.5.0-beta.4

@@ -0,0 +1,2 @@
+725ce7465b3c007a081e1292a839c8e7aec8d5f58a99a1317ed2d87c512d7811  containerd-1.5.0-beta.4-linux-amd64.tar.gz
+16a9e9fed866ad36246239582a1d72eb2f815b6b10298a8ae493dca72af71b31  containerd.service

Dockerfile.d/SHA256SUMS.d/containerd-fuse-overlayfs-1.0.2

@@ -0,0 +1,5 @@
+1f1e69f71b5ea568e93e40059af1b02a377ac0966d2acd27e4cce388a27af218  containerd-fuse-overlayfs-1.0.2-linux-amd64.tar.gz
+870aa3171f07709c8d901760b0b72221e4efcd6c1cf22b22d353bda34008ee7d  containerd-fuse-overlayfs-1.0.2-linux-arm-v7.tar.gz
+7ade1a44d880b3fb8eaa3c5ff7d3890a43b777d06ec80439c9a51ae35626c83c  containerd-fuse-overlayfs-1.0.2-linux-arm64.tar.gz
+eaf9bdd3de4514546945ea93119acea2b7bfa55ced43766e20adabddd5d20978  containerd-fuse-overlayfs-1.0.2-linux-ppc64le.tar.gz
+ab8e20a71a51506d485cd8ee3bd287e385eee0c81c3a7c4a1c2b5aa9bcf8ad84  containerd-fuse-overlayfs-1.0.2-linux-s390x.tar.gz

Dockerfile.d/SHA256SUMS.d/fuse-overlayfs-1.5.0

@@ -0,0 +1,5 @@
+7cb4ec0269a6adf2bf8d89baadf5335e139d5d7c534c6f9cdd2e9ca71afbd784  fuse-overlayfs-aarch64
+d177e182d8080f44eb28c7874720b6c0bb6133fe16d1d506e7aac8650649c798  fuse-overlayfs-armv7l
+dd15032d33cef20a535608f416f877ff5c7a70b11b38d222e87f3bf1e3a89656  fuse-overlayfs-ppc64le
+55dabf52c26a08d7a1d56d4800317db4410ae1027833b6d510a89b59e867e406  fuse-overlayfs-s390x
+53e54b2febf39ba6e67018294a7162bd6b4d18cb544ed7aff54c29ffb2791606  fuse-overlayfs-x86_64

Dockerfile.d/SHA256SUMS.d/rootlesskit-0.14.1

@@ -0,0 +1,5 @@
+1591b81b9f290b3d09c2ae608524bd5b474939ae56dd71a25d7756a22265de1f  rootlesskit-aarch64.tar.gz
+4d3794080a37b900ae7b14c32e625ae5a3c40f735d0698212c1149173fb29e62  rootlesskit-armv7l.tar.gz
+34e14b2cf76324f227d1e5f5239a4620c51ec78fef7d342151c9812791725023  rootlesskit-ppc64le.tar.gz
+ab31a2eda0746781c2c031149662a8cb0bde21df93904efff3bd09ab10d395f5  rootlesskit-s390x.tar.gz
+8ce5a87fb7bee0a320a570a8467be7ec786893d3ad532c9a53396e430c445d5f  rootlesskit-x86_64.tar.gz

Dockerfile.d/SHA256SUMS.d/runc-1.0.0-rc93

@@ -0,0 +1 @@
+9feaa82be15cb190cf0ed76fcb6d22841abd18088d275a47e894cd1e3a0ee4b6  runc.amd64

Dockerfile.d/SHA256SUMS.d/slirp4netns-1.1.9

@@ -0,0 +1,5 @@
+74253478ab5e18d5e2a1199f0f011454bdd3fa48112ef89c771a85c5c514e317  slirp4netns-aarch64
+9e74d2bc8f07dbc53376aeca6cb015b45c0cc89a139f95e51853f3168ae1a5ac  slirp4netns-armv7l
+85557a232cb78b5a4fd969f0af56424cd8bab4c9f4a594d2ed4b7e7dac0b44b5  slirp4netns-ppc64le
+b707992edbd194143ca3bf7a031a1d2bc984ddbd3ca372d970e7257cd9cf31a3  slirp4netns-s390x
+69c80cd0f8abc9618472958d238f15561da6a767472b11d022b86d3c33a42715  slirp4netns-x86_64

Dockerfile.d/SHA256SUMS.d/stargz-snapshotter-0.5.0

@@ -0,0 +1,2 @@
+a800f1ef707443260df6ea2b0627edb404ecad67bbbefea81b997c4499555b02  stargz-snapshotter-v0.5.0-linux-amd64.tar.gz
+f1cf855870af16a653d8acb9daa3edf84687c2c05323cb958f078fb148af3eec  stargz-snapshotter.service

pkg/testutil/testutil.go

@@ -273,10 +273,10 @@ func NewBase(t *testing.T) *Base {
 	return base
 }
 
-// use GCR mirror to avoid hitting Docker Hub rate limit
+// TODO: do not use Docker Hub nor GCR mirror: https://github.com/containerd/nerdctl/issues/146
 const (
-	AlpineImage                 = "mirror.gcr.io/library/alpine:3.13"
-	NginxAlpineImage            = "mirror.gcr.io/library/nginx:1.19-alpine"
+	AlpineImage                 = "alpine:3.13"
+	NginxAlpineImage            = "nginx:1.19-alpine"
 	NginxAlpineIndexHTMLSnippet = "<title>Welcome to nginx!</title>"
-	RegistryImage               = "mirror.gcr.io/library/registry:2"
+	RegistryImage               = "registry:2"
 )