From 1eda348cde7bd0d78d5e406ba0c78003eb67aed0 Mon Sep 17 00:00:00 2001 From: Josh W Lewis Date: Thu, 30 May 2024 09:51:11 -0500 Subject: [PATCH 1/4] Update build.md directions (#310) --- BUILD.md | 61 +++++++++++++++++++++++++++++++------------------------- 1 file changed, 34 insertions(+), 27 deletions(-) diff --git a/BUILD.md b/BUILD.md index 86cc02e0..9aedf6df 100644 --- a/BUILD.md +++ b/BUILD.md 
@@ -2,57 +2,64 @@ ## Prepare your local environment -The build scripts in this repository require bash 4+. To update to newer bash on OS X, see: -https://johndjameson.com/blog/updating-your-shell-with-homebrew/ +The build scripts in this repository require: -## Adding packages to the base image +- bash 4+. To update to newer bash on OS X, see: https://johndjameson.com/blog/updating-your-shell-with-homebrew/ +- Docker Desktop. To build multi-arch images (heroku-24 and beyond), + the `containerd` snapshotter feature should be enabled. -Add the package you want to the appropriate `setup.sh` for example `heroku-22/setup.sh`: +## Build -```diff -+ libc6-dev \ -``` +To build the base images locally, run this from the repo root: -Once done, run the `bin/build.sh` locally to generate the corresponding `installed-packages.txt`. + bin/build.sh STACK_VERSION -The `*-build` variants include all the packages from the non-build variant by default. This means that if you're adding a package to both, you only need to add them to the non-build variant. The example above will add `libc6-dev` to both `heroku-22` and `heroku-22-build`. +For example: -The `*cnb*` variants inherit the installed packages from the non-`*cnb*` variant. Add packages to a non-`*cnb*` variant to add them to the `*cnb*` variant. 
+ ./bin/build.sh 24 -## Build +### Multi-architecture images (heroku-24 and later) -To build the base images locally, run this from the repo root: +This script will build a family of 2 images: - bin/build.sh STACK_VERSION +* `heroku/heroku:{STACK_VERSION}` - A multi-architecture manifest list of Heroku base runtime images supporting `amd64` and `arm64` architectures +* `heroku/heroku:{STACK_VERSION}-build` - A multi-architecture manifest list of Heroku base build images supporting `amd64` and `arm64` architectures -For example: +### Single architecture images (heroku-22 and prior) + +This script will build a family of 4 images: + +* `heroku/heroku:{STACK_VERSION}` - The Heroku base run image supporting `amd64` architecture +* `heroku/heroku:{STACK_VERSION}-build` - The Heroku base build image supporting `amd64` architecture +* `heroku/heroku:{STACK_VERSION}-cnb` - The Heroku base run image for Cloud Native Buildpacks supporting `amd64` architecture +* `heroku/heroku:{STACK_VERSION}-cnb-build` - The Heroku base build image for Cloud Native Buildpacks supporting `amd64` architecture - ./bin/build.sh 22 +## Adding packages to the base image + +Add the package you want to the appropriate `setup.sh` for example `heroku-24/setup.sh`: -If you're building on a machine with an architecture other than amd64, set `DOCKER_DEFAULT_PLATFORM` to the appropriate "`linux/amd64`" value in the environment: +```diff ++ libc6-dev +``` - DOCKER_DEFAULT_PLATFORM=linux/amd64 ./bin/build.sh 22 +Once done, run `bin/build.sh` locally to generate the corresponding `installed-packages*` files. Multi-arch base images (heroku-24 and beyond) will produce an `installed-packages-$ARCH.txt` for each architecture, while single architecture images will produce a singular `installed-packages.txt`. -The supported stacks are: `20` and `22`. This script will build a family -of 4 images: +The `*-build` variants include all the packages from the non-build variant by default. 
This means that if you're adding a package to both, you only need to add them to the non-build variant. The example above will add `libc6-dev` to both `heroku-24` and `heroku-24-build`. -* `heroku/heroku:{STACK_VERSION}` - The base run image for the Heroku platform -* `heroku/heroku:{STACK_VERSION}-build` - The base build image for the Heroku platform -* `heroku/heroku:{STACK_VERSION}-cnb` - The base run image for Cloud Native Buildpacks -* `heroku/heroku:{STACK_VERSION}-cnb-build` - The base build image for Cloud Native Buildpacks +The `*cnb*` variants (which only exist for heroku-22 and prior) inherit the installed packages from the non-`*cnb*` variant. Add packages to a non-`*cnb*` variant to add them to the `*cnb*` variant. # Releasing Heroku Base Images We use GitHub Actions to build and release Heroku Base Images: -* Any push to `main` will build the images and push the nightly Docker tag variants (such as `heroku/heroku:22-build.nightly`). -* Any new Git tag will build the image and push the latest Docker tag (such as `heroku/heroku:22-build`), - as well as a versioned tag (such as `heroku/heroku:22-build.v123`). The Docker image will then also be +* Any push to `main` will build the images and push the nightly Docker tag variants (such as `heroku/heroku:24-build.nightly`). +* Any new Git tag will build the image and push the latest Docker tag (such as `heroku/heroku:24-build`), + as well as a versioned tag (such as `heroku/heroku:24-build.v123`). The `arm64` images will then also be converted to a Heroku-specific `.img` format and uploaded to S3 for consumption by the runtime hosts. # Generating `.img` format Base Images locally -To test the generation of the Heroku-specific `.img` file: +To test the generation of the Heroku-specific, amd64-only `.img` file: 1. Build the Docker images for your chosen stack as normal above. 2. `docker build --platform=linux/amd64 ./tools -t heroku-image-tools` 
From 7fc4c41b8f3eaff32ebb9e413c9ee2e1d44320bf Mon Sep 17 00:00:00 2001 From: Ed Morley <501702+edmorley@users.noreply.github.com> Date: Mon, 24 Jun 2024 17:29:16 +0100 Subject: [PATCH 2/4] Update status of Heroku-24 (#312) In readiness for GA. GUS-W-14688185. --- README.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 14ab9f1d..093b9851 100644 --- a/README.md +++ b/README.md 
@@ -5,18 +5,18 @@ This repository holds recipes for building the base images for [Heroku stacks](https://devcenter.heroku.com/articles/stack). The recipes are also rendered into Docker images that are available on Docker Hub: -| Image | Type | OS | Supported Architectures | Default `USER` | Status | -|-------------------------------------------|------------------------|--------------|-------------------------|----------------| ----------------| -| [heroku/heroku:20][heroku-tags] | Heroku Run Image | Ubuntu 20.04 | AMD64 | `root` | Available | -| [heroku/heroku:20-build][heroku-tags] | Heroku Build Image | Ubuntu 20.04 | AMD64 | `root` | Available | -| [heroku/heroku:20-cnb][heroku-tags] | CNB Run Image | Ubuntu 20.04 | AMD64 | `heroku` | Available | -| [heroku/heroku:20-cnb-build][heroku-tags] | CNB Build Image | Ubuntu 20.04 | AMD64 | `heroku` | Available | -| [heroku/heroku:22][heroku-tags] | Heroku Run Image | Ubuntu 22.04 | AMD64 | `root` | Recommended | -| [heroku/heroku:22-build][heroku-tags] | Heroku Build Image | Ubuntu 22.04 | AMD64 | `root` | Recommended | -| [heroku/heroku:22-cnb][heroku-tags] | CNB Run Image | Ubuntu 22.04 | AMD64 | `heroku` | Available | -| [heroku/heroku:22-cnb-build][heroku-tags] | CNB Build Image | Ubuntu 22.04 | AMD64 | `heroku` | Available | -| [heroku/heroku:24][heroku-tags] | Heroku/CNB Run Image | Ubuntu 24.04 | AMD64 + ARM64 | `heroku` | In Development | -| [heroku/heroku:24-build][heroku-tags] | Heroku/CNB Build Image | Ubuntu 24.04 | AMD64 + ARM64 | `heroku` | In Development | +| Image | Type | OS | Supported Architectures | Default `USER` | Status | +|-------------------------------------------|------------------------|--------------|-------------------------|----------------| -------------| +| [heroku/heroku:20][heroku-tags] | Heroku Run Image | Ubuntu 20.04 | AMD64 | `root` | Available | +| [heroku/heroku:20-build][heroku-tags] | Heroku Build Image | Ubuntu 20.04 | AMD64 | `root` | Available | +| 
[heroku/heroku:20-cnb][heroku-tags] | CNB Run Image | Ubuntu 20.04 | AMD64 | `heroku` | Available | +| [heroku/heroku:20-cnb-build][heroku-tags] | CNB Build Image | Ubuntu 20.04 | AMD64 | `heroku` | Available | +| [heroku/heroku:22][heroku-tags] | Heroku Run Image | Ubuntu 22.04 | AMD64 | `root` | Available | +| [heroku/heroku:22-build][heroku-tags] | Heroku Build Image | Ubuntu 22.04 | AMD64 | `root` | Available | +| [heroku/heroku:22-cnb][heroku-tags] | CNB Run Image | Ubuntu 22.04 | AMD64 | `heroku` | Available | +| [heroku/heroku:22-cnb-build][heroku-tags] | CNB Build Image | Ubuntu 22.04 | AMD64 | `heroku` | Available | +| [heroku/heroku:24][heroku-tags] | Heroku/CNB Run Image | Ubuntu 24.04 | AMD64 + ARM64 | `heroku` | Recommended | +| [heroku/heroku:24-build][heroku-tags] | Heroku/CNB Build Image | Ubuntu 24.04 | AMD64 + ARM64 | `heroku` | Recommended | The build image variants use the run images as their base, but include additional packages needed at build time such as development headers and compilation toolchains. From 2323b38c808bb4eb555bf5965148f6882b987bd8 Mon Sep 17 00:00:00 2001 From: Ed Morley <501702+edmorley@users.noreply.github.com> Date: Tue, 25 Jun 2024 14:36:28 +0100 Subject: [PATCH 3/4] Mark Heroku-20 as deprecated (#313) Per: https://devcenter.heroku.com/changelog-items/2895 GUS-W-14701074. --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 093b9851..8024c9cd 100644 --- a/README.md +++ b/README.md 
@@ -7,10 +7,10 @@ The recipes are also rendered into Docker images that are available on Docker Hu | Image | Type | OS | Supported Architectures | Default `USER` | Status | |-------------------------------------------|------------------------|--------------|-------------------------|----------------| -------------| -| [heroku/heroku:20][heroku-tags] | Heroku Run Image | Ubuntu 20.04 | AMD64 | `root` | Available | -| [heroku/heroku:20-build][heroku-tags] | Heroku Build Image | Ubuntu 20.04 | AMD64 | `root` | Available | -| [heroku/heroku:20-cnb][heroku-tags] | CNB Run Image | Ubuntu 20.04 | AMD64 | `heroku` | Available | -| [heroku/heroku:20-cnb-build][heroku-tags] | CNB Build Image | Ubuntu 20.04 | AMD64 | `heroku` | Available | +| [heroku/heroku:20][heroku-tags] | Heroku Run Image | Ubuntu 20.04 | AMD64 | `root` | Deprecated | +| [heroku/heroku:20-build][heroku-tags] | Heroku Build Image | Ubuntu 20.04 | AMD64 | `root` | Deprecated | +| [heroku/heroku:20-cnb][heroku-tags] | CNB Run Image | Ubuntu 20.04 | AMD64 | `heroku` | Deprecated | +| [heroku/heroku:20-cnb-build][heroku-tags] | CNB Build Image | Ubuntu 20.04 | AMD64 | `heroku` | Deprecated | | [heroku/heroku:22][heroku-tags] | Heroku Run Image | Ubuntu 22.04 | AMD64 | `root` | Available | | [heroku/heroku:22-build][heroku-tags] | Heroku Build Image | Ubuntu 22.04 | AMD64 | `root` | Available | | [heroku/heroku:22-cnb][heroku-tags] | CNB Run Image | Ubuntu 22.04 | AMD64 | `heroku` | Available | From 2f750b2f887b54f7296fcc9bfd7a6ed19c9f7e87 Mon Sep 17 00:00:00 2001 
From: Ed Morley <501702+edmorley@users.noreply.github.com> Date: Mon, 8 Jul 2024 16:17:24 +0100 Subject: [PATCH 4/4] Add `heroku` user to Heroku-20 and Heroku-22 (#314) This moves the `heroku` user creation step from the CNB-only image variants down into the main Heroku-20/22 base image, for parity with the Heroku-24 base-image: https://github.com/heroku/base-images/blob/2323b38c808bb4eb555bf5965148f6882b987bd8/heroku-24/setup.sh#L141-L142 This: - Improves consistency across all of our images. - Means users that wish to switch to a non-root user for security best practices can do so across all stacks without having to create their own non-root user first. The default user for each image remains unchanged (see table in README), as changing that would be a more significant breaking change. GUS-W-16186022. --- heroku-20-cnb-build/Dockerfile | 5 +---- heroku-20-cnb/Dockerfile | 4 +--- heroku-20/setup.sh | 3 +++ heroku-22-cnb-build/Dockerfile | 5 +---- heroku-22-cnb/Dockerfile | 4 +--- heroku-22/setup.sh | 3 +++ 6 files changed, 10 insertions(+), 14 deletions(-) diff --git a/heroku-20-cnb-build/Dockerfile b/heroku-20-cnb-build/Dockerfile index c5a62f7c..6f29af34 100644 --- a/heroku-20-cnb-build/Dockerfile +++ b/heroku-20-cnb-build/Dockerfile @@ -1,10 +1,7 @@ ARG BASE_IMAGE=heroku/heroku:20-build FROM $BASE_IMAGE -RUN groupadd heroku --gid 1000 \ - && useradd heroku --uid 1000 --gid 1000 --shell /bin/bash --create-home \ - && mkdir /app \ - && chown heroku:heroku /app +RUN mkdir /app && chown heroku:heroku /app # https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#build-image USER heroku diff --git a/heroku-20-cnb/Dockerfile b/heroku-20-cnb/Dockerfile index 1e829420..a4718690 100644 --- a/heroku-20-cnb/Dockerfile +++ b/heroku-20-cnb/Dockerfile 
@@ -1,9 +1,7 @@ ARG BASE_IMAGE=heroku/heroku:20 FROM $BASE_IMAGE -RUN groupadd heroku --gid 1000 \ - && useradd heroku --uid 1000 --gid 1000 --shell /bin/bash --create-home \ - && ln -s /workspace /app +RUN ln -s /workspace /app # https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#run-image USER heroku diff --git a/heroku-20/setup.sh b/heroku-20/setup.sh index de17bba2..629b8363 100755 --- a/heroku-20/setup.sh +++ b/heroku-20/setup.sh @@ -176,6 +176,9 @@ apt-get remove -y --purge --auto-remove openjdk-8-jre-headless # https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1771363 test "$(file --brief /etc/ssl/certs/java/cacerts)" = "Java KeyStore" +groupadd heroku --gid 1000 +useradd heroku --uid 1000 --gid 1000 --shell /bin/bash --create-home + rm -rf /root/* rm -rf /tmp/* rm -rf /var/cache/apt/archives/*.deb diff --git a/heroku-22-cnb-build/Dockerfile b/heroku-22-cnb-build/Dockerfile index b1c018ac..3dca30db 100644 --- a/heroku-22-cnb-build/Dockerfile +++ b/heroku-22-cnb-build/Dockerfile @@ -1,10 +1,7 @@ ARG BASE_IMAGE=heroku/heroku:22-build FROM $BASE_IMAGE -RUN groupadd heroku --gid 1000 \ - && useradd heroku --uid 1000 --gid 1000 --shell /bin/bash --create-home \ - && mkdir /app \ - && chown heroku:heroku /app +RUN mkdir /app && chown heroku:heroku /app # https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#build-image USER heroku diff --git a/heroku-22-cnb/Dockerfile b/heroku-22-cnb/Dockerfile index 0eda9154..599185e9 100644 --- a/heroku-22-cnb/Dockerfile +++ b/heroku-22-cnb/Dockerfile @@ -1,9 +1,7 @@ ARG BASE_IMAGE=heroku/heroku:22 FROM $BASE_IMAGE -RUN groupadd heroku --gid 1000 \ - && useradd heroku --uid 1000 --gid 1000 --shell /bin/bash --create-home \ - && ln -s /workspace /app +RUN ln -s /workspace /app # https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#run-image USER heroku diff --git a/heroku-22/setup.sh b/heroku-22/setup.sh index 34cc3313..886417e1 100755 --- a/heroku-22/setup.sh 
+++ b/heroku-22/setup.sh @@ -178,6 +178,9 @@ apt-get remove -y --purge --auto-remove openjdk-8-jre-headless # https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1771363 test "$(file --brief /etc/ssl/certs/java/cacerts)" = "Java KeyStore" +groupadd heroku --gid 1000 +useradd heroku --uid 1000 --gid 1000 --shell /bin/bash --create-home + rm -rf /root/* rm -rf /tmp/* rm -rf /var/cache/apt/archives/*.deb
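Review bot: In the BUILD.md hunk of PATCH 1/4, the Releasing section now says "The `arm64` images will then also be converted to a Heroku-specific `.img` format", while the next section's new wording calls the same file "amd64-only" and step 2 still builds the tools image with `--platform=linux/amd64`. These two statements contradict each other; if the `.img` conversion is amd64-only, the Releasing bullet should read `amd64`. The hunk also removes the `DOCKER_DEFAULT_PLATFORM=linux/amd64 ./bin/build.sh 22` guidance and the list of supported stacks without a replacement, although the new "Single architecture images (heroku-22 and prior)" section still describes amd64-only images. Suggest keeping one sentence on building those from a non-amd64 host and stating which STACK_VERSION values `bin/build.sh` accepts.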
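Review bot: In the README.md table hunk of PATCH 3/4, the four heroku-20 rows change to `Deprecated`, but in the visible lines the README gives the reader nothing to act on: the changelog link (https://devcenter.heroku.com/changelog-items/2895) appears only in the commit message. Suggest linking it from the Status cells or from a footnote under the table, so that image consumers can find the deprecation details from the README itself.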
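Review bot: In the four CNB Dockerfile hunks of PATCH 4/4 (heroku-20-cnb, heroku-20-cnb-build, heroku-22-cnb, heroku-22-cnb-build), the `heroku` user is now assumed to exist in whatever `BASE_IMAGE` resolves to, and nothing checks that. In the `-cnb-build` variants `chown heroku:heroku /app` fails the build if the base image predates the setup.sh change, but in the `-cnb` run variants `RUN ln -s /workspace /app` succeeds either way and `USER heroku` only records the name in the image config, so a stale or overridden base image can yield an image that breaks only when a container starts. Suggest making the dependency explicit in the run variants, for example `RUN id heroku && ln -s /workspace /app`, so the mismatch is caught at build time.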
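Review bot: In the heroku-20/setup.sh and heroku-22/setup.sh hunks of PATCH 4/4, the new `groupadd heroku --gid 1000` and `useradd heroku --uid 1000 ...` lines are undocumented: there is no comment above them, and the patch does not touch the README, so users of `heroku/heroku:20` and `heroku/heroku:22` are not told that a `heroku` account now exists while the default `USER` stays `root`. Since the commit message gives "switch to a non-root user for security best practices" as the motivation, suggest a short README note that the `heroku` user (uid/gid 1000) is present on all stacks, and a one-line comment in each setup.sh saying the ids must stay in sync with heroku-24/setup.sh and the CNB Dockerfiles that `chown` to this user.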