Publish RC container images (#7556)

* WIP

* Add missing checkout

* Add debuggin

* Fix VAR name

* Bug fix

* Rework jobs

* Revert "Rework jobs"

This reverts commit 2bfa79fd3ae633c17403b838f9a5025f0f7fc3f3.

* Add cache

* Add temp default for testing

* Add missing checkout

* Fix patch

* Comment out the GPG check for now

* Rename polkadot_injected_release into a more appropriate polkadot_injected_debian

* Refactoring / renaming

* Introduce a generic image for binary injection

* Flag files to be deleted and changes to be done

* WIP

* Fix multi binaries images

* Add test build scripts

* Remove old file, add polkadot build-injected script

* Fix doc

* Fix tagging

* Add build of the injected container

* Fix for docker

* Remove the need for TTY

* Handling container publishing

* Fix owner and registry

* Fix vars

* Fix repo

* Fix var naming

* Fix case when there is no tag

* Fix case with no tag

* Handle error

* Fix spacings

* Fix tags

* Remove unnecessary grep that may fail

* Add final check

* Clean up and introduce GPG check

* Add doc

* Add doc

* Update doc/docker.md

Co-authored-by: Mira Ressel <mira@parity.io>

* type

Co-authored-by: Mira Ressel <mira@parity.io>

* Fix used VAR

* Improve doc

* ci: Update .build-push-image jobs to use the new build-injected.sh

* ci: fix path to build-injected.sh script

* Rename the release artifacts folder to prevent confusion due to a similar folder in the gitlab CI

* ci: check out polkadot repo in .build-push-image

This seems far cleaner than copying the entire scripts/ folder into our
job artifacts.

* feat(build-injected.sh): make PROJECT_ROOT configurable

This lets us avoid a dependency on git in our CI image.

* ci: build injected images with buildah

* ci: pass full image names to zombienet

* Add missing ignore

---------

Co-authored-by: Mira Ressel <mira@parity.io>

polkadot/.github/workflows/check-licenses.yml

@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v3.3.0
+        uses: actions/checkout@v3
       - uses: actions/setup-node@v3.7.0
         with:
           node-version: '18.x'

polkadot/.github/workflows/release-40_publish-rc-image.yml

+name: Release - Publish RC Container image
+# see https://github.com/paritytech/release-engineering/issues/97#issuecomment-1651372277
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_id:
+        description: |
+          Release ID.
+          You can find it using the command:
+            curl -s \
+              -H "Authorization: Bearer ${GITHUB_TOKEN}" https://api.github.com/repos/$OWNER/$REPO/releases | \
+              jq '.[] | { name: .name, id: .id }'
+        required: true
+        type: string
+      registry:
+        description: "Container registry"
+        required: true
+        type: string
+        default: docker.io
+      owner:
+        description: Owner of the container image repo
+        required: true
+        type: string
+        default: parity
+
+env:
+  RELEASE_ID: ${{ inputs.release_id }}
+  ENGINE: docker
+  REGISTRY: ${{ inputs.registry }}
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  DOCKER_OWNER: ${{ inputs.owner || github.repository_owner }}
+  REPO: ${{ github.repository }}
+  ARTIFACT_FOLDER: release-artifacts
+
+jobs:
+  fetch-artifacts:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@v3
+
+      - name: Fetch all artifacts
+        run: |
+          . ./scripts/ci/common/lib.sh
+          fetch_release_artifacts
+
+      - name: Cache the artifacts
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        with:
+          key: artifacts-${{ github.sha }}
+          path: |
+            ${ARTIFACT_FOLDER}/**/*
+
+  build-container:
+    runs-on: ubuntu-latest
+    needs: fetch-artifacts
+
+    strategy:
+      matrix:
+        binary: ["polkadot", "staking-miner"]
+
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@v3
+
+      - name: Get artifacts from cache
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        with:
+          key: artifacts-${{ github.sha }}
+          path: |
+            ${ARTIFACT_FOLDER}/**/*
+
+      - name: Check sha256 ${{ matrix.binary }}
+        working-directory: ${ARTIFACT_FOLDER}
+        run: |
+          . ../scripts/ci/common/lib.sh
+
+          echo "Checking binary ${{ matrix.binary }}"
+          check_sha256 ${{ matrix.binary }} && echo "OK" || echo "ERR"
+
+      - name: Check GPG ${{ matrix.binary }}
+        working-directory: ${ARTIFACT_FOLDER}
+        run: |
+          . ../scripts/ci/common/lib.sh
+          import_gpg_keys
+          check_gpg ${{ matrix.binary }}
+
+      - name: Fetch commit and tag
+        id: fetch_refs
+        run: |
+          release=release-${{ inputs.release_id }} && \
+          echo "release=${release}" >> $GITHUB_OUTPUT
+
+          commit=$(git rev-parse --short HEAD) && \
+          echo "commit=${commit}" >> $GITHUB_OUTPUT
+
+          tag=$(git name-rev --tags --name-only $(git rev-parse HEAD)) && \
+          [ "${tag}" != "undefined" ] && echo "tag=${tag}" >> $GITHUB_OUTPUT || \
+          echo "No tag, doing without"
+
+      - name: Build Injected Container image for ${{ matrix.binary }}
+        env:
+            BIN_FOLDER: ${ARTIFACT_FOLDER}
+            BINARY: ${{ matrix.binary }}
+            TAGS: ${{join(steps.fetch_refs.outputs.*, ',')}}
+        run: |
+          echo "Building container for ${{ matrix.binary }}"
+          ./scripts/ci/dockerfiles/build-injected.sh
+
+      - name: Login to Dockerhub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ inputs.owner }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Push Container image for ${{ matrix.binary }}
+        id: docker_push
+        env:
+          BINARY: ${{ matrix.binary }}
+        run: |
+          $ENGINE images | grep ${BINARY}
+          $ENGINE push --all-tags ${REGISTRY}/${DOCKER_OWNER}/${BINARY}
+
+      - name: Check version for the published image for ${{ matrix.binary }}
+        env:
+          BINARY: ${{ matrix.binary }}
+          RELEASE_TAG: ${{ steps.fetch_refs.outputs.release }}
+        run: |
+          echo "Checking tag ${RELEASE_TAG} for image ${REGISTRY}/${DOCKER_OWNER}/${BINARY}"
+          $ENGINE run -i ${REGISTRY}/${DOCKER_OWNER}/${BINARY}:${RELEASE_TAG} --version

polkadot/.github/workflows/release-50_publish-docker-release.yml

@@ -30,7 +30,7 @@ jobs:
         uses: docker/build-push-action@v4
         with:
           push: true
-          file: scripts/ci/dockerfiles/polkadot_injected_release.Dockerfile
+          file: scripts/ci/dockerfiles/polkadot/polkadot_injected_debian.Dockerfile
           tags: |
             parity/polkadot:latest
             parity/polkadot:${{ github.event.release.tag_name }}

polkadot/.github/workflows/release-51_publish-docker-manual.yml

@@ -37,7 +37,7 @@ jobs:
         uses: docker/build-push-action@v4
         with:
           push: true
-          file: scripts/ci/dockerfiles/polkadot_injected_release.Dockerfile
+          file: scripts/ci/dockerfiles/polkadot/polkadot_injected_debian.Dockerfile
           tags: |
             parity/polkadot:latest
             parity/polkadot:${{ github.event.inputs.version }}

polkadot/.gitignore

@@ -10,3 +10,7 @@ polkadot.*
 !polkadot.service
 .DS_Store
 .env
+
+artifacts
+release-artifacts
+release.json

polkadot/.gitlab-ci.yml

@@ -159,31 +159,39 @@ default:
     - if: $CI_COMMIT_REF_NAME =~ /^v[0-9]+\.[0-9]+.*$/ # i.e. v1.0, v2.1rc1
 
 .build-push-image:
+  variables:
+    CI_IMAGE: "${BUILDAH_IMAGE}"
+
+    REGISTRY: "docker.io"
+    DOCKER_OWNER: "paritypr"
+    DOCKER_USER: "${PARITYPR_USER}"
+    DOCKER_PASS: "${PARITYPR_PASS}"
+    IMAGE: "${REGISTRY}/${DOCKER_OWNER}/${IMAGE_NAME}"
+
+    ENGINE: "${BUILDAH_COMMAND}"
+    BUILDAH_FORMAT: "docker"
+    SKIP_IMAGE_VALIDATION: 1
+
+    PROJECT_ROOT: "."
+    BIN_FOLDER: "./artifacts"
+    VCS_REF: "${CI_COMMIT_SHA}"
+
   before_script:
     - !reference [.common-before-script, before_script]
     - test -s ./artifacts/VERSION || exit 1
     - test -s ./artifacts/EXTRATAG || exit 1
-    - VERSION="$(cat ./artifacts/VERSION)"
+    - export VERSION="$(cat ./artifacts/VERSION)"
     - EXTRATAG="$(cat ./artifacts/EXTRATAG)"
     - echo "Polkadot version = ${VERSION} (EXTRATAG = ${EXTRATAG})"
   script:
     - test "$DOCKER_USER" -a "$DOCKER_PASS" ||
       ( echo "no docker credentials provided"; exit 1 )
-    - cd ./artifacts
-    - $BUILDAH_COMMAND build
-      --format=docker
-      --build-arg VCS_REF="${CI_COMMIT_SHA}"
-      --build-arg BUILD_DATE="$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
-      --build-arg IMAGE_NAME="${IMAGE_NAME}"
-      --tag "$IMAGE_NAME:$VERSION"
-      --tag "$IMAGE_NAME:$EXTRATAG"
-      --file ${DOCKERFILE} .
-    # The job will success only on the protected branch
+    - TAGS="${VERSION},${EXTRATAG}" scripts/ci/dockerfiles/build-injected.sh
     - echo "$DOCKER_PASS" |
-      buildah login --username "$DOCKER_USER" --password-stdin docker.io
+      buildah login --username "$DOCKER_USER" --password-stdin "${REGISTRY}"
     - $BUILDAH_COMMAND info
-    - $BUILDAH_COMMAND push --format=v2s2 "$IMAGE_NAME:$VERSION"
-    - $BUILDAH_COMMAND push --format=v2s2 "$IMAGE_NAME:$EXTRATAG"
+    - $BUILDAH_COMMAND push --format=v2s2 "$IMAGE:$VERSION"
+    - $BUILDAH_COMMAND push --format=v2s2 "$IMAGE:$EXTRATAG"
   after_script:
     - buildah logout --all
 

polkadot/doc/docker.md

-# Using Docker
+# Using Containers
+
+The following commands should work no matter if you use Docker or Podman. In general, Podman is recommended. All commands are "engine neutral" so you can use the container engine of your choice while still being able to copy/paste the commands below.
+
+Let's start defining Podman as our engine:
+```
+ENGINE=podman
+```
+
+If you prefer to stick with Docker, use:
+```
+ENGINE=docker
+```
 
 ## The easiest way
 
-The easiest/faster option to run Polkadot in Docker is to use the latest release images. These are small images that use the latest official release of the Polkadot binary, pulled from our package repository.
+The easiest/faster option to run Polkadot in Docker is to use the latest release images. These are small images that use the latest official release of the Polkadot binary, pulled from our Debian package.
 
-**_Following examples are running on westend chain and without SSL. They can be used to quick start and learn how Polkadot needs to be configured. Please find out how to secure your node, if you want to operate it on the internet. Do not expose RPC and WS ports, if they are not correctly configured._**
+**_The following examples are running on westend chain and without SSL. They can be used to quick start and learn how Polkadot needs to be configured. Please find out how to secure your node, if you want to operate it on the internet. Do not expose RPC and WS ports, if they are not correctly configured._**
 
 Let's first check the version we have. The first time you run this command, the Polkadot docker image will be downloaded. This takes a bit of time and bandwidth, be patient:
 
 ```bash
-docker run --rm -it parity/polkadot:latest --version
+$ENGINE run --rm -it parity/polkadot:latest --version
 ```
 
 You can also pass any argument/flag that Polkadot supports:
 
 ```bash
-docker run --rm -it parity/polkadot:latest --chain westend --name "PolkaDocker"
+$ENGINE run --rm -it parity/polkadot:latest --chain westend --name "PolkaDocker"
 ```
 
 ## Examples
 
-Once you are done experimenting and picking the best node name :) you can start Polkadot as daemon, exposes the Polkadot ports and mount a volume that will keep your blockchain data locally. Make sure that you set the ownership of your local directory to the Polkadot user that is used by the container. Set user id 1000 and group id 1000, by running `chown 1000.1000 /my/local/folder -R` if you use a bind mount.
-
-To start a Polkadot node on default rpc port 9933 and default p2p port 30333 use the following command. If you want to connect to rpc port 9933, then must add Polkadot startup parameter: `--rpc-external`.
+Once you are done experimenting and picking the best node name :) you can start Polkadot as daemon, exposes the Polkadot ports and mount a volume that will keep your blockchain data locally. Make sure that you set the ownership of your local directory to the Polkadot user that is used by the container.
 
-```bash
-docker run -d -p 30333:30333 -p 9933:9933 -v /my/local/folder:/polkadot parity/polkadot:latest --chain westend --rpc-external --rpc-cors all
-```
+Set user id 1000 and group id 1000, by running `chown 1000.1000 /my/local/folder -R` if you use a bind mount.
 
-Additionally if you want to have custom node name you can add the `--name "YourName"` at the end
+To start a Polkadot node on default rpc port 9933 and default p2p port 30333 use the following command. If you want to connect to rpc port 9933, then must add Polkadot startup parameter: `--rpc-external`.
 
 ```bash
-docker run -d -p 30333:30333 -p 9933:9933 -v /my/local/folder:/polkadot parity/polkadot:latest --chain westend --rpc-external --rpc-cors all --name "PolkaDocker"
+$ENGINE run -d -p 30333:30333 -p 9933:9933 \
+    -v /my/local/folder:/polkadot \
+    parity/polkadot:latest \
+    --chain westend --rpc-external --rpc-cors all \
+    --name "PolkaDocker
 ```
 
 If you also want to expose the webservice port 9944 use the following command:
 
 ```bash
-docker run -d -p 30333:30333 -p 9933:9933 -p 9944:9944 -v /my/local/folder:/polkadot parity/polkadot:latest --chain westend --ws-external --rpc-external --rpc-cors all --name "PolkaDocker"
+$ENGINE run -d -p 30333:30333 -p 9933:9933 -p 9944:9944 \
+    -v /my/local/folder:/polkadot \
+    parity/polkadot:latest \
+    --chain westend --ws-external --rpc-external --rpc-cors all --name "PolkaDocker"
 ```
 
 ## Using Docker compose
@@ -55,17 +70,19 @@ services:
       - 30333:30333 # p2p port
       - 9933:9933 # rpc port
       - 9944:9944 # ws port
+      - 9615:9615 # Prometheus port
     volumes:
       - /my/local/folder:/polkadot
     command: [
       "--name", "PolkaDocker",
       "--ws-external",
       "--rpc-external",
+      "--prometheus-external",
       "--rpc-cors", "all"
     ]
 ```
 
-With following docker-compose.yml you can set up a node and use polkadot-js-apps as the front end on port 80. After starting the node use a browser and enter your Docker host IP in the URL field: _<http://[YOUR_DOCKER_HOST_IP>_
+With following `docker-compose.yml` you can set up a node and use polkadot-js-apps as the front end on port 80. After starting the node use a browser and enter your Docker host IP in the URL field: _<http://[YOUR_DOCKER_HOST_IP]>_
 
 ```bash
 version: '2'
@@ -78,10 +95,12 @@ services:
       - 30333:30333 # p2p port
       - 9933:9933 # rpc port
       - 9944:9944 # ws port
+      - 9615:9615 # Prometheus port
     command: [
       "--name", "PolkaDocker",
       "--ws-external",
       "--rpc-external",
+      "--prometheus-external",
       "--rpc-cors", "all"
     ]
 
@@ -100,27 +119,30 @@ Chain syncing will utilize all available memory and CPU power your server has to
 
 If running on a low resource VPS, use `--memory` and `--cpus` to limit the resources used. E.g. To allow a maximum of 512MB memory and 50% of 1 CPU, use `--cpus=".5" --memory="512m"`. Read more about limiting a container's resources [here](https://docs.docker.com/config/containers/resource_constraints).
 
-Start a shell session with the daemon:
 
-```bash
-docker exec -it $(docker ps -q) bash;
-```
+## Build your own image
 
-Check the current version:
+There are 3 options to build a polkadot container image:
+- using the builder image
+- using the injected "Debian" image
+- using the generic injected image
 
-```bash
-polkadot --version
-```
+### Builder image
 
-## Build your own image
+To get up and running with the smallest footprint on your system, you may use an existing Polkadot Container image.
 
-To get up and running with the smallest footprint on your system, you may use the Polkadot Docker image.
-You can build it yourself (it takes a while...) in the shell session of the daemon:
+You may also build a polkadot container image yourself (it takes a while...) using the container specs `scripts/ci/dockerfiles/polkadot/polkadot_builder.Dockerfile`.
 
-```bash
-cd scripts/ci/dockerfiles/polkadot
-./build.sh
-```
+### Debian injected
+
+The Debian injected image is how the official polkadot container image is produced. It relies on the Debian package that is published upon each release. The Debian injected image is usually available a few minutes after a new release is published.
+It has the benefit of relying on the GPG signatures embedded in the Debian package.
+
+### Generic injected
+
+For simple testing purposes, the easiest option for polkadot and also random binaries, is to use the `binary_injected.Dockerfile` container spec. This option is less secure since the injected binary is not checked at all but it has the benefit to be simple. This option requires to already have a valid `polkadot` binary, compiled for Linux.
+
+This binary is then simply copied inside the `parity/base-bin` image.
 
 ## Reporting issues
 
@@ -128,8 +150,8 @@ If you run into issues with Polkadot when using docker, please run the following
 (replace the tag with the appropriate one if you do not use latest):
 
 ```bash
-docker run --rm -it parity/polkadot:latest --version
+$ENGINE run --rm -it parity/polkadot:latest --version
 ```
 
 This will show you the Polkadot version as well as the git commit ref that was used to build your container.
-Just paste that in the issue you create.
+You can now paste the version information in a [new issue](https://github.com/paritytech/polkadot/issues/new/choose).

polkadot/scripts/ci/common/lib.sh

@@ -193,3 +193,73 @@ check_bootnode(){
     echo "    Bootnode appears unreachable"
     return 1
 }
+
+# Assumes the ENV are set:
+# - RELEASE_ID
+# - GITHUB_TOKEN
+# - REPO in the form paritytech/polkadot
+fetch_release_artifacts() {
+  echo "Release ID : $RELEASE_ID"
+  echo "Repo       : $REPO"
+  echo "ARTIFACT_FOLDER: $ARTIFACT_FOLDER"
+
+  curl -L -s \
+    -H "Accept: application/vnd.github+json" \
+    -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+    -H "X-GitHub-Api-Version: 2022-11-28" \
+    https://api.github.com/repos/${REPO}/releases/$RELEASE_ID > release.json
+
+  # Get Asset ids
+  ids=($(jq -r '.assets[].id' < release.json ))
+  count=$(jq '.assets|length' < release.json )
+
+  # Fetch artifacts
+  mkdir -p ${ARTIFACT_FOLDER}
+  pushd ${ARTIFACT_FOLDER} > /dev/null
+
+  iter=1
+  for id in "${ids[@]}"
+  do
+      echo " - $iter/$count: downloading asset id: $id..."
+      curl -s -OJ -L -H "Accept: application/octet-stream" \
+          -H "Authorization: Token ${GITHUB_TOKEN}" \
+          "https://api.github.com/repos/${REPO}/releases/assets/$id"
+      iter=$((iter + 1))
+  done
+
+  ls -al --color
+  popd > /dev/null
+}
+
+# Check the checksum for a given binary
+function check_sha256() {
+    echo "Checking SHA256 for $1"
+    shasum -qc $1.sha256
+}
+
+# Import GPG keys of the release team members
+# This is done in parallel as it can take a while sometimes
+function import_gpg_keys() {
+  GPG_KEYSERVER=${GPG_KEYSERVER:-"keyserver.ubuntu.com"}
+  SEC="9D4B2B6EB8F97156D19669A9FF0812D491B96798"
+  WILL="2835EAF92072BC01D188AF2C4A092B93E97CE1E2"
+  EGOR="E6FC4D4782EB0FA64A4903CCDB7D3555DD3932D3"
+  MARA="533C920F40E73A21EEB7E9EBF27AEA7E7594C9CF"
+  MORGAN="2E92A9D8B15D7891363D1AE8AF9E6C43F7F8C4CF"
+
+  echo "Importing GPG keys from $GPG_KEYSERVER in parallel"
+  for key in $SEC $WILL $EGOR $MARA $MORGAN; do
+    (
+      echo "Importing GPG key $key"
+      gpg --no-tty --quiet --keyserver $GPG_KEYSERVER --recv-keys $key
+      echo -e "5\ny\n" | gpg --no-tty --command-fd 0 --expert --edit-key $key trust;
+    ) &
+  done
+  wait
+}
+
+# Check the GPG signature for a given binary
+function check_gpg() {
+    echo "Checking GPG Signature for $1"
+    gpg --no-tty --verify -q $1.asc $1
+}

polkadot/scripts/ci/dockerfiles/adder-collator/build-injected.sh

+#!/usr/bin/env bash
+
+# Sample call:
+# $0 /path/to/folder_with_binary
+# This script replace the former dedicated Dockerfile
+# and shows how to use the generic binary_injected.dockerfile
+
+PROJECT_ROOT=`git rev-parse --show-toplevel`
+
+export BINARY=adder-collator,undying-collator
+export BIN_FOLDER=$1
+
+$PROJECT_ROOT/scripts/ci/dockerfiles/build-injected.sh

polkadot/scripts/ci/dockerfiles/adder-collator/test-build.sh

+#!/usr/bin/env bash
+
+TMP=$(mktemp -d)
+ENGINE=${ENGINE:-podman}
+
+# TODO: Switch to /bin/bash when the image is built from parity/base-bin
+
+# Fetch some binaries
+$ENGINE run --user root --rm -i \
+  --pull always \
+  -v "$TMP:/export" \
+  --entrypoint /usr/bin/bash \
+  paritypr/colander:master -c \
+  'cp "$(which adder-collator)" /export'
+
+$ENGINE run --user root --rm -i \
+  --pull always \
+  -v "$TMP:/export" \
+  --entrypoint /usr/bin/bash \
+  paritypr/colander:master -c \
+  'cp "$(which undying-collator)" /export'
+
+./build-injected.sh $TMP

polkadot/scripts/ci/dockerfiles/binary_injected.Dockerfile

+FROM docker.io/parity/base-bin
+
+# This file allows building a Generic container image
+# based on one or multiple pre-built Linux binaries.
+# Some defaults are set to polkadot but all can be overriden.
+
+SHELL ["/bin/bash", "-c"]
+
+# metadata
+ARG VCS_REF
+ARG BUILD_DATE
+ARG IMAGE_NAME
+
+# That can be a single one or a comma separated list
+ARG BINARY=polkadot
+
+ARG BIN_FOLDER=.
+ARG DOC_URL=https://github.com/paritytech/polkadot
+ARG DESCRIPTION="Polkadot: a platform for web3"
+ARG AUTHORS="devops-team@parity.io"
+ARG VENDOR="Parity Technologies"
+
+LABEL io.parity.image.authors=${AUTHORS} \
+	io.parity.image.vendor="${VENDOR}" \
+	io.parity.image.revision="${VCS_REF}" \
+	io.parity.image.title="${IMAGE_NAME}" \
+	io.parity.image.created="${BUILD_DATE}" \
+	io.parity.image.documentation="${DOC_URL}" \
+	io.parity.image.description="${DESCRIPTION}" \
+	io.parity.image.source="https://github.com/paritytech/polkadot/blob/${VCS_REF}/scripts/ci/dockerfiles/binary_injected.Dockerfile"
+
+USER root
+WORKDIR /app
+
+# add polkadot binary to docker image
+# sample for polkadot: COPY ./polkadot ./polkadot-*-worker /usr/local/bin/
+COPY entrypoint.sh .
+COPY "bin/*" "/usr/local/bin/"
+RUN chmod -R a+rx "/usr/local/bin"
+
+USER parity
+ENV BINARY=${BINARY}
+
+# ENTRYPOINT
+ENTRYPOINT ["/app/entrypoint.sh"]
+
+# We call the help by default
+CMD ["--help"]

polkadot/scripts/ci/dockerfiles/build-injected.sh

+#!/usr/bin/env bash
+set -e
+
+# This script allows building a Container Image from a Linux
+# binary that is injected into a base-image.
+
+ENGINE=${ENGINE:-podman}
+
+if [ "$ENGINE" == "podman" ]; then
+  PODMAN_FLAGS="--format docker"
+else
+  PODMAN_FLAGS=""
+fi
+
+CONTEXT=$(mktemp -d)
+REGISTRY=${REGISTRY:-docker.io}
+
+# The following line ensure we know the project root
+PROJECT_ROOT=${PROJECT_ROOT:-$(git rev-parse --show-toplevel)}
+DOCKERFILE=${DOCKERFILE:-$PROJECT_ROOT/scripts/ci/dockerfiles/binary_injected.Dockerfile}
+VERSION_TOML=$(grep "^version " $PROJECT_ROOT/Cargo.toml | grep -oE "([0-9\.]+-?[0-9]+)")
+
+#n The following VAR have default that can be overriden
+DOCKER_OWNER=${DOCKER_OWNER:-parity}
+
+# We may get 1..n binaries, comma separated
+BINARY=${BINARY:-polkadot}
+IFS=',' read -r -a BINARIES <<< "$BINARY"
+
+VERSION=${VERSION:-$VERSION_TOML}
+BIN_FOLDER=${BIN_FOLDER:-.}
+
+IMAGE=${IMAGE:-${REGISTRY}/${DOCKER_OWNER}/${BINARIES[0]}}
+DESCRIPTION_DEFAULT="Injected Container image built for ${BINARY}"
+DESCRIPTION=${DESCRIPTION:-$DESCRIPTION_DEFAULT}
+
+VCS_REF=${VCS_REF:-01234567}
+
+# Build the image
+echo "Using engine: $ENGINE"
+echo "Using Dockerfile: $DOCKERFILE"
+echo "Using context: $CONTEXT"
+echo "Building ${IMAGE}:latest container image for ${BINARY} v${VERSION} from ${BIN_FOLDER} hang on!"
+echo "BIN_FOLDER=$BIN_FOLDER"
+echo "CONTEXT=$CONTEXT"
+
+# We need all binaries and resources available in the Container build "CONTEXT"
+mkdir -p $CONTEXT/bin
+for bin in "${BINARIES[@]}"
+do
+  echo "Copying $BIN_FOLDER/$bin to context: $CONTEXT/bin"
+  cp "$BIN_FOLDER/$bin" "$CONTEXT/bin"
+done
+
+cp "$PROJECT_ROOT/scripts/ci/dockerfiles/entrypoint.sh" "$CONTEXT"
+
+echo "Building image: ${IMAGE}"
+
+TAGS=${TAGS[@]:-latest}
+IFS=',' read -r -a TAG_ARRAY <<< "$TAGS"
+TAG_ARGS=" "
+
+echo "The image ${IMAGE} will be tagged with ${TAG_ARRAY[*]}"
+for tag in "${TAG_ARRAY[@]}"; do
+  TAG_ARGS+="--tag ${IMAGE}:${tag} "
+done
+
+echo "$TAG_ARGS"
+
+# time \
+$ENGINE build \
+    ${PODMAN_FLAGS} \
+    --build-arg VCS_REF="${VCS_REF}" \
+    --build-arg BUILD_DATE=$(date -u '+%Y-%m-%dT%H:%M:%SZ') \
+    --build-arg IMAGE_NAME="${IMAGE}" \
+    --build-arg BINARY="${BINARY}" \
+    --build-arg BIN_FOLDER="${BIN_FOLDER}" \
+    --build-arg DESCRIPTION="${DESCRIPTION}" \
+    ${TAG_ARGS} \
+    -f "${DOCKERFILE}" \
+    ${CONTEXT}
+
+echo "Your Container image for ${IMAGE} is ready"
+$ENGINE images
+
+if [[ -z "${SKIP_IMAGE_VALIDATION}" ]]; then
+  echo "Check the image ${IMAGE}:${TAG_ARRAY[0]}"
+  $ENGINE run --rm -i "${IMAGE}:${TAG_ARRAY[0]}" --version
+
+  echo "Query binaries"
+  $ENGINE run --rm -i --entrypoint /bin/bash "${IMAGE}:${TAG_ARRAY[0]}" -c 'echo BINARY: $BINARY'
+fi

polkadot/scripts/ci/dockerfiles/collator_injected.Dockerfile

-# this file copies from scripts/ci/dockerfiles/Dockerfile and changes only the binary name
-FROM docker.io/library/ubuntu:20.04
-
-# metadata
-ARG VCS_REF
-ARG BUILD_DATE
-ARG IMAGE_NAME
-
-LABEL io.parity.image.authors="devops-team@parity.io" \
-	io.parity.image.vendor="Parity Technologies" \
-	io.parity.image.title="${IMAGE_NAME}" \
-	io.parity.image.description="Injected adder-collator Docker image" \
-	io.parity.image.source="https://github.com/paritytech/polkadot/blob/${VCS_REF}/scripts/ci/dockerfiles/collator_injected.Dockerfile" \
-	io.parity.image.revision="${VCS_REF}" \
-	io.parity.image.created="${BUILD_DATE}" \
-	io.parity.image.documentation="https://github.com/paritytech/polkadot/"
-
-# show backtraces
-ENV RUST_BACKTRACE 1
-
-# install tools and dependencies
-RUN apt-get update && \
-	DEBIAN_FRONTEND=noninteractive apt-get install -y \
-		libssl1.1 \
-		ca-certificates && \
-# apt cleanup
-	apt-get autoremove -y && \
-	apt-get clean && \
-	find /var/lib/apt/lists/ -type f -not -name lock -delete; \
-# add user and link ~/.local/share/adder-collator to /data
-	useradd -m -u 1000 -U -s /bin/sh -d /adder-collator adder-collator && \
-	mkdir -p /data /adder-collator/.local/share && \
-	chown -R adder-collator:adder-collator /data && \
-	ln -s /data /adder-collator/.local/share/polkadot
-
-# add adder-collator binary to docker image
-COPY ./adder-collator /usr/local/bin
-COPY ./undying-collator /usr/local/bin
-
-USER adder-collator
-
-# check if executable works in this container
-RUN /usr/local/bin/adder-collator --version
-RUN /usr/local/bin/undying-collator --version
-
-EXPOSE 30333 9933 9944
-VOLUME ["/adder-collator"]
-
-ENTRYPOINT ["/usr/local/bin/adder-collator"]

polkadot/scripts/ci/dockerfiles/entrypoint.sh

+#!/usr/bin/env bash
+
+# Sanity check
+if [ -z "$BINARY" ]
+then
+    echo "BINARY ENV not defined, this should never be the case. Aborting..."
+    exit 1
+fi
+
+# If the user built the image with multiple binaries,
+# we consider the first one to be the canonical one
+# To start with another binary, the user can either:
+#  - use the --entrypoint option
+#  - pass the ENV BINARY with a single binary
+IFS=',' read -r -a BINARIES <<< "$BINARY"
+BIN0=${BINARIES[0]}
+echo "Starting binary $BIN0"
+$BIN0 $@

polkadot/scripts/ci/dockerfiles/malus/build-injected.sh

+#!/usr/bin/env bash
+
+# Sample call:
+# $0 /path/to/folder_with_binary
+# This script replace the former dedicated Dockerfile
+# and shows how to use the generic binary_injected.dockerfile
+
+PROJECT_ROOT=`git rev-parse --show-toplevel`
+
+export BINARY=malus,polkadot-execute-worker,polkadot-prepare-worker
+export BIN_FOLDER=$1
+# export TAGS=...
+
+$PROJECT_ROOT/scripts/ci/dockerfiles/build-injected.sh

polkadot/scripts/ci/dockerfiles/malus/test-build.sh

+#!/usr/bin/env bash
+
+TMP=$(mktemp -d)
+ENGINE=${ENGINE:-podman}
+
+export TAGS=latest,beta,7777,1.0.2-rc23
+
+# Fetch some binaries
+$ENGINE run --user root --rm -i \
+  --pull always \
+  -v "$TMP:/export" \
+  --entrypoint /bin/bash \
+  paritypr/malus:7217 -c \
+  'cp "$(which malus)" /export'
+
+echo "Checking binaries we got:"
+ls -al $TMP
+
+./build-injected.sh $TMP

polkadot/scripts/ci/dockerfiles/malus_injected.Dockerfile

-FROM debian:bullseye-slim
-
-# metadata
-ARG VCS_REF
-ARG BUILD_DATE
-ARG IMAGE_NAME
-
-LABEL io.parity.image.authors="devops-team@parity.io" \
-	io.parity.image.vendor="Parity Technologies" \
-	io.parity.image.title="${IMAGE_NAME}" \
-	io.parity.image.description="Malus - the nemesis of polkadot" \
-	io.parity.image.source="https://github.com/paritytech/polkadot/blob/${VCS_REF}/scripts/ci/dockerfiles/malus.Dockerfile" \
-	io.parity.image.revision="${VCS_REF}" \
-	io.parity.image.created="${BUILD_DATE}" \
-	io.parity.image.documentation="https://github.com/paritytech/polkadot/"
-
-# show backtraces
-ENV RUST_BACKTRACE 1
-
-# install tools and dependencies
-RUN apt-get update && \
-	DEBIAN_FRONTEND=noninteractive apt-get install -y \
-    ca-certificates \
-    curl \
-    libssl1.1 \
-    tini && \
-# apt cleanup
-	apt-get autoremove -y && \
-	apt-get clean && \
-	find /var/lib/apt/lists/ -type f -not -name lock -delete; \
-# add user
-  groupadd --gid 10000 nonroot && \
-  useradd  --home-dir /home/nonroot \
-           --create-home \
-           --shell /bin/bash \
-           --gid nonroot \
-           --groups nonroot \
-           --uid 10000 nonroot
-
-
-# add malus binary to docker image
-COPY ./malus ./polkadot-execute-worker ./polkadot-prepare-worker /usr/local/bin
-
-USER nonroot
-
-# check if executable works in this container
-RUN /usr/local/bin/malus --version
-
-# Tini allows us to avoid several Docker edge cases, see https://github.com/krallin/tini.
-ENTRYPOINT ["tini", "--", "/bin/bash"]

polkadot/scripts/ci/dockerfiles/polkadot/README.md

 # Self built Docker image
 
 The Polkadot repo contains several options to build Docker images for Polkadot.
+
 This folder contains a self-contained image that does not require a Linux pre-built binary.
+
 Instead, building the image is possible on any host having docker installed and will
 build Polkadot inside Docker. That also means that no Rust toolchain is required on the host
 machine for the build to succeed.

polkadot/scripts/ci/dockerfiles/polkadot/build-injected.sh

+#!/usr/bin/env bash
+
+# Sample call:
+# $0 /path/to/folder_with_binary
+# This script replace the former dedicated Dockerfile
+# and shows how to use the generic binary_injected.dockerfile
+
+PROJECT_ROOT=`git rev-parse --show-toplevel`
+
+export BINARY=polkadot,polkadot-execute-worker,polkadot-prepare-worker
+export BIN_FOLDER=$1
+
+$PROJECT_ROOT/scripts/ci/dockerfiles/build-injected.sh

polkadot/scripts/ci/dockerfiles/polkadot/build.sh

-#!/usr/bin/env bash
-set -e
-
-pushd .
-
-# The following line ensure we run from the project root
-PROJECT_ROOT=`git rev-parse --show-toplevel`
-cd $PROJECT_ROOT
-
-# Find the current version from Cargo.toml
-VERSION=`grep "^version" ./cli/Cargo.toml | egrep -o "([0-9\.]+-?[0-9]+)"`
-GITUSER=parity
-GITREPO=polkadot
-
-# Build the image
-echo "Building ${GITUSER}/${GITREPO}:latest docker image, hang on!"
-time docker build \
-    -f ./scripts/ci/dockerfiles/polkadot/polkadot_builder.Dockerfile \
-    -t ${GITUSER}/${GITREPO}:latest \
-    -t ${GITUSER}/${GITREPO}:v${VERSION} \
-    .
-
-# Show the list of available images for this repo
-echo "Your Docker image for $GITUSER/$GITREPO is ready"
-docker images | grep ${GITREPO}
-
-popd