Dockerfile: install criu from binary repo

[kolyshkin]

closes #42362

- What I did

We were compiling criu from sources for quite a long time (in CI it is to run checkpoint/restore tests).

It takes a long time and is not really needed, since now we have a repo maintained by criu.

Use it.

- How I did it

vim Dockerfile

- How to verify it

- Description for the changelog

not needed

- A picture of a cute animal (not mandatory but encouraged)

[kolyshkin]

Cc @adrianreber

[adrianreber]

CI probably fails because this needs to be /usr/sbin/criu

[rst0git]

I tested this patch (with make BIND_DIR=. shell) and it works with the following change:

-COPY --from=criu          /usr/bin/criu /usr/local/bin
+COPY --from=criu          /usr/sbin/criu /usr/local/bin

[kolyshkin]

Ah, so stupid of me; fixed now.

[kolyshkin]

@thaJeztah PTAL (this simplifies and speeds up build)

[thaJeztah]

Somewhat confusing the the "debian" packages are on a "opensuse" repository 😅

Do we need to replace the use of apt-key add here @tianon ? (recalling I was in the middle of reviewing docker/docs#11990)

[tianon]

We don't immediately "need" to, but we will soon and definitely should.

If we don't actually care about the provenance, we can just download the file straight to /etc/apt/trusted.gpg.d/something.gpg.asc (probably criu.gpg.asc) and it will work in this instance (and be at least as secure as piping to apt-key add -...)

[thaJeztah]

I gave it a quick try, and that works; tried to use ADD instead of curl (so that cache would be invalidated would the key change), but ran into a bug, LOL (opened moby/buildkit#2114)

ADD --chmod=0644 https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_10/Release.key /etc/apt/trusted.gpg.d/criu.gpg.asc
# FIXME: workaround for https://github.com/moby/buildkit/issues/2114
RUN chmod 0644 /etc/apt/trusted.gpg.d/criu.gpg.asc
RUN --mount=type=cache,sharing=locked,id=moby-criu-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-criu-aptcache,target=/var/cache/apt \
        echo 'deb https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_10/ /' > /etc/apt/sources.list.d/criu.list \
        && apt-get update \
        && apt-get install -y --no-install-recommends criu \
        && install -D /usr/sbin/criu /build/

Let me know what you think @tianon @kolyshkin

[thaJeztah]

Actually, let me add install -D /usr/sbin/criu /build/ so that we can revert the change to the COPY --from as well

[thaJeztah]

I guess apt-get install does not have a --prefix option (unless compiling form source) 😓 (would've been nice if we could keep the same paths)

[tianon]

We could do something cute like criu="$(which criu)"; ln "$criu" /build/ after the apt-get install

[thaJeztah]

Given that we don't run the intermediate criu stage, and only use it to download the package, I took a different approach in https://github.com/moby/moby/pull/41739/files#r634478731

[cpuguy83]

We can literally have images in ghcr or hub for all of these things we currently build in the Dockerfile..
Speed things up a lot.

[thaJeztah]

But then we'd have to maintain (multi-arch) images for each of those stages?

[cpuguy83]

Shouldn't be terribly difficult.
We only need to add the versions we pull in here.

[thaJeztah]

Thanks! Overall looks good, but left a question for Tianon (probably not a blocker anyway, but could make upgrading to newer versions of Debian easier once Debian 11 becomes the new "stable")

[thaJeztah]

LGTM

[thaJeztah]

Hitting this on s390x (we were discussing this issue on slack) https://ci-next.docker.com/public/blue/rest/organizations/jenkins/pipelines/moby/branches/PR-41739/runs/3/nodes/168/log/?start=0

/cc @cpuguy83 @tonistiigi

+ docker build --force-rm --build-arg APT_MIRROR -t docker:1f5fd57c83e50e1cf26596d9338ed7d8f516dabf .
#2 [internal] load build definition from Dockerfile
#2 ERROR: proto: illegal wireType 6

#1 [internal] load .dockerignore
#1 transferring context: 87B done
#1 DONE 0.0s
------
 > [internal] load build definition from Dockerfile:
------
failed to solve with frontend dockerfile.v0: failed to resolve dockerfile: failed to build LLB: proto: illegal wireType 6
script returned exit code 1

Details of that machine:

Details

+ docker version
Client: Docker Engine - Community
 Version:           19.03.7
 API version:       1.40
 Go version:        go1.12.17
 Git commit:        7141c199a2
 Built:             Sat Mar  7 16:48:47 2020
 OS/Arch:           linux/s390x
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.7
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.17
  Git commit:       7141c199a2
  Built:            Sat Mar  7 16:47:46 2020
  OS/Arch:          linux/s390x
  Experimental:     true
 containerd:
  Version:          1.2.13
  GitCommit:        7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

 + docker info
 Client:
  Debug Mode: false

 Server:
  Containers: 0
   Running: 0
   Paused: 0
   Stopped: 0
  Images: 2
  Server Version: 19.03.7
  Storage Driver: overlay2
   Backing Filesystem: <unknown>
   Supports d_type: true
   Native Overlay Diff: true
  Logging Driver: json-file
  Cgroup Driver: cgroupfs
  Plugins:
   Volume: local
   Network: bridge host ipvlan macvlan null overlay
   Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
  Swarm: inactive
  Runtimes: runc
  Default Runtime: runc
  Init Binary: docker-init
  containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
  runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
  init version: fec3683
  Security Options:
   apparmor
   seccomp
    Profile: default
  Kernel Version: 4.15.0-88-generic
  Operating System: Ubuntu 18.04.4 LTS
  OSType: linux
  Architecture: s390x
  CPUs: 2
  Total Memory: 7.861GiB
  Name: s390x-ubuntu-29
  ID: KX4W:OISZ:E4EJ:3QOX:GCSE:TDK3:6NVC:NGLB:7US2:36DL:6NT2:YLOM
  Docker Root Dir: /var/lib/docker
  Debug Mode: false
  Registry: https://index.docker.io/v1/
  Labels:
  Experimental: true
  Insecure Registries:
   127.0.0.0/8
  Live Restore Enabled: false

 WARNING: No swap limit support