- docker.internal.networkradius.com/self-hosted
dockerfile: scripts/ci/Dockerfile
+ #
+ # Custom dind image used as the services: sidecar by the
+ # dind-based workflows (docker.yml, crossbuild.yml, multi-
+ # server-tests). Bakes in registry-mirror -> internal cache
+ # and trusts the internal CA, so per-job apt-installing and
+ # daemon.json wiring goes away.
+ #
+ - base_image: docker:24-dind
+ image_name: docker.internal.networkradius.com/fr-dind
+ dockerfile: scripts/ci/Dockerfile.dind
+ needs_internal_ca: true
+
- base_image: mariadb
- base_image: postgres
- base_image: 4teamwork/389ds
${{ matrix.os.base_image }} \
sh -c './build-dep-pkg.sh'
+ #
+ # Stage the internal CA cert into the build context for any
+ # matrix entry that asks for it (currently the dind sidecar
+ # image, which needs to trust docker.internal.networkradius.com).
+ # The cert lives on the self-hosted runner host outside the
+ # repo, so we copy it in just before the build.
+ #
+ - name: Stage internal CA into build context
+ if: ${{ matrix.os.needs_internal_ca }}
+ shell: bash
+ run: |
+ cp /usr/local/share/ca-certificates/networkradius.com.crt \
+ scripts/ci/networkradius.com.crt
+
- name: Build main Docker image
if: ${{ matrix.os.image_name && matrix.os.dockerfile }}
shell: bash
apt-get dist-upgrade -y
#
-# Install packages needed by the build
+# Install packages needed by the build.
+#
+# docker.io, docker-buildx and m4 are needed when this image is used
+# as the job container of a dind-based workflow (docker.yml,
+# crossbuild.yml, multi-server-tests): the in-container docker CLI
+# talks to the dind sidecar over DOCKER_HOST, and m4 regenerates the
+# per-distro Dockerfiles from the m4 templates.
#
RUN apt-get install -y --no-install-recommends \
apt-transport-https \
ca-certificates \
curl \
devscripts \
+ docker-buildx \
+ docker.io \
equivs \
gawk \
git \
gnupg \
libasan6 \
lsb-release \
+ m4 \
python3-pip \
quilt \
ruby-dev \
# samba \
+#
+# Trust any workspace path. The job container runs as root but the
+# bind-mounted runner workspace is owned by the runner user; without
+# this, git refuses with "dubious ownership" the moment a Makefile
+# runs `git rev-parse`. system-level so it applies to every shell.
+#
+RUN git config --system --add safe.directory '*'
+
#
# Additional improvements
# - install eapol_test
--- /dev/null
+FROM docker:24-dind
+
+#
+# Pre-bake the registry-mirror config so the dockerd inside this
+# container pulls public base images via the internal NetworkRADIUS
+# registry (which acts as a Docker Hub pull-through cache). Without
+# this, every CI job's fresh dockerd anonymously pulls from
+# registry-1.docker.io and the 31 self-hosted runners share egress
+# IPs that quickly blow through Docker Hub's 100/6h anonymous limit.
+#
+RUN mkdir -p /etc/docker && cat > /etc/docker/daemon.json <<'EOF'
+{
+ "registry-mirrors": ["https://docker.internal.networkradius.com"]
+}
+EOF
+
+#
+# Trust the internal CA so dockerd can talk HTTPS to the mirror at
+# docker.internal.networkradius.com. The base docker:dind image only
+# has Alpine's default CA bundle, which doesn't include the internal
+# NR root.
+#
+# The cert file is staged into the build context by docker-refresh.yml
+# from /usr/local/share/ca-certificates/networkradius.com.crt on the
+# runner host before this image is built.
+#
+COPY scripts/ci/networkradius.com.crt /usr/local/share/ca-certificates/networkradius.com.crt
+RUN apk add --no-cache ca-certificates && \
+ update-ca-certificates && \
+ mkdir -p /etc/docker/certs.d/docker.internal.networkradius.com && \
+ cp /usr/local/share/ca-certificates/networkradius.com.crt \
+ /etc/docker/certs.d/docker.internal.networkradius.com/ca.crt
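Review bot: The shell heredoc that writes daemon.json (`RUN mkdir -p /etc/docker && cat > /etc/docker/daemon.json <<'EOF'` through `EOF`) only parses as a single instruction under BuildKit's heredoc support; the classic builder, or a BuildKit frontend older than dockerfile 1.4, ends the RUN at that line and then fails on `{` as an unknown instruction. Add `# syntax=docker/dockerfile:1` as the first line of the file so the frontend is pinned and this requirement is explicit instead of depending on whichever docker the runner host happens to have. Since this image is what every dind-based job relies on for registry routing and internal-CA trust, it is also worth pinning the base by digest, `FROM docker:24-dind@sha256:<digest of the vetted docker:24-dind image>`, so a rebuild of the sidecar is reproducible; likewise `ca-certificates` in the `apk add` line could carry an explicit version per hadolint DL3018.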