From 1212ad8e59e683306a5e34496b53c5361c3f785c Mon Sep 17 00:00:00 2001 From: Brennan Kinney <5098581+polarathene@users.noreply.github.com> Date: Wed, 22 Mar 2023 22:13:18 +1300 Subject: [PATCH] refactor: Support syntax without BuildKit features These have been available via opt-in prior to v23 of Docker Engine with `DOCKER_BUILDKIT=1` ENV as a prefix to running `docker build`, however it's been requested to avoid the syntax. No HereDoc (multi-line RUN with EOF marker) or `RUN --mount` available. This makes the `busybox` approach a hassle, so I've brought back the explicit creation of user and home dir. Without the cache mounts, bring back `zypper clean`. It's not doing much as the `--cache-dir` is still set, but should reduce disk space for the `builder` layer. Local builds will be slower as a result when this layer is invalidated. AFAIK, this also makes it tricky to use the `ZYPPER_OPTIONS`? So no longer DRY. --- Dockerfile | 54 ++++++++++++++++++++++-------------------------------- 1 file changed, 22 insertions(+), 32 deletions(-) diff --git a/Dockerfile b/Dockerfile index c041ccb..c4af7ce 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,44 +6,34 @@ ARG INSTALL_ROOT=/rootfs FROM opensuse/leap:${LEAP_VERSION} as builder ARG CACHE_ZYPPER=/tmp/cache/zypper ARG INSTALL_ROOT -# --mount is only necessary for persisting the zypper cache on the build host, -# Paired with --cache-dir below, RUN layer invalidation does not clear this cache. -# Not useful for CI, only local builds that retain the storage. -RUN --mount=type=cache,target="${CACHE_ZYPPER}",sharing=locked <> /etc/passwd \ + && echo 'testssl:x:1000:' >> /etc/group \ + && echo 'testssl:!::0:::::' >> /etc/shadow \ + && install --mode 2755 --owner testssl --group testssl --directory /home/testssl \ + && ln -s /home/testssl/testssl.sh /usr/local/bin/ # Copy over build context (after filtered by .dockerignore): bin/ etc/ testssl.sh COPY --chown=testssl:testssl . /home/testssl/
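Review bot: The added `install --mode 2755 --owner testssl --group testssl --directory /home/testssl` line sets the setgid bit on the home directory, and nothing in the hunk says why. The `COPY --chown=testssl:testssl . /home/testssl/` that follows already assigns owner and group to the copied files, so group inheritance from the directory is not needed for them. Unless something at runtime relies on it, use `--mode 0755` (or tighter), or add a comment giving the reason for the special bit. The hand-written account entries in the same `RUN` would also benefit from a one-line comment: the `!` in `testssl:!::0:::::` is what keeps the account without a usable password, and the ID 1000 is repeated as a literal in the `/etc/group` line, so a later edit can easily change one file and not the others.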