# NOTE: this is a multi-platform image, so each step needs to work on both amd64 and arm64.
# See README for details.

# debian 11
# The base image is referenced by digest only, so a rebuild always starts from
# the same bytes and a moved or re-pushed tag cannot change it. The digest has
# to be bumped by hand to pick up base-image security fixes.
# NOTE(review): for the multi-platform build described above, this digest
# presumably names a multi-arch manifest list rather than a single-arch image.
# Confirm before replacing it.
FROM debian@sha256:5a87974e73c64b3fb161d444a84bdd47c0e6b6058eacaeea64342e7cbce1f04d

# Base tooling for the steps below: curl and ca-certificates for the HTTPS
# downloads, plus the packages used while adding third-party apt repositories.
# The apt lists are removed in the same layer so they do not persist in the image.
# NOTE(review): recommended packages are installed too. Later steps call apt-key
# and lsb_release, which are not listed here and presumably arrive as
# dependencies or recommends. Confirm before adding --no-install-recommends.
RUN apt-get update \
 && apt-get install -y \
      apt-transport-https \
      ca-certificates \
      curl \
      fuse \
      gnupg-agent \
      software-properties-common \
 && rm -rf /var/lib/apt/lists/* \
 && apt-get clean

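# Install tini v0.19.0 at /tini. The binary is downloaded for the build's
# architecture and checked against a SHA-256 pinned in this file, so a replaced
# or corrupted release asset fails the build instead of entering the image.
# An architecture without a pinned checksum stops the step with an explicit
# message rather than reaching sha256sum with an empty hash.
RUN ARCH=$(dpkg --print-architecture) && \
    SHASUM=$(case $ARCH in \
        amd64) echo '93dcc18adc78c65a028a84799ecf8ad40c936fdfc5f2a57b1acda5a8117fa82c' ;; \
        arm64) echo '07952557df20bfd2a95f9bef198b445e006171969499a1d361bd9e6f8e5e0e81' ;; \
        *) echo "no pinned tini checksum for architecture: $ARCH" >&2; exit 1 ;; \
    esac) && \
    curl -o /tini -fsSL "https://github.com/krallin/tini/releases/download/v0.19.0/tini-${ARCH}" && \
    echo "$SHASUM /tini" | sha256sum -c && \
    chmod +x /tini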

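# Add Docker's apt repository and install the Docker engine, CLI and containerd.
# The repository key is saved to its own file and referenced with signed-by, so
# apt trusts it for download.docker.com only. The deprecated `apt-key add` put it
# in the global keyring, where it could vouch for packages from any repository.
# Downloading to a file, not piping, also makes a failed curl fail the step.
# NOTE(review): the gpg call only prints the key's fingerprint to the build log,
# as `apt-key fingerprint 0EBFCD88` did. Nothing compares it with an expected
# value, so the key is still trusted on first download over HTTPS. Compare it
# against the full fingerprint Docker publishes if stronger assurance is needed.
# NOTE(review): docker-ce, docker-ce-cli and containerd.io are not version-pinned,
# so rebuilds can install different versions.
# Relies on gpg and lsb_release already being present from the earlier apt step.
RUN install -m 0755 -d /etc/apt/keyrings && \
    curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc && \
    chmod a+r /etc/apt/keyrings/docker.asc && \
    gpg --show-keys --with-fingerprint /etc/apt/keyrings/docker.asc && \
    echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list && \
    apt-get update && apt-get install -y docker-ce docker-ce-cli containerd.io && \
    rm -rf /var/lib/apt/lists/* && apt-get clean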

# skopeo and umoci unpack OCI images when docker is not used; iproute2 supplies
# the "ip" command for configuring networking on the host.
# amazon-ecr-credential-helper is installed alongside them (presumably for
# pulling from Amazon ECR registries; confirm).
RUN apt-get update \
 && apt-get install -y \
      amazon-ecr-credential-helper \
      iproute2 \
      skopeo \
      umoci \
 && rm -rf /var/lib/apt/lists/* \
 && apt-get clean

# Install gVisor
#RUN curl -fsSL https://gvisor.dev/archive.key | gpg --dearmor -o /usr/share/keyrings/gvisor-archive-keyring.gpg && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/gvisor-archive-keyring.gpg] https://storage.googleapis.com/gvisor/releases release main" >>  /etc/apt/sources.list.d/gvisor.list && apt-get update && apt-get install -y runsc
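# ALTERNATIVE non-apt method. Note that runsc.sha512 is fetched from the same
# URL as the binary, so the check catches a corrupted download but not a
# tampered release, and "latest" is not a pinned version: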
#RUN ARCH=$(uname -m); URL=https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}; curl -LO ${URL}/runsc && curl -LO ${URL}/runsc.sha512 && sha512sum -c runsc.sha512 && rm -f *.sha512 && chmod a+rx runsc && mv runsc /usr/local/bin

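# Configure docker credentials so we can pull marketplace.gcr.io images generated by rbe_autoconfig.
# docker-credential-gcr v2.0.0 is downloaded for the build's architecture and
# the archive is checked against a SHA-256 pinned in this file before anything
# is extracted from it. Only the ./docker-credential-gcr member is written out.
# An architecture without a pinned checksum stops the step with an explicit
# message rather than reaching sha256sum with an empty hash.
# NOTE(review): `configure-docker` runs as the build user and presumably writes
# that user's docker client config. Confirm it is the config the runtime user reads.
RUN ARCH=$(dpkg --print-architecture) && \
    SHASUM=$(case $ARCH in \
        amd64) echo '1f98cbe13be7876b3a031540c48c04739ad22aa4b0c5d1b5b2c48d558eb44581' ;; \
        arm64) echo '8a563549e3559234402b802ee450cfd7817a908330ebf95ea72db00829145d59' ;; \
        *) echo "no pinned docker-credential-gcr checksum for architecture: $ARCH" >&2; exit 1 ;; \
    esac) && \
    curl -o "docker-credential-gcr.tar.gz" -fsSL "https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v2.0.0/docker-credential-gcr_linux_${ARCH}-2.0.0.tar.gz" && \
    echo "$SHASUM docker-credential-gcr.tar.gz" | sha256sum -c && \
    tar -xz -f docker-credential-gcr.tar.gz --to-stdout ./docker-credential-gcr > /usr/local/bin/docker-credential-gcr && \
    chmod +x /usr/local/bin/docker-credential-gcr && \
    rm docker-credential-gcr.tar.gz && \
    docker-credential-gcr configure-docker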
