Add target for static builds

.dockerignore

@@ -4,6 +4,7 @@
 /archive
 /build
 /common/*.mk
+/dockerfiles
 /*.md
 /Jenkinsfile
 /Makefile

Jenkinsfile

@@ -41,6 +41,10 @@ def generatePackageStep(opts, arch) {
                     sh 'make clean'
                     withDockerRegistry([url: "", credentialsId: "dockerbuildbot-index.docker.io"]) {
                         sh "make CREATE_ARCHIVE=1 ${opts.image}"
+                        if (opts.image == "docker.io/library/ubuntu:focal") {
+                            // also build static packages
+                            sh "make CREATE_ARCHIVE=1 ${opts.image} static"
+                        }
                     }
                     archiveArtifacts(artifacts: 'archive/*.tar.gz', onlyIfSuccessful: true)
                 } finally {

Makefile

@@ -76,6 +76,18 @@ checkout: src
 	./scripts/checkout.sh src/github.com/containerd/containerd "$(REF)"
 	./scripts/checkout.sh src/github.com/opencontainers/runc "$$(./scripts/determine-runc-version)"
 
+# NOTE: building static binaries currently only works when using an
+#       ubuntu/debian BUILD_IMAGE, because build-dependencies are not
+#       installed beforehand.
+.PHONY: static
+static: TARGET=binaries
+static: build
+
+# This target is used for building rpm, deb, and static packages:
+#
+# - If TARGET=binaries, static binaries are built
+# - If TARGET is not specified, the default is either "rpm" or "deb",
+#   depending on the BUILD_IMAGE
 .PHONY: build
 build: checkout common/containerd.service
 build:

README.md

@@ -15,6 +15,13 @@ make docker.io/library/<distro>:<version> [docker.io/library/<distro>:<version>
 
 After build completes, packages can be found in the `build` directory.
 
+To build static binaries:
+
+```bash
+make clean
+make static
+```
+
 ## Building a package from a local source directory
 
 Specify the path to the local source directory using `CONTAINERD_DIR` and/or

dockerfiles/deb.dockerfile

@@ -90,6 +90,7 @@ COPY debian/ debian/
 RUN apt-get update -q \
  && mk-build-deps -t "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y" -i debian/control
 COPY scripts/build-deb    /root/
+COPY scripts/build-static /root/
 COPY scripts/.helpers     /root/
 
 ARG PACKAGE
@@ -128,6 +129,26 @@ FROM scratch AS packages
 COPY --from=build-packages  /archive /archive
 COPY --from=verify-packages /build   /build
 
+FROM build-env AS build-binaries
+# NOTE: not using a cache-mount for /root/.cache/go-build, to prevent issues
+#       with CGO when building multiple distros on the same machine / build-cache
+RUN --mount=type=bind,from=golang,source=/usr/local/go/,target=/usr/local/go/ \
+    --mount=type=bind,source=/src,target=/go/src,rw \
+    /root/build-static
+ARG UID=0
+ARG GID=0
+RUN chown -R ${UID}:${GID} /build
+
+FROM distro-image AS verify-binaries
+COPY --from=build-binaries /build /build
+RUN tar -C /usr/local/bin/ --strip-components 1 -xzf "$(find /build/static -type f -name containerd.io*.tar.gz)"
+RUN containerd --version
+RUN ctr --version
+RUN runc --version
+
+FROM scratch AS binaries
+COPY --from=verify-binaries /build /build
+
 # This stage is mainly for debugging (running the build interactively with mounted source)
 FROM build-env AS runtime
 COPY --from=golang /usr/local/go/ /usr/local/go/

scripts/build-static

@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+#   Copyright 2018-2022 Docker Inc.
+
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+
+#       http://www.apache.org/licenses/LICENSE-2.0
+
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+
+set -e
+
+REF=$(git --git-dir "${GO_SRC_PATH}/.git" rev-parse --verify "HEAD^{commit}")
+VERSION="$(git --git-dir "${GO_SRC_PATH}/.git" describe --tags | sed 's/^v//')"
+# Check if we're on a tagged version, change VERSION to dev build if not
+if ! git --git-dir "${GO_SRC_PATH}/.git" describe --exact-match HEAD >/dev/null 2>&1; then
+	git_date=$(date --date "@$(git --git-dir "${GO_SRC_PATH}/.git" log -1 --pretty='%at')" +'%Y%m%d.%H%M%S')
+	git_sha=$(git --git-dir "${GO_SRC_PATH}/.git" log -1 --pretty='%h')
+	VERSION="${git_date}~${git_sha}"
+fi
+
+ARCH=$(uname -m)
+DEST_DIR="/build/static/${ARCH}/"
+BIN_DIR="usr/local/bin"
+
+# Build containerd
+(
+	set -x
+	# see https://github.com/containerd/containerd/blob/main/BUILDING.md#static-binaries
+	make -C "/go/src/github.com/containerd/containerd" STATIC=1 VERSION="${VERSION}" REVISION="${REF}" PACKAGE="${PACKAGE}"
+
+	# containerd installs in ${DESTDIR}${PREFIX}/bin (${DESTDIR}/usr/local/bin)
+	make -C "/go/src/github.com/containerd/containerd" DESTDIR="${DEST_DIR}" install
+)
+
+# Build runc
+(
+	set -x
+	# runc installs in ${DEST_DIR}${BINDIR}
+	make -C "/go/src/github.com/opencontainers/runc" DESTDIR="${DEST_DIR}" BINDIR="${BIN_DIR}" static install
+)
+
+# Create archive and checksum
+(
+	set -x
+
+	archive_name="containerd.io-${VERSION}.linux-${ARCH}.tar.gz"
+
+	cd "${DEST_DIR:?}"
+	tar --exclude=containerd-stress --transform "s,^${BIN_DIR},containerd.io," -czf "${archive_name}" "${BIN_DIR}"
+	sha256sum "${archive_name}" > "${archive_name}".sha256sum
+	rm -r "${BIN_DIR}"
+)