Fix ./hack/verify-docker-deps.sh script to run on build platform

Author: pwschuurman

Dockerfile

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM --platform=$BUILDPLATFORM golang:1.23.0 as builder
+FROM --platform=$BUILDPLATFORM golang:1.23.0 AS builder
 
 ARG STAGINGVERSION
 ARG TARGETPLATFORM
@@ -23,24 +23,24 @@ RUN GOARCH=$(echo $TARGETPLATFORM | cut -f2 -d '/') GCE_PD_CSI_STAGING_VERSION=$
 
 # Start from Kubernetes Debian base.
 
-FROM gke.gcr.io/debian-base:bookworm-v1.0.4-gke.2 as debian
+FROM gke.gcr.io/debian-base:bookworm-v1.0.4-gke.2 AS debian
 
 # Install necessary dependencies
 # google_nvme_id script depends on the following packages: nvme-cli, xxd, bash
 RUN clean-install util-linux e2fsprogs mount ca-certificates udev xfsprogs nvme-cli xxd bash
 
 # Since we're leveraging apt to pull in dependencies, we use `gcr.io/distroless/base` because it includes glibc.
-FROM gcr.io/distroless/base-debian12 as distroless-base
+FROM gcr.io/distroless/base-debian12 AS distroless-base
 
 # The distroless amd64 image has a target triplet of x86_64
 FROM distroless-base AS distroless-amd64
-ENV LIB_DIR_PREFIX x86_64
+ENV LIB_DIR_PREFIX=x86_64
 
 # The distroless arm64 image has a target triplet of aarch64
 FROM distroless-base AS distroless-arm64
-ENV LIB_DIR_PREFIX aarch64
+ENV LIB_DIR_PREFIX=aarch64
 
-FROM distroless-$TARGETARCH as output-image
+FROM distroless-$TARGETARCH
 
 # Copy necessary dependencies into distroless base.
 COPY --from=builder /go/src/sigs.k8s.io/gcp-compute-persistent-disk-csi-driver/bin/gce-pd-csi-driver /gce-pd-csi-driver
@@ -119,16 +119,4 @@ COPY --from=debian /usr/lib/${LIB_DIR_PREFIX}-linux-gnu/libblkid.so.1 \
 # Copy NVME support required script and rules into distroless base.
 COPY deploy/kubernetes/udev/google_nvme_id /lib/udev_containerized/google_nvme_id
 
-# Build stage used for validation of the output-image
-# See validate-container-linux-* targets in Makefile
-FROM output-image as validation-image
-
-COPY --from=debian /usr/bin/ldd /usr/bin/find /usr/bin/xargs /usr/bin/
-COPY --from=builder /go/src/sigs.k8s.io/gcp-compute-persistent-disk-csi-driver/hack/print-missing-deps.sh /print-missing-deps.sh
-SHELL ["/bin/bash", "-c"]
-RUN /print-missing-deps.sh
-
-# Final build stage, create the real Docker image with ENTRYPOINT
-FROM output-image
-
 ENTRYPOINT ["/gce-pd-csi-driver"]

Makefile

@@ -73,20 +73,24 @@ build-and-push-multi-arch-debug: build-and-push-container-linux-debug build-and-
 push-container: build-container
 
 # Used by hack/verify-docker-deps.sh, not used for building artifacts
-validate-container-linux-amd64: init-buildx
-	$(DOCKER) buildx build --platform=linux/amd64 \
-		-t validation_linux_amd64 \
-		--target validation-image \
-		--build-arg BUILDPLATFORM=linux \
-		--build-arg STAGINGVERSION=$(STAGINGVERSION) .
+validate-container-linux-amd64: build-and-load-container-linux-amd64
+	./hack/print-missing-deps.sh $(STAGINGIMAGE):$(STAGINGVERSION)_linux_amd64
 
 # Used by hack/verify-docker-deps.sh, not used for building artifacts
-validate-container-linux-arm64: init-buildx
-	$(DOCKER) buildx build --platform=linux/arm64 \
-		-t validation_linux_arm64 \
-		--target validation-image \
-		--build-arg BUILDPLATFORM=linux \
-		--build-arg STAGINGVERSION=$(STAGINGVERSION) .
+validate-container-linux-arm64: build-and-load-container-linux-arm64
+	./hack/print-missing-deps.sh $(STAGINGIMAGE):$(STAGINGVERSION)_linux_arm64
+
+validate-container-linux: validate-container-linux-amd64 validate-container-linux-arm64
+
+build-and-load-container-linux-amd64: require-GCE_PD_CSI_STAGING_IMAGE init-buildx
+	$(DOCKER) buildx build --platform=linux/amd64 \
+		-t $(STAGINGIMAGE):$(STAGINGVERSION)_linux_amd64 \
+		--build-arg STAGINGVERSION=$(STAGINGVERSION) --load .
+
+build-and-load-container-linux-arm64: require-GCE_PD_CSI_STAGING_IMAGE init-buildx
+	$(DOCKER) buildx build --file=Dockerfile --platform=linux/arm64 \
+		-t $(STAGINGIMAGE):$(STAGINGVERSION)_linux_arm64 \
+		--build-arg STAGINGVERSION=$(STAGINGVERSION) --load .
 
 build-and-push-container-linux-amd64: require-GCE_PD_CSI_STAGING_IMAGE init-buildx
 	$(DOCKER) buildx build --platform=linux/amd64 \

hack/print-missing-deps.sh

@@ -20,13 +20,33 @@ set -o pipefail
 
 echo "Verifying Docker Executables have appropriate dependencies"
 
+TEMP_DIR="$(mktemp -d)"
+trap 'rm -rf -- "$TEMP_DIR"' EXIT
+
+export CONTAINER_IMAGE="$1"
+export CONTAINER_EXPORT_DIR="$TEMP_DIR/image_dir"
+
+extractContainerImage() {
+  CONTAINER_ID="$(docker create "$CONTAINER_IMAGE")"
+  CONTAINER_EXPORT_TAR="$TEMP_DIR/image.tar"
+  docker export "$CONTAINER_ID" -o "$CONTAINER_EXPORT_TAR"
+  mkdir -p "$CONTAINER_EXPORT_DIR"
+  tar xf "$CONTAINER_EXPORT_TAR" -C "$CONTAINER_EXPORT_DIR"
+}
+
+printNeededDeps() {
+  readelf -d "$@" 2>&1 | grep NEEDED | awk '{print $5}' | sed -e 's@\[@@g' -e 's@\]@@g'
+}
+
 printMissingDep() {
-  if /usr/bin/ldd "$@" | grep "not found"; then
+  if ! find "$CONTAINER_EXPORT_DIR" -name "$@" > /dev/null; then
     echo "!!! Missing deps for $@ !!!"
     exit 1
   fi
 }
 
+export -f printNeededDeps
 export -f printMissingDep
 
-/usr/bin/find / -type f -executable -print | /usr/bin/xargs -I {} /bin/bash -c 'printMissingDep "{}"'
+extractContainerImage
+/usr/bin/find "$CONTAINER_EXPORT_DIR" -type f -executable -print | /usr/bin/xargs -I {} /bin/bash -c 'printNeededDeps "{}"' | sort | uniq | /usr/bin/xargs -I {} /bin/bash -c 'printMissingDep "{}"'

hack/verify-docker-deps.sh

@@ -22,4 +22,5 @@ echo "Verifying Docker Image Dependencies"
 
 PKG_ROOT=$(git rev-parse --show-toplevel)
 
-make -C "${PKG_ROOT}" validate-container-linux-amd64 validate-container-linux-arm64
+export GCE_PD_CSI_STAGING_IMAGE=validation-image
+make -C "${PKG_ROOT}" validate-container-linux