Publish RC container images (#7556)

* WIP * Add missing checkout * Add debuggin * Fix VAR name * Bug fix * Rework jobs * Revert "Rework jobs" This reverts commit 2bfa79fd3ae633c17403b838f9a5025f0f7fc3f3. * Add cache * Add temp default for testing * Add missing checkout * Fix patch * Comment out the GPG check for now * Rename polkadot_injected_release into a more appropriate polkadot_injected_debian * Refactoring / renaming * Introduce a generic image for binary injection * Flag files to be deleted and changes to be done * WIP * Fix multi binaries images * Add test build scripts * Remove old file, add polkadot build-injected script * Fix doc * Fix tagging * Add build of the injected container * Fix for docker * Remove the need for TTY * Handling container publishing * Fix owner and registry * Fix vars * Fix repo * Fix var naming * Fix case when there is no tag * Fix case with no tag * Handle error * Fix spacings * Fix tags * Remove unnecessary grep that may fail * Add final check * Clean up and introduce GPG check * Add doc * Add doc * Update doc/docker.md Co-authored-by: Mira Ressel <mira@parity.io> * type Co-authored-by: Mira Ressel <mira@parity.io> * Fix used VAR * Improve doc * ci: Update .build-push-image jobs to use the new build-injected.sh * ci: fix path to build-injected.sh script * Rename the release artifacts folder to prevent confusion due to a similar folder in the gitlab CI * ci: check out polkadot repo in .build-push-image This seems far cleaner than copying the entire scripts/ folder into our job artifacts. * feat(build-injected.sh): make PROJECT_ROOT configurable This lets us avoid a dependency on git in our CI image. * ci: build injected images with buildah * ci: pass full image names to zombienet * Add missing ignore --------- Co-authored-by: Mira Ressel <mira@parity.io>
2026-06-13 07:01:05 +00:00 · 2023-08-11 15:28:39 +02:00
parent cf66819a19
commit 693a29da1a
35 changed files with 663 additions and 325 deletions
@@ -193,3 +193,73 @@ check_bootnode(){
    echo "    Bootnode appears unreachable"
    return 1
 }
+
+# Assumes the ENV are set:
+# - RELEASE_ID
+# - GITHUB_TOKEN
+# - REPO in the form paritytech/polkadot
+fetch_release_artifacts() {
+  echo "Release ID : $RELEASE_ID"
+  echo "Repo       : $REPO"
+  echo "ARTIFACT_FOLDER: $ARTIFACT_FOLDER"
+
+  curl -L -s \
+    -H "Accept: application/vnd.github+json" \
+    -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+    -H "X-GitHub-Api-Version: 2022-11-28" \
+    https://api.github.com/repos/${REPO}/releases/$RELEASE_ID > release.json
+
+  # Get Asset ids
+  ids=($(jq -r '.assets[].id' < release.json ))
+  count=$(jq '.assets|length' < release.json )
+
+  # Fetch artifacts
+  mkdir -p ${ARTIFACT_FOLDER}
+  pushd ${ARTIFACT_FOLDER} > /dev/null
+
+  iter=1
+  for id in "${ids[@]}"
+  do
+      echo " - $iter/$count: downloading asset id: $id..."
+      curl -s -OJ -L -H "Accept: application/octet-stream" \
+          -H "Authorization: Token ${GITHUB_TOKEN}" \
+          "https://api.github.com/repos/${REPO}/releases/assets/$id"
+      iter=$((iter + 1))
+  done
+
+  ls -al --color
+  popd > /dev/null
+}
+
+# Check the checksum for a given binary
+function check_sha256() {
+    echo "Checking SHA256 for $1"
+    shasum -qc $1.sha256
+}
+
+# Import GPG keys of the release team members
+# This is done in parallel as it can take a while sometimes
+function import_gpg_keys() {
+  GPG_KEYSERVER=${GPG_KEYSERVER:-"keyserver.ubuntu.com"}
+  SEC="9D4B2B6EB8F97156D19669A9FF0812D491B96798"
+  WILL="2835EAF92072BC01D188AF2C4A092B93E97CE1E2"
+  EGOR="E6FC4D4782EB0FA64A4903CCDB7D3555DD3932D3"
+  MARA="533C920F40E73A21EEB7E9EBF27AEA7E7594C9CF"
+  MORGAN="2E92A9D8B15D7891363D1AE8AF9E6C43F7F8C4CF"
+
+  echo "Importing GPG keys from $GPG_KEYSERVER in parallel"
+  for key in $SEC $WILL $EGOR $MARA $MORGAN; do
+    (
+      echo "Importing GPG key $key"
+      gpg --no-tty --quiet --keyserver $GPG_KEYSERVER --recv-keys $key
+      echo -e "5\ny\n" | gpg --no-tty --command-fd 0 --expert --edit-key $key trust;
+    ) &
+  done
+  wait
+}
+
+# Check the GPG signature for a given binary
+function check_gpg() {
+    echo "Checking GPG Signature for $1"
+    gpg --no-tty --verify -q $1.asc $1
+}
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+# Sample call:
+# $0 /path/to/folder_with_binary
+# This script replace the former dedicated Dockerfile
+# and shows how to use the generic binary_injected.dockerfile
+
+PROJECT_ROOT=`git rev-parse --show-toplevel`
+
+export BINARY=adder-collator,undying-collator
+export BIN_FOLDER=$1
+
+$PROJECT_ROOT/scripts/ci/dockerfiles/build-injected.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+TMP=$(mktemp -d)
+ENGINE=${ENGINE:-podman}
+
+# TODO: Switch to /bin/bash when the image is built from parity/base-bin
+
+# Fetch some binaries
+$ENGINE run --user root --rm -i \
+  --pull always \
+  -v "$TMP:/export" \
+  --entrypoint /usr/bin/bash \
+  paritypr/colander:master -c \
+  'cp "$(which adder-collator)" /export'
+
+$ENGINE run --user root --rm -i \
+  --pull always \
+  -v "$TMP:/export" \
+  --entrypoint /usr/bin/bash \
+  paritypr/colander:master -c \
+  'cp "$(which undying-collator)" /export'
+
+./build-injected.sh $TMP
@@ -0,0 +1,48 @@
+FROM docker.io/parity/base-bin
+
+# This file allows building a Generic container image
+# based on one or multiple pre-built Linux binaries.
+# Some defaults are set to polkadot but all can be overriden.
+
+SHELL ["/bin/bash", "-c"]
+
+# metadata
+ARG VCS_REF
+ARG BUILD_DATE
+ARG IMAGE_NAME
+
+# That can be a single one or a comma separated list
+ARG BINARY=polkadot
+
+ARG BIN_FOLDER=.
+ARG DOC_URL=https://github.com/paritytech/polkadot
+ARG DESCRIPTION="Polkadot: a platform for web3"
+ARG AUTHORS="devops-team@parity.io"
+ARG VENDOR="Parity Technologies"
+
+LABEL io.parity.image.authors=${AUTHORS} \
+	io.parity.image.vendor="${VENDOR}" \
+	io.parity.image.revision="${VCS_REF}" \
+	io.parity.image.title="${IMAGE_NAME}" \
+	io.parity.image.created="${BUILD_DATE}" \
+	io.parity.image.documentation="${DOC_URL}" \
+	io.parity.image.description="${DESCRIPTION}" \
+	io.parity.image.source="https://github.com/paritytech/polkadot/blob/${VCS_REF}/scripts/ci/dockerfiles/binary_injected.Dockerfile"
+
+USER root
+WORKDIR /app
+
+# add polkadot binary to docker image
+# sample for polkadot: COPY ./polkadot ./polkadot-*-worker /usr/local/bin/
+COPY entrypoint.sh .
+COPY "bin/*" "/usr/local/bin/"
+RUN chmod -R a+rx "/usr/local/bin"
+
+USER parity
+ENV BINARY=${BINARY}
+
+# ENTRYPOINT
+ENTRYPOINT ["/app/entrypoint.sh"]
+
+# We call the help by default
+CMD ["--help"]
@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+set -e
+
+# This script allows building a Container Image from a Linux
+# binary that is injected into a base-image.
+
+ENGINE=${ENGINE:-podman}
+
+if [ "$ENGINE" == "podman" ]; then
+  PODMAN_FLAGS="--format docker"
+else
+  PODMAN_FLAGS=""
+fi
+
+CONTEXT=$(mktemp -d)
+REGISTRY=${REGISTRY:-docker.io}
+
+# The following line ensure we know the project root
+PROJECT_ROOT=${PROJECT_ROOT:-$(git rev-parse --show-toplevel)}
+DOCKERFILE=${DOCKERFILE:-$PROJECT_ROOT/scripts/ci/dockerfiles/binary_injected.Dockerfile}
+VERSION_TOML=$(grep "^version " $PROJECT_ROOT/Cargo.toml | grep -oE "([0-9\.]+-?[0-9]+)")
+
+#n The following VAR have default that can be overriden
+DOCKER_OWNER=${DOCKER_OWNER:-parity}
+
+# We may get 1..n binaries, comma separated
+BINARY=${BINARY:-polkadot}
+IFS=',' read -r -a BINARIES <<< "$BINARY"
+
+VERSION=${VERSION:-$VERSION_TOML}
+BIN_FOLDER=${BIN_FOLDER:-.}
+
+IMAGE=${IMAGE:-${REGISTRY}/${DOCKER_OWNER}/${BINARIES[0]}}
+DESCRIPTION_DEFAULT="Injected Container image built for ${BINARY}"
+DESCRIPTION=${DESCRIPTION:-$DESCRIPTION_DEFAULT}
+
+VCS_REF=${VCS_REF:-01234567}
+
+# Build the image
+echo "Using engine: $ENGINE"
+echo "Using Dockerfile: $DOCKERFILE"
+echo "Using context: $CONTEXT"
+echo "Building ${IMAGE}:latest container image for ${BINARY} v${VERSION} from ${BIN_FOLDER} hang on!"
+echo "BIN_FOLDER=$BIN_FOLDER"
+echo "CONTEXT=$CONTEXT"
+
+# We need all binaries and resources available in the Container build "CONTEXT"
+mkdir -p $CONTEXT/bin
+for bin in "${BINARIES[@]}"
+do
+  echo "Copying $BIN_FOLDER/$bin to context: $CONTEXT/bin"
+  cp "$BIN_FOLDER/$bin" "$CONTEXT/bin"
+done
+
+cp "$PROJECT_ROOT/scripts/ci/dockerfiles/entrypoint.sh" "$CONTEXT"
+
+echo "Building image: ${IMAGE}"
+
+TAGS=${TAGS[@]:-latest}
+IFS=',' read -r -a TAG_ARRAY <<< "$TAGS"
+TAG_ARGS=" "
+
+echo "The image ${IMAGE} will be tagged with ${TAG_ARRAY[*]}"
+for tag in "${TAG_ARRAY[@]}"; do
+  TAG_ARGS+="--tag ${IMAGE}:${tag} "
+done
+
+echo "$TAG_ARGS"
+
+# time \
+$ENGINE build \
+    ${PODMAN_FLAGS} \
+    --build-arg VCS_REF="${VCS_REF}" \
+    --build-arg BUILD_DATE=$(date -u '+%Y-%m-%dT%H:%M:%SZ') \
+    --build-arg IMAGE_NAME="${IMAGE}" \
+    --build-arg BINARY="${BINARY}" \
+    --build-arg BIN_FOLDER="${BIN_FOLDER}" \
+    --build-arg DESCRIPTION="${DESCRIPTION}" \
+    ${TAG_ARGS} \
+    -f "${DOCKERFILE}" \
+    ${CONTEXT}
+
+echo "Your Container image for ${IMAGE} is ready"
+$ENGINE images
+
+if [[ -z "${SKIP_IMAGE_VALIDATION}" ]]; then
+  echo "Check the image ${IMAGE}:${TAG_ARRAY[0]}"
+  $ENGINE run --rm -i "${IMAGE}:${TAG_ARRAY[0]}" --version
+
+  echo "Query binaries"
+  $ENGINE run --rm -i --entrypoint /bin/bash "${IMAGE}:${TAG_ARRAY[0]}" -c 'echo BINARY: $BINARY'
+fi
@@ -1,49 +0,0 @@
-# this file copies from scripts/ci/dockerfiles/Dockerfile and changes only the binary name
-FROM docker.io/library/ubuntu:20.04
-
-# metadata
-ARG VCS_REF
-ARG BUILD_DATE
-ARG IMAGE_NAME
-
-LABEL io.parity.image.authors="devops-team@parity.io" \
-	io.parity.image.vendor="Parity Technologies" \
-	io.parity.image.title="${IMAGE_NAME}" \
-	io.parity.image.description="Injected adder-collator Docker image" \
-	io.parity.image.source="https://github.com/paritytech/polkadot/blob/${VCS_REF}/scripts/ci/dockerfiles/collator_injected.Dockerfile" \
-	io.parity.image.revision="${VCS_REF}" \
-	io.parity.image.created="${BUILD_DATE}" \
-	io.parity.image.documentation="https://github.com/paritytech/polkadot/"
-
-# show backtraces
-ENV RUST_BACKTRACE 1
-
-# install tools and dependencies
-RUN apt-get update && \
-	DEBIAN_FRONTEND=noninteractive apt-get install -y \
-		libssl1.1 \
-		ca-certificates && \
-# apt cleanup
-	apt-get autoremove -y && \
-	apt-get clean && \
-	find /var/lib/apt/lists/ -type f -not -name lock -delete; \
-# add user and link ~/.local/share/adder-collator to /data
-	useradd -m -u 1000 -U -s /bin/sh -d /adder-collator adder-collator && \
-	mkdir -p /data /adder-collator/.local/share && \
-	chown -R adder-collator:adder-collator /data && \
-	ln -s /data /adder-collator/.local/share/polkadot
-
-# add adder-collator binary to docker image
-COPY ./adder-collator /usr/local/bin
-COPY ./undying-collator /usr/local/bin
-
-USER adder-collator
-
-# check if executable works in this container
-RUN /usr/local/bin/adder-collator --version
-RUN /usr/local/bin/undying-collator --version
-
-EXPOSE 30333 9933 9944
-VOLUME ["/adder-collator"]
-
-ENTRYPOINT ["/usr/local/bin/adder-collator"]
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+# Sanity check
+if [ -z "$BINARY" ]
+then
+    echo "BINARY ENV not defined, this should never be the case. Aborting..."
+    exit 1
+fi
+
+# If the user built the image with multiple binaries,
+# we consider the first one to be the canonical one
+# To start with another binary, the user can either:
+#  - use the --entrypoint option
+#  - pass the ENV BINARY with a single binary
+IFS=',' read -r -a BINARIES <<< "$BINARY"
+BIN0=${BINARIES[0]}
+echo "Starting binary $BIN0"
+$BIN0 $@
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+# Sample call:
+# $0 /path/to/folder_with_binary
+# This script replace the former dedicated Dockerfile
+# and shows how to use the generic binary_injected.dockerfile
+
+PROJECT_ROOT=`git rev-parse --show-toplevel`
+
+export BINARY=malus,polkadot-execute-worker,polkadot-prepare-worker
+export BIN_FOLDER=$1
+# export TAGS=...
+
+$PROJECT_ROOT/scripts/ci/dockerfiles/build-injected.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+TMP=$(mktemp -d)
+ENGINE=${ENGINE:-podman}
+
+export TAGS=latest,beta,7777,1.0.2-rc23
+
+# Fetch some binaries
+$ENGINE run --user root --rm -i \
+  --pull always \
+  -v "$TMP:/export" \
+  --entrypoint /bin/bash \
+  paritypr/malus:7217 -c \
+  'cp "$(which malus)" /export'
+
+echo "Checking binaries we got:"
+ls -al $TMP
+
+./build-injected.sh $TMP
@@ -1,50 +0,0 @@
-FROM debian:bullseye-slim
-
-# metadata
-ARG VCS_REF
-ARG BUILD_DATE
-ARG IMAGE_NAME
-
-LABEL io.parity.image.authors="devops-team@parity.io" \
-	io.parity.image.vendor="Parity Technologies" \
-	io.parity.image.title="${IMAGE_NAME}" \
-	io.parity.image.description="Malus - the nemesis of polkadot" \
-	io.parity.image.source="https://github.com/paritytech/polkadot/blob/${VCS_REF}/scripts/ci/dockerfiles/malus.Dockerfile" \
-	io.parity.image.revision="${VCS_REF}" \
-	io.parity.image.created="${BUILD_DATE}" \
-	io.parity.image.documentation="https://github.com/paritytech/polkadot/"
-
-# show backtraces
-ENV RUST_BACKTRACE 1
-
-# install tools and dependencies
-RUN apt-get update && \
-	DEBIAN_FRONTEND=noninteractive apt-get install -y \
-    ca-certificates \
-    curl \
-    libssl1.1 \
-    tini && \
-# apt cleanup
-	apt-get autoremove -y && \
-	apt-get clean && \
-	find /var/lib/apt/lists/ -type f -not -name lock -delete; \
-# add user
-  groupadd --gid 10000 nonroot && \
-  useradd  --home-dir /home/nonroot \
-           --create-home \
-           --shell /bin/bash \
-           --gid nonroot \
-           --groups nonroot \
-           --uid 10000 nonroot
-
-
-# add malus binary to docker image
-COPY ./malus ./polkadot-execute-worker ./polkadot-prepare-worker /usr/local/bin
-
-USER nonroot
-
-# check if executable works in this container
-RUN /usr/local/bin/malus --version
-
-# Tini allows us to avoid several Docker edge cases, see https://github.com/krallin/tini.
-ENTRYPOINT ["tini", "--", "/bin/bash"]
@@ -1,7 +1,9 @@
 # Self built Docker image

 The Polkadot repo contains several options to build Docker images for Polkadot.
+
 This folder contains a self-contained image that does not require a Linux pre-built binary.
+
 Instead, building the image is possible on any host having docker installed and will
 build Polkadot inside Docker. That also means that no Rust toolchain is required on the host
 machine for the build to succeed.
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+# Sample call:
+# $0 /path/to/folder_with_binary
+# This script replace the former dedicated Dockerfile
+# and shows how to use the generic binary_injected.dockerfile
+
+PROJECT_ROOT=`git rev-parse --show-toplevel`
+
+export BINARY=polkadot,polkadot-execute-worker,polkadot-prepare-worker
+export BIN_FOLDER=$1
+
+$PROJECT_ROOT/scripts/ci/dockerfiles/build-injected.sh
@@ -1,27 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-pushd .
-
-# The following line ensure we run from the project root
-PROJECT_ROOT=`git rev-parse --show-toplevel`
-cd $PROJECT_ROOT
-
-# Find the current version from Cargo.toml
-VERSION=`grep "^version" ./cli/Cargo.toml | egrep -o "([0-9\.]+-?[0-9]+)"`
-GITUSER=parity
-GITREPO=polkadot
-
-# Build the image
-echo "Building ${GITUSER}/${GITREPO}:latest docker image, hang on!"
-time docker build \
-    -f ./scripts/ci/dockerfiles/polkadot/polkadot_builder.Dockerfile \
-    -t ${GITUSER}/${GITREPO}:latest \
-    -t ${GITUSER}/${GITREPO}:v${VERSION} \
-    .
-
-# Show the list of available images for this repo
-echo "Your Docker image for $GITUSER/$GITREPO is ready"
-docker images | grep ${GITREPO}
-
-popd
@@ -1,23 +1,22 @@
 version: '3'
 services:
  polkadot:
+    image: parity/polkadot:latest
+
    ports:
      - "127.0.0.1:30333:30333/tcp"
      - "127.0.0.1:9933:9933/tcp"
-    image: parity/polkadot:latest
+      - "127.0.0.1:9944:9944/tcp"
+      - "127.0.0.1:9615:9615/tcp"
+
    volumes:
      - "polkadot-data:/data"
+
    command: |
      --unsafe-rpc-external
      --unsafe-ws-external
      --rpc-cors all
      --prometheus-external

-    ports:
-      - "30333:30333"
-      - "9933:9933"
-      - "9944:9944"
-      - "9615:9615"
-
 volumes:
  polkadot-data:
@@ -7,7 +7,7 @@ COPY . /polkadot
 RUN cargo build --locked --release

 # This is the 2nd stage: a very small image where we copy the Polkadot binary."
-FROM docker.io/library/ubuntu:20.04
+FROM docker.io/parity/base-bin:latest

 LABEL description="Multistage Docker image for Polkadot: a platform for web3" \
 	io.parity.image.type="builder" \
@@ -11,7 +11,7 @@ LABEL io.parity.image.authors="devops-team@parity.io" \
 	io.parity.image.vendor="Parity Technologies" \
 	io.parity.image.title="parity/polkadot" \
 	io.parity.image.description="Polkadot: a platform for web3. This is the official Parity image with an injected binary." \
-	io.parity.image.source="https://github.com/paritytech/polkadot/blob/${VCS_REF}/scripts/ci/dockerfiles/polkadot_injected_release.Dockerfile" \
+	io.parity.image.source="https://github.com/paritytech/polkadot/blob/${VCS_REF}/scripts/ci/dockerfiles/polkadot/polkadot_injected_debian.Dockerfile" \
 	io.parity.image.revision="${VCS_REF}" \
 	io.parity.image.created="${BUILD_DATE}" \
 	io.parity.image.documentation="https://github.com/paritytech/polkadot/"
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+TMP=$(mktemp -d)
+ENGINE=${ENGINE:-podman}
+
+# You need to build an injected image first
+
+# Fetch some binaries
+$ENGINE run --user root --rm -i \
+  -v "$TMP:/export" \
+  --entrypoint /bin/bash \
+  parity/polkadot -c \
+  'cp "$(which polkadot)" /export'
+
+echo "Checking binaries we got:"
+tree $TMP
+
+./build-injected.sh $TMP
@@ -1,48 +0,0 @@
-FROM docker.io/library/ubuntu:20.04
-
-# metadata
-ARG VCS_REF
-ARG BUILD_DATE
-ARG IMAGE_NAME
-
-LABEL io.parity.image.authors="devops-team@parity.io" \
-	io.parity.image.vendor="Parity Technologies" \
-	io.parity.image.title="${IMAGE_NAME}" \
-	io.parity.image.description="Polkadot: a platform for web3" \
-	io.parity.image.source="https://github.com/paritytech/polkadot/blob/${VCS_REF}/scripts/ci/dockerfiles/polkadot_injected_debug.Dockerfile" \
-	io.parity.image.revision="${VCS_REF}" \
-	io.parity.image.created="${BUILD_DATE}" \
-	io.parity.image.documentation="https://github.com/paritytech/polkadot/"
-
-# show backtraces
-ENV RUST_BACKTRACE 1
-
-# install tools and dependencies
-RUN apt-get update && \
-	DEBIAN_FRONTEND=noninteractive apt-get install -y \
-		libssl1.1 \
-		ca-certificates && \
-# apt cleanup
-	apt-get autoremove -y && \
-	apt-get clean && \
-	find /var/lib/apt/lists/ -type f -not -name lock -delete; \
-# add user and link ~/.local/share/polkadot to /data
-	useradd -m -u 1000 -U -s /bin/sh -d /polkadot polkadot && \
-	mkdir -p /data /polkadot/.local/share && \
-	chown -R polkadot:polkadot /data && \
-	ln -s /data /polkadot/.local/share/polkadot
-
-# add polkadot binary to docker image
-COPY ./polkadot ./polkadot-execute-worker ./polkadot-prepare-worker /usr/local/bin
-
-USER polkadot
-
-# check if executable works in this container
-RUN /usr/local/bin/polkadot --version
-RUN /usr/local/bin/polkadot-execute-worker --version
-RUN /usr/local/bin/polkadot-prepare-worker --version
-
-EXPOSE 30333 9933 9944
-VOLUME ["/polkadot"]
-
-ENTRYPOINT ["/usr/local/bin/polkadot"]
@@ -0,0 +1,37 @@
+# staking-miner container image
+
+## Build using the Builder
+
+```
+./build.sh
+```
+
+## Build the injected Image
+
+You first need a valid Linux binary to inject. Let's assume this binary is located in `BIN_FOLDER`.
+
+```
+./build-injected.sh "$BIN_FOLDER"
+```
+
+## Test
+
+Here is how to test the image. We can generate a valid seed but the staking-miner will quickly notice that our
+account is not funded and "does not exist".
+
+You may pass any ENV supported by the binary and must provide at least a few such as `SEED` and `URI`:
+```
+ENV SEED=""
+ENV URI="wss://rpc.polkadot.io:443"
+ENV RUST_LOG="info"
+```
+
+```
+export SEED=$(subkey generate -n polkadot --output-type json  | jq -r .secretSeed)
+podman run --rm -it \
+    -e URI="wss://rpc.polkadot.io:443" \
+    -e RUST_LOG="info" \
+    -e SEED \
+    localhost/parity/staking-miner \
+        dry-run seq-phragmen
+```
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+# Sample call:
+# $0 /path/to/folder_with_staking-miner_binary
+# This script replace the former dedicated staking-miner "injected" Dockerfile
+# and shows how to use the generic binary_injected.dockerfile
+
+PROJECT_ROOT=`git rev-parse --show-toplevel`
+
+export BINARY=staking-miner
+export BIN_FOLDER=$1
+
+$PROJECT_ROOT/scripts/ci/dockerfiles/build-injected.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+# Sample call:
+# $0 /path/to/folder_with_staking-miner_binary
+# This script replace the former dedicated staking-miner "injected" Dockerfile
+# and shows how to use the generic binary_injected.dockerfile
+
+PROJECT_ROOT=`git rev-parse --show-toplevel`
+ENGINE=podman
+
+echo "Building the staking-miner using the Builder image"
+echo "PROJECT_ROOT=$PROJECT_ROOT"
+$ENGINE build -t staking-miner -f staking-miner_builder.Dockerfile "$PROJECT_ROOT"
@@ -4,17 +4,17 @@ FROM paritytech/ci-linux:production as builder
 ARG VCS_REF
 ARG BUILD_DATE
 ARG IMAGE_NAME="staking-miner"
-ARG PROFILE=release
+ARG PROFILE=production

 LABEL description="This is the build stage. Here we create the binary."

 WORKDIR /app
 COPY . /app
-RUN cargo build --locked --$PROFILE --package staking-miner
+RUN cargo build --locked --profile $PROFILE --package staking-miner

 # ===== SECOND STAGE ======

-FROM docker.io/library/ubuntu:20.04
+FROM docker.io/parity/base-bin:latest
 LABEL description="This is the 2nd stage: a very small image where we copy the binary."
 LABEL io.parity.image.authors="devops-team@parity.io" \
 	io.parity.image.vendor="Parity Technologies" \
@@ -28,13 +28,10 @@ LABEL io.parity.image.authors="devops-team@parity.io" \
 ARG PROFILE=release
 COPY --from=builder /app/target/$PROFILE/staking-miner /usr/local/bin

-RUN useradd -u 1000 -U -s /bin/sh miner && \
-	rm -rf /usr/bin /usr/sbin
-
 # show backtraces
 ENV RUST_BACKTRACE 1

-USER miner
+USER parity

 ENV SEED=""
 ENV URI="wss://rpc.polkadot.io"
@@ -1,43 +0,0 @@
-FROM docker.io/library/ubuntu:20.04
-
-# metadata
-ARG VCS_REF
-ARG BUILD_DATE
-ARG IMAGE_NAME="staking-miner"
-
-LABEL io.parity.image.authors="devops-team@parity.io" \
-	io.parity.image.vendor="Parity Technologies" \
-	io.parity.image.title="${IMAGE_NAME}" \
-	io.parity.image.description="${IMAGE_NAME} for substrate based chains" \
-	io.parity.image.source="https://github.com/paritytech/polkadot/blob/${VCS_REF}/scripts/ci/dockerfiles/${IMAGE_NAME}/${IMAGE_NAME}_injected.Dockerfile" \
-	io.parity.image.revision="${VCS_REF}" \
-	io.parity.image.created="${BUILD_DATE}" \
-	io.parity.image.documentation="https://github.com/paritytech/polkadot/"
-
-# show backtraces
-ENV RUST_BACKTRACE 1
-
-# install tools and dependencies
-RUN apt-get update && \
-	DEBIAN_FRONTEND=noninteractive apt-get install -y \
-		libssl1.1 \
-		ca-certificates && \
-# apt cleanup
-	apt-get autoremove -y && \
-	apt-get clean && \
-	find /var/lib/apt/lists/ -type f -not -name lock -delete; \
-	useradd -u 1000 -U -s /bin/sh miner
-
-# add binary to docker image
-COPY ./staking-miner /usr/local/bin
-
-USER miner
-
-ENV SEED=""
-ENV URI="wss://rpc.polkadot.io"
-ENV RUST_LOG="info"
-
-# check if the binary works in this container
-RUN /usr/local/bin/staking-miner --version
-
-ENTRYPOINT [ "/usr/local/bin/staking-miner" ]
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+TMP=$(mktemp -d)
+ENGINE=${ENGINE:-podman}
+
+# You need to build an injected image first
+
+# Fetch some binaries
+$ENGINE run --user root --rm -i \
+  -v "$TMP:/export" \
+  --entrypoint /bin/bash \
+  parity/staking-miner -c \
+  'cp "$(which staking-miner)" /export'
+
+echo "Checking binaries we got:"
+tree $TMP
+
+./build-injected.sh $TMP
@@ -39,7 +39,6 @@ build-linux-stable:
    - echo -n ${CI_JOB_ID} > ./artifacts/BUILD_LINUX_JOB_ID
    - RELEASE_VERSION=$(./artifacts/polkadot -V | awk '{print $2}'| awk -F "-" '{print $1}')
    - echo -n "v${RELEASE_VERSION}" > ./artifacts/BUILD_RELEASE_VERSION
-    - cp -r scripts/* ./artifacts

 build-test-collators:
  stage: build
@@ -64,7 +63,6 @@ build-test-collators:
    - echo -n "${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHORT_SHA}" > ./artifacts/EXTRATAG
    - echo "adder-collator version = $(cat ./artifacts/VERSION) (EXTRATAG = $(cat ./artifacts/EXTRATAG))"
    - echo "undying-collator version = $(cat ./artifacts/VERSION) (EXTRATAG = $(cat ./artifacts/EXTRATAG))"
-    - cp -r ./scripts/* ./artifacts

 build-malus:
  stage: build
@@ -88,7 +86,6 @@ build-malus:
    - echo -n "${CI_COMMIT_REF_NAME}" > ./artifacts/VERSION
    - echo -n "${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHORT_SHA}" > ./artifacts/EXTRATAG
    - echo "polkadot-test-malus = $(cat ./artifacts/VERSION) (EXTRATAG = $(cat ./artifacts/EXTRATAG))"
-    - cp -r ./scripts/* ./artifacts

 build-staking-miner:
  stage: build
@@ -110,7 +107,6 @@ build-staking-miner:
    - echo -n "${CI_COMMIT_REF_NAME}" > ./artifacts/VERSION
    - echo -n "${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHORT_SHA}" > ./artifacts/EXTRATAG
    - echo "staking-miner = $(cat ./artifacts/VERSION) (EXTRATAG = $(cat ./artifacts/EXTRATAG))"
-    - cp -r ./scripts/* ./artifacts

 build-rustdoc:
  stage: build
@@ -19,20 +19,16 @@ publish-polkadot-debug-image:
    - if: $CI_COMMIT_REF_NAME =~ /^[0-9]+$/ # PRs
    - if: $CI_COMMIT_REF_NAME =~ /^v[0-9]+\.[0-9]+.*$/ # i.e. v1.0, v2.1rc1
  variables:
-    CI_IMAGE: ${BUILDAH_IMAGE}
-    GIT_STRATEGY: none
-    DOCKER_USER: ${PARITYPR_USER}
-    DOCKER_PASS: ${PARITYPR_PASS}
-    # scripts/ci/dockerfiles/polkadot_injected_debug.Dockerfile
-    DOCKERFILE: ci/dockerfiles/polkadot_injected_debug.Dockerfile
-    IMAGE_NAME: docker.io/paritypr/polkadot-debug
+    IMAGE_NAME: "polkadot-debug"
+    BINARY: "polkadot,polkadot-execute-worker,polkadot-prepare-worker"
  needs:
    - job: build-linux-stable
      artifacts: true
  after_script:
+    - !reference [.build-push-image, after_script]
    # pass artifacts to the zombienet-tests job
    # https://docs.gitlab.com/ee/ci/multi_project_pipelines.html#with-variable-inheritance
-    - echo "PARACHAINS_IMAGE_NAME=${IMAGE_NAME}" > ./artifacts/parachains.env
+    - echo "PARACHAINS_IMAGE_NAME=${IMAGE}" > ./artifacts/parachains.env
    - echo "PARACHAINS_IMAGE_TAG=$(cat ./artifacts/EXTRATAG)" >> ./artifacts/parachains.env
  artifacts:
    reports:
@@ -48,20 +44,15 @@ publish-test-collators-image:
    - .build-push-image
    - .zombienet-refs
  variables:
-    CI_IMAGE: ${BUILDAH_IMAGE}
-    GIT_STRATEGY: none
-    DOCKER_USER: ${PARITYPR_USER}
-    DOCKER_PASS: ${PARITYPR_PASS}
-    # scripts/ci/dockerfiles/collator_injected.Dockerfile
-    DOCKERFILE: ci/dockerfiles/collator_injected.Dockerfile
-    IMAGE_NAME: docker.io/paritypr/colander
+    IMAGE_NAME: "colander"
+    BINARY: "adder-collator,undying-collator"
  needs:
    - job: build-test-collators
      artifacts: true
  after_script:
-    - buildah logout --all
+    - !reference [.build-push-image, after_script]
    # pass artifacts to the zombienet-tests job
-    - echo "COLLATOR_IMAGE_NAME=${IMAGE_NAME}" > ./artifacts/collator.env
+    - echo "COLLATOR_IMAGE_NAME=${IMAGE}" > ./artifacts/collator.env
    - echo "COLLATOR_IMAGE_TAG=$(cat ./artifacts/EXTRATAG)" >> ./artifacts/collator.env
  artifacts:
    reports:
@@ -76,20 +67,15 @@ publish-malus-image:
    - .build-push-image
    - .zombienet-refs
  variables:
-    CI_IMAGE: ${BUILDAH_IMAGE}
-    GIT_STRATEGY: none
-    DOCKER_USER: ${PARITYPR_USER}
-    DOCKER_PASS: ${PARITYPR_PASS}
-    # scripts/ci/dockerfiles/malus_injected.Dockerfile
-    DOCKERFILE: ci/dockerfiles/malus_injected.Dockerfile
-    IMAGE_NAME: docker.io/paritypr/malus
+    IMAGE_NAME: "malus"
+    BINARY: "malus,polkadot-execute-worker,polkadot-prepare-worker"
  needs:
    - job: build-malus
      artifacts: true
  after_script:
-    - buildah logout "$IMAGE_NAME"
+    - !reference [.build-push-image, after_script]
    # pass artifacts to the zombienet-tests job
-    - echo "MALUS_IMAGE_NAME=${IMAGE_NAME}" > ./artifacts/malus.env
+    - echo "MALUS_IMAGE_NAME=${IMAGE}" > ./artifacts/malus.env
    - echo "MALUS_IMAGE_TAG=$(cat ./artifacts/EXTRATAG)" >> ./artifacts/malus.env
  artifacts:
    reports:
@@ -103,13 +89,11 @@ publish-staking-miner-image:
    - .build-push-image
    - .publish-refs
  variables:
-    CI_IMAGE: ${BUILDAH_IMAGE}
-    # scripts/ci/dockerfiles/staking-miner/staking-miner_injected.Dockerfile
-    DOCKERFILE: ci/dockerfiles/staking-miner/staking-miner_injected.Dockerfile
-    IMAGE_NAME: docker.io/paritytech/staking-miner
-    GIT_STRATEGY: none
-    DOCKER_USER: ${Docker_Hub_User_Parity}
-    DOCKER_PASS: ${Docker_Hub_Pass_Parity}
+    IMAGE_NAME: "staking-miner"
+    BINARY: "staking-miner"
+    DOCKER_OWNER: "paritytech"
+    DOCKER_USER: "${Docker_Hub_User_Parity}"
+    DOCKER_PASS: "${Docker_Hub_Pass_Parity}"
  needs:
    - job: build-staking-miner
      artifacts: true
@@ -122,11 +106,11 @@ publish-polkadot-image-description:
    DOCKER_PASSWORD: ${Docker_Hub_Pass_Parity}
    DOCKERHUB_REPOSITORY: parity/polkadot
    SHORT_DESCRIPTION: "Polkadot Official Docker Image"
-    README_FILEPATH: $CI_PROJECT_DIR/scripts/ci/dockerfiles/polkadot_Dockerfile.README.md
+    README_FILEPATH: $CI_PROJECT_DIR/scripts/ci/dockerfiles/polkadot/polkadot_Dockerfile.README.md
  rules:
    - if: $CI_COMMIT_REF_NAME == "master"
      changes:
-        - scripts/ci/dockerfiles/polkadot_Dockerfile.README.md
+        - scripts/ci/dockerfiles/polkadot/polkadot_Dockerfile.README.md
    - if: $CI_PIPELINE_SOURCE == "schedule"
      when: never
  script: