Draft: Configure image to run as non-root by default #74

Draft · wants to merge 13 commits into base: develop
118 changes: 47 additions & 71 deletions Dockerfile
Expand Up @@ -2,24 +2,24 @@
ARG BASE_IMAGE
FROM ${BASE_IMAGE}
ARG BASE_IMAGE

ENV DEBIAN_FRONTEND noninteractive
RUN : \
&& apt-get update \
&& apt-get install -y curl git wget libssl-dev libffi-dev llvm clang gcc g++ pkg-config build-essential jq sudo \
&& rm -rf /var/cache/apt/archives /var/lib/apt/lists/*

# Install Python versions with deadsnakes.
SHELL [ "/bin/bash", "-c" ]

RUN : \
&& set -x \
&& export DEBIAN_FRONTEND=noninteractive \
&& apt-get update \
&& apt-get install -y software-properties-common --no-install-recommends \
&& apt-get install -y curl \
&& curl -fsSL https://deb.nodesource.com/setup_18.x | bash - \
&& apt update \
&& apt-get install -y git wget libssl-dev libffi-dev llvm clang gcc g++ pkg-config build-essential jq sudo software-properties-common graphviz unzip lcov git-lfs docker.io nodejs xxd cmake --no-install-recommends \
&& add-apt-repository ppa:deadsnakes/ppa \
&& apt update \
&& apt-get install -y python{3.8,3.9,3.10,3.11,3.12}{,-venv,-dev} --no-install-recommends \
&& rm -rf /var/cache/apt/archives /var/lib/apt/lists/*

# Install docker-buildx
COPY --from=docker/buildx-bin:latest /buildx /usr/libexec/docker/cli-plugins/docker-buildx

RUN : \
# Install Pip for all other Python versions.
&& set -x \
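Review bot: the build still pulls two unpinned inputs at image-build time, `COPY --from=docker/buildx-bin:latest` and `curl -fsSL https://deb.nodesource.com/setup_18.x | bash -`, so the same Dockerfile can yield a different image from one build to the next and neither input is integrity-checked; pin the buildx image to a version tag or digest and fetch a specific nodesource release (or verify its checksum) before executing it. Smaller points in the same RUN: `software-properties-common` is installed twice (once on its own line, again in the long `apt-get install` list), `apt update` and `apt-get update` are mixed (the `apt` front end warns that its CLI is not stable for scripting; use `apt-get` throughout), and `export DEBIAN_FRONTEND=noninteractive` duplicates the `ENV DEBIAN_FRONTEND noninteractive` already set above.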
Expand All @@ -32,14 +32,34 @@ RUN : \
&& ln -svf $(which python3.10) /usr/bin/python \
&& ln -svf $(which python3.10) /usr/bin/python3

ENV PATH="$PATH:/root/.cargo/bin:/root/.local/bin"

COPY formulae /tmp/formulae
COPY src /tmp/src
# Nix
RUN : \
#
# install from custom formulae
#
&& sh <(curl -L https://nixos.org/nix/install) --daemon \
&& echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf \
&& echo "max-jobs = auto" >> /etc/nix/nix.conf

# Setup the main user which can run apt-get.
RUN useradd -m -s /bin/bash -u 10000 main
RUN echo "main ALL=NOPASSWD: $(which apt-get)" >> /etc/sudoers
RUN chown main:main -R /usr/local /opt
USER main
WORKDIR /home/main

# Point CARGO_HOME and PIPX_HOME outside of the home directory as that may get overridden with a mount.
ENV RUSTUP_HOME=/opt/rustup
ENV CARGO_HOME=/opt/cargo
ENV PIPX_HOME=/opt/pipx
ENV PIPX_BIN_DIR=/usr/local/bin
ENV PIPX_MAN_DIR=/usr/local/share/man
ENV PATH="$PATH:/$CARGO_HOME/bin"

# At runtime many tools install to $HOME/.local/bin, but we don't as home may get overriden.
ENV PATH="$PATH:/$HOME/.local/bin"

RUN --mount=type=bind,src=formulae,target=/tmp/formulae \
--mount=type=bind,src=src,target=/tmp/src : \
&& set -x \
&& python /tmp/src/main.py /tmp/formulae/buf.py \
&& python /tmp/src/main.py /tmp/formulae/buildkit.py \
&& python /tmp/src/main.py /tmp/formulae/grcov.py \
&& python /tmp/src/main.py /tmp/formulae/kubectl.py \
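Review bot: `ENV PATH="$PATH:/$HOME/.local/bin"` does not do what the comment above it says. Dockerfile `ENV` substitutes variables at build time and only knows variables declared with `ENV`/`ARG` or present in the base image's config, so unless the base image sets `HOME`, `$HOME` expands to an empty string and PATH ends with `//.local/bin` instead of `/home/main/.local/bin`; the same stray leading slash is in `"$PATH:/$CARGO_HOME/bin"` (`//opt/cargo/bin`). Write the paths out, e.g. `ENV PATH="$PATH:$CARGO_HOME/bin:/home/main/.local/bin"`. On the user setup: `echo "main ALL=NOPASSWD: $(which apt-get)" >> /etc/sudoers` appends to the main sudoers file with no syntax check (a malformed line disables sudo entirely); prefer a drop-in under `/etc/sudoers.d/` validated with `visudo -cf`. It is also worth stating in the PR description that passwordless root `apt-get` plus `chown main:main -R /usr/local /opt` leaves `main` able to install packages and replace system-wide binaries, so the non-root default protects against accidental damage rather than acting as a privilege boundary.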
Expand All @@ -48,37 +68,12 @@ RUN : \
&& python /tmp/src/main.py /tmp/formulae/sccache.py \
&& python /tmp/src/main.py /tmp/formulae/terraform.py \
&& python /tmp/src/main.py /tmp/formulae/yq.py \
#
# more APT packages
#
&& curl -fsSL https://deb.nodesource.com/setup_18.x | bash - \
&& apt-get update \
&& apt-get install -y docker.io nodejs graphviz unzip lcov git-lfs \
#
# Rust
#
&& apt-get install -y xxd cmake \
&& ( curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y ) \
#
# helm
#
&& ( curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash ) \
#
# [cleanup]
#
&& rm -r /tmp/src /tmp/formulae \
&& rm -rf ~/.cache /var/cache/apt/archives /var/lib/apt/lists/*

#
# docker-buildx
#
COPY --from=docker/buildx-bin:latest /buildx /usr/libexec/docker/cli-plugins/docker-buildx
&& ( curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 --no-root | bash ) \
&& ( curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y )

#
# Rust tools
#
# Rust tools, build with sccache and GHA cache to speed up builds.
ARG ACTIONS_CACHE_URL
RUN --mount=type=secret,id=ACTIONS_RUNTIME_TOKEN : \
RUN --mount=type=secret,id=ACTIONS_RUNTIME_TOKEN,uid=10000 : \
&& rustup toolchain install 1.75.0 \
&& rustup toolchain install nightly --component rustfmt \
&& rustup default 1.75.0 \
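Review bot: in `curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 --no-root | bash`, `--no-root` sits on the curl side of the pipe, so curl parses it as one of its own options (and fails on it as unknown) and the install script never sees it; options for the script belong after `bash -s --`, e.g. `curl ... | bash -s -- --no-root`, and the script's usage text should be checked for the exact flag it accepts for a non-privileged install. Also, both this script (fetched from the moving `main` ref) and `https://sh.rustup.rs` are downloaded and executed without any verification; pinning a commit or release and checking a hash would make the image build reproducible.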
Expand All @@ -95,35 +90,16 @@ RUN --mount=type=secret,id=ACTIONS_RUNTIME_TOKEN : \
&& cargo install cargo-llvm-cov --version 0.5.39 \
&& cargo install cargo-hack --version 0.6.15 \
&& cargo install buffrs --version 0.7.5 \
&& sccache --stop-server
&& cargo install cargo-cache --version 0.8.3 \
&& sccache --stop-server \
&& cargo cache --autoclean

#
# Buf (for Buffrs)
#
RUN : \
&& BIN="/usr/bin" \
&& VERSION="1.17.0" \
&& curl -sSL \
"https://github.com/bufbuild/buf/releases/download/v${VERSION}/buf-$(uname -s)-$(uname -m)" \
-o "${BIN}/buf" && \
chmod +x "${BIN}/buf"

#
# Python tools
#
RUN : \
&& python -m pip install pipx==1.3.3 -v \
&& python -m pip install pipx==1.4.3 -v \
&& pipx install poetry==1.7.1 \
&& pipx install pdm==2.11.1 \
&& pipx install slap-cli==1.11.1 \
&& pipx install kraken-wrapper==0.32.4 \
&& pipx install pdm==2.12.1 \
&& pipx install slap-cli==1.11.2 \
&& pipx install kraken-wrapper==0.33.1 \
&& pipx install ansible-base==2.10.17 && pipx inject ansible-base ansible==9.1.0 \
&& rm -rf ~/.cache/pip

#
# Nix
#
RUN : \
&& sh <(curl -L https://nixos.org/nix/install) --daemon \
&& echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf \
&& echo "max-jobs = auto" >> /etc/nix/nix.conf
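Review bot: the version bumps in this hunk (pipx 1.3.3 to 1.4.3, pdm 2.11.1 to 2.12.1, slap-cli 1.11.1 to 1.11.2, kraken-wrapper 0.32.4 to 0.33.1) and the new `cargo-cache` install are unrelated to running as non-root and make the behavioural change harder to review and to revert; consider landing them separately. For the parts that do belong here: the removed Buf step wrote to `/usr/bin` as root while its replacement formula targets `/usr/local/bin`, and the `pipx install` lines now run as `main` with `PIPX_BIN_DIR=/usr/local/bin`, so both depend on the earlier `chown main:main -R /usr/local /opt`; a comment next to that chown naming the later steps that rely on it would help the next reader. `rm -rf ~/.cache/pip` now refers to `/home/main/.cache/pip`, which is the intent after `USER main`.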
9 changes: 5 additions & 4 deletions README.md
Expand Up @@ -37,6 +37,7 @@ the base image in that minor version range besides a higher minor having already
| buffrs | cargo | 0.7.5 |
| build-essential | apt-get | latest |
| BuildKit | GitHub Releases | 0.12.4 |
| cargo-cache | cargo | 0.8.3 |
| cargo-deny | cargo | 0.14.3 |
| cargo-hack | cargo | 0.6.15 |
| cargo-llvm-cov | cargo | 0.5.39 |
Expand All @@ -53,7 +54,7 @@ the base image in that minor version range besides a higher minor having already
| grcov | [GitHub releases](https://github.com/mozilla/grcov/releases) ([formula](formulae/grcov.py)) | 0.8.19 |
| jq | apt-get | latest |
| Helm | get-helm-3 | latest |
| kraken-wrapper | Pipx (Python 3.10) | 0.32.4 |
| kraken-wrapper | Pipx (Python 3.10) | 0.33.1 |
| Kubectl | apt-get (`apt.kubernetes.io`) | 1.28.4 |
| lcov | apt-get | latest |
| libffi | apt-get | latest |
Expand All @@ -62,8 +63,8 @@ the base image in that minor version range besides a higher minor having already
| manifest-tool | [GitHub releases](https://github.com/estesp/manifest-tool/releases) ([formula](formulae/manifest-tool.py)) | 2.1.5 |
| Nix | `https://nixos.org/nix/install` | latest |
| NodeJS | apt-get (via [nodesource install](https://github.com/nodesource/distributions#debinstall)) | 18 |
| PDM | Pipx (Python 3.10) | 2.11.1 |
| Pipx | Pip (Python 3.10) | 1.3.3 |
| PDM | Pipx (Python 3.10) | 2.12.1 |
| Pipx | Pip (Python 3.10) | 1.4.3 |
| pkg-config | apt-get | latest |
| Poetry | Pipx (Python 3.10) | 1.7.1 |
| protobuf-compiler | [GitHub releases](https://github.com/protocolbuffers/protobuf/releases) ([formula](formulae/protobuf-compiler.py)) | 3.20.1 |
Expand All @@ -72,7 +73,7 @@ the base image in that minor version range besides a higher minor having already
| Rustup | rustup.rs | latest |
| rustfmt | rustup | nightly (additionally) |
| sccache | [GitHub releases](https://github.com/mozilla/sccache/releases) ([formula](formulae/sccache.py)) | 0.7.4 |
| Slap ([link](https://github.com/python-slap/slap-cli)) | Pipx (Python 3.10) | 1.11.1 |
| Slap ([link](https://github.com/python-slap/slap-cli)) | Pipx (Python 3.10) | 1.11.2 |
| sqlx-cli | cargo | 0.7.3 |
| Terraform | Hashicorp releases | 1.6.6 |
| wget | apt-get | latest |
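Review bot: the table rows updated here track the Dockerfile version bumps (cargo-cache 0.8.3, kraken-wrapper 0.33.1, PDM 2.12.1, Pipx 1.4.3, Slap 1.11.2), but nothing in the README hunks documents the change the PR is about: the default user (`main`, uid 10000), that `/usr/local` and `/opt` are owned by it, that `apt-get` is available through passwordless sudo, and that `CARGO_HOME`/`PIPX_HOME` live under `/opt` because `/home/main` may be replaced by a mount. A short section on the runtime user would let consumers who mount volumes or run with `--user` know what to expect.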
10 changes: 10 additions & 0 deletions formulae/buf.py
@@ -0,0 +1,10 @@
from formula import DownloadFileFormula


class BufFormula(DownloadFileFormula):

version = "1.17.0"
download_url = "https://github.com/bufbuild/buf/releases/download/v${version}/buf-Linux-${archv1}"
install_to = "/usr/local/bin"
output_file = "${install_to}/buf"
chmod = 0o755
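Review bot: the downloaded binary is installed with no integrity check, so if `DownloadFileFormula` supports a checksum or signature field, pin the 1.17.0 release's checksum here (taken from the release page, not guessed). Two smaller points: `buf-Linux-${archv1}` hardcodes `Linux` where the removed Dockerfile step used `$(uname -s)`, which is fine for this image but deserves a comment, and `${archv1}` must resolve to the architecture names buf uses in its asset filenames (the `x86_64`/`aarch64` style that `uname -m` produced before) rather than `amd64`/`arm64`, since the previous step relied on `uname -m` directly.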