From 2c6fd67276380124027e2e839d6508c8b015a4d1 Mon Sep 17 00:00:00 2001
From: Meisam <39205857+MFTabriz@users.noreply.github.com>
Date: Wed, 4 Jan 2023 23:15:12 +0100
Subject: [PATCH] set a non-root user for containers (#2496)
* change root user in dockerfile
* build container on push/pr
* grab docker build params from env
* consolidate container build
* rm unused container build workflow/script
* cleanup ci
* set user for earthly container build
* rm ci docker build for develop branch
* checkout full repo for docker builds
* read earthly push from env
* cleanup ci
* rm unsupported option for actions/checkout@v3
* check dockerfile in ci
* add dockerfile build to earthfile
* authenticate to GH only on schedule builds
* accurate name for dev container builder script
* add note to the dockerfile about earthfile
* document dev build process more clearly
---
.github/workflows/container-lint.yml | 28 ++++++++++++++
.github/workflows/container.yaml | 56 +++++++++++++++++++++++++++
.github/workflows/docker-nightly.yaml | 41 --------------------
.github/workflows/docker-webv2.yaml | 43 --------------------
.github/workflows/shellcheck.yml | 2 +-
Dockerfile | 22 ++++++++---
Earthfile | 7 +++-
build/develop/container.sh | 27 +++++++++++++
build/release/docker-nightly.sh | 14 -------
build/release/docker-webv2.sh | 15 -------
10 files changed, 134 insertions(+), 121 deletions(-)
create mode 100644 .github/workflows/container-lint.yml
create mode 100644 .github/workflows/container.yaml
delete mode 100644 .github/workflows/docker-nightly.yaml
delete mode 100644 .github/workflows/docker-webv2.yaml
create mode 100755 build/develop/container.sh
delete mode 100755 build/release/docker-nightly.sh
delete mode 100755 build/release/docker-webv2.sh
diff --git a/.github/workflows/container-lint.yml b/.github/workflows/container-lint.yml
new file mode 100644
index 000000000..0703ff8d0
--- /dev/null
+++ b/.github/workflows/container-lint.yml
@@ -0,0 +1,28 @@
+name: Lint
+
+on:
+ push:
+ branches:
+ - webv2
+ paths:
+ - 'Dockerfile'
+ pull_request:
+ branches:
+ - webv2
+ paths:
+ - 'Dockerfile'
+
+jobs:
+ trivy:
+ name: Dockerfile
+ runs-on: ubuntu-latest
+ container:
+ image: aquasec/trivy
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Check critical issues
+ run: trivy config --exit-code 1 --severity "HIGH,CRITICAL" ./Dockerfile
+
+ - name: Check non-critical issues
+ run: trivy config --severity "LOW,MEDIUM" ./Dockerfile
diff --git a/.github/workflows/container.yaml b/.github/workflows/container.yaml
new file mode 100644
index 000000000..61b4843c1
--- /dev/null
+++ b/.github/workflows/container.yaml
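Review bot: The lint job runs inside `image: aquasec/trivy` with no tag or digest, so each run pulls whatever the registry currently publishes and the scan result is neither reproducible nor auditable; pin it, e.g. `image: aquasec/trivy:<pinned-version>` (placeholder) or preferably an `@sha256:` digest, and treat bumps as reviewed changes. The same applies to `actions/checkout@v3`, a mutable tag rather than a commit SHA. The second step runs without `--exit-code`, so LOW/MEDIUM findings are report-only; a comment on that step such as `# informational only: LOW/MEDIUM findings do not fail the job` would make the intent explicit to the next reader.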
@@ -0,0 +1,56 @@
+# See https://docs.earthly.dev/ci-integration/vendor-specific-guides/gh-actions-integration
+# for details.
+
+name: Build development container
+
+on:
+ schedule:
+ - cron: '0 2 * * *'
+ push:
+ branches:
+ - webv2
+ pull_request:
+ branches:
+ - webv2
+
+jobs:
+ Earthly:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Set up Earthly
+ uses: earthly/actions-setup@v1
+ with:
+ version: 'latest' # or pin to an specific version, e.g. "v0.6.10"
+
+ - name: Log Earthly version
+ run: earthly --version
+
+ - name: Authenticate to GitHub Container Registry
+ if: ${{ github.event_name == 'schedule' && env.GH_CR_PAT != null }}
+ env:
+ GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
+ run: echo "${{ secrets.GH_CR_PAT }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v2
+ with:
+ image: tonistiigi/binfmt:latest
+ platforms: all
+
+ - name: Checkout repo
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Build and push
+ if: ${{ github.event_name == 'schedule' && env.GH_CR_PAT != null }}
+ env:
+ GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
+ EARTHLY_BUILD_TAG: 'webv2'
+ EARTHLY_BUILD_BRANCH: 'webv2'
+ EARTHLY_PUSH: true
+ run: ./build/develop/container.sh
+
+ - name: Build
+ if: ${{ github.event_name == 'push' || github.event_name == 'pull_request' }}
+ run: ./build/develop/container.sh
\ No newline at end of file
diff --git a/.github/workflows/docker-nightly.yaml b/.github/workflows/docker-nightly.yaml
deleted file mode 100644
index 3b4bce7cd..000000000
--- a/.github/workflows/docker-nightly.yaml
+++ /dev/null
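Review bot: The registry login step templates the secret straight into the shell command, `run: echo "${{ secrets.GH_CR_PAT }}" | docker login ...`, even though the same step already exports it as `GH_CR_PAT`; reading it from the environment, `run: echo "$GH_CR_PAT" | docker login https://ghcr.io -u "${{ github.actor }}" --password-stdin`, keeps the value out of the generated script, which is the pattern GitHub's hardening guidance recommends for secrets in `run` steps. The `if: github.repository == 'owncast/owncast'` guard present in both deleted workflows is dropped here, so the scheduled build (though not the push, which `env.GH_CR_PAT != null` blocks) will run in every fork that keeps the schedule; restoring it on the `Earthly` job avoids that. Whether a step-level `env` entry is visible inside that same step's `if` expression is worth confirming against the Actions docs; if it is not, the condition never sees the secret and the scheduled push silently never runs.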
@@ -1,41 +0,0 @@
-# See https://docs.earthly.dev/ci-integration/vendor-specific-guides/gh-actions-integration
-# for details.
-
-name: Build nightly docker
-
-on:
- workflow_dispatch:
- schedule:
- - cron: '0 2 * * *'
-
-jobs:
- Docker:
- runs-on: ubuntu-latest
- if: github.repository == 'owncast/owncast'
- steps:
- - uses: earthly/actions-setup@v1
- with:
- version: 'latest' # or pin to an specific version, e.g. "v0.6.10"
-
- - name: Earthly version
- run: earthly --version
-
- - name: Log into GitHub Container Registry
- env:
- GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
- run: echo "${{ secrets.GH_CR_PAT }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin
- if: env.GH_CR_PAT != null
-
- - name: Set up QEMU
- id: qemu
- uses: docker/setup-qemu-action@v2
- with:
- image: tonistiigi/binfmt:latest
- platforms: all
-
- - uses: actions/checkout@v3
- - name: Checkout and build
- if: env.GH_CR_PAT != null
- env:
- GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
- run: cd build/release && ./docker-nightly.sh
diff --git a/.github/workflows/docker-webv2.yaml b/.github/workflows/docker-webv2.yaml
deleted file mode 100644
index 47dad0b10..000000000
--- a/.github/workflows/docker-webv2.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-# See https://docs.earthly.dev/ci-integration/vendor-specific-guides/gh-actions-integration
-# for details.
-
-name: Build webv2 docker
-
-on:
- workflow_dispatch:
- schedule:
- - cron: '0 0 * * *'
-
-jobs:
- Docker:
- runs-on: ubuntu-latest
- if: github.repository == 'owncast/owncast'
- steps:
- - uses: earthly/actions-setup@v1
- with:
- version: 'latest' # or pin to an specific version, e.g. "v0.6.10"
-
- - name: Earthly version
- run: earthly --version
-
- - name: Log into GitHub Container Registry
- env:
- GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
- run: echo "${{ secrets.GH_CR_PAT }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin
- if: env.GH_CR_PAT != null
-
- - name: Set up QEMU
- id: qemu
- uses: docker/setup-qemu-action@v2
- with:
- image: tonistiigi/binfmt:latest
- platforms: all
-
- - uses: actions/checkout@v3
- with:
- fetch-depth: 0
- - name: Checkout and build
- if: env.GH_CR_PAT != null
- env:
- GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
- run: cd build/release && ./docker-webv2.sh
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index 94b1de1fb..bf8f8bf59 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -18,7 +18,7 @@ jobs:
 env:
 LANG: C.UTF-8
 container:
- image: docker.io/ubuntu:22.10
+ image: docker.io/ubuntu:22.04
 steps:
 - uses: actions/checkout@v3
diff --git a/Dockerfile b/Dockerfile
index bcc36db22..049f55ffc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,10 +1,17 @@
-# Perform a build
+# IMPORTANT: This Dockerfile has been provided for the sake of convenience.
+# Currently, functionality of the containers built based on this file
+# is not a part of our continuous testing. Although, patches to keep it
+# up to date are always welcome.
+#
+# See ‘Earthfile’ for the recipes used in official builds.
+
 FROM golang:alpine AS build
-RUN mkdir /build
-ADD . /build
-WORKDIR /build
+
 RUN apk update && apk add --no-cache git gcc build-base linux-headers
+WORKDIR /build
+COPY . /build
+
 ARG VERSION=dev
 ENV VERSION=${VERSION}
 ARG GIT_COMMIT
@@ -15,13 +22,16 @@ ENV NAME=${NAME}
 RUN CGO_ENABLED=1 GOOS=linux go build -a -installsuffix cgo -ldflags "-extldflags \"-static\" -s -w -X github.com/owncast/owncast/config.GitCommit=$GIT_COMMIT -X github.com/owncast/owncast/config.VersionNumber=$VERSION -X github.com/owncast/owncast/config.BuildPlatform=$NAME" -o owncast .
 # Create the image by copying the result of the build into a new alpine image
-FROM alpine
+FROM alpine:3.15.5
 RUN apk update && apk add --no-cache ffmpeg ffmpeg-libs ca-certificates && update-ca-certificates
+RUN addgroup -g 101 -S owncast && adduser -u 101 -S owncast -G owncast
+
 # Copy owncast assets
 WORKDIR /app
 COPY --from=build /build/owncast /app/owncast
-COPY --from=build /build/webroot /app/webroot
 RUN mkdir /app/data
+RUN chown -R owncast:owncast /app
+USER owncast
 ENTRYPOINT ["/app/owncast"]
 EXPOSE 8080 1935
diff --git a/Earthfile b/Earthfile
index 73a25c769..43b3aeb9d 100644
--- a/Earthfile
+++ b/Earthfile
@@ -25,7 +25,6 @@ crosscompiler:
 code:
 FROM --platform=linux/amd64 +crosscompiler
 COPY . /build
- #GIT CLONE --branch=$version git@github.com:owncast/owncast.git /build
 build:
 ARG EARTHLY_GIT_HASH # provided by Earthly
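Review bot: `RUN chown -R owncast:owncast /app` in the second Dockerfile hunk also hands the runtime user ownership of `/app/owncast` itself, so a compromised process could overwrite its own executable; only `/app/data` is created for writing, so `RUN mkdir /app/data && chown owncast:owncast /app/data` (replacing the separate `mkdir` and `chown` lines) keeps the binary root-owned while still working under `USER owncast`. The same `chown -R ... /app` is added to the Earthfile `docker` target in this commit and would benefit from the same narrowing. A comment next to `USER owncast` is also worth adding, since the ownership change is invisible to operators: `# runs as uid/gid 101; a volume mounted over /app/data must be writable by that uid` — the container presumably can no longer fix up permissions at start-up now that it is not root.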
@@ -110,13 +109,19 @@ docker:
 ARG TARGETPLATFORM
 FROM --platform=$TARGETPLATFORM alpine:3.15.5
 RUN apk update && apk add --no-cache ffmpeg ffmpeg-libs ca-certificates unzip && update-ca-certificates
+ RUN addgroup -g 101 -S owncast && adduser -u 101 -S owncast -G owncast
 WORKDIR /app
 COPY --platform=$TARGETPLATFORM +package/owncast.zip /app
 RUN unzip -x owncast.zip && mkdir data
+ RUN chown -R owncast:owncast /app
+ USER owncast
 ENTRYPOINT ["/app/owncast"]
 EXPOSE 8080 1935
 SAVE IMAGE --push $image:$tag
+dockerfile:
+ FROM DOCKERFILE -f Dockerfile .
+
+unit-tests:
 FROM --platform=linux/amd64 bdwyertech/go-crosscompile
 COPY . /build
diff --git a/build/develop/container.sh b/build/develop/container.sh
new file mode 100755
index 000000000..a1bb0c7cc
--- /dev/null
+++ b/build/develop/container.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+set -e
+
+# Development container builder
+#
+# Must authenticate first: https://docs.github.com/en/packages/using-github-packages-with-your-projects-ecosystem/configuring-docker-for-use-with-github-packages#authenticating-to-github-packages
+# env vars:
+# $EARTHLY_BUILD_BRANCH: git branch to checkout
+# $EARTHLY_BUILD_TAG: tag for container image
+
+
+EARTHLY_IMAGE_NAME="owncast"
+BUILD_TAG=${EARTHLY_BUILD_TAG:-webv2}
+DATE=$(date +"%Y%m%d")
+VERSION="${DATE}-${BUILD_TAG}"
+
+
+echo "Building container image ${EARTHLY_IMAGE_NAME}:${BUILD_TAG} ..."
+
+# Change to the root directory of the repository
+cd "$(git rev-parse --show-toplevel)" || exit
+if [ -n "${EARTHLY_BUILD_BRANCH}" ]; then
+ git checkout "${EARTHLY_BUILD_BRANCH}" || exit
+fi
+
+earthly --ci +docker-all --image="ghcr.io/owncast/${EARTHLY_IMAGE_NAME}" --tag="${BUILD_TAG}" --version="${VERSION}"
+earthly --ci +dockerfile
diff --git a/build/release/docker-nightly.sh b/build/release/docker-nightly.sh
deleted file mode 100755
index d171bce14..000000000
--- a/build/release/docker-nightly.sh
+++ /dev/null
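Review bot: The new `dockerfile` target carries no comment and no `SAVE IMAGE`, so a reader cannot tell whether it is a deliberate build-only check of the convenience Dockerfile (which is how `build/develop/container.sh` appears to use it) or an export that was forgotten; a one-line comment above it, `# build-only check that the convenience Dockerfile still builds; nothing is saved or pushed`, would settle that. If the intent is the former, the target's relationship to the `docker` target (same user setup, different base recipe) is also worth a sentence so the two do not drift apart silently.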
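Review bot: The header comment documents `$EARTHLY_BUILD_BRANCH` and `$EARTHLY_BUILD_TAG` but not `EARTHLY_PUSH`, which the workflow sets to `true` for the scheduled job and which this script never references — presumably earthly picks it up from the environment as the equivalent of `--push`, but nothing in the script says so, and the commit replaces scripts that passed `--push` explicitly; add `#   $EARTHLY_PUSH: set to true to push the built images (read by earthly itself, not by this script)` to the env-vars list. With `set -e` on line 2 the `|| exit` suffixes on `cd` and `git checkout` are redundant; either mechanism alone is fine, but keeping both reads as if the script were unsure which one works. The `git checkout "${EARTHLY_BUILD_BRANCH}"` step moves the working tree away from the ref the workflow checked out, which is intended for the scheduled build but worth stating in the header so nobody sets the variable on a pull_request run.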
@@ -1,14 +0,0 @@
-#!/bin/sh
-
-# Docker build
-# Must authenticate first: https://docs.github.com/en/packages/using-github-packages-with-your-projects-ecosystem/configuring-docker-for-use-with-github-packages#authenticating-to-github-packages
-DOCKER_IMAGE="owncast"
-DATE=$(date +"%Y%m%d")
-VERSION="${DATE}-nightly"
-
-echo "Building Docker image ${DOCKER_IMAGE}..."
-
-# Change to the root directory of the repository
-cd "$(git rev-parse --show-toplevel)" || exit
-
-earthly --ci --push +docker-all --image="ghcr.io/owncast/${DOCKER_IMAGE}" --tag=nightly --version="${VERSION}"
diff --git a/build/release/docker-webv2.sh b/build/release/docker-webv2.sh
deleted file mode 100755
index a5ca31ca2..000000000
--- a/build/release/docker-webv2.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-
-# Docker build
-# Must authenticate first: https://docs.github.com/en/packages/using-github-packages-with-your-projects-ecosystem/configuring-docker-for-use-with-github-packages#authenticating-to-github-packages
-DOCKER_IMAGE="owncast"
-DATE=$(date +"%Y%m%d")
-TAG="webv2"
-VERSION="${DATE}-${TAG}"
-echo "Building Docker image ${DOCKER_IMAGE}..."
-
-# Change to the root directory of the repository
-cd "$(git rev-parse --show-toplevel)" || exit
-git checkout webv2
-
-earthly --ci --push +docker-all --image="ghcr.io/owncast/${DOCKER_IMAGE}" --tag="${TAG}" --version="${VERSION}"