set a non-root user for containers (#2496)
* change root user in dockerfile * build container on push/pr * grab docker build params from env * consolidate container build * rm unused container build workflow/script * cleanup ci * set user for earthly container build * rm ci docker build for develop branch * checkout full repo for docker builds * read earthly push from env * cleanup ci * rm unsupported option for actions/checkout@v3 * check dockerfile in ci * add dockerfile build to earthfile * authenticate to GH only on schedule builds * accurate name for dev container builder script * add note to the dockerfile about earthfile * document dev build process more clearly
This commit is contained in:
parent
e748d8f765
commit
2c6fd67276
28
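--- a/.github/workflows/container-lint.yml
+++ b/.github/workflows/container-lint.yml
@@ -0,0 +1,28 @@
+name: Lint
+
+on:
+  push:
+    branches:
+      - webv2
+    paths:
+      - 'Dockerfile'
+  pull_request:
+    branches:
+      - webv2
+    paths:
+      - 'Dockerfile'
+
+jobs:
+  trivy:
+    name: Dockerfile
+    runs-on: ubuntu-latest
+    container:
+      image: aquasec/trivy
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Check critical issues
+        run: trivy config --exit-code 1 --severity "HIGH,CRITICAL" ./Dockerfile
+
+      - name: Check non-critical issues
+        run: trivy config --severity "LOW,MEDIUM" ./Dockerfile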
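Review bot: `image: aquasec/trivy` under `container:` is a floating tag, so each run pulls whatever the registry currently serves and executes it against the checked-out repository; a scanner that decides whether the job fails should be pinned to a release and digest, e.g. `image: aquasec/trivy:<release>@sha256:<digest>`, and the same goes for `actions/checkout@v3`, which is a mutable tag rather than a commit SHA. The job only scans `Dockerfile`, while the Dockerfile's own header says the official images come from `Earthfile`; as far as I know `trivy config` does not understand Earthfiles, which is worth stating in a comment on the `trivy:` job, e.g. `# Only the convenience Dockerfile is checked; the Earthfile used for official images is not covered here`. The second step deliberately omits `--exit-code 1`, so LOW/MEDIUM findings are informational only; a one-line comment saying so would stop a future reader from "fixing" it.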
56
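--- a/.github/workflows/container.yaml
+++ b/.github/workflows/container.yaml
@@ -0,0 +1,56 @@
+# See https://docs.earthly.dev/ci-integration/vendor-specific-guides/gh-actions-integration
+# for details.
+
+name: Build development container
+
+on:
+  schedule:
+    - cron: '0 2 * * *'
+  push:
+    branches:
+      - webv2
+  pull_request:
+    branches:
+      - webv2
+
+jobs:
+  Earthly:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up Earthly
+        uses: earthly/actions-setup@v1
+        with:
+          version: 'latest' # or pin to an specific version, e.g. "v0.6.10"
+
+      - name: Log Earthly version
+        run: earthly --version
+
+      - name: Authenticate to GitHub Container Registry
+        if: ${{ github.event_name == 'schedule' && env.GH_CR_PAT != null }}
+        env:
+          GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
+        run: echo "${{ secrets.GH_CR_PAT }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+        with:
+          image: tonistiigi/binfmt:latest
+          platforms: all
+
+      - name: Checkout repo
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Build and push
+        if: ${{ github.event_name == 'schedule' && env.GH_CR_PAT != null }}
+        env:
+          GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
+          EARTHLY_BUILD_TAG: 'webv2'
+          EARTHLY_BUILD_BRANCH: 'webv2'
+          EARTHLY_PUSH: true
+        run: ./build/develop/container.sh
+
+      - name: Build
+        if: ${{ github.event_name == 'push' || github.event_name == 'pull_request' }}
+        run: ./build/develop/container.sh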
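Review bot: The `Authenticate to GitHub Container Registry` step already exports the token as `GH_CR_PAT` in `env:` but then re-expands the secret inline with `echo "${{ secrets.GH_CR_PAT }}"`, which splices the raw value into the generated shell script and breaks if the token ever contains a double quote; read it from the environment instead: `run: echo "$GH_CR_PAT" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin`. The workflow has no `permissions:` block, so the job's `GITHUB_TOKEN` carries the repository default rather than the read-only scope a build needs; `permissions: contents: read` at the top would narrow it, and granting `packages: write` on this job would presumably let the scheduled push use `GITHUB_TOKEN` instead of a long-lived PAT (confirm against how `+docker-all` pushes). `earthly/actions-setup` with `version: 'latest'`, `tonistiigi/binfmt:latest` and `actions/checkout@v3` are all floating references, so the nightly image can change without any commit in this repository; pinning them (SHA for the actions, tag+digest for the image) keeps the published artifact reproducible.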
41
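--- a/.github/workflows/docker-nightly.yaml
+++ b/.github/workflows/docker-nightly.yaml
@@ -1,41 +0,0 @@
-# See https://docs.earthly.dev/ci-integration/vendor-specific-guides/gh-actions-integration
-# for details.
-
-name: Build nightly docker
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: '0 2 * * *'
-
-jobs:
-  Docker:
-    runs-on: ubuntu-latest
-    if: github.repository == 'owncast/owncast'
-    steps:
-      - uses: earthly/actions-setup@v1
-        with:
-          version: 'latest' # or pin to an specific version, e.g. "v0.6.10"
-
-      - name: Earthly version
-        run: earthly --version
-
-      - name: Log into GitHub Container Registry
-        env:
-          GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
-        run: echo "${{ secrets.GH_CR_PAT }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin
-        if: env.GH_CR_PAT != null
-
-      - name: Set up QEMU
-        id: qemu
-        uses: docker/setup-qemu-action@v2
-        with:
-          image: tonistiigi/binfmt:latest
-          platforms: all
-
-      - uses: actions/checkout@v3
-      - name: Checkout and build
-        if: env.GH_CR_PAT != null
-        env:
-          GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
-        run: cd build/release && ./docker-nightly.sh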
43
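--- a/.github/workflows/docker-webv2.yaml
+++ b/.github/workflows/docker-webv2.yaml
@@ -1,43 +0,0 @@
-# See https://docs.earthly.dev/ci-integration/vendor-specific-guides/gh-actions-integration
-# for details.
-
-name: Build webv2 docker
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: '0 0 * * *'
-
-jobs:
-  Docker:
-    runs-on: ubuntu-latest
-    if: github.repository == 'owncast/owncast'
-    steps:
-      - uses: earthly/actions-setup@v1
-        with:
-          version: 'latest' # or pin to an specific version, e.g. "v0.6.10"
-
-      - name: Earthly version
-        run: earthly --version
-
-      - name: Log into GitHub Container Registry
-        env:
-          GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
-        run: echo "${{ secrets.GH_CR_PAT }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin
-        if: env.GH_CR_PAT != null
-
-      - name: Set up QEMU
-        id: qemu
-        uses: docker/setup-qemu-action@v2
-        with:
-          image: tonistiigi/binfmt:latest
-          platforms: all
-
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: Checkout and build
-        if: env.GH_CR_PAT != null
-        env:
-          GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
-        run: cd build/release && ./docker-webv2.sh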
2
.github/workflows/shellcheck.yml
vendored
@ -18,7 +18,7 @@ jobs:
env:
env:
LANG: C.UTF-8
LANG: C.UTF-8
container:
container:
image: docker.io/ubuntu:22.10
image: docker.io/ubuntu:22.04
steps:
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v3
22
Dockerfile
@ -1,10 +1,17 @@
# Perform a build
# IMPORTANT: This Dockerfile has been provided for the sake of convenience.
# Currently, functionality of the containers built based on this file
# is not a part of our continuous testing. Although, patches to keep it
# up to date are always welcome.
#
# See ‘Earthfile’ for the recipes used in official builds.
FROM golang:alpine AS build
FROM golang:alpine AS build
RUN mkdir /build
ADD . /build
WORKDIR /build
RUN apk update && apk add --no-cache git gcc build-base linux-headers
RUN apk update && apk add --no-cache git gcc build-base linux-headers
WORKDIR /build
COPY . /build
ARG VERSION=dev
ARG VERSION=dev
ENV VERSION=${VERSION}
ENV VERSION=${VERSION}
ARG GIT_COMMIT
ARG GIT_COMMIT
@ -15,13 +22,16 @@ ENV NAME=${NAME}
RUN CGO_ENABLED=1 GOOS=linux go build -a -installsuffix cgo -ldflags "-extldflags \"-static\" -s -w -X github.com/owncast/owncast/config.GitCommit=$GIT_COMMIT -X github.com/owncast/owncast/config.VersionNumber=$VERSION -X github.com/owncast/owncast/config.BuildPlatform=$NAME" -o owncast .
RUN CGO_ENABLED=1 GOOS=linux go build -a -installsuffix cgo -ldflags "-extldflags \"-static\" -s -w -X github.com/owncast/owncast/config.GitCommit=$GIT_COMMIT -X github.com/owncast/owncast/config.VersionNumber=$VERSION -X github.com/owncast/owncast/config.BuildPlatform=$NAME" -o owncast .
# Create the image by copying the result of the build into a new alpine image
# Create the image by copying the result of the build into a new alpine image
FROM alpine
FROM alpine:3.15.5
RUN apk update && apk add --no-cache ffmpeg ffmpeg-libs ca-certificates && update-ca-certificates
RUN apk update && apk add --no-cache ffmpeg ffmpeg-libs ca-certificates && update-ca-certificates
RUN addgroup -g 101 -S owncast && adduser -u 101 -S owncast -G owncast
# Copy owncast assets
# Copy owncast assets
WORKDIR /app
WORKDIR /app
COPY --from=build /build/owncast /app/owncast
COPY --from=build /build/owncast /app/owncast
COPY --from=build /build/webroot /app/webroot
RUN mkdir /app/data
RUN mkdir /app/data
RUN chown -R owncast:owncast /app
USER owncast
ENTRYPOINT ["/app/owncast"]
ENTRYPOINT ["/app/owncast"]
EXPOSE 8080 1935
EXPOSE 8080 1935
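Review bot: In the second hunk the new `RUN chown -R owncast:owncast /app` runs after `COPY --from=build /build/owncast /app/owncast`, so the statically linked binary ends up stored twice in the image, once in the COPY layer and again in the chown layer; `COPY --chown=owncast:owncast --from=build /build/owncast /app/owncast` (the user exists by then, it is created three lines earlier) followed by `RUN mkdir /app/data && chown owncast:owncast /app/data` gives the same ownership without the duplicate layer, provided owncast writes nowhere under /app except `data/` at runtime, which is not visible here. Now that `USER owncast` makes the entrypoint run as uid/gid 101, a host directory bind-mounted over `/app/data` must be writable by that id, and that contract is exactly why the ids are fixed with `-u 101`/`-g 101`; it deserves a comment above `USER owncast`, e.g. `# Runs unprivileged as uid/gid 101; a volume mounted on /app/data must be writable by that id`. Likewise the listen ports have to stay above 1024 (8080 and 1935 are) because an unprivileged user cannot bind lower ports without extra capabilities, which is worth one sentence next to `EXPOSE`.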
@ -25,7 +25,6 @@ crosscompiler:
code:
code:
FROM --platform=linux/amd64 +crosscompiler
FROM --platform=linux/amd64 +crosscompiler
COPY . /build
COPY . /build
#GIT CLONE --branch=$version git@github.com:owncast/owncast.git /build
build:
build:
ARG EARTHLY_GIT_HASH # provided by Earthly
ARG EARTHLY_GIT_HASH # provided by Earthly
@ -110,13 +109,19 @@ docker:
ARG TARGETPLATFORM
ARG TARGETPLATFORM
FROM --platform=$TARGETPLATFORM alpine:3.15.5
FROM --platform=$TARGETPLATFORM alpine:3.15.5
RUN apk update && apk add --no-cache ffmpeg ffmpeg-libs ca-certificates unzip && update-ca-certificates
RUN apk update && apk add --no-cache ffmpeg ffmpeg-libs ca-certificates unzip && update-ca-certificates
RUN addgroup -g 101 -S owncast && adduser -u 101 -S owncast -G owncast
WORKDIR /app
WORKDIR /app
COPY --platform=$TARGETPLATFORM +package/owncast.zip /app
COPY --platform=$TARGETPLATFORM +package/owncast.zip /app
RUN unzip -x owncast.zip && mkdir data
RUN unzip -x owncast.zip && mkdir data
RUN chown -R owncast:owncast /app
USER owncast
ENTRYPOINT ["/app/owncast"]
ENTRYPOINT ["/app/owncast"]
EXPOSE 8080 1935
EXPOSE 8080 1935
SAVE IMAGE --push $image:$tag
SAVE IMAGE --push $image:$tag
dockerfile:
FROM DOCKERFILE -f Dockerfile .
unit-tests:
unit-tests:
FROM --platform=linux/amd64 bdwyertech/go-crosscompile
FROM --platform=linux/amd64 bdwyertech/go-crosscompile
COPY . /build
COPY . /build
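Review bot: In the `docker:` target (its head is above the second hunk) the new `RUN chown -R owncast:owncast /app` is a separate step after `RUN unzip -x owncast.zip && mkdir data`, so the whole extracted tree is stored a second time in the pushed image; folding it into the same step, `RUN unzip -x owncast.zip && mkdir data && chown -R owncast:owncast /app`, avoids that and is also the natural place to delete `owncast.zip` if it is not needed at runtime (not visible here). The `addgroup`/`adduser` pair duplicates the Dockerfile's and the fixed uid 101 is what anyone bind-mounting `/app/data` has to match, so name the contract where it is defined: `# Fixed uid/gid 101, keep in sync with Dockerfile; volumes on /app/data must be writable by this id`. The new `dockerfile:` target has no `SAVE IMAGE`, so as written it only verifies that the convenience Dockerfile still builds; a comment such as `# Build-only check that Dockerfile stays buildable; nothing is saved or pushed` would make that intent explicit to the next reader.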
27
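--- a/build/develop/container.sh
+++ b/build/develop/container.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+set -e
+
+# Development container builder
+#
+# Must authenticate first: https://docs.github.com/en/packages/using-github-packages-with-your-projects-ecosystem/configuring-docker-for-use-with-github-packages#authenticating-to-github-packages
+# env vars:
+# $EARTHLY_BUILD_BRANCH: git branch to checkout
+# $EARTHLY_BUILD_TAG: tag for container image
+
+
+EARTHLY_IMAGE_NAME="owncast"
+BUILD_TAG=${EARTHLY_BUILD_TAG:-webv2}
+DATE=$(date +"%Y%m%d")
+VERSION="${DATE}-${BUILD_TAG}"
+
+
+echo "Building container image ${EARTHLY_IMAGE_NAME}:${BUILD_TAG} ..."
+
+# Change to the root directory of the repository
+cd "$(git rev-parse --show-toplevel)" || exit
+if [ -n "${EARTHLY_BUILD_BRANCH}" ]; then
+  git checkout "${EARTHLY_BUILD_BRANCH}" || exit
+fi
+
+earthly --ci +docker-all --image="ghcr.io/owncast/${EARTHLY_IMAGE_NAME}" --tag="${BUILD_TAG}" --version="${VERSION}"
+earthly --ci +dockerfile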
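Review bot: The header comment documents `$EARTHLY_BUILD_BRANCH` and `$EARTHLY_BUILD_TAG` but not `$EARTHLY_PUSH`, which the workflow sets to `true` on scheduled runs and which, since nothing in this script passes `--push`, is presumably what makes `earthly --ci +docker-all` publish to `ghcr.io/owncast/owncast`; either add `# $EARTHLY_PUSH: set to true to push the built image (honoured by earthly itself)` or make the gate visible on the command line, `earthly --ci ${EARTHLY_PUSH:+--push} +docker-all ...`, so a reader does not need to know earthly's environment handling to see when an image leaves the machine. `git checkout "${EARTHLY_BUILD_BRANCH}"` switches whatever working tree the caller is in, which is fine for the `fetch-depth: 0` clone in CI but a surprise for a developer running it locally; the `# env vars:` block should say the script changes branches. The `echo` reports `owncast:webv2` while the image actually built is `ghcr.io/owncast/owncast:webv2`; printing the full `--image` value would match what gets pushed.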
@ -1,14 +0,0 @@
#!/bin/sh
# Docker build
# Must authenticate first: https://docs.github.com/en/packages/using-github-packages-with-your-projects-ecosystem/configuring-docker-for-use-with-github-packages#authenticating-to-github-packages
DOCKER_IMAGE="owncast"
DATE=$(date +"%Y%m%d")
VERSION="${DATE}-nightly"
echo "Building Docker image ${DOCKER_IMAGE}..."
# Change to the root directory of the repository
cd "$(git rev-parse --show-toplevel)" || exit
earthly --ci --push +docker-all --image="ghcr.io/owncast/${DOCKER_IMAGE}" --tag=nightly --version="${VERSION}"
@ -1,15 +0,0 @@
#!/bin/sh
# Docker build
# Must authenticate first: https://docs.github.com/en/packages/using-github-packages-with-your-projects-ecosystem/configuring-docker-for-use-with-github-packages#authenticating-to-github-packages
DOCKER_IMAGE="owncast"
DATE=$(date +"%Y%m%d")
TAG="webv2"
VERSION="${DATE}-${TAG}"
echo "Building Docker image ${DOCKER_IMAGE}..."
# Change to the root directory of the repository
cd "$(git rev-parse --show-toplevel)" || exit
git checkout webv2
earthly --ci --push +docker-all --image="ghcr.io/owncast/${DOCKER_IMAGE}" --tag="${TAG}" --version="${VERSION}"