
set a non-root user for containers (#2496)

* change root user in dockerfile

* build container on push/pr

* grab docker build params from env

* consolidate container build

* rm unused container build workflow/script

* cleanup ci

* set user for earthly container build

* rm ci docker build for develop branch

* checkout full repo for docker builds

* read earthly push from env

* cleanup ci

* rm unsupported option for actions/checkout@v3

* check dockerfile in ci

* add dockerfile build to earthfile

* authenticate to GH only on schedule builds

* accurate name for dev container builder script

* add note to the dockerfile about earthfile

* document dev build process more clearly
This commit is contained in:
Meisam 2023-01-04 23:15:12 +01:00 committed by GitHub
parent e748d8f765
commit 2c6fd67276
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 134 additions and 121 deletions

.github/workflows/container-lint.yml vendored Normal file

@ -0,0 +1,28 @@
name: Lint
on:
push:
branches:
- webv2
paths:
- 'Dockerfile'
pull_request:
branches:
- webv2
paths:
- 'Dockerfile'
jobs:
trivy:
name: Dockerfile
runs-on: ubuntu-latest
container:
image: aquasec/trivy
steps:
- uses: actions/checkout@v3
- name: Check critical issues
run: trivy config --exit-code 1 --severity "HIGH,CRITICAL" ./Dockerfile
- name: Check non-critical issues
run: trivy config --severity "LOW,MEDIUM" ./Dockerfile
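Review bot: The job's `container: image: aquasec/trivy` pulls whatever the registry currently serves for the default `latest` tag, so the scanner and its misconfiguration ruleset can change under the workflow without anyone reviewing it; pin it to a specific version tag or, better, a digest (`image: aquasec/trivy:<version>@sha256:<digest>`). The workflow also declares no `permissions:` block, so the job token inherits the repository's default scope although checkout and `trivy config` only need read access; add `permissions: {contents: read}` at the top level. `actions/checkout@v3` is a mutable tag as well — for a job that acts as a security gate, pinning to a commit SHA is the usual hardening.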

.github/workflows/container.yaml vendored Normal file

@ -0,0 +1,56 @@
# See https://docs.earthly.dev/ci-integration/vendor-specific-guides/gh-actions-integration
# for details.
name: Build development container
on:
schedule:
- cron: '0 2 * * *'
push:
branches:
- webv2
pull_request:
branches:
- webv2
jobs:
Earthly:
runs-on: ubuntu-latest
steps:
- name: Set up Earthly
uses: earthly/actions-setup@v1
with:
version: 'latest' # or pin to an specific version, e.g. "v0.6.10"
- name: Log Earthly version
run: earthly --version
- name: Authenticate to GitHub Container Registry
if: ${{ github.event_name == 'schedule' && env.GH_CR_PAT != null }}
env:
GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
run: echo "${{ secrets.GH_CR_PAT }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
with:
image: tonistiigi/binfmt:latest
platforms: all
- name: Checkout repo
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Build and push
if: ${{ github.event_name == 'schedule' && env.GH_CR_PAT != null }}
env:
GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
EARTHLY_BUILD_TAG: 'webv2'
EARTHLY_BUILD_BRANCH: 'webv2'
EARTHLY_PUSH: true
run: ./build/develop/container.sh
- name: Build
if: ${{ github.event_name == 'push' || github.event_name == 'pull_request' }}
run: ./build/develop/container.sh
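Review bot: The login step's `run: echo "${{ secrets.GH_CR_PAT }}" | docker login …` interpolates the token into the generated shell script text even though the same value is already bound on that step as `GH_CR_PAT`; read it from the environment instead, `run: echo "$GH_CR_PAT" | docker login https://ghcr.io -u "${{ github.actor }}" --password-stdin`, so the secret is only ever passed via the process environment. The new workflow also drops the `if: github.repository == 'owncast/owncast'` guard that both deleted nightly workflows carried, so the 02:00 schedule now fires on every fork; the push is still gated on the secret being present, but the guard is cheap to keep. Like the lint workflow it sets no `permissions:` block, and `earthly/actions-setup@v1` with `version: 'latest'` plus `tonistiigi/binfmt:latest` both float. Finally, the `Build and push` step sets `EARTHLY_PUSH: true` while `./build/develop/container.sh` never passes `--push`; this presumably relies on Earthly reading its global flags from `EARTHLY_*` variables, which deserves a one-line comment on that step so the dependency is visible.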


@ -1,41 +0,0 @@
# See https://docs.earthly.dev/ci-integration/vendor-specific-guides/gh-actions-integration
# for details.
name: Build nightly docker
on:
workflow_dispatch:
schedule:
- cron: '0 2 * * *'
jobs:
Docker:
runs-on: ubuntu-latest
if: github.repository == 'owncast/owncast'
steps:
- uses: earthly/actions-setup@v1
with:
version: 'latest' # or pin to an specific version, e.g. "v0.6.10"
- name: Earthly version
run: earthly --version
- name: Log into GitHub Container Registry
env:
GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
run: echo "${{ secrets.GH_CR_PAT }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin
if: env.GH_CR_PAT != null
- name: Set up QEMU
id: qemu
uses: docker/setup-qemu-action@v2
with:
image: tonistiigi/binfmt:latest
platforms: all
- uses: actions/checkout@v3
- name: Checkout and build
if: env.GH_CR_PAT != null
env:
GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
run: cd build/release && ./docker-nightly.sh


@ -1,43 +0,0 @@
# See https://docs.earthly.dev/ci-integration/vendor-specific-guides/gh-actions-integration
# for details.
name: Build webv2 docker
on:
workflow_dispatch:
schedule:
- cron: '0 0 * * *'
jobs:
Docker:
runs-on: ubuntu-latest
if: github.repository == 'owncast/owncast'
steps:
- uses: earthly/actions-setup@v1
with:
version: 'latest' # or pin to an specific version, e.g. "v0.6.10"
- name: Earthly version
run: earthly --version
- name: Log into GitHub Container Registry
env:
GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
run: echo "${{ secrets.GH_CR_PAT }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin
if: env.GH_CR_PAT != null
- name: Set up QEMU
id: qemu
uses: docker/setup-qemu-action@v2
with:
image: tonistiigi/binfmt:latest
platforms: all
- uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Checkout and build
if: env.GH_CR_PAT != null
env:
GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
run: cd build/release && ./docker-webv2.sh


@ -18,7 +18,7 @@ jobs:
env:
LANG: C.UTF-8
container:
image: docker.io/ubuntu:22.10
image: docker.io/ubuntu:22.04
steps:
- uses: actions/checkout@v3


@ -1,10 +1,17 @@
# Perform a build
# IMPORTANT: This Dockerfile has been provided for the sake of convenience.
# Currently, functionality of the containers built based on this file
# is not a part of our continuous testing. Although, patches to keep it
# up to date are always welcome.
#
# See Earthfile for the recipes used in official builds.
FROM golang:alpine AS build
RUN mkdir /build
ADD . /build
WORKDIR /build
RUN apk update && apk add --no-cache git gcc build-base linux-headers
WORKDIR /build
COPY . /build
ARG VERSION=dev
ENV VERSION=${VERSION}
ARG GIT_COMMIT
@ -15,13 +22,16 @@ ENV NAME=${NAME}
RUN CGO_ENABLED=1 GOOS=linux go build -a -installsuffix cgo -ldflags "-extldflags \"-static\" -s -w -X github.com/owncast/owncast/config.GitCommit=$GIT_COMMIT -X github.com/owncast/owncast/config.VersionNumber=$VERSION -X github.com/owncast/owncast/config.BuildPlatform=$NAME" -o owncast .
# Create the image by copying the result of the build into a new alpine image
FROM alpine
FROM alpine:3.15.5
RUN apk update && apk add --no-cache ffmpeg ffmpeg-libs ca-certificates && update-ca-certificates
RUN addgroup -g 101 -S owncast && adduser -u 101 -S owncast -G owncast
# Copy owncast assets
WORKDIR /app
COPY --from=build /build/owncast /app/owncast
COPY --from=build /build/webroot /app/webroot
RUN mkdir /app/data
RUN chown -R owncast:owncast /app
USER owncast
ENTRYPOINT ["/app/owncast"]
EXPOSE 8080 1935
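Review bot: `RUN mkdir /app/data` followed by `chown -R owncast:owncast /app` and `USER owncast` only fixes ownership of the data directory inside the image; if operators attach a volume or bind mount at `/app/data` it carries the host's ownership, and the process, no longer root, may be unable to write there. A comment on the `USER owncast` line such as `# Runs as uid/gid 101; anything mounted at /app/data must be writable by that id` would prevent a confused first start, and the explicit `-u 101`/`-g 101` is the right choice because it makes that id predictable for a host-side `chown`. The builder stage still uses the floating `FROM golang:alpine` while the runtime stage is now pinned to `alpine:3.15.5`; pin the builder too so the toolchain that produces the binary is reproducible. Lastly, `apk update && apk add --no-cache …` is contradictory — `--no-cache` already fetches a fresh index, and the preceding `apk update` leaves index files in the layer.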


@ -25,7 +25,6 @@ crosscompiler:
code:
FROM --platform=linux/amd64 +crosscompiler
COPY . /build
#GIT CLONE --branch=$version git@github.com:owncast/owncast.git /build
build:
ARG EARTHLY_GIT_HASH # provided by Earthly
@ -110,13 +109,19 @@ docker:
ARG TARGETPLATFORM
FROM --platform=$TARGETPLATFORM alpine:3.15.5
RUN apk update && apk add --no-cache ffmpeg ffmpeg-libs ca-certificates unzip && update-ca-certificates
RUN addgroup -g 101 -S owncast && adduser -u 101 -S owncast -G owncast
WORKDIR /app
COPY --platform=$TARGETPLATFORM +package/owncast.zip /app
RUN unzip -x owncast.zip && mkdir data
RUN chown -R owncast:owncast /app
USER owncast
ENTRYPOINT ["/app/owncast"]
EXPOSE 8080 1935
SAVE IMAGE --push $image:$tag
dockerfile:
FROM DOCKERFILE -f Dockerfile .
unit-tests:
FROM --platform=linux/amd64 bdwyertech/go-crosscompile
COPY . /build
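Review bot: In the `docker` target, `RUN unzip -x owncast.zip && mkdir data` extracts the package but leaves `owncast.zip` in `/app`, so the image ships the archive next to the unpacked binary and the following `chown -R owncast:owncast /app` hands it to the service user as well; `RUN unzip -x owncast.zip && rm owncast.zip && mkdir data` keeps the layer to what the process needs. The same ownership caveat as in the Dockerfile applies here: `data` is owned by uid 101 in the image, but a volume mounted at `/app/data` at runtime has whatever ownership the host gives it and the process can no longer fix that up as root — a short comment beside `USER owncast` is worth adding. The `docker` target and the Dockerfile now carry parallel `addgroup`/`adduser`/`chown`/`USER` lines, so a future change to the uid or user name has to be made in both places; a comment pointing at the Dockerfile from this target (mirroring the note the commit adds to the Dockerfile) would make that coupling explicit.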

build/develop/container.sh Executable file

@ -0,0 +1,27 @@
#!/bin/sh
set -e
# Development container builder
#
# Must authenticate first: https://docs.github.com/en/packages/using-github-packages-with-your-projects-ecosystem/configuring-docker-for-use-with-github-packages#authenticating-to-github-packages
# env vars:
# $EARTHLY_BUILD_BRANCH: git branch to checkout
# $EARTHLY_BUILD_TAG: tag for container image
EARTHLY_IMAGE_NAME="owncast"
BUILD_TAG=${EARTHLY_BUILD_TAG:-webv2}
DATE=$(date +"%Y%m%d")
VERSION="${DATE}-${BUILD_TAG}"
echo "Building container image ${EARTHLY_IMAGE_NAME}:${BUILD_TAG} ..."
# Change to the root directory of the repository
cd "$(git rev-parse --show-toplevel)" || exit
if [ -n "${EARTHLY_BUILD_BRANCH}" ]; then
git checkout "${EARTHLY_BUILD_BRANCH}" || exit
fi
earthly --ci +docker-all --image="ghcr.io/owncast/${EARTHLY_IMAGE_NAME}" --tag="${BUILD_TAG}" --version="${VERSION}"
earthly --ci +dockerfile
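Review bot: The header comment documents `EARTHLY_BUILD_BRANCH` and `EARTHLY_BUILD_TAG`, but nothing in the script shows how a push happens: neither `earthly` invocation passes `--push`, and the CI workflow obtains one by exporting `EARTHLY_PUSH=true`, which presumably works because Earthly reads its global flags from `EARTHLY_*` variables. Add that to the env-var list, e.g. `# $EARTHLY_PUSH: "true" to push the built image to ghcr.io (picked up by earthly as --push; default is a local build only)`, so a developer running this by hand knows whether anything will be published. Note also that `git checkout "${EARTHLY_BUILD_BRANCH}"` switches the caller's working tree as a side effect, which is fine in CI but surprising locally and deserves a sentence in the header; with `set -e` in force the trailing `|| exit` on that line and on `cd` is redundant.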


@ -1,14 +0,0 @@
#!/bin/sh
# Docker build
# Must authenticate first: https://docs.github.com/en/packages/using-github-packages-with-your-projects-ecosystem/configuring-docker-for-use-with-github-packages#authenticating-to-github-packages
DOCKER_IMAGE="owncast"
DATE=$(date +"%Y%m%d")
VERSION="${DATE}-nightly"
echo "Building Docker image ${DOCKER_IMAGE}..."
# Change to the root directory of the repository
cd "$(git rev-parse --show-toplevel)" || exit
earthly --ci --push +docker-all --image="ghcr.io/owncast/${DOCKER_IMAGE}" --tag=nightly --version="${VERSION}"


@ -1,15 +0,0 @@
#!/bin/sh
# Docker build
# Must authenticate first: https://docs.github.com/en/packages/using-github-packages-with-your-projects-ecosystem/configuring-docker-for-use-with-github-packages#authenticating-to-github-packages
DOCKER_IMAGE="owncast"
DATE=$(date +"%Y%m%d")
TAG="webv2"
VERSION="${DATE}-${TAG}"
echo "Building Docker image ${DOCKER_IMAGE}..."
# Change to the root directory of the repository
cd "$(git rev-parse --show-toplevel)" || exit
git checkout webv2
earthly --ci --push +docker-all --image="ghcr.io/owncast/${DOCKER_IMAGE}" --tag="${TAG}" --version="${VERSION}"