diff --git a/.github/workflows/images.yaml b/.github/workflows/images.yaml
index 0c6448c..4116f2f 100644
--- a/.github/workflows/images.yaml
+++ b/.github/workflows/images.yaml
@@ -39,7 +39,7 @@ jobs: name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - # generated by ./test.sh for manual copy-paste to images.yaml + ### build steps below are generated ### - name: Build and push builder-base latest uses: docker/build-push-action@v5
@@ -238,6 +238,8 @@ jobs: push: true cache-from: type=gha cache-to: type=gha,mode=max + build-contexts: | + yolean/java:root=docker-image://ghcr.io/yolean/java:root - name: Build and push node root uses: docker/build-push-action@v5
@@ -266,6 +268,8 @@ jobs: push: true cache-from: type=gha cache-to: type=gha,mode=max + build-contexts: | + yolean/node:root=docker-image://ghcr.io/yolean/node:root - name: Build and push node-kafka root uses: docker/build-push-action@v5
@@ -296,6 +300,8 @@ jobs: push: true cache-from: type=gha cache-to: type=gha,mode=max + build-contexts: | + yolean/node-kafka:root=docker-image://ghcr.io/yolean/node-kafka:root - name: Build and push node-kafka-cache root uses: docker/build-push-action@v5
@@ -326,6 +332,8 @@ jobs: push: true cache-from: type=gha cache-to: type=gha,mode=max + build-contexts: | + yolean/node-kafka-cache:root=docker-image://ghcr.io/yolean/node-kafka-cache:root - name: Build and push node-watchexec root uses: docker/build-push-action@v5
@@ -354,6 +362,8 @@ jobs: push: true cache-from: type=gha cache-to: type=gha,mode=max + build-contexts: | + yolean/node-watchexec:root=docker-image://ghcr.io/yolean/node-watchexec:root - name: Build and push node-gcloud root uses: docker/build-push-action@v5
@@ -384,6 +394,8 @@ jobs: push: true cache-from: type=gha cache-to: type=gha,mode=max + build-contexts: | + yolean/node-gcloud:root=docker-image://ghcr.io/yolean/node-gcloud:root - name: Build and push runtime-quarkus-ubuntu root uses: docker/build-push-action@v5
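Review bot: The build context added in the `@@ -238` hunk resolves `yolean/java:root` to the mutable tag `ghcr.io/yolean/java:root`, so the nonroot build consumes whatever that tag points to when the step runs rather than the image the preceding step just pushed; with two workflow runs in flight, or a run that fails between the root push and this step, the `latest` image can end up derived from a different root build than the one in this run. Pinning the context to the digest the root step reports would tie the two together, e.g. give the root build step an `id` and use `yolean/java:root=docker-image://ghcr.io/yolean/java@${{ steps.<root-step-id>.outputs.digest }}` (placeholder id). The same applies to the node, node-kafka, node-kafka-cache, node-watchexec, node-gcloud, runtime-quarkus-ubuntu, runtime-quarkus-ubuntu-jre, runtime-quarkus-dev and toil-storage hunks. Since the `### build steps below are generated ###` marker says these steps come from test.sh, the change presumably belongs in the generator rather than in the YAML by hand.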
@@ -412,6 +424,8 @@ jobs: push: true cache-from: type=gha cache-to: type=gha,mode=max + build-contexts: | + yolean/runtime-quarkus-ubuntu:root=docker-image://ghcr.io/yolean/runtime-quarkus-ubuntu:root - name: Build and push runtime-quarkus-ubuntu-jre root uses: docker/build-push-action@v5
@@ -443,6 +457,8 @@ jobs: push: true cache-from: type=gha cache-to: type=gha,mode=max + build-contexts: | + yolean/runtime-quarkus-ubuntu-jre:root=docker-image://ghcr.io/yolean/runtime-quarkus-ubuntu-jre:root - name: Build and push runtime-quarkus-dev root uses: docker/build-push-action@v5
@@ -474,6 +490,8 @@ jobs: push: true cache-from: type=gha cache-to: type=gha,mode=max + build-contexts: | + yolean/runtime-quarkus-dev:root=docker-image://ghcr.io/yolean/runtime-quarkus-dev:root - name: Build and push toil-storage root uses: docker/build-push-action@v5
@@ -505,3 +523,5 @@ jobs: push: true cache-from: type=gha cache-to: type=gha,mode=max + build-contexts: | + yolean/toil-storage:root=docker-image://ghcr.io/yolean/toil-storage:root
diff --git a/.gitignore b/.gitignore
index 7cd53fd..bbf31d0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@ **/node_modules/
+actions-generated.yaml
diff --git a/hooks/build b/hooks/build
deleted file mode 100755
index f354c0e..0000000
--- a/hooks/build
+++ /dev/null
@@ -1,99 +0,0 @@
-#!/usr/bin/env bash
-[ -z "$DEBUG" ] || set -x
-set -eo pipefail
-
-[ -n "$PLATFORMS" ] || PLATFORMS="linux/amd64,linux/arm64/v8"
-[ -n "$PLATFORM" ] || PLATFORM="--platform=$PLATFORMS"
-
-[ -z "$REGISTRY" ] || PREFIX="$REGISTRY/"
-
-SOURCE_COMMIT=$(git rev-parse --verify HEAD 2>/dev/null || echo '')
-if [[ ! -z "$SOURCE_COMMIT" ]]; then
- GIT_STATUS=$(git status --untracked-files=normal --porcelain=v2 | grep -v ' hooks/build' || true)
- if [[ ! -z "$GIT_STATUS" ]]; then
- SOURCE_COMMIT="$SOURCE_COMMIT-dirty"
- fi
-fi
-
-MULTIARCH_NONROOT="
-builder-base
-builder-base-gcc
-builder-base-gcloud
-builder-tooling
-builder-node
-builder-quarkus
-git-init
-toil
-toil-network
-node-distroless
-blobs
-"
-
-MULTIARCH_TONONROOT="
-java
-node
-node-kafka
-node-kafka-cache
-node-watchexec
-node-gcloud
-runtime-quarkus-ubuntu
-runtime-quarkus-ubuntu-jre
-runtime-quarkus-dev
-toil-storage
-"
-
-AMD64ONLY="
-runtime-quarkus
-runtime-quarkus-deno
-runtime-deno
-git-http-readonly
-headless-chrome
-"
-
-XTAG=""
-
-[ -n "$NOPUSH" ] || BUILDX_PUSH="--push"
-
-export SOURCE_DATE_EPOCH=0
-OUTPUT="type=registry,oci-mediatypes=true"
-
-cat ./Dockerfile | \
- docker buildx build $BUILDX_PUSH --progress=plain $PLATFORM --output "$OUTPUT" \ -t yolean/docker-base -t ${PREFIX}yolean/docker-base:$SOURCE_COMMIT$XTAG
-
-
-for CONTEXT in $MULTIARCH_NONROOT; do
- ! (grep -r FROM ./$CONTEXT | grep -v 'FROM --platform=')
- cat ./$CONTEXT/Dockerfile | \
- docker buildx build $BUILDX_PUSH --progress=plain $PLATFORM -f - --output "$OUTPUT" \ -t yolean/$CONTEXT -t ${PREFIX}yolean/$CONTEXT:$SOURCE_COMMIT$XTAG ./$CONTEXT
-done
-
-for CONTEXT in $MULTIARCH_TONONROOT; do
- ! (grep -r FROM ./$CONTEXT | grep -v 'FROM --platform=')
- cat ./$CONTEXT/Dockerfile | \
- docker buildx build $BUILDX_PUSH --progress=plain $PLATFORM -f - --output "$OUTPUT" \ -t yolean/$CONTEXT:root -t ${PREFIX}yolean/$CONTEXT:$SOURCE_COMMIT$XTAG-root ./$CONTEXT
-done
-for CONTEXT in $MULTIARCH_TONONROOT; do
- cat ./$CONTEXT/Dockerfile ./nonroot-footer.Dockerfile | \
- docker buildx build $BUILDX_PUSH --progress=plain $PLATFORM -f - --output "$OUTPUT" \ -t yolean/$CONTEXT -t ${PREFIX}yolean/$CONTEXT:$SOURCE_COMMIT$XTAG ./$CONTEXT
-done
-
-PUSH=""
-
-for CONTEXT in $AMD64ONLY; do
- IMAGE=${PREFIX}yolean/$CONTEXT:$SOURCE_COMMIT$XTAG
- docker build --platform=linux/amd64 -t yolean/$CONTEXT -t $IMAGE ./$CONTEXT
- PUSH="$PUSH $IMAGE"
- if [ "" = "$(docker image inspect -f='{{.Config.User}}' $IMAGE)" ]; then
- docker tag $IMAGE $IMAGE-root
- PUSH="$PUSH $IMAGE-root"
- cat ./$CONTEXT/Dockerfile ./nonroot-footer.Dockerfile | \
- docker build --platform=linux/amd64 -f - -t yolean/$CONTEXT -t $IMAGE ./$CONTEXT
- fi
-done
-
-echo "amd64-only PUSH list contains: $PUSH"
-[ -z "$NOPUSH" ] || exit 0
-for P in $PUSH; do docker push $P; done
diff --git a/test.sh b/test.sh
new file mode 100755
index 0000000..2860659
--- /dev/null
+++ b/test.sh
@@ -0,0 +1,112 @@
+#!/usr/bin/env bash
+[ -z "$DEBUG" ] || set -x
+set -eo pipefail
+
+[ -n "$PLATFORMS" ] || PLATFORMS="linux/amd64,linux/arm64/v8"
+[ -n "$PLATFORM" ] || PLATFORM="--platform=$PLATFORMS"
+
+[ -z "$REGISTRY" ] || PREFIX="$REGISTRY/"
+
+SOURCE_COMMIT=$(git rev-parse --verify HEAD 2>/dev/null || echo '')
+if [[ ! -z "$SOURCE_COMMIT" ]]; then
+ GIT_STATUS=$(git status --untracked-files=normal --porcelain=v2 | grep -v ' hooks/build' || true)
+ if [[ ! -z "$GIT_STATUS" ]]; then
+ SOURCE_COMMIT="$SOURCE_COMMIT-dirty"
+ fi
+fi
+
+MULTIARCH_NONROOT="
+builder-base
+builder-base-gcc
+builder-base-gcloud
+builder-tooling
+builder-node
+builder-quarkus
+git-init
+toil
+toil-network
+node-distroless
+blobs
+"
+
+MULTIARCH_TONONROOT="
+java
+node
+node-kafka
+node-kafka-cache
+node-watchexec
+node-gcloud
+runtime-quarkus-ubuntu
+runtime-quarkus-ubuntu-jre
+runtime-quarkus-dev
+toil-storage
+"
+
+AMD64ONLY="
+runtime-quarkus
+runtime-quarkus-deno
+runtime-deno
+git-http-readonly
+headless-chrome
+"
+
+BEGIN=" ### build steps below are generated ###"
+CURRENT=.github/workflows/images.yaml
+ACTIONS=$(mktemp)
+sed "/^$BEGIN\$/q" $CURRENT > $ACTIONS
+
+function base_action {
+ local CONTEXT=$1
+ local NAME=$2
+ local TAG=$3
+ local TAGSUFFIX=""
+ [ "$TAG" = "latest" ] || local TAGSUFFIX="-$TAG"
+ cat <> $ACTIONS
+ add_dependencies "$CONTEXT" >> $ACTIONS
+done
+
+for CONTEXT in $MULTIARCH_TONONROOT; do
+ mkdir -p to-nonroot/$CONTEXT
+ echo "FROM --platform=\$TARGETPLATFORM yolean/$CONTEXT:root" > to-nonroot/$CONTEXT/Dockerfile
+ cat nonroot-footer.Dockerfile >> to-nonroot/$CONTEXT/Dockerfile
+ base_action "$CONTEXT" "$CONTEXT" root >> $ACTIONS
+ add_dependencies "$CONTEXT" >> $ACTIONS
+ base_action "to-nonroot/$CONTEXT" "$CONTEXT" latest >> $ACTIONS
+ add_dependencies "to-nonroot/$CONTEXT" >> $ACTIONS
+done
+
+for CONTEXT in $AMD64ONLY; do
+ echo "# TODO does $CONTEXT really need to be amd64-only?" >&2
+done
+
+cp $ACTIONS $CURRENT
+GIT_STATUS=$(git status --untracked-files=no --porcelain=v2)
+[ -z "$GIT_STATUS" ] && echo "Done, no local diff" || echo "Done, with local diff"
diff --git a/to-nonroot/java/Dockerfile b/to-nonroot/java/Dockerfile
new file mode 100644
index 0000000..527b12f
--- /dev/null
+++ b/to-nonroot/java/Dockerfile
@@ -0,0 +1,8 @@
+FROM --platform=$TARGETPLATFORM yolean/java:root
+
+# Appends the same nonroot directives as https://github.com/Yolean/kubernetes-kafka/tree/master/nonroot
+# i.e. https://github.com/solsson/dockerfiles/tree/native/kafka-nonroot
+RUN grep 'nonroot:x:65532' /etc/passwd || \
+ echo 'nonroot:x:65532:65534:nonroot:/home/nonroot:/usr/sbin/nologin' >> /etc/passwd && \
+ mkdir -p /home/nonroot && touch /home/nonroot/.bash_history && chown -R 65532:65534 /home/nonroot
+USER nonroot:nogroup
diff --git a/to-nonroot/node-gcloud/Dockerfile b/to-nonroot/node-gcloud/Dockerfile
new file mode 100644
index 0000000..fe0623c
--- /dev/null
+++ b/to-nonroot/node-gcloud/Dockerfile
@@ -0,0 +1,8 @@
+FROM --platform=$TARGETPLATFORM yolean/node-gcloud:root
+
+# Appends the same nonroot directives as https://github.com/Yolean/kubernetes-kafka/tree/master/nonroot
+# i.e. https://github.com/solsson/dockerfiles/tree/native/kafka-nonroot
+RUN grep 'nonroot:x:65532' /etc/passwd || \
+ echo 'nonroot:x:65532:65534:nonroot:/home/nonroot:/usr/sbin/nologin' >> /etc/passwd && \
+ mkdir -p /home/nonroot && touch /home/nonroot/.bash_history && chown -R 65532:65534 /home/nonroot
+USER nonroot:nogroup
diff --git a/to-nonroot/node-kafka-cache/Dockerfile b/to-nonroot/node-kafka-cache/Dockerfile
new file mode 100644
index 0000000..202c485
--- /dev/null
+++ b/to-nonroot/node-kafka-cache/Dockerfile
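Review bot: `sed "/^$BEGIN\$/q" $CURRENT > $ACTIONS` copies the whole workflow when the marker line is absent or its indentation no longer matches `$BEGIN`, and the later `cp $ACTIONS $CURRENT` then writes the generated steps after the existing ones, leaving a workflow with every build step duplicated; a guard before the sed such as `grep -qxF "$BEGIN" "$CURRENT" || { echo "marker line not found in $CURRENT" >&2; exit 1; }` makes that fail loudly instead. The temporary file from `ACTIONS=$(mktemp)` is never removed; `trap 'rm -f "$ACTIONS"' EXIT` right after that line covers both the normal and the error path. `SOURCE_COMMIT`, `PLATFORM` and `PREFIX` are still computed as they were in hooks/build, but the heredoc in base_action and the add_dependencies function are not legible in this extract, so whether the generator still uses them cannot be confirmed from here.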
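Review bot: `FROM --platform=$TARGETPLATFORM yolean/java:root` only names the intended image because the workflow's `build-contexts` entry rewrites `yolean/java:root` to ghcr.io; a plain `docker build to-nonroot/java` has no such mapping and resolves the reference against Docker Hub's `yolean` namespace or a stale local tag, so the nonroot layer could be stacked on an image this repository never built. A comment next to the FROM line would record that, e.g. `# yolean/java:root is resolved through the build-contexts mapping in .github/workflows/images.yaml; a plain docker build would look it up on Docker Hub instead`, and since test.sh writes this file (`echo "FROM ..." > to-nonroot/$CONTEXT/Dockerfile`) the comment belongs in that echo. `USER nonroot:nogroup` names the group while the passwd entry it adds uses gid 65534; whether a group called `nogroup` exists with that gid depends on each base image and is worth confirming, since a group name missing from /etc/group would surface as a container start failure. The same applies to the node-gcloud, node-kafka-cache, node-kafka, node-watchexec, node, runtime-quarkus-dev, runtime-quarkus-ubuntu-jre, runtime-quarkus-ubuntu and toil-storage Dockerfiles in this commit.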
@@ -0,0 +1,8 @@
+FROM --platform=$TARGETPLATFORM yolean/node-kafka-cache:root
+
+# Appends the same nonroot directives as https://github.com/Yolean/kubernetes-kafka/tree/master/nonroot
+# i.e. https://github.com/solsson/dockerfiles/tree/native/kafka-nonroot
+RUN grep 'nonroot:x:65532' /etc/passwd || \
+ echo 'nonroot:x:65532:65534:nonroot:/home/nonroot:/usr/sbin/nologin' >> /etc/passwd && \
+ mkdir -p /home/nonroot && touch /home/nonroot/.bash_history && chown -R 65532:65534 /home/nonroot
+USER nonroot:nogroup
diff --git a/to-nonroot/node-kafka/Dockerfile b/to-nonroot/node-kafka/Dockerfile
new file mode 100644
index 0000000..29916a4
--- /dev/null
+++ b/to-nonroot/node-kafka/Dockerfile
@@ -0,0 +1,8 @@
+FROM --platform=$TARGETPLATFORM yolean/node-kafka:root
+
+# Appends the same nonroot directives as https://github.com/Yolean/kubernetes-kafka/tree/master/nonroot
+# i.e. https://github.com/solsson/dockerfiles/tree/native/kafka-nonroot
+RUN grep 'nonroot:x:65532' /etc/passwd || \
+ echo 'nonroot:x:65532:65534:nonroot:/home/nonroot:/usr/sbin/nologin' >> /etc/passwd && \
+ mkdir -p /home/nonroot && touch /home/nonroot/.bash_history && chown -R 65532:65534 /home/nonroot
+USER nonroot:nogroup
diff --git a/to-nonroot/node-watchexec/Dockerfile b/to-nonroot/node-watchexec/Dockerfile
new file mode 100644
index 0000000..1c03b72
--- /dev/null
+++ b/to-nonroot/node-watchexec/Dockerfile
@@ -0,0 +1,8 @@
+FROM --platform=$TARGETPLATFORM yolean/node-watchexec:root
+
+# Appends the same nonroot directives as https://github.com/Yolean/kubernetes-kafka/tree/master/nonroot
+# i.e. https://github.com/solsson/dockerfiles/tree/native/kafka-nonroot
+RUN grep 'nonroot:x:65532' /etc/passwd || \
+ echo 'nonroot:x:65532:65534:nonroot:/home/nonroot:/usr/sbin/nologin' >> /etc/passwd && \
+ mkdir -p /home/nonroot && touch /home/nonroot/.bash_history && chown -R 65532:65534 /home/nonroot
+USER nonroot:nogroup
diff --git a/to-nonroot/node/Dockerfile b/to-nonroot/node/Dockerfile
new file mode 100644
index 0000000..e3427d3
--- /dev/null
+++ b/to-nonroot/node/Dockerfile
@@ -0,0 +1,8 @@
+FROM --platform=$TARGETPLATFORM yolean/node:root
+
+# Appends the same nonroot directives as https://github.com/Yolean/kubernetes-kafka/tree/master/nonroot
+# i.e. https://github.com/solsson/dockerfiles/tree/native/kafka-nonroot
+RUN grep 'nonroot:x:65532' /etc/passwd || \
+ echo 'nonroot:x:65532:65534:nonroot:/home/nonroot:/usr/sbin/nologin' >> /etc/passwd && \
+ mkdir -p /home/nonroot && touch /home/nonroot/.bash_history && chown -R 65532:65534 /home/nonroot
+USER nonroot:nogroup
diff --git a/to-nonroot/runtime-quarkus-dev/Dockerfile b/to-nonroot/runtime-quarkus-dev/Dockerfile
new file mode 100644
index 0000000..0fef915
--- /dev/null
+++ b/to-nonroot/runtime-quarkus-dev/Dockerfile
@@ -0,0 +1,8 @@
+FROM --platform=$TARGETPLATFORM yolean/runtime-quarkus-dev:root
+
+# Appends the same nonroot directives as https://github.com/Yolean/kubernetes-kafka/tree/master/nonroot
+# i.e. https://github.com/solsson/dockerfiles/tree/native/kafka-nonroot
+RUN grep 'nonroot:x:65532' /etc/passwd || \
+ echo 'nonroot:x:65532:65534:nonroot:/home/nonroot:/usr/sbin/nologin' >> /etc/passwd && \
+ mkdir -p /home/nonroot && touch /home/nonroot/.bash_history && chown -R 65532:65534 /home/nonroot
+USER nonroot:nogroup
diff --git a/to-nonroot/runtime-quarkus-ubuntu-jre/Dockerfile b/to-nonroot/runtime-quarkus-ubuntu-jre/Dockerfile
new file mode 100644
index 0000000..1ef38ad
--- /dev/null
+++ b/to-nonroot/runtime-quarkus-ubuntu-jre/Dockerfile
@@ -0,0 +1,8 @@
+FROM --platform=$TARGETPLATFORM yolean/runtime-quarkus-ubuntu-jre:root
+
+# Appends the same nonroot directives as https://github.com/Yolean/kubernetes-kafka/tree/master/nonroot
+# i.e. https://github.com/solsson/dockerfiles/tree/native/kafka-nonroot
+RUN grep 'nonroot:x:65532' /etc/passwd || \
+ echo 'nonroot:x:65532:65534:nonroot:/home/nonroot:/usr/sbin/nologin' >> /etc/passwd && \
+ mkdir -p /home/nonroot && touch /home/nonroot/.bash_history && chown -R 65532:65534 /home/nonroot
+USER nonroot:nogroup
diff --git a/to-nonroot/runtime-quarkus-ubuntu/Dockerfile b/to-nonroot/runtime-quarkus-ubuntu/Dockerfile
new file mode 100644
index 0000000..c455af8
--- /dev/null
+++ b/to-nonroot/runtime-quarkus-ubuntu/Dockerfile
@@ -0,0 +1,8 @@
+FROM --platform=$TARGETPLATFORM yolean/runtime-quarkus-ubuntu:root
+
+# Appends the same nonroot directives as https://github.com/Yolean/kubernetes-kafka/tree/master/nonroot
+# i.e. https://github.com/solsson/dockerfiles/tree/native/kafka-nonroot
+RUN grep 'nonroot:x:65532' /etc/passwd || \
+ echo 'nonroot:x:65532:65534:nonroot:/home/nonroot:/usr/sbin/nologin' >> /etc/passwd && \
+ mkdir -p /home/nonroot && touch /home/nonroot/.bash_history && chown -R 65532:65534 /home/nonroot
+USER nonroot:nogroup
diff --git a/to-nonroot/toil-storage/Dockerfile b/to-nonroot/toil-storage/Dockerfile
new file mode 100644
index 0000000..4f43d6f
--- /dev/null
+++ b/to-nonroot/toil-storage/Dockerfile
@@ -0,0 +1,8 @@
+FROM --platform=$TARGETPLATFORM yolean/toil-storage:root
+
+# Appends the same nonroot directives as https://github.com/Yolean/kubernetes-kafka/tree/master/nonroot
+# i.e. https://github.com/solsson/dockerfiles/tree/native/kafka-nonroot
+RUN grep 'nonroot:x:65532' /etc/passwd || \
+ echo 'nonroot:x:65532:65534:nonroot:/home/nonroot:/usr/sbin/nologin' >> /etc/passwd && \
+ mkdir -p /home/nonroot && touch /home/nonroot/.bash_history && chown -R 65532:65534 /home/nonroot
+USER nonroot:nogroup