ci: docker build example

Author: revant

.github/workflows/build.yaml

@@ -50,31 +50,60 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      ### Comment start - when not using docker build actions
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      ### Comment end - when not using docker build actions
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ inputs.registry || env.REGISTRY }}
+          username: ${{ inputs.registry-user || github.actor }}
+          password: ${{ secrets.REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
+
       - name: Source Build Env
         id: source-build-env
         run: |
           cat ./ci/build.env >> $GITHUB_ENV
           echo "VERSION=$(cat ./ci/version.txt)" >> $GITHUB_ENV
           echo "APPS_JSON_BASE64=$(base64 -w 0 ./ci/apps.json)" >> $GITHUB_ENV
 
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+      ### Using Kaniko (https://github.com/GoogleContainerTools/kaniko)
+      # - uses: int128/kaniko-action@v1
+      #   with:
+      #     push: true
+      #     cache: true
+      #     kaniko-args: |
+      #       --build-arg=FRAPPE_PATH=${{ inputs.frappe-repo || env.FRAPPE_REPO }}
+      #       --build-arg=FRAPPE_BRANCH=${{ inputs.frappe-version || env.FRAPPE_VERSION }}
+      #       --build-arg=PYTHON_VERSION=${{ inputs.py-version || env.PY_VERSION }}
+      #       --build-arg=NODE_VERSION=${{ inputs.nodejs-version || env.NODEJS_VERSION }}
+      #       --build-arg=APPS_JSON_BASE64=${{ inputs.apps-json-base64 || env.APPS_JSON_BASE64 }}
+      #       --context=${{ inputs.context || env.CONTEXT }}
+      #       --destination=ghcr.io/${{ github.repository }}/${{ inputs.image || env.IMAGE }}:${{ inputs.version || env.VERSION }}
+      #       --destination=ghcr.io/${{ github.repository }}/${{ inputs.image || env.IMAGE }}:latest
+      #     file: ${{ inputs.dockerfile || env.DOCKERFILE }}
+
+      ### Using docker build
+      - uses: actions/checkout@v4
         with:
-          registry: ${{ inputs.registry || env.REGISTRY }}
-          username: ${{ inputs.registry-user || github.actor }}
-          password: ${{ secrets.REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
+          repository: frappe/frappe_docker
+          path: builds
 
-      - uses: int128/kaniko-action@v1
+      - name: Build and push
+        uses: docker/build-push-action@v5
         with:
           push: true
-          cache: true
-          kaniko-args: |
-            --build-arg=FRAPPE_PATH=${{ inputs.frappe-repo || env.FRAPPE_REPO }}
-            --build-arg=FRAPPE_BRANCH=${{ inputs.frappe-version || env.FRAPPE_VERSION }}
-            --build-arg=PYTHON_VERSION=${{ inputs.py-version || env.PY_VERSION }}
-            --build-arg=NODE_VERSION=${{ inputs.nodejs-version || env.NODEJS_VERSION }}
-            --build-arg=APPS_JSON_BASE64=${{ inputs.apps-json-base64 || env.APPS_JSON_BASE64 }}
-            --context=${{ inputs.context || env.CONTEXT }}
-            --destination=ghcr.io/${{ github.repository }}/${{ inputs.image || env.IMAGE }}:${{ inputs.version || env.VERSION }}
-            --destination=ghcr.io/${{ github.repository }}/${{ inputs.image || env.IMAGE }}:latest
-          file: ${{ inputs.dockerfile || env.DOCKERFILE }}
+          context: builds
+          file: builds/${{ inputs.dockerfile || env.DOCKERFILE }}
+          tags: ghcr.io/${{ github.repository }}/${{ inputs.image || env.IMAGE }}:${{ inputs.version || env.VERSION }},ghcr.io/${{ github.repository }}/${{ inputs.image || env.IMAGE }}:latest
+          build-args: |
+            "FRAPPE_PATH=${{ inputs.frappe-repo || env.FRAPPE_REPO }}"
+            "FRAPPE_BRANCH=${{ inputs.frappe-version || env.FRAPPE_VERSION }}"
+            "PYTHON_VERSION=${{ inputs.py-version || env.PY_VERSION }}"
+            "NODE_VERSION=${{ inputs.nodejs-version || env.NODEJS_VERSION }}"
+            "APPS_JSON_BASE64=${{ inputs.apps-json-base64 || env.APPS_JSON_BASE64 }}"

docs/docker-swarm.md

@@ -38,6 +38,15 @@ usermod -aG docker ubuntu
 su - ubuntu
 ```
 
+Clone this repo
+
+```shell
+git clone https://github.com/castlecraft/custom_containers
+cd custom_containers
+```
+
+Note: traefik and portainer yamls specified in the further commands are in `compose` directory.
+
 ### Setup Docker Swarm
 
 Initialize swarm

kerberos-ldap-devcontainer/Dockerfile

@@ -0,0 +1,38 @@
+FROM debian:bookworm-slim
+# This Dockerfile adds a non-root user with sudo access. Use the "remoteUser"
+# property in devcontainer.json to use it. On Linux, the container user's GID/UIDs
+# will be updated to match your local UID/GID (when using the dockerFile property).
+# See https://aka.ms/vscode-remote/containers/non-root-user for details.
+ARG USERNAME=vscode
+ARG USER_UID=1000
+ARG USER_GID=$USER_UID
+
+ENV NVM_DIR=/home/vscode/.nvm
+ENV NODE_VERSION=20.13.1
+ENV PATH="/home/vscode/.nvm/versions/node/v${NODE_VERSION}/bin/:${PATH}"
+
+# Install sudo
+RUN apt-get update && apt-get install -y \
+  sudo \
+  python3 \
+  python3-requests \
+  curl \
+  git \
+  procps \
+  krb5-user \
+  wait-for-it \
+  wget \
+  # Add user, group, and add user to sudoer group
+  && groupadd --gid $USER_GID $USERNAME \
+  && useradd --no-log-init -r -m -u $USER_UID -g $USER_GID -G sudo -s /bin/bash $USERNAME \
+  && echo "${USERNAME} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers \
+  && wget -q https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb \
+  && apt-get install -y ./google-chrome-stable_current_amd64.deb \
+  && rm ./google-chrome-stable_current_amd64.deb
+
+USER $USERNAME
+
+RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash \
+  && npm install lerna @nestjs/cli yarn @angular/cli -g
+
+CMD [ "tail", "-f", "/dev/null" ]

kerberos-ldap-devcontainer/README.md

@@ -0,0 +1,29 @@
+### Add to kerberos
+
+In `kerberos` container:
+
+```shell
+kadmin.local -q 'addprinc -x dn=cn=Posix" "User,ou=Users,dc=example,dc=com posix.user'
+```
+
+In `development` container:
+
+```shell
+wait-for-it kerberos:749
+
+kadmin -p admin -q "addprinc -randkey HTTP/localhost" <<EOF
+admin
+admin
+EOF
+
+sudo kadmin -p admin -q "ktadd HTTP/localhost" <<EOF
+admin
+admin
+EOF
+
+sudo chown -R vscode:root /etc/krb5.keytab
+
+kinit -k HTTP/localhost
+
+klist
+```

kerberos-ldap-devcontainer/compose.yml

@@ -0,0 +1,160 @@
+services:
+  # LDAP
+  kerberos:
+    container_name: kerberos
+    image: nugaon/kerberos-with-ldap:latest
+    volumes:
+      - /dev/urandom:/dev/random
+    ports:
+      - 8800:88
+      - 4640:464
+      - 7490:749
+  ldap:
+    image: nugaon/openldap-with-kerberos:latest
+    container_name: ldap
+    domainname: "example.com" # important: same as hostname
+    hostname: "example.com"
+    environment:
+        LDAP_LOG_LEVEL: "256"
+        LDAP_ORGANISATION: "Example"
+        LDAP_DOMAIN: "example.com"
+        LDAP_BASE_DN: ""
+        LDAP_ADMIN_PASSWORD: "admin"
+        LDAP_CONFIG_PASSWORD: "config"
+        LDAP_READONLY_USER: "false"
+        LDAP_READONLY_USER_USERNAME: "readonly"
+        LDAP_READONLY_USER_PASSWORD: "readonly"
+        LDAP_RFC2307BIS_SCHEMA: "false"
+        LDAP_BACKEND: "mdb"
+        LDAP_TLS: "true"
+        LDAP_TLS_CRT_FILENAME: "ldap.crt"
+        LDAP_TLS_KEY_FILENAME: "ldap.key"
+        LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
+        LDAP_TLS_ENFORCE: "false"
+        LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
+        LDAP_TLS_PROTOCOL_MIN: "3.1"
+        LDAP_TLS_VERIFY_CLIENT: "demand"
+        LDAP_REPLICATION: "false"
+        #LDAP_REPLICATION_CONFIG_SYNCPROV: "binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical"
+        #LDAP_REPLICATION_DB_SYNCPROV: "binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical"
+        #docker-compose.ymlLDAP_REPLICATION_HOSTS: "#PYTHON2BASH:['ldap://ldap.example.com','ldap://ldap2.example.com']"
+        KEEP_EXISTING_CONFIG: "false"
+        LDAP_REMOVE_CONFIG_AFTER_SETUP: "false"
+        LDAP_SSL_HELPER_PREFIX: "ldap"
+    tty: true
+    stdin_open: true
+    volumes:
+      - ldap-data:/var/lib/ldap
+      - ldap-config:/etc/ldap/slapd.d
+      - ldap-certs:/container/service/slapd/assets/certs/
+      - ./ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/
+    ports:
+      - "389:389"
+      - "636:636"
+
+  phpldapadmin:
+    image: osixia/phpldapadmin:latest
+    container_name: ldapadmin
+    environment:
+      PHPLDAPADMIN_LDAP_HOSTS: ldap
+      PHPLDAPADMIN_HTTPS: "false"
+    ports:
+      - "8888:80"
+    depends_on:
+      - ldap
+
+  # Services
+  event-bus:
+    image: emqx/emqx:latest
+    environment:
+      - EMQX_ALLOW_ANONYMOUS=true
+      - EMQX_LOADED_PLUGINS=emqx_management,emqx_auth_mnesia,emqx_recon,emqx_retainer,emqx_dashboard
+    ports:
+      - 1883:1883
+      - 18083:18083
+      - 8081:8081
+
+  mongo:
+    image: bitnami/mongodb:latest
+    environment:
+      - "MONGODB_ROOT_PASSWORD=admin"
+      - "MONGODB_DATABASE=authorization-server"
+      - "MONGODB_USERNAME=authorization-server"
+      - "MONGODB_PASSWORD=admin"
+    volumes:
+      - mongodb-vol:/bitnami/mongodb
+    ports:
+      - 27017:27017
+
+  mongo-configuration:
+    image: bitnami/mongodb:latest
+    user: root
+    volumes:
+      - mongodb-vol:/bitnami
+    command:
+      - bash
+      - -c
+      - >
+        chown -R 1001:1001 /bitnami;
+        sleep 10;
+        mongosh identity-provider \
+          --host mongo \
+          --port 27017 \
+          --username root \
+          --password admin \
+          --authenticationDatabase admin \
+          --eval "db.createUser({user: 'identity-provider', pwd: 'admin', roles:[{role:'dbOwner', db: 'identity-provider'}]});";
+
+        mongosh infrastructure-console \
+          --host mongo \
+          --port 27017 \
+          --username root \
+          --password admin \
+          --authenticationDatabase admin \
+          --eval "db.createUser({user: 'infrastructure-console', pwd: 'admin', roles:[{role:'dbOwner', db: 'infrastructure-console'}]});";
+
+        mongosh communication-server \
+          --host mongo \
+          --port 27017 \
+          --username root \
+          --password admin \
+          --authenticationDatabase admin \
+          --eval "db.createUser({user: 'communication-server', pwd: 'admin', roles:[{role:'dbOwner', db: 'communication-server'}]});";
+
+        mongosh test_authorization-server \
+          --host mongo \
+          --port 27017 \
+          --username root \
+          --password admin \
+          --authenticationDatabase admin \
+          --eval "db.createUser({user: 'authorization-server', pwd: 'admin', roles:[{role:'dbOwner', db: 'test_authorization-server'}]});"
+
+  development:
+    environment:
+      - SHELL=/bin/bash
+      # - XDG_RUNTIME_DIR=/tmp
+      # - WAYLAND_DISPLAY=${WAYLAND_DISPLAY}
+      # - DISPLAY=:14
+      # - LIBGL_ALWAYS_INDIRECT=0
+    extra_hosts:
+      example.com: 172.17.0.1
+      www.example.com: 172.17.0.1
+      accounts.localhost: 127.0.0.1
+      admin.localhost: 127.0.0.1
+      connect.localhost: 127.0.0.1
+      myaccount.localhost: 127.0.0.1
+      accounts.example.com: 172.17.0.1
+      admin.example.com: 172.17.0.1
+      connect.example.com: 172.17.0.1
+      myaccount.example.com: 172.17.0.1
+    build: .
+    volumes:
+      - ..:/workspace
+      - ./krb5-client.conf:/etc/krb5.conf
+    working_dir: /workspace
+
+volumes:
+  mongodb-vol:
+  ldap-data:
+  ldap-config:
+  ldap-certs:

kerberos-ldap-devcontainer/devcontainer.json

@@ -0,0 +1,22 @@
+{
+    "name": "development",
+    "remoteEnv": {
+        "SYNC_LOCALHOST_KUBECONFIG": "true"
+    },
+    "dockerComposeFile": "./compose.yml",
+    "service": "development",
+    "workspaceFolder": "/workspace",
+    "shutdownAction": "stopCompose",
+    "remoteUser": "vscode",
+    "customizations": {
+        "vscode": {
+            "extensions": [
+                "streetsidesoftware.code-spell-checker",
+                "dbaeumer.vscode-eslint",
+                "eamodio.gitlens",
+                "esbenp.prettier-vscode",
+                "prettier.prettier-vscode"
+            ]
+        }
+    }
+}

kerberos-ldap-devcontainer/krb5-client.conf

@@ -0,0 +1,19 @@
+[libdefaults]
+	default_realm = EXAMPLE.COM
+# The following krb5.conf variables are only for MIT Kerberos.
+	kdc_timesync = 1
+	ccache_type = 4
+	forwardable = true
+	proxiable = true
+# The following libdefaults parameters are only for Heimdal Kerberos.
+	fcc-mit-ticketflags = true
+
+[realms]
+	EXAMPLE.COM = {
+		kdc = kerberos
+		admin_server = kerberos
+	}
+
+[domain_realm]
+  example.com = EXAMPLE.COM
+  .example.com = EXAMPLE.COM