Dockerfile: switched to distroless, specified defaults environment variables for containerized kopia (kopia#897)

jkowalski · web-flow · commit 3a94c16678cd · 2021-03-19T21:54:48.000-07:00
* Dockerfile: specified reasonable defaults options for containerized kopia

* addressed pr comments, switched to gcr.io/distroless/static:nonroot

distroless has no executable code, so this requires KOPIA_PASSWORD
to always be provided via env, b/c distroless does not have
/bin/stty to disable TTY echo (we should not require that, BTW)

* site: added docker image documentation
diff --git a/cli/command_repository_connect.go b/cli/command_repository_connect.go
@@ -30,7 +30,7 @@ var (
 func setupConnectOptions(cmd *kingpin.CmdClause) {
 	// Set up flags shared between 'create' and 'connect'. Note that because those flags are used by both command
 	// we must use *Var() methods, otherwise one of the commands would always get default flag values.
-	cmd.Flag("persist-credentials", "Persist credentials").Default("true").BoolVar(&connectPersistCredentials)
+	cmd.Flag("persist-credentials", "Persist credentials").Default("true").Envar("KOPIA_PERSIST_CREDENTIALS_ON_CONNECT").BoolVar(&connectPersistCredentials)
 	cmd.Flag("cache-directory", "Cache directory").PlaceHolder("PATH").Envar("KOPIA_CACHE_DIRECTORY").StringVar(&connectCacheDirectory)
 	cmd.Flag("content-cache-size-mb", "Size of local content cache").PlaceHolder("MB").Default("5000").Int64Var(&connectMaxCacheSizeMB)
 	cmd.Flag("metadata-cache-size-mb", "Size of local metadata cache").PlaceHolder("MB").Default("5000").Int64Var(&connectMaxMetadataCacheSizeMB)
diff --git a/site/content/docs/Installation/_index.md b/site/content/docs/Installation/_index.md
@@ -4,14 +4,16 @@ linkTitle: "Installation"
 weight: 20
 ---
 
-### Installing Kopia 
+### Installing Kopia
 
 Kopia is an open source software (OSS) developed by a community on GitHub.
 
 The recommended way of installing Kopia is to use a package manager for your operating system (YUM or APT for Linux, Homebrew for macOS, Scoop for Windows). They offer quick and convenient way of installing and keeping Kopia up-to-date. See below for more information.
 
 You can also download the [Source Code](https://github.com/kopia/kopia/) or [Binary Releases](https://github.com/kopia/kopia/releases/latest) directly from GitHub. 
 
+Pre-built [Docker Images](#docker-images) are also available.
+
 Kopia is available in two variants:
 
 * `Command Line Interface (CLI)` which is a stand-alone binary called `kopia` and which can be used a terminal window or scripts. This is typically the preferred option for power users, system administrators, etc.
@@ -185,14 +187,55 @@ $ chmod u+x path/to/kopia
 $ sudo mv path/to/kopia /usr/local/bin/kopia
 ```
 
+### Docker Images
+
+Kopia provides pre-built Docker container images for `amd64`, `arm64` and `arm` on [DockerHub](https://hub.docker.com/r/kopia/kopia).
+
+The following tags are available:
+
+* `latest` - tracks latest stable release
+* `testing` - tracks latest stable or pre-release (such as a beta or release candidate)
+* `unstable` - tracks latest unstable nightly build
+* `major.minor` - latest patch release for a given major and minor version (e.g. `0.8`)
+* `major.minor.patch` - specific stable release
+
+In order to run Kopia in a container, you must:
+
+* provide repository password via `KOPIA_PASSWORD` environment variable
+* mount `/app/config` directory in which Kopia will look for `repository.config` file
+* (recommended) mount `/app/cache` directory in which Kopia will be keeping a cache of downloaded data
+* (optional) mount `/app/logs` directory in which Kopia will be writing logs
+* mount any data directory used for locally-attached repository
+
+Invocation of `kopia/kopia` in a container will be similar to the following example: 
+
+```shell
+$ docker pull kopia/kopia:testing
+$ docker run -e KOPIA_PASSWORD \
+    -v /path/to/config/dir:/app/config \
+    -v /path/to/cache/dir:/app/cache \
+    kopia/kopia:testing snapshot list
+```
+
+(Adjust `testing` tag to the appropriate version)
+
+>NOTE Kopia in container overrides default values of some environment variables, see https://github.com/kopia/kopia/blob/master/tools/docker/Dockerfile for more details.
+
+Because Docker environment uses random hostnames it is recommended to explicitly set them using `--override-hostname` and `--override-username` parameters to Kopia when connecting
+to a repository. The names will be persisted in a configuration file and used afterwards.
+
 ### Compilation From Source
 
-If you have [Go 1.15](https://golang.org/) or newer, you may download and build Kopia yourself. No special setup is necessary, other than the Go compiler. You can simply run:
+If you have [Go 1.16](https://golang.org/) or newer, you may download and build Kopia yourself. No special setup is necessary, other than the Go compiler. You can simply run:
 
 ```shell
 $ go get github.com/kopia/kopia
 ```
 
 The resulting binary will be available in `$HOME/go/bin`. Note that this will produce basic binary that has all the features except support for HTML-based UI. To build full binary, download the source from GitHub and run:
 
+```shell
+$ make install
+```
+
 Additional information about building Kopia from source is available at https://github.com/kopia/kopia/blob/master/BUILD.md
diff --git a/tools/docker-publish.sh b/tools/docker-publish.sh
@@ -2,7 +2,9 @@
 set -e
 DIST_DIR=dist
 DOCKER_BUILD_DIR=tools/docker
-DOCKERHUB_REPO=kopia/kopia
+if [ "$DOCKERHUB_REPO" == "" ]; then
+    DOCKERHUB_REPO=kopia/kopia
+fi
 
 cp -r "$DIST_DIR/kopia_linux_amd64/" "$DOCKER_BUILD_DIR/bin-amd64/"
 cp -r "$DIST_DIR/kopia_linux_arm64/" "$DOCKER_BUILD_DIR/bin-arm64/"
@@ -41,4 +43,4 @@ for t in $extra_tags; do
 done
 
 echo Building $versioned_image with tags [$tags]...
-docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v6 $tags --push $DOCKER_BUILD_DIR
+docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 $tags --push $DOCKER_BUILD_DIR
diff --git a/tools/docker/Dockerfile b/tools/docker/Dockerfile
@@ -1,6 +1,18 @@
-FROM alpine
+FROM gcr.io/distroless/static:nonroot
 ARG TARGETARCH
-RUN apk add --no-cache --verbose ca-certificates && adduser -D kopia && addgroup kopia kopia
-USER kopia:kopia
-ENTRYPOINT ["/kopia"]
-COPY bin-${TARGETARCH}/kopia /
+
+# allow users to mount /app/config, /app/logs and /app/cache respectively
+ENV KOPIA_CONFIG_PATH=/app/config/repository.config
+ENV KOPIA_LOG_DIR=/app/logs
+ENV KOPIA_CACHE_DIRECTORY=/app/cache
+
+# this requires repository password to be passed via KOPIA_PASSWORD environment.
+ENV KOPIA_PERSIST_CREDENTIALS_ON_CONNECT=false
+ENV KOPIA_CHECK_FOR_UPDATES=false
+
+# this creates directories writable by the current user
+WORKDIR /app
+
+COPY bin-${TARGETARCH}/kopia .
+
+ENTRYPOINT ["/app/kopia"]
diff --git a/tools/docker/Makefile b/tools/docker/Makefile
