Switch to base image new tagging; Add multistage image building

cyberark · Aug 30, 2023 · 2b0ca6e · 2b0ca6e
1 parent 3530cc6
commit 2b0ca6e
Show file tree

Hide file tree

Showing 6 changed files with 59 additions and 42 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -36,6 +36,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Additive policy requests submitted via POST are rejected with a 400 status if
  they attempt to update an existing resource.
  [cyberark/conjur#2888](https://github.com/cyberark/conjur/pull/2888)
+- Changed base-image tagging strategy
+ [cyberark/conjur#2926](https://github.com/cyberark/conjur/pull/2926)
 
 ### Fixed
 - Support Authn-IAM regional requests when host value is missing from signed headers.

diff --git a/Dockerfile b/Dockerfile
@@ -1,12 +1,29 @@
+FROM cyberark/ubuntu-ruby-builder:latest as builder
+
+WORKDIR /opt/conjur-server
+
+COPY Gemfile \
+ Gemfile.lock ./
+COPY gems/ gems/
+
+RUN bundle --without test development && \
+ # Remove private keys brought in by gems in their test data
+ find / -name openid_connect -type d -exec find {} -name '*.pem' -type f -delete \; && \
+ find / -name 'httpclient-*' -type d -exec find {} -name '*.key' -type f -delete \; && \
+ find / -name httpclient -type d -exec find {} -name '*.pem' -type f -delete \;
+
 FROM cyberark/ubuntu-ruby-fips:latest
 
-ENV DEBIAN_FRONTEND=noninteractive \
- PORT=80 \
- LOG_DIR=/opt/conjur-server/log \
- TMP_DIR=/opt/conjur-server/tmp \
- SSL_CERT_DIRECTORY=/opt/conjur/etc/ssl
+ENV PORT=80 \
+ LOG_DIR=${CONJUR_HOME}/log \
+ TMP_DIR=${CONJUR_HOME}/tmp \
+ SSL_CERT_DIRECTORY=/opt/conjur/etc/ssl \
+ RAILS_ENV=production \
+ CONJUR_HOME=/opt/conjur-server
+
+ENV PATH="${PATH}:${CONJUR_HOME}/bin"
 
-EXPOSE 80
+WORKDIR ${CONJUR_HOME}
 
 RUN apt-get update -y && \
  apt-get -y dist-upgrade && \
@@ -19,30 +36,16 @@ RUN apt-get install -y build-essential \
  tzdata \
  && rm -rf /var/lib/apt/lists/*
 
-WORKDIR /opt/conjur-server
-
 # Ensure few required GID0-owned folders to run as a random UID (OpenShift requirement)
 RUN mkdir -p $TMP_DIR \
  $LOG_DIR \
  $SSL_CERT_DIRECTORY/ca \
  $SSL_CERT_DIRECTORY/cert \
  /run/authn-local
 
-COPY Gemfile \
- Gemfile.lock ./
-COPY gems/ gems/
-
-
-RUN bundle --without test development && \
- # Remove private keys brought in by gems in their test data
- find / -name openid_connect -type d -exec find {} -name '*.pem' -type f -delete \; && \
- find / -name 'httpclient-*' -type d -exec find {} -name '*.key' -type f -delete \; && \
- find / -name httpclient -type d -exec find {} -name '*.pem' -type f -delete \;
-
 COPY . .
+COPY --from=builder ${CONJUR_HOME} ${CONJUR_HOME}
 
-RUN ln -sf /opt/conjur-server/bin/conjurctl /usr/local/bin/
-
-ENV RAILS_ENV production
+EXPOSE ${PORT}
 
 ENTRYPOINT [ "conjurctl" ]
diff --git a/build.sh b/build.sh
@@ -26,26 +26,33 @@ shift # past argument or value
 done
 
 # Flatten resulting image.
+# This script will rewrite all properties of input image (PORT, ENV, WORKDIR, USER, ENTRYPOINT, CMD)
+# instead of hard-coding each of them.
+# shellcheck disable=SC2016
 function flatten() {
  local image="$1"
  echo "Flattening image '$image'..."
-
- # Since `--squash` is still experimental, we have to flatten the image
- # by exporting and importing a container based on the source image. By
- # doing this though, we lose a lot of the Dockerfile variables that are
- # required for running the image (ENV, EXPOSE, WORKDIR, etc) so we
- # manually rebuild them.
- # See here for more details: https://github.com/moby/moby/issues/8334
  local container
  container=$(docker create "$image")
+ local envs
+ envs=$(docker inspect -f '{{range $index, $value := .Config.Env}}{{$value}} {{end}}' "$container")
+ local workDir
+ workDir=$(docker inspect -f '{{ .Config.WorkingDir }}' "$container")
+ local user
+ user=$(docker inspect -f '{{ .Config.User }}' "$container")
+ local entrypoint
+ entrypoint=$(docker inspect -f '[{{range $index, $value := .Config.Entrypoint }}{{if $index}},{{end}}"{{$value}}"{{end}}]' "$container")
+ local cmd
+ cmd=$(docker inspect -f '[{{range $index, $value := .Config.Cmd }}{{if $index}},{{end}}"{{$value}}"{{end}}]' "$container")
+ local ports
+ IFS=":" read -r -a ports <<< "$(docker inspect -f '{{range $port, $empty := .Config.ExposedPorts}}--change:EXPOSE {{$port}}:{{end}}' "$container")"
  docker export "$container" | docker import \
- --change "ENV PATH /usr/local/pgsql/bin:/var/lib/ruby/bin:/usr/local/ssl/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
- --change "ENV LD_LIBRARY_PATH /usr/local/ssl/lib" \
- --change "ENV OPENSSL_FIPS 1" \
- --change "EXPOSE 80" \
- --change "ENV RAILS_ENV=production" \
- --change "WORKDIR /opt/conjur-server" \
- --change 'ENTRYPOINT ["conjurctl"]' \
+ "${ports[@]}" \
+ --change "ENV $envs" \
+ --change "WORKDIR $workDir" \
+ --change "USER ${user:=0}" \
+ --change "ENTRYPOINT $entrypoint" \
+ --change "CMD $cmd" \
  - "$image"
  docker rm "$container"
 }
@@ -82,4 +89,5 @@ fi
 if image_doesnt_exist "conjur-ubi:$TAG"; then
  echo "Building image conjur-ubi:$TAG container"
  docker build --build-arg "VERSION=$TAG" -t "conjur-ubi:$TAG" -f Dockerfile.ubi .
+ flatten "conjur-ubi:$TAG"
 fi
diff --git a/ci/test_suites/authenticators_k8s/Dockerfile.dev b/ci/test_suites/authenticators_k8s/Dockerfile.dev
@@ -1,4 +1,4 @@
-FROM registry2.itci.conjur.net/conjur-appliance-cuke-master:4.9-stable
+FROM registry.tld/conjur-appliance-cuke-master:4.9-stable
 
 RUN apt-get update && apt-get install -y zlib1g-dev
 

diff --git a/dev/Dockerfile.dev b/dev/Dockerfile.dev
@@ -1,6 +1,8 @@
-FROM cyberark/phusion-ruby-fips:latest
+FROM cyberark/ubuntu-ruby-fips:latest
 
 RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y \
+ libz-dev
+RUN DEBIAN_FRONTEND=noninteractive apt-get install -y \
  build-essential \
  ldap-utils \
  git \
@@ -30,9 +32,7 @@ RUN bundle
 # removing CA bundle of httpclient gem
 RUN find / -name httpclient -type d -exec find {} -name *.pem -type f -delete \;
 
-RUN rm /etc/service/sshd/down
 RUN ln -sf /src/conjur-server/bin/conjurctl /usr/local/bin/
-RUN rm /etc/my_init.d/10_syslog-ng.init
 
 ENV PORT 3000
 ENV TERM xterm

diff --git a/package.sh b/package.sh
@@ -8,14 +8,16 @@ chmod +x docker-debify
 docker run --rm \
  -v "$(pwd)":"$(pwd)" \
  --workdir "$(pwd)" \
- cyberark/phusion-ruby-fips:latest \
- sh -c "apt-get update -y && apt-get install -y git && bundle lock --update=conjur-api"
+ cyberark/ubuntu-ruby-builder:latest \
+ sh -c "bundle lock --update=conjur-api"
 
 # Create possum deb
 ./docker-debify package \
  --dockerfile=Dockerfile.fpm \
  --output=deb \
  --version "$(<VERSION)" \
+ --image="cyberark/ubuntu-ruby-builder" \
+ --image-tag="latest" \
  possum \
  -- \
  --depends tzdata
@@ -27,6 +29,8 @@ docker run --rm \
  --dockerfile=Dockerfile.fpm \
  --output=rpm \
  --version "$(<VERSION)" \
+ --image="cyberark/ubuntu-ruby-builder" \
+ --image-tag="latest" \
  possum \
  -- \
  --depends tzdata \