From 5ed4436043c26523668b3c6f9887825cf719f5ea Mon Sep 17 00:00:00 2001
From: Scott Crooks
Date: Sat, 31 Aug 2019 16:49:41 +0200
Subject: [PATCH] Move to Quay; build improvements
---
.dockerignore | 2 +-
.gitlab-ci.yml | 46 ++++++++++++++--------------------
Dockerfile | 49 +++++++++++++++++++++++++++++++++----
build-env.sh | 0
build-linux.sh | 5 ++--
build-mac.sh | 5 ++--
init.sh | 22 -----------------
rootfs/docker-entrypoint.sh | 20 +++++++++++++++
8 files changed, 90 insertions(+), 59 deletions(-)
mode change 100644 => 120000 .dockerignore
mode change 100644 => 100755 build-env.sh
delete mode 100755 init.sh
create mode 100755 rootfs/docker-entrypoint.sh
diff --git a/.dockerignore b/.dockerignore
deleted file mode 100644
index 5da2aba..0000000
--- a/.dockerignore
+++ /dev/null
@@ -1 +0,0 @@
-.go
diff --git a/.dockerignore b/.dockerignore
new file mode 120000
index 0000000..3e4e48b
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1 @@
+.gitignore
\ No newline at end of file
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 33e3031..b848138 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,33 +1,27 @@ variables: + CI_REGISTRY: quay.io GL_URL: github.com/rb3ckers GO_PROJECT_NAMESPACE: trafficmirror IMAGE_FAMILY: stackstate/trafficmirror - CI_REGISTRY: docker.io - -.prep_go: &prep_go - before_script: - - echo export GO_PROJECT_PATH="$GOPATH/src/$GL_URL/$GO_PROJECT_NAMESPACE" - - export GO_PROJECT_PATH="$GOPATH/src/$GL_URL/$GO_PROJECT_NAMESPACE" - - rm -rf $GOPATH/src/$GL_URL - - mkdir -p $GOPATH/src/$GL_URL - - echo ln -s $(pwd) $GO_PROJECT_PATH - - ln -s $(pwd) $GO_PROJECT_PATH - - cd $GO_PROJECT_PATH stages: - build - docker_build go_build: - <<: *prep_go stage: build - image: golang:1.11 + image: docker:stable script: - - go get github.com/golang/dep/cmd/dep - - dep ensure - - mkdir -p build - - env GOOS=linux GOARCH=amd64 go build -o build/trafficmirror - - ls -la $GO_PROJECT_PATH/ + - docker build + --tag "${CI_REGISTRY}/${IMAGE_FAMILY}:${CI_BUILD_REF:-dirty}" + --target builder + ${PWD} + - docker run + --volume ${PWD}/build:/opt/copy + --rm + --entrypoint cp + "${CI_REGISTRY}/${IMAGE_FAMILY}:${CI_BUILD_REF:-dirty}" + /build/trafficmirror /opt/copy/ artifacts: paths: - build @@ -35,13 +29,11 @@ go_build: docker_build: stage: docker_build - image: docker:latest - dependencies: - - go_build - services: - - docker:dind + image: docker:stable script: - - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY - - docker build -t $IMAGE_FAMILY:${CI_BUILD_REF:-dirty} . - - echo docker push $IMAGE_FAMILY:${CI_BUILD_REF:-dirty} - - docker push $IMAGE_FAMILY:${CI_BUILD_REF:-dirty} + - echo "${quay_password}" | docker login --username=${quay_user} --password-stdin ${CI_REGISTRY} + - docker build + --tag ${CI_REGISTRY}/${IMAGE_FAMILY}:${CI_BUILD_REF:-dirty + --target app + ${PWD} + - docker push "${CI_REGISTRY}/${IMAGE_FAMILY}:${CI_BUILD_REF:-dirty}" diff --git a/Dockerfile b/Dockerfile index 51a4207..52c9fc3 100644 --- a/Dockerfile +++ b/Dockerfile 
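Review bot: The `go_build` job tags the `--target builder` image with the same name, `${CI_REGISTRY}/${IMAGE_FAMILY}:${CI_BUILD_REF:-dirty}`, that `docker_build` later pushes. On a daemon shared between jobs the release tag therefore points, for a while, at an image that holds the whole source tree and the Go toolchain, and a push issued before the `app` build finishes would publish it. A separate local tag keeps the two apart, for example `--tag "trafficmirror-builder:${CI_BUILD_REF:-dirty}"` in both the `docker build` and the `docker run` of this job.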
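Review bot: The `--tag` argument in `docker_build` is missing its closing brace: `${CI_BUILD_REF:-dirty` never ends the expansion, so the shell either rejects the command or swallows the following `--target app` into the default value. It should read `--tag "${CI_REGISTRY}/${IMAGE_FAMILY}:${CI_BUILD_REF:-dirty}"`, quoted like the `docker push` line below it, and `--username="${quay_user}"` deserves the same quoting. The hunk also removes `services: docker:dind` while both jobs still call `docker`. That works only if the runner supplies a daemon some other way, presumably a mounted host socket; a comment in the file should say so, because such a runner gives every job script control of the host daemon.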
@@ -1,10 +1,49 @@ -FROM debian:stretch +########### +# Builder # +########### -ADD ./init.sh /init.sh -RUN chmod +x /init.sh && apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/* +FROM golang:1.11-alpine AS builder -ADD build/trafficmirror /trafficmirror +RUN apk add --no-cache git -CMD ["/init.sh"] +COPY . $GOPATH/src/github.com/rb3ckers/trafficmirror + +WORKDIR $GOPATH/src/github.com/rb3ckers/trafficmirror + +RUN set -ex \ + && go get -u -v github.com/golang/dep/cmd/dep \ + && dep ensure -v \ + && GOOS=linux GOARCH=amd64 go build -o /build/trafficmirror + +RUN /build/trafficmirror --help + +####### +# App # +####### + +FROM alpine:latest AS app + +ENV PERSISTENT_PACKAGES="ca-certificates tini" + +# Copy support files +COPY rootfs / + +# Upgrade OS packages for security +RUN apk upgrade --no-cache --available \ + && apk add --no-cache ${PERSISTENT_PACKAGES} + +# Copy artifacts from builder container +COPY --from=builder /build/trafficmirror /trafficmirror + +# Create non-root user +RUN addgroup -S -g 1000 stackstate && \ + adduser -S -u 1000 -G stackstate -s /bin/sh stackstate + +# Switch to non-root user +USER stackstate EXPOSE 8080 + +ENTRYPOINT ["/sbin/tini", "--"] + +CMD ["/docker-entrypoint.sh"] diff --git a/build-env.sh b/build-env.sh old mode 100644 new mode 100755 diff --git a/build-linux.sh b/build-linux.sh index 3096fb7..d9c36cd 100755 --- a/build-linux.sh +++ b/build-linux.sh @@ -1,2 +1,3 @@ -#! /bin/bash -env GOOS=linux GOARCH=amd64 go build \ No newline at end of file +#!/bin/bash + +env GOOS=linux GOARCH=amd64 go build diff --git a/build-mac.sh b/build-mac.sh index a9001c3..b50e673 100755 --- a/build-mac.sh +++ b/build-mac.sh @@ -1,2 +1,3 @@ -#! /bin/bash -env GOOS=darwin GOARCH=386 go build \ No newline at end of file +#!/bin/bash + +env GOOS=darwin GOARCH=386 go build diff --git a/init.sh b/init.sh deleted file mode 100755 index 696c156..0000000 --- a/init.sh +++ /dev/null 
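Review bot: The `app` stage starts from `FROM alpine:latest` and then runs `apk upgrade --no-cache --available`, and the builder installs dep with `go get -u -v github.com/golang/dep/cmd/dep`, so two builds of the same commit can ship different base layers and a dep binary built from whatever the default branch holds that day. Pinning both ties the pushed image to reviewed inputs: `FROM alpine:<pinned-version> AS app`, ideally with a digest, and a released dep version verified against its published checksum, or at least `go get` without `-u`. Separately, `COPY . $GOPATH/src/github.com/rb3ckers/trafficmirror` now depends on `.dockerignore` being a symlink to `.gitignore`, which presumably does not list `.git` or local credential files. Those would land in the builder image that CI tags, so a real `.dockerignore` that excludes them is safer.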
@@ -1,22 +0,0 @@
-#!/bin/sh
-
-# Takes these environment variables:
-#
-# LISTEN_PORT: port to listen on (defaults to 8080)
-# MAIN: reverse proxy to this address (defaults to localhost:8888)
-# USERNAME & PASSWORD: if USERNAME is set protect targets endpoint with basic auth (default to empty)
-
-listen_port=${LISTEN_PORT:-8080}
-main=${MAIN:-localhost:8888}
-extra_params=$1
-
-if [ ! -z "${USERNAME}" ]
-then
- printf "${USERNAME}:${PASSWORD}" > /password.file
- extra_params="${extra_params} -password /password.file"
-fi
-
-cmd="/trafficmirror -listen ":${listen_port}" -main=${main} $extra_params"
-
-echo "$cmd"
-eval "$cmd"
diff --git a/rootfs/docker-entrypoint.sh b/rootfs/docker-entrypoint.sh
new file mode 100755
index 0000000..0cc2fc3
--- /dev/null
+++ b/rootfs/docker-entrypoint.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Takes these environment variables:
+#
+# LISTEN_PORT: port to listen on (defaults to 8080)
+# MAIN: reverse proxy to this address (defaults to localhost:8888)
+# USERNAME & PASSWORD: if USERNAME is set protect targets endpoint with basic auth (default to empty)
+
+extraParams="${1}"
+listenPort="${LISTEN_PORT:-8080}"
+main="${MAIN:-localhost:8888}"
+
+if [ -n "${USERNAME}" ]; then
+ echo "${USERNAME}:${PASSWORD}" > /password.file
+ extraParams="${extraParams} -password /password.file"
+fi
+
+cmd="/trafficmirror -listen ":${listenPort}" -main=${main} ${extraParams}"
+
+exec "${cmd}"
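Review bot: `exec "${cmd}"` on the last line of `rootfs/docker-entrypoint.sh` passes the whole command line as a single word, so the shell looks for a program literally named `/trafficmirror -listen :8080 …` and the container exits instead of starting the proxy. The script also still writes `/password.file`, but the Dockerfile in this commit switches to `USER stackstate`, which presumably cannot create files in `/`, and the file would be created with the default umask. Passing the arguments as positional parameters avoids both the command string and the `eval` that the old `init.sh` used, and the credentials can go to a path the runtime user owns under a restrictive umask. `echo` also appends a newline that the old `printf` did not; the sketch below keeps the old content, so confirm which form the `-password` file parser expects.

```shell
# … unchanged: shebang, variable docs, extraParams/listenPort/main defaults …

# Build the argument list as positional parameters so nothing is re-parsed.
set -- -listen ":${listenPort}" -main="${main}"

if [ -n "${USERNAME}" ]; then
  # The image runs as a non-root user: write where that user may write,
  # and keep the credentials unreadable by anyone else.
  passwordFile="/tmp/password.file"
  ( umask 077 && printf '%s:%s' "${USERNAME}" "${PASSWORD}" > "${passwordFile}" )
  set -- "$@" -password "${passwordFile}"
fi

# extraParams stays unquoted on purpose so it still splits into separate flags.
# shellcheck disable=SC2086
exec /trafficmirror "$@" ${extraParams}
```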