build: use build secrets in Dockerfile
Signed-off-by: Viet Nguyen Duc <nguyenducviet4496@gmail.com>
VietND96 committed Aug 22, 2024
1 parent d26a433 commit 49eb45d
Showing 4 changed files with 16 additions and 15 deletions.
7 changes: 3 additions & 4 deletions Base/Dockerfile
Expand Up @@ -14,7 +14,6 @@ ARG CS_VERSION=2.1.10
#Arguments to define the user running Selenium
ARG SEL_USER=seluser
ARG SEL_GROUP=${SEL_USER}
ARG SEL_PASSWD=secret
ARG HOME=/home/${SEL_USER}
ARG UID=1200
ARG GID=1201
Expand All @@ -39,7 +38,8 @@ ENV DEBIAN_FRONTEND=noninteractive \
# Miscellaneous packages
# Includes minimal runtime used for executing non GUI Java programs
#========================
RUN if [ "$(dpkg --print-architecture)" = "amd64" ]; then \
RUN --mount=type=secret,id=SEL_PASSWD \
if [ "$(dpkg --print-architecture)" = "amd64" ]; then \
echo "deb http://archive.ubuntu.com/ubuntu noble main universe\n" > /etc/apt/sources.list \
&& echo "deb http://archive.ubuntu.com/ubuntu noble-updates main universe\n" >> /etc/apt/sources.list \
&& echo "deb http://security.ubuntu.com/ubuntu noble-security main universe\n" >> /etc/apt/sources.list ; \
Expand Down Expand Up @@ -86,7 +86,7 @@ RUN if [ "$(dpkg --print-architecture)" = "amd64" ]; then \
--uid ${SEL_UID} \
&& usermod -a -G sudo ${SEL_USER} \
&& echo 'ALL ALL = (ALL) NOPASSWD: ALL' >> /etc/sudoers \
&& echo "${SEL_USER}:${SEL_PASSWD}" | chpasswd \
&& echo "${SEL_USER}:$(cat /run/secrets/SEL_PASSWD)" | chpasswd \
#==========
# Selenium & relaxing permissions for OpenShift and other non-sudo environments
#==========
Expand All @@ -99,7 +99,6 @@ RUN if [ "$(dpkg --print-architecture)" = "amd64" ]; then \
&& chmod -R 775 /opt/selenium /var/run/supervisor /var/log/supervisor /etc/passwd ${HOME} \
&& wget --no-verbose https://github.com/${AUTHORS}/selenium/releases/download/${RELEASE}/selenium-server-${VERSION}.jar \
-O /opt/selenium/selenium-server.jar \
&& echo "${SEL_PASSWD}" > /opt/selenium/initialPasswd \
&& chgrp -R 0 /opt/selenium ${HOME} /opt/selenium/assets /var/run/supervisor /var/log/supervisor \
&& chmod -R g=u /opt/selenium ${HOME} /opt/selenium/assets /var/run/supervisor /var/log/supervisor \
&& setfacl -Rm u:${SEL_USER}:rwx /opt /opt/selenium ${HOME} /opt/selenium/assets /var/run/supervisor /var/log/supervisor \
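Review bot: The secret mount on `RUN --mount=type=secret,id=SEL_PASSWD \` is optional, so a build started without `--secret id=SEL_PASSWD` still succeeds: `$(cat /run/secrets/SEL_PASSWD)` fails inside the command substitution, that failure does not break the `&&` chain because `echo` returns 0, and `chpasswd` receives `seluser:` and may set an empty password. Make the mount mandatory, `RUN --mount=type=secret,id=SEL_PASSWD,required=true \`, and consider asserting the file is non-empty before it is used, `&& [ -s /run/secrets/SEL_PASSWD ] \`. The same optional mount appears in NodeBase/Dockerfile and Video/Dockerfile in this commit. The RUN instruction these hunks edit starts and ends outside the visible lines.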
8 changes: 5 additions & 3 deletions Makefile
Expand Up @@ -22,6 +22,7 @@ FFMPEG_TAG_VERSION := $(or $(FFMPEG_TAG_VERSION),$(FFMPEG_TAG_VERSION),ffmpeg-7.
FFMPEG_BASED_NAME := $(or $(FFMPEG_BASED_NAME),$(FFMPEG_BASED_NAME),linuxserver)
FFMPEG_BASED_TAG := $(or $(FFMPEG_BASED_TAG),$(FFMPEG_BASED_TAG),7.0.1)
PLATFORMS := $(or $(PLATFORMS),$(shell echo $$PLATFORMS),linux/amd64)
SEL_PASSWD := $(or $(SEL_PASSWD),$(SEL_PASSWD),secret)

all: hub \
distributor \
Expand Down Expand Up @@ -75,7 +76,8 @@ gen_certs:
./Base/certs/gen-cert-helper.sh -d ./Base/certs

base: prepare_resources gen_certs
cd ./Base && docker buildx build --platform $(PLATFORMS) $(BUILD_ARGS) --build-arg VERSION=$(BASE_VERSION) --build-arg RELEASE=$(BASE_RELEASE) --build-arg AUTHORS=$(AUTHORS) --sbom=true --attest type=provenance,mode=max -t $(NAME)/base:$(TAG_VERSION) .
cd ./Base && SEL_PASSWD=$(SEL_PASSWD) docker buildx build --platform $(PLATFORMS) $(BUILD_ARGS) --build-arg VERSION=$(BASE_VERSION) --build-arg RELEASE=$(BASE_RELEASE) --build-arg AUTHORS=$(AUTHORS) \
--secret id=SEL_PASSWD --sbom=true --attest type=provenance,mode=max -t $(NAME)/base:$(TAG_VERSION) .

base_nightly:
BASE_VERSION=$(BASE_VERSION_NIGHTLY) BASE_RELEASE=$(BASE_RELEASE_NIGHTLY) make base
Expand All @@ -99,7 +101,7 @@ event_bus: base
cd ./EventBus && docker buildx build --platform $(PLATFORMS) $(BUILD_ARGS) $(FROM_IMAGE_ARGS) -t $(NAME)/event-bus:$(TAG_VERSION) .

node_base: base
cd ./NodeBase && docker buildx build --platform $(PLATFORMS) $(BUILD_ARGS) $(FROM_IMAGE_ARGS) -t $(NAME)/node-base:$(TAG_VERSION) .
cd ./NodeBase && SEL_PASSWD=$(SEL_PASSWD) docker buildx build --platform $(PLATFORMS) $(BUILD_ARGS) $(FROM_IMAGE_ARGS) --secret id=SEL_PASSWD -t $(NAME)/node-base:$(TAG_VERSION) .

chrome: node_base
case "$(PLATFORMS)" in \
Expand Down Expand Up @@ -200,7 +202,7 @@ standalone_edge_beta: edge_beta
cd ./Standalone && docker buildx build --platform $(PLATFORMS) $(BUILD_ARGS) --build-arg NAMESPACE=$(NAME) --build-arg VERSION=beta --build-arg BASE=node-edge -t $(NAME)/standalone-edge:beta .

video:
cd ./Video && docker buildx build --platform $(PLATFORMS) $(BUILD_ARGS) --build-arg NAMESPACE=$(FFMPEG_BASED_NAME) --build-arg BASED_TAG=$(FFMPEG_BASED_TAG) -t $(NAME)/video:$(FFMPEG_TAG_VERSION)-$(BUILD_DATE) .
cd ./Video && SEL_PASSWD=$(SEL_PASSWD) docker buildx build --platform $(PLATFORMS) $(BUILD_ARGS) --build-arg NAMESPACE=$(FFMPEG_BASED_NAME) --build-arg BASED_TAG=$(FFMPEG_BASED_TAG) --secret id=SEL_PASSWD --sbom=true --attest type=provenance,mode=max -t $(NAME)/video:$(FFMPEG_TAG_VERSION)-$(BUILD_DATE) .

count_image_layers:
docker history $(NAME)/base:$(TAG_VERSION) -q | wc -l
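Review bot: The inline `SEL_PASSWD=$(SEL_PASSWD)` prefix added to the `base`, `node_base` and `video` recipes is echoed by make before the command runs, so the password the commit just removed from the image history now shows up in the build console and CI logs instead. Export the variable once at file scope, `export SEL_PASSWD`, directly after the assignment at `SEL_PASSWD := $(or $(SEL_PASSWD),$(SEL_PASSWD),secret)`, and drop the per-recipe prefix; `--secret id=SEL_PASSWD` reads the environment variable of the same name, so the rest of each recipe stays as it is. The `$(or $(SEL_PASSWD),$(SEL_PASSWD),secret)` form repeats its first argument and is equivalent to `$(or $(SEL_PASSWD),secret)`, although it matches the neighbouring lines. The `secret` fallback also means an image built without an explicit value still ends up with a well-known password, which the secret mount hides from the image layers but does not change.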
5 changes: 3 additions & 2 deletions NodeBase/Dockerfile
Expand Up @@ -67,7 +67,8 @@ ENV LANG_WHICH=${LANG_WHICH} \
# Following line fixes https://github.com/SeleniumHQ/docker-selenium/issues/87
DBUS_SESSION_BUS_ADDRESS=/dev/null

RUN apt-get update -qqy \
RUN --mount=type=secret,id=SEL_PASSWD \
apt-get update -qqy \
&& apt-get -qqy --no-install-recommends install \
#==============
# Xvfb
Expand Down Expand Up @@ -130,7 +131,7 @@ RUN apt-get update -qqy \
# Generating the VNC password using initial password in Base image
# Changing ownership to ${SEL_USER}, so the service can be started
#==============================
&& x11vnc -storepasswd $(cat /opt/selenium/initialPasswd) ${HOME}/.vnc/passwd \
&& x11vnc -storepasswd $(cat /run/secrets/SEL_PASSWD) ${HOME}/.vnc/passwd \
&& chown -R "${SEL_USER}:${SEL_GROUP}" ${HOME}/.vnc \
&& chmod -R 775 ${HOME} /tmp/.X11-unix \
&& chgrp -R 0 ${HOME} /tmp/.X11-unix \
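Review bot: The comment at `# Generating the VNC password using initial password in Base image` is now stale, because this commit stops Base/Dockerfile from writing `/opt/selenium/initialPasswd` and reads the build secret directly; change it to `# Generating the VNC password from the SEL_PASSWD build secret`. As in Base/Dockerfile, the mount at `RUN --mount=type=secret,id=SEL_PASSWD \` is not `required=true`, so a build without the secret passes an empty substitution to `x11vnc -storepasswd` and the remaining path argument is then likely taken as the password. If any runtime script in this image still reads `/opt/selenium/initialPasswd`, that file is now absent; this cannot be confirmed from the diff. The RUN instruction starts and ends outside the visible lines.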
11 changes: 5 additions & 6 deletions Video/Dockerfile
Expand Up @@ -7,7 +7,6 @@ ARG RCLONE_VERSION=current
#Arguments to define the user running the container
ARG SEL_USER=seluser
ARG SEL_GROUP=${SEL_USER}
ARG SEL_PASSWD=secret
ARG HOME=/home/${SEL_USER}
ARG UID=1200
ARG GID=1201
Expand All @@ -34,7 +33,7 @@ ENV DEBIAN_FRONTEND=noninteractive \
RUN apt-get -qqy update \
&& apt-get upgrade -yq \
&& apt-get -qqy --no-install-recommends install \
supervisor x11-xserver-utils x11-utils libxcb1-dev curl jq python3-pip tzdata acl unzip python3-psutil \
supervisor x11-xserver-utils x11-utils libxcb1-dev curl jq python3-pip tzdata acl unzip python3-psutil python3-setuptools \
&& rm -rf /var/lib/apt/lists/* /var/cache/apt/*

#===================
Expand All @@ -57,7 +56,8 @@ ENV SEL_USER=${SEL_USER} \
#========================================
# Add normal user and group with passwordless sudo
#========================================
RUN groupadd ${SEL_GROUP} \
RUN --mount=type=secret,id=SEL_PASSWD \
groupadd ${SEL_GROUP} \
--gid ${SEL_GID} \
&& useradd ${SEL_USER} \
--create-home \
Expand All @@ -66,7 +66,7 @@ RUN groupadd ${SEL_GROUP} \
--uid ${SEL_UID} \
&& usermod -a -G sudo ${SEL_USER} \
&& echo 'ALL ALL = (ALL) NOPASSWD: ALL' >> /etc/sudoers \
&& echo "${SEL_USER}:${SEL_PASSWD}" | chpasswd
&& echo "${SEL_USER}:$(cat /run/secrets/SEL_PASSWD)" | chpasswd

#======================================
# Add Supervisor configuration files
Expand All @@ -83,9 +83,8 @@ RUN curl -fLo /tmp/rclone.zip https://downloads.rclone.org/rclone-${RCLONE_VERSI
&& rm -rf /tmp/rclone-*
COPY --chown="${SEL_UID}:${SEL_GID}" upload.sh upload.conf /opt/bin/
ENV SE_VIDEO_UPLOAD_ENABLED=false \
SE_UPLOAD_DESTINATION_PREFIX="" \
SE_VIDEO_INTERNAL_UPLOAD=false \
UPLOAD_OPTS="-P"
SE_UPLOAD_DESTINATION_PREFIX=""

RUN mkdir -p /var/run/supervisor /var/log/supervisor ${VIDEO_FOLDER} \
&& chown -R ${SEL_USER}:${SEL_GROUP} /var/run/supervisor /var/log/supervisor ${VIDEO_FOLDER} ${HOME} \
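Review bot: The hunk at `ENV SE_VIDEO_UPLOAD_ENABLED=false \` drops the `SE_VIDEO_INTERNAL_UPLOAD=false` and `UPLOAD_OPTS="-P"` defaults, and the earlier hunk adds `python3-setuptools` to the apt install; neither is covered by the commit title, and if `upload.sh` (copied on the line just above) reads those variables, their defaults are now unset or left to the script. Either restore the two ENV defaults or state the runtime change in the description. The secret mount at `RUN --mount=type=secret,id=SEL_PASSWD \` has the same optional-secret issue noted for Base/Dockerfile and should carry `required=true`.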
