Add 'runtime' container and update build workflows

Added a new 'runtime' container in docker-compose.yml along with the necessary Dockerfile and scripts. Complemented with the addition of a new workflow to GitHub Actions to facilitate the building and testing of this new service. The recent changes help introduce a foundational layer in the Docker configuration and contribute to a more stable build flow.

.github/workflows/build-and-test.yml

@@ -0,0 +1,64 @@
+on:
+ workflow_call:
+ inputs:
+ image:
+ required: true
+ type: string
+ target:
+ required: true
+ type: string
+ tests:
+ required: false
+ type: string
+ default: ''
+
+jobs:
+ build-and-test:
+ runs-on: ubuntu-22.04
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Log in to registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Get version from branch name
+ run: |
+ export BRANCH=${GITHUB_REF##*/}
+ echo "VERSION=v${BRANCH/.x/}" >> $GITHUB_ENV
+
+ - name: Build test image
+ uses: docker/build-push-action@v5
+ with:
+ context: ./src
+ load: true
+ pull: true
+ tags: ghcr.io/sitepilot/${{ inputs.image }}:build
+ target: ${{ inputs.target }}
+ cache-from: type=gha,scope=${{ inputs.image }}-${{ env.VERSION }}
+
+ - name: Run unit tests
+ run: ${{ inputs.tests }}
+ if: ${{ inputs.tests != '' }}
+
+ - name: Build and publish image
+ uses: docker/build-push-action@v5
+ with:
+ context: ./src
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ghcr.io/sitepilot/${{ inputs.image }}:${{ env.VERSION }}
+ platforms: linux/amd64, linux/arm64
+ target: ${{ inputs.target }}
+ provenance: false
+ cache-to: type=gha,mode=max,scope=${{ inputs.image }}-${{ env.VERSION }}

.github/workflows/build.yml

@@ -12,8 +12,20 @@ on:
  workflow_dispatch:
 
 jobs:
+ runtime:
+ uses: ./.github/workflows/build-and-test.yml
+ with:
+ image: runtime
+ target: runtime
+ tests: |
+ docker run ghcr.io/sitepilot/runtime:build id
+ docker run --user=root -e RUNTIME_PASSWORD=supersecret ghcr.io/sitepilot/runtime:build id app
+ docker run --user=root -e RUNTIME_UID=1001 -e RUNTIME_GID=1001 ghcr.io/sitepilot/runtime:build id app
+ docker run --user=root -e RUNTIME_USER=test-user -e RUNTIME_GROUP=test-group ghcr.io/sitepilot/runtime:build id test-user
+ secrets: inherit
+
  php-cli:
- uses: ./.github/workflows/build-and-test-job.yml
+ uses: ./.github/workflows/build-and-test-php.yml
  with:
  target: cli
  tests: |
@@ -23,15 +35,15 @@ jobs:
  secrets: inherit
 
  php-fpm:
- uses: ./.github/workflows/build-and-test-job.yml
+ uses: ./.github/workflows/build-and-test-php.yml
  with:
  target: fpm
  tests: |
  docker run ghcr.io/sitepilot/php-fpm:build php-fpm --version
  secrets: inherit
 
  php-nginx:
- uses: ./.github/workflows/build-and-test-job.yml
+ uses: ./.github/workflows/build-and-test-php.yml
  with:
  target: nginx
  tests: |
@@ -40,7 +52,7 @@ jobs:
  secrets: inherit
 
  php-ols:
- uses: ./.github/workflows/build-and-test-job.yml
+ uses: ./.github/workflows/build-and-test-php.yml
  with:
  target: ols
  tests: |

docker-compose.yml

@@ -1,4 +1,12 @@
 services:
+ runtime:
+ image: ghcr.io/sitepilot/runtime:v1
+ profiles:
+ - donotstart
+ build:
+ context: ./src
+ target: runtime
+
  php-cli:
  image: ghcr.io/sitepilot/php-cli:8.1
  profiles:

src/Dockerfile

@@ -1,6 +1,49 @@
+# --------------- [RUNTIME] --------------- #
+
+FROM ubuntu:22.04 AS runtime
+
+ARG TARGETARCH
+ARG DOCKERIZE_VERSION=v0.7.0
+
+LABEL org.opencontainers.image.source = "https://github.com/sitepilot/docker-runtime"
+
+ENV DEBIAN_FRONTEND="noninteractive" \
+ RUNTIME_UID=1000 \
+ RUNTIME_GID=1000 \
+ RUNTIME_USER=app \
+ RUNTIME_GROUP=app \
+ RUNTIME_PASSWORD="" \
+ RUNTIME_LOG_LEVEL=1 \
+ RUNTIME_DIR=/runtime \
+ RUNTIME_WORKDIR=/app \
+ RUNTIME_BIN_DIR=/runtime/bin \
+ RUNTIME_INC_DIR=/runtime/inc \
+ RUNTIME_RUN_DIR=/runtime/run \
+ RUNTIME_LOGS_DIR=/runtime/logs \
+ RUNTIME_TEMPLATES_DIR=/runtime/templates \
+ RUNTIME_ENTRYPOINT_DIR=/runtime/entrypoint.d \
+ RUNTIME_BOOTED_FILE=/runtime/booted
+
+ENV PATH="$PATH:$RUNTIME_BIN_DIR"
+
+ADD runtime/runtime/bin/rt-install $RUNTIME_BIN_DIR/rt-install
+
+RUN rt-install curl wget nano ca-certificates \
+ && groupadd -r -g ${RUNTIME_GID} ${RUNTIME_GROUP} \
+ && useradd --no-log-init -r -s /usr/bin/bash -m -d ${RUNTIME_WORKDIR} -u ${RUNTIME_UID} -g ${RUNTIME_GID} ${RUNTIME_USER} \
+ && wget -O - https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-linux-$TARGETARCH-$DOCKERIZE_VERSION.tar.gz | tar xzf - -C /usr/local/bin
+
+COPY --chown=$RUNTIME_UID:$RUNTIME_GID runtime /
+
+USER $RUNTIME_UID
+
+WORKDIR $RUNTIME_WORKDIR
+
+ENTRYPOINT ["runtime"]
+
 # --------------- [PHP-CLI] --------------- #
 
-FROM ghcr.io/sitepilot/runtime:v1 AS cli
+FROM runtime AS cli
 
 USER root
 

src/runtime/runtime/bin/rt-install

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+set -e
+set -u
+
+export DEBIAN_FRONTEND=noninteractive
+
+n=0
+max=2
+
+until [ $n -gt $max ]; do
+ set +e
+ (
+ apt-get update -qq &&
+ apt-get install -y --no-install-recommends "$@"
+ )
+ CODE=$?
+ set -e
+ if [ $CODE -eq 0 ]; then
+ break
+ fi
+ if [ $n -eq $max ]; then
+ exit $CODE
+ fi
+ echo "Apt install failed, retrying..."
+ n=$(($n + 1))
+done
+
+apt-get clean
+
+rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/doc/*

src/runtime/runtime/bin/rt-rchown

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+set -e
+set -u
+
+chown -R $RUNTIME_UID:$RUNTIME_GID "${@}"

src/runtime/runtime/bin/runtime

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -e
+set -u
+
+source "$RUNTIME_INC_DIR/bash-functions"
+
+for file in "$RUNTIME_ENTRYPOINT_DIR"/*; do
+ if [ -f "$file" ]; then
+ source "$file"
+ fi
+done
+
+touch $RUNTIME_BOOTED_FILE
+
+exec "$@"

src/runtime/runtime/entrypoint.d/10-logo

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+if [ "$RUNTIME_LOG_LEVEL" -le 2 ]; then
+cat << EOF
+
+ _____ _ _ _ _ _
+ / ____(_) | (_) | | |
+| (___ _| |_ ___ _ __ _| | ___ | |_
+ \___ \| | __/ _ \ '_ \| | |/ _ \| __|
+ ____) | | || __/ |_) | | | (_) | |_
+|_____/|_|\__\___| .__/|_|_|\___/ \__|
+ | |
+ |_|
+
+EOF
+fi

src/runtime/runtime/entrypoint.d/20-init

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+if [ "$EUID" -eq 0 ]; then
+ warning "Container is running as root"
+
+ if [[ ! -f $RUNTIME_BOOTED_FILE ]]; then
+ if [[ $RUNTIME_USER != "app" ]]; then
+ info "Updating user name to $RUNTIME_USER"
+ usermod -l $RUNTIME_USER app
+ fi
+
+ if [[ $RUNTIME_GROUP != "app" ]]; then
+ info "Updating group name to $RUNTIME_GROUP"
+ groupmod -n $RUNTIME_GROUP app
+ fi
+
+ if [[ $RUNTIME_UID != 1000 ]]; then
+ info "Updating UID to $RUNTIME_UID"
+ usermod -o -u "$RUNTIME_UID" "$RUNTIME_USER"
+ fi
+
+ if [[ $RUNTIME_GID != 1000 ]]; then
+ info "Updating GID to $RUNTIME_UID"
+ groupmod -o -g "$RUNTIME_GID" "$RUNTIME_GROUP"
+ fi
+
+ if [[ ! -z "$RUNTIME_PASSWORD" ]]; then
+ info "Updating user password"
+ echo "$RUNTIME_USER:$RUNTIME_PASSWORD" | chpasswd
+ fi
+ fi
+
+ rt-rchown $RUNTIME_DIR
+ rt-chown $RUNTIME_WORKDIR
+else
+ if [[ $RUNTIME_USER != "app" ]] \
+ || [[ $RUNTIME_GROUP != "app" ]] \
+ || [[ $RUNTIME_UID != 1000 ]] \
+ || [[ $RUNTIME_GID != 1000 ]]; then
+ throw "Container is not running as root, user cannot be changed."
+ fi
+fi

src/runtime/runtime/entrypoint.d/30-info

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+debug "Container user: ${RUNTIME_USER} (uid: $(id -u $RUNTIME_USER))"
+debug "Container group: ${RUNTIME_GROUP} (gid: $(id -g $RUNTIME_USER))"
+debug "Container workdir: $PWD"

src/runtime/runtime/inc/bash-functions

@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+function to_bool()
+{
+ if [[ $1 == 'true' || $1 == true || $1 == 1 || $1 == 'Y' || $1 == 'y' ]]; then
+ true
+ else
+ false
+ fi
+}
+
+function debug()
+{
+ if [ "$RUNTIME_LOG_LEVEL" -eq 1 ]; then
+ echo "✳️ $1" >&2
+ fi
+}
+
+function info()
+{
+ if [ "$RUNTIME_LOG_LEVEL" -le 2 ]; then
+ echo "ℹ️ $1" >&2
+ fi
+}
+
+function warning()
+{
+ if [ "$RUNTIME_LOG_LEVEL" -le 3 ]; then
+ echo "⚠️ $1" >&2
+ fi
+}
+
+function error()
+{
+ if [ "$RUNTIME_LOG_LEVEL" -le 4 ]; then
+ echo "‼️ $1" 1>&2
+ fi
+}
+
+function throw()
+{
+ EXIT_CODE=${2:-1}
+ echo "‼️ $1" 1>&2
+ exit $EXIT_CODE
+}
+
+function template()
+{
+ info "Generating $1 to $2"
+ dockerize -template $RUNTIME_TEMPLATES_DIR/$1:$2
+}
+
+function generate_certs()
+{
+ if [ ! -f $1/ssl.key ]; then
+ info "Generating self-signed SSL certificate to $1"
+ openssl req -x509 -subj "/C=NL/ST=Gelderland/L=Doetinchem/O=Sitepilot/CN=app.test" -nodes -newkey rsa:2048 -keyout $1/ssl.key -out $1/ssl.crt -days 365 &> /dev/null
+ fi
+}