Differences From Artifact [51328029eb]:
- File Dockerfile — part of check-in [09908ab058] at 2021-02-09 13:34:17 on branch trunk — The canonical Fossil homepage is now https://fossil-scm.org/home without the "www." in the domain and with the main path at /home, not /index.html or /fossil. Update all URLs in documentation to reflect this fact. (user: drh size: 1260)
To Artifact [73dfe01bb8]:
- File Dockerfile — part of check-in [77d603c6a1] at 2022-08-06 04:24:33 on branch trunk — Replaced Jan Nijtman's Dockerfile with a new one that does a 2-stage build. The first stage runs atop Alpine Linux instead of Fedora, reducing the initial build from ~635 MiB to about 16.
Rather than stop there, I then made it multi-stage, copying two key static binaries — Fossil and Busybox — over from the first stage into a fresh-from-scratch container and set it up to run the former jailed away from the latter.
The result is under 9 MiB, and it's as secure as one can hope, given that it starts up in "PUBLIC" mode. The new build doesn't have all the extra features turned on that the old one did, but it seems right to build the container with Fossil in its default configuration. If you want something else, copy the Dockerfile, hack it, and make it do what you want instead.
Having done all this, I replaced the one-off Dockerfile inline in section 5.0 of the build doc with a reference to this new Dockerfile and rewrote the section in terms of the new capabilities.
Finally, this lets us brag on how small the container can be, as compared to the Gitlab-CE container. Before, we were comparing a standalone binary to the container, which wasn't entirely fair. (The desire to produce such a container was the spark that kicked this project off.) (user: wyoung size: 1870)
# STAGE 1: Build a static Fossil binary atop Alpine Linux
# Avoid the temptation to swap the wget call below out for an ADD URL
# directive. The URL is fixed for a given release tag, which triggers
# Docker's caching behavior, causing it to reuse that version as long
# as it remains in the cache. We prefer to rely on the caching of the
# server instance on fossil-scm.org, which will keep these trunk
# tarballs around until the next trunk commit.
FROM alpine:latest AS builder
WORKDIR /tmp
RUN apk update \
&& apk upgrade --no-cache \
&& apk add --no-cache \
busybox-static gcc make \
musl-dev \
openssl-dev openssl-libs-static \
zlib-dev zlib-static \
&& wget https://fossil-scm.org/home/tarball/src.tar.gz \
&& tar -xf src.tar.gz \
&& cd src \
&& ./configure --static CFLAGS='-Os -s' \
&& make -j
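Review bot: nothing in the builder stage is pinned or verified: `FROM alpine:latest` and `wget https://fossil-scm.org/home/tarball/src.tar.gz` both fetch whatever is current, and the tarball is extracted with `tar -xf src.tar.gz` without any checksum or signature check, so two builds of this same Dockerfile can differ in compiler, libraries and Fossil sources, and a tampered or truncated download would build silently. The comment explains why `ADD` is avoided but not why trunk rather than a tagged release is built; suggest pinning the base image (by tag at least, ideally by digest), and for anything meant to be published, fetching a tag-specific tarball and verifying a known checksum before the `tar -xf`. Minor: `apk update` is unnecessary when every `apk` call already uses `--no-cache`, and it leaves an index in the stage; harmless here since the stage is discarded, but it could simply be dropped.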
# STAGE 2: Pare that back to the bare essentials.
FROM scratch
ENV JAIL=/jail
WORKDIR ${JAIL}
COPY --from=builder /tmp/src/fossil ${JAIL}/bin/
COPY --from=builder /bin/busybox.static /bin/busybox
RUN [ "/bin/busybox", "--install", "/bin" ]
RUN mkdir -m 700 dev \
&& mknod -m 600 dev/null c 1 3 \
&& mknod -m 600 dev/urandom c 1 9
# Now we can run the stripped-down environment in a chroot jail, while
# leaving open the option to debug it live via the Busybox shell.
EXPOSE 8080/tcp
CMD [ \
"bin/fossil", "server", \
"--create", \
"--jsmode", "bundled", \
"--user", "admin", \
"repo.fossil"]
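Review bot: the runtime stage has no `USER` directive, so `fossil server` starts as root, and the `CMD` passes no option that asks for a jail; the check-in comment's claim that Fossil runs "jailed away from" Busybox therefore rests entirely on what Fossil itself does when started as root, which deserves a comment next to the `CMD` so a reader of the Dockerfile can see where the isolation comes from. Related: the device nodes are created with `mkdir -m 700 dev` and `mknod -m 600 ...`, i.e. readable by root only, so if the server ever drops privileges after `--create` has written `repo.fossil`, `dev/null` and `dev/urandom` become unreadable to it; either widen the modes or document that the process is expected to stay root. Two smaller points: `"bin/fossil"` in the exec-form `CMD` is a relative path that only works because of `WORKDIR ${JAIL}` (exec-form `CMD` does not expand `${JAIL}`), so `/jail/bin/fossil` would be clearer; and `EXPOSE 8080/tcp` only agrees with the server because no `--port` is given, so passing `--port 8080` explicitly would keep the two from drifting apart. A comment saying where the initial `admin` credentials created by `--create --user admin` end up would also help users of the image.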