Differences From Artifact [9e10f936e1]:
- File Dockerfile — part of check-in [81c30ab97d] at 2023-03-24 10:21:41 on branch trunk — Comment and whitespace tweaks (user: wyoung size: 5279)
To Artifact [9dbc61acce]:
- File
Dockerfile
— part of check-in
[79ac06a540]
at
2023-03-27 04:59:27
on branch trunk
— The container now uses BusyBox only in the build and setup stages,
leaving just the static Fossil binary in the final stage, plus absolute
necessities like a /tmp directory.
This removes the justification for the custom BusyBox configuration, which then means we can use Alpine's busybox-static package in the second stage, saving a bunch of network I/O and build time.
That in turn means we no longer have any justification for jailing the Fossil binary, since there's nothing extra left inside the container for it to play with. Doing this required bumping the Dockerfile syntax back up from 1.0 to 1.3 to get the "COPY --chmod" feature; tested it in Podman, which has had it for two years now.
Doing all of this simplifies the Dockerfile and its documentation considerably. As a bonus, it builds quicker, and it's nearly a meg lighter in compressed image form. Especially for the case of using the container as a static "fossil" binary builder, this is nothing but win. (user: wyoung size: 4393)
|
| | | > > > > > | | < < | | < < < < < < < < < | < < < | > | | | < | > < < | | > | | | | | | < | | > < | > > > > | < < < < < < < > > < | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 |
# syntax=docker/dockerfile:1.3
# See www/containers.md for documentation on how to use this file.
## ---------------------------------------------------------------------
## STAGE 1: Build static Fossil binary
## ---------------------------------------------------------------------
### We aren't pinning to a more stable version of Alpine because we want
### to build with the latest tools and libraries available in case they
### fixed something that matters to us since the last build. Everything
### below depends on this layer, and so, alas, we toss this container's
### cache on Alpine's release schedule, roughly once a month.
FROM alpine:latest AS builder
WORKDIR /tmp
### Bake the basic Alpine Linux into a base layer so it only changes
### when the upstream image is updated or we change the package set.
RUN set -x \
&& apk update \
&& apk upgrade --no-cache \
&& apk add --no-cache \
busybox-static gcc make \
linux-headers musl-dev \
openssl-dev openssl-libs-static \
zlib-dev zlib-static
### Build Fossil as a separate layer so we don't have to rebuild the
### Alpine environment for each iteration of Fossil's dev cycle.
###
### We must cope with a bizarre ADD misfeature here: it unpacks tarballs
### automatically when you give it a local file name but not if you give
### it a /tarball URL! It matters because we default to a URL in case
### you're building outside a Fossil checkout, but when building via the
### container-image target, we avoid a costly hit on fossil-scm.org
### by leveraging its DVCS nature via the "tarball" command and passing
### the resulting file's name in.
ARG FSLCFG=""
ARG FSLVER="trunk"
ARG FSLURL="https://fossil-scm.org/home/tarball/src?r=${FSLVER}"
ENV FSLSTB=/tmp/fsl/src.tar.gz
ADD $FSLURL $FSLSTB
RUN set -x \
&& if [ -d $FSLSTB ] ; then mv $FSLSTB/src fsl ; \
else tar -C fsl -xzf fsl/src.tar.gz ; fi \
&& m=fsl/src/src/main.mk \
&& fsl/src/configure --static CFLAGS='-Os -s' $FSLCFG && make -j11
## ---------------------------------------------------------------------
## STAGE 2: Pare that back to the bare essentials.
## ---------------------------------------------------------------------
FROM scratch AS os
ARG UID=499
### Lay BusyBox down as the first base layer. Coupled with the host's
### kernel, this is the "OS" used to RUN the subsequent setup script.
COPY --from=builder /bin/busybox.static /bin/busybox
RUN [ "/bin/busybox", "--install", "/bin" ]
### Set up that base OS for our specific use without tying it to
### anything likely to change often. So long as the user leaves
### UID alone, this layer will be durable.
RUN set -x \
&& mkdir log museum tmp \
&& echo "root:x:0:0:Admin:/:/false" > /tmp/passwd \
&& echo "root:x:0:root" > /tmp/group \
&& echo "fossil:x:${UID}:${UID}:User:/museum:/false" >> /tmp/passwd \
&& echo "fossil:x:${UID}:fossil" >> /tmp/group
## ---------------------------------------------------------------------
## STAGE 3: Drop BusyBox, too, now that we're done with its /bin/sh &c
## ---------------------------------------------------------------------
FROM scratch AS run
COPY --from=os /tmp/group /tmp/passwd /etc/
COPY --from=os --chown=fossil:fossil /log /log/
COPY --from=os --chown=fossil:fossil /museum /museum/
COPY --from=os --chmod=1777 /tmp /tmp/
COPY --from=builder /tmp/fossil /bin/
## ---------------------------------------------------------------------
## RUN!
## ---------------------------------------------------------------------
ENV PATH "/bin"
EXPOSE 8080/tcp
USER fossil
CMD [ \
"fossil", "server", \
"--create", \
"--jsmode", "bundled", \
"--user", "admin", \
"museum/repo.fossil" ]
|