Overview
| Comment: | Broke the Dockerfile up into more layers to allow better local caching at build time. Further optimized build time by producing the Fossil source tarball from the local repo instead of hitting the home site if you use the container-image target, since we can be reasonably certain you're working from a repo checkout and thus have all the info available here locally already. |
|---|---|
| Downloads: | Tarball | ZIP archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: | 1da464eeb941e5de8631af4bb6c846dc |
| User & Date: | wyoung 2022-09-05 08:15:27.642 |
Context

| 2022-09-05 | |
|---|---|
| 14:03 | Update the built-in SQLite to the latest 3.40.0 alpha. ... (check-in: 9d12e96440 user: drh tags: trunk) |
| 08:15 | Broke the Dockerfile up into more layers to allow better local caching at build time. Further optimized build time by producing the Fossil source tarball from the local repo instead of hitting the home site if you use the container-image target, since we can be reasonably certain you're working from a repo checkout and thus have all the info available here locally already. ... (check-in: 1da464eeb9 user: wyoung tags: trunk) |
| 01:42 | Expanded the paragraph on WAL mode interactions in the container doc into a full section, placed higher up, immediately after the first use of Docker's "--volume" flag, to explain why we don't map just the repo DB file, but the whole directory it sits in. Even if we later convince ourselves WAL is safe under this scenario, it'll be conditional at best, so some remnant of this section must remain, no matter which way the experiments go. ... (check-in: 698587d41d user: wyoung tags: trunk) |
Changes
Changes to Dockerfile.
1 2 | # See www/containers.md for documentation on how to use this file. | > | > < < < < < < < > > > > > > > | | | > > > > > > > > > > | | > > > > > > > > > > > > > > > > > > | > | | > | > | > | > > > > > > < < < < | | > > > > > > > > > > | | | | < < > > > | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 |
# See www/containers.md for documentation on how to use this file.
## ---------------------------------------------------------------------
## STAGE 1: Build static Fossil & BusyBox binaries atop Alpine Linux
## ---------------------------------------------------------------------
FROM alpine:latest AS builder
WORKDIR /tmp
### Bake the basic Alpine Linux into a base layer so we never have to
### repeat that step unless we change the package set. Although we're
### going to throw this layer away below, we still pass --no-cache
### because that cache is of no use in an immutable layer. Note that
### we allow the UPX step to fail: it isn't in the ARM distros. We'll
### check whether this optional piece exists before using it below.
RUN set -x \
&& apk update \
&& apk upgrade --no-cache \
&& apk add --no-cache \
gcc make moreutils \
linux-headers musl-dev \
openssl-dev openssl-libs-static \
zlib-dev zlib-static \
; apk add --no-cache upx
### Bake the custom BusyBox into another layer. The intent is that this
### changes only when we change BBXVER. That will force an update of
### the layers below, but this is a rare occurrence.
ARG BBXVER="1_35_0"
ENV BBXURL "https://github.com/mirror/busybox/tarball/${BBXVER}"
COPY containers/busybox-config /tmp/bbx/.config
ADD $BBXURL /tmp/bbx/src.tar.gz
RUN set -x \
&& tar --strip-components=1 -C bbx -xzf bbx/src.tar.gz \
&& ( cd bbx && yes "" | make oldconfig && make -j11 ) \
&& if [ -x /usr/bin/upx ] ; then upx -9q bbx/busybox ; fi
### The changeable Fossil layer is the only one in the first stage that
### changes often, so add it last, to make it independent of the others.
###
### $FSLSTB can be either a file or a directory due to a ADD's bizarre
### behavior: it unpacks tarballs when added from a local file but not
### from a URL! It matters because we default to a URL in case you're
### building outside a Fossil checkout, but when building via the
### container-image target, we can avoid a costly hit on the Fossil
### project's home site by pulling the data from the local repo via the
### "tarball" command. This is a DVCS, after all!
ARG FSLVER="trunk"
ARG FSLURL="https://fossil-scm.org/home/tarball/src?r=${FSLVER}"
ENV FSLSTB=/tmp/fsl/src.tar.gz
ADD $FSLURL $FSLSTB
RUN set -x \
&& if [ -d $FSLSTB ] ; then mv $FSLSTB/src fsl ; \
else tar -C fsl -xzf fsl/src.tar.gz ; fi \
&& m=fsl/src/src/main.mk \
&& grep -v '/skins/[a-ce-z]' $m | sponge $m \
&& fsl/src/configure --static CFLAGS='-Os -s' && make -j11 \
&& if [ -x /usr/bin/upx ] ; then upx -9q fossil ; fi
## ---------------------------------------------------------------------
## STAGE 2: Pare that back to the bare essentials.
## ---------------------------------------------------------------------
FROM scratch
WORKDIR /jail
ARG UID=499
ENV PATH "/bin:/jail/bin"
### Lay BusyBox down as the first base layer. Coupled with the host's
### kernel, this is the "OS."
COPY --from=builder /tmp/bbx/busybox /bin/
RUN [ "/bin/busybox", "--install", "/bin" ]
### Set up that base OS for our specific use without tying it to
### anything likely to change often. So long as the user leaves
### UID alone, this layer will be durable.
RUN set -x \
&& echo 'root:x:0:0:SysAdmin:/:/bin/nologin' > /etc/passwd \
&& echo 'root:x:0:root' > /etc/group \
&& addgroup -S -g ${UID} fossil \
&& adduser -S -h `pwd` -g 'Fossil User' -G fossil -u ${UID} fossil \
&& install -d -m 700 -o fossil -g fossil log museum \
&& install -d -m 755 -o fossil -g fossil dev \
&& mknod -m 666 dev/null c 1 3 \
&& mknod -m 444 dev/urandom c 1 9
### Do Fossil-specific things atop those base layers; this will change
### as often as the Fossil build-from-source layer above.
COPY --from=builder /tmp/fossil bin/
RUN set -x \
&& ln -s /jail/bin/fossil /bin/f \
&& echo -e '#!/bin/sh\nfossil sha1sum "$@"' > /bin/sha1sum \
&& echo -e '#!/bin/sh\nfossil sha3sum "$@"' > /bin/sha3sum \
&& echo -e '#!/bin/sh\nfossil sqlite3 --no-repository "$@"' > \
/bin/sqlite3 \
&& chmod +x /bin/sha?sum /bin/sqlite3
## ---------------------------------------------------------------------
## STAGE 3: Run!
## ---------------------------------------------------------------------
EXPOSE 8080/tcp
CMD [ \
"bin/fossil", "server", \
"--chroot", "/jail", \
"--create", \
"--jsmode", "bundled", \
|
| ︙ | ︙ |
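Review bot: the `ADD $BBXURL /tmp/bbx/src.tar.gz` and `ADD $FSLURL $FSLSTB` steps fetch source tarballs from github.com and fossil-scm.org, and the RUN steps that follow extract and build them without any integrity check; together with `FROM alpine:latest` and `FSLVER="trunk"`, that leaves the base image, the BusyBox source and the Fossil revision all floating, so what ends up in the image depends on whatever those endpoints serve on the day of the build. Consider pinning the base image to a tag or digest and, for the BusyBox tarball at least (its version is already fixed by `BBXVER`), checking the download against a known hash before untarring, e.g. `&& echo "EXPECTED_SHA256  bbx/src.tar.gz" | sha256sum -c -` with `EXPECTED_SHA256` (a placeholder here) replaced by the real value. Two smaller points in the same hunk: `if [ -d $FSLSTB ]` and `mv $FSLSTB/src fsl` leave `$FSLSTB` unquoted, harmless today because it comes from a fixed ENV but free to quote; and the `mv $FSLSTB/src fsl` branch silently assumes the locally supplied tarball's top-level directory is named `src`, which holds only because Makefile.in invokes `tarball --name src`, a coupling that deserves a sentence in the `$FSLSTB` comment block above it.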
Changes to Makefile.in.
| ︙ | ︙ | |||
116 117 118 119 120 121 122 123 124 125 | # of delegating to it with "$(MAKE) reconfig": having children running # around interfering makes this failure mode even worse. Makefile: @srcdir@/Makefile.in $(SRCDIR)/main.mk @AUTODEPS@ @AUTOREMAKE@ touch @builddir@/Makefile # Container stuff container-image: docker build \ --tag fossil:@FOSSIL_CI_PFX@ \ | > > | > | 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 | # of delegating to it with "$(MAKE) reconfig": having children running # around interfering makes this failure mode even worse. Makefile: @srcdir@/Makefile.in $(SRCDIR)/main.mk @AUTODEPS@ @AUTOREMAKE@ touch @builddir@/Makefile # Container stuff SRCTB := src-@FOSSIL_CI_PFX@.tar.gz container-image: $(APPNAME) tarball --name src @FOSSIL_CI_PFX@ $(SRCTB) docker build \ --tag fossil:@FOSSIL_CI_PFX@ \ --build-arg FSLURL=$(SRCTB) \ $(DBFLAGS) @srcdir@ rm -f $(SRCTB) container-run: container-image docker run \ --name fossil-@FOSSIL_CI_PFX@ \ --cap-drop AUDIT_WRITE \ --cap-drop CHOWN \ --cap-drop FSETID \ |
| ︙ | ︙ |
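Review bot: `$(APPNAME) tarball --name src @FOSSIL_CI_PFX@ $(SRCTB)` writes the tarball into the current (build) directory, but `docker build` is handed `@srcdir@` as its context and `--build-arg FSLURL=$(SRCTB)` is a bare relative name that the Dockerfile's `ADD` resolves inside that context, so in an out-of-tree build where the build directory differs from `@srcdir@` the file will not be found (and `ADD` cannot reach outside the context). Writing the tarball to `@srcdir@/$(SRCTB)` and removing it from there, or passing the build directory as the context, would make the two agree. Also, since a recipe stops at the first failing command, `rm -f $(SRCTB)` is skipped whenever `docker build` fails, leaving a stale `src-*.tar.gz` in the tree; that name should be ignored by both version control and the Docker context so a leftover is neither committed nor shipped into the next build.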