From 78758441e29a17f3ff0dcb950e80006471f51108 Mon Sep 17 00:00:00 2001 From: 2xburnt <169301814+2xburnt@users.noreply.github.com> Date: Tue, 1 Oct 2024 22:35:11 -0500 Subject: [PATCH] intitial create --- .github/workflows/docker-build.yaml | 44 ++------ .github/workflows/docker-push.yaml | 97 ------------------ .github/workflows/docker-scout.yaml | 19 ++-- Dockerfile | 150 ++-------------------------- 4 files changed, 25 insertions(+), 285 deletions(-) delete mode 100644 .github/workflows/docker-push.yaml diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml index 49a6bf1..a2d16f1 100644 --- a/.github/workflows/docker-build.yaml +++ b/.github/workflows/docker-build.yaml @@ -8,20 +8,12 @@ on: env: repo_names: | ghcr.io/${{ github.repository }} + platforms: linux/amd64,linux/arm64 jobs: - build-images: - name: Build ${{ matrix.os }}/${{ matrix.arch }} - runs-on: ${{ format('burnt-labs-{0}', matrix.arch) }} - - strategy: - fail-fast: false - matrix: - os: - - linux - arch: - - amd64 - - arm64 + build-docker-images: + name: Build Docker Images + runs-on: ubuntu-latest permissions: id-token: write @@ -39,13 +31,7 @@ jobs: uses: docker/setup-buildx-action@v3 with: driver: docker - platforms: ${{ matrix.os }}/${{ matrix.arch }} - - - name: Prepare environment - run: | - echo "TAG_VERSION=${GITHUB_SHA:0:7}" | tee -a $GITHUB_ENV - echo "CONTAINER=$(basename $(echo ${{ env.repo_names }} | head -n1 ))" | tee -a $GITHUB_ENV - echo "DOCKER_FN=$CONTAINER-${{ matrix.os }}-${{ matrix.arch }}.tar" | tee -a $GITHUB_ENV + platforms: ${{ env.platforms }} - name: Metadata for container id: meta 
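Review bot: The `platforms: linux/amd64,linux/arm64` value introduced here is consumed by `setup-buildx-action` with `driver: docker` in the `@@ -39,13` hunk, and the docker driver builds only one platform at a time (buildx rejects a multi-platform build for it unless the daemon uses the containerd image store, which `ubuntu-latest` does not enable by default as far as I know). With the per-arch `burnt-labs-*` runners gone, the arm64 half also has no native runner, and no `docker/setup-qemu-action@v3` step is added for emulation. Switching the step to `driver: docker-container` and adding `- name: Set up QEMU` / `uses: docker/setup-qemu-action@v3` before it would let the two-platform build run; the `load: true` retained in the `@@ -53,28` hunk then needs revisiting too, since the docker exporter cannot hold a manifest list. The alternative is to keep the matrix and build one platform per job as before.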
@@ -53,28 +39,16 @@ jobs: with: images: ${{ env.repo_names }} tags: | - type=sha + type=raw,value={{sha}} + type=semver,pattern={{version}},enable=${{ startsWith(github.ref, 'refs/tags/v') }} - name: Build Docker Image id: build-docker uses: docker/build-push-action@v5 with: target: release - push: false + push: true load: true labels: ${{ steps.meta.outputs.labels }} - platforms: ${{ matrix.os }}/${{ matrix.arch }} + platforms: ${{ env.platforms }} tags: ${{ steps.meta.outputs.tags }} - - - name: Save Docker Image - working-directory: ${{ runner.temp }} - run: | - docker save ${{ steps.meta.outputs.tags }} > ${{ runner.temp }}/${DOCKER_FN} - - - name: Upload Docker Image - uses: actions/upload-artifact@v4 - with: - name: ${{ env.DOCKER_FN }} - path: ${{ runner.temp }}/${{ env.DOCKER_FN }} - if-no-files-found: error - retention-days: 3 diff --git a/.github/workflows/docker-push.yaml b/.github/workflows/docker-push.yaml deleted file mode 100644 index c7ab703..0000000 --- a/.github/workflows/docker-push.yaml +++ /dev/null 
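Review bot: `push: true` and `load: true` are now set on the same build step while `platforms` expands to two platforms; `load` routes the result through the docker exporter, which can only hold a single-platform image, so the step fails on the load half even when the push would succeed. Drop `load: true` (nothing in this workflow consumes the local image any more) or build one platform per job. Separately, this step now publishes on every run: the `on:` triggers, a `packages: write` permission and a `docker/login-action` step for `ghcr.io` are all outside this hunk, so I cannot confirm they exist — if the workflow also runs on `pull_request`, PR builds would be pushed under the repository's image name with the PR's `{{sha}}` tag, which is worth gating with `push: ${{ github.event_name != 'pull_request' }}`.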
@@ -1,97 +0,0 @@ -name: Push Docker images - -# reusable workflow, do not add triggers -on: - workflow_call: - workflow_dispatch: - -env: - REPOS: | - burntnetwork/xion - ghcr.io/${{ github.repository }}/xion - 385156030167.dkr.ecr.us-east-1.amazonaws.com/burnt/xiond - -jobs: - merge: - name: Create registry manifests - runs-on: ubuntu-latest - permissions: - id-token: write - contents: read - packages: write - steps: - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: us-east-1 - role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} - - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v2 - - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_HUB_USERNAME }} - password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Prepare environment - run: | - echo "TAG_VERSION=${GITHUB_SHA:0:7}" | tee -a $GITHUB_ENV - - - name: Metadata for xion container - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REPOS }} - tags: | - type=raw,value=${{ env.TAG_VERSION }} - type=semver,pattern={{version}},enable=${{ github.event_name == 'push' }} - type=raw,value=latest,enable={{is_default_branch}} - - - name: Download images - uses: actions/download-artifact@v4 - with: - path: ${{ runner.temp }} - pattern: docker* - merge-multiple: true - - - name: Load images - working-directory: ${{ runner.temp }} - run: | - for image in docker*.tar; do - PLATFORM=$(basename $image .tar | cut -d- -f2-) - docker load < $image; - docker tag xion:$PLATFORM burntnetwork/xion:$PLATFORM - docker push burntnetwork/xion:$PLATFORM; - done; - - - 
name: Prepare mainfest vars - run: | - IMAGE_TARGETS=$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< $DOCKER_METADATA_OUTPUT_JSON) - IMAGE_TAGS=$(docker image ls burntnetwork/xion --digests --format json | jq -r '"\(.Repository):\(.Tag)"' | tr '\n' ' ') - echo "IMAGE_TAGS=$IMAGE_TAGS" | tee -a $GITHUB_ENV - echo "IMAGE_TARGETS=${IMAGE_TARGETS}" | tee -a $GITHUB_ENV - - - name: Create manifest list and push - run: | - eval "docker buildx imagetools create ${IMAGE_TARGETS} ${IMAGE_TAGS}" - - - name: Inspect image - run: | - jq -cr '.tags | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON" | \ - xargs -n1 docker buildx imagetools inspect% diff --git a/.github/workflows/docker-scout.yaml b/.github/workflows/docker-scout.yaml index 04c142a..6e57b11 100644 --- a/.github/workflows/docker-scout.yaml +++ b/.github/workflows/docker-scout.yaml @@ -29,18 +29,13 @@ jobs: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - - name: Download images - uses: actions/download-artifact@v4 + - name: Metadata for container + id: meta + uses: docker/metadata-action@v5 with: - path: ${{ runner.temp }} - pattern: docker-${{ matrix.os }}-${{ matrix.arch }}.tar - merge-multiple: true - - - name: Load images - working-directory: ${{ runner.temp }} - run: | - ls -la - docker load < ${{ env.DOCKER_FN }} + images: ${{ env.repo_names }} + tags: | + type=raw,value={{sha}} - name: Run Docker Scout uses: docker/scout-action@v1 @@ -48,4 +43,4 @@ jobs: command: cves only-fixed: true platform: ${{ matrix.os }}/${{ matrix.arch }} - image: xion:${{ matrix.os }}-${{ matrix.arch }} + image: ${{ steps.meta.outputs.tags }} diff --git a/Dockerfile b/Dockerfile index e0dfc7d..798ed45 100644 --- a/Dockerfile +++ b/Dockerfile 
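Review bot: `images: ${{ env.repo_names }}` relies on a `repo_names` env entry that this hunk does not show; docker-scout.yaml previously read `env.DOCKER_FN` from its own environment, and if `repo_names` is defined only in docker-build.yaml the metadata step produces no tags and the `image:` value in the `@@ -48,4` hunk is empty. Pulling from the registry also inverts the order of operations: Scout now scans an image docker-build has already pushed to `ghcr.io`, so a CVE finding no longer prevents publication, only reports it after the fact. Only a Docker Hub login is visible in the context lines; scanning a `ghcr.io` tag needs a `docker/login-action@v3` with `registry: ghcr.io` if the package is private. A comment above the step such as `# scans the tag pushed by docker-build.yaml; requires env.repo_names and ghcr.io pull access` would make the coupling between the two workflows explicit.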
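Review bot: `image: ${{ steps.meta.outputs.tags }}` passes the `tags` output, which is a newline-separated list with one line per entry in `repo_names`, whereas `docker/scout-action` takes a single image reference. With a single-line `repo_names` this happens to work; selecting one reference explicitly, `image: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}`, keeps the step correct if a second registry is added later. The retained `platform: ${{ matrix.os }}/${{ matrix.arch }}` line suggests the job still runs a matrix defined outside this hunk; each leg now pulls the same multi-arch tag, which is fine, but every leg fails together if the push in docker-build did not happen.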
@@ -7,24 +7,12 @@ ARG ALPINE_VERSION="3.20" # Builder # -------------------------------------------------------- -FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS builder +FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS release # Always set by buildkit ARG TARGETPLATFORM ARG TARGETARCH ARG TARGETOS -ARG XIOND_BINARY - -# needed in makefile -ARG COMMIT -ARG VERSION - -# Consume Args to env -ENV COMMIT=${COMMIT} \ - VERSION=${VERSION} \ - GOOS=${TARGETOS} \ - GOARCH=${TARGETARCH} \ - XIOND_BINARY=${XIOND_BINARY} # Install dependencies RUN set -eux; \ 
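Review bot: Renaming the build stage from `builder` to `release` makes it the image docker-build.yaml publishes (`target: release`), so the pushed image is the `golang:${GO_VERSION}-alpine` toolchain with git installed, and with the runner stage deleted in the `@@ -36,142` hunk it ends with no `USER`, no `CMD` and no `EXPOSE` — it runs as root with the full build environment on board. Keep this stage as `AS builder` and add a final stage along the lines of `FROM alpine:${ALPINE_VERSION} AS release`, `COPY --from=builder /go/bin/cosmovisor /usr/bin/cosmovisor` and a non-root `USER`, as the deleted runner stage did. `ARG TARGETPLATFORM` is kept although nothing in the new stage reads it once the per-platform `LIBWASM` selection is gone; remove it or note why it stays.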
@@ -36,142 +24,22 @@ RUN set -eux; \ git # Set the workdir -WORKDIR /go/src/github.com/burnt-labs/xion +WORKDIR /go/src/cosmossdk.io/tools/cosmovisor -# Download go dependencies -COPY go.mod go.sum ./ +# install cosmovisor RUN --mount=type=cache,target=/root/.cache/go-build \ --mount=type=cache,target=/root/pkg/mod \ set -eux; \ - go install cosmossdk.io/tools/cosmovisor/cmd/cosmovisor@v1.5.0; \ - go mod download + go install cosmossdk.io/tools/cosmovisor/cmd/cosmovisor@v1.5.0; # Cosmwasm - Download correct libwasmvm version RUN set -eux; \ WASMVM_REPO="github.com/CosmWasm/wasmvm"; \ WASMVM_MOD_VERSION="$(grep ${WASMVM_REPO} go.mod | cut -d ' ' -f 1)"; \ WASMVM_VERSION="$(go list -m ${WASMVM_MOD_VERSION} | cut -d ' ' -f 2)"; \ - [ ${TARGETPLATFORM} = "linux/amd64" ] && LIBWASM="libwasmvm_muslc.x86_64.a"; \ - [ ${TARGETPLATFORM} = "linux/arm64" ] && LIBWASM="libwasmvm_muslc.aarch64.a"; \ - [ ${TARGETOS} = "darwin" ] && LIBWASM="libwasmvmstatic_darwin.a"; \ - [ -z "$LIBWASM" ] && echo "Arch ${TARGETARCH} not recognized" && exit 1; \ - wget "https://${WASMVM_REPO}/releases/download/${WASMVM_VERSION}/${LIBWASM}" -O "/lib/${LIBWASM}"; \ - # verify checksum - EXPECTED=$(wget -q "https://${WASMVM_REPO}/releases/download/${WASMVM_VERSION}/checksums.txt" -O- | grep "${LIBWASM}" | awk '{print $1}'); \ - sha256sum "/lib/${LIBWASM}" | grep "${EXPECTED}"; \ - cp /lib/${LIBWASM} /lib/libwasmvm_muslc.a; - -# Copy local files -COPY . . 
- -# Build xiond binary -RUN --mount=type=cache,target=/root/.cache/go-build \ - --mount=type=cache,target=/root/pkg/mod \ - if [ -e "${XIOND_BINARY:-}" ]; then \ - cp "${XIOND_BINARY}" /go/bin/xiond; \ - else \ - export CGO_ENABLED=1 LINK_STATICALLY=true BUILD_TAGS=muslc; \ - make test-version; \ - make install; \ - fi - -# -------------------------------------------------------- -# Heighliner -# -------------------------------------------------------- - -# Build final image from scratch -FROM scratch AS heighliner - -WORKDIR /bin -ENV PATH=/bin - -# Install busybox -COPY --from=busybox:1.36-musl /bin/busybox /bin/busybox - -# users and group -COPY --from=busybox:1.36-musl /etc/passwd /etc/group /etc/ - -# Install trusted CA certificates -COPY --from=builder /etc/ssl/cert.pem /etc/ssl/cert.pem - -# Install xiond -COPY --from=builder /go/bin/xiond /bin/xiond - -# Install jq -COPY --from=ghcr.io/strangelove-ventures/infra-toolkit:v0.1.4 /usr/local/bin/jq /bin/jq - -# link shell -RUN ["busybox", "ln", "/bin/busybox", "sh"] - -# Add hard links for read-only utils -# Will then only have one copy of the busybox minimal binary file with all utils pointing to the same underlying inode -RUN set -eux; \ - for bin in \ - cat \ - date \ - df \ - du \ - env \ - grep \ - head \ - less \ - ls \ - md5sum \ - pwd \ - sha1sum \ - sha256sum \ - sha3sum \ - sha512sum \ - sleep \ - stty \ - tail \ - tar \ - tee \ - tr \ - watch \ - which \ - ; do busybox ln /bin/busybox $bin; \ + for LIBWASM in "libwasmvm_muslc.x86_64.a" "libwasmvm_muslc.aarch64.a" "libwasmvmstatic_darwin.a"; \ + wget "https://${WASMVM_REPO}/releases/download/${WASMVM_VERSION}/${LIBWASM}" -O "/lib/${LIBWASM}"; \ + # verify checksum + EXPECTED=$(wget -q "https://${WASMVM_REPO}/releases/download/${WASMVM_VERSION}/checksums.txt" -O- | grep "${LIBWASM}" | awk '{print $1}'); \ + sha256sum "/lib/${LIBWASM}" | grep "${EXPECTED}"; \ done; - -RUN set -eux; \ - busybox mkdir -p /tmp /home/heighliner; \ - busybox addgroup --gid 
1025 -S heighliner; \ - busybox adduser --uid 1025 -h /home/heighliner -S heighliner -G heighliner; \ - busybox chown 1025:1025 /tmp /home/heighliner; \ - busybox unlink busybox; - -WORKDIR /home/heighliner -USER heighliner - -# -------------------------------------------------------- -# Runner -# -------------------------------------------------------- - -FROM alpine:${ALPINE_VERSION} AS release -COPY --from=builder /go/bin/xiond /usr/bin/xiond -COPY --from=builder /go/bin/cosmovisor /usr/bin/cosmovisor - -# api -EXPOSE 1317 -# grpc -EXPOSE 9090 -# p2p -EXPOSE 26656 -# rpc -EXPOSE 26657 -# prometheus -EXPOSE 26660 - -RUN set -euxo pipefail; \ - apk add --no-cache bash openssl curl htop jq lz4 tini; \ - addgroup --gid 1000 -S xiond; \ - adduser --uid 1000 -S xiond \ - --disabled-password \ - --gecos xiond \ - --ingroup xiond; \ - mkdir -p /home/xiond; \ - chown -R xiond:xiond /home/xiond - -USER xiond:xiond -WORKDIR /home/xiond/.xiond -CMD ["/usr/bin/xiond"]
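Review bot: The rewritten `libwasmvm` download loop is not valid shell: `for LIBWASM in ...; \` is followed directly by the `wget` line with no `do`, so the `RUN` aborts with a syntax error before anything is fetched. The two lines above it are broken by this hunk as well: `COPY go.mod go.sum ./` is deleted and the workdir is now the empty `/go/src/cosmossdk.io/tools/cosmovisor`, so `grep ${WASMVM_REPO} go.mod` fails under `set -eux` and `WASMVM_VERSION` is never set. Since this stage now only installs cosmovisor, the whole block may be unnecessary; if it stays, the version needs a build `ARG` and the checksum check needs hardening — with `wget -q ... | grep | awk`, an empty `EXPECTED` (failed download, or a file that is no longer listed in checksums.txt) makes `grep ""` match any line and the check passes, so assert non-emptiness and let `sha256sum -c` do the comparison. The `RUN` starts inside this hunk; the `done;` that closes the loop is a context line retained from the deleted busybox loop.
```dockerfile
# Cosmwasm - Download correct libwasmvm version
# WASMVM_VERSION must be supplied as a build arg: no go.mod is copied into this stage any more
ARG WASMVM_VERSION
RUN set -eux; \
    WASMVM_REPO="github.com/CosmWasm/wasmvm"; \
    [ -n "${WASMVM_VERSION}" ]; \
    CHECKSUMS="$(wget -q "https://${WASMVM_REPO}/releases/download/${WASMVM_VERSION}/checksums.txt" -O-)"; \
    for LIBWASM in "libwasmvm_muslc.x86_64.a" "libwasmvm_muslc.aarch64.a" "libwasmvmstatic_darwin.a"; do \
        wget "https://${WASMVM_REPO}/releases/download/${WASMVM_VERSION}/${LIBWASM}" -O "/lib/${LIBWASM}"; \
        EXPECTED="$(echo "${CHECKSUMS}" | grep "${LIBWASM}" | awk '{print $1}')"; \
        [ -n "${EXPECTED}" ]; \
        echo "${EXPECTED}  /lib/${LIBWASM}" | sha256sum -c -; \
    done
```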