Dockerfile review after CI changes #1624

Merged
merged 13 commits into from
Nov 27, 2023
14 changes: 6 additions & 8 deletions .github/workflows/build-docker.yml
@@ -49,14 +49,12 @@ jobs:
uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 #v5
with:
images: centrifugeio/centrifuge-chain
flavor: |
suffix=-${{ env.NOW }}
prefix=${{ matrix.target == 'test' && 'test-' || 'latest=auto' }}
tags: |
type=raw,event=branch,value={{branch}}-{{sha}}
type=semver,pattern={{raw}},suffix=,prefix=${{ matrix.target == 'test' && 'test-' || 'latest=auto' }}
type=semver,pattern={{major}},prefix=${{ matrix.target == 'test' && 'test-' || '' }},suffix=
type=edge
type=semver,pattern={{raw}},prefix=${{ matrix.target == 'test' && 'test-' || '' }}
type=edge,event=pr,suffix={{sha}}-${{ env.NOW }},prefix=${{ matrix.target == 'test' && 'test-' || '' }}
type=ref,event=tag,suffix={{sha}}-${{ env.NOW }},prefix=${{ matrix.target == 'test' && 'test-' || '' }}
type=ref,event=pr,suffix={{sha}}-${{ env.NOW }},prefix=${{ matrix.target == 'test' && 'test-' || '' }}
type=ref,event=branch,prefix=${{ matrix.target == 'test' && 'test-' || '' }}-{{branch}},suffix={{sha}}-${{ env.NOW }}

- name: Configure GHA cache
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea #v6
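Review bot: the last tag rule, `type=ref,event=branch,prefix=${{ matrix.target == 'test' && 'test-' || '' }}-{{branch}},suffix={{sha}}-${{ env.NOW }}`, puts `-{{branch}}` into the prefix even though the `ref,event=branch` tagger's own value is already the branch name, so a non-test build of `main` would get a tag of the form `-mainmain<sha>-<NOW>`, which starts with `-` and is not a valid image tag. The intended form is most likely `type=ref,event=branch,prefix=${{ matrix.target == 'test' && 'test-' || '' }},suffix=-{{sha}}-${{ env.NOW }}` with no branch in the prefix. A smaller point: the `edge` tagger documents only a `branch=` attribute, so the `event=pr` on the `type=edge` line either does nothing or is rejected by the action; it does not make `edge` a pull-request-specific tag, and the `type=ref,event=pr` line below it already covers that case.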
@@ -72,7 +70,7 @@ jobs:
file: ./docker/centrifuge-chain/Dockerfile
build-args: |
FEATURES=${{ matrix.target == 'test' && 'fast-runtime' || '' }}
push: ${{ github.event_name == 'pull_request' && false || true }}
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
# Cache options:
# https://docs.docker.com/build/ci/github-actions/cache/
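Review bot: `push: ${{ github.event_name != 'pull_request' }}` is the correct fix, and the reason is worth recording in the PR description: the previous `${{ github.event_name == 'pull_request' && false || true }}` is the `a && b || c` ternary idiom, which breaks whenever `b` is falsy, so `false || true` always evaluated to `true` and pull-request builds were being pushed to the registry under the PR tags. With pushes now disabled for pull requests, the `event=pr` tag rules in the metadata step above no longer produce published images, which should be stated so nobody expects to pull a PR image.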
41 changes: 22 additions & 19 deletions docker/centrifuge-chain/Dockerfile
@@ -1,8 +1,6 @@
# Based on
# Inspired by
# https://github.com/paritytech/polkadot-sdk/blob/master/docker/dockerfiles/polkadot/polkadot_injected_release.Dockerfile

# ToDo: create a CI/builder image with preloaded tools
# FROM --platform=linux/amd64 docker.io/library/ubuntu:22.04 as builder
FROM --platform=linux/amd64 docker.io/library/rust:bookworm as builder
# Defaults
ENV RUST_BACKTRACE 1
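Review bot: `FROM --platform=linux/amd64 docker.io/library/rust:bookworm as builder` references a moving tag. The workflow pins its actions to commit SHAs, so the base image should get the same treatment: pin it to a digest (`docker.io/library/rust:bookworm@sha256:<digest>`, with the digest taken from the image you actually tested) so a rebuild of the same commit uses the same toolchain and an upstream tag update cannot silently change what the release binary is built with. Also, `ENV RUST_BACKTRACE 1` is the legacy whitespace form of `ENV`; `ENV RUST_BACKTRACE=1` is the form current BuildKit accepts without a warning.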
@@ -30,8 +28,6 @@ FROM --platform=linux/amd64 docker.io/library/rust:bookworm as builder
ARG RUSTC_WRAPPER=''
ARG SCCACHE_GHA_ENABLED="false"

RUN rustup target add wasm32-unknown-unknown

COPY . centrifuge-chain
WORKDIR /centrifuge-chain
ARG FEATURES=""
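Review bot: dropping `RUN rustup target add wasm32-unknown-unknown` is only safe if the wasm32 target is installed some other way; rustup auto-installs targets listed in a `rust-toolchain.toml`, but the `rust:bookworm` image does not ship that target on its own, and the failure would surface at the cargo build step outside this hunk, possibly masked by a warm sccache. Please confirm a clean, cache-less image build still produces the runtime. Separately, `COPY . centrifuge-chain` copies the entire build context into the builder stage; make sure `.dockerignore` excludes `.git`, `target/` and any local `.env` or key material so they do not end up in cached builder layers.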
@@ -40,7 +36,9 @@ FROM --platform=linux/amd64 docker.io/library/rust:bookworm as builder


# ===== SECOND STAGE ======
# ToDo: create a secure image as a base for the binary
# IF we were to publish binaries that we can always trust we could skip the first part
# and simply download the binaries here. Some short of hash or integrity check would need to
# happen to make sure the binary is what we want.
FROM --platform=linux/amd64 docker.io/library/ubuntu:jammy

LABEL io.centrifuge.image.authors="[email protected]" \
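Review bot: "Some short of hash" in the new comment should read "some sort of hash". On the substance of that note: a hash only establishes trust if it is obtained independently of the artifact, for example a checksum file or signature in the release that is verified against a key the Dockerfile already holds; a checksum fetched from the same location as the binary detects corruption but not a substituted binary. The runtime base `docker.io/library/ubuntu:jammy` is also an unpinned tag and should be pinned by digest so the image a given commit produces is reproducible.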
@@ -54,24 +52,29 @@ FROM --platform=linux/amd64 docker.io/library/ubuntu:jammy
# Add chain resources to image
COPY res /resources/

RUN useradd -m -u 1000 -U -s /bin/sh -d /centrifuge centrifuge && \
mkdir -p /data /centrifuge/.local/share && \
chown -R centrifuge:centrifuge /data && \
ln -s /data /centrifuge/.local/share/centrifuge

COPY --from=builder /centrifuge-chain/target/release/centrifuge-chain /usr/local/bin
# checks
RUN ldd /usr/local/bin/centrifuge-chain && \
/usr/local/bin/centrifuge-chain --version

RUN apt-get autoremove -y && apt-get clean && rm -rf /var/lib/apt/lists/* ;
RUN mkdir -p /root/.local/share/centrifuge-chain && \
ln -s /root/.local/share/centrifuge-chain /data


ENV RUST_BACKTRACE 1

# Because of the following, all data and config directories need to be owned by UID and GID 1000
RUN useradd -m -u 1000 -U -s /bin/sh -d /centrifuge centrifuge

RUN mkdir -p /data && \
chown -R centrifuge:centrifuge /data && \
chown -R centrifuge:centrifuge /resources && \
chown -R centrifuge:centrifuge /usr/local/bin/centrifuge-chain && \
chown -R centrifuge:centrifuge /centrifuge/

# Running as an non-root is a good security practice
# in some cases the container can be forced to run as root overriding the next line
# but by default we want to enforce this.
USER centrifuge
# checks
RUN ldd /usr/local/bin/centrifuge-chain && \
/usr/local/bin/centrifuge-chain --version
ENV RUST_BACKTRACE 1
EXPOSE 30333 9933 9944
VOLUME ["/data"]

ENTRYPOINT ["/usr/local/bin/centrifuge-chain"]
CMD ["--help"]
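Review bot: `chown -R centrifuge:centrifuge /usr/local/bin/centrifuge-chain` and `chown -R centrifuge:centrifuge /resources` hand ownership of the node binary and the chain specs to the very user the process runs as, which gives back part of what `USER centrifuge` gains: a compromised node process could rewrite its own executable or its chain spec inside a running container. The binary and `/resources` only need to be readable (and, for the binary, executable) by uid 1000, so leave them root-owned with mode 0755/0644 and restrict the `chown` to `/data` and `/centrifuge`. A second point: with the old `ln -s /data /centrifuge/.local/share/centrifuge` gone, nothing maps Substrate's default base path under `$HOME` onto the declared `VOLUME ["/data"]`, so the chain database will land in the container's writable layer unless operators pass `--base-path /data`; either set that in `CMD` or document it next to the comment about UID and GID 1000.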