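# Build-time selector for the final image: one of `core` | `edge`
ARG TARGET=core
# Tag of the placeos/crystal builder image.
# NOTE(review): the default `latest` is a floating tag, so two builds of the
# same commit can use different compilers and base packages. Release builds
# should pass a fixed value, e.g. --build-arg CRYSTAL_VERSION=<pinned-version>.
ARG CRYSTAL_VERSION=latest

###############################################################################
# Stage `build`: compiles the selected target as a static binary and prepares
# the account and directories that the runtime stages copy out of it.
FROM placeos/crystal:$CRYSTAL_VERSION AS build
WORKDIR /app

# Re-declared because an ARG defined before FROM is only visible to FROM lines
ARG TARGET
# Set the commit via a build arg
ARG PLACE_COMMIT="DEV"
# Set the platform version via a build arg
ARG PLACE_VERSION="DEV"

# Create a non-privileged user, defaults are appuser:10001
ARG IMAGE_UID="10001"
ENV UID=$IMAGE_UID
ENV USER=appuser

# See https://stackoverflow.com/a/55757473/12429735
# The account has no password, no home directory and a nologin shell; its
# /etc/passwd and /etc/group entries are what the `minimal` stage copies so it
# can run as a non-root user.
RUN adduser \
    --disabled-password \
    --gecos "" \
    --home "/nonexistent" \
    --shell "/sbin/nologin" \
    --no-create-home \
    --uid "${UID}" \
    "${USER}"

# Install additional libs required for drivers
# The `>=` constraints are minimum versions, not pins: apk may install anything
# newer, so the exact package set depends on when the image is built.
# hadolint ignore=DL3059
RUN apk add \
    --update \
    --no-cache \
    'apk-tools>=2.10.8-r0' \
    'expat>=2.2.10-r1' \
    'libcurl>=7.79.1-r0'

# Install shards for caching
# Only the manifests are copied first, so this layer is reused until they change.
COPY shard.yml shard.override.yml shard.lock ./
# --skip-postinstall / --skip-executables: dependency post-install scripts and
# executables are not run or installed during the image build.
RUN shards install --production --ignore-crystal-version --skip-postinstall --skip-executables

# Add src
COPY ./src /app/src

# Build the required target
# NOTE(review): UNAME_AT_COMPILE_TIME is presumably read by the build; its
# consumer is not visible in this file.
ENV UNAME_AT_COMPILE_TIME=true
# PLACE_VERSION / PLACE_COMMIT are passed to the build command as environment
# variables. --static is needed because the runtime stages start FROM scratch.
# $TARGET is intentionally left unquoted (see the SC2086 suppression).
# hadolint ignore=SC2086
RUN PLACE_VERSION=$PLACE_VERSION \
    PLACE_COMMIT=$PLACE_COMMIT \
    shards build $TARGET \
    --error-trace \
    --production \
    --static

# From here on RUN uses ash with -e and pipefail, so a failing command in a
# chain or pipe aborts the build.
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]

# Create binary directories
# (relative to WORKDIR /app) and hand the whole tree to the unprivileged user.
RUN mkdir -p repositories bin/drivers tmp \
    && chown appuser -R /app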
###############################################################################
# Stage `minimal`: runtime base shared by `edge` and `core`. Starts from an empty
# filesystem and receives only the files copied from `build` below.
FROM scratch as minimal
WORKDIR /app
# NOTE(review): on scratch the value of $PATH depends on the builder's default.
# If it expands to empty the result is ":/bin", and an empty PATH entry is
# searched as the current directory. Confirm with `docker inspect` on the image.
ENV PATH=$PATH:/bin
# Copy the user information over
# (the whole passwd/group files of the build image, which include `appuser`)
COPY --from=build /etc/passwd /etc/passwd
COPY --from=build /etc/group /etc/group
# These are required for communicating with external services
COPY --from=build /etc/hosts /etc/hosts
# These provide certificate chain validation where communicating with external services over TLS
# The CA bundle is a snapshot from the build image, so the trust store only
# changes when the image is rebuilt.
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
# This is required for Timezone support
COPY --from=build /usr/share/zoneinfo/ /usr/share/zoneinfo/
# configure folder permissions
# Both directories arrive owned by root (0:0) and are opened up by the chmod
# steps below.
COPY --from=build --chown=0:0 /app/tmp /tmp
COPY --from=build --chown=0:0 /app/bin/drivers /app/bin/drivers
# This seems to be the only way to set permissions properly
# scratch has no shell or chmod, so the build image's /bin and musl loader are
# copied in temporarily, used by the RUN steps, then removed again.
COPY --from=build /bin /bin
COPY --from=build /lib/ld-musl-* /lib/
# a+rwX makes /tmp world-writable.
# NOTE(review): no sticky bit is set (a conventional /tmp is mode 1777), so any
# user could remove another user's files. Confirm this is acceptable for a
# single-user container.
RUN chmod -R a+rwX /tmp
# World-writable so the unprivileged user can write here at runtime.
# NOTE(review): any process in the container can then replace files in this
# directory. Presumably it holds driver executables; confirm and treat the
# volume as untrusted input on the host side.
# hadolint ignore=DL3059
RUN chmod -R a+rwX /app/bin/drivers
# Removes the temporary tools from the final filesystem. The earlier COPY layers
# still contain them, so the files remain in the image's layers (size, and
# readable by anyone who can pull the image) though not in the running container.
# hadolint ignore=SC2114,DL3059
RUN rm -rf /bin /lib
# Copy the app into place
# (the build stage's /app/bin output directory becomes /bin)
COPY --from=build /app/bin /bin
# Use an unprivileged user.
# The name resolves through the /etc/passwd and /etc/group copied above.
USER appuser:appuser
###############################################################################
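# Stage `edge`: the `minimal` runtime with the edge binary as its entrypoint.
FROM minimal AS edge
# No CMD: Docker appends CMD to ENTRYPOINT as arguments, so the previous
# CMD ["/bin/edge"] started the process as `/bin/edge /bin/edge`.
# Arguments given to `docker run` are still appended to the entrypoint.
ENTRYPOINT ["/bin/edge"]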
###############################################################################
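# FIXME: core currently has a number of dependencies on the runtime for
# retrieving repositories and compiling drivers. When this migrates into an
# external service, this can base from `minimal` instead for cleaner images.
# NOTE(review): this stage already bases on `minimal`, so the FIXME may be
# stale. Confirm and drop it if so.
FROM minimal AS core
WORKDIR /app
# Documentation only: the port is reachable from outside only when published.
EXPOSE 3000
# Declared after the `minimal` stage has set the directory's permissions, so the
# volume is initialised with the world-writable mode chosen there.
VOLUME ["/app/bin/drivers/"]
ENTRYPOINT ["/bin/core"]
# Probes the local API using the binary's own --curl mode (scratch has no curl).
# No interval/timeout/retries are given, so Docker's defaults apply.
HEALTHCHECK CMD ["/bin/core", "--curl", "http://localhost:3000/api/core/v1"]
# Default arguments only: Docker appends CMD to ENTRYPOINT, so repeating the
# binary path here made the default command `/bin/core /bin/core -b ...`.
# -b 0.0.0.0 listens on every interface inside the container.
CMD ["-b", "0.0.0.0", "-p", "3000"]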
###############################################################################
# Final image: re-export whichever stage the TARGET build arg names (`core` by
# default, or `edge`). DL3006 is suppressed because the stage name is only known
# at build time.
# NOTE(review): a TARGET value that is not a stage name is resolved as an image
# reference and pulled from a registry, so CI should only allow `core` or `edge`.
# hadolint ignore=DL3006
FROM $TARGET