-
-
Notifications
You must be signed in to change notification settings - Fork 2.5k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
build: optimize image layers in base images (#2212)
- Loading branch information
Showing
8 changed files
with
152 additions
and
245 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,7 +4,7 @@ LABEL authors="Selenium <[email protected]>" | |
# Arguments to define the version of dependencies to download | ||
ARG VERSION | ||
ARG RELEASE=selenium-${VERSION} | ||
ARG GH_ORG=SeleniumHQ | ||
ARG AUTHORS=SeleniumHQ | ||
# Default value should be aligned with upstream Selenium (https://github.com/SeleniumHQ/selenium/blob/trunk/java/maven_deps.bzl) | ||
ARG OPENTELEMETRY_VERSION=1.36.0 | ||
ARG GRPC_VERSION=1.62.2 | ||
|
@@ -15,27 +15,31 @@ ARG SEL_GROUP=${SEL_USER} | |
ARG SEL_PASSWD=secret | ||
ARG UID=1200 | ||
ARG GID=1201 | ||
|
||
USER root | ||
#================================================ | ||
# Customize sources for apt-get | ||
#================================================ | ||
RUN echo "deb http://archive.ubuntu.com/ubuntu jammy main universe\n" > /etc/apt/sources.list \ | ||
&& echo "deb http://archive.ubuntu.com/ubuntu jammy-updates main universe\n" >> /etc/apt/sources.list \ | ||
&& echo "deb http://security.ubuntu.com/ubuntu jammy-security main universe\n" >> /etc/apt/sources.list | ||
ARG TZ="UTC" | ||
ARG JRE_VERSION=17 | ||
ARG TARGETARCH=amd64 | ||
ARG TARGETVARIANT | ||
|
||
# No interactive frontend during docker build | ||
USER root | ||
|
||
ENV DEBIAN_FRONTEND=noninteractive \ | ||
DEBCONF_NONINTERACTIVE_SEEN=true | ||
# No interactive frontend during docker build | ||
DEBCONF_NONINTERACTIVE_SEEN=true \ | ||
SEL_USER=${SEL_USER} \ | ||
SEL_UID=${UID} \ | ||
SEL_GID=${GID} \ | ||
HOME=/home/${SEL_USER} \ | ||
TZ=${TZ} \ | ||
SEL_DOWNLOAD_DIR=${HOME}/Downloads | ||
|
||
#======================== | ||
# Miscellaneous packages | ||
# Includes minimal runtime used for executing non GUI Java programs | ||
#======================== | ||
ARG JRE_VERSION=17 | ||
RUN apt-get -qqy update \ | ||
RUN echo "deb http://archive.ubuntu.com/ubuntu jammy main universe\n" > /etc/apt/sources.list \ | ||
&& echo "deb http://archive.ubuntu.com/ubuntu jammy-updates main universe\n" >> /etc/apt/sources.list \ | ||
&& echo "deb http://security.ubuntu.com/ubuntu jammy-security main universe\n" >> /etc/apt/sources.list \ | ||
&& apt-get -qqy update \ | ||
&& apt-get upgrade -yq \ | ||
&& apt-get -qqy --no-install-recommends install \ | ||
acl \ | ||
|
@@ -56,40 +60,24 @@ RUN apt-get -qqy update \ | |
&& echo "deb [signed-by=/etc/apt/keyrings/adoptium.asc] https://packages.adoptium.net/artifactory/deb $(awk -F= '/^VERSION_CODENAME/{print$2}' /etc/os-release) main" | tee /etc/apt/sources.list.d/adoptium.list >dev/null \ | ||
&& apt-get -qqy update \ | ||
&& apt-get -qqy --no-install-recommends install temurin-${JRE_VERSION}-jre -y \ | ||
&& rm -rf /var/lib/apt/lists/* /var/cache/apt/* | ||
|
||
#=================== | ||
|
||
RUN if [ $TARGETARCH = "arm" ] && [ $TARGETVARIANT = "v7" ]; then \ | ||
&& if [ "${TARGETARCH}" = "arm" ] && [ "${TARGETVARIANT}" = "v7" ]; then \ | ||
export ARCH=armhf ; \ | ||
else \ | ||
export ARCH=$TARGETARCH ; \ | ||
export ARCH=${TARGETARCH} ; \ | ||
fi \ | ||
&& sed -i 's/securerandom\.source=file:\/dev\/random/securerandom\.source=file:\/dev\/urandom/' ./usr/lib/jvm/temurin-${JRE_VERSION}-jre-$ARCH/conf/security/java.security | ||
|
||
|
||
&& sed -i 's/securerandom\.source=file:\/dev\/random/securerandom\.source=file:\/dev\/urandom/' ./usr/lib/jvm/temurin-${JRE_VERSION}-jre-${ARCH}/conf/security/java.security \ | ||
&& rm -rf /var/lib/apt/lists/* /var/cache/apt/* \ | ||
#=================== | ||
# Timezone settings | ||
# Possible alternative: https://github.com/docker/docker/issues/3359#issuecomment-32150214 | ||
#=================== | ||
ENV TZ "UTC" | ||
RUN ln -fs /usr/share/zoneinfo/${TZ} /etc/localtime && \ | ||
&& ln -fs /usr/share/zoneinfo/${TZ} /etc/localtime && \ | ||
dpkg-reconfigure -f noninteractive tzdata && \ | ||
cat /etc/timezone | ||
|
||
#====================================== | ||
# Configure environement | ||
#====================================== | ||
ENV SEL_USER=${SEL_USER} | ||
ENV SEL_UID=${UID} | ||
ENV SEL_GID=${GID} | ||
ENV HOME=/home/${SEL_USER} | ||
ENV SEL_DOWNLOAD_DIR=${HOME}/Downloads | ||
|
||
cat /etc/timezone \ | ||
#======================================== | ||
# Add normal user and group with passwordless sudo | ||
# Add normal user and group without password sudo | ||
#======================================== | ||
RUN groupadd ${SEL_GROUP} \ | ||
&& groupadd ${SEL_GROUP} \ | ||
--gid ${SEL_GID} \ | ||
&& useradd ${SEL_USER} \ | ||
--create-home \ | ||
|
@@ -98,75 +86,63 @@ RUN groupadd ${SEL_GROUP} \ | |
--uid ${SEL_UID} \ | ||
&& usermod -a -G sudo ${SEL_USER} \ | ||
&& echo 'ALL ALL = (ALL) NOPASSWD: ALL' >> /etc/sudoers \ | ||
&& echo "${SEL_USER}:${SEL_PASSWD}" | chpasswd | ||
|
||
#====================================== | ||
# Add Grid check script | ||
#====================================== | ||
COPY --chown="${SEL_UID}:${SEL_GID}" check-grid.sh entry_point.sh /opt/bin/ | ||
|
||
#====================================== | ||
# Add Supervisor configuration file | ||
#====================================== | ||
COPY supervisord.conf /etc | ||
|
||
&& echo "${SEL_USER}:${SEL_PASSWD}" | chpasswd \ | ||
#========== | ||
# Selenium & relaxing permissions for OpenShift and other non-sudo environments | ||
#========== | ||
RUN mkdir -p /opt/selenium /opt/selenium/assets /var/run/supervisor /var/log/supervisor ${SEL_DOWNLOAD_DIR} \ | ||
&& mkdir -p /opt/selenium /opt/selenium/assets /var/run/supervisor /var/log/supervisor ${SEL_DOWNLOAD_DIR} \ | ||
${HOME}/.mozilla ${HOME}/.vnc $HOME/.pki/nssdb \ | ||
# NSSDB initialization with an empty password | ||
&& certutil -d sql:$HOME/.pki/nssdb -N --empty-password \ | ||
&& touch /opt/selenium/config.toml \ | ||
&& chown -R ${SEL_USER}:${SEL_GROUP} /opt/selenium /var/run/supervisor /var/log/supervisor /etc/passwd ${HOME} \ | ||
&& chmod -R 775 /opt/selenium /var/run/supervisor /var/log/supervisor /etc/passwd ${HOME} \ | ||
&& wget --no-verbose https://github.com/${GH_ORG}/selenium/releases/download/${RELEASE}/selenium-server-${VERSION}.jar \ | ||
&& wget --no-verbose https://github.com/${AUTHORS}/selenium/releases/download/${RELEASE}/selenium-server-${VERSION}.jar \ | ||
-O /opt/selenium/selenium-server.jar \ | ||
&& echo "${SEL_PASSWD}" > /opt/selenium/initialPasswd \ | ||
&& chgrp -R 0 /opt/selenium ${HOME} /opt/selenium/assets /var/run/supervisor /var/log/supervisor \ | ||
&& chmod -R g=u /opt/selenium ${HOME} /opt/selenium/assets /var/run/supervisor /var/log/supervisor \ | ||
&& setfacl -Rm u:${SEL_USER}:rwx /opt /opt/selenium ${HOME} /opt/selenium/assets /var/run/supervisor /var/log/supervisor \ | ||
&& setfacl -Rm g:${SEL_GROUP}:rwx /opt /opt/selenium ${HOME} /opt/selenium/assets /var/run/supervisor /var/log/supervisor | ||
|
||
&& setfacl -Rm g:${SEL_GROUP}:rwx /opt /opt/selenium ${HOME} /opt/selenium/assets /var/run/supervisor /var/log/supervisor \ | ||
#===== | ||
# Download observability related jaegar jars and make them available in a separate directory | ||
# Download observability related OpenTelemetry jars and make them available in a separate directory | ||
# so that the container can skip downloading them everytime it comes up | ||
#===== | ||
RUN curl -fLo /tmp/cs https://github.com/coursier/launchers/raw/master/coursier \ | ||
&& curl -fLo /tmp/cs https://github.com/coursier/launchers/raw/master/coursier \ | ||
&& chmod +x /tmp/cs \ | ||
&& mkdir -p /external_jars \ | ||
&& chmod -R 775 /external_jars | ||
|
||
RUN /tmp/cs fetch --classpath --cache /external_jars \ | ||
&& chmod -R 775 /external_jars \ | ||
&& /tmp/cs fetch --classpath --cache /external_jars \ | ||
io.opentelemetry:opentelemetry-exporter-otlp:${OPENTELEMETRY_VERSION} \ | ||
io.grpc:grpc-netty:${GRPC_VERSION} > /external_jars/.classpath.txt | ||
io.grpc:grpc-netty:${GRPC_VERSION} > /external_jars/.classpath.txt \ | ||
&& chmod 664 /external_jars/.classpath.txt \ | ||
&& rm -fr /root/.cache/* \ | ||
# (Note that .bashrc is only executed in interactive bash shells.) | ||
&& echo 'if [[ $(ulimit -n) -gt 200000 ]]; then echo "WARNING: Very high value reported by \"ulimit -n\". Consider passing \"--ulimit nofile=32768\" to \"docker run\"."; fi' >> ${HOME}/.bashrc | ||
Check notice on line 121 in Base/Dockerfile GitHub Actions / Scan Dockerfile vulnerabilitiesDS014
|
||
|
||
RUN chmod 664 /external_jars/.classpath.txt | ||
RUN rm -fr /root/.cache/* | ||
#====================================== | ||
# Add Grid check script | ||
#====================================== | ||
COPY --chown="${SEL_UID}:${SEL_GID}" check-grid.sh entry_point.sh /opt/bin/ | ||
|
||
#====================================== | ||
# Add Supervisor configuration file | ||
#====================================== | ||
COPY supervisord.conf /etc | ||
|
||
#=================================================== | ||
# Run the following commands as non-privileged user | ||
#=================================================== | ||
USER ${SEL_UID}:${SEL_GID} | ||
|
||
#========== | ||
# NSSDB initialization with an empty password | ||
#========== | ||
RUN certutil -d sql:$HOME/.pki/nssdb -N --empty-password | ||
|
||
# Boolean value, maps "--bind-host" | ||
ENV SE_BIND_HOST false | ||
# Boolean value, maps "--reject-unsupported-caps" | ||
ENV SE_REJECT_UNSUPPORTED_CAPS false | ||
|
||
ENV SE_OTEL_JAVA_GLOBAL_AUTOCONFIGURE_ENABLED true | ||
ENV SE_OTEL_TRACES_EXPORTER "otlp" | ||
|
||
# A too high maximum number of file descriptors (with the default value | ||
# inherited from the docker host) can cause issues with some of our tools: | ||
# - sanitizers hanging: https://github.com/google/sanitizers/issues/1662 | ||
# - valgrind crashing: https://stackoverflow.com/a/75293014 | ||
# This is not be a problem on our CI hosts, but developers who run the image | ||
# on their machines may run into this (e.g., on Arch Linux), so warn them. | ||
# (Note that .bashrc is only executed in interactive bash shells.) | ||
RUN echo 'if [[ $(ulimit -n) -gt 200000 ]]; then echo "WARNING: Very high value reported by \"ulimit -n\". Consider passing \"--ulimit nofile=32768\" to \"docker run\"."; fi' >> ${HOME}/.bashrc | ||
#====================================== | ||
# Configure environement | ||
#====================================== | ||
# Boolean value, maps "--bind-host" | ||
ENV SE_BIND_HOST=false \ | ||
# Boolean value, maps "--reject-unsupported-caps" | ||
SE_REJECT_UNSUPPORTED_CAPS=false \ | ||
SE_OTEL_JAVA_GLOBAL_AUTOCONFIGURE_ENABLED=true \ | ||
SE_OTEL_TRACES_EXPORTER="otlp" | ||
|
||
CMD ["/opt/bin/entry_point.sh"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.