

Switch to base image new tagging; Add multistage image building
hdabrowski authored and marek-jakubowski committed Aug 30, 2023
1 parent 85eaaa3 commit adb87c9
Showing 7 changed files with 100 additions and 87 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -36,6 +36,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
- Additive policy requests submitted via POST are rejected with a 400 status if
they attempt to update an existing resource.
[cyberark/conjur#2888](https://github.com/cyberark/conjur/pull/2888)
- Changed base-image tagging strategy
[cyberark/conjur#2926](https://github.com/cyberark/conjur/pull/2926)

### Fixed
- Support Authn-IAM regional requests when host value is missing from signed headers.
46 changes: 24 additions & 22 deletions Dockerfile
@@ -1,12 +1,28 @@
FROM cyberark/ubuntu-ruby-builder:latest as builder

WORKDIR /opt/conjur-server

COPY Gemfile Gemfile.lock ./
COPY ./gems/ ./gems/

RUN bundle --without test development && \
# Remove private keys brought in by gems in their test data
find / -name openid_connect -type d -exec find {} -name '*.pem' -type f -delete \; && \
find / -name 'httpclient-*' -type d -exec find {} -name '*.key' -type f -delete \; && \
find / -name httpclient -type d -exec find {} -name '*.pem' -type f -delete \;

FROM cyberark/ubuntu-ruby-fips:latest

ENV DEBIAN_FRONTEND=noninteractive \
PORT=80 \
LOG_DIR=/opt/conjur-server/log \
TMP_DIR=/opt/conjur-server/tmp \
SSL_CERT_DIRECTORY=/opt/conjur/etc/ssl
ENV PORT=80 \
LOG_DIR=${CONJUR_HOME}/log \
TMP_DIR=${CONJUR_HOME}/tmp \
SSL_CERT_DIRECTORY=/opt/conjur/etc/ssl \
RAILS_ENV=production \
CONJUR_HOME=/opt/conjur-server

ENV PATH="${PATH}:${CONJUR_HOME}/bin"

EXPOSE 80
WORKDIR ${CONJUR_HOME}

RUN apt-get update -y && \
apt-get -y dist-upgrade && \
Expand All @@ -19,30 +35,16 @@ RUN apt-get install -y build-essential \
tzdata \
&& rm -rf /var/lib/apt/lists/*

WORKDIR /opt/conjur-server

# Ensure few required GID0-owned folders to run as a random UID (OpenShift requirement)
RUN mkdir -p $TMP_DIR \
$LOG_DIR \
$SSL_CERT_DIRECTORY/ca \
$SSL_CERT_DIRECTORY/cert \
/run/authn-local

COPY Gemfile \
Gemfile.lock ./
COPY gems/ gems/


RUN bundle --without test development && \
# Remove private keys brought in by gems in their test data
find / -name openid_connect -type d -exec find {} -name '*.pem' -type f -delete \; && \
find / -name 'httpclient-*' -type d -exec find {} -name '*.key' -type f -delete \; && \
find / -name httpclient -type d -exec find {} -name '*.pem' -type f -delete \;

COPY . .
COPY --from=builder ${CONJUR_HOME} ${CONJUR_HOME}

RUN ln -sf /opt/conjur-server/bin/conjurctl /usr/local/bin/

ENV RAILS_ENV production
EXPOSE ${PORT}

ENTRYPOINT [ "conjurctl" ]
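Review bot: In the new `ENV` block, `LOG_DIR=${CONJUR_HOME}/log` and `TMP_DIR=${CONJUR_HOME}/tmp` are expanded with the value CONJUR_HOME had before the instruction, not the `CONJUR_HOME=/opt/conjur-server` assigned on the same instruction, so unless `cyberark/ubuntu-ruby-fips` already exports CONJUR_HOME they resolve to `/log` and `/tmp` and the later `mkdir -p $TMP_DIR $LOG_DIR` quietly creates them there. Declare it in its own instruction first — `ENV CONJUR_HOME=/opt/conjur-server` — and leave the rest of the block as it is. `COPY --from=builder ${CONJUR_HOME} ${CONJUR_HOME}` carries only the application tree, so the multi-stage build relies on the builder image installing gems under that path (a `BUNDLE_PATH` in the base, presumably); that assumption deserves a comment above the `bundle --without test development` line, because the key-scrubbing `find` steps in the builder are pointless if the gems end up elsewhere. Both `FROM …:latest` lines also leave the build non-reproducible; since this commit is about the tagging strategy, a pinned tag or `@sha256:` digest would make the builder and runtime bases auditable.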
84 changes: 39 additions & 45 deletions Dockerfile.ubi
@@ -1,22 +1,45 @@
# Ruby builder
FROM cyberark/ubi-ruby-builder:latest as builder

WORKDIR /opt/conjur-server

COPY Gemfile Gemfile.lock ./
COPY ./gems/ ./gems/

# Install package dependencies for Conjur
RUN INSTALL_PKGS="openldap-clients \
tzdata" && \
yum install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
rpm -V $INSTALL_PKGS && \
yum -y clean all --enablerepo='*'

RUN bundle --without test development && \
# removing CA bundle of httpclient gem
find / -name 'httpclient-*' -type d -exec find {} -name '*.pem' -type f -delete \; && \
find / -name 'httpclient-*' -type d -exec find {} -name '*.key' -type f -delete \; && \
# remove the private key in the oidc_connect gem spec directory
find / -name openid_connect -type d -exec find {} -name '*.pem' -type f -delete \;

# Conjur Base Image (UBI)
FROM cyberark/ubi-ruby-fips:latest

EXPOSE 8080
ARG VERSION

ENV PORT=8080 \
LOG_DIR=/opt/conjur-server/log \
TMP_DIR=/opt/conjur-server/tmp \
SSL_CERT_DIRECTORY=/opt/conjur/etc/ssl \
RAILS_ENV=production

LABEL name="conjur-ubi" \
vendor="CyberArk" \
version="$VERSION" \
release="$VERSION" \
summary="Conjur UBI-based image" \
description="Conjur provides secrets management and machine identity for modern infrastructure."

ENV PORT=8080 \
LOG_DIR=${CONJUR_HOME}/log \
TMP_DIR=${CONJUR_HOME}/tmp \
SSL_CERT_DIRECTORY=/opt/conjur/etc/ssl \
RAILS_ENV=production \
CONJUR_HOME=/opt/conjur-server

ENV PATH="${PATH}:${CONJUR_HOME}/bin"

# Create conjur user with one that has known gid / uid.
RUN groupadd -r conjur \
-g 777 && \
Expand All @@ -28,7 +51,7 @@ RUN groupadd -r conjur \
-s /bin/bash \
-u 777 conjur

WORKDIR /opt/conjur-server
WORKDIR ${CONJUR_HOME}

# Ensure few required GID0-owned folders to run as a random UID (OpenShift requirement)
RUN mkdir -p "$TMP_DIR" \
Expand All @@ -37,52 +60,23 @@ RUN mkdir -p "$TMP_DIR" \
"$SSL_CERT_DIRECTORY/cert" \
/run/authn-local && \
# Use GID of 0 since that is what OpenShift will want to be able to read things
chown conjur:0 "$LOG_DIR" \
chown -R conjur:0 "$LOG_DIR" \
"$TMP_DIR" \
"$SSL_CERT_DIRECTORY" \
"$CONJUR_HOME" \
/run/authn-local && \
# We need open group permissions in these directories since OpenShift won't
# match our UID when we try to write files to them
chmod 770 "$LOG_DIR" \
chmod -R 770 "$LOG_DIR" \
"$TMP_DIR" \
"$SSL_CERT_DIRECTORY" \
"$CONJUR_HOME" \
/run/authn-local

COPY Gemfile \
Gemfile.lock ./
COPY gems/ gems/

# Install package dependencies for Conjur
RUN INSTALL_PKGS="openldap-clients \
tzdata" && \
yum install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
rpm -V $INSTALL_PKGS && \
yum -y clean all --enablerepo='*'

# Install Gems (and build native gems) for Conjur
RUN INSTALL_PKGS="gcc \
gcc-c++ \
git \
glibc-devel \
libxml2-devel \
libxslt-devel \
make" && \
yum install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
rpm -V $INSTALL_PKGS && \
# Install the gems dependencies
bundle --without test development && \
# Remove the build packages
yum remove -y $INSTALL_PKGS && \
yum -y clean all --enablerepo='*' && \
# removing CA bundle of httpclient gem
find / -name 'httpclient-*' -type d -exec find {} -name '*.pem' -type f -delete \; && \
find / -name 'httpclient-*' -type d -exec find {} -name '*.key' -type f -delete \; && \
# remove the private key in the oidc_connect gem spec directory
find / -name openid_connect -type d -exec find {} -name '*.pem' -type f -delete \;

COPY . .
COPY --chown=conjur:0 . .
COPY --from=builder --chown=conjur:0 ${CONJUR_HOME} ${CONJUR_HOME}

RUN ln -sf /opt/conjur-server/bin/conjurctl /usr/local/bin/
EXPOSE ${PORT}

COPY LICENSE.md /licenses/

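Review bot: `openldap-clients` and `tzdata` are now installed in the `builder` stage only, but `COPY --from=builder ${CONJUR_HOME} ${CONJUR_HOME}` copies just the application tree, so these runtime dependencies (LDAP lookups, time-zone data) reach the final image only if `cyberark/ubi-ruby-fips` already ships them — the Ubuntu `Dockerfile` in this same commit keeps its `tzdata` install in the final stage, which suggests the UBI one should too. The same `ENV` ordering problem exists here: `LOG_DIR=${CONJUR_HOME}/log` is expanded before `CONJUR_HOME=/opt/conjur-server` in the same instruction takes effect, so put `ENV CONJUR_HOME=/opt/conjur-server` on its own line first. `chmod -R 770 "$CONJUR_HOME"` also runs before `COPY --chown=conjur:0 . .` and the builder copy, so it only touches the empty directories just created; the copied code keeps its source modes, and if the intent really is a group-writable application tree for GID 0 that should be stated in the comment, otherwise limiting 770 to `$LOG_DIR`, `$TMP_DIR`, `$SSL_CERT_DIRECTORY` and `/run/authn-local` keeps code read-only at runtime. The end of this file, including any `USER` directive, is outside the hunk.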
36 changes: 22 additions & 14 deletions build.sh
Expand Up @@ -26,26 +26,33 @@ shift # past argument or value
done

# Flatten resulting image.
# This script will rewrite all properties of input image (PORT, ENV, WORKDIR, USER, ENTRYPOINT, CMD)
# instead of hard-coding each of them.
# shellcheck disable=SC2016
function flatten() {
local image="$1"
echo "Flattening image '$image'..."

# Since `--squash` is still experimental, we have to flatten the image
# by exporting and importing a container based on the source image. By
# doing this though, we lose a lot of the Dockerfile variables that are
# required for running the image (ENV, EXPOSE, WORKDIR, etc) so we
# manually rebuild them.
# See here for more details: https://github.com/moby/moby/issues/8334
local container
container=$(docker create "$image")
local envs
envs=$(docker inspect -f '{{range $index, $value := .Config.Env}}{{$value}} {{end}}' "$container")
local workDir
workDir=$(docker inspect -f '{{ .Config.WorkingDir }}' "$container")
local user
user=$(docker inspect -f '{{ .Config.User }}' "$container")
local entrypoint
entrypoint=$(docker inspect -f '[{{range $index, $value := .Config.Entrypoint }}{{if $index}},{{end}}"{{$value}}"{{end}}]' "$container")
local cmd
cmd=$(docker inspect -f '[{{range $index, $value := .Config.Cmd }}{{if $index}},{{end}}"{{$value}}"{{end}}]' "$container")
local ports
IFS=":" read -r -a ports <<< "$(docker inspect -f '{{range $port, $empty := .Config.ExposedPorts}}--change:EXPOSE {{$port}}:{{end}}' "$container")"
docker export "$container" | docker import \
--change "ENV PATH /usr/local/pgsql/bin:/var/lib/ruby/bin:/usr/local/ssl/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
--change "ENV LD_LIBRARY_PATH /usr/local/ssl/lib" \
--change "ENV OPENSSL_FIPS 1" \
--change "EXPOSE 80" \
--change "ENV RAILS_ENV=production" \
--change "WORKDIR /opt/conjur-server" \
--change 'ENTRYPOINT ["conjurctl"]' \
"${ports[@]}" \
--change "ENV $envs" \
--change "WORKDIR $workDir" \
--change "USER ${user:=0}" \
--change "ENTRYPOINT $entrypoint" \
--change "CMD $cmd" \
- "$image"
docker rm "$container"
}
Expand Down Expand Up @@ -82,4 +89,5 @@ fi
if image_doesnt_exist "conjur-ubi:$TAG"; then
echo "Building image conjur-ubi:$TAG container"
docker build --build-arg "VERSION=$TAG" -t "conjur-ubi:$TAG" -f Dockerfile.ubi .
flatten "conjur-ubi:$TAG"
fi
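Review bot: `--change "ENV $envs"` joins every entry of `.Config.Env` into one space-separated ENV instruction, so any value containing whitespace or quotes would be split into a bogus extra key and the import would fail or silently mis-set it; emitting one change per entry avoids this, e.g. `while IFS= read -r e; do changes+=(--change "ENV $e"); done < <(docker inspect -f '{{range .Config.Env}}{{println .}}{{end}}' "$container")` and then passing `"${changes[@]}"` to `docker import`. `--change "USER ${user:=0}"` writes an explicit `USER 0` into the flattened image whenever the source image set none; the effective result is the same as before (root), but it now looks deliberate, and a warning when `.Config.User` is empty would make an image that runs as root visible at build time — the UBI image creates a `conjur` user, so this is worth checking there. `docker export | docker import` also drops everything not re-applied with `--change`, including the `LABEL`s the UBI Dockerfile sets for `name`/`vendor`/`version`, so the new `flatten "conjur-ubi:$TAG"` call strips that metadata; the comment above `flatten` should list exactly what is preserved and labels should be re-added from `.Config.Labels`.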
2 changes: 1 addition & 1 deletion ci/test_suites/authenticators_k8s/Dockerfile.dev
@@ -1,4 +1,4 @@
FROM registry2.itci.conjur.net/conjur-appliance-cuke-master:4.9-stable
FROM registry.tld/conjur-appliance-cuke-master:4.9-stable

RUN apt-get update && apt-get install -y zlib1g-dev

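Review bot: `FROM registry.tld/conjur-appliance-cuke-master:4.9-stable` points at a hostname that reads like a placeholder rather than a reachable registry; if the internal host was deliberately removed, add a comment above the `FROM` saying how the real registry is supplied (for example an `ARG REGISTRY` before `FROM` with the value injected by CI), otherwise this test image no longer builds. The remainder of the file continues outside the hunk.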
9 changes: 6 additions & 3 deletions dev/Dockerfile.dev
@@ -1,6 +1,8 @@
FROM cyberark/phusion-ruby-fips:latest
FROM cyberark/ubuntu-ruby-postgres-fips:latest

RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y \
libz-dev
RUN DEBIAN_FRONTEND=noninteractive apt-get install -y \
build-essential \
ldap-utils \
git \
Expand Down Expand Up @@ -30,11 +32,12 @@ RUN bundle
# removing CA bundle of httpclient gem
RUN find / -name httpclient -type d -exec find {} -name *.pem -type f -delete \;

RUN rm /etc/service/sshd/down
RUN ln -sf /src/conjur-server/bin/conjurctl /usr/local/bin/
RUN rm /etc/my_init.d/10_syslog-ng.init
RUN rm /etc/service/syslog-ng/run

ENV PORT 3000
ENV TERM xterm

EXPOSE 3000

ENTRYPOINT ["/usr/bin/runsvdir", "-P", "/etc/service"]
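Review bot: The rewritten `RUN DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential ...` no longer runs `apt-get update` in the same layer, so it depends on `cyberark/ubuntu-ruby-postgres-fips` shipping a populated `/var/lib/apt/lists`; if that base cleans its lists, as most images do, the install fails with unlocatable packages, and even if it does not, the package versions are frozen at whenever the base was built. Restore it in the same instruction: `RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y --no-install-recommends \`. The `rm /etc/my_init.d/10_syslog-ng.init` and `rm /etc/service/syslog-ng/run` lines assume phusion-style paths still exist in the new base; a short comment stating that the postgres-fips image is runit-based (or `rm -f` so a missing file is not fatal) would make that dependency explicit.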
8 changes: 6 additions & 2 deletions package.sh
Expand Up @@ -8,14 +8,16 @@ chmod +x docker-debify
docker run --rm \
-v "$(pwd)":"$(pwd)" \
--workdir "$(pwd)" \
cyberark/phusion-ruby-fips:latest \
sh -c "apt-get update -y && apt-get install -y git && bundle lock --update=conjur-api"
cyberark/ubuntu-ruby-builder:latest \
sh -c "bundle lock --update=conjur-api"

# Create possum deb
./docker-debify package \
--dockerfile=Dockerfile.fpm \
--output=deb \
--version "$(<VERSION)" \
--image="cyberark/ubuntu-ruby-builder" \
--image-tag="latest" \
possum \
-- \
--depends tzdata
Expand All @@ -27,6 +29,8 @@ docker run --rm \
--dockerfile=Dockerfile.fpm \
--output=rpm \
--version "$(<VERSION)" \
--image="cyberark/ubuntu-ruby-builder" \
--image-tag="latest" \
possum \
-- \
--depends tzdata \
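Review bot: Both the `bundle lock --update=conjur-api` container and the two `docker-debify` invocations now use `cyberark/ubuntu-ruby-builder:latest`, so the deb and rpm are built against whatever that tag resolves to on the day, and two runs of `package.sh` can yield packages built with different Ruby or OpenSSL builds and no record of which. Pin the builder to a version tag or `@sha256:` digest, ideally through one variable such as `BUILDER_IMAGE_TAG="<tag>"` used for both `--image-tag` and the `docker run` image reference, and keep it in step with the `FROM … AS builder` line in the Dockerfiles so the package and the container image come from the same toolchain. The rest of the script is outside the hunks.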
