forked from camunda/camunda
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathDockerfile
169 lines (145 loc) · 6.8 KB
/
Dockerfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
# syntax=docker/dockerfile:1.4
# This Dockerfile requires BuildKit to be enabled, by setting the environment variable
# DOCKER_BUILDKIT=1
# see https://docs.docker.com/build/buildkit/#getting-started
# Both ubuntu and eclipse-temurin are pinned via digest and not by a strict version tag, as Renovate
# has trouble with custom versioning schemes
ARG BASE_IMAGE="ubuntu:jammy"
ARG BASE_DIGEST="sha256:f9d633ff6640178c2d0525017174a688e2c1aef28f0a0130b26bd5554491f0da"
ARG JDK_IMAGE="eclipse-temurin:21-jdk-jammy"
ARG JDK_DIGEST="sha256:4280c36ff5cab08aa53600154899de7ee3ae885a59253cf94dc901c37546ca41"
# set to "build" to build zeebe from scratch instead of using a distball
ARG DIST="distball"
### Base image ###
# All package installation, updates, etc., anything with APT should be done here in a single step
# hadolint ignore=DL3006
FROM ${BASE_IMAGE}@${BASE_DIGEST} as base
WORKDIR /
# Upgrade all outdated packages and install missing ones (e.g. locales, tini)
# This breaks reproducibility of builds, but is acceptable to gain access to security patches faster
# than the base image releases
# FYI, installing packages via APT also updates the dpkg files, which are few MBs, but removing or
# caching them could break stuff (like not knowing the package is present) or container scanners
# hadolint ignore=DL3008
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt,sharing=locked \
--mount=type=cache,target=/var/log/apt,sharing=locked \
apt-get -qq update && \
apt-get install -yqq --no-install-recommends tini ca-certificates && \
apt-get upgrade -yqq --no-install-recommends
### Build custom JRE using the base JDK image
# hadolint ignore=DL3006
FROM ${JDK_IMAGE}@${JDK_DIGEST} as jre-build
# Build a custom JRE which will strip down and compress modules to end up with a smaller Java \
# distribution than the official JRE. This will also include useful debugging tools like
# jcmd, jmod, jps, etc., which take little to no space. Anecdotally, compressing modules add around
# 10ms to the start up time, which is negligible considering our application takes ~10s to start up.
# See https://adoptium.net/blog/2021/10/jlink-to-produce-own-runtime/
# hadolint ignore=DL3018
# required to compile a JRE on ARM64
# see https://github.com/openzipkin/docker-java/issues/34
ENV JAVA_TOOL_OPTIONS "-Djdk.lang.Process.launchMechanism=vfork"
RUN jlink \
--add-modules ALL-MODULE-PATH \
--strip-debug \
--no-man-pages \
--no-header-files \
--compress=2 \
--output /jre && \
rm -rf /jre/lib/src.zip
### Java base image
FROM base AS java
WORKDIR /
# Inherit from previous build stage
ARG JAVA_HOME=/opt/java/openjdk
# Default to UTF-8 file encoding
ENV LANG='C.UTF-8' LC_ALL='C.UTF-8'
# Setup JAVA_HOME and binaries in the path
ENV JAVA_HOME ${JAVA_HOME}
ENV PATH $JAVA_HOME/bin:$PATH
# Copy JRE from previous build stage
COPY --from=jre-build /jre ${JAVA_HOME}
# https://github.com/docker-library/openjdk/issues/212#issuecomment-420979840
# https://openjdk.java.net/jeps/341
# TL;DR generate some class data sharing for faster load time
RUN java -Xshare:dump;
### Build zeebe from scratch ###
FROM java as build
WORKDIR /zeebe
ENV MAVEN_OPTS -XX:MaxRAMPercentage=80
COPY --link . ./
RUN --mount=type=cache,target=/root/.m2,rw \
./mvnw -B -am -pl dist package -T1C -D skipChecks -D skipTests && \
mv dist/target/camunda-zeebe .
### Extract zeebe from distball ###
# hadolint ignore=DL3006
FROM base as distball
WORKDIR /zeebe
ARG DISTBALL="dist/target/camunda-zeebe-*.tar.gz"
COPY --link ${DISTBALL} zeebe.tar.gz
# Remove zbctl from the distribution to reduce CVE related maintenance effort w.r.t to containers
RUN mkdir camunda-zeebe && \
tar xfvz zeebe.tar.gz --strip 1 -C camunda-zeebe && \
find . -type f -name 'zbctl*' -delete
### Image containing the zeebe distribution ###
# hadolint ignore=DL3006
FROM ${DIST} as dist
### Application Image ###
# https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope
# hadolint ignore=DL3006
FROM java as app
# leave unset to use the default value at the top of the file
ARG BASE_IMAGE
ARG BASE_DIGEST
ARG VERSION=""
ARG DATE=""
ARG REVISION=""
# OCI labels: https://github.com/opencontainers/image-spec/blob/main/annotations.md
LABEL org.opencontainers.image.base.digest="${BASE_DIGEST}"
LABEL org.opencontainers.image.base.name="docker.io/library/${BASE_IMAGE}"
LABEL org.opencontainers.image.created="${DATE}"
LABEL org.opencontainers.image.authors="[email protected]"
LABEL org.opencontainers.image.url="https://zeebe.io"
LABEL org.opencontainers.image.documentation="https://docs.camunda.io/docs/self-managed/zeebe-deployment/"
LABEL org.opencontainers.image.source="https://github.com/camunda/zeebe"
LABEL org.opencontainers.image.version="${VERSION}"
# According to https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys
# and given we set the base.name and base.digest, we reference the manifest of the base image here
LABEL org.opencontainers.image.ref.name="${BASE_IMAGE}"
LABEL org.opencontainers.image.revision="${REVISION}"
LABEL org.opencontainers.image.vendor="Camunda Services GmbH"
LABEL org.opencontainers.image.licenses="(Apache-2.0 AND LicenseRef-Zeebe-Community-1.1)"
LABEL org.opencontainers.image.title="Zeebe"
LABEL org.opencontainers.image.description="Workflow engine for microservice orchestration"
# OpenShift labels: https://docs.openshift.com/container-platform/4.10/openshift_images/create-images.html#defining-image-metadata
LABEL io.openshift.tags="bpmn,orchestration,workflow"
LABEL io.k8s.description="Workflow engine for microservice orchestration"
LABEL io.openshift.non-scalable="false"
LABEL io.openshift.min-memory="512Mi"
LABEL io.openshift.min-cpu="1"
ENV ZB_HOME=/usr/local/zeebe \
ZEEBE_BROKER_GATEWAY_NETWORK_HOST=0.0.0.0 \
ZEEBE_STANDALONE_GATEWAY=false \
ZEEBE_RESTORE=false
ENV PATH "${ZB_HOME}/bin:${PATH}"
# Disable RocksDB runtime check for musl, which launches `ldd` as a shell process
# We know there's no need to check for musl on this image
ENV ROCKSDB_MUSL_LIBC=false
WORKDIR ${ZB_HOME}
EXPOSE 8080 26500 26501 26502
VOLUME /tmp
VOLUME ${ZB_HOME}/data
VOLUME ${ZB_HOME}/logs
RUN groupadd --gid 1001 camunda && \
adduser --system --gid 1001 --uid 1001 --home ${ZB_HOME} camunda && \
chmod g=u /etc/passwd && \
# These directories are to be mounted by users, eagerly creating them and setting ownership
# helps to avoid potential permission issues due to default volume ownership.
mkdir ${ZB_HOME}/data && \
mkdir ${ZB_HOME}/logs && \
chown -R 1001:0 ${ZB_HOME} && \
chmod -R 0775 ${ZB_HOME}
COPY --link --chown=1001:0 docker/utils/startup.sh /usr/local/bin/startup.sh
COPY --from=dist --chown=1001:0 /zeebe/camunda-zeebe ${ZB_HOME}
USER 1001:1001
ENTRYPOINT ["tini", "--", "/usr/local/bin/startup.sh"]