set a non-root user for containers (#2496)

* change root user in dockerfile * build container on push/pr * grab docker build params from env * consolidate container build * rm unused container build workflow/script * cleanup ci * set user for earthly container build * rm ci docker build for develop branch * checkout full repo for docker builds * read earthly push from env * cleanup ci * rm unsupported option for actions/checkout@v3 * check dockerfile in ci * add dockerfile build to earthfile * authenticate to GH only on schedule builds * accurate name for dev container builder script * add note to the dockerfile about earthfile * document dev build process more clearly
3 years ago · 2c6fd67276
10 changed files with 134 additions and 121 deletions
--- a/.github/workflows/container-lint.yml
+++ b/.github/workflows/container-lint.yml
@ -0,0 +1,28 @@
				@@ -0,0 +1,28 @@
+name: Lint
+
+on:
+  push:
+    branches:
+      - webv2
+    paths:
+      - 'Dockerfile'
+  pull_request:
+    branches:
+      - webv2
+    paths:
+      - 'Dockerfile'
+
+jobs:
+  trivy:
+    name: Dockerfile
+    runs-on: ubuntu-latest
+    container:
+      image: aquasec/trivy
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Check critical issues
+        run: trivy config --exit-code 1 --severity "HIGH,CRITICAL" ./Dockerfile
+
+      - name: Check non-critical issues
+        run: trivy config --severity "LOW,MEDIUM" ./Dockerfile
--- a/.github/workflows/container.yaml
+++ b/.github/workflows/container.yaml
@ -0,0 +1,56 @@
				@@ -0,0 +1,56 @@
+# See https://docs.earthly.dev/ci-integration/vendor-specific-guides/gh-actions-integration
+# for details.
+
+name: Build development container
+
+on:
+  schedule:
+    - cron: '0 2 * * *'
+  push:
+    branches:
+      - webv2
+  pull_request:
+    branches:
+      - webv2
+
+jobs:
+  Earthly:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up Earthly
+        uses: earthly/actions-setup@v1
+        with:
+          version: 'latest' # or pin to an specific version, e.g. "v0.6.10"
+
+      - name: Log Earthly version
+        run: earthly --version
+
+      - name: Authenticate to GitHub Container Registry
+        if: ${{ github.event_name == 'schedule' && env.GH_CR_PAT != null }}
+        env:
+          GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
+        run: echo "${{ secrets.GH_CR_PAT }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+        with:
+          image: tonistiigi/binfmt:latest
+          platforms: all
+
+      - name: Checkout repo
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Build and push
+        if: ${{ github.event_name == 'schedule' && env.GH_CR_PAT != null }}
+        env:
+          GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
+          EARTHLY_BUILD_TAG: 'webv2'
+          EARTHLY_BUILD_BRANCH: 'webv2'
+          EARTHLY_PUSH: true
+        run: ./build/develop/container.sh
+
+      - name: Build
+        if: ${{ github.event_name == 'push' || github.event_name == 'pull_request' }}
+        run: ./build/develop/container.sh
--- a/.github/workflows/docker-nightly.yaml
+++ b/.github/workflows/docker-nightly.yaml
@ -1,41 +0,0 @@
				@@ -1,41 +0,0 @@
-# See https://docs.earthly.dev/ci-integration/vendor-specific-guides/gh-actions-integration
-# for details.
-
-name: Build nightly docker
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: '0 2 * * *'
-
-jobs:
-  Docker:
-    runs-on: ubuntu-latest
-    if: github.repository == 'owncast/owncast'
-    steps:
-      - uses: earthly/actions-setup@v1
-        with:
-          version: 'latest' # or pin to an specific version, e.g. "v0.6.10"
-
-      - name: Earthly version
-        run: earthly --version
-
-      - name: Log into GitHub Container Registry
-        env:
-          GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
-        run: echo "${{ secrets.GH_CR_PAT }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin
-        if: env.GH_CR_PAT != null
-
-      - name: Set up QEMU
-        id: qemu
-        uses: docker/setup-qemu-action@v2
-        with:
-          image: tonistiigi/binfmt:latest
-          platforms: all
-
-      - uses: actions/checkout@v3
-      - name: Checkout and build
-        if: env.GH_CR_PAT != null
-        env:
-          GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
-        run: cd build/release && ./docker-nightly.sh
--- a/.github/workflows/docker-webv2.yaml
+++ b/.github/workflows/docker-webv2.yaml
@ -1,43 +0,0 @@
				@@ -1,43 +0,0 @@
-# See https://docs.earthly.dev/ci-integration/vendor-specific-guides/gh-actions-integration
-# for details.
-
-name: Build webv2 docker
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: '0 0 * * *'
-
-jobs:
-  Docker:
-    runs-on: ubuntu-latest
-    if: github.repository == 'owncast/owncast'
-    steps:
-      - uses: earthly/actions-setup@v1
-        with:
-          version: 'latest' # or pin to an specific version, e.g. "v0.6.10"
-
-      - name: Earthly version
-        run: earthly --version
-
-      - name: Log into GitHub Container Registry
-        env:
-          GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
-        run: echo "${{ secrets.GH_CR_PAT }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin
-        if: env.GH_CR_PAT != null
-
-      - name: Set up QEMU
-        id: qemu
-        uses: docker/setup-qemu-action@v2
-        with:
-          image: tonistiigi/binfmt:latest
-          platforms: all
-
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: Checkout and build
-        if: env.GH_CR_PAT != null
-        env:
-          GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
-        run: cd build/release && ./docker-webv2.sh
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@ -18,7 +18,7 @@ jobs:
				@@ -18,7 +18,7 @@ jobs:
    env:
      LANG: C.UTF-8
    container:
-      image: docker.io/ubuntu:22.10
+      image: docker.io/ubuntu:22.04
    steps:
      - uses: actions/checkout@v3

--- a/22
+++ b/22
@ -1,10 +1,17 @@
				@@ -1,10 +1,17 @@
-# Perform a build
+# IMPORTANT: This Dockerfile has been provided for the sake of convenience.
+# Currently, functionality of the containers built based on this file
+# is not a part of our continuous testing. Although, patches to keep it
+# up to date are always welcome.
+#
+# See ‘Earthfile’ for the recipes used in official builds.
+
 FROM golang:alpine AS build
-RUN mkdir /build
-ADD . /build
-WORKDIR /build
+
 RUN apk update && apk add --no-cache git gcc build-base linux-headers

+WORKDIR /build
+COPY . /build
+
 ARG VERSION=dev
 ENV VERSION=${VERSION}
 ARG GIT_COMMIT
@ -15,13 +22,16 @@ ENV NAME=${NAME}
				@@ -15,13 +22,16 @@ ENV NAME=${NAME}
 RUN CGO_ENABLED=1 GOOS=linux go build -a -installsuffix cgo -ldflags "-extldflags \"-static\" -s -w -X github.com/owncast/owncast/config.GitCommit=$GIT_COMMIT -X github.com/owncast/owncast/config.VersionNumber=$VERSION -X github.com/owncast/owncast/config.BuildPlatform=$NAME" -o owncast .

 # Create the image by copying the result of the build into a new alpine image
-FROM alpine
+FROM alpine:3.15.5
 RUN apk update && apk add --no-cache ffmpeg ffmpeg-libs ca-certificates && update-ca-certificates

+RUN addgroup -g 101 -S owncast && adduser -u 101 -S owncast -G owncast
+
 # Copy owncast assets
 WORKDIR /app
 COPY --from=build /build/owncast /app/owncast
-COPY --from=build /build/webroot /app/webroot
 RUN mkdir /app/data
+RUN chown -R owncast:owncast /app
+USER owncast
 ENTRYPOINT ["/app/owncast"]
 EXPOSE 8080 1935
--- a/7
+++ b/7
@ -25,7 +25,6 @@ crosscompiler:
				@@ -25,7 +25,6 @@ crosscompiler:
 code:
  FROM --platform=linux/amd64 +crosscompiler
  COPY . /build
-  #GIT CLONE --branch=$version git@github.com:owncast/owncast.git /build

 build:
  ARG EARTHLY_GIT_HASH # provided by Earthly
@ -110,13 +109,19 @@ docker:
				@@ -110,13 +109,19 @@ docker:
  ARG TARGETPLATFORM
  FROM --platform=$TARGETPLATFORM alpine:3.15.5
  RUN apk update && apk add --no-cache ffmpeg ffmpeg-libs ca-certificates unzip && update-ca-certificates
+  RUN addgroup -g 101 -S owncast && adduser -u 101 -S owncast -G owncast
  WORKDIR /app
  COPY --platform=$TARGETPLATFORM +package/owncast.zip /app
  RUN unzip -x owncast.zip && mkdir data
+  RUN chown -R owncast:owncast /app
+  USER owncast
  ENTRYPOINT ["/app/owncast"]
  EXPOSE 8080 1935
  SAVE IMAGE --push $image:$tag

+dockerfile:
+  FROM DOCKERFILE -f Dockerfile .
+
 unit-tests:
  FROM --platform=linux/amd64 bdwyertech/go-crosscompile
  COPY . /build
--- a/build/develop/container.sh
+++ b/build/develop/container.sh
@ -0,0 +1,27 @@
				@@ -0,0 +1,27 @@
+#!/bin/sh
+set -e
+
+# Development container builder
+#
+# Must authenticate first: https://docs.github.com/en/packages/using-github-packages-with-your-projects-ecosystem/configuring-docker-for-use-with-github-packages#authenticating-to-github-packages
+# env vars: 
+#   $EARTHLY_BUILD_BRANCH: git branch to checkout
+#   $EARTHLY_BUILD_TAG: tag for container image
+
+
+EARTHLY_IMAGE_NAME="owncast"
+BUILD_TAG=${EARTHLY_BUILD_TAG:-webv2}
+DATE=$(date +"%Y%m%d")
+VERSION="${DATE}-${BUILD_TAG}"
+
+
+echo "Building container image ${EARTHLY_IMAGE_NAME}:${BUILD_TAG} ..."
+
+# Change to the root directory of the repository
+cd "$(git rev-parse --show-toplevel)" || exit
+if [ -n "${EARTHLY_BUILD_BRANCH}" ]; then
+    git checkout "${EARTHLY_BUILD_BRANCH}" || exit
+fi
+
+earthly --ci +docker-all --image="ghcr.io/owncast/${EARTHLY_IMAGE_NAME}" --tag="${BUILD_TAG}" --version="${VERSION}"
+earthly --ci +dockerfile
--- a/build/release/docker-nightly.sh
+++ b/build/release/docker-nightly.sh
@ -1,14 +0,0 @@
				@@ -1,14 +0,0 @@
-#!/bin/sh
-
-# Docker build
-# Must authenticate first: https://docs.github.com/en/packages/using-github-packages-with-your-projects-ecosystem/configuring-docker-for-use-with-github-packages#authenticating-to-github-packages
-DOCKER_IMAGE="owncast"
-DATE=$(date +"%Y%m%d")
-VERSION="${DATE}-nightly"
-
-echo "Building Docker image ${DOCKER_IMAGE}..."
-
-# Change to the root directory of the repository
-cd "$(git rev-parse --show-toplevel)" || exit
-
-earthly --ci --push +docker-all --image="ghcr.io/owncast/${DOCKER_IMAGE}" --tag=nightly --version="${VERSION}"
--- a/build/release/docker-webv2.sh
+++ b/build/release/docker-webv2.sh
@ -1,15 +0,0 @@
				@@ -1,15 +0,0 @@
-#!/bin/sh
-
-# Docker build
-# Must authenticate first: https://docs.github.com/en/packages/using-github-packages-with-your-projects-ecosystem/configuring-docker-for-use-with-github-packages#authenticating-to-github-packages
-DOCKER_IMAGE="owncast"
-DATE=$(date +"%Y%m%d")
-TAG="webv2"
-VERSION="${DATE}-${TAG}"
-echo "Building Docker image ${DOCKER_IMAGE}..."
-
-# Change to the root directory of the repository
-cd "$(git rev-parse --show-toplevel)" || exit
-git checkout webv2
-
-earthly --ci --push +docker-all --image="ghcr.io/owncast/${DOCKER_IMAGE}" --tag="${TAG}" --version="${VERSION}"