Add dive to analyze docker images during CI

.dive-ci

@@ -0,0 +1,4 @@
+rules:
+  lowestEfficiency: 0.98
+  highestWastedBytes: "disabled"
+  highestUserWastedPercent: "disabled"

.gitignore

@@ -10,5 +10,6 @@ venv*/
 .coverage
 cover/
 .mypy_cache/
+dive.log
 
 serviceprincipal.json

.travis.yml

@@ -9,7 +9,7 @@ services:
   - docker
 
 install:
-  - make build
+  - make build verify-build
 
 before_script:
   - docker-compose up -d

docker/app/Dockerfile

@@ -21,7 +21,7 @@ RUN pip wheel -r requirements.txt -w /deps
 
 COPY . .
 
-RUN make ci
+RUN make ci clean
 
 FROM python:${PYTHON_VERSION}-slim AS runtime
 

docker/nginx/Dockerfile

@@ -1,19 +1,22 @@
-FROM nginx:stable
+FROM nginx:stable AS builder
 
 RUN apt-get -qq update \
   && apt-get -qq install -y --no-install-recommends \
     ca-certificates=20161130+nmu1+deb9u1 \
     curl=7.52.1-5+deb9u9 \
-  && curl -fsSL https://git.io/get-mo -o /usr/local/bin/mo \
-  && chmod +x /usr/local/bin/mo \
   && rm -rf /var/lib/apt/lists/* \
-  && rm /etc/nginx/conf.d/default.conf
+  && curl -fsSL https://git.io/get-mo -o /usr/local/bin/mo \
+  && chmod +x /usr/local/bin/mo
+
+FROM nginx:stable AS runtime
 
+COPY --from=builder /usr/local/bin/mo /usr/local/bin/mo
 COPY docker/nginx/static /static
 COPY docker/nginx/nginx.conf.mu /app/nginx.conf.mu
 COPY docker/nginx/run-nginx.sh /app/run-nginx.sh
 
 RUN mkdir -p /var/cache/nginx \
+  && rm /etc/nginx/conf.d/default.conf \
   && chown -R nginx:nginx \
     /app \
     /static \
@@ -30,6 +33,4 @@ EXPOSE ${PORT}
 USER nginx
 WORKDIR /static
 
-COPY docker/nginx/healthcheck.sh /app/healthcheck.sh
-HEALTHCHECK --interval=89s --timeout=17s CMD /app/healthcheck.sh
 CMD ["/app/run-nginx.sh"]

makefile

@@ -14,8 +14,10 @@ tests: venv
 	$(PY_ENV)/bin/coverage run -m nose2 && $(PY_ENV)/bin/coverage report
 
 lint-swagger: venv
-	find opwen_email_server/swagger -type f -name '*.yaml' \
-    | while read swagger; do $(PY_ENV)/bin/swagger-flex --source="$$swagger" || exit 1; done
+	find opwen_email_server/swagger -type f -name '*.yaml' | while read file; do \
+    echo "====================  $$file ===================="; \
+    $(PY_ENV)/bin/swagger-flex --source="$$file" \
+  || exit 1; done
 
 lint-python: venv
 	$(PY_ENV)/bin/flake8 opwen_email_server
@@ -26,13 +28,15 @@ lint-python: venv
 lint-docker:
 	if command -v hadolint >/dev/null; then \
     find . -type f -name Dockerfile -not -path '$(PY_ENV)/*' | while read file; do \
+      echo "====================  $$file ===================="; \
       hadolint "$$file" \
     || exit 1; done \
   fi
 
 lint-shell:
 	if command -v shellcheck >/dev/null; then \
     find . -type f -name '*.sh' -not -path '$(PY_ENV)/*' | while read file; do \
+      echo "====================  $$file ===================="; \
       shellcheck "$$file" \
     || exit 1; done \
   fi
@@ -50,6 +54,21 @@ integration-tests:
     ./tests/integration/assert.sh && \
     rm -rf tests/files/end_to_end/test.out
 
+clean:
+	find . -name '__pycache__' -type d -print0 | xargs -0 rm -rf
+
 build:
 	docker-compose pull --ignore-pull-failures
 	docker-compose build
+
+verify-build:
+	docker pull wagoodman/dive
+	docker-compose config | grep -o "image: ascoderu/.*" | sed 's/^image: //' | sort -u | while read image; do \
+    echo "====================  $$image ===================="; \
+    docker run --rm \
+      -v /var/run/docker.sock:/var/run/docker.sock \
+      -v $(PWD)/.dive-ci:/.dive-ci \
+      -e DOCKER_API_VERSION="$(shell docker version -f '{{.Client.APIVersion}}')" \
+      -e CI="true" \
+      wagoodman/dive "$$image" \
+    || exit 1; done