update: make improvements to containers (#50)

* update: setup containers to not run as root * update: avoid issues when mounting src; fqdn * update: fix vars; remove test for docker build * update: consistency /app * fix: some issues around upstream container * update: use /app * fix onionbalance tag ref variable --------- Co-authored-by: BugFest <bugfest.dev@pm.me>
bugfest · Apr 11, 2023 · 5e88648 · 5e88648
1 parent a44157d
commit 5e88648
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 24 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -3,19 +3,22 @@ FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.20 as builder
 
 WORKDIR /src
 
+COPY . /src
+
 # Build
 ARG TARGETOS TARGETARCH
-RUN --mount=target=. \
-    --mount=type=cache,target=/root/.cache/go-build \
+RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg \
     CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -a -ldflags="-s -w" -o /out/manager main.go
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 FROM gcr.io/distroless/static:nonroot
 
-COPY --from=builder /out/manager /
 
-USER 65532:65532
+WORKDIR /app
+COPY --from=builder /out/manager /app
+
+USER 1001
 
-ENTRYPOINT ["/manager"]
+ENTRYPOINT ["/app/manager"]
diff --git a/Dockerfile.tor-daemon b/Dockerfile.tor-daemon
@@ -2,3 +2,12 @@ ARG TOR_VERSION="0.4.7.13"
 ARG TOR_IMAGE="quay.io/bugfest/tor"
 
 FROM ${TOR_IMAGE}:${TOR_VERSION} as tor
+
+USER 0
+
+WORKDIR /app
+RUN chmod g+w /app
+
+VOLUME /run/tor/service
+
+USER 1001
diff --git a/Dockerfile.tor-daemon-manager b/Dockerfile.tor-daemon-manager
@@ -5,20 +5,16 @@ FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.20 as builder
 
 WORKDIR /src
 
+COPY . /src
+
 # Build
 ARG TARGETOS TARGETARCH
-RUN --mount=target=. \
-    --mount=type=cache,target=/root/.cache/go-build \
+RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg \
     CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -a -ldflags="-s -w" -o /out/tor-local-manager ./agents/tor/main.go
 
 FROM ${TOR_IMAGE}:${TOR_VERSION} as tor
 
-WORKDIR /root/
-
-# install tor-local-manager
-RUN mkdir -p /run/tor/service
-
-COPY --from=builder /out/tor-local-manager .
+COPY --from=builder /out/tor-local-manager /app
 
-ENTRYPOINT ["./tor-local-manager"]
+ENTRYPOINT ["/app/tor-local-manager"]
diff --git a/Dockerfile.tor-onionbalance-manager b/Dockerfile.tor-onionbalance-manager
@@ -2,16 +2,18 @@ FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.20  as builder
 
 WORKDIR /src
 
+COPY . /src
+
 # Build
 ARG TARGETOS TARGETARCH
-RUN --mount=target=. \
-    --mount=type=cache,target=/root/.cache/go-build \
+RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg \
     CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -a -ldflags="-s -w" -o /out/onionbalance-local-manager ./agents/onionbalance/main.go
 
-FROM docker.io/library/alpine:3.17.3
+# package build
+FROM docker.io/library/alpine:3.17
 
-ARG VERSION=0.2.2
+ARG OB_VERSION="0.2.2"
 
 RUN apk add --no-cache --update \
         git=2.38.4-r1 \
@@ -21,8 +23,9 @@ RUN apk add --no-cache --update \
         py3-setproctitle=1.3.1-r0 \
         py3-wheel=0.38.4-r0 \
         python3=3.10.11-r0 \
-    && python3 -m pip install --no-cache-dir git+https://gitlab.torproject.org/tpo/core/onionbalance.git@${VERSION}
+    && python3 -m pip install --no-cache-dir git+https://gitlab.torproject.org/tpo/core/onionbalance.git@${OB_VERSION}
 
-COPY --from=builder /out/onionbalance-local-manager /
+WORKDIR /app
+COPY --from=builder /out/onionbalance-local-manager /app
 
-ENTRYPOINT ["/onionbalance-local-manager"]
+ENTRYPOINT ["/app/onionbalance-local-manager"]
diff --git a/Makefile b/Makefile
@@ -1,8 +1,9 @@
 
 # Image URL to use all building/pushing image targets
 IMG ?= tor-controller:latest
-IMG_DAEMON ?= tor-daemon-manager:latest
-IMG_ONIONBALANCE ?= tor-onionbalance:latest
+IMG_DAEMON ?= tor-daemon:latest
+IMG_DAEMON_MANAGER ?= tor-daemon-manager:latest
+IMG_ONIONBALANCE_MANAGER ?= tor-onionbalance-manager:latest
 
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 ENVTEST_K8S_VERSION = 1.22
@@ -88,7 +89,7 @@ docker-build-all: docker-build docker-build-daemon docker-build-daemon-manager d
 docker-push-all: docker-push docker-push-daemon docker-push-daemon-manager docker-push-onionbalance-manager
 
 .PHONY: docker-build
-docker-build: test ## Build docker image with the manager.
+docker-build: ## Build docker image with the manager.
 	docker build -t ${IMG} -f Dockerfile .
 
 .PHONY: docker-push