Add an image for ZNC

[DarthGandalf]

Ref: znc/znc#1286

Checklist for Review

NOTE: This checklist is intended for the use of the Official Images maintainers both to track the status of your PR and to help inform you and others of where we're at. As such, please leave the "checking" of items to the repository maintainers. If there is a point below for which you would like to provide additional information or note completion, please do so by commenting on the PR. Thanks! (and thanks for staying patient with us ❤️)

• associated with or contacted upstream?
  • https://github.com/znc
• does it fit into one of the common categories? ("service", "language stack", "base distribution")
  • service
• is it reasonably popular, or does it solve a particular use case well?
• does a documentation PR exist? (should be reviewed and merged at roughly the same time so that we don't have an empty image page on the Hub for very long)
  • Add docs for ZNC image docs#821
• dockerization review for best practices and cache gotchas/improvements (ala the official review guidelines)?
• 2+ dockerization review?
• existing official images have been considered as a base? (ie, if foobar needs Node.js, has FROM node:... instead of grabbing node via other means been considered?)
  • FROM alpine, compiles application via gcc
• if FROM scratch, tarballs only exist in a single commit within the associated history?
• passes current tests? any simple new tests that might be appropriate to add? (https://github.com/docker-library/official-images/tree/master/test)

[TimWolla]

Thanks, if this is merged I can get rid of my personal ZNC image 🎉

Here's some tips to improve your Dockerfile:

1. Reorder your ENV variables to move the version number to the bottom, this improves caching.
2. Use curl instead of wget. curl seems to be the canonical way to download files. Make sure to pass the -fsSL parameters to curl. Consider using -o to specify a target file without a version number.
3. Use the --strip-components parameter of tar to ignore the topmost directory in the tarball. This saves you the ugly escaping of the ZNC version in the configure line.
4. You made a typo in your docker-entrypoint.sh: “This effects ownership of the” should read “This affects ownership of the”.

See here for an more or less untested Dockerfile that incorporates my suggestions:

FROM alpine:3.5

ENV GPG_KEY D5823CACB477191CAC0075555AE420CC0209989E

# modperl and modpython are built, but won't be loadable.
# :extmodules image installs perl and python3 again, making these modules loadable.

# musl silently doesn't support AI_ADDRCONFIG yet, and ZNC doesn't support Happy Eyeballs yet.
# Together they cause very slow connection.
ARG CONFIGUREFLAGS="--prefix=/opt/znc --enable-cyrus --enable-perl --enable-python --disable-ipv6"
ARG MAKEFLAGS=""

ENV ZNC_VERSION 1.6.4

RUN set -x \
    && adduser -S znc \
    && addgroup -S znc \
    && apk add --no-cache --virtual .runtime-deps \
        tini \
        icu \
        openssl \
        cyrus-sasl \
        ca-certificates \
    && apk add --no-cache --virtual .build-deps \
        build-base \
        icu-dev \
        openssl-dev \
        cyrus-sasl-dev \
        gnupg \
        perl-dev \
        python3-dev \
        curl \
    && curl -fsSL "http://znc.in/releases/archive/znc-${ZNC_VERSION}.tar.gz" -o znc.tar.gz \
    && curl -fsSL "http://znc.in/releases/archive/znc-${ZNC_VERSION}.tar.gz.sig" -o znc.tar.gz.sig \
    && export GNUPGHOME="$(mktemp -d)" \
    && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "${GPG_KEY}" \
    && gpg --batch --verify znc.tar.gz.sig znc.tar.gz \
    && rm -r "$GNUPGHOME" \
    && mkdir -p /usr/local/src/znc \
    && tar xzf "znc.tar.gz" -C /usr/local/src/znc --strip-components=1 \
    && rm "znc.tar.gz" "znc.tar.gz.sig" \
    && cd /usr/local/src/znc \
    && mkdir build \
    && cd build \
    && ../configure ${CONFIGUREFLAGS} \
    && make $MAKEFLAGS \
    && make install \
    && apk del .build-deps \
    && cd / \
    && rm -rf /usr/local/src/znc

COPY docker-entrypoint.sh /

USER znc
VOLUME /znc-data

EXPOSE 6667

ENTRYPOINT ["/docker-entrypoint.sh"]

[DarthGandalf]

Thanks, applied the listed suggestions.
Is there any difference between .build-deps and build-dependencies, between /usr/local/src/znc and /znc-src?

I see this warning, is it ok?

gpg: Good signature from ...
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

I'm not sure if 6667 is the right port to EXPOSE. Elsewhere ZNC recommends against using it, because some browsers block it.

Also I'm wondering, what is "2+ dockerization review"?

[yosifkit]

I would guess Tim recommened .build-deps since it is shorter (no requirement on what you name your virtual package from our side) and I assume the period is to prevent possible package name conflicts. As for /usr/local/src/, I think we usually stick to the refspec, but no specific requirement in official images on where you temporarily download your source or install binaries. And since it is deleted at the end, it doesn't really matter to the end user.

The warning about no trusted keys is fine, since there isn't a full web of trust with a chain of signatures. The important part is that the gpg --batch --verify ... doesn't fail.

As far as port exposing, I would stick with the regular known port for ZNC, since a user can simply switch the public facing port to anything they like on docker run with -p 9001:6667.

Also I'm wondering, what is "2+ dockerization review"?

That would be for @tianon and I to both review. 😞 -> We're a bit slow on new images. I plan to post any feedback about the dockerization this week, but tianon is at a conference so he probably won't have time until next week.

[DarthGandalf]

As far as port exposing, I would stick with the regular known port for ZNC

There's no such port...

since a user can simply switch the public facing port to anything they like on docker run with -p 9001:6667.

User can use -p 9001:4321 even if 4321 is not in EXPOSE, at least that worked when I tried. As user better knows which port is used, maybe there should be no EXPOSE line at all in this case?

[TimWolla]

I would guess Tim recommened .build-deps since it is shorter (no requirement on what you name your virtual package from our side) and I assume the period is to prevent possible package name conflicts. As for /usr/local/src/, I think we usually stick to the refspec, but no specific requirement in official images on where you temporarily download your source or install binaries. And since it is deleted at the end, it doesn't really matter to the end user.

I took these conventions from my own Dockerfiles, which in turn have been inspired mostly by the Redis one: https://github.com/docker-library/redis/blob/master/3.2/alpine/Dockerfile Changed it to make the official Dockerfiles more consistent.

[yosifkit]

So, for the EXPOSE command, that is up to you.

Dockerization looks great to me!

diff --git a/znc_latest/Dockerfile b/znc_latest/Dockerfile
new file mode 100644
index 0000000..4f52eee
--- /dev/null
+++ b/znc_latest/Dockerfile
@@ -0,0 +1,11 @@
+FROM znc:small
+
+# znc:small removed them. Install them again.
+RUN set -x \
+    && apk add --no-cache \
+        build-base \
+        icu-dev \
+        openssl-dev \
+        perl \
+        python3
+COPY znc-build-modules.sh /
diff --git a/znc_latest/znc-build-modules.sh b/znc_latest/znc-build-modules.sh
new file mode 100755
index 0000000..ea87d1b
--- /dev/null
+++ b/znc_latest/znc-build-modules.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+# Build modules from source.
+if [ -d "${DATADIR}/modules" ]; then
+    cd "${DATADIR}/modules" || exit 11
+
+    # Find module sources.
+    modules=$(find . -name "*.cpp")
+
+    if [ -n "$modules" ]; then
+        # Build modules.
+        echo "Building modules $modules..."
+        /opt/znc/bin/znc-buildmod $modules || exit 12
+    fi
+fi
+
diff --git a/znc_small/Dockerfile b/znc_small/Dockerfile
new file mode 100644
index 0000000..b7bdbc9
--- /dev/null
+++ b/znc_small/Dockerfile
@@ -0,0 +1,55 @@
+FROM alpine:3.5
+
+ENV GPG_KEY D5823CACB477191CAC0075555AE420CC0209989E
+
+# modperl and modpython are built, but won't be loadable.
+# :full image installs perl and python3 again, making these modules loadable.
+
+# musl silently doesn't support AI_ADDRCONFIG yet, and ZNC doesn't support Happy Eyeballs yet.
+# Together they cause very slow connection. So for now IPv6 is disabled here.
+ARG CONFIGUREFLAGS="--prefix=/opt/znc --enable-cyrus --enable-perl --enable-python --disable-ipv6"
+ARG MAKEFLAGS=""
+
+ENV ZNC_VERSION 1.6.4
+
+RUN set -x \
+    && adduser -S znc \
+    && addgroup -S znc \
+    && apk add --no-cache --virtual runtime-dependencies \
+        ca-certificates \
+        cyrus-sasl \
+        icu \
+        openssl \
+        tini \
+    && apk add --no-cache --virtual build-dependencies \
+        build-base \
+        curl \
+        cyrus-sasl-dev \
+        gnupg \
+        icu-dev \
+        openssl-dev \
+        perl-dev \
+        python3-dev \
+    && mkdir /znc-src && cd /znc-src \
+    && curl -fsSL "http://znc.in/releases/archive/znc-${ZNC_VERSION}.tar.gz" -o znc.tgz \
+    && curl -fsSL "http://znc.in/releases/archive/znc-${ZNC_VERSION}.tar.gz.sig" -o znc.tgz.sig \
+    && export GNUPGHOME="$(mktemp -d)" \
+    && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "${GPG_KEY}" \
+    && gpg --batch --verify znc.tgz.sig znc.tgz \
+    && rm -rf "$GNUPGHOME" \
+    && tar -zxf znc.tgz --strip-components=1 \
+    && mkdir build && cd build \
+    && ../configure ${CONFIGUREFLAGS} \
+    && make $MAKEFLAGS \
+    && make install \
+    && apk del build-dependencies \
+    && cd / && rm -rf /znc-src
+
+COPY docker-entrypoint.sh /
+
+USER znc
+VOLUME /znc-data
+
+EXPOSE 6667
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
diff --git a/znc_small/docker-entrypoint.sh b/znc_small/docker-entrypoint.sh
new file mode 100755
index 0000000..5b06172
--- /dev/null
+++ b/znc_small/docker-entrypoint.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# "docker run -ti znc sh" should work, according to
+# https://github.com/docker-library/official-images
+if [ "${1:0:1}" != '-' ]; then
+    exec "$@"
+fi
+
+# Options.
+DATADIR="/znc-data"
+
+# Make sure $DATADIR is owned by znc user. This affects ownership of the
+# mounted directory on the host machine too.
+chown -R znc:znc "$DATADIR" || exit 1
+chmod 700 "$DATADIR" || exit 2
+
+# This file is added by znc:full image
+if [ -r /znc-build-modules.sh ]; then
+    source /znc-build-modules.sh || exit 3
+fi
+
+cd /
+
+# ZNC itself responds to SIGTERM, and reaps its children, but whatever was
+# started via *shell module is not guaranteed to reap their children.
+exec /sbin/tini -- /opt/znc/bin/znc --foreground --datadir "$DATADIR" "$@"

[tianon]

Dockerization looks sane (and agree 100% personally with dropping EXPOSE if there's not a "standard" ZNC port folks would expect). The only comment I'd add is that renaming znc:small to znc:slim would be more consistent with a number of other official images, but otherwise everything looks pretty good to me. 👍

[DarthGandalf]

Done.

[tianon]

Nice -- love the level of responsiveness. I wish we could consistently be as responsive as you've been. 😅 ❤️

Updated diff: (which LGTM)

diff --git a/_bashbrew-list b/_bashbrew-list
index e69de29..fc89bac 100644
--- a/_bashbrew-list
+++ b/_bashbrew-list
@@ -0,0 +1,6 @@
+znc:1.6
+znc:1.6-slim
+znc:1.6.4
+znc:1.6.4-slim
+znc:latest
+znc:slim
diff --git a/znc_latest/Dockerfile b/znc_latest/Dockerfile
new file mode 100644
index 0000000..409bf55
--- /dev/null
+++ b/znc_latest/Dockerfile
@@ -0,0 +1,11 @@
+FROM znc:slim
+
+# znc:slim removed them. Install them again.
+RUN set -x \
+    && apk add --no-cache \
+        build-base \
+        icu-dev \
+        openssl-dev \
+        perl \
+        python3
+COPY znc-build-modules.sh /
diff --git a/znc_latest/znc-build-modules.sh b/znc_latest/znc-build-modules.sh
new file mode 100755
index 0000000..ea87d1b
--- /dev/null
+++ b/znc_latest/znc-build-modules.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+# Build modules from source.
+if [ -d "${DATADIR}/modules" ]; then
+    cd "${DATADIR}/modules" || exit 11
+
+    # Find module sources.
+    modules=$(find . -name "*.cpp")
+
+    if [ -n "$modules" ]; then
+        # Build modules.
+        echo "Building modules $modules..."
+        /opt/znc/bin/znc-buildmod $modules || exit 12
+    fi
+fi
+
diff --git a/znc_slim/Dockerfile b/znc_slim/Dockerfile
new file mode 100644
index 0000000..d3e785b
--- /dev/null
+++ b/znc_slim/Dockerfile
@@ -0,0 +1,53 @@
+FROM alpine:3.5
+
+ENV GPG_KEY D5823CACB477191CAC0075555AE420CC0209989E
+
+# modperl and modpython are built, but won't be loadable.
+# :full image installs perl and python3 again, making these modules loadable.
+
+# musl silently doesn't support AI_ADDRCONFIG yet, and ZNC doesn't support Happy Eyeballs yet.
+# Together they cause very slow connection. So for now IPv6 is disabled here.
+ARG CONFIGUREFLAGS="--prefix=/opt/znc --enable-cyrus --enable-perl --enable-python --disable-ipv6"
+ARG MAKEFLAGS=""
+
+ENV ZNC_VERSION 1.6.4
+
+RUN set -x \
+    && adduser -S znc \
+    && addgroup -S znc \
+    && apk add --no-cache --virtual runtime-dependencies \
+        ca-certificates \
+        cyrus-sasl \
+        icu \
+        openssl \
+        tini \
+    && apk add --no-cache --virtual build-dependencies \
+        build-base \
+        curl \
+        cyrus-sasl-dev \
+        gnupg \
+        icu-dev \
+        openssl-dev \
+        perl-dev \
+        python3-dev \
+    && mkdir /znc-src && cd /znc-src \
+    && curl -fsSL "http://znc.in/releases/archive/znc-${ZNC_VERSION}.tar.gz" -o znc.tgz \
+    && curl -fsSL "http://znc.in/releases/archive/znc-${ZNC_VERSION}.tar.gz.sig" -o znc.tgz.sig \
+    && export GNUPGHOME="$(mktemp -d)" \
+    && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "${GPG_KEY}" \
+    && gpg --batch --verify znc.tgz.sig znc.tgz \
+    && rm -rf "$GNUPGHOME" \
+    && tar -zxf znc.tgz --strip-components=1 \
+    && mkdir build && cd build \
+    && ../configure ${CONFIGUREFLAGS} \
+    && make $MAKEFLAGS \
+    && make install \
+    && apk del build-dependencies \
+    && cd / && rm -rf /znc-src
+
+COPY docker-entrypoint.sh /
+
+USER znc
+VOLUME /znc-data
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
diff --git a/znc_slim/docker-entrypoint.sh b/znc_slim/docker-entrypoint.sh
new file mode 100755
index 0000000..5b06172
--- /dev/null
+++ b/znc_slim/docker-entrypoint.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# "docker run -ti znc sh" should work, according to
+# https://github.com/docker-library/official-images
+if [ "${1:0:1}" != '-' ]; then
+    exec "$@"
+fi
+
+# Options.
+DATADIR="/znc-data"
+
+# Make sure $DATADIR is owned by znc user. This affects ownership of the
+# mounted directory on the host machine too.
+chown -R znc:znc "$DATADIR" || exit 1
+chmod 700 "$DATADIR" || exit 2
+
+# This file is added by znc:full image
+if [ -r /znc-build-modules.sh ]; then
+    source /znc-build-modules.sh || exit 3
+fi
+
+cd /
+
+# ZNC itself responds to SIGTERM, and reaps its children, but whatever was
+# started via *shell module is not guaranteed to reap their children.
+exec /sbin/tini -- /opt/znc/bin/znc --foreground --datadir "$DATADIR" "$@"

[tianon]

Heh, znc:full currently fails to build: (looks like the USER znc needs to be overwritten with USER root before the RUN followed by USER znc after)

Once that's fixed, all that will be left is minor loose ends on the docs PR! 👍

Build test of #2617; 211fe49 (znc):

$ bashbrew build znc:1.6.4-slim
Using bashbrew/cache:d8e5a79f38b86720f93c76fc43ab9cf4c9db25bdd237075d4edb97d93bf02d15 (znc:1.6.4-slim)
Tagging znc:1.6.4-slim
Tagging znc:1.6-slim
Tagging znc:slim

$ test/run.sh znc:1.6.4-slim
testing znc:1.6.4-slim
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build znc:1.6.4
Building bashbrew/cache:35bf25fe5105c0bb4ff2f0deacfd07414314846fd5e008f137f82db2fb87ec72 (znc:1.6.4)
error: failed building "znc" (tags "1.6.4, 1.6, latest")
exit status 1
docker ["build" "-t" "bashbrew/cache:35bf25fe5105c0bb4ff2f0deacfd07414314846fd5e008f137f82db2fb87ec72" "--rm" "--force-rm" "-"] output:
Sending build context to Docker daemon 10.24 kB
Step 1/3 : FROM znc:slim
 ---> 42078906ffa8
Step 2/3 : RUN set -x     && apk add --no-cache         build-base         icu-dev         openssl-dev         perl         python3
 ---> Running in 82348d402e4d
+ apk add --no-cache build-base icu-dev openssl-dev perl python3
ERROR: Unable to lock database: Permission denied
ERROR: Failed to open apk database: Permission denied
Removing intermediate container 82348d402e4d
The command '/bin/sh -c set -x     && apk add --no-cache         build-base         icu-dev         openssl-dev         perl         python3' returned a non-zero code: 243

The following images failed to build:

• znc:
  • znc:1.6.4

[DarthGandalf]

That's strange. It works for me.

$ docker build -t znc:full .
Sending build context to Docker daemon 3.072 kB
Step 1 : FROM znc:slim
 ---> 8b9467535409
Step 2 : RUN set -x     && apk add --no-cache         build-base         icu-dev         openssl-dev         perl         python3
 ---> Running in 3b9dd0665893
+ apk add --no-cache build-base icu-dev openssl-dev perl python3
fetch http://dl-cdn.alpinelinux.org/alpine/v3.5/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.5/community/x86_64/APKINDEX.tar.gz
(1/26) Installing binutils-libs (2.27-r0)
(2/26) Installing binutils (2.27-r0)
(3/26) Installing gmp (6.1.1-r0)
(4/26) Installing isl (0.17.1-r0)
(5/26) Installing libgomp (6.2.1-r1)
(6/26) Installing libatomic (6.2.1-r1)
(7/26) Installing pkgconf (1.0.2-r0)
(8/26) Installing mpfr3 (3.1.5-r0)
(9/26) Installing mpc1 (1.0.3-r0)
(10/26) Installing gcc (6.2.1-r1)
(11/26) Installing make (4.2.1-r0)
(12/26) Installing musl-dev (1.1.15-r6)
(13/26) Installing libc-dev (0.7-r1)
(14/26) Installing fortify-headers (0.8-r0)
(15/26) Installing g++ (6.2.1-r1)
(16/26) Installing build-base (0.4-r1)
(17/26) Installing icu-dev (57.1-r2)
(18/26) Installing zlib-dev (1.2.8-r2)
(19/26) Installing openssl-dev (1.0.2k-r0)
(20/26) Installing perl (5.24.0-r0)
(21/26) Installing libbz2 (1.0.6-r5)
(22/26) Installing expat (2.2.0-r0)
(23/26) Installing libffi (3.2.1-r2)
(24/26) Installing gdbm (1.12-r0)
(25/26) Installing xz-libs (5.2.2-r1)
(26/26) Installing python3 (3.5.2-r9)
Executing busybox-1.25.1-r0.trigger
OK: 330 MiB in 58 packages
 ---> 03e820108c27
Removing intermediate container 3b9dd0665893
Step 3 : COPY znc-build-modules.sh /
 ---> a9c50ed94081
Removing intermediate container 7062b2c6cfee
Successfully built a9c50ed94081

[DarthGandalf]

Well, done, and it still works for me...

The versions installed on my Gentoo:
app-emulation/docker-1.12.6:0
app-emulation/containerd-0.2.5:0

[tianon]

Oh man, the timing on this is absolutely incredible. I literally committed tianon/docker-overlay@4f5bd8a this morning to fix that very issue. 😅

(Which is also why @yosifkit's previous build testing was successful.)

[tianon]

I also ran a build test on a server we've got which is running Debian in a very similar configuration to our official build server and it failed in the same way as my own local build. 😄 👍 I'll go re-run now.

[DarthGandalf]

I'm not using your overlay, but docker from portage.

[tianon]

Right, see also gentoo/gentoo@8784a58 and gentoo/gentoo@37e1e34 which are the attempts to fix this in the main tree (making a separate runc ebuild to pull in all the changes Docker has been releasing with as well rather than just the one patch which I included).

In either case, it was failing on Debian (which is what our official build server runs) before, and passes now, so we're good now (and the swapping back and forth is definitely necessary):

Build test of #2617; af4982a (znc):

$ bashbrew build znc:1.6.4-slim
Building bashbrew/cache:c89a1a476dc8f7ef6cb788d17ab249eda93edcbc012a2b59e463618a9a557f50 (znc:1.6.4-slim)
Tagging znc:1.6.4-slim
Tagging znc:1.6-slim
Tagging znc:slim

$ test/run.sh znc:1.6.4-slim
testing znc:1.6.4-slim
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed


$ bashbrew build znc:1.6.4
Building bashbrew/cache:0e00ef49b864f9dd494ee7f1b53d425a0e9a6be32c43158f078a23259eb97c77 (znc:1.6.4)
Tagging znc:1.6.4
Tagging znc:1.6
Tagging znc:latest

$ test/run.sh znc:1.6.4
testing znc:1.6.4
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed