Merge 0587b53 into 31358dc
jason-fox committed Jan 19, 2022
2 parents 31358dc + 0587b53 commit ab8819a
Showing 6 changed files with 6,958 additions and 3,707 deletions.
15 changes: 10 additions & 5 deletions .github/workflows/ci.yml
Expand Up @@ -6,6 +6,7 @@ name: CI
pull_request:
branches:
- master
workflow_dispatch:
jobs:
lint-dockerfile:
name: Lint Dockerfile
Expand All @@ -14,10 +15,10 @@ jobs:
- name: Git checkout
uses: actions/checkout@v2
- name: Run Hadolint Dockerfile Linter
uses: burdzwastaken/hadolint-action@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
HADOLINT_ACTION_DOCKERFILE_FOLDER: extras/docker
uses: hadolint/hadolint-action@master
with:
dockerfile: extras/docker/Dockerfile
ignore: DL3006 DL3008 DL3018 DL3033 DL4006

lint-markdown:
name: Lint Markdown
Expand All @@ -31,6 +32,7 @@ jobs:
node-version: 12.x
- name: Run Remark Markdown Linter
run: |
CXXFLAGS="--std=c++14"
npm install
npm run lint:md
- name: Run Textlint Markdown Linter
Expand All @@ -48,6 +50,7 @@ jobs:
node-version: 12.x
- name: Run EsLint Node.js Linter
run: |
CXXFLAGS="--std=c++14"
npm install
npm run lint
Expand All @@ -57,9 +60,9 @@ jobs:
strategy:
matrix:
node-version:
- 10.x
- 12.x
- 14.x
# - 16.x
steps:
- name: Git checkout
uses: actions/checkout@v2
Expand All @@ -70,6 +73,7 @@ jobs:
- name: 'Unit Tests with Node.js ${{ matrix.node-version }}'
run: |
docker run -d -h mysql -p 3306:3306 --name mysql -e MYSQL_ROOT_PASSWORD=test mysql:5.7
CXXFLAGS="--std=c++14"
npm install
node ./test/database
IDM_DB_PASS=test
Expand All @@ -89,6 +93,7 @@ jobs:
node-version: 12.x
- run: |
docker run -d -h mysql -p 3306:3306 --name mysql -e MYSQL_ROOT_PASSWORD=test mysql:5.7
CXXFLAGS="--std=c++14"
npm install
node ./test/database
IDM_DB_PASS=test
Expand Down
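Review bot: `CXXFLAGS="--std=c++14"` placed on its own line inside the `run: |` blocks (the Remark, EsLint and both unit-test steps) is a plain shell variable assignment, not an export, so the `npm install` on the following line does not see it; write it as a same-line prefix, `CXXFLAGS="--std=c++14" npm install`, or as `export CXXFLAGS="--std=c++14"`. The Dockerfile in this commit uses the prefix form, so as written the workflow and the image build native modules under different compiler flags. Separately, `uses: hadolint/hadolint-action@master` follows a mutable branch of a third-party action; pin it to a release tag or a full commit SHA so the linter that runs on `extras/docker/Dockerfile` cannot change without a review of this file.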
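--- a/extras/docker/.hadolint.yaml
+++ b/extras/docker/.hadolint.yaml
@@ -0,0 +1,7 @@
+ignored:
+- DL3006
+- DL3008
+- DL3018
+- DL3013
+- DL3033
+- DL4006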
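Review bot: The `ignored` list here contains DL3013 while the `ignore:` passed to the hadolint action in `.github/workflows/ci.yml` in this same commit does not, so the two configurations disagree on whether unpinned `pip install` calls are reported; I cannot tell from the page which one hadolint ends up reading, so one of them should become the single source of truth and the other be dropped. The only `pip install` visible on the page is in the removed `builder-alpine` stage, so DL3013 may no longer be needed at all; if it is kept, a comment above it such as `# DL3013: pip packages installed without version pins` would record why the check is silenced.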
140 changes: 53 additions & 87 deletions extras/docker/Dockerfile
@@ -1,10 +1,16 @@
ARG NODE_VERSION=12
ARG NODE_VERSION=14
ARG GITHUB_ACCOUNT=ging
ARG GITHUB_REPOSITORY=fiware-idm
ARG DOWNLOAD=latest
ARG SOURCE_BRANCH=master
ARG HEADLESS=false

# Default Builder, distro and distroless build version
ARG BUILDER=node:${NODE_VERSION}
ARG DISTRO=node:${NODE_VERSION}-slim
ARG DISTROLESS=gcr.io/distroless/nodejs:${NODE_VERSION}
ARG PACKAGE_MANAGER=apt
ARG USER=node

########################################################################################
#
Expand All @@ -19,92 +25,38 @@ ARG HEADLESS=false
#
########################################################################################

FROM node:${NODE_VERSION} as builder
FROM ${BUILDER} as builder
ARG GITHUB_ACCOUNT
ARG GITHUB_REPOSITORY
ARG DOWNLOAD
ARG SOURCE_BRANCH
ARG PACKAGE_MANAGER

SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# hadolint ignore=DL3002
USER root

ENV PYTHONUNBUFFERED=1

# As an Alternative for local development, just copy this Dockerfile into file the root of
# the repository and replace the whole RUN statement below by the following COPY statement
# in your local source using :
#
# COPY . /opt/fiware-idm
#
# Ensure that the chosen package manger is supported by this Dockerfile
# also ensure that unzip is installed prior to downloading sources

# hadolint ignore=DL3008
# hadolint ignore=SC2039
RUN \
if [ "${DOWNLOAD}" = "latest" ] ; \
then \
RELEASE="${SOURCE_BRANCH}"; \
echo "INFO: Building Latest Development from ${SOURCE_BRANCH} branch."; \
elif [ "${DOWNLOAD}" = "stable" ]; \
then \
RELEASE=$(curl -s https://api.github.com/repos/"${GITHUB_ACCOUNT}"/"${GITHUB_REPOSITORY}"/releases/latest | grep 'tag_name' | cut -d\" -f4); \
echo "INFO: Building Latest Stable Release: ${RELEASE}"; \
if [ "${PACKAGE_MANAGER}" = "apt" ]; then \
echo -e "\033[0;34mINFO: Using default \"${PACKAGE_MANAGER}\".\033[0m"; \
apt-get update; \
apt-get install -y --no-install-recommends unzip git; \
elif [ "${PACKAGE_MANAGER}" = "yum" ]; then \
echo -e "\033[0;33mWARNING: Overriding default package manager. Using \"${PACKAGE_MANAGER}\" .\033[0m"; \
yum install -y unzip git; \
yum clean all; \
elif [ "${PACKAGE_MANAGER}" = "apk" ]; then \
echo -e "\033[0;33mWARNING: Overriding default package manager. Using \"${PACKAGE_MANAGER}\" .\033[0m"; \
apk --update --no-cache add curl git make gcc g++ ca-certificates openssl unzip; \
else \
RELEASE="${DOWNLOAD}"; \
echo "INFO: Building Release: ${RELEASE}"; \
fi && \
RELEASE_CONCAT=$(echo "${RELEASE}" | tr / -); \
curl -s -L https://github.com/"${GITHUB_ACCOUNT}"/"${GITHUB_REPOSITORY}"/archive/"${RELEASE}".zip > source.zip && \
unzip source.zip -x "*/test/**" "*/doc/**" "*/doc.ja/**" "*/extras/**" && \
rm source.zip && \
mv "${GITHUB_REPOSITORY}-${RELEASE_CONCAT}" /opt/fiware-idm

WORKDIR /opt/fiware-idm

RUN npm cache clean -f && \
npm install --only=prod --no-package-lock --no-optional && \
rm -rf /root/.npm/cache/* && \
mkdir -p certs/applications && \
chmod -R 777 certs && \
openssl genrsa -out idm-2018-key.pem 2048 && \
openssl req -new -sha256 -key idm-2018-key.pem -out idm-2018-csr.pem -batch && \
openssl x509 -req -in idm-2018-csr.pem -signkey idm-2018-key.pem -out idm-2018-cert.pem && \
mv idm-2018-key.pem idm-2018-cert.pem idm-2018-csr.pem certs/ && \
chmod 755 certs/idm-2018-key.pem && \
chmod -R 777 public


########################################################################################
#
# This build stage retrieves the source code from GitHub. The default download is the
# latest tip of the master of the named repository on GitHub.
#
# To obtain the latest stable release run this Docker file with the parameters:
# --no-cache --build-arg DOWNLOAD=stable
#
# To obtain any specific version of a release run this Docker file with the parameters:
# --no-cache --build-arg DOWNLOAD=1.7.0
#
########################################################################################

FROM node:${NODE_VERSION}-alpine as builder-alpine
ARG GITHUB_ACCOUNT
ARG GITHUB_REPOSITORY
ARG DOWNLOAD
ARG SOURCE_BRANCH

SHELL ["/bin/ash", "-o", "pipefail", "-c"]

ENV PYTHONUNBUFFERED=1

#RUN apk add --no-cache python3 && \
# ln -sf python3 /usr/bin/python && \
# python3 -m ensurepip && \
# pip3 install --no-cache --upgrade pip setuptools

# hadolint ignore=DL3018,DL3013
RUN apk --no-cache add curl git python2 make gcc g++ ca-certificates openssl unzip && \
python -m ensurepip && \
rm -r /usr/lib/python*/ensurepip && \
pip install --no-cache-dir --upgrade pip setuptools

echo -e "\033[0;31mERROR: Package Manager \"${PACKAGE_MANAGER}\" not supported.\033[0m"; \
exit 1; \
fi

# As an Alternative for local development, just copy this Dockerfile into file the root of
# the repository and replace the whole RUN statement below by the following COPY statement
Expand Down Expand Up @@ -135,15 +87,16 @@ RUN \

WORKDIR /opt/fiware-idm

RUN npm cache clean -f && \
npm install --only=prod --no-package-lock --no-optional && \
RUN \
CXXFLAGS="--std=c++14" \
npm install --only=prod --no-package-lock --no-optional --unsafe-perm && \
rm -rf /root/.npm/cache/* && \
mkdir -p certs/applications && \
chmod -R 777 certs && \
openssl genrsa -out idm-2018-key.pem 2048 && \
openssl req -new -sha256 -key idm-2018-key.pem -out idm-2018-csr.pem -batch && \
openssl x509 -req -in idm-2018-csr.pem -signkey idm-2018-key.pem -out idm-2018-cert.pem && \
mv idm-2018-key.pem idm-2018-cert.pem idm-2018-csr.pem certs/ && \
mv idm-2018-key.pem idm-2018-cert.pem idm-2018-csr.pem certs/ && \
chmod 755 certs/idm-2018-key.pem && \
chmod -R 777 public

Expand All @@ -153,7 +106,7 @@ RUN npm cache clean -f && \
# as defined below.
#
########################################################################################
FROM node:${NODE_VERSION} AS anon-user
FROM ${BUILDER} AS anon-user
RUN sed -i -r "/^(root|nobody)/!d" /etc/passwd /etc/shadow /etc/group \
&& sed -i -r 's#^(.*):[^:]*$#\1:/sbin/nologin#' /etc/passwd

Expand All @@ -180,13 +133,17 @@ RUN sed -i -r "/^(root|nobody)/!d" /etc/passwd /etc/shadow /etc/group \
#
########################################################################################

FROM gcr.io/distroless/nodejs:${NODE_VERSION} AS distroless
FROM ${DISTROLESS} AS distroless
ARG GITHUB_ACCOUNT
ARG GITHUB_REPOSITORY
ARG NODE_VERSION
ARG HEADLESS

LABEL "maintainer"="FIWARE Identity Manager Team. DIT-UPM"
LABEL "description"="OAuth2-based authentication of users and devices, user profile management, Single Sign-On (SSO) and Identity Federation across multiple administration domains."
LABEL "name"="keyrock"
LABEL "summary"="Keyrock Identity Manager - Distroless"

LABEL "org.opencontainers.image.authors"=""
LABEL "org.opencontainers.image.documentation"="https://fiware-idm.readthedocs.io/"
LABEL "org.opencontainers.image.vendor"="Universidad Politécnica de Madrid."
Expand Down Expand Up @@ -224,7 +181,7 @@ HEALTHCHECK --interval=30s --timeout=3s --start-period=10s \

########################################################################################
#
# This build stage creates an alpine build for production.
# This build stage creates a build for production.
#
# IMPORTANT: For production environments use Docker Secrets to protect values of the
# sensitive ENV variables defined below, by adding _FILE to the name of the relevant
Expand All @@ -244,14 +201,15 @@ HEALTHCHECK --interval=30s --timeout=3s --start-period=10s \
#
########################################################################################

FROM node:${NODE_VERSION}-alpine
FROM ${DISTRO} AS distro
ARG GITHUB_ACCOUNT
ARG GITHUB_REPOSITORY
ARG NODE_VERSION
ARG HEADLESS

WORKDIR /opt/fiware-idm
COPY --from=builder-alpine /opt/fiware-idm .
COPY --from=builder /opt/fiware-idm .
COPY --from=builder /opt/fiware-idm/LICENSE /licenses/LICENSE

ENV IDM_HOST="http://localhost:3000" \
IDM_PORT="3000" \
Expand All @@ -267,19 +225,27 @@ ENV IDM_HOST="http://localhost:3000" \
ENV IDM_HEADLESS=$HEADLESS

# hadolint ignore=DL3018
RUN apk add --no-cache ca-certificates bash openssl
RUN \
if [ "${PACKAGE_MANAGER}" = "apk" ]; then \
apk add --no-cache ca-certificates bash openssl; \
fi

LABEL "maintainer"="FIWARE Identity Manager Team. DIT-UPM"
LABEL "description"="OAuth2-based authentication of users and devices, user profile management, Single Sign-On (SSO) and Identity Federation across multiple administration domains."
LABEL "name"="keyrock"
LABEL "summary"="Keyrock Identity Manager"

LABEL "org.opencontainers.image.authors"=""
LABEL "org.opencontainers.image.documentation"="https://fiware-idm.readthedocs.io/"
LABEL "org.opencontainers.image.vendor"="Universidad Politécnica de Madrid."
LABEL "org.opencontainers.image.licenses"="MIT"
LABEL "org.opencontainers.image.title"="Identity Manager - Keyrock"
LABEL "org.opencontainers.image.title"="Keyrock Identity Manager"
LABEL "org.opencontainers.image.description"="OAuth2-based authentication of users and devices, user profile management, Single Sign-On (SSO) and Identity Federation across multiple administration domains."
LABEL "org.opencontainers.image.source"=https://github.com/${GITHUB_ACCOUNT}/${GITHUB_REPOSITORY}
LABEL "org.nodejs.version"=${NODE_VERSION}

USER node
# Node by default, use 406 for Alpine, 1001 for UBI
USER ${USER}
ENV NODE_ENV=production
# Ports used by application
EXPOSE ${IDM_PORT:-3000}
Expand Down
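Review bot: `${PACKAGE_MANAGER}` in the new `if [ "${PACKAGE_MANAGER}" = "apk" ]` block and `${USER}` in `USER ${USER}` of the `distro` stage are only declared as ARGs before the first `FROM`, and Docker does not carry such ARGs into a stage unless the stage re-declares them; the stage's visible ARG lines (`GITHUB_ACCOUNT`, `GITHUB_REPOSITORY`, `NODE_VERSION`, `HEADLESS`) do not include either. Unless the collapsed lines between the two hunks add them, the apk branch never runs and the final `USER` expands to an empty value; the fix is `ARG PACKAGE_MANAGER` and `ARG USER` directly after `FROM ${DISTRO} AS distro`. Separately, the added `--unsafe-perm` lets npm run package lifecycle scripts as root in the builder stage, and with `--no-package-lock` the dependency tree those scripts come from is unpinned; a comment stating why the flag is required (presumably the native-module builds behind the new `CXXFLAGS`) and a committed lock file would narrow that exposure.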
44 changes: 44 additions & 0 deletions extras/docker/README.md
Expand Up @@ -217,3 +217,47 @@ fiware-idm:
volumes:
- path_to_file:/opt/fiware-idm/config.js
```

## Building using an alternative sources and Linux Distros

The `Dockerfile` is flexible enough to be able to use
[alternative base images](https://kuberty.io/blog/best-os-for-docker/) should
you wish. The base image defaults to using the `node:slim` distro, but other
base images can be injected using `--build-arg` parameters on the commmand line.
For example, to create a container based on
[Red Hat UBI (Universal Base Image) 8](https://developers.redhat.com/articles/2021/11/08/optimize-nodejs-images-ubi-8-nodejs-minimal-image)
add `BUILDER`, `DISTRO`, `PACKAGE_MANAGER` and `USER` parameters as shown:

```console
sudo docker build -t keyrock \
--build-arg BUILDER=registry.access.redhat.com/ubi8/nodejs-14 \
--build-arg DISTRO=registry.access.redhat.com/ubi8/nodejs-14-minimal \
--build-arg PACKAGE_MANAGER=yum \
--build-arg USER=1001 . --no-cache
```

To create a container based on [Alpine Linux](https://alpinelinux.org/about/)
add `BUILDER`, `DISTRO`, `PACKAGE_MANAGER` and `USER` parameters as shown:

```console
docker build -t keyrock \
--build-arg BUILDER=node:16-alpine \
--build-arg DISTRO=node:16-alpine \
--build-arg PACKAGE_MANAGER=apk . \
--build-arg USER=406 . --no-cache
```

Currently, the following `--build-arg` parameters are supported:

| Parameter | Description |
| ------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `BUILDER` | Preferred [linux distro](https://kuberty.io/blog/best-os-for-docker/) to use whilst building the image, defaults to `node:${NODE_VERSION}` |
| `DISTRO` | Preferred [linux distro](https://kuberty.io/blog/best-os-for-docker/) to use for the final container image, defaults to `node:${NODE_VERSION}-slim` |
| `DISTROLESS` | Preferred [Distroless Image](https://betterprogramming.pub/how-to-harden-your-containers-with-distroless-docker-images-c2abd7c71fdb) to use for the final container. Distroless images can be built using `-target=distroless` , defaults to `gcr.io/distroless/nodejs:${NODE_VERSION}` |
| `DOWNLOAD` | The GitHub SHA or tag to download - defaults to `latest` |
| `GITHUB_ACCOUNT` | The GitHub Action to download the source files from, defaults to `ging` |
| `GITHUB_REPOSITORY` | The name of the GitHub repository to download the source files from, defaults to `fiware-idm` |
| `NODE_VERSION` | the version of Node.js to use |
| `PACKAGE_MANAGER` | Package manager to use whilst creating the build, defaults to `apt` |
| `SOURCE_BRANCH` | The GitHub repository branch to download the source files from, defaults to `master` |
| `USER` | User in the final container image, defaults to `node` |
