* switch to alpine Dockerfile * remove unused kbfsfuse from generate script * switch to kbfsfuse built from source for alpine * correct entrypoint paths for alpine Dockerfile * remove redundant 2nd build from make serve * fix env.sh in Dockerfile and entrypoint scripts * fix tests for alpine Dockerfile * clean up teutat3s changes * fix oneshot command * remove mention of env.sh Co-authored-by: M Ember Mou <mmou@keyba.se>
Showing
6 changed files
with
59 additions
and
54 deletions.
@@ -1,47 +1,49 @@ | ||
# This dockerfile builds a container capable of running the SSH CA bot. Note that a lot of this code is duplicated | ||
# between this file and Dockerfile-kssh. | ||
FROM ubuntu:18.04 | ||
|
||
# Dependencies | ||
RUN apt-get -qq update | ||
RUN apt-get -qq install curl software-properties-common ca-certificates gnupg -y | ||
RUN useradd -ms /bin/bash keybase | ||
USER keybase | ||
WORKDIR /home/keybase | ||
# This dockerfile builds a container capable of running the SSH CA bot. | ||
|
||
# Download and verify the deb | ||
# Key fingerprint from https://keybase.io/docs/server_security/our_code_signing_key | ||
RUN curl --remote-name https://prerelease.keybase.io/keybase_amd64.deb | ||
RUN curl --remote-name https://prerelease.keybase.io/keybase_amd64.deb.sig | ||
# Import our gpg key from our website. Pulling from key servers caused a flakey build so | ||
# we get the key from the Keybase website instead. | ||
RUN curl -sSL https://keybase.io/docs/server_security/code_signing_key.asc | gpg --import | ||
# This line will error if the fingerprint of the key in the file does not match the | ||
# known fingerprint of the our PGP key | ||
RUN gpg --fingerprint 222B85B0F90BE2D24CFEB93F47484E50656D16C7 | ||
# And then verify the signature now that we have the key | ||
RUN gpg --verify keybase_amd64.deb.sig keybase_amd64.deb | ||
|
||
# Silence the error from dpkg about failing to configure keybase since `apt-get install -f` fixes it | ||
USER root | ||
RUN dpkg -i keybase_amd64.deb || true | ||
RUN apt-get install -fy | ||
USER keybase | ||
FROM alpine:3.11 AS builder | ||
|
||
# Install go | ||
USER root | ||
RUN add-apt-repository ppa:gophers/archive -y | ||
RUN apt-get update | ||
RUN apt-get install golang-1.11-go git sudo -y | ||
USER keybase | ||
# add dependencies | ||
RUN apk update && apk add --no-cache go curl git musl-dev gcc | ||
|
||
# build keybase binary | ||
WORKDIR /go | ||
ENV GOPATH=/go | ||
ENV KEYBASE_VERSION=5.0.0 | ||
RUN go get -d github.com/keybase/client/go/keybase | ||
RUN cd src/github.com/keybase/client/go/keybase && git checkout v$KEYBASE_VERSION | ||
RUN go install -tags production github.com/keybase/client/go/keybase | ||
|
||
# build kbfsfuse binary (we won't use FUSE but the bot needs KBFS for exchanging Team config files) | ||
RUN go install -tags production github.com/keybase/client/go/kbfs/kbfsfuse | ||
|
||
# Install go dependencies (speeds up future builds) | ||
COPY --chown=keybase go.mod . | ||
COPY --chown=keybase go.sum . | ||
RUN /usr/lib/go-1.11/bin/go mod download | ||
# build keybaseca | ||
WORKDIR /bot-sshca | ||
COPY . ./ | ||
RUN go build -o bin/keybaseca src/cmd/keybaseca/keybaseca.go | ||
|
||
COPY --chown=keybase ./ /home/keybase/ | ||
FROM alpine:3.11 | ||
|
||
RUN /usr/lib/go-1.11/bin/go build -o bin/keybaseca src/cmd/keybaseca/keybaseca.go | ||
# add bash for entrypoint scripts, ssh for ssh-keygen used by the bot, sudo for stepping down to keybase user | ||
RUN apk update && apk add --no-cache bash openssh sudo | ||
|
||
USER root | ||
# add the keybase user | ||
RUN adduser -s /bin/bash -h /home/keybase -D keybase | ||
RUN chown keybase:keybase /home/keybase | ||
|
||
# this folder is needed for kbfsfuse | ||
RUN mkdir /keybase && chown -R keybase:keybase /keybase | ||
|
||
USER keybase | ||
WORKDIR /home/keybase | ||
|
||
# copy the keybase binaries from previous build step | ||
COPY --from=builder --chown=keybase:keybase /go/bin/keybase /usr/local/bin/ | ||
COPY --from=builder --chown=keybase:keybase /go/bin/kbfsfuse /usr/local/bin/ | ||
COPY --from=builder --chown=keybase:keybase /bot-sshca/bin/keybaseca bin/ | ||
|
||
# copy in entrypoint scripts and env.sh | ||
COPY --chown=keybase:keybase ./docker ./ | ||
|
||
# Run container as root but only to be able to chown the Docker bind-mount, | ||
# then immediatetly step down to the keybase user via sudo in the entrypoint scripts | ||
USER root |
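Review bot: The builder stage weakens the supply-chain check the removed ubuntu recipe had: the old steps downloaded the deb and verified its detached signature against a pinned key fingerprint, while the new `RUN go get -d github.com/keybase/client/go/keybase` followed by `git checkout v$KEYBASE_VERSION` trusts a mutable git tag with no signature or commit pin. Pin the checkout to a known commit so a moved tag fails the build, e.g. `ARG KEYBASE_COMMIT=<expected-commit-sha>` before the checkout and `RUN cd src/github.com/keybase/client/go/keybase && git checkout v$KEYBASE_VERSION && test "$(git rev-parse HEAD)" = "$KEYBASE_COMMIT"` in place of the current checkout line. Note also that `go get -d` with GOPATH=/go and no go.mod runs in GOPATH mode, so unless the checked-out tree vendors its dependencies they were fetched at whatever HEAD the remote had, not at a version tied to v$KEYBASE_VERSION — worth confirming against the tag's tree. In the final stage, `apk add --no-cache bash openssh sudo` pulls the full openssh set (including the server) when the comment says only ssh-keygen is needed; `openssh-keygen` is the smaller package for that. The entrypoint scripts that perform the sudo step-down after the closing `USER root` are outside this hunk.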