Add alpine dockerimage (#70)

* switch to alpine Dockerfile * remove unused kbfsfuse from generate script * switch to kbfsfuse built from source for alpine * correct entrypoint paths for alpine Dockerfile * remove redundant 2nd build from make serve * fix env.sh in Dockerfile and entrypoint scripts * fix tests for alpine Dockerfile * clean up teutat3s changes * fix oneshot command * remove mention of env.sh Co-authored-by: M Ember Mou <mmou@keyba.se>
keybase · Jan 4, 2020 · 41ad75e · 41ad75e
1 parent 20cee26
commit 41ad75e
Show file tree

Hide file tree

Showing 6 changed files with 59 additions and 54 deletions.
diff --git a/docker/Dockerfile-ca b/docker/Dockerfile-ca
@@ -1,47 +1,49 @@
-# This dockerfile builds a container capable of running the SSH CA bot. Note that a lot of this code is duplicated
-# between this file and Dockerfile-kssh.
-FROM ubuntu:18.04
-
-# Dependencies
-RUN apt-get -qq update
-RUN apt-get -qq  install curl software-properties-common ca-certificates gnupg -y
-RUN useradd -ms /bin/bash keybase
-USER keybase
-WORKDIR /home/keybase
+# This dockerfile builds a container capable of running the SSH CA bot.
 
-# Download and verify the deb
-# Key fingerprint from https://keybase.io/docs/server_security/our_code_signing_key
-RUN curl --remote-name https://prerelease.keybase.io/keybase_amd64.deb
-RUN curl --remote-name https://prerelease.keybase.io/keybase_amd64.deb.sig
-# Import our gpg key from our website. Pulling from key servers caused a flakey build so
-# we get the key from the Keybase website instead.
-RUN curl -sSL https://keybase.io/docs/server_security/code_signing_key.asc | gpg --import
-# This line will error if the fingerprint of the key in the file does not match the
-# known fingerprint of the our PGP key
-RUN gpg --fingerprint 222B85B0F90BE2D24CFEB93F47484E50656D16C7
-# And then verify the signature now that we have the key
-RUN gpg --verify keybase_amd64.deb.sig keybase_amd64.deb
-
-# Silence the error from dpkg about failing to configure keybase since `apt-get install -f` fixes it
-USER root
-RUN dpkg -i keybase_amd64.deb || true
-RUN apt-get install -fy
-USER keybase
+FROM alpine:3.11 AS builder
 
-# Install go
-USER root
-RUN add-apt-repository ppa:gophers/archive -y
-RUN apt-get update
-RUN apt-get install golang-1.11-go git sudo -y
-USER keybase
+# add dependencies
+RUN apk update && apk add --no-cache go curl git musl-dev gcc
+
+# build keybase binary
+WORKDIR /go
+ENV GOPATH=/go
+ENV KEYBASE_VERSION=5.0.0
+RUN go get -d github.com/keybase/client/go/keybase
+RUN cd src/github.com/keybase/client/go/keybase && git checkout v$KEYBASE_VERSION
+RUN go install -tags production github.com/keybase/client/go/keybase
+
+# build kbfsfuse binary (we won't use FUSE but the bot needs KBFS for exchanging Team config files)
+RUN go install -tags production github.com/keybase/client/go/kbfs/kbfsfuse
 
-# Install go dependencies (speeds up future builds)
-COPY --chown=keybase go.mod .
-COPY --chown=keybase go.sum .
-RUN /usr/lib/go-1.11/bin/go mod download
+# build keybaseca
+WORKDIR /bot-sshca
+COPY . ./
+RUN go build -o bin/keybaseca src/cmd/keybaseca/keybaseca.go
 
-COPY --chown=keybase ./ /home/keybase/
+FROM alpine:3.11
 
-RUN /usr/lib/go-1.11/bin/go build -o bin/keybaseca src/cmd/keybaseca/keybaseca.go
+# add bash for entrypoint scripts, ssh for ssh-keygen used by the bot, sudo for stepping down to keybase user
+RUN apk update && apk add --no-cache bash openssh sudo
 
-USER root
+# add the keybase user
+RUN adduser -s /bin/bash -h /home/keybase -D keybase
+RUN chown keybase:keybase /home/keybase
+
+# this folder is needed for kbfsfuse
+RUN mkdir /keybase && chown -R keybase:keybase /keybase
+
+USER keybase
+WORKDIR /home/keybase
+
+# copy the keybase binaries from previous build step
+COPY --from=builder --chown=keybase:keybase /go/bin/keybase /usr/local/bin/
+COPY --from=builder --chown=keybase:keybase /go/bin/kbfsfuse /usr/local/bin/
+COPY --from=builder --chown=keybase:keybase /bot-sshca/bin/keybaseca bin/
+
+# copy in entrypoint scripts and env.sh
+COPY --chown=keybase:keybase ./docker ./
+
+# Run container as root but only to be able to chown the Docker bind-mount, 
+# then immediatetly step down to the keybase user via sudo in the entrypoint scripts
+USER root
diff --git a/docker/Makefile b/docker/Makefile
@@ -15,7 +15,7 @@ build: reset-permissions
 
 # Generate a new CA key
 generate: env-file-exists build
-	docker run -e FORCE_WRITE=$(FORCE_WRITE) -v $(CURDIR)/example-keybaseca-volume:/mnt:rw ca:latest docker/entrypoint-generate.sh
+	docker run -e FORCE_WRITE=$(FORCE_WRITE) -v $(CURDIR)/example-keybaseca-volume:/mnt:rw ca:latest ./entrypoint-generate.sh
 	@echo -e "\nRun these commands on each server that you wish to use with the CA chatbot\n"
 	@echo "useradd developer && mkdir -p /home/developer && chown developer:developer /home/developer  # The user that will be used for non-root logins"
 	@echo "echo \"`cat $(CURDIR)/example-keybaseca-volume/keybase-ca-key.pub`\" > /etc/ssh/ca.pub"
@@ -26,8 +26,8 @@ generate: env-file-exists build
 	@echo -e "\nSee the getting started docs for information on how to define which teams are allowed to access which servers"
 
 # Start the CA chatbot in the background
-serve: env-file-exists ca-key-exists build
-	docker run -d --restart unless-stopped -v $(CURDIR)/example-keybaseca-volume:/mnt:rw ca:latest docker/entrypoint-server.sh
+serve: env-file-exists ca-key-exists
+	docker run -d --restart unless-stopped -v $(CURDIR)/example-keybaseca-volume:/mnt:rw ca:latest ./entrypoint-server.sh
 	@echo "Started CA bot service in the background... Use `docker ps` and `docker logs` to monitor it"
 
 # Stop the service

diff --git a/docker/entrypoint-generate.sh b/docker/entrypoint-generate.sh
@@ -7,10 +7,10 @@ chown -R keybase:keybase /mnt
 
 # Run everything else as the keybase user
 sudo -i -u keybase bash << EOF
-source docker/env.sh
+source ./env.sh
 export "FORCE_WRITE=$FORCE_WRITE"
-nohup bash -c "run_keybase -g 2>&1 | grep -v 'KBFS failed to FUSE mount' &"
+nohup bash -c "KEYBASE_RUN_MODE=prod kbfsfuse /keybase | grep -v 'ERROR Mounting the filesystem failed' &"
 sleep 3
-keybase oneshot --username \$KEYBASE_USERNAME --paperkey "\$KEYBASE_PAPERKEY"
+keybase oneshot
 bin/keybaseca generate
-EOF
+EOF
diff --git a/docker/entrypoint-server.sh b/docker/entrypoint-server.sh
@@ -7,9 +7,9 @@ chown -R keybase:keybase /mnt
 
 # Run everything else as the keybase user
 sudo -i -u keybase bash << EOF
-source docker/env.sh
-nohup bash -c "run_keybase -g 2>&1 | grep -v 'KBFS failed to FUSE mount' &"
+source ./env.sh
+nohup bash -c "KEYBASE_RUN_MODE=prod kbfsfuse /keybase | grep -v 'ERROR Mounting the filesystem failed' &"
 sleep 3
-keybase oneshot --username \$KEYBASE_USERNAME --paperkey "\$KEYBASE_PAPERKEY"
+keybase oneshot
 bin/keybaseca service
-EOF
+EOF
diff --git a/tests/Dockerfile-cabot b/tests/Dockerfile-cabot
@@ -2,5 +2,8 @@ FROM ca:latest
 
 USER root
 
-RUN apt-get install python3 python3-pip gettext -y
+RUN apk add python3 py3-pip gettext
+RUN pip3 install --upgrade pip
 RUN pip3 install flask
+
+COPY --chown=keybase:keybase ./tests ./tests/
diff --git a/tests/bot-entrypoint.sh b/tests/bot-entrypoint.sh
@@ -10,7 +10,7 @@ touch /shared/.keep
 mkdir -p tests/generated-env
 ls tests/envFiles/ | xargs -I {} -- bash -c 'cat tests/envFiles/{} | envsubst > tests/generated-env/{}'
 
-nohup bash -c "run_keybase -g 2>&1 | grep -v 'KBFS failed to FUSE mount' &"
+nohup bash -c "KEYBASE_RUN_MODE=prod kbfsfuse /keybase | grep -v 'ERROR Mounting the filesystem failed' &"
 sleep 3
 keybase oneshot --username $BOT_USERNAME --paperkey "$BOT_PAPERKEY"
 touch /shared/ready