docker: refactored build scripts, added alpine variants (#23683)

README.md

@@ -12,6 +12,8 @@ But - some of the things in this repo are explorations, and the app you build
 from source just *might not do what it says it's doing*. So, if you just want
 to install Keybase on your computer, you should **[monitor our releases](https://keybase.io/download)** for macOS, Linux, or Windows.
 
+If you're interested in our Docker image releases, please check out **[the Docker README](packaging/linux/docker/README.md)**.
+
 ![Sharing](https://keybase.io/images/github/repo_share.png?)
 
 

packaging/linux/docker/CHANGELOG.md

@@ -0,0 +1,5 @@
+# 5.4.0
+
+- New `python` and `python-slim` variants of the images.
+- All base images have been switched to `debian:buster`.
+- New `alpine` and `alpine-slim` variants.

packaging/linux/docker/README.md

@@ -4,6 +4,8 @@
 
 - [the "standard" image](https://github.com/keybase/client/blob/master/packaging/linux/docker/standard/Dockerfile)
 - [the "slim" variant](https://github.com/keybase/client/blob/master/packaging/linux/docker/slim/Dockerfile)
+- [the "alpine" image](https://github.com/keybase/client/blob/master/packaging/linux/docker/alpine/Dockerfile)
+- [the "alpine-slim" variant](https://github.com/keybase/client/blob/master/packaging/linux/docker/alpine-slim/Dockerfile)
 - [the "node" variant (standard image based on an LTS release of Node)](https://github.com/keybase/client/blob/master/packaging/linux/docker/node/Dockerfile)
 - [the "node-slim" variant (slim image based on an LTS release of Node)](https://github.com/keybase/client/blob/master/packaging/linux/docker/node-slim/Dockerfile)
 - [the "python" variant (standard image based on Python 3.8)](https://github.com/keybase/client/blob/master/packaging/linux/docker/python/Dockerfile)
@@ -17,6 +19,9 @@
 - **Where to file issues**:
   [https://github.com/keybase/client](https://github.com/keybase/client)
 
+- **Where to find a changelog**:
+  [packaging/linux/docker/README.md](https://github.com/keybase/client/blob/master/packaging/linux/docker/README.md)
+
 - **Supported architectures**:
   Currently we only support amd64, please file a ticket if you'd like us to
   support other architectures!

packaging/linux/docker/alpine-slim/Dockerfile

@@ -0,0 +1,37 @@
+ARG BASE_IMAGE=keybaseio/client:alpine
+
+FROM $BASE_IMAGE AS base
+
+FROM alpine:3.11
+LABEL maintainer="Keybase <admin@keybase.io>"
+
+RUN apk add --update --no-cache gnupg procps ca-certificates bash
+
+ENV TINI_VERSION v0.18.0
+ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
+ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini.asc /tini.asc
+COPY packaging/linux/docker/tini_key.asc /tini_key.asc
+RUN gpg --import /tini_key.asc \
+    && rm /tini_key.asc \
+    && gpg --batch --verify /tini.asc /tini \
+    && chmod +x /tini
+
+ENV GOSU_VERSION 1.11
+ADD https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-amd64 /usr/local/bin/gosu
+ADD https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-amd64.asc /usr/local/bin/gosu.asc
+COPY packaging/linux/docker/gosu_key.asc /gosu_key.asc
+RUN gpg --import /gosu_key.asc \
+    && rm /gosu_key.asc \
+    && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
+    && chmod +x /usr/local/bin/gosu
+
+COPY packaging/linux/docker/slim/entrypoint.sh /usr/bin/entrypoint.sh
+RUN chmod +x /usr/bin/entrypoint.sh
+
+RUN adduser --disabled-password --gecos "" --shell /bin/bash keybase
+VOLUME [ "/home/keybase/.config/keybase", "/home/keybase/.cache/keybase" ]
+
+COPY --from=base /usr/bin/keybase /usr/bin/keybase
+COPY --from=base /usr/bin/keybase.sig /usr/bin/keybase.sig
+
+ENTRYPOINT ["/tini", "--", "entrypoint.sh"]

packaging/linux/docker/alpine/Dockerfile

@@ -0,0 +1,63 @@
+FROM golang:1.13.10-alpine3.11 AS builder
+
+RUN apk add --update --no-cache gnupg bash build-base
+
+ARG SOURCE_COMMIT=unknown
+
+ARG SIGNING_FINGERPRINT
+COPY .docker/code_signing_key /code_signing_key
+RUN gpg --import /code_signing_key
+
+COPY . /go/src/github.com/keybase/client
+RUN SOURCE_COMMIT=${SOURCE_COMMIT} \
+    KEYBASE_NO_GUI=1 \
+    KEYBASE_SKIP_32_BIT=1 \
+    /go/src/github.com/keybase/client/packaging/linux/build_binaries.sh \
+    prerelease /
+RUN gpg --detach-sign --armor --use-agent --local-user "$SIGNING_FINGERPRINT" \
+    -o "/binaries/amd64/usr/bin/keybase.sig" /binaries/amd64/usr/bin/keybase && \
+    gpg --detach-sign --armor --use-agent --local-user "$SIGNING_FINGERPRINT" \
+    -o "/binaries/amd64/usr/bin/kbfsfuse.sig" /binaries/amd64/usr/bin/kbfsfuse && \
+    gpg --detach-sign --armor --use-agent --local-user "$SIGNING_FINGERPRINT" \
+    -o "/binaries/amd64/usr/bin/git-remote-keybase.sig" /binaries/amd64/usr/bin/git-remote-keybase
+RUN chmod +x /binaries/amd64/usr/bin/keybase \
+    && chmod +x /binaries/amd64/usr/bin/kbfsfuse \
+    && chmod +x /binaries/amd64/usr/bin/git-remote-keybase
+
+FROM alpine:3.11
+LABEL maintainer="Keybase <admin@keybase.io>"
+
+RUN apk add --update --no-cache gnupg procps ca-certificates bash
+
+ENV TINI_VERSION v0.18.0
+ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /usr/local/bin/tini
+ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini.asc /usr/local/bin/tini.asc
+COPY packaging/linux/docker/tini_key.asc /tini_key.asc
+RUN gpg --import /tini_key.asc \
+    && rm /tini_key.asc \
+    && gpg --batch --verify /usr/local/bin/tini.asc /usr/local/bin/tini \
+    && chmod +x /usr/local/bin/tini
+
+ENV GOSU_VERSION 1.11
+ADD https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-amd64 /usr/local/bin/gosu
+ADD https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-amd64.asc /usr/local/bin/gosu.asc
+COPY packaging/linux/docker/gosu_key.asc /gosu_key.asc
+RUN gpg --import /gosu_key.asc \
+    && rm /gosu_key.asc \
+    && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
+    && chmod +x /usr/local/bin/gosu
+
+COPY packaging/linux/docker/standard/entrypoint.sh /usr/bin/entrypoint.sh
+RUN chmod +x /usr/bin/entrypoint.sh
+
+RUN adduser --disabled-password --gecos "" --shell /bin/bash keybase
+VOLUME [ "/home/keybase/.config/keybase", "/home/keybase/.cache/keybase" ]
+
+COPY --from=builder /binaries/amd64/usr/bin/keybase /usr/bin/keybase
+COPY --from=builder /binaries/amd64/usr/bin/keybase.sig /usr/bin/keybase.sig
+COPY --from=builder /binaries/amd64/usr/bin/kbfsfuse /usr/bin/kbfsfuse
+COPY --from=builder /binaries/amd64/usr/bin/kbfsfuse.sig /usr/bin/kbfsfuse.sig
+COPY --from=builder /binaries/amd64/usr/bin/git-remote-keybase /usr/bin/git-remote-keybase
+COPY --from=builder /binaries/amd64/usr/bin/git-remote-keybase.sig /usr/bin/git-remote-keybase.sig
+
+ENTRYPOINT ["tini", "--", "entrypoint.sh"]

packaging/linux/docker/build.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-set -euxo pipefail
+set -Eeuxo pipefail
 
 here="$(dirname "${BASH_SOURCE[0]}")"
 client_dir="$(git -C "$here" rev-parse --show-toplevel)"
@@ -13,47 +13,32 @@ code_signing_fingerprint="$("$here/../fingerprint.sh")"
 gpg_tempfile="$client_dir/.docker/code_signing_key"
 gpg --export-secret-key --armor "$code_signing_fingerprint" > "$gpg_tempfile"
 
-# Clear all existing base images
-sudo docker rmi golang:1.13.7-stretch || true
-sudo docker rmi debian:stretch || true
-
-# Build all variants
-sudo docker build \
-  --build-arg SOURCE_COMMIT="$source_commit" \
-  --build-arg SIGNING_FINGERPRINT="$code_signing_fingerprint" \
-  -f "$client_dir/packaging/linux/docker/standard/Dockerfile" \
-  -t "keybaseio/client:$tag" \
-  "$client_dir"
-
-sudo docker build \
-  --build-arg BASE_IMAGE="keybaseio/client:$tag" \
-  -f "$client_dir/packaging/linux/docker/slim/Dockerfile" \
-  -t "keybaseio/client:$tag-slim" \
-  "$client_dir"
-
-sudo docker build \
-  --build-arg BASE_IMAGE="keybaseio/client:$tag" \
-  -f "$client_dir/packaging/linux/docker/node/Dockerfile" \
-  -t "keybaseio/client:$tag-node" \
-  "$client_dir"
-
-sudo docker build \
-  --build-arg BASE_IMAGE="keybaseio/client:$tag" \
-  -f "$client_dir/packaging/linux/docker/node-slim/Dockerfile" \
-  -t "keybaseio/client:$tag-node-slim" \
-  "$client_dir"
-
-sudo docker build \
-  --build-arg BASE_IMAGE="keybaseio/client:$tag" \
-  -f "$client_dir/packaging/linux/docker/python/Dockerfile" \
-  -t "keybaseio/client:$tag-python" \
-  "$client_dir"
-
-sudo docker build \
-  --build-arg BASE_IMAGE="keybaseio/client:$tag" \
-  -f "$client_dir/packaging/linux/docker/python-slim/Dockerfile" \
-  -t "keybaseio/client:$tag-python-slim" \
-  "$client_dir"
-
 # Don't store any secrets in the repo dir
-rm -r "$client_dir/.docker" || true
+trap "rm -r ""$client_dir/.docker"" || true" ERR
+
+# Load up all the config we need now, the rest will be resolved as needed
+config_file="$client_dir/packaging/linux/docker/config.json"
+image_name="$(jq -r '.image_name' "$config_file")"
+readarray -t variants <<< "$(jq -r '.variants | keys | .[]' "$config_file")"
+
+# We assume that the JSON file is correctly ordered
+for variant in "${variants[@]}"; do
+  base_variant="$(jq -r ".variants.\"$variant\".base" "$config_file")"
+  dockerfile="$(jq -r ".variants.\"$variant\".dockerfile" "$config_file")"
+
+  if [ "$base_variant" = "null" ]; then
+    sudo docker build \
+      --pull \
+      --build-arg SOURCE_COMMIT="$source_commit" \
+      --build-arg SIGNING_FINGERPRINT="$code_signing_fingerprint" \
+      -f "$client_dir/$dockerfile" \
+      -t "$image_name:$tag$variant" \
+      "$client_dir"
+  else
+    sudo docker build \
+      --build-arg BASE_IMAGE="$image_name:$tag$base_variant" \
+      -f "$client_dir/$dockerfile" \
+      -t "$image_name:$tag$variant" \
+      "$client_dir"
+  fi
+done

packaging/linux/docker/config.json

@@ -0,0 +1,46 @@
+{
+  "_c": "Base image of the name",
+  "image_name": "keybaseio/client",
+
+  "_c": "Variant definitions",
+  "variants": {
+    "": {
+      "_c": "Path to the Dockerfile relative to the project's root",
+      "dockerfile": "packaging/linux/docker/standard/Dockerfile",
+
+      "_c": "`null` if it has no dependencies, otherwise the key of the image its based on",
+      "base": null
+    },
+    "-slim": {
+      "dockerfile": "packaging/linux/docker/slim/Dockerfile",
+      "base": ""
+    },
+
+    "-alpine": {
+      "dockerfile": "packaging/linux/docker/alpine/Dockerfile",
+      "base": null
+    },
+    "-alpine-slim": {
+      "dockerfile": "packaging/linux/docker/alpine-slim/Dockerfile",
+      "base": "-alpine"
+    },
+
+    "-node": {
+      "dockerfile": "packaging/linux/docker/node/Dockerfile",
+      "base": ""
+    },
+    "-node-slim": {
+      "dockerfile": "packaging/linux/docker/node-slim/Dockerfile",
+      "base": ""
+    },
+
+    "-python": {
+      "dockerfile": "packaging/linux/docker/python/Dockerfile",
+      "base": ""
+    },
+    "-python-slim": {
+      "dockerfile": "packaging/linux/docker/python-slim/Dockerfile",
+      "base": ""
+    }
+  }
+}

packaging/linux/docker/node-slim/Dockerfile

@@ -1,7 +1,7 @@
 ARG BASE_IMAGE=keybaseio/client:latest
 FROM $BASE_IMAGE AS base
 
-FROM node:12.16.1-buster
+FROM node:12.16.2-buster
 LABEL maintainer="Keybase <admin@keybase.io>"
 
 RUN apt-get update \

packaging/linux/docker/node/Dockerfile

@@ -1,7 +1,7 @@
 ARG BASE_IMAGE=keybaseio/client:latest
 FROM $BASE_IMAGE AS base
 
-FROM node:12.16.1-buster
+FROM node:12.16.2-buster
 LABEL maintainer="Keybase <admin@keybase.io>"
 
 RUN apt-get update \

packaging/linux/docker/push.sh

@@ -1,6 +1,9 @@
 #!/usr/bin/env bash
 set -Eeuo pipefail
 
+here="$(dirname "${BASH_SOURCE[0]}")"
+client_dir="$(git -C "$here" rev-parse --show-toplevel)"
+
 # Force correct usage
 if [ -z "${1:-}" ] || [ "${2:-}" != "nightly" ] && [ "${2:-}" != "release" ]; then
   echo "FAIL: Invalid arguments"
@@ -14,46 +17,38 @@ kind="$2"
 trap "docker logout || true" ERR
 docker login --username "$DOCKERHUB_USERNAME" --password-stdin <<< "$DOCKERHUB_PASSWORD" &> /dev/null
 
-# Base name of the image
-imageName="keybaseio/client"
-
-# An array with all the image variants
-variants=(
-  ''
-  '-slim'
-  '-node'
-  '-node-slim'
-  '-python'
-  '-python-slim'
-)
+# Load up all the config we need
+config_file="$client_dir/packaging/linux/docker/config.json"
+image_name="$(jq -r '.image_name' "$config_file")"
+readarray -t variants <<< "$(jq -r '.variants | keys | .[]' "$config_file")"
 
 # Instructions is an array of strings, where the value has the format of `[src],[target]`.
 # The [target] part can be empty, which makes it a simple push.
 instructions=()
 
 # We always push the base tags.
 for variant in "${variants[@]}"; do
-  instructions+=("$imageName:$tag$variant,")
+  instructions+=("$image_name:$tag$variant,")
 done
 
 if [ "$kind" = "nightly" ]; then
-  # Nightly builds also get released as `$imageName:nightly$variant`
+  # Nightly builds also get released as `$image_name:nightly$variant`
   for variant in "${variants[@]}"; do
-    instructions+=("$imageName:$tag$variant,$imageName:nightly$variant")
+    instructions+=("$image_name:$tag$variant,$image_name:nightly$variant")
   done
 elif [ "$kind" = "release" ]; then
   # Release builds end up as:
-  # - `$imageName:latest$variant`
-  # - `$imageName:stable$variant`
-  # - `$imageName:$version$variant`, where $version is the first item of a dash-split tag arg
+  # - `$image_name:latest$variant`
+  # - `$image_name:stable$variant`
+  # - `$image_name:$version$variant`, where $version is the first item of a dash-split tag arg
   for variant in "${variants[@]}"; do
-    IFS='-'; read -ra tagParts <<< "$tag"
+    IFS='-' read -ra tagParts <<< "$tag"
     version="${tagParts[0]}"
 
     instructions+=(
-      "$imageName:$tag$variant,$imageName:latest$variant"
-      "$imageName:$tag$variant,$imageName:stable$variant"
-      "$imageName:$tag$variant,$imageName:$version$variant"
+      "$image_name:$tag$variant,$image_name:latest$variant"
+      "$image_name:$tag$variant,$image_name:stable$variant"
+      "$image_name:$tag$variant,$image_name:$version$variant"
     )
   done
 fi

packaging/linux/docker/slim/Dockerfile

@@ -2,7 +2,7 @@ ARG BASE_IMAGE=keybaseio/client:latest
 
 FROM $BASE_IMAGE AS base
 
-FROM debian:stretch-slim
+FROM debian:buster-slim
 LABEL maintainer="Keybase <admin@keybase.io>"
 
 RUN apt-get update \

packaging/linux/docker/standard/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.13.7-stretch AS builder
+FROM golang:1.13.10-buster AS builder
 
 ARG SOURCE_COMMIT=unknown
 
@@ -22,7 +22,7 @@ RUN chmod +x /binaries/amd64/usr/bin/keybase \
     && chmod +x /binaries/amd64/usr/bin/kbfsfuse \
     && chmod +x /binaries/amd64/usr/bin/git-remote-keybase
 
-FROM debian:stretch
+FROM debian:buster
 LABEL maintainer="Keybase <admin@keybase.io>"
 
 RUN apt-get update \

packaging/linux/tuxbot/provision_tuxbot_root

@@ -4,7 +4,7 @@ set -euox pipefail
 export DEBIAN_FRONTEND=noninteractive
 
 apt-get update
-apt-get install -yq git curl vim python3-pip
+apt-get install -yq git curl vim python3-pip jq
 
 GOLANG_VERSION=1.13.7
 GOLANG_DOWNLOAD_URL=https://dl.google.com/go/go$GOLANG_VERSION.linux-amd64.tar.gz