feat: rootless tool install (#145)

renovatebot · Feb 9, 2021 · 7fe5151 · 7fe5151
1 parent 1e84ab9
commit 7fe5151
Show file tree

Hide file tree

Showing 44 changed files with 702 additions and 510 deletions.
diff --git a/.github/bin/env.sh b/.github/bin/env.sh
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -37,12 +37,9 @@ jobs:
             swift,
             latest,
           ]
-        image: [latest, bionic, focal]
 
     env:
       TARGET: ${{ matrix.tag }}
-      TARGET_TAG: ${{ matrix.tag }}-${{ matrix.image }}
-      IMAGE: ${{ matrix.image }}
       TEST_IMAGE: renovate/buildpack-test:${{ matrix.tag }}
 
     steps:
@@ -52,9 +49,6 @@ jobs:
         if: github.ref == 'refs/heads/master'
         run: echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin
 
-      - name: fix env
-        run: .github/bin/env.sh
-
       - name: build
         run: docker build -t ${{ env.TEST_IMAGE }} --build-arg TARGET --build-arg BASE_IMAGE --build-arg USER_NAME .
 
@@ -67,6 +61,6 @@ jobs:
           command: docker-builder
           build-args: TARGET,BASE_IMAGE,USER_NAME
           last-only: true
-          tag-suffix: ${{ env.TARGET_TAG }}
+          tag-suffix: ${{ env.TARGET }}
           major-minor: false
           dry-run: ${{ env.DRY_RUN }}
diff --git a/Dockerfile b/Dockerfile
@@ -3,11 +3,6 @@
 #--------------------------------------
 ARG TARGET=latest
 
-#--------------------------------------
-# Ubuntu base image to use
-#--------------------------------------
-ARG BASE_IMAGE=ubuntu
-
 #--------------------------------------
 # Non-root user to create
 #--------------------------------------
@@ -17,7 +12,7 @@ ARG USER_NAME=user
 #--------------------------------------
 # Image: base
 #--------------------------------------
-FROM ${BASE_IMAGE} as base
+FROM ubuntu:focal@sha256:703218c0465075f4425e58fac086e09e1de5c340b12976ab9eb8ad26615c3715 as base
 
 ARG USER_ID
 ARG USER_NAME

diff --git a/README.md b/README.md
@@ -4,3 +4,53 @@
 # docker-buildpack
 
 This repository is the source for the Docker Hub image `renovate/buildpack`. Commits to `master` branch are automatically built and published.
+
+
+### Custom base image
+
+```dockerfile
+# This buildpack is used for tool intallation and user/directory setup
+FROM renovate/buildpack:4 AS buildpack
+
+# currently only ubuntu focal based distro suported
+FROM ubuntu:focal as base
+
+# The buildpack supports custom user but Renovate requires ubuntu
+ARG USER_NAME=ubuntu
+ARG USER_ID=1000
+ARG APP_ROOT=/usr/src/app
+
+# Set env and shell
+ENV BASH_ENV=/usr/local/etc/env
+SHELL ["/bin/bash" , "-c"]
+
+# Set up buildpack
+COPY --from=buildpack /usr/local/bin/ /usr/local/bin/
+COPY --from=buildpack /usr/local/buildpack/ /usr/local/buildpack/
+RUN install-buildpack
+
+# These packages are required for installs and runtime
+RUN install-apt \
+  dumb-init \
+  gnupg \
+  curl \
+  ca-certificates \
+  unzip \
+  xz-utils \
+  openssh-client
+
+# renovate: datasource=github-tags lookupName=git/git
+RUN install-tool git v2.30.0
+# renovate: datasource=docker versioning=docker
+RUN install-tool node 14.15.4
+# renovate: datasource=npm versioning=npm
+RUN install-tool yarn 1.22.10
+
+WORKDIR ${APP_ROOT}
+
+# This entry point ensures that dumb-init is run
+ENTRYPOINT [ "docker-entrypoint.sh" ]
+CMD [ "bash" ]
+
+USER $UBUNTU_ID
+```
diff --git a/builder.json b/builder.json
@@ -1,9 +1,9 @@
 {
   "image": "buildpack",
   "versioning": "docker",
-  "startVersion": "3",
-  "latestVersion": "3",
+  "startVersion": "4",
+  "latestVersion": "4",
   "cache": "docker-build-cache",
-  "versions": ["1", "2", "3"],
+  "versions": ["1", "2", "3", "4"],
   "forceUnstable": true
 }
diff --git a/renovate.Dockerfile b/renovate.Dockerfile
diff --git a/src/base/bin/install-apt b/src/base/bin/install-apt
@@ -2,12 +2,9 @@
 
 set -e
 
-if [[ $EUID -ne 0 ]]; then
-   echo "This script must be run as root"
-   exit 1
-fi
+. /usr/local/buildpack/util.sh
 
-. /usr/local/build/util.sh
+require_root
 
 apt_install $@
 

diff --git a/src/base/bin/install-buildpack b/src/base/bin/install-buildpack
@@ -1,24 +1,52 @@
 #!/bin/bash
 
-if [[ $EUID -ne 0 ]]; then
-   echo "This script must be run as root"
-   exit 1
+set -e
+
+. /usr/local/buildpack/util.sh
+
+# no duplicate installs
+if [[ ! -z "${BUILDPACK+x}" ]]; then
+  echo "BUILDPACK defined - skipping: ${BUILDPACK}"
+  exit 1;
 fi
 
+require_distro
+require_root
+require_user
+
 if [[ -z "${USER_ID+x}" ]]; then
   echo "No USER_ID defined - skipping: ${USER_ID}"
   exit 1;
 fi
 
-if [[ -z "${USER_NAME+x}" ]]; then
-  echo "No USER_NAME defined - skipping: ${USER_NAME}"
+if [[ -z "${BASH_ENV+x}" ]]; then
+  echo "No BASH_ENV defined - skipping: ${BASH_ENV}"
   exit 1;
 fi
 
-. /usr/local/build/util.sh
 
 export_env BUILDPACK 1
 
+# env helper, loads tool specific env
+cat >> $BASH_ENV <<- EOM
+if [ -d /usr/local/env.d ]; then
+  for i in /usr/local/env.d/*.sh; do
+    if [ -r \$i ]; then
+      . \$i
+    fi
+  done
+  unset i
+fi
+if [ -d \$HOME/.local/env.d ]; then
+  for i in \$HOME/.local/env.d/*.sh; do
+    if [ -r \$i ]; then
+      . \$i
+    fi
+  done
+  unset i
+fi
+EOM
+
 echo "APT::Install-Recommends \"false\";" | tee -a /etc/apt/apt.conf.d/buildpack.conf
 echo "APT::Get::Upgrade \"false\";" | tee -a /etc/apt/apt.conf.d/buildpack.conf
 echo "APT::Get::Install-Suggests \"false\";" | tee -a /etc/apt/apt.conf.d/buildpack.conf
@@ -28,6 +56,10 @@ echo "APT::Get::Install-Suggests \"false\";" | tee -a /etc/apt/apt.conf.d/buildp
 groupadd --gid ${USER_ID} ${USER_NAME};
 useradd --uid ${USER_ID} --gid 0 --groups ${USER_NAME} --shell /bin/bash --create-home ${USER_NAME}
 
+# create env helper paths
+mkdir /usr/local/env.d
+su ${USER_NAME} -c 'mkdir -p /home/${USER_NAME}/.local/env.d'
+
 export_env USER_NAME ${USER_NAME}
 export_env USER_ID ${USER_ID}
 export_env DEBIAN_FRONTEND "noninteractive"

diff --git a/src/base/bin/install-tool b/src/base/bin/install-tool
@@ -1,38 +1,24 @@
 #!/bin/bash
 
-if [[ $EUID -ne 0 ]]; then
-   echo "This script must be run as root"
-   exit 1
-fi
-
-if [[ -z "${USER_NAME+x}" ]]; then
-  echo "No USER_NAME defined - skipping: ${USER_NAME}"
-  exit 1;
-fi
+set -e
 
-. /usr/local/build/util.sh
+. /usr/local/buildpack/util.sh
 
-TOOLNAME=${1}
-TOOLVERSION=${1//-/_}
-TOOL="/usr/local/build/${1}.sh"
-shift;
+require_distro
+require_user
+require_tool $@
 
+TOOL="/usr/local/buildpack/tools/${TOOL_NAME}.sh"
 if [[ ! -f "$TOOL" ]]; then
-  echo "No tool defined - skipping: ${TOOLNAME}"
+  echo "No tool defined - skipping: ${TOOL_NAME}" >&2
   exit 1;
 fi
 
-ENVNAME=${TOOLVERSION^^}_VERSION
 
-if [[ "${1}" ]]; then
-  export "$ENVNAME=$1"
-  shift;
-fi
-
-check_version ${ENVNAME}
-
-echo "Installing tool ${TOOLNAME} v${!ENVNAME}"
-. $TOOL $@
+echo "Installing tool ${TOOL_NAME} v${TOOL_VERSION}"
+. $TOOL
 
 # cleanup
-rm -rf /var/lib/apt/lists/*
+if [[ $EUID -eq 0 ]]; then
+  rm -rf /var/lib/apt/lists/*
+fi
diff --git a/src/base/build/util.sh b/src/base/build/util.sh
diff --git a/src/base/build/git.sh → src/base/buildpack/tools/git.sh b/src/base/build/git.sh → src/base/buildpack/tools/git.sh
@@ -2,13 +2,14 @@
 
 set -e
 
+require_root
 VERSION_CODENAME=$(. /etc/os-release && echo ${VERSION_CODENAME})
 
 echo "deb http://ppa.launchpad.net/git-core/ppa/ubuntu ${VERSION_CODENAME} main" | tee -a /etc/apt/sources.list.d/git.list
 apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E1DD270288B4E6030699E45FA1715D88E1DF1F24
 
 # TODO: Only latest version available on launchpad :-/
-#apt_install git=1:${GIT_VERSION}*
+#apt_install git=1:${TOOL_VERSION}*
 apt_install git
 
 git --version