From b2be7cd15e83e2c61930ab9d8e9cbf797f82ad58 Mon Sep 17 00:00:00 2001 From: Dylan Page Date: Tue, 4 Apr 2023 16:49:00 -0500 Subject: [PATCH] refactor(atlantis-image): recombine with atlantis-base (#3001) * refactor: atlantis-image build pipeline and docker images Atlantis built and maintained two separate docker images, atlantis and atlantis-base. This made cutting releases cumbersome and had inefficiencies in the docker image layers. This PR condenses the workflow into a single job and Dockerfile once again by utilizing multi-stage builds more heavily and Docker build targeting. * fix: apply @nitrocode suggestions from code review * feat: hadolint * fix: DL4006 on go mod graph * fix: version regressions --------- Co-authored-by: nitrocode <7775707+nitrocode@users.noreply.github.com> --- .github/workflows/atlantis-base.yml | 98 --------------- .github/workflows/atlantis-image.yml | 25 ++++ Dockerfile | 182 ++++++++++++++++++++++----- _Dockerfile.dev | 4 - docker-base/Dockerfile.alpine | 80 ------------ docker-base/Dockerfile.debian | 81 ------------ 6 files changed, 176 insertions(+), 294 deletions(-) delete mode 100644 .github/workflows/atlantis-base.yml delete mode 100644 docker-base/Dockerfile.alpine delete mode 100644 docker-base/Dockerfile.debian diff --git a/.github/workflows/atlantis-base.yml b/.github/workflows/atlantis-base.yml deleted file mode 100644 index c18a68367f..0000000000 --- a/.github/workflows/atlantis-base.yml +++ /dev/null @@ -1,98 +0,0 @@ -name: atlantis-base - -on: - push: - paths: - - 'docker-base/Dockerfile.*' - - '.github/workflows/atlantis-base.yml' - branches: - - "main" - pull_request: - paths: - - 'docker-base/Dockerfile.*' - - '.github/workflows/atlantis-base.yml' - workflow_dispatch: - -defaults: - run: - working-directory: docker-base - -concurrency: - group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} - cancel-in-progress: true - -jobs: - build: - strategy: - matrix: - image_type: [alpine, debian] - runs-on: ubuntu-22.04 - env: - DOCKERFILE: "Dockerfile.${{ matrix.image_type }}" - IMAGE_BASE: ghcr.io/${{ github.repository_owner }}/atlantis-base - IMAGE_SUFFIX: ${{ matrix.image_type != 'alpine' && format('-{0}', matrix.image_type) || '' }} - steps: - - uses: actions/checkout@v3 - - - name: Set up QEMU - uses: docker/setup-qemu-action@v2 - with: - image: tonistiigi/binfmt:latest - platforms: arm64,arm - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 - # related issues for pinning buildkit - # https://github.com/docker/build-push-action/issues/761 - # https://github.com/containerd/containerd/issues/7972 - # https://github.com/containerd/containerd/pull/6995 - with: - driver-opts: | - image=moby/buildkit:v0.10.6 - - - name: Docker meta - id: meta - uses: docker/metadata-action@v4 - with: - images: | - atlantis - labels: | - org.opencontainers.image.licenses=Apache-2.0 - tags: | - type=ref,event=branch - type=ref,event=pr - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - - - name: Login to Packages Container registry - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Populate release version - run: echo "RELEASE_VERSION=$(date +"%Y.%m.%d")" >> $GITHUB_ENV - - - name: Build and push atlantis-base:${{ env.RELEASE_VERSION }}${{ env.IMAGE_SUFFIX }} image - uses: docker/build-push-action@v4 - with: - cache-from: type=gha - cache-to: type=gha,mode=max - context: docker-base - build-args: ATLANTIS_BASE_TAG_TYPE=${{ matrix.image_type }} - file: docker-base/${{ env.DOCKERFILE }} - platforms: linux/arm64/v8,linux/amd64,linux/arm/v7 - push: ${{ github.event_name != 'pull_request' }} - # release version is the YYYYMMDD date of the build i.e. 20301210 - # release version also has the image type appended i.e. 20301210-alpine - # release tag is latest i.e. latest - # release tag also has the image type appended i.e. latest-alpine - # if it's Dec 10, 2030 and alpine, it will do 20301210, 20301210-alpine, latest, latest-alpine - # if it's Dec 10, 2030 and debian, it will do 20301210-debian, latest-debian - tags: | - ${{ env.IMAGE_BASE }}:${{ env.RELEASE_VERSION }}${{ env.IMAGE_SUFFIX }} - ${{ env.IMAGE_BASE }}:${{ env.RELEASE_VERSION }}-${{ matrix.image_type }} - ${{ env.IMAGE_BASE }}:latest${{ env.IMAGE_SUFFIX }} - ${{ env.IMAGE_BASE }}:latest-${{ matrix.image_type }} - labels: ${{ steps.meta.outputs.labels }} diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index 3b7c0969d4..4f9a0cdd36 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -10,6 +10,7 @@ on: pull_request: paths: - 'Dockerfile' + - 'docker-entrypoint.sh' - '.github/workflows/atlantis-image.yml' workflow_dispatch: @@ -32,6 +33,12 @@ jobs: steps: - uses: actions/checkout@v3 + # Lint the Dockerfile first before setting anything up + - name: Lint Dockerfile + uses: hadolint/hadolint-action@master + with: + dockerfile: "Dockerfile" + - name: Set up QEMU uses: docker/setup-qemu-action@v2 with: @@ -56,6 +63,7 @@ jobs: images: | ${{ env.DOCKER_REPO }} labels: | + org.opencontainers.image.authors="Anubhav Mishra, Luke Kysow" org.opencontainers.image.licenses=Apache-2.0 tags: | # semver @@ -86,6 +94,22 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + # Publish dev image to container registry + - name: Build and push atlantis:dev${{ env.IMAGE_SUFFIX }} image + if: ${{ contains(fromJson('["push", "pull_request"]'), github.event_name) }} + uses: docker/build-push-action@v3 + with: + cache-from: type=gha + cache-to: type=gha,mode=max + context: . + platforms: linux/arm64/v8,linux/amd64,linux/arm/v7 + push: ${{ github.event_name != 'pull_request' }} + tags: | + ghcr.io/${{ github.repository_owner }}/atlantis:dev${{ env.IMAGE_SUFFIX }} + ghcr.io/${{ github.repository_owner }}/atlantis:dev-${{ matrix.image_type }} + target: ${{ matrix.image_type }} + labels: ${{ steps.meta.outputs.labels }} + # Publish release to container registry - name: Populate release version if: contains(fromJson('["push", "pull_request"]'), github.event_name) @@ -106,5 +130,6 @@ jobs: platforms: linux/arm64/v8,linux/amd64,linux/arm/v7 push: ${{ env.PUSH }} tags: ${{ steps.meta.outputs.tags }} + target: ${{ matrix.image_type }} labels: ${{ steps.meta.outputs.labels }} outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }} diff --git a/Dockerfile b/Dockerfile index fd843deef0..074ef21514 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,8 +1,9 @@ -ARG ATLANTIS_BASE=ghcr.io/runatlantis/atlantis-base -ARG ATLANTIS_BASE_TAG_DATE=latest -ARG ATLANTIS_BASE_TAG_TYPE=alpine +# syntax=docker/dockerfile:1 +# what distro is the image being built for +ARG ALPINE_TAG=3.17.1 +ARG DEBIAN_TAG=11.6-slim -# Stage 1: build artifact +# Stage 1: build artifact and download deps FROM golang:1.20.2-alpine AS builder @@ -19,28 +20,102 @@ WORKDIR /app # https://github.com/montanaflynn/golang-docker-cache # https://github.com/golang/go/issues/27719 COPY go.mod go.sum ./ +SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN go mod graph | awk '{if ($1 !~ "@") print $2}' | xargs go get COPY . /app - RUN --mount=type=cache,target=/go/pkg/mod \ --mount=type=cache,target=/root/.cache/go-build \ CGO_ENABLED=0 go build -trimpath -ldflags "-s -w -X 'main.version=${ATLANTIS_VERSION}' -X 'main.commit=${ATLANTIS_COMMIT}' -X 'main.date=${ATLANTIS_DATE}'" -v -o atlantis . -# Stage 2 -# The runatlantis/atlantis-base is created by docker-base/Dockerfile -FROM ${ATLANTIS_BASE}:${ATLANTIS_BASE_TAG_DATE}-${ATLANTIS_BASE_TAG_TYPE} AS base +FROM debian:${DEBIAN_TAG} as deps # Get the architecture the image is being built for ARG TARGETPLATFORM +WORKDIR /tmp/build + +# Install packages needed for building/verifying dependencies +# hadolint ignore=DL3008,SC2261 +RUN apt-get update \ + && apt-get install -y --no-install-recommends \ + ca-certificates>=20210119 \ + curl>=7.74 \ + git>=1:2.30 \ + unzip>=6.0 \ + bash>=5.1 \ + openssh-server>=1:8.4p1 \ + libcap2>=1:2.44 \ + dumb-init>=1.2 \ + gnupg>=2.2 \ + openssl>=1.1.1n + +# install conftest +# renovate: datasource=github-releases depName=open-policy-agent/conftest +SHELL ["/bin/bash", "-o", "pipefail", "-c"] +ENV DEFAULT_CONFTEST_VERSION=0.40.0 +RUN AVAILABLE_CONFTEST_VERSIONS=${DEFAULT_CONFTEST_VERSION} && \ + case ${TARGETPLATFORM} in \ + "linux/amd64") CONFTEST_ARCH=x86_64 ;; \ + "linux/arm64") CONFTEST_ARCH=arm64 ;; \ + # There is currently no compiled version of conftest for armv7 + "linux/arm/v7") CONFTEST_ARCH=x86_64 ;; \ + esac && \ + for VERSION in ${AVAILABLE_CONFTEST_VERSIONS}; do \ + curl -LOs "https://github.com/open-policy-agent/conftest/releases/download/v${VERSION}/conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz" && \ + curl -LOs "https://github.com/open-policy-agent/conftest/releases/download/v${VERSION}/checksums.txt" && \ + sed -n "/conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz/p" checksums.txt | sha256sum -c && \ + mkdir -p "/usr/local/bin/cft/versions/${VERSION}" && \ + tar -C "/usr/local/bin/cft/versions/${VERSION}" -xzf "conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz" && \ + ln -s "/usr/local/bin/cft/versions/${VERSION}/conftest" /usr/local/bin/conftest && \ + rm "conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz" && \ + rm checksums.txt; \ + done + +# install gosu +# We use gosu to step down from root and run as the atlantis user +# renovate: datasource=github-releases depName=tianon/gosu +ENV GOSU_VERSION=1.16 + +RUN case ${TARGETPLATFORM} in \ + "linux/amd64") GOSU_ARCH=amd64 ;; \ + "linux/arm64") GOSU_ARCH=arm64 ;; \ + "linux/arm/v7") GOSU_ARCH=armhf ;; \ + esac && \ + curl -L -s --output gosu "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${GOSU_ARCH}" && \ + curl -L -s --output gosu.asc "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${GOSU_ARCH}.asc" && \ + for server in $(shuf -e ipv4.pool.sks-keyservers.net \ + hkp://p80.pool.sks-keyservers.net:80 \ + keyserver.ubuntu.com \ + hkp://keyserver.ubuntu.com:80 \ + pgp.mit.edu) ; do \ + gpg --keyserver "$server" --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \ + done && \ + gpg --batch --verify gosu.asc gosu && \ + chmod +x gosu && \ + cp gosu /bin && \ + gosu --version + +# install git-lfs +# renovate: datasource=github-releases depName=git-lfs/git-lfs +ENV GIT_LFS_VERSION=3.3.0 + +RUN case ${TARGETPLATFORM} in \ + "linux/amd64") GIT_LFS_ARCH=amd64 ;; \ + "linux/arm64") GIT_LFS_ARCH=arm64 ;; \ + "linux/arm/v7") GIT_LFS_ARCH=arm ;; \ + esac && \ + curl -L -s --output git-lfs.tar.gz "https://github.com/git-lfs/git-lfs/releases/download/v${GIT_LFS_VERSION}/git-lfs-linux-${GIT_LFS_ARCH}-v${GIT_LFS_VERSION}.tar.gz" && \ + tar --strip-components=1 -xf git-lfs.tar.gz && \ + chmod +x git-lfs && \ + mv git-lfs /usr/bin/git-lfs && \ + git-lfs --version # install terraform binaries # renovate: datasource=github-releases depName=hashicorp/terraform versioning=hashicorp ENV DEFAULT_TERRAFORM_VERSION=1.4.4 -# In the official Atlantis image we only have the latest of each Terraform version. -SHELL ["/bin/bash", "-o", "pipefail", "-c"] -RUN AVAILABLE_TERRAFORM_VERSIONS="1.0.11 1.1.9 1.2.9 1.3.9 ${DEFAULT_TERRAFORM_VERSION}" && \ +# In the official Atlantis image, we only have the latest of each Terraform version. +RUN AVAILABLE_TERRAFORM_VERSIONS="1.1.9 1.2.9 1.3.9 ${DEFAULT_TERRAFORM_VERSION}" && \ case "${TARGETPLATFORM}" in \ "linux/amd64") TERRAFORM_ARCH=amd64 ;; \ "linux/arm64") TERRAFORM_ARCH=arm64 ;; \ @@ -58,34 +133,79 @@ RUN AVAILABLE_TERRAFORM_VERSIONS="1.0.11 1.1.9 1.2.9 1.3.9 ${DEFAULT_TERRAFORM_V rm "terraform_${VERSION}_SHA256SUMS"; \ done -# renovate: datasource=github-releases depName=open-policy-agent/conftest -ENV DEFAULT_CONFTEST_VERSION=0.40.0 -RUN AVAILABLE_CONFTEST_VERSIONS="${DEFAULT_CONFTEST_VERSION}" && \ - case "${TARGETPLATFORM}" in \ - "linux/amd64") CONFTEST_ARCH=x86_64 ;; \ - "linux/arm64") CONFTEST_ARCH=arm64 ;; \ - # There is currently no compiled version of conftest for armv7 - "linux/arm/v7") CONFTEST_ARCH=x86_64 ;; \ - esac && \ - for VERSION in ${AVAILABLE_CONFTEST_VERSIONS}; do \ - curl -LOs "https://github.com/open-policy-agent/conftest/releases/download/v${VERSION}/conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz" && \ - curl -LOs "https://github.com/open-policy-agent/conftest/releases/download/v${VERSION}/checksums.txt" && \ - sed -n "/conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz/p" checksums.txt | sha256sum -c && \ - mkdir -p "/usr/local/bin/cft/versions/${VERSION}" && \ - tar -C "/usr/local/bin/cft/versions/${VERSION}" -xzf "conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz" && \ - ln -s "/usr/local/bin/cft/versions/${VERSION}/conftest" "/usr/local/bin/conftest${VERSION}" && \ - rm "conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz" && \ - rm checksums.txt; \ - done +# Stage 2 - Alpine +# Creating the individual distro builds using targets +FROM alpine:${ALPINE_TAG} AS alpine -RUN ln -s /usr/local/bin/cft/versions/${DEFAULT_CONFTEST_VERSION}/conftest /usr/local/bin/conftest +# atlantis user for gosu and OpenShift compatibility +RUN addgroup atlantis && \ + adduser -S -G atlantis atlantis && \ + adduser atlantis root && \ + chown atlantis:root /home/atlantis/ && \ + chmod g=u /home/atlantis/ && \ + chmod g=u /etc/passwd # copy binary COPY --from=builder /app/atlantis /usr/local/bin/atlantis +# copy terraform +COPY --from=deps /usr/local/bin/terraform* /usr/local/bin/ +# copy deps +COPY --from=deps /usr/local/bin/conftest /usr/local/bin/conftest +COPY --from=deps /bin/gosu /bin/gosu +COPY --from=deps /usr/bin/git-lfs /usr/bin/git-lfs +# copy docker entrypoint +COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh + +# Install packages needed for running Atlantis. +# We place this last as it will bust less docker layer caches when packages update +RUN apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main/ \ + git~=2.40 && \ + apk add --no-cache \ + ca-certificates~=20220614 \ + curl~=7.87 \ + unzip~=6.0 \ + bash~=5.2 \ + openssh~=9.1_p1 \ + libcap~=2.66 \ + dumb-init~=1.2 \ + gcompat~=1.1 + +ENTRYPOINT ["docker-entrypoint.sh"] +CMD ["server"] + +# Stage 2 - Debian +FROM debian:${DEBIAN_TAG} AS debian +# copy binary +COPY --from=builder /app/atlantis /usr/local/bin/atlantis +# copy terraform +COPY --from=deps /usr/local/bin/terraform* /usr/local/bin/ +# copy deps +COPY --from=deps /usr/local/bin/conftest /usr/local/bin/conftest +COPY --from=deps /bin/gosu /bin/gosu +COPY --from=deps /usr/bin/git-lfs /usr/bin/git-lfs # copy docker entrypoint COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh +# Install packages needed for running Atlantis. +# We place this last as it will bust less docker layer caches when packages update +# hadolint ignore explanation +# DL3008 (pin versions using "=") - Ignored to avoid failing the build +# SC2261 (multiple redirections) - This is a bug https://github.com/hadolint/hadolint/issues/782 +# hadolint ignore=DL3008,SC2261 +RUN apt-get update && \ + apt-get install -y --no-install-recommends \ + ca-certificates>=20210119 \ + curl>=7.74 \ + git>=1:2.30 \ + unzip>=6.0 \ + bash>=5.1 \ + openssh-server>=1:8.4p1 \ + libcap2>=1:2.44 \ + dumb-init>=1.2 && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* + ENTRYPOINT ["docker-entrypoint.sh"] CMD ["server"] diff --git a/_Dockerfile.dev b/_Dockerfile.dev index f3b917db70..f85a5555e2 100644 --- a/_Dockerfile.dev +++ b/_Dockerfile.dev @@ -1,7 +1,3 @@ FROM ghcr.io/runatlantis/atlantis:latest COPY atlantis /usr/local/bin/atlantis -# TODO: remove this once we get this in the base image -# renovate: datasource=github-releases depName=open-policy-agent/conftest -ENV DEFAULT_CONFTEST_VERSION=0.40.0 - WORKDIR /atlantis/src diff --git a/docker-base/Dockerfile.alpine b/docker-base/Dockerfile.alpine deleted file mode 100644 index ff48a8734c..0000000000 --- a/docker-base/Dockerfile.alpine +++ /dev/null @@ -1,80 +0,0 @@ -# This Dockerfile builds our base image with gosu, dumb-init and the atlantis -# user. We split this from the main Dockerfile because this base doesn't change -# and also because it kept breaking the build due to flakiness. -FROM alpine:3.17.3 -LABEL authors="Anubhav Mishra, Luke Kysow" - -# We use gosu to step down from root and run as the atlantis user so we need -# to create that user and group. -# We add the atlantis user to the root group and make its home directory -# owned by root so that OpenShift users can use /home/atlantis as their -# data dir because OpenShift runs containers as a random uid that's part of -# the root group. -RUN addgroup atlantis && \ - adduser -S -G atlantis atlantis && \ - adduser atlantis root && \ - chown atlantis:root /home/atlantis/ && \ - chmod g=u /home/atlantis/ && \ - chmod g=u /etc/passwd - -# Install gosu and git-lfs. -ENV GOSU_VERSION=1.16 -ENV GIT_LFS_VERSION=3.3.0 - -# Automatically populated with the architecture the image is being built for. -ARG TARGETPLATFORM - -# Install packages needed for running Atlantis. -RUN apk add git~=2.40 --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main/ && \ - apk add --no-cache \ - ca-certificates~=20220614 \ - curl~=7.88 \ - unzip~=6.0 \ - bash~=5.2 \ - openssh~=9.1_p1 \ - libcap~=2.66 \ - dumb-init~=1.2 \ - gcompat~=1.1 && \ - # Install packages needed for building dependencies. - apk add --no-cache --virtual .build-deps \ - gnupg~=2.2 \ - openssl~=3.0 && \ - mkdir -p /tmp/build && \ - cd /tmp/build && \ - # git-lfs - case ${TARGETPLATFORM} in \ - "linux/amd64") GIT_LFS_ARCH=amd64 ;; \ - "linux/arm64") GIT_LFS_ARCH=arm64 ;; \ - "linux/arm/v7") GIT_LFS_ARCH=arm ;; \ - esac && \ - curl -L -s --output git-lfs.tar.gz "https://github.com/git-lfs/git-lfs/releases/download/v${GIT_LFS_VERSION}/git-lfs-linux-${GIT_LFS_ARCH}-v${GIT_LFS_VERSION}.tar.gz" && \ - tar --strip-components=1 -xf git-lfs.tar.gz && \ - chmod +x git-lfs && \ - mv git-lfs /usr/bin/git-lfs && \ - git-lfs --version && \ - # gosu - case ${TARGETPLATFORM} in \ - "linux/amd64") GOSU_ARCH=amd64 ;; \ - "linux/arm64") GOSU_ARCH=arm64 ;; \ - "linux/arm/v7") GOSU_ARCH=armhf ;; \ - esac && \ - curl -L -s --output gosu "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${GOSU_ARCH}" && \ - curl -L -s --output gosu.asc "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${GOSU_ARCH}.asc" && \ - for server in $(shuf -e ipv4.pool.sks-keyservers.net \ - hkp://p80.pool.sks-keyservers.net:80 \ - keyserver.ubuntu.com \ - hkp://keyserver.ubuntu.com:80 \ - pgp.mit.edu) ; do \ - gpg --keyserver "$server" --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \ - done && \ - gpg --batch --verify gosu.asc gosu && \ - chmod +x gosu && \ - cp gosu /bin && \ - gosu --version && \ - # Cleanup - cd /tmp && \ - rm -rf /tmp/build && \ - gpgconf --kill dirmngr && \ - gpgconf --kill gpg-agent && \ - apk del .build-deps && \ - rm -rf /root/.gnupg diff --git a/docker-base/Dockerfile.debian b/docker-base/Dockerfile.debian deleted file mode 100644 index 63da851bb1..0000000000 --- a/docker-base/Dockerfile.debian +++ /dev/null @@ -1,81 +0,0 @@ -# This Dockerfile builds our base image with gosu, dumb-init and the atlantis -# user. We split this from the main Dockerfile because this base doesn't change -# and also because it kept breaking the build due to flakiness. -FROM debian:11.6-slim - -# We use gosu to step down from root and run as the atlantis user so we need -# to create that user and group. -# We add the atlantis user to the root group and make its home directory -# owned by root so that OpenShift users can use /home/atlantis as their -# data dir because OpenShift runs containers as a random uid that's part of -# the root group. -RUN useradd --create-home --user-group --shell /bin/bash atlantis && \ - adduser atlantis root && \ - chown atlantis:root /home/atlantis/ && \ - chmod g=u /home/atlantis/ && \ - chmod g=u /etc/passwd - -# Install gosu and git-lfs. -ENV GOSU_VERSION=1.16 -ENV GIT_LFS_VERSION=3.3.0 - -# Automatically populated with the architecture the image is being built for. -ARG TARGETPLATFORM - -# Install packages needed for running Atlantis. -# hadolint ignore explanation -# DL3008 (pin versions using "=") - Ignored to avoid failing the build -# SC2261 (multiple redirections) - This is a bug https://github.com/hadolint/hadolint/issues/782 -# hadolint ignore=DL3008,SC2261 -RUN apt-get update \ - && apt-get install -y --no-install-recommends \ - ca-certificates>=20210119 \ - curl>=7.74 \ - git>=1:2.30 \ - unzip>=6.0 \ - bash>=5.1 \ - openssh-server>=1:8.4p1 \ - libcap2>=1:2.44 \ - dumb-init>=1.2 \ - # Install packages needed for building dependencies. - && apt-get install -y --no-install-recommends \ - gnupg>=2.2 \ - openssl>=1.1.1n && \ - mkdir -p /tmp/build && \ - cd /tmp/build && \ - # git-lfs - case ${TARGETPLATFORM} in \ - "linux/amd64") GIT_LFS_ARCH=amd64 ;; \ - "linux/arm64") GIT_LFS_ARCH=arm64 ;; \ - "linux/arm/v7") GIT_LFS_ARCH=arm ;; \ - esac && \ - curl -L -s --output git-lfs.tar.gz "https://github.com/git-lfs/git-lfs/releases/download/v${GIT_LFS_VERSION}/git-lfs-linux-${GIT_LFS_ARCH}-v${GIT_LFS_VERSION}.tar.gz" && \ - tar --strip-components=1 -xf git-lfs.tar.gz && \ - chmod +x git-lfs && \ - mv git-lfs /usr/bin/git-lfs && \ - git-lfs --version && \ - # gosu - case ${TARGETPLATFORM} in \ - "linux/amd64") GOSU_ARCH=amd64 ;; \ - "linux/arm64") GOSU_ARCH=arm64 ;; \ - "linux/arm/v7") GOSU_ARCH=armhf ;; \ - esac && \ - curl -L -s --output gosu "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${GOSU_ARCH}" && \ - curl -L -s --output gosu.asc "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${GOSU_ARCH}.asc" && \ - for server in $(shuf -e ipv4.pool.sks-keyservers.net \ - hkp://p80.pool.sks-keyservers.net:80 \ - keyserver.ubuntu.com \ - hkp://keyserver.ubuntu.com:80 \ - pgp.mit.edu) ; do \ - gpg --keyserver "$server" --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \ - done && \ - gpg --batch --verify gosu.asc gosu && \ - chmod +x gosu && \ - cp gosu /bin && \ - gosu --version && \ - # Cleanup - cd /tmp && \ - rm -rf /tmp/build && \ - gpgconf --kill dirmngr && \ - gpgconf --kill gpg-agent && \ - rm -rf /root/.gnupg