From 92fd44c6404ba5717582ca6aab79b502d515dbd5 Mon Sep 17 00:00:00 2001 From: Dylan Page Date: Tue, 4 Apr 2023 16:55:24 -0500 Subject: [PATCH] Revert "refactor(atlantis-image): recombine with atlantis-base (#3001)" This reverts commit 310aff835108b527bca6a01298817174be02c838. --- .github/workflows/atlantis-base.yml | 98 +++++++++++++++ .github/workflows/atlantis-image.yml | 25 ---- Dockerfile | 182 +++++---------------------- Dockerfile.dev | 4 + docker-base/Dockerfile.alpine | 80 ++++++++++++ docker-base/Dockerfile.debian | 81 ++++++++++++ 6 files changed, 294 insertions(+), 176 deletions(-) create mode 100644 .github/workflows/atlantis-base.yml create mode 100644 docker-base/Dockerfile.alpine create mode 100644 docker-base/Dockerfile.debian diff --git a/.github/workflows/atlantis-base.yml b/.github/workflows/atlantis-base.yml new file mode 100644 index 0000000000..c18a68367f --- /dev/null +++ b/.github/workflows/atlantis-base.yml @@ -0,0 +1,98 @@ +name: atlantis-base + +on: + push: + paths: + - 'docker-base/Dockerfile.*' + - '.github/workflows/atlantis-base.yml' + branches: + - "main" + pull_request: + paths: + - 'docker-base/Dockerfile.*' + - '.github/workflows/atlantis-base.yml' + workflow_dispatch: + +defaults: + run: + working-directory: docker-base + +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + +jobs: + build: + strategy: + matrix: + image_type: [alpine, debian] + runs-on: ubuntu-22.04 + env: + DOCKERFILE: "Dockerfile.${{ matrix.image_type }}" + IMAGE_BASE: ghcr.io/${{ github.repository_owner }}/atlantis-base + IMAGE_SUFFIX: ${{ matrix.image_type != 'alpine' && format('-{0}', matrix.image_type) || '' }} + steps: + - uses: actions/checkout@v3 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v2 + with: + image: tonistiigi/binfmt:latest + platforms: arm64,arm + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + # related issues for pinning buildkit + # https://github.com/docker/build-push-action/issues/761 + # https://github.com/containerd/containerd/issues/7972 + # https://github.com/containerd/containerd/pull/6995 + with: + driver-opts: | + image=moby/buildkit:v0.10.6 + + - name: Docker meta + id: meta + uses: docker/metadata-action@v4 + with: + images: | + atlantis + labels: | + org.opencontainers.image.licenses=Apache-2.0 + tags: | + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + + - name: Login to Packages Container registry + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Populate release version + run: echo "RELEASE_VERSION=$(date +"%Y.%m.%d")" >> $GITHUB_ENV + + - name: Build and push atlantis-base:${{ env.RELEASE_VERSION }}${{ env.IMAGE_SUFFIX }} image + uses: docker/build-push-action@v4 + with: + cache-from: type=gha + cache-to: type=gha,mode=max + context: docker-base + build-args: ATLANTIS_BASE_TAG_TYPE=${{ matrix.image_type }} + file: docker-base/${{ env.DOCKERFILE }} + platforms: linux/arm64/v8,linux/amd64,linux/arm/v7 + push: ${{ github.event_name != 'pull_request' }} + # release version is the YYYYMMDD date of the build i.e. 20301210 + # release version also has the image type appended i.e. 20301210-alpine + # release tag is latest i.e. latest + # release tag also has the image type appended i.e. latest-alpine + # if it's Dec 10, 2030 and alpine, it will do 20301210, 20301210-alpine, latest, latest-alpine + # if it's Dec 10, 2030 and debian, it will do 20301210-debian, latest-debian + tags: | + ${{ env.IMAGE_BASE }}:${{ env.RELEASE_VERSION }}${{ env.IMAGE_SUFFIX }} + ${{ env.IMAGE_BASE }}:${{ env.RELEASE_VERSION }}-${{ matrix.image_type }} + ${{ env.IMAGE_BASE }}:latest${{ env.IMAGE_SUFFIX }} + ${{ env.IMAGE_BASE }}:latest-${{ matrix.image_type }} + labels: ${{ steps.meta.outputs.labels }} diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index 4f9a0cdd36..3b7c0969d4 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -10,7 +10,6 @@ on: pull_request: paths: - 'Dockerfile' - - 'docker-entrypoint.sh' - '.github/workflows/atlantis-image.yml' workflow_dispatch: @@ -33,12 +32,6 @@ jobs: steps: - uses: actions/checkout@v3 - # Lint the Dockerfile first before setting anything up - - name: Lint Dockerfile - uses: hadolint/hadolint-action@master - with: - dockerfile: "Dockerfile" - - name: Set up QEMU uses: docker/setup-qemu-action@v2 with: @@ -63,7 +56,6 @@ jobs: images: | ${{ env.DOCKER_REPO }} labels: | - org.opencontainers.image.authors="Anubhav Mishra, Luke Kysow" org.opencontainers.image.licenses=Apache-2.0 tags: | # semver @@ -94,22 +86,6 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - # Publish dev image to container registry - - name: Build and push atlantis:dev${{ env.IMAGE_SUFFIX }} image - if: ${{ contains(fromJson('["push", "pull_request"]'), github.event_name) }} - uses: docker/build-push-action@v3 - with: - cache-from: type=gha - cache-to: type=gha,mode=max - context: . - platforms: linux/arm64/v8,linux/amd64,linux/arm/v7 - push: ${{ github.event_name != 'pull_request' }} - tags: | - ghcr.io/${{ github.repository_owner }}/atlantis:dev${{ env.IMAGE_SUFFIX }} - ghcr.io/${{ github.repository_owner }}/atlantis:dev-${{ matrix.image_type }} - target: ${{ matrix.image_type }} - labels: ${{ steps.meta.outputs.labels }} - # Publish release to container registry - name: Populate release version if: contains(fromJson('["push", "pull_request"]'), github.event_name) @@ -130,6 +106,5 @@ jobs: platforms: linux/arm64/v8,linux/amd64,linux/arm/v7 push: ${{ env.PUSH }} tags: ${{ steps.meta.outputs.tags }} - target: ${{ matrix.image_type }} labels: ${{ steps.meta.outputs.labels }} outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }} diff --git a/Dockerfile b/Dockerfile index 938b4ed07d..dacdd1bd6a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,9 +1,8 @@ -# syntax=docker/dockerfile:1 -# what distro is the image being built for -ARG ALPINE_TAG=3.17.1 -ARG DEBIAN_TAG=11.6-slim +ARG ATLANTIS_BASE=ghcr.io/runatlantis/atlantis-base +ARG ATLANTIS_BASE_TAG_DATE=latest +ARG ATLANTIS_BASE_TAG_TYPE=alpine -# Stage 1: build artifact and download deps +# Stage 1: build artifact FROM golang:1.20.2-alpine AS builder @@ -20,102 +19,28 @@ WORKDIR /app # https://github.com/montanaflynn/golang-docker-cache # https://github.com/golang/go/issues/27719 COPY go.mod go.sum ./ -SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN go mod graph | awk '{if ($1 !~ "@") print $2}' | xargs go get COPY . /app + RUN --mount=type=cache,target=/go/pkg/mod \ --mount=type=cache,target=/root/.cache/go-build \ CGO_ENABLED=0 go build -trimpath -ldflags "-s -w -X 'main.version=${ATLANTIS_VERSION}' -X 'main.commit=${ATLANTIS_COMMIT}' -X 'main.date=${ATLANTIS_DATE}'" -v -o atlantis . -FROM debian:${DEBIAN_TAG} as deps +# Stage 2 +# The runatlantis/atlantis-base is created by docker-base/Dockerfile +FROM ${ATLANTIS_BASE}:${ATLANTIS_BASE_TAG_DATE}-${ATLANTIS_BASE_TAG_TYPE} AS base # Get the architecture the image is being built for ARG TARGETPLATFORM -WORKDIR /tmp/build - -# Install packages needed for building/verifying dependencies -# hadolint ignore=DL3008,SC2261 -RUN apt-get update \ - && apt-get install -y --no-install-recommends \ - ca-certificates>=20210119 \ - curl>=7.74 \ - git>=1:2.30 \ - unzip>=6.0 \ - bash>=5.1 \ - openssh-server>=1:8.4p1 \ - libcap2>=1:2.44 \ - dumb-init>=1.2 \ - gnupg>=2.2 \ - openssl>=1.1.1n - -# install conftest -# renovate: datasource=github-releases depName=open-policy-agent/conftest -SHELL ["/bin/bash", "-o", "pipefail", "-c"] -ENV DEFAULT_CONFTEST_VERSION=0.40.0 -RUN AVAILABLE_CONFTEST_VERSIONS=${DEFAULT_CONFTEST_VERSION} && \ - case ${TARGETPLATFORM} in \ - "linux/amd64") CONFTEST_ARCH=x86_64 ;; \ - "linux/arm64") CONFTEST_ARCH=arm64 ;; \ - # There is currently no compiled version of conftest for armv7 - "linux/arm/v7") CONFTEST_ARCH=x86_64 ;; \ - esac && \ - for VERSION in ${AVAILABLE_CONFTEST_VERSIONS}; do \ - curl -LOs "https://github.com/open-policy-agent/conftest/releases/download/v${VERSION}/conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz" && \ - curl -LOs "https://github.com/open-policy-agent/conftest/releases/download/v${VERSION}/checksums.txt" && \ - sed -n "/conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz/p" checksums.txt | sha256sum -c && \ - mkdir -p "/usr/local/bin/cft/versions/${VERSION}" && \ - tar -C "/usr/local/bin/cft/versions/${VERSION}" -xzf "conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz" && \ - ln -s "/usr/local/bin/cft/versions/${VERSION}/conftest" /usr/local/bin/conftest && \ - rm "conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz" && \ - rm checksums.txt; \ - done - -# install gosu -# We use gosu to step down from root and run as the atlantis user -# renovate: datasource=github-releases depName=tianon/gosu -ENV GOSU_VERSION=1.16 - -RUN case ${TARGETPLATFORM} in \ - "linux/amd64") GOSU_ARCH=amd64 ;; \ - "linux/arm64") GOSU_ARCH=arm64 ;; \ - "linux/arm/v7") GOSU_ARCH=armhf ;; \ - esac && \ - curl -L -s --output gosu "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${GOSU_ARCH}" && \ - curl -L -s --output gosu.asc "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${GOSU_ARCH}.asc" && \ - for server in $(shuf -e ipv4.pool.sks-keyservers.net \ - hkp://p80.pool.sks-keyservers.net:80 \ - keyserver.ubuntu.com \ - hkp://keyserver.ubuntu.com:80 \ - pgp.mit.edu) ; do \ - gpg --keyserver "$server" --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \ - done && \ - gpg --batch --verify gosu.asc gosu && \ - chmod +x gosu && \ - cp gosu /bin && \ - gosu --version - -# install git-lfs -# renovate: datasource=github-releases depName=git-lfs/git-lfs -ENV GIT_LFS_VERSION=3.3.0 - -RUN case ${TARGETPLATFORM} in \ - "linux/amd64") GIT_LFS_ARCH=amd64 ;; \ - "linux/arm64") GIT_LFS_ARCH=arm64 ;; \ - "linux/arm/v7") GIT_LFS_ARCH=arm ;; \ - esac && \ - curl -L -s --output git-lfs.tar.gz "https://github.com/git-lfs/git-lfs/releases/download/v${GIT_LFS_VERSION}/git-lfs-linux-${GIT_LFS_ARCH}-v${GIT_LFS_VERSION}.tar.gz" && \ - tar --strip-components=1 -xf git-lfs.tar.gz && \ - chmod +x git-lfs && \ - mv git-lfs /usr/bin/git-lfs && \ - git-lfs --version # install terraform binaries # renovate: datasource=github-releases depName=hashicorp/terraform versioning=hashicorp ENV DEFAULT_TERRAFORM_VERSION=1.4.4 -# In the official Atlantis image, we only have the latest of each Terraform version. -RUN AVAILABLE_TERRAFORM_VERSIONS="1.1.9 1.2.9 1.3.9 ${DEFAULT_TERRAFORM_VERSION}" && \ +# In the official Atlantis image we only have the latest of each Terraform version. +SHELL ["/bin/bash", "-o", "pipefail", "-c"] +RUN AVAILABLE_TERRAFORM_VERSIONS="1.0.11 1.1.9 1.2.9 1.3.9 ${DEFAULT_TERRAFORM_VERSION}" && \ case "${TARGETPLATFORM}" in \ "linux/amd64") TERRAFORM_ARCH=amd64 ;; \ "linux/arm64") TERRAFORM_ARCH=arm64 ;; \ @@ -134,79 +59,34 @@ RUN AVAILABLE_TERRAFORM_VERSIONS="1.1.9 1.2.9 1.3.9 ${DEFAULT_TERRAFORM_VERSION} done && \ ln -s "/usr/local/bin/tf/versions/${DEFAULT_TERRAFORM_VERSION}/terraform" /usr/local/bin/terraform +# renovate: datasource=github-releases depName=open-policy-agent/conftest +ENV DEFAULT_CONFTEST_VERSION=0.40.0 -# Stage 2 - Alpine -# Creating the individual distro builds using targets -FROM alpine:${ALPINE_TAG} AS alpine +RUN AVAILABLE_CONFTEST_VERSIONS="${DEFAULT_CONFTEST_VERSION}" && \ + case "${TARGETPLATFORM}" in \ + "linux/amd64") CONFTEST_ARCH=x86_64 ;; \ + "linux/arm64") CONFTEST_ARCH=arm64 ;; \ + # There is currently no compiled version of conftest for armv7 + "linux/arm/v7") CONFTEST_ARCH=x86_64 ;; \ + esac && \ + for VERSION in ${AVAILABLE_CONFTEST_VERSIONS}; do \ + curl -LOs "https://github.com/open-policy-agent/conftest/releases/download/v${VERSION}/conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz" && \ + curl -LOs "https://github.com/open-policy-agent/conftest/releases/download/v${VERSION}/checksums.txt" && \ + sed -n "/conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz/p" checksums.txt | sha256sum -c && \ + mkdir -p "/usr/local/bin/cft/versions/${VERSION}" && \ + tar -C "/usr/local/bin/cft/versions/${VERSION}" -xzf "conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz" && \ + ln -s "/usr/local/bin/cft/versions/${VERSION}/conftest" "/usr/local/bin/conftest${VERSION}" && \ + rm "conftest_${VERSION}_Linux_${CONFTEST_ARCH}.tar.gz" && \ + rm checksums.txt; \ + done -# atlantis user for gosu and OpenShift compatibility -RUN addgroup atlantis && \ - adduser -S -G atlantis atlantis && \ - adduser atlantis root && \ - chown atlantis:root /home/atlantis/ && \ - chmod g=u /home/atlantis/ && \ - chmod g=u /etc/passwd +RUN ln -s /usr/local/bin/cft/versions/${DEFAULT_CONFTEST_VERSION}/conftest /usr/local/bin/conftest # copy binary COPY --from=builder /app/atlantis /usr/local/bin/atlantis -# copy terraform -COPY --from=deps /usr/local/bin/terraform* /usr/local/bin/ -# copy deps -COPY --from=deps /usr/local/bin/conftest /usr/local/bin/conftest -COPY --from=deps /bin/gosu /bin/gosu -COPY --from=deps /usr/bin/git-lfs /usr/bin/git-lfs -# copy docker entrypoint -COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh - -# Install packages needed for running Atlantis. -# We place this last as it will bust less docker layer caches when packages update -RUN apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main/ \ - git~=2.40 && \ - apk add --no-cache \ - ca-certificates~=20220614 \ - curl~=7.87 \ - unzip~=6.0 \ - bash~=5.2 \ - openssh~=9.1_p1 \ - libcap~=2.66 \ - dumb-init~=1.2 \ - gcompat~=1.1 -ENTRYPOINT ["docker-entrypoint.sh"] -CMD ["server"] - -# Stage 2 - Debian -FROM debian:${DEBIAN_TAG} AS debian - -# copy binary -COPY --from=builder /app/atlantis /usr/local/bin/atlantis -# copy terraform -COPY --from=deps /usr/local/bin/terraform* /usr/local/bin/ -# copy deps -COPY --from=deps /usr/local/bin/conftest /usr/local/bin/conftest -COPY --from=deps /bin/gosu /bin/gosu -COPY --from=deps /usr/bin/git-lfs /usr/bin/git-lfs # copy docker entrypoint COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh -# Install packages needed for running Atlantis. -# We place this last as it will bust less docker layer caches when packages update -# hadolint ignore explanation -# DL3008 (pin versions using "=") - Ignored to avoid failing the build -# SC2261 (multiple redirections) - This is a bug https://github.com/hadolint/hadolint/issues/782 -# hadolint ignore=DL3008,SC2261 -RUN apt-get update && \ - apt-get install -y --no-install-recommends \ - ca-certificates>=20210119 \ - curl>=7.74 \ - git>=1:2.30 \ - unzip>=6.0 \ - bash>=5.1 \ - openssh-server>=1:8.4p1 \ - libcap2>=1:2.44 \ - dumb-init>=1.2 && \ - apt-get clean && \ - rm -rf /var/lib/apt/lists/* - ENTRYPOINT ["docker-entrypoint.sh"] CMD ["server"] diff --git a/Dockerfile.dev b/Dockerfile.dev index f85a5555e2..f3b917db70 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev @@ -1,3 +1,7 @@ FROM ghcr.io/runatlantis/atlantis:latest COPY atlantis /usr/local/bin/atlantis +# TODO: remove this once we get this in the base image +# renovate: datasource=github-releases depName=open-policy-agent/conftest +ENV DEFAULT_CONFTEST_VERSION=0.40.0 + WORKDIR /atlantis/src diff --git a/docker-base/Dockerfile.alpine b/docker-base/Dockerfile.alpine new file mode 100644 index 0000000000..ff48a8734c --- /dev/null +++ b/docker-base/Dockerfile.alpine @@ -0,0 +1,80 @@ +# This Dockerfile builds our base image with gosu, dumb-init and the atlantis +# user. We split this from the main Dockerfile because this base doesn't change +# and also because it kept breaking the build due to flakiness. +FROM alpine:3.17.3 +LABEL authors="Anubhav Mishra, Luke Kysow" + +# We use gosu to step down from root and run as the atlantis user so we need +# to create that user and group. +# We add the atlantis user to the root group and make its home directory +# owned by root so that OpenShift users can use /home/atlantis as their +# data dir because OpenShift runs containers as a random uid that's part of +# the root group. +RUN addgroup atlantis && \ + adduser -S -G atlantis atlantis && \ + adduser atlantis root && \ + chown atlantis:root /home/atlantis/ && \ + chmod g=u /home/atlantis/ && \ + chmod g=u /etc/passwd + +# Install gosu and git-lfs. +ENV GOSU_VERSION=1.16 +ENV GIT_LFS_VERSION=3.3.0 + +# Automatically populated with the architecture the image is being built for. +ARG TARGETPLATFORM + +# Install packages needed for running Atlantis. +RUN apk add git~=2.40 --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main/ && \ + apk add --no-cache \ + ca-certificates~=20220614 \ + curl~=7.88 \ + unzip~=6.0 \ + bash~=5.2 \ + openssh~=9.1_p1 \ + libcap~=2.66 \ + dumb-init~=1.2 \ + gcompat~=1.1 && \ + # Install packages needed for building dependencies. + apk add --no-cache --virtual .build-deps \ + gnupg~=2.2 \ + openssl~=3.0 && \ + mkdir -p /tmp/build && \ + cd /tmp/build && \ + # git-lfs + case ${TARGETPLATFORM} in \ + "linux/amd64") GIT_LFS_ARCH=amd64 ;; \ + "linux/arm64") GIT_LFS_ARCH=arm64 ;; \ + "linux/arm/v7") GIT_LFS_ARCH=arm ;; \ + esac && \ + curl -L -s --output git-lfs.tar.gz "https://github.com/git-lfs/git-lfs/releases/download/v${GIT_LFS_VERSION}/git-lfs-linux-${GIT_LFS_ARCH}-v${GIT_LFS_VERSION}.tar.gz" && \ + tar --strip-components=1 -xf git-lfs.tar.gz && \ + chmod +x git-lfs && \ + mv git-lfs /usr/bin/git-lfs && \ + git-lfs --version && \ + # gosu + case ${TARGETPLATFORM} in \ + "linux/amd64") GOSU_ARCH=amd64 ;; \ + "linux/arm64") GOSU_ARCH=arm64 ;; \ + "linux/arm/v7") GOSU_ARCH=armhf ;; \ + esac && \ + curl -L -s --output gosu "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${GOSU_ARCH}" && \ + curl -L -s --output gosu.asc "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${GOSU_ARCH}.asc" && \ + for server in $(shuf -e ipv4.pool.sks-keyservers.net \ + hkp://p80.pool.sks-keyservers.net:80 \ + keyserver.ubuntu.com \ + hkp://keyserver.ubuntu.com:80 \ + pgp.mit.edu) ; do \ + gpg --keyserver "$server" --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \ + done && \ + gpg --batch --verify gosu.asc gosu && \ + chmod +x gosu && \ + cp gosu /bin && \ + gosu --version && \ + # Cleanup + cd /tmp && \ + rm -rf /tmp/build && \ + gpgconf --kill dirmngr && \ + gpgconf --kill gpg-agent && \ + apk del .build-deps && \ + rm -rf /root/.gnupg diff --git a/docker-base/Dockerfile.debian b/docker-base/Dockerfile.debian new file mode 100644 index 0000000000..63da851bb1 --- /dev/null +++ b/docker-base/Dockerfile.debian @@ -0,0 +1,81 @@ +# This Dockerfile builds our base image with gosu, dumb-init and the atlantis +# user. We split this from the main Dockerfile because this base doesn't change +# and also because it kept breaking the build due to flakiness. +FROM debian:11.6-slim + +# We use gosu to step down from root and run as the atlantis user so we need +# to create that user and group. +# We add the atlantis user to the root group and make its home directory +# owned by root so that OpenShift users can use /home/atlantis as their +# data dir because OpenShift runs containers as a random uid that's part of +# the root group. +RUN useradd --create-home --user-group --shell /bin/bash atlantis && \ + adduser atlantis root && \ + chown atlantis:root /home/atlantis/ && \ + chmod g=u /home/atlantis/ && \ + chmod g=u /etc/passwd + +# Install gosu and git-lfs. +ENV GOSU_VERSION=1.16 +ENV GIT_LFS_VERSION=3.3.0 + +# Automatically populated with the architecture the image is being built for. +ARG TARGETPLATFORM + +# Install packages needed for running Atlantis. +# hadolint ignore explanation +# DL3008 (pin versions using "=") - Ignored to avoid failing the build +# SC2261 (multiple redirections) - This is a bug https://github.com/hadolint/hadolint/issues/782 +# hadolint ignore=DL3008,SC2261 +RUN apt-get update \ + && apt-get install -y --no-install-recommends \ + ca-certificates>=20210119 \ + curl>=7.74 \ + git>=1:2.30 \ + unzip>=6.0 \ + bash>=5.1 \ + openssh-server>=1:8.4p1 \ + libcap2>=1:2.44 \ + dumb-init>=1.2 \ + # Install packages needed for building dependencies. + && apt-get install -y --no-install-recommends \ + gnupg>=2.2 \ + openssl>=1.1.1n && \ + mkdir -p /tmp/build && \ + cd /tmp/build && \ + # git-lfs + case ${TARGETPLATFORM} in \ + "linux/amd64") GIT_LFS_ARCH=amd64 ;; \ + "linux/arm64") GIT_LFS_ARCH=arm64 ;; \ + "linux/arm/v7") GIT_LFS_ARCH=arm ;; \ + esac && \ + curl -L -s --output git-lfs.tar.gz "https://github.com/git-lfs/git-lfs/releases/download/v${GIT_LFS_VERSION}/git-lfs-linux-${GIT_LFS_ARCH}-v${GIT_LFS_VERSION}.tar.gz" && \ + tar --strip-components=1 -xf git-lfs.tar.gz && \ + chmod +x git-lfs && \ + mv git-lfs /usr/bin/git-lfs && \ + git-lfs --version && \ + # gosu + case ${TARGETPLATFORM} in \ + "linux/amd64") GOSU_ARCH=amd64 ;; \ + "linux/arm64") GOSU_ARCH=arm64 ;; \ + "linux/arm/v7") GOSU_ARCH=armhf ;; \ + esac && \ + curl -L -s --output gosu "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${GOSU_ARCH}" && \ + curl -L -s --output gosu.asc "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${GOSU_ARCH}.asc" && \ + for server in $(shuf -e ipv4.pool.sks-keyservers.net \ + hkp://p80.pool.sks-keyservers.net:80 \ + keyserver.ubuntu.com \ + hkp://keyserver.ubuntu.com:80 \ + pgp.mit.edu) ; do \ + gpg --keyserver "$server" --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \ + done && \ + gpg --batch --verify gosu.asc gosu && \ + chmod +x gosu && \ + cp gosu /bin && \ + gosu --version && \ + # Cleanup + cd /tmp && \ + rm -rf /tmp/build && \ + gpgconf --kill dirmngr && \ + gpgconf --kill gpg-agent && \ + rm -rf /root/.gnupg