-
Notifications
You must be signed in to change notification settings - Fork 0
/
Dockerfile
167 lines (155 loc) · 6.09 KB
/
Dockerfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
FROM registry.access.redhat.com/ubi8/ubi:latest AS base
# Only set variables or install packages that need to end up in the
# final container here.
ENV PATH=/app/bin/:$PATH \
PYTHONUNBUFFERED=1 \
PYTHONIOENCODING=UTF-8 \
LC_ALL=C.UTF-8 \
LANG=C.UTF-8
ENV QUAYDIR /quay-registry
ENV QUAYCONF /quay-registry/conf
ENV QUAYPATH $QUAYDIR
ENV PYTHONUSERBASE /app
ENV PYTHONPATH $QUAYPATH
RUN set -ex\
; dnf -y -q --setopt=tsflags=nodocs --setopt=skip_missing_names_on_install=False install\
dnsmasq \
memcached \
nginx \
openldap \
openssl \
python38 \
python3-gpg \
skopeo \
; dnf -y -q clean all
# Build has all the build-only tools.
FROM base AS build
ENV PYTHONDONTWRITEBYTECODE 1
RUN set -ex\
; dnf -y -q --setopt=tsflags=nodocs --setopt=skip_missing_names_on_install=False install\
gcc-c++\
git\
nodejs\
openldap-devel\
python38-devel\
; dnf -y -q clean all
WORKDIR /build
# Config-editor builds the javascript for the configtool.
FROM build AS config-editor
# This argument must be repeated, and should have the same default as
# the other CONFIGTOOL_VERSION argument.
ARG CONFIGTOOL_VERSION=master
RUN curl -fsSL "https://github.com/quay/config-tool/archive/${CONFIGTOOL_VERSION}.tar.gz"\
| tar xz --strip-components=4 --exclude='*.go'
RUN set -ex\
; npm install --quiet --no-progress --ignore-engines\
; npm run --quiet build\
;
# Build-python installs the requirements for the python code.
FROM build AS build-python
COPY requirements.txt .
# Note that it installs into PYTHONUSERBASE because of the '--user'
# flag.
RUN set -ex\
; python3 -m pip install --no-cache-dir --quiet\
--upgrade setuptools pip\
; python3 -m pip install --no-cache-dir --progress-bar off\
--user --requirement requirements.txt --no-cache\
;
RUN set -ex\
# Doing this is explicitly against the purpose and use of certifi.
; for dir in\
$(find "$(python3 -m site --user-base)" -type d -name certifi)\
; do chgrp -R 0 "$dir" && chmod -R g=u "$dir" ; done\
;
# Build-static downloads the static javascript.
FROM build-python AS build-static
COPY --chown=0:0 static/ ./static/
COPY --chown=0:0 *.json *.js ./
RUN set -ex\
; npm install --quiet --no-progress --ignore-engines\
; npm run --quiet build\
;
# Jwtproxy grabs jwtproxy.
FROM registry.access.redhat.com/ubi8/ubi:latest AS jwtproxy
ENV OS=linux ARCH=amd64
ARG JWTPROXY_VERSION=0.0.3
RUN set -ex\
; curl -fsSL -o /usr/local/bin/jwtproxy "https://github.com/coreos/jwtproxy/releases/download/v${JWTPROXY_VERSION}/jwtproxy-${OS}-${ARCH}"\
; chmod +x /usr/local/bin/jwtproxy\
;
# Pushgateway grabs pushgateway.
FROM registry.access.redhat.com/ubi8/ubi:latest AS pushgateway
ENV OS=linux ARCH=amd64
ARG PUSHGATEWAY_VERSION=1.0.0
RUN set -ex\
; curl -fsSL "https://github.com/prometheus/pushgateway/releases/download/v${PUSHGATEWAY_VERSION}/pushgateway-${PUSHGATEWAY_VERSION}.${OS}-${ARCH}.tar.gz"\
| tar xz "pushgateway-${PUSHGATEWAY_VERSION}.${OS}-${ARCH}/pushgateway"\
; install "pushgateway-${PUSHGATEWAY_VERSION}.${OS}-${ARCH}/pushgateway" /usr/local/bin/pushgateway\
;
# Config-tool builds the go binary in the configtool.
FROM registry.access.redhat.com/ubi8/go-toolset:1.16.12 as config-tool
WORKDIR /opt/app-root/src
ARG CONFIGTOOL_VERSION=v0.1.10
RUN curl -fsSL "https://github.com/quay/config-tool/archive/${CONFIGTOOL_VERSION}.tar.gz"\
| tar xz --strip-components=1 --exclude '*/pkg/lib/editor/static/build'
COPY --from=config-editor /build/static/build /opt/app-root/src/pkg/lib/editor/static/build
RUN go install ./cmd/config-tool
# Final is the end container, where all the work from the other
# containers are copied in.
FROM base AS final
LABEL maintainer "[email protected]"
# All of these chgrp+chmod commands are an Openshift-ism.
#
# Openshift runs a container as a random UID and GID 0, so anything
# that's in the base image and needs to be modified at runtime needs
# to make sure it's group-writable.
RUN alternatives --set python /usr/bin/python3
RUN set -ex\
; setperms() { for d in "$@"; do chgrp -R 0 "$d" && chmod -R g=u "$d" && ls -ld "$d"; done; }\
; newdir() { for d in "$@"; do mkdir -m g+w "$d" || { mkdir -p "$d" && chgrp 0 "$d" && chmod g=u "$d"; }; ls -ld "$d"; done; }\
# Allow TLS certs to be created and installed as non-root user.
# See also update-ca-trust(8).
; setperms /etc/pki/ca-trust/extracted /etc/pki/ca-trust/source/anchors\
# Allow for nginx to run unprivledged.
; setperms /etc/nginx\
; ln -sf /dev/stdout /var/log/nginx/access.log\
; ln -sf /dev/stdout /var/log/nginx/error.log\
# The code doesn't agree on where the configuration lives, so create a
# symlink.
; ln -s $QUAYCONF /conf\
# Make a grip of runtime directories.
; newdir /certificates /quay-registry/conf/stack /datastorage\
# Another Openshift-ism: it doesn't bother picking a uid that means
# anything to the OS inside the container, so the process needs
# permissions to modify the user database.
; setperms /etc/passwd\
;
WORKDIR $QUAYDIR
RUN mkdir ${QUAYDIR}/config_app
# Ordered from least changing to most changing.
COPY --from=jwtproxy /usr/local/bin/jwtproxy /usr/local/bin/jwtproxy
COPY --from=pushgateway /usr/local/bin/pushgateway /usr/local/bin/pushgateway
COPY --from=build-python /app /app
COPY --from=config-tool /opt/app-root/src/go/bin/config-tool /bin
COPY --from=config-editor /build ${QUAYDIR}/config_app
COPY --from=build-static /build/static ${QUAYDIR}/static
# Copy in source and update local copy of AWS IP Ranges.
# This is a bad place to do the curl, but there's no good place to do
# it except to have it checked in.
COPY --chown=0:0 . ${QUAYDIR}
RUN set -ex\
; chmod -R g=u "${QUAYDIR}"\
; curl -fsSL https://ip-ranges.amazonaws.com/ip-ranges.json -o util/ipresolver/aws-ip-ranges.json\
;
RUN rm -Rf node_modules config_app/node_modules
EXPOSE 8080 8443 7443 9091 55443
# Don't expose /var/log as a volume, because we just configured it
# correctly above.
# It's probably unwise to mount /tmp as a volume but if someone must,
# make sure it's mode 1777 like /tmp should be.
VOLUME ["/datastorage", "/tmp", "/conf/stack"]
# In non-Openshift environments, drop privilege.
USER 1001
ENTRYPOINT ["dumb-init", "--", "/quay-registry/quay-entrypoint.sh"]
CMD ["registry"]