diff --git a/.github/workflows/build-python3.yaml b/.github/workflows/build-python3.yaml
new file mode 100644
index 0000000..3379bcf
--- /dev/null
+++ b/.github/workflows/build-python3.yaml
@@ -0,0 +1,50 @@
+---
+name: Build the Python3 container
+
+on:
+ push:
+ paths:
+ - "python3/**"
+ - ".github/workflows/build-python3.yaml"
+ schedule:
+ - cron: '0 7 * * *'
+ workflow_dispatch:
+
+jobs:
+ build-push-python3:
+ runs-on: "ubuntu-22.04"
+ permissions:
+ packages: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+ with:
+ platforms: "linux/amd64,linux/arm64"
+ # The latest version will lead to segmentation fault.
+ image: "tonistiigi/binfmt:qemu-v7.0.0-28"
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build and push
+ uses: docker/build-push-action@v6
+ with:
+ context: "./python3"
+ platforms: "linux/amd64,linux/arm64"
+ # only push the latest tag on the main branch
+ push: "${{ github.ref == 'refs/heads/main' }}"
+ tags: |
+ ghcr.io/openconext/openconext-basecontainers/python3:latest
+ ghcr.io/openconext/openconext-basecontainers/python3:${{ github.sha }}
+ cache-from: type=gha
+ cache-to: type=gha
diff --git a/python3/Dockerfile b/python3/Dockerfile
new file mode 100644
index 0000000..da0fdef
--- /dev/null
+++ b/python3/Dockerfile
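Review bot: Every third-party action in this job is referenced by a mutable major tag (`actions/checkout@v4`, `docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`, `docker/login-action@v3`, `docker/build-push-action@v6`), so a moved or compromised tag would run arbitrary code in a job that holds a `packages: write` token for ghcr.io; pin each `uses:` to a full commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v4`. The same applies to `image: "tonistiigi/binfmt:qemu-v7.0.0-28"`, which is a tag rather than a `@sha256:` digest even though the comment shows that version was chosen deliberately. The explicit `permissions:` block also resets every unlisted scope to `none`, including `contents`; adding `contents: read` next to `packages: write` makes the checkout grant explicit and keeps the job working should the repository become private.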
@@ -0,0 +1,35 @@
+FROM docker.io/library/python:3.11-slim-bookworm
+
+# Do an initial clean up and general upgrade of the distribution
+ENV DEBIAN_FRONTEND=noninteractive
+RUN \
+ apt-get update && \
+ apt-get -y dist-upgrade && \
+ apt-get -y install \
+ build-essential \
+ bzip2 \
+ curl \
+ default-libmysqlclient-dev \
+ git \
+ libxmlsec1-dev \
+ pkgconf \
+ python3-dev \
+ util-linux \
+ xz-utils \
+ && \
+ apt-get -y autoremove && \
+ rm -rf /var/lib/apt/lists/* /var/cache/apt/*
+
+# if specified, drop privileges to this uid and gid
+ARG RUNAS_UID
+ARG RUNAS_GID
+
+# Copy the startup script
+RUN mkdir /container-init /container-init-post
+COPY --chmod=0755 ./bin/entrypoint.sh /entrypoint.sh
+
+# Set the default workdir
+WORKDIR /opt
+
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["python3"]
diff --git a/python3/bin/entrypoint.sh b/python3/bin/entrypoint.sh
new file mode 100755
index 0000000..89dc238
--- /dev/null
+++ b/python3/bin/entrypoint.sh
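Review bot: `ARG RUNAS_UID` and `ARG RUNAS_GID` never reach the running container: a build argument is not part of the image environment, while `/entrypoint.sh` decides whether to drop privileges from `$RUNAS_UID`/`$RUNAS_GID` at runtime, so a value given with `--build-arg` is silently ignored and the container keeps running as root. Either replace the two lines with a comment stating that these are runtime variables (`docker run -e RUNAS_UID=... -e RUNAS_GID=...`), or forward a build-time default with `ENV RUNAS_UID=${RUNAS_UID} RUNAS_GID=${RUNAS_GID}` (an empty value still counts as unset for the entrypoint's `-n` test). Two smaller points in the same hunk: `ENV DEBIAN_FRONTEND=noninteractive` persists into the runtime environment of every derived image and is better set inline on the `RUN`, and `apt-get -y install` without `--no-install-recommends` may pull in recommended packages that `build-essential` and `git` drag along. Pinning `FROM docker.io/library/python:3.11-slim-bookworm` by `@sha256:` digest would make the nightly rebuild reproducible, though the floating tag may be intended so the scheduled build picks up upstream fixes; if so, a comment saying that would help.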
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+set -e
+
+# handle privilege dropping
+if [ $UID -ne 0 ]
+then
+ echo "This container need to run as root"
+ echo "Use USER/GROUP environment variables to specify the uid/gid to run as"
+
+ exit 1
+fi
+
+# run custom scripts before dropping privileges
+echo "Running custom scripts in /container-init as root"
+if [ -d "/container-init" ]
+then
+ # run all scripts using run-parts
+ run-parts --verbose --regex '.*' "/container-init"
+fi
+
+# set up privilege dropping to user and group
+PRIVDROP=
+if [ -n "$RUNAS_UID" ]
+then
+ if [ -n "$RUNAS_GID" ]
+ then
+ echo "Switching to user $RUNAS_UID and group $RUNAS_GID"
+ groupadd -g $RUNAS_GID openconext
+ useradd -M -u $RUNAS_UID -g $RUNAS_GID openconext
+ PRIVDROP="setpriv --reuid=openconext --regid=openconext --reset-env --clear-groups"
+ else
+ echo "Switching to user $RUNAS_UID"
+ useradd -M -u $RUNAS_UID openconext
+ PRIVDROP="setpriv --reuid=openconext --reset-env --clear-groups"
+fi
+ echo "Dropping privileges to $($PRIVDROP id -u):$($PRIVDROP id -g)"
+
+ # run custom scripts after dropping privileges
+ echo "Running custom scripts in /container-init-post as $RUNAS_UID"
+ if [ -d "/container-init-post" ]
+ then
+ # run all scripts using run-parts
+ ${PRIVDROP} run-parts --verbose --regex '.*' "/container-init-post"
+ fi
+else
+ echo "Warning: not dropping privileges"
+ if [ -d "/container-init-post" ] && ! find /container-init-post/ -maxdepth 0 -empty
+ then
+ echo "Warning: not running scripts in /container-init-post as no user is specified"
+ fi
+fi
+
+# Hand off to the CMD
+exec ${PRIVDROP} "$@"
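Review bot: In the uid-only branch (`useradd -M -u $RUNAS_UID openconext` followed by `PRIVDROP="setpriv --reuid=openconext --reset-env --clear-groups"`) the process keeps gid 0, because setpriv changes only the ids it is explicitly given; the `Dropping privileges to ...` line would print `<uid>:0` and anything writable by the root group stays writable after the "drop". Use `PRIVDROP="setpriv --reuid=openconext --regid=$(id -g openconext) --reset-env --clear-groups"` so the primary group useradd assigned is used in both branches. Note also that `--reset-env` clears every environment variable except TERM before the CMD runs, so application settings passed with `docker run -e` will not reach `python3`; if that is intended it deserves a comment on the `PRIVDROP=` lines, otherwise drop `--reset-env`. The root-check message `Use USER/GROUP environment variables ...` names variables the script never reads and should say `RUNAS_UID`/`RUNAS_GID`. The `fi` closing the inner `if [ -n "$RUNAS_GID" ]` appears to sit at column 0, which reads as the end of the outer block; indent it to match its `if`.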