From 474b08df4c01bfdfb75968043b79a920a0449d6b Mon Sep 17 00:00:00 2001
From: Bas Zoetekouw
Date: Thu, 6 Feb 2025 12:05:17 +0100
Subject: [PATCH 01/10] add python3 basecontainer
---
 .github/workflows/build-python3.yaml | 63 ++++++++++++++++++++++++++++
 python3/Dockerfile | 36 ++++++++++++++++
 python3/bin/entrypoint.sh | 37 ++++++++++++++++
 python3/bla | 3 ++
 4 files changed, 139 insertions(+)
 create mode 100644 .github/workflows/build-python3.yaml
 create mode 100644 python3/Dockerfile
 create mode 100755 python3/bin/entrypoint.sh
 create mode 100755 python3/bla
diff --git a/.github/workflows/build-python3.yaml b/.github/workflows/build-python3.yaml
new file mode 100644
index 0000000..bb83881
--- /dev/null
+++ b/.github/workflows/build-python3.yaml
@@ -0,0 +1,63 @@
+---
+name: Build the Python3 container
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - python3/**
+ schedule:
+ - cron: '0 7 * * *'
+ workflow_dispatch:
+
+
+jobs:
+ build-push-apache2:
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Cache Docker layers
+ uses: actions/cache@v4
+ with:
+ path: /tmp/.buildx-cache
+ key: ${{ runner.os }}-buildx-${{ github.sha }}
+ restore-keys: |
+ ${{ runner.os }}-buildx-
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build and push
+ uses: docker/build-push-action@v6
+ with:
+ context: ./apache2
+ platforms: linux/amd64,linux/arm64
+ push: true
+ tags: |
+ ghcr.io/openconext/openconext-basecontainers/python3:latest
+ ghcr.io/openconext/openconext-basecontainers/python3:${{ github.sha }}
+ cache-from: type=local,src=/tmp/.buildx-cache
+ cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
+
+ - # Temp fix
+ # https://github.com/docker/build-push-action/issues/252
+ # https://github.com/moby/buildkit/issues/1896
+ name: Move cache
+ run: |
+ rm -rf /tmp/.buildx-cache
+ mv /tmp/.buildx-cache-new /tmp/.buildx-cache
diff --git a/python3/Dockerfile b/python3/Dockerfile
new file mode 100644
index 0000000..c8275dd
--- /dev/null
+++ b/python3/Dockerfile
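Review bot: Every `uses:` in the steps list (`actions/checkout@v4`, `docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`, `actions/cache@v4`, `docker/login-action@v3`, `docker/build-push-action@v6`) references a mutable major-version tag while the job holds `packages: write` and logs into ghcr.io with `GITHUB_TOKEN`, so anyone able to move one of those tags runs code that can push to the `python3` image. Pin each action to a full commit SHA and keep the version as a trailing comment, e.g. `uses: actions/checkout@<commit-sha-of-the-v4-tag> # v4`, and let a dependency bot bump the SHAs. The same applies to the `uses:` lines kept and added by the later workflow hunks in this series, where the QEMU step's `image:` is likewise pinned by tag rather than digest.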
@@ -0,0 +1,36 @@
+# First build SRAM SBS image
+FROM docker.io/library/python:3.11-slim-bookworm
+
+# Do an initial clean up and general upgrade of the distribution
+ENV DEBIAN_FRONTEND noninteractive
+RUN \
+ apt-get update && \
+ apt-get -y dist-upgrade && \
+ apt-get -y install \
+ bzip2 \
+ curl \
+ default-libmysqlclient-dev \
+ git \
+ libxmlsec1-dev \
+ pkgconf \
+ python3-dev \
+ util-linux \
+ xz-utils \
+ && \
+ apt-get -y autoclean && \
+ apt-get -y autoremove && \
+ rm -rf /var/lib/apt/lists/* /var/cache/apt/*
+
+# if specified, drop privileges to this uid and gid
+ARG RUNAS_UID
+ARG RUNAS_GID
+
+# Copy the startup script
+RUN mkdir /container_init
+COPY --chmod=0755 ./bin/entrypoint.sh /entrypoint.sh
+
+# Set the default workdir
+WORKDIR /opt
+
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["python3"]
diff --git a/python3/bin/entrypoint.sh b/python3/bin/entrypoint.sh
new file mode 100755
index 0000000..2129d5e
--- /dev/null
+++ b/python3/bin/entrypoint.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -e
+
+# handle privilege dropping
+if [ $UID -ne 0 ]
+then
+ echo "This container need to run as root"
+ echo "Use USER/GROUP environment variables to specify the uid/gid to run as"
+
+ exit 1
+fi
+
+# run custom scripts before dropping privileges
+echo "Running custom scripts in /container-init"
+if [ -d "/container-init" ]
+then
+ # run all scripts using run-parts
+ run-parts --verbose "/container-init"
+fi
+
+# set up privilege dropping to user and group
+PRIVDROP=
+if [ -n "$RUNAS_UID" ]
+then
+ if [ -n "$RUNAS_GID" ]
+ then
+ echo "Switching to user $RUNAS_UID and group $RUNAS_GID"
+ PRIVDROP="setpriv --reuid=$RUNAS_UID --regid=$RUNAS_GID --clear-groups"
+ else
+ echo "Switching to user $RUNAS_UID"
+ PRIVDROP="setpriv --reuid=$RUNAS_UID"
+ fi
+ echo "Dropping privileges to $($PRIVDROP id -u):$($PRIVDROP id -g)"
+fi
+
+# Hand off to the CMD
+exec ${PRIVDROP} "$@"
diff --git a/python3/bla b/python3/bla
new file mode 100755
index 0000000..9cd76f6
--- /dev/null
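Review bot: `ARG RUNAS_UID` and `ARG RUNAS_GID` are build-time arguments that never reach the container's runtime environment, yet the entrypoint added in the same commit reads `$RUNAS_UID`/`$RUNAS_GID` only when the container starts, so these two lines have no effect and the comment above them (`# if specified, drop privileges to this uid and gid`) promises something the Dockerfile does not do. If a baked-in default is wanted, follow the ARGs with `ENV RUNAS_UID=${RUNAS_UID} RUNAS_GID=${RUNAS_GID}`; otherwise drop the ARGs and reword the comment to `# the entrypoint drops privileges to RUNAS_UID/RUNAS_GID when both are set in the runtime environment (docker run -e ...)`. Either way it is worth stating next to `ENTRYPOINT`/`CMD` that, with no `USER` instruction and no variables set, the default `python3` process runs as root.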
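Review bot: In the branch where only `RUNAS_UID` is set, `PRIVDROP="setpriv --reuid=$RUNAS_UID"` changes the uid but leaves the primary gid at 0 and whatever supplementary groups root has, so the command still runs with root-group access to anything group-writable by gid 0. Default the gid to a non-root value and use the full form in both branches, e.g. `: "${RUNAS_GID:=$RUNAS_UID}"` before the inner `if`, then `PRIVDROP="setpriv --reuid=$RUNAS_UID --regid=$RUNAS_GID --clear-groups"`; the later hunk in this series that rewrites the branch around `useradd` still omits `--regid` and has the same gap. The two `echo` lines in the root check also refer to `USER/GROUP environment variables` while the script actually reads `RUNAS_UID`/`RUNAS_GID`, so the message should name the variables it checks.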
+++ b/python3/bla
@@ -0,0 +1,3 @@
+#!/bin/sh
+echo "hoi"
+exit 0
From 93e00683ed6aeccbbfaed6358e90b0a711507ced Mon Sep 17 00:00:00 2001
From: Bas Zoetekouw
Date: Tue, 18 Feb 2025 11:09:00 +0100
Subject: [PATCH 02/10] remove test file
---
 python3/bla | 3 ---
 1 file changed, 3 deletions(-)
 delete mode 100755 python3/bla
diff --git a/python3/bla b/python3/bla
deleted file mode 100755
index 9cd76f6..0000000
--- a/python3/bla
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-echo "hoi"
-exit 0
From 6b8a9ded350e9ae31b0e4709c2ea2e22b20e9e06 Mon Sep 17 00:00:00 2001
From: Bas Zoetekouw
Date: Tue, 18 Feb 2025 11:12:39 +0100
Subject: [PATCH 03/10] add build-essential, fix apt cleanup
---
 python3/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python3/Dockerfile b/python3/Dockerfile
index c8275dd..da4b2d4 100644
--- a/python3/Dockerfile
+++ b/python3/Dockerfile
@@ -7,6 +7,7 @@ RUN \
 apt-get update && \
 apt-get -y dist-upgrade && \
 apt-get -y install \
+ build-essential \
 bzip2 \
 curl \
 default-libmysqlclient-dev \
@@ -17,7 +18,6 @@ RUN \
 util-linux \
 xz-utils \
 && \
- apt-get -y autoclean && \
 apt-get -y autoremove && \
 rm -rf /var/lib/apt/lists/* /var/cache/apt/*
 
From afe47d3a46a0e91f2510fbcdb69e6ff999754d3a Mon Sep 17 00:00:00 2001
From: Bas Zoetekouw
Date: Tue, 18 Feb 2025 11:17:26 +0100
Subject: [PATCH 04/10] clean up build file
---
 .github/workflows/build-python3.yaml | 37 +++++++++------------------
 1 file changed, 12 insertions(+), 25 deletions(-)
diff --git a/.github/workflows/build-python3.yaml b/.github/workflows/build-python3.yaml
index bb83881..e66b316 100644
--- a/.github/workflows/build-python3.yaml
+++ b/.github/workflows/build-python3.yaml
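Review bot: `build-essential` joins the `-dev` packages in the layer that is published as the runtime base image, so every container derived from it ships a compiler toolchain and headers it may not need at runtime; if the intent is that downstream images compile wheels (xmlsec, mysqlclient) against this base, say so in the comment above `RUN`, e.g. `# toolchain and headers stay in the image so derived images can build C extensions`. The package list is also unpinned, so each rebuild of the base may pull a different toolchain version — acceptable for a rolling base image, but worth one sentence in the same comment. The `RUN` instruction both hunks edit starts above the first hunk.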
@@ -3,18 +3,16 @@ name: Build the Python3 container
 
 on:
 push:
- branches:
- - main
 paths:
- - python3/**
+ - "python3/**"
+ - ".github/workflows/build-python3.yaml"
 schedule:
 - cron: '0 7 * * *'
 workflow_dispatch:
 
-
 jobs:
 build-push-apache2:
- runs-on: ubuntu-latest
+ runs-on: "ubuntu-22.04"
 permissions:
 packages: write
 steps:
@@ -23,18 +21,14 @@ jobs:
 
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
+ with:
+ platforms: "linux/amd64,linux/arm64"
+ # The latest version will lead to segmentation fault.
+ image: "tonistiigi/binfmt:qemu-v7.0.0-28"
 
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 
- - name: Cache Docker layers
- uses: actions/cache@v4
- with:
- path: /tmp/.buildx-cache
- key: ${{ runner.os }}-buildx-${{ github.sha }}
- restore-keys: |
- ${{ runner.os }}-buildx-
-
 - name: Login to GitHub Container Registry
 uses: docker/login-action@v3
 with:
@@ -46,18 +40,11 @@ jobs:
 uses: docker/build-push-action@v6
 with:
 context: ./apache2
- platforms: linux/amd64,linux/arm64
- push: true
+ platforms: "linux/amd64,linux/arm64"
+ # only push the latest tag on the main branch
+ push: "${{ github.ref == 'refs/heads/main' }}"
 tags: |
 ghcr.io/openconext/openconext-basecontainers/python3:latest
 ghcr.io/openconext/openconext-basecontainers/python3:${{ github.sha }}
- cache-from: type=local,src=/tmp/.buildx-cache
- cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
-
- - # Temp fix
- # https://github.com/docker/build-push-action/issues/252
- # https://github.com/moby/buildkit/issues/1896
- name: Move cache
- run: |
- rm -rf /tmp/.buildx-cache
- mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+ cache-from: type=gha
+ cache-to: type=gha
From 70e929e16283661b921346c700caa77dfebd7dc4 Mon Sep 17 00:00:00 2001
From: Bas Zoetekouw
Date: Tue, 18 Feb 2025 11:19:02 +0100
Subject: [PATCH 05/10] use correct dockerfile
---
 .github/workflows/build-python3.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-python3.yaml b/.github/workflows/build-python3.yaml
index e66b316..deddea6 100644
--- a/.github/workflows/build-python3.yaml
+++ b/.github/workflows/build-python3.yaml
@@ -39,7 +39,7 @@ jobs:
 - name: Build and push
 uses: docker/build-push-action@v6
 with:
- context: ./apache2
+ context: "./python3"
 platforms: "linux/amd64,linux/arm64"
 # only push the latest tag on the main branch
 push: "${{ github.ref == 'refs/heads/main' }}"
From a4d5fe2e01b856f2d5a635e8bf50aad0ba6d113f Mon Sep 17 00:00:00 2001
From: Bas Zoetekouw
Date: Tue, 18 Feb 2025 11:25:07 +0100
Subject: [PATCH 06/10] fix deprecated ENV syntax
---
 python3/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python3/Dockerfile b/python3/Dockerfile
index da4b2d4..45a19cc 100644
--- a/python3/Dockerfile
+++ b/python3/Dockerfile
@@ -2,7 +2,7 @@
 FROM docker.io/library/python:3.11-slim-bookworm
 
 # Do an initial clean up and general upgrade of the distribution
-ENV DEBIAN_FRONTEND noninteractive
+ENV DEBIAN_FRONTEND=noninteractive
 RUN \
 apt-get update && \
 apt-get -y dist-upgrade && \
From c45cbfa08a2055836cec2020d7682b9de57f6780 Mon Sep 17 00:00:00 2001
From: Bas Zoetekouw
Date: Tue, 18 Feb 2025 15:01:42 +0100
Subject: [PATCH 07/10] add option to run script before and after dropping privileges
---
 python3/Dockerfile | 2 +-
 python3/bin/entrypoint.sh | 16 +++++++++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/python3/Dockerfile b/python3/Dockerfile
index 45a19cc..ef92c71 100644
--- a/python3/Dockerfile
+++ b/python3/Dockerfile
@@ -26,7 +26,7 @@ ARG RUNAS_UID
 ARG RUNAS_GID
 
 # Copy the startup script
-RUN mkdir /container_init
+RUN mkdir /container-init /container-init-post
 COPY --chmod=0755 ./bin/entrypoint.sh /entrypoint.sh
 
 # Set the default workdir
diff --git a/python3/bin/entrypoint.sh b/python3/bin/entrypoint.sh
index 2129d5e..aa04c77 100755
--- a/python3/bin/entrypoint.sh
+++ b/python3/bin/entrypoint.sh
@@ -15,7 +15,7 @@ echo "Running custom scripts in /container-init"
 if [ -d "/container-init" ]
 then
 # run all scripts using run-parts
- run-parts --verbose "/container-init"
+ run-parts --verbose --regex '.*' "/container-init"
 fi
 
 # set up privilege dropping to user and group
@@ -31,6 +31,20 @@ then
 PRIVDROP="setpriv --reuid=$RUNAS_UID"
 fi
 echo "Dropping privileges to $($PRIVDROP id -u):$($PRIVDROP id -g)"
+
+ # run custom scripts after dropping privileges
+ echo "Running custom scripts in /container-init-post as $RUNAS_UID"
+ if [ -d "/container-init-post" ]
+ then
+ # run all scripts using run-parts
+ ${PRIVDROP} run-parts --verbose --regex '.*' "/container-init-post"
+ fi
+else
+ echo "Warning: not dropping privileges"
+ if [ -d "/container-init-post" ] && ! find /container-init-post/ -maxdepth 0 -empty
+ then
+ echo "Warning: not running scripts in /container-init-post as no user is specified"
+ fi
 fi
 
 # Hand off to the CMD
From b945b162839a6f12de7c44396918fa1d1791767b Mon Sep 17 00:00:00 2001
From: Bas Zoetekouw
Date: Tue, 18 Feb 2025 15:02:22 +0100
Subject: [PATCH 08/10] add explicit openconext user with correct UID and GID and use that to run command
---
 python3/bin/entrypoint.sh | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/python3/bin/entrypoint.sh b/python3/bin/entrypoint.sh
index aa04c77..c509fb9 100755
--- a/python3/bin/entrypoint.sh
+++ b/python3/bin/entrypoint.sh
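Review bot: `--regex '.*'` on both `run-parts` calls switches off run-parts' default filename filter, so any executable file an operator drops into `/container-init` (executed as root) or `/container-init-post` is run, including backup copies such as `foo.sh~` that the default filter would skip. If the aim is only to allow a `.sh` suffix, a narrower pattern keeps that safety net, e.g. `run-parts --verbose --regex '^[A-Za-z0-9_-]+(\.sh)?$' "/container-init"`, with the same change on the `/container-init-post` call. The `if [ -n "$RUNAS_UID" ]` block that the new `else` branch belongs to starts above the second hunk.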
@@ -25,11 +25,14 @@ then
 if [ -n "$RUNAS_GID" ]
 then
 echo "Switching to user $RUNAS_UID and group $RUNAS_GID"
- PRIVDROP="setpriv --reuid=$RUNAS_UID --regid=$RUNAS_GID --clear-groups"
+ groupadd -g $RUNAS_GID openconext
+ useradd -M -u $RUNAS_UID -g $RUNAS_GID openconext
+ PRIVDROP="setpriv --reuid=openconext --regid=openconext --reset-env --clear-groups"
 else
 echo "Switching to user $RUNAS_UID"
- PRIVDROP="setpriv --reuid=$RUNAS_UID"
- fi
+ useradd -M -u $RUNAS_UID openconext
+ PRIVDROP="setpriv --reuid=openconext --reset-env --clear-groups"
+fi
 echo "Dropping privileges to $($PRIVDROP id -u):$($PRIVDROP id -g)"
 
 # run custom scripts after dropping privileges
From 4d7f47445ef9f7bff3139e04d8bfd09519153514 Mon Sep 17 00:00:00 2001
From: Bas Zoetekouw
Date: Tue, 18 Feb 2025 15:02:31 +0100
Subject: [PATCH 09/10] clean up
---
 python3/Dockerfile | 1 -
 python3/bin/entrypoint.sh | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/python3/Dockerfile b/python3/Dockerfile
index ef92c71..da0fdef 100644
--- a/python3/Dockerfile
+++ b/python3/Dockerfile
@@ -1,4 +1,3 @@
-# First build SRAM SBS image
 FROM docker.io/library/python:3.11-slim-bookworm
 
 # Do an initial clean up and general upgrade of the distribution
diff --git a/python3/bin/entrypoint.sh b/python3/bin/entrypoint.sh
index c509fb9..89dc238 100755
--- a/python3/bin/entrypoint.sh
+++ b/python3/bin/entrypoint.sh
@@ -11,7 +11,7 @@ then
 fi
 
 # run custom scripts before dropping privileges
-echo "Running custom scripts in /container-init"
+echo "Running custom scripts in /container-init as root"
 if [ -d "/container-init" ]
 then
 # run all scripts using run-parts
From bf04cc619d840a8343f2db2f5d82caa0b2239b3c Mon Sep 17 00:00:00 2001
From: Bas Zoetekouw
Date: Tue, 18 Feb 2025 15:03:56 +0100
Subject: [PATCH 10/10] rename GHA workflow
---
 .github/workflows/build-python3.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
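Review bot: `groupadd -g $RUNAS_GID openconext` and the two `useradd` calls are not idempotent: if the requested gid/uid or the name `openconext` already exists in the image, or the container is restarted (`docker restart` re-runs the entrypoint on the same writable layer), they fail and `set -e` aborts the container before the command runs. Guard them, e.g. `getent group "$RUNAS_GID" >/dev/null || groupadd -g "$RUNAS_GID" openconext` and `getent passwd "$RUNAS_UID" >/dev/null || useradd -M -u "$RUNAS_UID" -g "$RUNAS_GID" openconext`, and keep the numeric ids in the `setpriv` arguments so the name need not resolve. `--reset-env` also replaces the process environment with a minimal set, so configuration passed with `docker run -e ...` no longer reaches the command; if that is intended, a comment on the two `PRIVDROP=` lines should say so, otherwise the flag should go. The new `+fi` at column 0 closes the indented inner `if` and should match its indentation.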
diff --git a/.github/workflows/build-python3.yaml b/.github/workflows/build-python3.yaml
index deddea6..3379bcf 100644
--- a/.github/workflows/build-python3.yaml
+++ b/.github/workflows/build-python3.yaml
@@ -11,7 +11,7 @@ on:
 workflow_dispatch:
 
 jobs:
- build-push-apache2:
+ build-push-python3:
 runs-on: "ubuntu-22.04"
 permissions:
 packages: write