docker: switch from musl to glibc, and simplify stuff #4219
944210c to 2fa39fb
After a quick overview, this LGTM. Though I definitely want someone else to look over it. cc @Kubuxu
RUN apt-get install -y ca-certificates | ||
|
||
# Now comes the actual target image, which aims to be as small as possible. | ||
FROM busybox:1-glibc |
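Review bot: the final-stage base on the last line, `FROM busybox:1-glibc`, is a floating tag, so two builds of the same commit can end up on different base images. Pin it by digest (`FROM busybox:1-glibc@sha256:<digest>`, with the digest as a placeholder to fill in) and bump it deliberately. Separately, `RUN apt-get install -y ca-certificates` has no `apt-get update` in the same `RUN` in the lines shown; if the update lives in an earlier layer, a cached layer can leave this install working from a stale package index.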
I heard some info that multiple `FROM` directives might be discontinued, but as they are in stable Docker and AFAIK the Dockerfile format is still in change-lock state, it should be safe to use.
bin/container_daemon
Outdated
repo="$IPFS_PATH" | ||
|
||
if [ `id -u` -eq 0 ]; then | ||
# ensure folder is writable | ||
su-exec "$user" test -w "$repo" || chown -R -- "$user" "$repo" |
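Review bot: on the last line, the `test -w "$repo"` guard only checks the top-level directory, while the fallback `chown -R -- "$user" "$repo"` runs as root over everything under whatever the operator bind-mounted there. A mount pointing at the wrong host directory gets re-owned wholesale, and a repo whose top level is writable but whose contents belong to another uid is not fixed at all. Consider logging the ownership change before making it, and state in the image documentation that the mounted directory will be chowned. Minor style point: use `$(id -u)` instead of backticks in the `if` line.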
This is needed to fix permissions (#3744) if you run `docker run -v /does/not/exist/yet:/data/ipfs go-ipfs`, otherwise go-ipfs can't write to its home and crashes. This is also the reason why there's no `USER ipfs` in the Dockerfile itself, as the permissions need to be preserved and then dropped in the entrypoint. :)
Dockerfile
Outdated
|
||
# This installs a very simple program acting as the init process. | ||
# Makes sure signals are properly passed to the ipfs daemon process. | ||
ENV TINI_VERSION v0.16.1 |
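Review bot: `ENV TINI_VERSION v0.16.1` pins which tini release is used, but nothing in the lines shown records what that release should contain. If the step that follows fetches the binary over the network, compare it against a checksum committed next to the version, so that bumping one forces updating the other. The comment above the `ENV` line could also name the program, since the variable name is the only place it is mentioned.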
On debian, I'd recommend dumb-init. :)
Dockerfile.fast
Outdated
RUN mkdir -p $IPFS_PATH \ | ||
&& useradd -s /usr/sbin/nologin -d $IPFS_PATH -u 1000 -g 100 ipfs \ | ||
&& chown 1000:100 $IPFS_PATH | ||
USER ipfs |
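Review bot: `$IPFS_PATH` is unquoted in all three commands of the `RUN` line, and the `1000:100` pair is spelled out twice (`useradd -u 1000 -g 100`, then `chown 1000:100`). Quote the variable and let the `chown` refer to the account just created, for example `chown ipfs: "$IPFS_PATH"`, so the two sets of ids cannot drift apart.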
`USER ipfs` needs to be removed as well so the entrypoint has the permissions to correct the ownership. :)
Dockerfile
Outdated
ENV PATH /go/bin:$PATH | ||
ENV SRC_PATH /go/src/github.com/ipfs/go-ipfs | ||
RUN mkdir -p $IPFS_PATH && adduser -D -h $IPFS_PATH -u 1000 -g 100 ipfs | ||
USER ipfs |
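Review bot: in `adduser -D -h $IPFS_PATH -u 1000 -g 100 ipfs`, the `-D -h` options are BusyBox `adduser` syntax, and there lowercase `-g` sets the GECOS field; the group option is uppercase `-G` and takes a group name. As written, this flag does not place the account in gid 100. Use `-G` with the intended group's name, and quote `$IPFS_PATH`.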
here as well :)
Hmm, it goes beyond my head right now. I would either have to dig deep into how that Dockerfile works or IDK.
@Kubuxu the entrypoint is started as root, then the permissions are adjusted here: The most complicated part is the deprecation of the implicit daemon which was added about half a year ago so people start invoking the daemon with the new format. :)
94e0205 to 5d5e605
The Dockerfile now has two stages: build and assembly. This allows for a full-fledged debian build container, while still resulting in a super-thin busybox image.
License: MIT
Signed-off-by: Lars Gierth <larsg@systemli.org>
5d5e605 to e2a3cd3
Okay, removed that new test for now -- it wasn't able to clean up after itself :(
That OSX failure on travis looks unrelated, it's t0180-p2p (cc @magik6k https://api.travis-ci.org/jobs/275047939/log.txt?deansi=true)
Looks like 500ms is not enough for travis to launch a program and write a pidfile:
The fs-repo-migrations releases on dist.ipfs.io never worked with the go-ipfs docker image because it's based on musl. That means binaries linked against glibc don't work, and I manually built and patched in an additional musl-based tarball for each fs-repo-migrations release. This madness has to stop.
The Dockerfile now has two stages: build and assembly.
This allows for a full-fledged debian build container,
while still resulting in a super-thin glibc-based busybox image.
License: MIT
Signed-off-by: Lars Gierth <larsg@systemli.org>
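The musl/glibc mismatch described in the PR text can be read off a binary before it is shipped into an image. The following is an added example, not code from go-ipfs or this PR: it parses the ELF `PT_INTERP` program header to see which dynamic loader a binary requests. The function names and the sample ELF bytes are constructed for illustration, and the classification by loader file name is a heuristic.

```python
import struct

PT_INTERP = 3  # program header type that names the dynamic loader

def elf_interpreter(data: bytes):
    """Return the loader path an ELF image requests, or None if it is static."""
    if len(data) < 0x34 or data[:4] != b"\x7fELF" or data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError("not a valid ELF image")
    is64 = data[4] == 2                     # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    e = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:
        phoff, = struct.unpack_from(e + "Q", data, 0x20)
        entsize, phnum = struct.unpack_from(e + "HH", data, 0x36)
    else:
        phoff, = struct.unpack_from(e + "I", data, 0x1C)
        entsize, phnum = struct.unpack_from(e + "HH", data, 0x2A)
    for i in range(phnum):
        off = phoff + i * entsize
        if is64:   # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz
            p_type, _, p_off, _, _, p_sz = struct.unpack_from(e + "IIQQQQ", data, off)
        else:      # Elf32_Phdr: type, offset, vaddr, paddr, filesz
            p_type, p_off, _, _, p_sz = struct.unpack_from(e + "IIIII", data, off)
        if p_type == PT_INTERP:
            return data[p_off:p_off + p_sz].rstrip(b"\0").decode()
    return None

def libc_flavor(data: bytes) -> str:
    """Heuristic on the loader file name: ld-musl-* is musl, ld-linux* is glibc."""
    interp = elf_interpreter(data)
    if interp is None:
        return "static"
    name = interp.rsplit("/", 1)[-1]
    if name.startswith("ld-musl-"):
        return "musl"
    return "glibc" if name.startswith("ld-linux") else "unknown"

def sample_elf64(interp: bytes) -> bytes:
    """Constructed input: minimal little-endian ELF64 header and one program header."""
    path = interp + b"\0" if interp else b""
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0x40, 0, 0, 0x40, 56, 1, 0, 0, 0)
    p_type = PT_INTERP if interp else 1     # 1 = PT_LOAD, i.e. no loader requested
    phdr = struct.pack("<IIQQQQQQ", p_type, 4, 0x78, 0, 0, len(path), len(path), 1)
    return ehdr + phdr + path

if __name__ == "__main__":
    for loader in (b"/lib64/ld-linux-x86-64.so.2", b"/lib/ld-musl-x86_64.so.1", b""):
        print(loader.decode() or "(none)", "->", libc_flavor(sample_elf64(loader)))
```

A binary that reports `glibc` fails to start on a musl-only image because the loader path it names does not exist there; a `static` binary has no such dependency.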