Merge pull request #138 from voxpupuli/streamline_dockerfile
feat: streamline Dockerfile
bastelfreak authored Oct 25, 2024
2 parents 8c27f5f + 63d41e5 commit 67dcdd7
Showing 1 changed file with 38 additions and 74 deletions.
112 changes: 38 additions & 74 deletions puppetserver/Dockerfile
@@ -1,24 +1,30 @@
ARG build_type=release
ARG UBUNTU_CODENAME=jammy

######################################################
# base
######################################################

FROM ubuntu:22.04 AS base
FROM ubuntu:22.04

ARG PACKAGES="ca-certificates git netbase openjdk-17-jre-headless ruby3.0 openssh-client libssh2-1"
ARG vcs_ref
ARG build_type
ARG build_date
ARG PACKAGES="ca-certificates git netbase openjdk-17-jre-headless ruby3.0 openssh-client libssh2-1 dumb-init"
ARG BUILD_PKGS="ruby3.0-dev gcc make cmake pkg-config libssl-dev libc6-dev libssh2-1-dev"
ARG DUMB_INIT_VERSION="1.2.5"
ARG TARGETARCH
ARG R10K_VERSION=4.1.0
ARG RUGGED_VERSION=1.7.2
ARG PUPPET_RELEASE=8
ARG PUPPETSERVER_VERSION=8.6.1
ARG UBUNTU_CODENAME=jammy
ARG PUPPET_USER_UID=999
ARG PUPPET_USER_GID=999

LABEL org.label-schema.maintainer="Voxpupuli Team <voxpupuli@groups.io>" \
org.label-schema.vendor="Voxpupuli" \
org.label-schema.url="https://github.com/voxpupuli/container-puppetserver" \
org.label-schema.license="Apache-2.0" \
org.label-schema.vcs-url="https://github.com/voxpupuli/container-puppetserver" \
org.label-schema.schema-version="1.0" \
org.label-schema.dockerfile="/Dockerfile"
org.label-schema.dockerfile="/Dockerfile" \
org.label-schema.name="Puppet Server ($build_type)" \
org.label-schema.version="$PUPPETSERVER_VERSION" \
org.label-schema.vcs-ref="$vcs_ref" \
org.label-schema.build-date="$build_date"

ENV PUPPETSERVER_JAVA_ARGS="-Xms1024m -Xmx1024m" \

Check warning on line 29 in puppetserver/Dockerfile


GitHub Actions / build-and-push-container (7, 7.17.3, 4.1.0, 1.7.2)

Sensitive data should not be used in the ARG or ENV commands

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "INTERMEDIATE_CA_KEY") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/

Check warning on line 29 in puppetserver/Dockerfile


GitHub Actions / build-and-push-container (8, 8.7.0, 4.1.0, 1.7.2)

Sensitive data should not be used in the ARG or ENV commands

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "INTERMEDIATE_CA_KEY") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
PATH=$PATH:/opt/puppetlabs/server/bin:/opt/puppetlabs/puppet/bin:/opt/puppetlabs/bin \
Expand Down Expand Up @@ -51,78 +57,35 @@ ENV PUPPETSERVER_JAVA_ARGS="-Xms1024m -Xmx1024m" \
PUPPETSERVER_ENABLE_ENV_CACHE_DEL_API=true \
ENVIRONMENTPATH=/etc/puppetlabs/code/environments \
HIERACONFIG='$confdir/hiera.yaml' \
CSR_ATTRIBUTES='{}'

# NOTE: this is just documentation on defaults
EXPOSE 8140

ENTRYPOINT ["dumb-init", "/docker-entrypoint.sh"]
CMD ["foreground"]

ADD https://github.com/Yelp/dumb-init/releases/download/v"$DUMB_INIT_VERSION"/dumb-init_"$DUMB_INIT_VERSION"_"$TARGETARCH".deb /
CSR_ATTRIBUTES='{}' \
PUPPET_DEB=puppet${PUPPET_RELEASE}-release-${UBUNTU_CODENAME}.deb

COPY docker-entrypoint.sh \
healthcheck.sh \
/
COPY docker-entrypoint.d /docker-entrypoint.d
COPY metrics.conf.tmpl /metrics.conf.tmpl
COPY add_cache_del_api_auth_rules.rb /add_cache_del_api_auth_rules.rb
# k8s uses livenessProbe, startupProbe, readinessProbe and ignores HEALTHCHECK
HEALTHCHECK --interval=20s --timeout=15s --retries=12 --start-period=3m CMD ["/healthcheck.sh"]
COPY Dockerfile /

ARG R10K_VERSION=4.1.0
ARG RUGGED_VERSION=1.7.2
ADD https://apt.puppet.com/${PUPPET_DEB} /${PUPPET_DEB}

# Create puppet user and group with PUPPET_USER_UID and PUPPET_USER_GID
RUN groupadd -g ${PUPPET_USER_GID} puppet && \
useradd -m -u ${PUPPET_USER_UID} -g puppet puppet

# no need to pin versions or clear apt cache as its still being used
# hadolint ignore=DL3008,DL3009
RUN chmod +x /docker-entrypoint.sh /healthcheck.sh /docker-entrypoint.d/*.sh && \
RUN dpkg -i /${PUPPET_DEB} && \
rm /${PUPPET_DEB} && \
chmod +x /docker-entrypoint.sh /healthcheck.sh /docker-entrypoint.d/*.sh && \
apt-get update && \
apt-get install -y --no-install-recommends $PACKAGES $BUILD_PKGS && \
gem install --no-doc r10k -v $R10K_VERSION && \
gem install --no-doc rugged -v $RUGGED_VERSION -- --with-ssh && \
dpkg -i dumb-init_"$DUMB_INIT_VERSION"_"$TARGETARCH".deb && \
rm dumb-init_"$DUMB_INIT_VERSION"_"$TARGETARCH".deb && \
apt remove -y $BUILD_PKGS && \
apt-get clean && \
apt-get autoremove -y && \
rm -rf /var/lib/apt/lists/*

######################################################
# release (build from packages)
######################################################

FROM base AS release

ARG PUPPET_RELEASE=8
ARG PUPPETSERVER_VERSION=8.6.1
ARG UBUNTU_CODENAME
ARG PUPPET_USER_UID=999
ARG PUPPET_USER_GID=999

######################################################
# final image
######################################################

# dynamically selects "edge" or "release" alias based on ARG
# hadolint ignore=DL3006
FROM ${build_type} AS final

ARG vcs_ref
ARG build_type
ARG build_date

ENV PUPPET_DEB=puppet${PUPPET_RELEASE}-release-${UBUNTU_CODENAME}.deb
ADD https://apt.puppet.com/${PUPPET_DEB} /${PUPPET_DEB}

# Create puppet user and group with PUPPET_USER_UID and PUPPET_USER_GID
RUN groupadd -g ${PUPPET_USER_GID} puppet && \
useradd -m -u ${PUPPET_USER_UID} -g puppet puppet

# hadolint ignore=DL3008,DL3028
RUN dpkg -i /${PUPPET_DEB} && \
rm /${PUPPET_DEB}
RUN apt-get update && \
apt-get install --no-install-recommends -y puppetserver=${PUPPETSERVER_VERSION}-1${UBUNTU_CODENAME} puppetdb-termini && \
apt-get autoremove -y && \
apt-get clean && \
rm -rf /var/lib/apt/lists/* && \
cp -pr /etc/puppetlabs/puppet /var/tmp && \
Expand All @@ -131,17 +94,18 @@ RUN apt-get update && \

COPY puppetserver /etc/default/puppetserver
COPY logback.xml \
request-logging.xml \
/etc/puppetlabs/puppetserver/
request-logging.xml \
/etc/puppetlabs/puppetserver/

COPY conf.d/puppetserver.conf /etc/puppetlabs/puppetserver/conf.d/
COPY conf.d/product.conf /etc/puppetlabs/puppetserver/conf.d/

COPY puppetdb.conf /var/tmp/puppet/

LABEL org.label-schema.name="Puppet Server ($build_type)" \
org.label-schema.version="$PUPPETSERVER_VERSION" \
org.label-schema.vcs-ref="$vcs_ref" \
org.label-schema.build-date="$build_date"
# k8s uses livenessProbe, startupProbe, readinessProbe and ignores HEALTHCHECK
HEALTHCHECK --interval=20s --timeout=15s --retries=12 --start-period=3m CMD ["/healthcheck.sh"]

COPY Dockerfile /
# NOTE: this is just documentation on defaults
EXPOSE 8140

ENTRYPOINT ["dumb-init", "/docker-entrypoint.sh"]
CMD ["foreground"]
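Review bot: The `ADD https://apt.puppet.com/${PUPPET_DEB} /${PUPPET_DEB}` in the second hunk still fetches the release package with no integrity check, and the `RUN dpkg -i /${PUPPET_DEB}` that follows installs it as root; as far as I can tell that package is what configures the apt source and key the later `apt-get install ... puppetserver=${PUPPETSERVER_VERSION}-1${UBUNTU_CODENAME}` trusts, so a tampered or truncated download would not be caught before it becomes the trust root for the rest of the image. Because `PUPPET_DEB` varies with `PUPPET_RELEASE` and `UBUNTU_CODENAME`, a single fixed digest does not fit, but a per-build value would: `ARG PUPPET_DEB_SHA256` followed by `ADD --checksum=sha256:${PUPPET_DEB_SHA256} https://apt.puppet.com/${PUPPET_DEB} /${PUPPET_DEB}` (if the frontend in use does not expand build args in `--checksum`, a `RUN` with `curl` and `sha256sum -c` against the same `ARG` does the same job), with the CI matrix supplying the digest next to `PUPPETSERVER_VERSION`. While there, `PUPPET_DEB` is only read at build time, so declaring it as an `ARG` instead of a line in the runtime `ENV` block would keep it out of the container's environment. Separately, the comment `# no need to pin versions or clear apt cache as its still being used` above the first `RUN` (which reads as new for the single-stage layout, though the rendered view does not mark it) does not match that command, which ends with `rm -rf /var/lib/apt/lists/*` while the next `RUN` starts with `apt-get update` again; either drop the comment and the `DL3009` ignore, or leave the lists in place until the second install. The second `RUN` continues past the end of that hunk.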
