From c926ddbdef11c0db4194ba8d514ce0eed882b908 Mon Sep 17 00:00:00 2001
From: bmacnaughton
Date: Mon, 22 Jul 2024 06:23:27 -0700
Subject: [PATCH] move to contrast-security-oss
---
 .github/workflows/container.yml | 2 +-
 .github/workflows/release.yml | 8 +-
 README.md | 144 +++++++-------------------------
 original-readme.md | 117 ++++++++++++++++++++++++++
 4 files changed, 151 insertions(+), 120 deletions(-)
 create mode 100644 original-readme.md
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
index 7f5c31d..2bcf00e 100644
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -29,6 +29,6 @@ jobs:
 - name: Build binaries
 run: |
- docker run --rm -v ${{ github.workspace }}:/repo -w /repo ghcr.io/bmacnaughton/${{ matrix.image }}:latest
+ docker run --rm -v ${{ github.workspace }}:/repo -w /repo ghcr.io/contrast-security-oss/${{ matrix.image }}:latest
 - name: Show files
 run: find ${{ github.workspace }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2aa6073..85efde9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -45,10 +45,10 @@ jobs:
 with:
 context: ${{ matrix.image }}
 tags: |
- ghcr.io/bmacnaughton/${{ matrix.image }}:latest
- ghcr.io/bmacnaughton/${{ matrix.image }}:${{ env.MAJOR }}
- ghcr.io/bmacnaughton/${{ matrix.image }}:${{ env.MINOR }}
- ghcr.io/bmacnaughton/${{ matrix.image }}:${{ env.PATCH }}
+ ghcr.io/contrast-security-oss/${{ matrix.image }}:latest
+ ghcr.io/contrast-security-oss/${{ matrix.image }}:${{ env.MAJOR }}
+ ghcr.io/contrast-security-oss/${{ matrix.image }}:${{ env.MINOR }}
+ ghcr.io/contrast-security-oss/${{ matrix.image }}:${{ env.PATCH }}
 labels: |
 org.opencontainers.image.version=${{ env.PATCH }}
 org.opencontainers.image.source=${{ github.event.repository.html_url }}
diff --git a/README.md b/README.md
index 1b11254..4928d06 100644
--- a/README.md
+++ b/README.md
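Review bot: The `docker run` step in container.yml still pulls `ghcr.io/contrast-security-oss/${{ matrix.image }}:latest`, a mutable tag, and runs it with the whole workspace bind-mounted read-write at `/repo`, so whatever was last pushed under that name decides what executes in this job and what lands in the built binaries. Since the image namespace is changing anyway, consider pinning the pull to the exact-version tag that release.yml publishes or to a digest, e.g. `ghcr.io/contrast-security-oss/${{ matrix.image }}@sha256:<digest-placeholder>`. The README in this same commit recommends `-u $(id -u)` for local runs, but this step starts the container as the image's default user (presumably root, since the README says the `node` user is no longer created); adding `-u $(id -u)` here would match the documented usage. The job this step belongs to starts outside the hunk, so any registry login or `permissions:` settings are not visible from here.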
@@ -1,9 +1,20 @@ # docker-images +These docker images are used to build software for different target systems. + Originally used by `prebuildify-cross`, these images were modified by Contrast Security, Inc. so -they had fewer dependencies. The primary changes are that the containers now require that the repo +they had fewer dependencies. + +All images include Node.js LTS, Python 3.x, npm and a build toolchain suitable for +`node-gyp` and `prebuildify`. + +# using the images + +The primary changes are that the containers now require that the repo be mapped to `/repo`, `entrypoint` is set to `sh`, and `cmd` is set to `scripts/build-generic.sh` -with an argument of the image name, e.g., `centos7`. +with an argument of the image name, e.g., `centos7`. You'll typically want to set the user when +you invoke the image; if you don't you'll have to make sure the file/directory permissions will +work. From `centos7/Dockerfile`: ``` @@ -11,9 +22,12 @@ ENTRYPOINT ["sh"] CMD ["scripts/build-generic.sh", "centos7"] ``` -How to invoke the `centos7` image: +How to invoke the `centos7` image (to build from my local copy of `node-fn-inspect`): ``` -docker run -v /home/bruce/github/csi/fn-inspect:/repo ghcr.io/bmacnaughton/centos7 +# typical usage is to set the user to the user invoking the image so that the +# permissions are effectively inherited. + +docker run -v /home/bruce/github/csi/fn-inspect:/repo -u $(id -u) ghcr.io/contrast-security-oss/centos7 # The docker image will invoke `/home/bruce/github/csi/fn-inspect/scripts/build-generic.sh` # as a shell script with the argument `centos7` (the name of the image). The command that is 
@@ -22,126 +36,26 @@ docker run -v /home/bruce/github/csi/fn-inspect:/repo ghcr.io/bmacnaughton/cento # `sh scripts/build-generic.sh centos7` ``` +A more minor change is to not create the `node` user in the `centos7` image. It's not +needed and had the potential to create permissions issues. + ## build-generic.sh The `build-generic.sh` script can be invoked from images that do not have `bash`, so your script must be Posix-compliant in order to work with `ash`, `dash`, etc. -# THE FOLLOWING TEXT NEEDS TO BE UPDATED - - -**Docker images for cross compiling prebuilt binaries for Node.js. Used by [`prebuildify-cross`](https://github.com/prebuild/prebuildify-cross).** - -[![Release](https://img.shields.io/github/v/release/prebuild/docker-images)](https://github.com/prebuild/docker-images/releases/latest) -[![Release](https://github.com/prebuild/docker-images/actions/workflows/release.yml/badge.svg)](https://github.com/prebuild/docker-images/actions/workflows/release.yml) -[![Common Changelog](https://common-changelog.org/badge.svg)](https://common-changelog.org) - -## About - -All images include Node.js LTS, Python 3.x, npm and a preconfigured build toolchain suitable for `node-gyp` and `prebuildify`. For example: - -``` -> docker run --rm ghcr.io/prebuild/alpine node -v -v16.15.1 -``` - -Images are tagged with a major, minor and full version as well as `latest`. For example, use the following to pin to major version 2: - -```dockerfile -FROM ghcr.io/prebuild/alpine:2 -``` - -## Versioning guarantees - -Within a major version range, we will not change toolchains, environment variables, working directories, users and more. However, the Node.js version will change without notice. We use Node.js [LTS](https://github.com/nodejs/Release) (at the time of building images) for a light maintenance effort. This is okay because `prebuildify` can target (the headers of) older Node.js versions while itself running on a newer version. 
- -Images that are based on [`dockcross`](https://github.com/dockcross/dockcross) (see below) may inadvertently introduce breaking changes because `dockcross` does not use semantic versions ([dockcross/dockcross#399](https://github.com/dockcross/dockcross/issues/399)) and does not maintain a changelog that would allow us to easily categorize changes and then tag our images accordingly. If this concerns you we recommend pinning to an exact version (`x.x.x`) which we treat as immutable. - -## Images - -### [`centos7-devtoolset7`](https://github.com/orgs/prebuild/packages/container/package/centos7-devtoolset7) - -Compile in CentOS 7, as a better alternative to (commonly) Ubuntu 16.04 on Travis or GitHub Actions. Makes prebuilds compatible with Debian 8, Ubuntu 14.04, RHEL 7, CentOS 7 and other Linux flavors with an old glibc. - -> The neat thing about this is that you get to compile with gcc 7 but glibc 2.17, so binaries are compatible for \[among others] Ubuntu 14.04 and Debian 8. -> -> The RHEL folks put in a ton of work to make the devtoolsets work on their older base systems (libc mainly), which involves shipping a delta library that contains the new stuff that can be statically linked in where it's used. We use this method for building Node binary releases. -> -> \-- [**@rvagg**](https://github.com/rvagg) ([prebuild/docker-images#8](https://github.com/prebuild/docker-images/pull/8)) - -Preconfigures `prebuildify` to [tag](https://github.com/prebuild/prebuildify#options) prebuilds with the libc flavor, to set them apart from musl prebuilds, e.g. `linux-x64/node.glibc.node`. - -### [`alpine`](https://github.com/orgs/prebuild/packages/container/package/alpine) - -Compile in Alpine, which uses musl instead of glibc and therefore can't run regular linux prebuilds. Worse, it sometimes does successfully _load_ such a prebuild during `npm install` - which prevents a compilation fallback from kicking in - and then segfaults at runtime. 
You can fix this situation in two ways: by shipping an `alpine` prebuild and/or by shipping a `centos7-devtoolset7` prebuild, because the latter will be skipped in Alpine thanks to the `glibc` tag. +Of course, you can use `--entrypoint` or run a command other than `scripts/build-generic.sh` +if your use case calls for it. -Preconfigures `prebuildify` to [tag](https://github.com/prebuild/prebuildify#options) prebuilds with the libc flavor, to set them apart from glibc prebuilds, e.g. `linux-x64/node.musl.node`. +## limitations -### [`linux-armv6`](https://github.com/orgs/prebuild/packages/container/package/linux-armv6) +Only the images required by Contrast Security, Inc. are built and published at this time. +If you're using the images and need another target, let us know; we'll add it. -Cross-compile for Linux ARM. This image thinly wraps a [`dockcross`](https://github.com/dockcross/dockcross) image. Preconfigures `prebuildify` to [tag](https://github.com/prebuild/prebuildify#options) prebuilds with the armv version (6). - -### [`linux-armv7`](https://github.com/orgs/prebuild/packages/container/package/linux-armv7) - -Cross-compile for Linux ARM. This image thinly wraps a [`dockcross`](https://github.com/dockcross/dockcross) image. Preconfigures `prebuildify` to [tag](https://github.com/prebuild/prebuildify#options) prebuilds with the armv version (7). - -### [`linux-armv7l-musl`](https://github.com/orgs/prebuild/packages/container/package/linux-armv7l-musl) - -Cross-compile for Linux ARM. This image uses musl instead of glibc for Alpine linux. This image thinly wraps a [`dockcross`](https://github.com/dockcross/dockcross) image. Preconfigures `prebuildify` to [tag](https://github.com/prebuild/prebuildify#options) prebuilds with the armv version (7). - -### [`linux-arm64`](https://github.com/orgs/prebuild/packages/container/package/linux-arm64) - -Cross-compile for Linux ARM. This image thinly wraps a [`dockcross`](https://github.com/dockcross/dockcross) image. 
Preconfigures `prebuildify` to [tag](https://github.com/prebuild/prebuildify#options) prebuilds with the armv version (8). - -### [`linux-arm64-lts`](https://github.com/orgs/prebuild/packages/container/package/linux-arm64-lts) - -Cross-compile for Linux ARM. This image uses an old version of glibc (glibc 2.27) for compatibility. This image thinly wraps a [`dockcross`](https://github.com/dockcross/dockcross) image. Preconfigures `prebuildify` to [tag](https://github.com/prebuild/prebuildify#options) prebuilds with the armv version (8). - -### [`linux-arm64-musl`](https://github.com/orgs/prebuild/packages/container/package/linux-arm64-musl) - -Cross-compile for Linux ARM. This image uses musl instead of glibc for Alpine linux. This image thinly wraps a [`dockcross`](https://github.com/dockcross/dockcross) image. Preconfigures `prebuildify` to [tag](https://github.com/prebuild/prebuildify#options) prebuilds with the armv version (8). - -### [`android-armv7`](https://github.com/orgs/prebuild/packages/container/package/android-armv7) - -Cross-compile for Android ARM. This image thinly wraps a [`dockcross`](https://github.com/dockcross/dockcross) image. Preconfigures `prebuildify` to [tag](https://github.com/prebuild/prebuildify#options) prebuilds with the armv version (7). - -### [`android-arm64`](https://github.com/orgs/prebuild/packages/container/package/android-arm64) - -Cross-compile for Android ARM. This image thinly wraps a [`dockcross`](https://github.com/dockcross/dockcross) image. Preconfigures `prebuildify` to [tag](https://github.com/prebuild/prebuildify#options) prebuilds with the armv version (8). - -## Old images - -Images were previously hosted on Docker Hub. 
These are no longer updated: - -- [`centos7-devtoolset7`](https://hub.docker.com/r/prebuild/centos7-devtoolset7) -- [`alpine`](https://hub.docker.com/r/prebuild/alpine) -- [`linux-armv6`](https://hub.docker.com/r/prebuild/linux-armv6) -- [`linux-armv7`](https://hub.docker.com/r/prebuild/linux-armv7) -- [`linux-arm64`](https://hub.docker.com/r/prebuild/linux-arm64) -- [`android-armv7`](https://hub.docker.com/r/prebuild/android-armv7) -- [`android-arm64`](https://hub.docker.com/r/prebuild/android-arm64) - -## Development - -### Releasing - -Update [`CHANGELOG.md`](CHANGELOG.md) according to [Common Changelog](https://common-changelog), for which you might like [`hallmark`](https://github.com/vweevers/hallmark) to pull commit messages into the changelog: - -``` -hallmark bump minor -``` - -Tweak `CHANGELOG.md` as needed until `hallmark lint` is happy. Then commit, tag and push. For example: - -``` -git add CHANGELOG.md -git commit -m "2.1.0" -git tag -a v2.1.0 -m v2.1.0 -git push --follow-tags -``` +## releasing -The git tag triggers [CI/CD](https://github.com/prebuild/docker-images/actions) to publish new images to [GHCR](https://github.com/orgs/prebuild/packages?ecosystem=container). A changelog entry is required. +Create a version tag of the form vX.Y.Z and push it to master. ## License -[GPL-3.0-only](LICENSE) © 2019 `prebuild` contributors. +[GPL-3.0-only](LICENSE) © 2019 `prebuild` contributors. 2024 Contrast Security, Inc. diff --git a/original-readme.md b/original-readme.md new file mode 100644 index 0000000..c22a709 --- /dev/null +++ b/original-readme.md 
@@ -0,0 +1,117 @@
+# This is the unmodified portion of prebuild/docker-images
+
+**Docker images for cross compiling prebuilt binaries for Node.js. Used by [`prebuildify-cross`](https://github.com/prebuild/prebuildify-cross).**
+
+[![Release](https://img.shields.io/github/v/release/prebuild/docker-images)](https://github.com/prebuild/docker-images/releases/latest)
+[![Release](https://github.com/prebuild/docker-images/actions/workflows/release.yml/badge.svg)](https://github.com/prebuild/docker-images/actions/workflows/release.yml)
+[![Common Changelog](https://common-changelog.org/badge.svg)](https://common-changelog.org)
+
+## About
+
+All images include Node.js LTS, Python 3.x, npm and a preconfigured build toolchain suitable for `node-gyp` and `prebuildify`. For example:
+
+```
+> docker run --rm ghcr.io/prebuild/alpine node -v
+v16.15.1
+```
+
+Images are tagged with a major, minor and full version as well as `latest`. For example, use the following to pin to major version 2:
+
+```dockerfile
+FROM ghcr.io/prebuild/alpine:2
+```
+
+## Versioning guarantees
+
+Within a major version range, we will not change toolchains, environment variables, working directories, users and more. However, the Node.js version will change without notice. We use Node.js [LTS](https://github.com/nodejs/Release) (at the time of building images) for a light maintenance effort. This is okay because `prebuildify` can target (the headers of) older Node.js versions while itself running on a newer version.
+
+Images that are based on [`dockcross`](https://github.com/dockcross/dockcross) (see below) may inadvertently introduce breaking changes because `dockcross` does not use semantic versions ([dockcross/dockcross#399](https://github.com/dockcross/dockcross/issues/399)) and does not maintain a changelog that would allow us to easily categorize changes and then tag our images accordingly. If this concerns you we recommend pinning to an exact version (`x.x.x`) which we treat as immutable.
+
+## Images
+
+### [`centos7-devtoolset7`](https://github.com/orgs/prebuild/packages/container/package/centos7-devtoolset7)
+
+Compile in CentOS 7, as a better alternative to (commonly) Ubuntu 16.04 on Travis or GitHub Actions. Makes prebuilds compatible with Debian 8, Ubuntu 14.04, RHEL 7, CentOS 7 and other Linux flavors with an old glibc.
+
+> The neat thing about this is that you get to compile with gcc 7 but glibc 2.17, so binaries are compatible for \[among others] Ubuntu 14.04 and Debian 8.
+>
+> The RHEL folks put in a ton of work to make the devtoolsets work on their older base systems (libc mainly), which involves shipping a delta library that contains the new stuff that can be statically linked in where it's used. We use this method for building Node binary releases.
+>
+> \-- [**@rvagg**](https://github.com/rvagg) ([prebuild/docker-images#8](https://github.com/prebuild/docker-images/pull/8))
+
+Preconfigures `prebuildify` to [tag](https://github.com/prebuild/prebuildify#options) prebuilds with the libc flavor, to set them apart from musl prebuilds, e.g. `linux-x64/node.glibc.node`.
+
+### [`alpine`](https://github.com/orgs/prebuild/packages/container/package/alpine)
+
+Compile in Alpine, which uses musl instead of glibc and therefore can't run regular linux prebuilds. Worse, it sometimes does successfully _load_ such a prebuild during `npm install` - which prevents a compilation fallback from kicking in - and then segfaults at runtime. You can fix this situation in two ways: by shipping an `alpine` prebuild and/or by shipping a `centos7-devtoolset7` prebuild, because the latter will be skipped in Alpine thanks to the `glibc` tag.
+
+Preconfigures `prebuildify` to [tag](https://github.com/prebuild/prebuildify#options) prebuilds with the libc flavor, to set them apart from glibc prebuilds, e.g. `linux-x64/node.musl.node`.
+
+### [`linux-armv6`](https://github.com/orgs/prebuild/packages/container/package/linux-armv6)
+
+Cross-compile for Linux ARM. This image thinly wraps a [`dockcross`](https://github.com/dockcross/dockcross) image. Preconfigures `prebuildify` to [tag](https://github.com/prebuild/prebuildify#options) prebuilds with the armv version (6).
+
+### [`linux-armv7`](https://github.com/orgs/prebuild/packages/container/package/linux-armv7)
+
+Cross-compile for Linux ARM. This image thinly wraps a [`dockcross`](https://github.com/dockcross/dockcross) image. Preconfigures `prebuildify` to [tag](https://github.com/prebuild/prebuildify#options) prebuilds with the armv version (7).
+
+### [`linux-armv7l-musl`](https://github.com/orgs/prebuild/packages/container/package/linux-armv7l-musl)
+
+Cross-compile for Linux ARM. This image uses musl instead of glibc for Alpine linux. This image thinly wraps a [`dockcross`](https://github.com/dockcross/dockcross) image. Preconfigures `prebuildify` to [tag](https://github.com/prebuild/prebuildify#options) prebuilds with the armv version (7).
+
+### [`linux-arm64`](https://github.com/orgs/prebuild/packages/container/package/linux-arm64)
+
+Cross-compile for Linux ARM. This image thinly wraps a [`dockcross`](https://github.com/dockcross/dockcross) image. Preconfigures `prebuildify` to [tag](https://github.com/prebuild/prebuildify#options) prebuilds with the armv version (8).
+
+### [`linux-arm64-lts`](https://github.com/orgs/prebuild/packages/container/package/linux-arm64-lts)
+
+Cross-compile for Linux ARM. This image uses an old version of glibc (glibc 2.27) for compatibility. This image thinly wraps a [`dockcross`](https://github.com/dockcross/dockcross) image. Preconfigures `prebuildify` to [tag](https://github.com/prebuild/prebuildify#options) prebuilds with the armv version (8).
+
+### [`linux-arm64-musl`](https://github.com/orgs/prebuild/packages/container/package/linux-arm64-musl)
+
+Cross-compile for Linux ARM. This image uses musl instead of glibc for Alpine linux. This image thinly wraps a [`dockcross`](https://github.com/dockcross/dockcross) image. Preconfigures `prebuildify` to [tag](https://github.com/prebuild/prebuildify#options) prebuilds with the armv version (8).
+
+### [`android-armv7`](https://github.com/orgs/prebuild/packages/container/package/android-armv7)
+
+Cross-compile for Android ARM. This image thinly wraps a [`dockcross`](https://github.com/dockcross/dockcross) image. Preconfigures `prebuildify` to [tag](https://github.com/prebuild/prebuildify#options) prebuilds with the armv version (7).
+
+### [`android-arm64`](https://github.com/orgs/prebuild/packages/container/package/android-arm64)
+
+Cross-compile for Android ARM. This image thinly wraps a [`dockcross`](https://github.com/dockcross/dockcross) image. Preconfigures `prebuildify` to [tag](https://github.com/prebuild/prebuildify#options) prebuilds with the armv version (8).
+
+## Old images
+
+Images were previously hosted on Docker Hub. These are no longer updated:
+
+- [`centos7-devtoolset7`](https://hub.docker.com/r/prebuild/centos7-devtoolset7)
+- [`alpine`](https://hub.docker.com/r/prebuild/alpine)
+- [`linux-armv6`](https://hub.docker.com/r/prebuild/linux-armv6)
+- [`linux-armv7`](https://hub.docker.com/r/prebuild/linux-armv7)
+- [`linux-arm64`](https://hub.docker.com/r/prebuild/linux-arm64)
+- [`android-armv7`](https://hub.docker.com/r/prebuild/android-armv7)
+- [`android-arm64`](https://hub.docker.com/r/prebuild/android-arm64)
+
+## Development
+
+### Releasing
+
+Update [`CHANGELOG.md`](CHANGELOG.md) according to [Common Changelog](https://common-changelog), for which you might like [`hallmark`](https://github.com/vweevers/hallmark) to pull commit messages into the changelog:
+
+```
+hallmark bump minor
+```
+
+Tweak `CHANGELOG.md` as needed until `hallmark lint` is happy. Then commit, tag and push. For example:
+
+```
+git add CHANGELOG.md
+git commit -m "2.1.0"
+git tag -a v2.1.0 -m v2.1.0
+git push --follow-tags
+```
+
+The git tag triggers [CI/CD](https://github.com/prebuild/docker-images/actions) to publish new images to [GHCR](https://github.com/orgs/prebuild/packages?ecosystem=container). A changelog entry is required.
+
+## License
+
+[GPL-3.0-only](LICENSE) © 2019 `prebuild` contributors.