ci: docker test

.github/workflows/docker-image.yml

@@ -6,6 +6,7 @@ on:
     branches:
       - 'master'
       - 'bifrost-*'
+      - 'ci-docker-test'
     tags:
       - 'v*'
 
@@ -53,17 +54,57 @@ jobs:
           username: ${{ vars.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
-      - name: Build Docker image and publish to Docker Hub
+      - name: Build Docker image (linux/amd64)
         uses: docker/build-push-action@v4
         with:
-          platforms: linux/amd64,linux/arm/v7,linux/arm64/v8
+          platforms: linux/amd64
           context: .
-          push: true
+          push: false
+          load: true
           file: ./Dockerfile
-          tags: "${{ steps.tags.outputs.value }}"
+          tags: ${{ env.IMAGE_NAME }}:linux-amd64
           cache-from: type=local,src=/tmp/.buildx-cache
           cache-to: type=local,dest=/tmp/.buildx-cache-new
 
+      # - name: Build Docker image (linux/arm/v7)
+      #   uses: docker/build-push-action@v4
+      #   with:
+      #     platforms: linux/arm/v7
+      #     context: .
+      #     push: false
+      #     load: true
+      #     file: ./Dockerfile
+      #     tags: ${{ env.IMAGE_NAME }}:linux-arm-v7
+      #     cache-from: type=local,src=/tmp/.buildx-cache
+      #     cache-to: type=local,dest=/tmp/.buildx-cache-new
+
+      # - name: Build Docker image (linux/arm64/v8)
+      #   uses: docker/build-push-action@v4
+      #   with:
+      #     platforms: linux/arm64/v8
+      #     context: .
+      #     push: false
+      #     load: true
+      #     file: ./Dockerfile
+      #     tags: ${{ env.IMAGE_NAME }}:linux-arm64-v8
+      #     cache-from: type=local,src=/tmp/.buildx-cache
+      #     cache-to: type=local,dest=/tmp/.buildx-cache-new
+
+      - run: docker run --rm $IMAGE_NAME:linux-amd64 --version
+      # - run: docker run --rm $IMAGE_NAME:linux-arm-v7 --version
+      # - run: docker run --rm $IMAGE_NAME:linux-arm64-v8 --version
+
+      # - name: Publish to Docker Hub
+      #   uses: docker/build-push-action@v4
+      #   with:
+      #     platforms: linux/amd64,linux/arm/v7,linux/arm64/v8
+      #     context: .
+      #     push: true
+      #     file: ./Dockerfile
+      #     tags: "${{ steps.tags.outputs.value }}"
+      #     cache-from: type=local,src=/tmp/.buildx-cache-new
+      #     cache-to: type=local,dest=/tmp/.buildx-cache-new
+
       # https://github.com/docker/build-push-action/issues/252
       # https://github.com/moby/buildkit/issues/1896
       - name: Move cache to limit growth

Dockerfile

@@ -1,16 +1,6 @@
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-buster
-LABEL maintainer="Steven Allen <[email protected]>"
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-buster AS builder
 
-ARG TARGETPLATFORM
-ARG BUILDPLATFORM
-ARG TARGETOS
-ARG TARGETARCH
-
-# Install deps
-RUN apt-get update && apt-get install -y \
-  libssl-dev \
-  ca-certificates \
-  fuse
+ARG TARGETPLATFORM TARGETOS TARGETARCH
 
 ENV SRC_DIR /kubo
 
@@ -31,38 +21,32 @@ RUN cd $SRC_DIR \
   && mkdir -p .git/objects \
   && GOOS=$TARGETOS GOARCH=$TARGETARCH GOFLAGS=-buildvcs=false make build GOTAGS=openssl IPFS_PLUGINS=$IPFS_PLUGINS
 
-# Get su-exec, a very minimal tool for dropping privileges,
-# and tini, a very minimal init daemon for containers
-ENV SUEXEC_VERSION v0.2
-ENV TINI_VERSION v0.19.0
+FROM debian:bookworm-slim AS utilities
 RUN set -eux; \
-    dpkgArch="$(dpkg --print-architecture)"; \
-    case "${dpkgArch##*-}" in \
-        "amd64" | "armhf" | "arm64") tiniArch="tini-static-$dpkgArch" ;;\
-        *) echo >&2 "unsupported architecture: ${dpkgArch}"; exit 1 ;; \
-    esac; \
-  cd /tmp \
-  && git clone https://github.com/ncopa/su-exec.git \
-  && cd su-exec \
-  && git checkout -q $SUEXEC_VERSION \
-  && make su-exec-static \
-  && cd /tmp \
-  && wget -q -O tini https://github.com/krallin/tini/releases/download/$TINI_VERSION/$tiniArch \
-  && chmod +x tini
+	apt-get update; \
+	apt-get install -y \
+    # v0.19.0
+		tini \
+    # v0.2, su-exec
+		gosu \
+    fuse \
+    ca-certificates \
+    libssl-dev \
+	; \
+	rm -rf /var/lib/apt/lists/*
 
 # Now comes the actual target image, which aims to be as small as possible.
-FROM --platform=${BUILDPLATFORM:-linux/amd64} busybox:1.31.1-glibc
-LABEL maintainer="Steven Allen <[email protected]>"
+FROM busybox:1.31.1-glibc
 
 # Get the ipfs binary, entrypoint script, and TLS CAs from the build container.
 ENV SRC_DIR /kubo
-COPY --from=0 $SRC_DIR/cmd/ipfs/ipfs /usr/local/bin/ipfs
-COPY --from=0 $SRC_DIR/bin/container_daemon /usr/local/bin/start_ipfs
-COPY --from=0 $SRC_DIR/bin/container_init_run /usr/local/bin/container_init_run
-COPY --from=0 /tmp/su-exec/su-exec-static /sbin/su-exec
-COPY --from=0 /tmp/tini /sbin/tini
-COPY --from=0 /bin/fusermount /usr/local/bin/fusermount
-COPY --from=0 /etc/ssl/certs /etc/ssl/certs
+COPY --from=builder $SRC_DIR/cmd/ipfs/ipfs /usr/local/bin/ipfs
+COPY --from=builder $SRC_DIR/bin/container_daemon /usr/local/bin/start_ipfs
+COPY --from=builder $SRC_DIR/bin/container_init_run /usr/local/bin/container_init_run
+COPY --from=utilities /usr/sbin/gosu /sbin/su-exec
+COPY --from=utilities /usr/bin/tini /sbin/tini
+COPY --from=utilities /usr/bin/fusermount /usr/local/bin/fusermount
+COPY --from=utilities /etc/ssl/certs /etc/ssl/certs
 
 # Add suid bit on fusermount so it will run properly
 RUN chmod 4755 /usr/local/bin/fusermount
@@ -71,11 +55,11 @@ RUN chmod 4755 /usr/local/bin/fusermount
 RUN chmod 0755 /usr/local/bin/start_ipfs
 
 # This shared lib (part of glibc) doesn't seem to be included with busybox.
-COPY --from=0 /lib/*-linux-gnu*/libdl.so.2 /lib/
+COPY --from=utilities /lib/*-linux-gnu*/libdl.so.2 /lib/
 
 # Copy over SSL libraries.
-COPY --from=0 /usr/lib/*-linux-gnu*/libssl.so* /usr/lib/
-COPY --from=0 /usr/lib/*-linux-gnu*/libcrypto.so* /usr/lib/
+COPY --from=utilities /usr/lib/*-linux-gnu*/libssl.so* /usr/lib/
+COPY --from=utilities /usr/lib/*-linux-gnu*/libcrypto.so* /usr/lib/
 
 # Swarm TCP; should be exposed to the public
 EXPOSE 4001