forked from darklang/dark
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Dockerfile
338 lines (282 loc) · 11.1 KB
/
Dockerfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
# This is an image used to compile and test Dark. Later, we will use this to
# create another dockerfile to deploy.
FROM ubuntu:18.04@sha256:3235326357dfb65f1781dbc4df3b834546d8bf914e82cce58e6e6b676e23ce8f as dark-base
ENV FORCE_BUILD 1
# These are reasonable defaults, and what the dark uid/gid would be if we didn't
# specify values. By exposing them as build-args, we can set these values to
# match the host user's uid/gid - allowing for dark-owned files in-container to
# be owned by the host user on the host fs.
#
# We didn't need this in OS X because Docker for Mac handles it for you, and we
# avoided it on Linux for a while because often the first non-root user has uid
# 1000. But that's not always the case, and when it's not, you get files owned
# by 1000:1000 that need to be sudo chown'd on the host.
ARG uid=1000
ARG gid=1000
############################
## apt
############################
USER root
RUN DEBIAN_FRONTEND=noninteractive \
apt update --allow-releaseinfo-change && \
DEBIAN_FRONTEND=noninteractive \
apt install \
-y \
--no-install-recommends \
curl \
apt-transport-https \
ca-certificates \
lsb-core \
less \
gpg \
gpg-agent \
&& apt clean \
&& rm -rf /var/lib/apt/lists/*
# Latest NPM (taken from https://deb.nodesource.com/setup_8.x )
RUN curl -sSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add -
RUN curl -sSL https://dl.google.com/linux/linux_signing_key.pub | apt-key add -
RUN curl -sSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
RUN curl -sSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
RUN curl -sSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
RUN curl -sSL https://nginx.org/keys/nginx_signing.key | apt-key add -
# We want postgres 9.6, but it is not in ubuntu 18.04
RUN echo "deb http://apt.postgresql.org/pub/repos/apt/ `lsb_release -cs`-pgdg main" >> /etc/apt/sources.list.d/pgdg.list
RUN echo "deb [arch=amd64] https://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google-chrome.list
RUN echo "deb https://nginx.org/packages/ubuntu/ bionic nginx" > /etc/apt/sources.list.d/nginx.list
# Testcafe needs node >= 11
RUN echo "deb https://deb.nodesource.com/node_13.x bionic main" > /etc/apt/sources.list.d/nodesource.list
RUN echo "deb-src https://deb.nodesource.com/node_13.x bionic main" >> /etc/apt/sources.list.d/nodesource.list
RUN export CLOUD_SDK_REPO="cloud-sdk-$(lsb_release -cs)" && \
echo "deb http://packages.cloud.google.com/apt $CLOUD_SDK_REPO main" > /etc/apt/sources.list.d/google-cloud-sdk.list
RUN echo "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list
# We pin the exact package version so that we don't have any surprises.
# However, sometimes the versions upgrade from under us and break the
# build. To fix that, you need the actual package version, which you can
# find by installing it directly:
# $ docker run <HASH> apt install mypackage
# Notes
# - replace <HASH> with a recent hash from the docker build output.
# - just use the package name, not the version.
# Deps:
# - apt-transport-https for npm
# - expect for unbuffer
# - most libs re for ocaml
# - net-tools for netstat
# - esy packages need texinfo
RUN DEBIAN_FRONTEND=noninteractive \
apt update --allow-releaseinfo-change && \
DEBIAN_FRONTEND=noninteractive \
apt install \
--no-install-recommends \
-y \
software-properties-common \
make \
rsync \
git \
wget \
sudo \
locales \
expect \
tcl8.6 \
libev-dev \
libgmp-dev \
pkg-config \
libcurl4-openssl-dev \
libpq-dev \
postgresql-9.6 \
postgresql-client-9.6 \
postgresql-contrib-9.6 \
google-chrome-stable \
nodejs \
google-cloud-sdk \
jq \
vim \
unzip \
docker-ce \
build-essential \
kubectl \
python3-pip \
python3-setuptools \
python3-dev \
libsodium-dev \
gcc \
pgcli \
ffmpeg \
libssl-dev \
libssl-ocaml-dev \
zlib1g-dev \
pv \
net-tools \
nginx=1.16.1-1~bionic \
bash-completion \
texinfo \
openssh-server \
&& apt clean \
&& rm -rf /var/lib/apt/lists/*
############################
# Dark user
############################
USER root
RUN groupadd -g ${gid} dark \
&& adduser --disabled-password --gecos '' --uid ${uid} --gid ${gid} dark
RUN echo "dark:dark" | chpasswd && adduser dark sudo
RUN chown -R dark:dark /home/dark
RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
USER dark
WORKDIR /home/dark
RUN mkdir bin
# otherwise this gets created by the mount, and it'll be owned by root if your docker host os is linux
RUN mkdir .config
############################
# Locales
############################
USER dark
RUN sudo locale-gen "en_US.UTF-8"
ENV LANGUAGE en_US.UTF-8
ENV LANG en_US.UTF-8
ENV LC_ALL en_US.UTF-8
############################
# Frontend
############################
USER root
# esy uses the _build directory, none of the platform dirs are needed but
# they take 150MB
RUN npm install -g [email protected] --unsafe-perm=true \
&& sudo rm -Rf /usr/lib/node_modules/esy/platform-*
ENV PATH "$PATH:/home/dark/node_modules/.bin"
############################
# Postgres
############################
USER postgres
RUN /etc/init.d/postgresql start && \
psql --command "CREATE USER dark WITH SUPERUSER PASSWORD 'eapnsdc';" && \
createdb -O dark devdb
# Adjust PostgreSQL configuration so that remote connections to the
# database are possible.
RUN echo "host all all 0.0.0.0/0 md5" >> /etc/postgresql/9.6/main/pg_hba.conf
# RUN echo "listen_addresses='*'" >> /etc/postgresql/10/main/postgresql.conf
user dark
# Add VOLUMEs to allow backup of config, logs and databases
VOLUME ["/etc/postgresql", "/var/log/postgresql", "/var/lib/postgresql"]
# No idea what caused this, but we get permission problems otherwise.
RUN sudo chown postgres:postgres -R /etc/postgresql
RUN sudo chown postgres:postgres -R /var/log/postgresql
RUN sudo chown postgres:postgres -R /var/lib/postgresql
############################
# Nginx
############################
# We could mount these files into the container, but then we'd also want to make
# scripts/support/compile restart runserver if either of the nginx files
# changed, and I'd rather not add to the complexity of that file right now.
# nginx changes should be infrequent, making users restart scripts/builder is
# fine
RUN sudo rm /etc/nginx/conf.d/default.conf \
&& sudo ln -s /home/dark/app/scripts/support/nginx.conf /etc/nginx/conf.d/nginx.conf
RUN sudo rm -r /etc/nginx/nginx.conf && sudo ln -s /home/dark/app/scripts/support/base-nginx.conf /etc/nginx/nginx.conf
RUN sudo chown -R dark:dark /var/log/nginx
############################
# Kubernetes
############################
RUN sudo kubectl completion bash | sudo tee /etc/bash_completion.d/kubectl > /dev/null
############################
# Google cloud
############################
# New authentication for docker - not supported via apt
user root
RUN curl -sSL "https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v1.4.3/docker-credential-gcr_linux_amd64-1.4.3.tar.gz" \
| tar xz --to-stdout docker-credential-gcr > /usr/bin/docker-credential-gcr \
&& chmod +x /usr/bin/docker-credential-gcr
RUN docker-credential-gcr config --token-source="gcloud"
# crcmod for gsutil; this gets us the compiled (faster), not pure Python
# (slower) crcmod, as described in `gsutil help crcmod`
#
# It requires that python3-pip, python3-dev, python3-setuptools, and gcc be
# installed. You'll also need CLOUDSDK_PYTHON=python3 to be set when you use
# gsutil. (Which the ENV line handles.)
#
# The last line greps to confirm that gsutil has a compiled crcmod.
# Possible failure modes; missing deps above (-pip, -dev, -setuptools, gcc); a
# pre-installed crcmod that needs to be uninstalled first. Added that because
# this install is a bit brittle, and it's easy to invisibly install the pure
# Python crcmod.
ENV CLOUDSDK_PYTHON=python3
RUN pip3 install -U --no-cache-dir -U crcmod \
&& ((gsutil version -l | grep compiled.crcmod:.True) \
|| (echo "Compiled crcmod not installed." && false))
############################
# Pip packages
############################
RUN pip3 install yq && echo 'PATH=~/.local/bin:$PATH' >> ~/.bashrc
############################
# Ocaml
############################
USER dark
ENV ESY__PROJECT=/home/dark/app
############################
# Shellcheck
# Ubuntu has a very old version
############################
RUN \
VERSION=v0.7.0 \
&& FILENAME=shellcheck-$VERSION.linux.x86_64.tar.xz \
&& wget -P tmp_install_folder/ https://shellcheck.storage.googleapis.com/$FILENAME \
&& tar xvf tmp_install_folder/$FILENAME -C tmp_install_folder \
&& sudo cp tmp_install_folder/shellcheck-$VERSION/shellcheck /usr/bin/shellcheck \
&& rm -Rf tmp_install_folder
####################################
# Honeytail and honeymarker installs
####################################
RUN wget -q https://honeycomb.io/download/honeytail/linux/honeytail_1.762_amd64.deb && \
echo 'd7bed8a005cbc6a34b232c54f0f84b945f0bb90905c67f85cceaedee9bbbad1e honeytail_1.762_amd64.deb' | sha256sum -c && \
sudo dpkg -i honeytail_1.762_amd64.deb && \
rm honeytail_1.762_amd64.deb
RUN wget -q https://honeycomb.io/download/honeymarker/linux/honeymarker_1.9_amd64.deb && \
echo '5aa10dd42f4f369c9463a8c8a361e46058339e6273055600ddad50e1bcdf2149 honeymarker_1.9_amd64.deb' | sha256sum -c && \
sudo dpkg -i honeymarker_1.9_amd64.deb && \
rm honeymarker_1.9_amd64.deb
#############
# tunnel user
#############
USER root
RUN adduser --disabled-password --gecos '' --gid ${gid} tunnel
############################
# Environment
############################
USER dark
ENV TERM=xterm-256color
############################
# Finish
############################
user dark
CMD ["app", "scripts", "builder"]
########################
# Install Rust toolchain
# This is in a separate container to save time in CI
########################
FROM dark-base
USER root
ENV RUSTUP_HOME=/usr/local/rustup \
CARGO_HOME=/usr/local/cargo \
PATH=/usr/local/cargo/bin:$PATH \
RUST_VERSION=1.40.0
RUN curl https://sh.rustup.rs -sSf | sh -s -- -y --profile minimal --default-toolchain $RUST_VERSION \
&& rustup --version \
&& cargo --version \
&& rustc --version
# install Rust dev tools
RUN rustup component add clippy-preview rustfmt-preview
RUN cargo install cargo-cache --no-default-features --features ci-autoclean
# Once we have cargo and things installed in /usr/local/cargo and that added to PATH,
# reset CARGO_HOME so that we can use it as a project cache directory like normal.
ENV CARGO_HOME=/home/dark/.cargo
######################
# Quick hacks here, to avoid massive recompiles
######################
RUN wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 \
-O /usr/bin/cloud_sql_proxy \
&& chmod +x /usr/bin/cloud_sql_proxy
RUN apt update && apt install -y dnsutils \
jq && \
apt clean && \
rm -rf /var/lib/apt/lists/*
user dark