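# syntax=docker/dockerfile:1
################################################################################
##
## OpenSensorHub Node
## Nicolas Garay
##
## Builds a container image of the OpenSensorHub Node. This Dockerfile assumes
## that it can pull source code from OpenSensorHub public GitHub repos and other
## repos as well. The target source code is built in a throw-away build stage;
## only the packaged distribution is copied into the deploy image.
##
################################################################################
## Based on Dockerfile template provided in RepositoryTemplate repository.
## Build arguments outside image context. They are only visible to the FROM
## lines below (an ARG declared before the first FROM is not available inside
## a stage unless redeclared there).
ARG BASE_REGISTRY=docker.io
ARG BASE_BUILD_IMAGE=library/ubuntu
ARG BASE_BUILD_TAG=22.04
ARG BASE_DEPLOY_IMAGE=library/ubuntu
ARG BASE_DEPLOY_TAG=22.04

################################################################################
## Build stage: clones the sources, runs the Gradle build and unpacks the
## resulting distribution. Nothing from this stage reaches the final image
## except what the deploy stage copies explicitly with COPY --from, so there is
## no need to uninstall build tools here.
################################################################################
FROM ${BASE_REGISTRY}/${BASE_BUILD_IMAGE}:${BASE_BUILD_TAG} AS build_container
## Working directory. Created if it doesn't exist. Absolute path (hadolint
## DL3000); the previous relative "buildDir" resolved to the same /buildDir.
WORKDIR /buildDir
## root user
USER root
## Install build dependencies.
# ca-certificates - explicit because it is only a Recommends of git and is
#                   required for https clones
# git             - to clone the sources
# openjdk-17-jdk  - to run the Gradle build
# unzip           - to unpack the built distribution here rather than in the
#                   deploy image, so the deploy image never needs an archive tool
# apt-get (not apt) throughout: apt's CLI is not stable for scripts (hadolint
# DL3027). update + install in one layer avoids a stale package index.
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
      ca-certificates \
      git \
      openjdk-17-jdk \
      unzip \
 && rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*
## Copy source
# Retrieve the sources from a repo using the REPO_URL and BRANCH passed as
# build arguments. Declared as late as possible so changing them only
# invalidates the layers below. REPO_URL must not embed credentials: build
# args are visible in `docker history`; use --mount=type=ssh or a secret mount
# for private repositories instead.
ARG REPO_URL
ARG BRANCH
RUN git clone -b "${BRANCH}" --recursive "${REPO_URL}" .
# Run the build excluding unit tests. The cache mount keeps the Gradle wrapper
# distribution and dependency cache between builds without adding them to a
# layer.
RUN --mount=type=cache,target=/root/.gradle \
    chmod +x ./gradlew \
 && ./gradlew build -x test
# Unpack the distribution here so the deploy image neither needs unzip nor
# carries the zip in /tmp. The archive is expected to contain a single
# top-level osh-core-osgi-<version>/ directory, which becomes /out/osh; if the
# glob matches more than one entry, mv fails and so does the build. The
# shipped config.json, logback.xml and launch.bat are dropped in favour of the
# versions copied from the build context in the deploy stage.
RUN mkdir -p /out /tmp/dist \
 && unzip -q build/distributions/osh-core-osgi*.zip -d /tmp/dist \
 && mv /tmp/dist/osh-core-osgi* /out/osh \
 && rm /out/osh/config.json /out/osh/logback.xml /out/osh/launch.bat

################################################################################
## Deploy stage: runtime image with a JRE and the unpacked node.
################################################################################
FROM ${BASE_REGISTRY}/${BASE_DEPLOY_IMAGE}:${BASE_DEPLOY_TAG} AS deploy_container
## Environment variables in image build context. These will be available until image is built or next FROM statement.
# ARG <VARIABLE><=default value>
## Environment variable(s) in image context. These will be available in image after it has been built.
ENV OSH_HOME=/opt/osh
## Working directory. Created if it doesn't exist by default.
WORKDIR ${OSH_HOME}
## root user (numeric, so the build does not depend on /etc/passwd contents)
USER 0:0
## Install runtime dependencies. Only the JRE is needed: the distribution is
## unpacked in the build stage, so no archive tool is installed here.
# NOTE(review): Recommends of openjdk-17-jre are kept deliberately (fonts, GTK
# bridges for the non-headless JRE). Switch to openjdk-17-jre-headless with
# --no-install-recommends once it is confirmed the node does not need AWT.
RUN apt-get update \
 && apt-get install -y openjdk-17-jre \
 && rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*
# Override java security settings as provided by MCSCOP ISSE for OSH FIPS compliance
# NOTE(review): sed exits 0 even when the key is absent from the file; verify
# the setting is still present in java.security after a JDK package bump.
RUN sed -i 's/security.useSystemPropertiesFile=true/security.useSystemPropertiesFile=false/g' \
    /etc/java-17-openjdk/security/java.security
# Remove unneeded groups and accounts. OpenSCAP CCE-85987-6.
RUN userdel bin \
 && userdel daemon \
 && userdel lp \
 && userdel sync \
 && userdel mail \
 && groupdel dialout
# We'll run as a non-privileged user with fixed UID 14242 / GID 14243 (high and
# numeric so runtimes enforcing runAsNonRoot can verify them and they do not
# collide with host accounts).
ARG USERNAME=osh
ARG USER_UID=14242
ARG USER_GID=14243
RUN groupadd --gid ${USER_GID} ${USERNAME} \
 && useradd --uid ${USER_UID} --gid ${USER_GID} -m ${USERNAME}
# Create the "real" structure of the install. config, data, db and bundles are
# also declared as volumes at the end of this file.
RUN mkdir -p ${OSH_HOME}/defaultconfig \
             ${OSH_HOME}/defaultbundles \
             ${OSH_HOME}/config \
             ${OSH_HOME}/data \
             ${OSH_HOME}/db \
             ${OSH_HOME}/lib \
             ${OSH_HOME}/bundles
## Copy source
# COPY ./<source file or directory requiring root ownership> <container destination>
# COPY --chown=<default user>:0 ./<source file or directory requiring default user ownership> <container destination>
# COPY --chown=<default user>:0 --from=build_container ./<source file or directory from build_container requiring default user ownership> <container destination>
# The unpacked distribution from the build stage is merged into the directory
# skeleton created above.
COPY --from=build_container /out/osh ${OSH_HOME}
# Keep a pristine copy of the shipped bundles: bundles/ is a volume and may be
# overlaid by the user at runtime.
RUN cp ${OSH_HOME}/bundles/* ${OSH_HOME}/defaultbundles/.
COPY config/config.json config/logback.xml ${OSH_HOME}/defaultconfig/
COPY scripts/launch.sh scripts/load_trusted_certs.sh ${OSH_HOME}
# Set permissions appropriately. All directories are given 770 mode. All files
# are given 660. And "*.sh" in the OSH_HOME dir are given 770. Done once, after
# the last COPY, so nothing under OSH_HOME is left root-owned or world-readable.
RUN chown -R ${USER_UID}:${USER_GID} ${OSH_HOME} \
 && find ${OSH_HOME} -type d -exec chmod 770 {} + \
 && find ${OSH_HOME} -type f -exec chmod 660 {} + \
 && chmod 770 ${OSH_HOME}/*.sh
# CVE-2019-20916, PRISMA-2022-0168: remove the vulnerable pip bundled with
# python3.6. NOTE(review): on the default 22.04 base tag this path is not
# expected to exist, so the step is a no-op kept for older base tags.
RUN rm -rf /usr/lib/python3.6
## Default user
#USER <default user>:0
USER ${USER_UID}:${USER_GID}
## Expose port(s). Documentation only: ports still have to be published at run
## time. Both are above 1024, so the non-root user can bind them.
EXPOSE 8080 8443
## Default startup executable. Will treat elements of 'docker run' command, or elements of "CMD" input, as parameters.
# ENTRYPOINT ["<executable>"]
# Resolved relative to WORKDIR (${OSH_HOME}). The script does a little extra
# setup at startup and ultimately calls "java" to run the SensorHub class.
ENTRYPOINT [ "./launch.sh" ]
## Default startup input. Will be overridden by elements of 'docker run' command.
# CMD ["<input to be run from the working directory>"]
## Declare volume(s) for mount point directories. Declared last, after the
## directories have been populated: content written to a path after its VOLUME
## line is discarded from the image.
# VOLUME [<"/first/container/directory"><, "/second/container/directory", ...]
# Location of config.json and logback.xml.
VOLUME ${OSH_HOME}/config
# Suggested location of any data, such as video files, or other sensor data.
# Can be referenced as "./data" in node configuration paths.
VOLUME ${OSH_HOME}/data
# Suggested location to save H2 database files. Can be referenced as "./db" in
# node configuration.
VOLUME ${OSH_HOME}/db
# Any additional OSGi Bundles that the user may want to include
# after install.
VOLUME ${OSH_HOME}/bundles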