Oraclelinux docker build #275
Closed
5 commits
ceaef38 build: refactor docker build (jraman567)
ed4fb2e build: add support of Oracle Linux container build (jraman567)
1367e51 selinux: disarm selinux labeling (jraman567)
0087c6e docker volume permission: logs location (jraman567)
d43d959 fix(manager:) copy logs recursively (jraman567)
@@ -0,0 +1,76 @@ | ||
FROM container-registry.oracle.com/os/oraclelinux:9 as veraison-builder | ||
|
||
# User identity that will be used to build the project. This should be | ||
# overriden at build time to match the host user running the builder, who owns | ||
# the git checkout of the source. | ||
ARG BUILDER_UID=1000 | ||
ARG BUILDER_GID=1000 | ||
|
||
RUN cat /etc/redhat-release | ||
RUN dnf config-manager --set-enabled ol9_codeready_builder | ||
RUN dnf install -y git | ||
RUN dnf install -y make | ||
|
||
RUN dnf update -y \ | ||
&& dnf install -y \ | ||
protobuf* \ | ||
sqlite \ | ||
uuid \ | ||
gettext \ | ||
vim \ | ||
jq \ | ||
iputils \ | ||
nmap \ | ||
wget \ | ||
sudo \ | ||
ca-certificates \ | ||
gcc \ | ||
&& uuidgen | tr -d - > /etc/machine-id \ | ||
&& rm -rf /var/tmp/* /tmp/* | ||
|
||
|
||
SHELL ["/bin/bash", "-c"] | ||
|
||
# Builder password is "builder" (sans quotes). | ||
RUN groupadd -g ${BUILDER_GID} builder && \ | ||
groupadd -g 616 veraison && \ | ||
useradd -m -u ${BUILDER_UID} -g builder -G root,veraison,wheel -p paxyJoB0NZsNU -s /bin/bash builder | ||
|
||
RUN groupadd -g 1001 opc | ||
RUN useradd -m -u 1001 -g opc -G root,veraison,wheel -p paxyJoB0NZsNU -s /bin/bash opc | ||
|
||
ADD --chown=root:root rootCA.crt /etc/pki/ca-trust/source/anchors/veraison-ca.crt | ||
RUN update-ca-trust | ||
|
||
RUN wget https://go.dev/dl/go1.23.1.linux-amd64.tar.gz | ||
RUN rm -rf /usr/local/go | ||
RUN tar -C /usr/local -xzf go1.23.1.linux-amd64.tar.gz | ||
ENV PATH=$PATH:/usr/local/go/bin | ||
|
||
WORKDIR /veraison | ||
|
||
RUN chown -R builder:builder /veraison | ||
|
||
#USER builder | ||
|
||
RUN mkdir --mode=775 logs stores | ||
ADD --chown=builder:builder go.mod go.sum ./ | ||
|
||
# Download Go modules | ||
RUN go mod download &&\ | ||
go install golang.org/x/tools/gopls@latest &&\ | ||
go install golang.org/x/tools/cmd/guru@latest &&\ | ||
go install github.com/golang/mock/[email protected] &&\ | ||
go install google.golang.org/protobuf/cmd/protoc-gen-go@latest &&\ | ||
go install google.golang.org/grpc/cmd/[email protected] &&\ | ||
go install github.com/mitchellh/[email protected] &&\ | ||
go install github.com/veraison/corim/cocli@latest &&\ | ||
go install github.com/veraison/evcli/v2@latest &&\ | ||
go install github.com/veraison/pocli@latest &&\ | ||
go install github.com/go-delve/delve/cmd/dlv@latest | ||
|
||
ADD --chown=builder:builder builder-dispatcher . | ||
ADD --chown=builder:builder builder-bashrc /home/builder/.bashrc | ||
|
||
ENTRYPOINT ["/veraison/builder-dispatcher"] | ||
CMD ["help"] |
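Review bot: the Go toolchain fetched by `RUN wget https://go.dev/dl/go1.23.1.linux-amd64.tar.gz` is unpacked with no integrity check, so the builder image trusts whatever the download returns; go.dev publishes a SHA-256 for each archive, so pin the expected digest in a build ARG and fail the build with `sha256sum -c` before `RUN tar -C /usr/local -xzf go1.23.1.linux-amd64.tar.gz`. In the `go mod download` step some `go install` lines are pinned to a version while gopls, guru, protoc-gen-go, cocli, evcli, pocli and dlv use `@latest`, which resolves differently on every build; pin them the way the others already are. Two accounts, `builder` and `opc`, are created with the same fixed hash (`-p paxyJoB0NZsNU`, documented as password "builder") and both are added to `root` and `wheel`; that is tolerable for a throwaway development builder but deserves a comment saying so. With `#USER builder` commented out, every later layer, including the module download and tool installs, runs as root, so the module cache and the installed binaries land under root's home rather than builder's; confirm that builder-dispatcher expects that layout. Minor: `nmap` and `vim` are unlikely to be needed in a build stage, `RUN cat /etc/redhat-release` adds a layer for no effect, and the comment above `ARG BUILDER_UID` misspells "overridden".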
@@ -0,0 +1,20 @@ | ||
FROM quay.io/keycloak/keycloak:22.0.1 as keycloak-builder | ||
|
||
WORKDIR /opt/keycloak | ||
# note: for development set up early; use proper certification in production. | ||
RUN keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 \ | ||
-dname "CN=server" -alias server -ext "SAN:c=DNS:localhost,IP:127.0.0.1" \ | ||
-keystore conf/server.keystore | ||
|
||
RUN /opt/keycloak/bin/kc.sh build | ||
|
||
FROM quay.io/keycloak/keycloak:22.0.1 | ||
COPY --from=keycloak-builder /opt/keycloak/ /opt/keycloak/ | ||
COPY keycloak.conf /opt/keycloak/conf/keycloak.conf | ||
COPY veraison-realm.json /opt/keycloak/data/import/veraison-realm.json | ||
COPY --chown=keycloak certs/keycloak.crt certs/keycloak.key /opt/keycloak/ | ||
|
||
ENTRYPOINT ["/opt/keycloak/bin/kc.sh"] | ||
CMD ["start", "--optimized", "--import-realm", "--verbose", \ | ||
"--https-certificate-file", "/opt/keycloak/keycloak.crt", \ | ||
"--https-certificate-key-file", "/opt/keycloak/keycloak.key"] |
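Review bot: the `keytool -genkeypair -storepass password ...` step writes a self-signed key protected by a fixed password into conf/server.keystore in the builder stage, and `COPY --from=keycloak-builder /opt/keycloak/ /opt/keycloak/` then carries that keystore into the final image even though HTTPS is configured from `/opt/keycloak/keycloak.crt` and `/opt/keycloak/keycloak.key` in CMD; if the keystore exists only to satisfy `kc.sh build`, delete it before the copy, or copy only the build output, so the image does not ship a second, predictable TLS identity. `COPY --chown=keycloak certs/keycloak.crt certs/keycloak.key /opt/keycloak/` also bakes the private key into an image layer, where anyone who can pull the image can read it; for anything beyond local development mount the key at runtime instead. Minor: `--verbose` in CMD is a debugging option, and "use proper certification in production" in the comment should read "certificate".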
@@ -0,0 +1,31 @@ | ||
# Management service container. | ||
# The context for building this image is assumed to be the Veraison deployment | ||
# directory (/tmp/veraison is the default for make build). | ||
FROM container-registry.oracle.com/os/oraclelinux:9 as veraison-management | ||
|
||
RUN dnf update -y \ | ||
&& dnf install -y \ | ||
uuid \ | ||
ca-certificates \ | ||
&& uuidgen | tr -d - > /etc/machine-id \ | ||
&& rm -rf /var/tmp/* /tmp/* | ||
|
||
RUN groupadd -g 616 veraison && \ | ||
useradd -m -g veraison --system veraison | ||
|
||
ADD --chown=root:root certs/rootCA.crt /etc/pki/ca-trust/source/anchors/veraison-ca.crt | ||
RUN update-ca-trust | ||
|
||
USER veraison | ||
|
||
WORKDIR /opt/veraison | ||
|
||
RUN mkdir -p --mode=0775 logs/logs | ||
|
||
ADD --chown=veraison:nobody plugins plugins | ||
ADD --chown=veraison:nobody config.yaml management-service service-entrypoint \ | ||
certs/management.crt certs/management.key ./ | ||
|
||
ENTRYPOINT ["/opt/veraison/service-entrypoint"] | ||
CMD ["/opt/veraison/management-service"] | ||
|
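Review bot: `RUN mkdir -p --mode=0775 logs/logs` creates a nested logs directory with no comment explaining why, while the equivalent `stores/vts` workaround in the vts Dockerfile carries a full justification; since the PR discussion says the logs problem may be specific to one setup, either document the reason here or drop the extra level. `ADD` is used throughout for plain local files (`ADD --chown=veraison:nobody plugins plugins` and the config, binary and cert lines); `COPY` is the conventional choice unless ADD's automatic tar extraction or URL fetching is wanted, and ADD on a directory that might one day contain an archive is a quiet way to get unexpected extraction. Also `dnf update -y` without a `dnf clean all` leaves the package cache in the layer and ties the image content to the build date.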
@@ -0,0 +1,43 @@ | ||
# VTS service container. | ||
# The context for building this image is assumed to be the Veraison deployment | ||
# directory (/tmp/veraison is the default for make build). | ||
FROM container-registry.oracle.com/os/oraclelinux:9 as veraison-verification | ||
|
||
# User identity that will be used to build the project. This should be | ||
# overriden at build time to match the host user running the builder, who owns | ||
# the git checkout of the source. | ||
ARG MANAGER_UID=1000 | ||
ARG MANAGER_GID=1000 | ||
ARG VERAISON_GID=616 | ||
|
||
RUN dnf update -y \ | ||
&& dnf install -y \ | ||
sqlite \ | ||
jq \ | ||
uuid \ | ||
ca-certificates \ | ||
&& uuidgen | tr -d - > /etc/machine-id \ | ||
&& rm -rf /var/tmp/* /tmp/* | ||
|
||
RUN groupadd -g ${MANAGER_GID} manager && \ | ||
groupadd -g ${VERAISON_GID} veraison && \ | ||
useradd -m -u ${MANAGER_UID} -g manager -G veraison -s /bin/bash manager | ||
|
||
ADD --chown=root:root certs/rootCA.crt /etc/pki/ca-trust/source/anchors/veraison-ca.crt | ||
RUN update-ca-trust | ||
|
||
USER manager | ||
|
||
WORKDIR /opt/veraison | ||
|
||
RUN mkdir -p --mode=0775 logs/logs | ||
|
||
RUN mkdir -p /home/manager/.config/pocli && \ | ||
echo "host: management-service" > /home/manager/.config/pocli/config.yaml | ||
|
||
ADD --chown=manager:nobody utils/evcli utils/cocli utils/pocli ./utils/ | ||
ADD --chown=manager:nobody manager-dispatcher ./ | ||
|
||
ENTRYPOINT ["/opt/veraison/manager-dispatcher"] | ||
CMD ["help"] | ||
|
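Review bot: the header reads `# VTS service container.` and the stage is declared `as veraison-verification`, but this file builds the manager (it creates the `manager` user, writes the pocli config and sets `ENTRYPOINT ["/opt/veraison/manager-dispatcher"]`); the verification Dockerfile in this PR uses the same stage name, so rename this stage (veraison-manager, for instance) and correct the comment before the two names collide in a multi-target build. The comment above `ARG MANAGER_UID` ("User identity that will be used to build the project") is copied from the builder and no longer says what MANAGER_UID is for, namely matching the host user so the shared volumes stay writable, which is exactly what the vts comment explains. `echo "host: management-service" > /home/manager/.config/pocli/config.yaml` fixes the service hostname at build time; that is fine for compose, but worth a comment if the deployment allows renaming services.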
@@ -0,0 +1,31 @@ | ||
# Provisioning service container. | ||
# The context for building this image is assumed to be the Veraison deployment | ||
# directory (/tmp/veraison is the default for make build). | ||
FROM container-registry.oracle.com/os/oraclelinux:9 as veraison-provisioning | ||
|
||
RUN dnf update -y \ | ||
&& dnf install -y \ | ||
uuid \ | ||
ca-certificates \ | ||
&& uuidgen | tr -d - > /etc/machine-id \ | ||
&& rm -rf /var/tmp/* /tmp/* | ||
|
||
RUN groupadd -g 616 veraison && \ | ||
useradd -m -g veraison --system veraison | ||
|
||
ADD --chown=root:root certs/rootCA.crt /etc/pki/ca-trust/source/anchors/veraison-ca.crt | ||
RUN update-ca-trust | ||
|
||
USER veraison | ||
|
||
WORKDIR /opt/veraison | ||
|
||
RUN mkdir -p --mode=0775 logs/logs | ||
|
||
ADD --chown=veraison:nobody plugins plugins | ||
ADD --chown=veraison:nobody config.yaml provisioning-service service-entrypoint \ | ||
certs/provisioning.crt certs/provisioning.key ./ | ||
|
||
ENTRYPOINT ["/opt/veraison/service-entrypoint"] | ||
CMD ["/opt/veraison/provisioning-service"] | ||
|
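Review bot: `uuidgen | tr -d - > /etc/machine-id` runs at build time, so every container started from this image reports the same machine-id, and the same line is repeated in each service Dockerfile; if nothing in Veraison reads the value, drop it, otherwise generate it from service-entrypoint at start-up so each instance is distinct. `ADD --chown=veraison:nobody ... certs/provisioning.crt certs/provisioning.key ./` places the service's private key in an image layer, readable by anyone with pull access to the image; a runtime volume or Docker secret keeps the key out of the image. The `useradd -m -g veraison --system veraison` line also pins the group to 616 but lets the UID float, which is fine until someone inspects the logs volume from the host and wonders which UID owns it.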
@@ -0,0 +1,30 @@ | ||
# Verification service container. | ||
# The context for building this image is assumed to be the Veraison deployment | ||
# directory (/tmp/veraison is the default for make build). | ||
FROM container-registry.oracle.com/os/oraclelinux:9 as veraison-verification | ||
|
||
RUN dnf update -y \ | ||
&& dnf install -y \ | ||
uuid \ | ||
ca-certificates \ | ||
&& uuidgen | tr -d - > /etc/machine-id \ | ||
&& rm -rf /var/tmp/* /tmp/* | ||
|
||
RUN groupadd -g 616 veraison && \ | ||
useradd -m -g veraison --system veraison | ||
|
||
ADD --chown=root:root certs/rootCA.crt /etc/pki/ca-trust/source/anchors/veraison-ca.crt | ||
RUN update-ca-trust | ||
|
||
USER veraison | ||
|
||
WORKDIR /opt/veraison | ||
|
||
RUN mkdir -p --mode=0775 logs/logs | ||
|
||
ADD --chown=veraison:nobody config.yaml verification-service service-entrypoint \ | ||
certs/verification.crt certs/verification.key ./ | ||
|
||
ENTRYPOINT ["/opt/veraison/service-entrypoint"] | ||
CMD ["/opt/veraison/verification-service"] | ||
|
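Review bot: this file adds `config.yaml verification-service service-entrypoint` and the certs but, unlike the management, provisioning and vts Dockerfiles in this PR, no `plugins` directory; if the verification service never loads plugins, a one-line comment saying so would stop the next reader from treating it as an omission. The rest of the file is a copy of the provisioning one (same `dnf update -y` block, same `groupadd -g 616 veraison`, same `mkdir -p --mode=0775 logs/logs`), so consider a shared base stage or a template to keep the five service images from drifting apart; the mislabelled header in the manager file shows how easily that happens.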
@@ -0,0 +1,45 @@ | ||
# VTS service container. | ||
# The context for building this image is assumed to be the Veraison deployment | ||
# directory (/tmp/veraison is the default for make build). | ||
FROM container-registry.oracle.com/os/oraclelinux:9 as veraison-vts | ||
|
||
RUN dnf update -y \ | ||
&& dnf install -y \ | ||
uuid \ | ||
ca-certificates \ | ||
&& uuidgen | tr -d - > /etc/machine-id \ | ||
&& rm -rf /var/tmp/* /tmp/* | ||
|
||
RUN groupadd -g 616 veraison && \ | ||
useradd -m -g veraison --system veraison | ||
|
||
ADD --chown=root:root certs/rootCA.crt /etc/pki/ca-trust/source/anchors/veraison-ca.crt | ||
RUN update-ca-trust | ||
|
||
USER veraison | ||
|
||
WORKDIR /opt/veraison | ||
|
||
# The stores should be modifiable by any member of group veraison (GID 616). | ||
# This is to allow both the vts services' veraison user, and the manger's | ||
# manager user to modify them. We can't simply match UID's of the users in the | ||
# two containers because the manager has to UID-match the host's user. In order | ||
# for a database to be modifiable, sqlite3 requires that not only the file is | ||
# writable, but that the directory containing the file is also writable. When | ||
# docker creates a mount point, the mode bits are set based on umask, and there | ||
# does not appear to be a way to override that on case-by-case basis. To get | ||
# around that, we need to create a subdirectory under the mount point, that we | ||
# _can_ set mode bits on. Hence the stores are deployed into vts/ subdir inside | ||
# the volume. | ||
RUN mkdir -p --mode=0775 stores/vts | ||
|
||
RUN mkdir -p --mode=0775 logs/logs | ||
|
||
ADD --chown=veraison:nobody plugins plugins | ||
ADD --chown=veraison:veraison --chmod=0660 stores/* stores/vts | ||
ADD --chown=veraison:nobody config.yaml skey.jwk vts-service service-entrypoint \ | ||
certs/vts.crt certs/vts.key ./ | ||
|
||
ENTRYPOINT ["/opt/veraison/service-entrypoint"] | ||
CMD ["/opt/veraison/vts-service"] | ||
|
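Review bot: `ADD --chown=veraison:nobody config.yaml skey.jwk vts-service service-entrypoint ...` bakes skey.jwk, which by its name is a private signing key, into an image layer; anything signed with that key is only as trustworthy as the image registry's access control, so this file in particular should arrive at runtime (a volume or Docker secret consumed by service-entrypoint) rather than through the build context. `ADD --chown=veraison:veraison --chmod=0660 stores/* stores/vts` depends on `--chmod`, which the classic builder rejects; a `# syntax=` directive or a note that BuildKit is required would save a confusing failure. The comment above `RUN mkdir -p --mode=0775 stores/vts` is the kind of explanation the other Dockerfiles lack; "manger's" should read "manager's", and the `logs/logs` directory created right after it deserves the same treatment.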
File renamed without changes.
File renamed without changes.
Why is the container distro determined by the host distro? The two should be independent. Just set it to "ubuntu", and allow overriding from the environment
(and this should probably go into the .cfg file along with other deployment configs).
Hi Sergei, Docker Ubuntu container images are not available within the Oracle network, so we cannot perform Veraison Docker builds with Ubuntu. Therefore, we have decided to add support for building Veraison using Oracle Linux containers.
I cannot reproduce the issue with the "logs" subdirectory on fresh Oracle Linux images, so I assume it is specific to my setup. We do not need this fix, and I will submit a new pull request without it.
I saw a similar workaround for the "stores" volume in "vts.docker". So, I wouldn't be surprised if it reproduces for someone in the future. We don't need these fixes for now, and we can stash it for later.
I'll try to reproduce this. I assume your host is running Ubuntu. @setrofim Is that correct?
ACK
OK
Arch
Docker version 27.3.1, build ce1223035a
Thanks