From 3922b13696b85f93936c555085af8209f7148548 Mon Sep 17 00:00:00 2001 From: Katos <7927609+katosdev@users.noreply.github.com> Date: Sun, 5 Jan 2025 15:00:08 +0000 Subject: [PATCH 01/24] Force dockerfile to rootless on rootless build. --- .github/workflows/docker-publish-rootless.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker-publish-rootless.yaml b/.github/workflows/docker-publish-rootless.yaml index e06ae05e0..817826a90 100644 --- a/.github/workflows/docker-publish-rootless.yaml +++ b/.github/workflows/docker-publish-rootless.yaml @@ -93,6 +93,7 @@ jobs: uses: docker/build-push-action@v6 with: platforms: ${{ matrix.platform }} + file: Dockerfile.rootless # Explicitly specify the Dockerfile labels: ${{ steps.meta.outputs.labels }} outputs: type=image,"name=${{ env.DOCKERHUB_REPO }},${{ env.GHCR_REPO }}",push-by-digest=true,name-canonical=true,push=true cache-from: type=registry,ref=ghcr.io/sysadminsmedia/devcache:${{ env.PLATFORM_PAIR }}-${{ env.BRANCH }}-rootless From 62dc9f83c285770872feb16db1be540046c8aea2 Mon Sep 17 00:00:00 2001 From: Matt Kilgore Date: Sun, 5 Jan 2025 10:05:58 -0500 Subject: [PATCH 02/24] Fix missing version information in docker files --- .github/workflows/docker-publish-rootless.yaml | 3 +++ .github/workflows/docker-publish.yaml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/docker-publish-rootless.yaml b/.github/workflows/docker-publish-rootless.yaml index 817826a90..7c6635485 100644 --- a/.github/workflows/docker-publish-rootless.yaml +++ b/.github/workflows/docker-publish-rootless.yaml 
@@ -98,6 +98,9 @@ jobs: outputs: type=image,"name=${{ env.DOCKERHUB_REPO }},${{ env.GHCR_REPO }}",push-by-digest=true,name-canonical=true,push=true cache-from: type=registry,ref=ghcr.io/sysadminsmedia/devcache:${{ env.PLATFORM_PAIR }}-${{ env.BRANCH }}-rootless cache-to: type=registry,ref=ghcr.io/sysadminsmedia/devcache:${{ env.PLATFORM_PAIR}}-${{ env.BRANCH }}-rootless,mode=max + build-args: | + VERSION=${{ github.ref_name }} + COMMIT=${{ github.sha }} - name: Export digest run: | diff --git a/.github/workflows/docker-publish.yaml b/.github/workflows/docker-publish.yaml index 5c4afac53..83f305365 100644 --- a/.github/workflows/docker-publish.yaml +++ b/.github/workflows/docker-publish.yaml @@ -94,6 +94,9 @@ jobs: outputs: type=image,"name=${{ env.DOCKERHUB_REPO }},${{ env.GHCR_REPO }}",push-by-digest=true,name-canonical=true,push=true cache-from: type=registry,ref=ghcr.io/sysadminsmedia/devcache:${{ env.PLATFORM_PAIR }}-${{ env.BRANCH }} cache-to: type=registry,ref=ghcr.io/sysadminsmedia/devcache:${{ env.PLATFORM_PAIR}}-${{ env.BRANCH }},mode=max + build-args: | + VERSION=${{ github.ref_name }} + COMMIT=${{ github.sha }} - name: Export digest run: | From f5e404e6cd9c9895cc5f0000353f8c512b00544e Mon Sep 17 00:00:00 2001 From: Katos <7927609+katosdev@users.noreply.github.com> Date: Sun, 5 Jan 2025 15:07:34 +0000 Subject: [PATCH 03/24] Update to rectify rootless build issues. --- Dockerfile.rootless | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile.rootless b/Dockerfile.rootless index f38e50a06..f6ee1a411 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless 
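Review bot: The new `build-args` block passes VERSION and COMMIT but not BUILD_TIME, which the builder stage declares as `ARG BUILD_TIME` and feeds into `-X main.buildTime=$BUILD_TIME` (see the later Dockerfile.rootless hunks), so the binary's recorded build time stays empty. A third line such as `BUILD_TIME=<timestamp exported by an earlier step>` closes the gap; the same omission is in the docker-publish.yaml hunk of this patch. Note also that `github.ref_name` on pull_request events resolves to `<n>/merge`, so PR builds are stamped with a pseudo-ref rather than a version.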
@@ -53,7 +53,7 @@ ENV HBOX_STORAGE_SQLITE_URL=/data/homebox.db?_fk=1&_time_format=sqlite # Copy the binary and data directory, change ownership COPY --from=builder /go/bin/api /app COPY --from=builder /data /data -COPY --from=ghcr.io/rockylinux/alpine:latest /bin/wget /usr/bin/wget +COPY --from=public.ecr.aws/docker/library/alpine:latest /bin/wget /usr/bin/wget LABEL Name=homebox Version=0.0.1 LABEL org.opencontainers.image.source="https://github.com/sysadminsmedia/homebox" From 8d3de1a1e5173d7f1c2ed980db7a69487d977c8d Mon Sep 17 00:00:00 2001 From: Katos <7927609+katosdev@users.noreply.github.com> Date: Sun, 5 Jan 2025 15:13:23 +0000 Subject: [PATCH 04/24] Update Dockerfile.rootless to fix wget --- Dockerfile.rootless | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Dockerfile.rootless b/Dockerfile.rootless index f6ee1a411..a3357992f 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless @@ -54,6 +54,8 @@ ENV HBOX_STORAGE_SQLITE_URL=/data/homebox.db?_fk=1&_time_format=sqlite COPY --from=builder /go/bin/api /app COPY --from=builder /data /data COPY --from=public.ecr.aws/docker/library/alpine:latest /bin/wget /usr/bin/wget +COPY --from=public.ecr.aws/docker/library/alpine:latest /lib /lib +COPY --from=public.ecr.aws/docker/library/alpine:latest /usr/lib /usr/lib LABEL Name=homebox Version=0.0.1 LABEL org.opencontainers.image.source="https://github.com/sysadminsmedia/homebox" From f30ccec451788ea4b394029e6502a8690a9bad86 Mon Sep 17 00:00:00 2001 From: Katos <7927609+katosdev@users.noreply.github.com> Date: Sun, 5 Jan 2025 15:15:38 +0000 Subject: [PATCH 05/24] Update Dockerfile.rootless to use Curl instead of wget --- Dockerfile.rootless | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile.rootless b/Dockerfile.rootless index a3357992f..cb6bdc7fc 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless 
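Review bot: The new COPY source `public.ecr.aws/docker/library/alpine:latest` is a floating tag, so the wget binary that lands in the production image changes whenever the tag moves and cannot be reproduced from this Dockerfile; pin it, `COPY --from=public.ecr.aws/docker/library/alpine:<version>@sha256:<digest> /bin/wget /usr/bin/wget`. The same floating tag is used for the distroless and alpine `FROM` lines in the later Dockerfile.rootless hunks (patches 09–13 and the production stage of patch 16). Separately, on Alpine `/bin/wget` is a busybox applet dynamically linked against musl, so a copy into a distroless static base presumably has no loader for it — the follow-up patch copying `/lib` points the same way.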
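Review bot: Copying the whole `/lib` and `/usr/lib` trees out of `alpine:latest` pulls every library Alpine ships at build time into the distroless image, not just what wget needs, and removes the minimal-surface reason for using distroless at all. If a probe binary is needed in a distroless static image, a statically linked one (or the application's own status endpoint checked in-process) keeps a second libc out of the runtime; otherwise the runtime base should be the one that natively provides the tool.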
@@ -53,19 +53,19 @@ ENV HBOX_STORAGE_SQLITE_URL=/data/homebox.db?_fk=1&_time_format=sqlite # Copy the binary and data directory, change ownership COPY --from=builder /go/bin/api /app COPY --from=builder /data /data -COPY --from=public.ecr.aws/docker/library/alpine:latest /bin/wget /usr/bin/wget -COPY --from=public.ecr.aws/docker/library/alpine:latest /lib /lib -COPY --from=public.ecr.aws/docker/library/alpine:latest /usr/lib /usr/lib +# Add curl instead of wget from alpine +COPY --from=public.ecr.aws/docker/library/alpine:latest /usr/bin/curl /usr/bin/curl LABEL Name=homebox Version=0.0.1 LABEL org.opencontainers.image.source="https://github.com/sysadminsmedia/homebox" EXPOSE 7745 +# Update HEALTHCHECK to use curl HEALTHCHECK --interval=30s \ --timeout=5s \ --start-period=5s \ --retries=3 \ - CMD ["/usr/bin/wget", "--no-verbose", "--tries=1", "-O", "-", "http://localhost:7745/api/v1/status"] + CMD ["/usr/bin/curl", "--silent", "--fail", "http://localhost:7745/api/v1/status"] VOLUME ["/data"] From 342caf2e6bd788eda1dc101e4c8ed8ea4bdad405 Mon Sep 17 00:00:00 2001 From: Katos <7927609+katosdev@users.noreply.github.com> Date: Sun, 5 Jan 2025 15:21:08 +0000 Subject: [PATCH 06/24] Update docker-publish-rootless.yaml --- .github/workflows/docker-publish-rootless.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker-publish-rootless.yaml b/.github/workflows/docker-publish-rootless.yaml index 7c6635485..9ff2630d2 100644 --- a/.github/workflows/docker-publish-rootless.yaml +++ b/.github/workflows/docker-publish-rootless.yaml @@ -93,6 +93,7 @@ jobs: uses: docker/build-push-action@v6 with: platforms: ${{ matrix.platform }} + context: . file: Dockerfile.rootless # Explicitly specify the Dockerfile labels: ${{ steps.meta.outputs.labels }} outputs: type=image,"name=${{ env.DOCKERHUB_REPO }},${{ env.GHCR_REPO }}",push-by-digest=true,name-canonical=true,push=true From 40ba888e05b807133adee1629bb5a8d3f8f60909 Mon Sep 17 00:00:00 2001 
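Review bot: The official `alpine` image does not ship curl — only busybox applets such as wget — so `COPY --from=public.ecr.aws/docker/library/alpine:latest /usr/bin/curl /usr/bin/curl` fails at build time with a not-found error, and the HEALTHCHECK rewritten to `/usr/bin/curl` below has nothing to run. A curl binary would have to come from a stage that `apk add`s it, and like the wget case it is dynamically linked and will not start inside distroless static without its libraries. The comment `# Update HEALTHCHECK to use curl` describes the edit rather than the instruction and should be dropped or turned into a reason.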
From: Katos <7927609+katosdev@users.noreply.github.com> Date: Sun, 5 Jan 2025 15:24:25 +0000 Subject: [PATCH 07/24] Migrate context to variable. --- .../workflows/docker-publish-rootless.yaml | 27 +++++++++---------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/.github/workflows/docker-publish-rootless.yaml b/.github/workflows/docker-publish-rootless.yaml index 9ff2630d2..bd6603a80 100644 --- a/.github/workflows/docker-publish-rootless.yaml +++ b/.github/workflows/docker-publish-rootless.yaml @@ -31,10 +31,10 @@ jobs: build: runs-on: ubuntu-latest permissions: - contents: read # Allows access to repository contents (read-only) - packages: write # Allows pushing to GHCR - id-token: write # Allows identity token write access for authentication - attestations: write # Needed for signing and attestation (if required) + contents: read + packages: write + id-token: write + attestations: write strategy: fail-fast: false @@ -54,7 +54,6 @@ jobs: echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV branch=${{ github.event.pull_request.number || github.ref_name }} echo "BRANCH=${branch//\//-}" >> $GITHUB_ENV - - name: Docker meta id: meta @@ -75,7 +74,7 @@ jobs: with: registry: ghcr.io username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} # The GitHub token with the necessary permissions + password: ${{ secrets.GITHUB_TOKEN }} - name: Set up QEMU uses: docker/setup-qemu-action@v3 
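Review bot: Dropping the trailing comments on the `permissions` block removes the only explanation of why the build job needs `packages: write`, `id-token: write` and `attestations: write`, which are exactly the settings a reviewer wants justified; the same deletion is repeated for the merge job in the @@ -120 hunk and for `password: ${{ secrets.GITHUB_TOKEN }}`. A short per-line note such as `id-token: write  # OIDC token for keyless signing / attestations` costs nothing and records the least-privilege intent. If the comments were removed for formatting, aligning them with two spaces before `#` satisfies YAML linters.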
@@ -92,16 +91,16 @@ jobs: id: build uses: docker/build-push-action@v6 with: - platforms: ${{ matrix.platform }} - context: . + context: ${{ github.workspace }} # Explicitly specify the build context file: Dockerfile.rootless # Explicitly specify the Dockerfile + platforms: ${{ matrix.platform }} labels: ${{ steps.meta.outputs.labels }} outputs: type=image,"name=${{ env.DOCKERHUB_REPO }},${{ env.GHCR_REPO }}",push-by-digest=true,name-canonical=true,push=true cache-from: type=registry,ref=ghcr.io/sysadminsmedia/devcache:${{ env.PLATFORM_PAIR }}-${{ env.BRANCH }}-rootless - cache-to: type=registry,ref=ghcr.io/sysadminsmedia/devcache:${{ env.PLATFORM_PAIR}}-${{ env.BRANCH }}-rootless,mode=max + cache-to: type=registry,ref=ghcr.io/sysadminsmedia/devcache:${{ env.PLATFORM_PAIR }}-${{ env.BRANCH }}-rootless,mode=max build-args: | VERSION=${{ github.ref_name }} - COMMIT=${{ github.sha }} + COMMIT=${{ github.sha }} - name: Export digest run: | @@ -120,10 +119,10 @@ jobs: merge: runs-on: ubuntu-latest permissions: - contents: read # Allows access to repository contents (read-only) - packages: write # Allows pushing to GHCR! - id-token: write # Allows identity token write access for authentication - attestations: write # Needed for signing and attestation (if required) + contents: read + packages: write + id-token: write + attestations: write needs: - build From 587887080910d8f2aea5e471325a31caf9f3aa6b Mon Sep 17 00:00:00 2001 From: Katos <7927609+katosdev@users.noreply.github.com> Date: Sun, 5 Jan 2025 15:27:03 +0000 Subject: [PATCH 08/24] Losing the will to live, one commit at a time --- .github/workflows/docker-publish-rootless.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-publish-rootless.yaml b/.github/workflows/docker-publish-rootless.yaml index bd6603a80..3639c64aa 100644 --- a/.github/workflows/docker-publish-rootless.yaml +++ b/.github/workflows/docker-publish-rootless.yaml 
@@ -91,8 +91,8 @@ jobs: id: build uses: docker/build-push-action@v6 with: - context: ${{ github.workspace }} # Explicitly specify the build context - file: Dockerfile.rootless # Explicitly specify the Dockerfile + context: . # Explicitly specify the build context + file: ./Dockerfile.rootless # Explicitly specify the Dockerfile platforms: ${{ matrix.platform }} labels: ${{ steps.meta.outputs.labels }} outputs: type=image,"name=${{ env.DOCKERHUB_REPO }},${{ env.GHCR_REPO }}",push-by-digest=true,name-canonical=true,push=true From f56067ac5c758595273dcfa474b75881e5618d0f Mon Sep 17 00:00:00 2001 From: Katos <7927609+katosdev@users.noreply.github.com> Date: Sun, 5 Jan 2025 15:31:16 +0000 Subject: [PATCH 09/24] Update Dockerfile.rootless --- Dockerfile.rootless | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile.rootless b/Dockerfile.rootless index cb6bdc7fc..d294b4f98 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless @@ -44,7 +44,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \ RUN chown -R nonroot:nonroot /go/bin/api /go/src/app # Production stage with distroless -FROM ghcr.io/distroless/static:latest +FROM ghcr.io/distroless/base:latest ENV HBOX_MODE=production ENV HBOX_STORAGE_DATA=/data/ From d8c98d1bdbf8bdab52b738cb6ab85f2c91e6a80c Mon Sep 17 00:00:00 2001 From: Katos <7927609+katosdev@users.noreply.github.com> Date: Sun, 5 Jan 2025 15:34:24 +0000 Subject: [PATCH 10/24] Update Dockerfile.rootless --- Dockerfile.rootless | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile.rootless b/Dockerfile.rootless index d294b4f98..c61c94ac1 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless @@ -44,7 +44,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \ RUN chown -R nonroot:nonroot /go/bin/api /go/src/app # Production stage with distroless -FROM ghcr.io/distroless/base:latest +FROM gcr.io/distroless/base:latest ENV HBOX_MODE=production ENV HBOX_STORAGE_DATA=/data/ 
From 2e4a9675596ca7557ee3dcf9830e6104757bbb14 Mon Sep 17 00:00:00 2001 From: Katos <7927609+katosdev@users.noreply.github.com> Date: Sun, 5 Jan 2025 15:42:05 +0000 Subject: [PATCH 11/24] Update Dockerfile.rootless --- Dockerfile.rootless | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/Dockerfile.rootless b/Dockerfile.rootless index c61c94ac1..f4e1ef22c 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless @@ -44,16 +44,20 @@ RUN --mount=type=cache,target=/root/.cache/go-build \ RUN chown -R nonroot:nonroot /go/bin/api /go/src/app # Production stage with distroless -FROM gcr.io/distroless/base:latest +FROM ghcr.io/distroless/base:latest ENV HBOX_MODE=production ENV HBOX_STORAGE_DATA=/data/ ENV HBOX_STORAGE_SQLITE_URL=/data/homebox.db?_fk=1&_time_format=sqlite -# Copy the binary and data directory, change ownership +# Copy the binary and data directory COPY --from=builder /go/bin/api /app COPY --from=builder /data /data -# Add curl instead of wget from alpine + +# Copy curl and its dependencies from Alpine image into distroless +# Also copy the libraries that curl depends on (if required) +COPY --from=public.ecr.aws/docker/library/alpine:latest /lib/libssl.so.* /lib/ +# Copy curl from alpine to the distroless image COPY --from=public.ecr.aws/docker/library/alpine:latest /usr/bin/curl /usr/bin/curl LABEL Name=homebox Version=0.0.1 From 0e3c1db33489fb20a2f604892225eca876cc38cc Mon Sep 17 00:00:00 2001 From: Katos <7927609+katosdev@users.noreply.github.com> Date: Sun, 5 Jan 2025 15:43:44 +0000 Subject: [PATCH 12/24] Update Dockerfile.rootless --- Dockerfile.rootless | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile.rootless b/Dockerfile.rootless index f4e1ef22c..6ea7c7446 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless 
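Review bot: Copying `/lib/libssl.so.*` alone from Alpine into `gcr.io/distroless/base` does not make curl runnable: curl also links libcurl, libcrypto, zlib and others, Alpine's libraries are built against musl while distroless base is glibc-based, and, as noted on the earlier hunk, the alpine base image has no `/usr/bin/curl` to copy in the first place. The two new comments (`# Copy curl and its dependencies from Alpine image into distroless` and `# Copy curl from alpine to the distroless image`) restate the instructions; a single comment explaining why a probe binary is wanted in a distroless image would be more useful.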
@@ -44,7 +44,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \ RUN chown -R nonroot:nonroot /go/bin/api /go/src/app # Production stage with distroless -FROM ghcr.io/distroless/base:latest +FROM gcr.io/distroless/base:latest ENV HBOX_MODE=production ENV HBOX_STORAGE_DATA=/data/ From 966ae9062ef858126ce1152abd92aeeb5923de03 Mon Sep 17 00:00:00 2001 From: Katos <7927609+katosdev@users.noreply.github.com> Date: Sun, 5 Jan 2025 15:51:29 +0000 Subject: [PATCH 13/24] Adjust from Distroless to Alpine --- Dockerfile.rootless | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/Dockerfile.rootless b/Dockerfile.rootless index 6ea7c7446..200bb3d94 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless @@ -43,23 +43,20 @@ RUN --mount=type=cache,target=/root/.cache/go-build \ # Change ownership of files to nonroot RUN chown -R nonroot:nonroot /go/bin/api /go/src/app -# Production stage with distroless -FROM gcr.io/distroless/base:latest +# Production stage with Alpine +FROM public.ecr.aws/docker/library/alpine:latest ENV HBOX_MODE=production ENV HBOX_STORAGE_DATA=/data/ ENV HBOX_STORAGE_SQLITE_URL=/data/homebox.db?_fk=1&_time_format=sqlite +# Install necessary runtime dependencies +RUN apk --no-cache add ca-certificates wget curl + # Copy the binary and data directory COPY --from=builder /go/bin/api /app COPY --from=builder /data /data -# Copy curl and its dependencies from Alpine image into distroless -# Also copy the libraries that curl depends on (if required) -COPY --from=public.ecr.aws/docker/library/alpine:latest /lib/libssl.so.* /lib/ -# Copy curl from alpine to the distroless image -COPY --from=public.ecr.aws/docker/library/alpine:latest /usr/bin/curl /usr/bin/curl - LABEL Name=homebox Version=0.0.1 LABEL org.opencontainers.image.source="https://github.com/sysadminsmedia/homebox" EXPOSE 7745 From d1dff61bef1fbf82b2ccc3bef96153e9a47de77d Mon Sep 17 00:00:00 2001 
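Review bot: The new `RUN apk --no-cache add ca-certificates wget curl` installs both wget and curl although the HEALTHCHECK at this point only calls `/usr/bin/curl`, so one of the two is an unused network-capable tool in the production image. Busybox wget is already present on Alpine, so `RUN apk add --no-cache ca-certificates` plus a wget-based HEALTHCHECK needs no extra package at all. Package versions are unpinned (hadolint DL3018), which together with `alpine:latest` makes the runtime layer non-reproducible.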
From: Katos <7927609+katosdev@users.noreply.github.com> Date: Sun, 5 Jan 2025 15:53:44 +0000 Subject: [PATCH 14/24] They see my errors... they hatin' --- Dockerfile.rootless | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/Dockerfile.rootless b/Dockerfile.rootless index 200bb3d94..68b4123d6 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless @@ -1,13 +1,21 @@ # Node dependencies FROM public.ecr.aws/docker/library/node:18-alpine AS frontend-dependencies WORKDIR /app + +# Install bash and pnpm dependencies +RUN apk update && apk add --no-cache bash + +# Install pnpm globally RUN npm install -g pnpm + COPY frontend/package.json frontend/pnpm-lock.yaml ./ RUN pnpm install --frozen-lockfile --shamefully-hoist # Build Nuxt FROM public.ecr.aws/docker/library/node:18-alpine AS frontend-builder WORKDIR /app + +# Copy frontend and install node_modules from previous stage COPY frontend ./ COPY --from=frontend-dependencies /app/node_modules ./node_modules RUN pnpm build @@ -51,7 +59,7 @@ ENV HBOX_STORAGE_DATA=/data/ ENV HBOX_STORAGE_SQLITE_URL=/data/homebox.db?_fk=1&_time_format=sqlite # Install necessary runtime dependencies -RUN apk --no-cache add ca-certificates wget curl +RUN apk --no-cache add ca-certificates wget curl bash # Copy the binary and data directory COPY --from=builder /go/bin/api /app From 4b9bf95f206136c9139bf3ca95ee43c1ac3c50d2 Mon Sep 17 00:00:00 2001 From: Matt Kilgore Date: Sun, 5 Jan 2025 11:00:57 -0500 Subject: [PATCH 15/24] Fix missing pnpm --- Dockerfile.rootless | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Dockerfile.rootless b/Dockerfile.rootless index 68b4123d6..53452dba5 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless 
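Review bot: `RUN apk update && apk add --no-cache bash` in the frontend-dependencies stage and the `bash` appended to the runtime `apk add` line have no consumer visible in this Dockerfile — every RUN uses the default `/bin/sh`, npm and pnpm need no bash, and the runtime ENTRYPOINT is the Go binary — so this adds an interactive shell to the production image for nothing. `apk update` next to `--no-cache` is also contradictory: it writes an index under `/var/cache/apk` that the layer then keeps (hadolint DL3019). Suggest dropping the first RUN entirely and reverting the runtime line to `RUN apk --no-cache add ca-certificates wget curl`; if bash is needed by a script outside this file, a comment naming it would justify the install.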
@@ -15,6 +15,9 @@ RUN pnpm install --frozen-lockfile --shamefully-hoist FROM public.ecr.aws/docker/library/node:18-alpine AS frontend-builder WORKDIR /app +# Install pnpm globally +RUN npm install -g pnpm + # Copy frontend and install node_modules from previous stage COPY frontend ./ COPY --from=frontend-dependencies /app/node_modules ./node_modules From 5009879f9fde9f82351d476392a918336849c6db Mon Sep 17 00:00:00 2001 From: Matt Kilgore Date: Sun, 5 Jan 2025 11:06:02 -0500 Subject: [PATCH 16/24] Try this instead to fix rootless --- Dockerfile.rootless | 86 ++++++++++++++++++++++++--------------------- 1 file changed, 46 insertions(+), 40 deletions(-) diff --git a/Dockerfile.rootless b/Dockerfile.rootless index 53452dba5..caeabd474 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless 
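Review bot: `RUN npm install -g pnpm` installs whatever pnpm version npm resolves on the day of the build, and it is now done in two stages, so the version that ran `pnpm install --frozen-lockfile` and the one running `pnpm build` can differ and neither necessarily matches the one that produced `pnpm-lock.yaml`. Pin it in both places, `RUN npm install -g pnpm@<pinned-version>`, or, if package.json declares a `packageManager` field, use `corepack enable pnpm` so the recorded version is used.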
@@ -1,87 +1,93 @@ -# Node dependencies +# Node dependencies stage FROM public.ecr.aws/docker/library/node:18-alpine AS frontend-dependencies WORKDIR /app -# Install bash and pnpm dependencies -RUN apk update && apk add --no-cache bash - -# Install pnpm globally +# Install pnpm globally (caching layer) RUN npm install -g pnpm -COPY frontend/package.json frontend/pnpm-lock.yaml ./ +# Copy package.json and lockfile to leverage caching +COPY frontend/package.json frontend/pnpm-lock.yaml ./ RUN pnpm install --frozen-lockfile --shamefully-hoist -# Build Nuxt +# Build Nuxt (frontend) stage FROM public.ecr.aws/docker/library/node:18-alpine AS frontend-builder WORKDIR /app -# Install pnpm globally +# Install pnpm globally again (it can reuse the cache if not changed) RUN npm install -g pnpm -# Copy frontend and install node_modules from previous stage -COPY frontend ./ +# Copy over source files and node_modules from dependencies stage +COPY frontend . COPY --from=frontend-dependencies /app/node_modules ./node_modules RUN pnpm build -# Build Go dependencies +# Go dependencies stage FROM public.ecr.aws/docker/library/golang:alpine AS builder-dependencies WORKDIR /go/src/app -COPY ./backend/go.mod ./backend/go.sum ./ -RUN apk update && apk add --no-cache git \ - && go mod download -# Build API +# Copy go.mod and go.sum for better caching +COPY ./backend/go.mod ./backend/go.sum ./ +RUN go mod download + +# Build API stage FROM public.ecr.aws/docker/library/golang:alpine AS builder ARG BUILD_TIME ARG COMMIT ARG VERSION -RUN apk update && apk upgrade && apk add --no-cache git build-base gcc g++ \ - && addgroup -S nonroot && adduser -S nonroot -G nonroot +# Install necessary build tools +RUN apk update && \ + apk upgrade && \ + apk add --no-cache git build-base gcc g++ WORKDIR /go/src/app -COPY ./backend ./ + +# Copy Go modules (from dependencies stage) and source code +COPY --from=builder-dependencies /go/pkg/mod /go/pkg/mod +COPY ./backend . 
+ +# Clear old public files and copy new ones from frontend build RUN rm -rf ./app/api/public COPY --from=frontend-builder /app/.output/public ./app/api/static/public -COPY --from=builder-dependencies /go/pkg/mod /go/pkg/mod -# Use cache for Go build +# Use cache for Go build artifacts RUN --mount=type=cache,target=/root/.cache/go-build \ CGO_ENABLED=0 GOOS=linux go build \ -ldflags "-s -w -X main.commit=$COMMIT -X main.buildTime=$BUILD_TIME -X main.version=$VERSION" \ - -o /go/bin/api ./app/api/*.go - -# Change ownership of files to nonroot -RUN chown -R nonroot:nonroot /go/bin/api /go/src/app + -o /go/bin/api \ + -v ./app/api/*.go -# Production stage with Alpine +# Production stage FROM public.ecr.aws/docker/library/alpine:latest - ENV HBOX_MODE=production ENV HBOX_STORAGE_DATA=/data/ -ENV HBOX_STORAGE_SQLITE_URL=/data/homebox.db?_fk=1&_time_format=sqlite +ENV HBOX_STORAGE_SQLITE_URL=/data/homebox.db?_pragma=busy_timeout=2000&_pragma=journal_mode=WAL&_fk=1&_time_format=sqlite # Install necessary runtime dependencies -RUN apk --no-cache add ca-certificates wget curl bash +RUN apk --no-cache add ca-certificates wget +RUN addgroup -S nonroot && adduser -S nonroot -G nonroot -# Copy the binary and data directory +# Create application directory and copy over built Go binary +RUN mkdir /app COPY --from=builder /go/bin/api /app -COPY --from=builder /data /data +RUN chmod +x /app/api +# Labels and configuration for the final image LABEL Name=homebox Version=0.0.1 LABEL org.opencontainers.image.source="https://github.com/sysadminsmedia/homebox" + +# Expose necessary ports for Homebox EXPOSE 7745 +WORKDIR /app -# Update HEALTHCHECK to use curl -HEALTHCHECK --interval=30s \ - --timeout=5s \ - --start-period=5s \ - --retries=3 \ - CMD ["/usr/bin/curl", "--silent", "--fail", "http://localhost:7745/api/v1/status"] +# Healthcheck configuration +HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \ + CMD [ "wget", "--no-verbose", "--tries=1", "-O", "-", 
"http://localhost:7745/api/v1/status" ] -VOLUME ["/data"] +# Persist volume +VOLUME [ "/data" ] -# Use nonroot user +# Entrypoint and CMD USER nonroot -ENTRYPOINT ["/app"] -CMD ["/data/config.yml"] +ENTRYPOINT [ "/app/api" ] +CMD [ "/data/config.yml" ] From 0484bbb0c33b5890332be710808396b63dc309b1 Mon Sep 17 00:00:00 2001 From: Katos <7927609+katosdev@users.noreply.github.com> Date: Sun, 5 Jan 2025 16:32:08 +0000 Subject: [PATCH 17/24] Update Dockerfile.rootless --- Dockerfile.rootless | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Dockerfile.rootless b/Dockerfile.rootless index caeabd474..6a80addd5 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless @@ -72,6 +72,9 @@ RUN mkdir /app COPY --from=builder /go/bin/api /app RUN chmod +x /app/api +# Set ownership for required directories +RUN chown -R nonroot:nonroot /app /data /app/api + # Labels and configuration for the final image LABEL Name=homebox Version=0.0.1 LABEL org.opencontainers.image.source="https://github.com/sysadminsmedia/homebox" From 1f197f748a355a650fede97dda3eb7d7af81fcc1 Mon Sep 17 00:00:00 2001 From: Katos <7927609+katosdev@users.noreply.github.com> Date: Sun, 5 Jan 2025 16:40:17 +0000 Subject: [PATCH 18/24] CHOWN the required directories --- Dockerfile.rootless | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile.rootless b/Dockerfile.rootless index 6a80addd5..e20c5b972 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless @@ -72,9 +72,6 @@ RUN mkdir /app COPY --from=builder /go/bin/api /app RUN chmod +x /app/api -# Set ownership for required directories -RUN chown -R nonroot:nonroot /app /data /app/api - # Labels and configuration for the final image LABEL Name=homebox Version=0.0.1 LABEL org.opencontainers.image.source="https://github.com/sysadminsmedia/homebox" 
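Review bot: The production stage creates `nonroot` with `addgroup -S nonroot && adduser -S nonroot -G nonroot` and switches with `USER nonroot`, so the image's user is a name rather than a number; runtimes that enforce runAsNonRoot (Kubernetes rejects an image whose USER is non-numeric) cannot verify it, and the UID is whatever busybox allocates. Use fixed IDs: `RUN addgroup -S -g 10001 nonroot && adduser -S -u 10001 -G nonroot nonroot` and `USER 10001:10001`. Also in this hunk, the builder's `apk update && apk upgrade` is a blanket upgrade of the build image (hadolint DL3005) better expressed by pinning the `golang:alpine` tag, and the runtime `FROM ...alpine:latest` is unpinned. `RUN chmod +x /app/api` is redundant since `go build` already emits an executable.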
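Review bot: `RUN chown -R nonroot:nonroot /app /data /app/api` runs before anything creates `/data` in this stage — the `COPY --from=builder /data /data` line was removed in the previous patch and `VOLUME [ "/data" ]` comes later — so chown fails with a no-such-file error and the build stops. The directory has to exist first, `RUN mkdir -p /data && chown nonroot:nonroot /app /data`, and `/app/api` is already covered by the recursive chown of `/app`.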
@@ -90,6 +87,9 @@ HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \ # Persist volume VOLUME [ "/data" ] +# Set ownership for required directories +RUN chown -R nonroot:nonroot /app /data /app/api + # Entrypoint and CMD USER nonroot ENTRYPOINT [ "/app/api" ] From d84c45d3322dab95feb29503c61a3c7384982dec Mon Sep 17 00:00:00 2001 From: Katos <7927609+katosdev@users.noreply.github.com> Date: Sun, 5 Jan 2025 16:46:04 +0000 Subject: [PATCH 19/24] Fix ownership of directories --- Dockerfile.rootless | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/Dockerfile.rootless b/Dockerfile.rootless index e20c5b972..dda875722 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless @@ -6,7 +6,7 @@ WORKDIR /app RUN npm install -g pnpm # Copy package.json and lockfile to leverage caching -COPY frontend/package.json frontend/pnpm-lock.yaml ./ +COPY frontend/package.json frontend/pnpm-lock.yaml ./ RUN pnpm install --frozen-lockfile --shamefully-hoist # Build Nuxt (frontend) stage @@ -17,7 +17,7 @@ WORKDIR /app RUN npm install -g pnpm # Copy over source files and node_modules from dependencies stage -COPY frontend . +COPY frontend . COPY --from=frontend-dependencies /app/node_modules ./node_modules RUN pnpm build @@ -26,7 +26,7 @@ FROM public.ecr.aws/docker/library/golang:alpine AS builder-dependencies WORKDIR /go/src/app # Copy go.mod and go.sum for better caching -COPY ./backend/go.mod ./backend/go.sum ./ +COPY ./backend/go.mod ./backend/go.sum ./ RUN go mod download # Build API stage 
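Review bot: Moving the chown below `VOLUME [ "/data" ]` means the ownership change to `/data` is discarded: once a path is declared as a volume, later build-time changes to it are not kept in the image, so `/data` still ends up root-owned for the `nonroot` user that `HBOX_STORAGE_DATA=/data/` points at. Ownership and any seed content must be set before the VOLUME line; the chown reintroduced in patches 20 and 21 sits in the same post-VOLUME position and has the same problem.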
@@ -87,10 +87,7 @@ HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \ # Persist volume VOLUME [ "/data" ] -# Set ownership for required directories -RUN chown -R nonroot:nonroot /app /data /app/api - -# Entrypoint and CMD +# Set ownership for required directories at runtime (excluding /data) +ENTRYPOINT ["/bin/sh", "-c", "chown -R nonroot:nonroot /app /app/api && /app/api /data/config.yml"] USER nonroot -ENTRYPOINT [ "/app/api" ] -CMD [ "/data/config.yml" ] +CMD ["/data/config.yml"] From 1d62552046828ec1c979e47fdf7c5aa1df5ef952 Mon Sep 17 00:00:00 2001 From: Katos <7927609+katosdev@users.noreply.github.com> Date: Sun, 5 Jan 2025 17:01:42 +0000 Subject: [PATCH 20/24] Update Dockerfile.rootless --- Dockerfile.rootless | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/Dockerfile.rootless b/Dockerfile.rootless index dda875722..9a0966db7 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless @@ -6,7 +6,7 @@ WORKDIR /app RUN npm install -g pnpm # Copy package.json and lockfile to leverage caching -COPY frontend/package.json frontend/pnpm-lock.yaml ./ +COPY frontend/package.json frontend/pnpm-lock.yaml ./ RUN pnpm install --frozen-lockfile --shamefully-hoist # Build Nuxt (frontend) stage @@ -17,7 +17,7 @@ WORKDIR /app RUN npm install -g pnpm # Copy over source files and node_modules from dependencies stage -COPY frontend . +COPY frontend . COPY --from=frontend-dependencies /app/node_modules ./node_modules RUN pnpm build @@ -26,7 +26,7 @@ FROM public.ecr.aws/docker/library/golang:alpine AS builder-dependencies WORKDIR /go/src/app # Copy go.mod and go.sum for better caching -COPY ./backend/go.mod ./backend/go.sum ./ +COPY ./backend/go.mod ./backend/go.sum ./ RUN go mod download # Build API stage 
@@ -87,7 +87,10 @@ HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \ # Persist volume VOLUME [ "/data" ] -# Set ownership for required directories at runtime (excluding /data) -ENTRYPOINT ["/bin/sh", "-c", "chown -R nonroot:nonroot /app /app/api && /app/api /data/config.yml"] +# Set ownership for required directories +RUN chown -R nonroot:nonroot /app /app/api + +# Entrypoint and CMD USER nonroot -CMD ["/data/config.yml"] +ENTRYPOINT [ "/app/api" ] +CMD [ "/data/config.yml" ] From 14bb2de5840e7891d03023ae083aad64deaaaa2d Mon Sep 17 00:00:00 2001 From: Katos <7927609+katosdev@users.noreply.github.com> Date: Sun, 5 Jan 2025 17:15:01 +0000 Subject: [PATCH 21/24] CHOWN data file --- Dockerfile.rootless | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile.rootless b/Dockerfile.rootless index 9a0966db7..23d685560 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless @@ -88,7 +88,7 @@ HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \ VOLUME [ "/data" ] # Set ownership for required directories -RUN chown -R nonroot:nonroot /app /app/api +RUN chown -R nonroot:nonroot /app /app/api /data # Entrypoint and CMD USER nonroot From 6ad0c33340ec69344f58d620b1363ed1a90c6283 Mon Sep 17 00:00:00 2001 From: Katos <7927609+katosdev@users.noreply.github.com> Date: Sun, 5 Jan 2025 17:25:11 +0000 Subject: [PATCH 22/24] Attempt #182391239123 --- Dockerfile.rootless | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile.rootless b/Dockerfile.rootless index 23d685560..ec0dafa72 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless 
@@ -72,6 +72,9 @@ RUN mkdir /app COPY --from=builder /go/bin/api /app RUN chmod +x /app/api +# Create /data directory and set ownership for required directories +RUN mkdir /data && chown -R nonroot:nonroot /app /app/api /data + # Labels and configuration for the final image LABEL Name=homebox Version=0.0.1 LABEL org.opencontainers.image.source="https://github.com/sysadminsmedia/homebox" @@ -87,9 +90,6 @@ HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \ # Persist volume VOLUME [ "/data" ] -# Set ownership for required directories -RUN chown -R nonroot:nonroot /app /app/api /data - # Entrypoint and CMD USER nonroot ENTRYPOINT [ "/app/api" ] From ac4707398843d7cd82c862a592f4d73c326283a5 Mon Sep 17 00:00:00 2001 From: Matt Kilgore Date: Sun, 5 Jan 2025 12:48:00 -0500 Subject: [PATCH 23/24] Lets try this --- Dockerfile.rootless | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/Dockerfile.rootless b/Dockerfile.rootless index ec0dafa72..dcf6fc842 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless @@ -69,12 +69,10 @@ RUN addgroup -S nonroot && adduser -S nonroot -G nonroot # Create application directory and copy over built Go binary RUN mkdir /app -COPY --from=builder /go/bin/api /app +COPY --from=builder --chown=nonroot /go/bin/api /app +COPY --from=builder --chown=nonroot /data /data RUN chmod +x /app/api -# Create /data directory and set ownership for required directories -RUN mkdir /data && chown -R nonroot:nonroot /app /app/api /data - # Labels and configuration for the final image LABEL Name=homebox Version=0.0.1 LABEL org.opencontainers.image.source="https://github.com/sysadminsmedia/homebox" From c839e82b93c2f2ae6f51047eb76428ac1b311f10 Mon Sep 17 00:00:00 2001 From: Matt Kilgore Date: Sun, 5 Jan 2025 12:50:52 -0500 Subject: [PATCH 24/24] Need to make the directory from the builder --- Dockerfile.rootless | 2 ++ 1 file changed, 2 insertions(+) 
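Review bot: `--chown=nonroot` names only a user; per Docker's COPY documentation a username without a group makes the same numeric id the GID, so the copied files get GID equal to nonroot's UID rather than the `nonroot` group created by `addgroup -S`, and those two numbers are not guaranteed to coincide. Spell out both, `COPY --from=builder --chown=nonroot:nonroot /go/bin/api /app` and likewise for `/data`, so group ownership matches the process's primary group. The `RUN chmod +x /app/api` kept after it is redundant for a `go build` output.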
diff --git a/Dockerfile.rootless b/Dockerfile.rootless index dcf6fc842..866bf5602 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless @@ -57,6 +57,8 @@ RUN --mount=type=cache,target=/root/.cache/go-build \ -o /go/bin/api \ -v ./app/api/*.go +RUN mkdir /data + # Production stage FROM public.ecr.aws/docker/library/alpine:latest ENV HBOX_MODE=production
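Review bot: `RUN mkdir /data` in the builder stage exists only so the production stage can `COPY --chown` an empty directory out of it, which couples the two stages for no artifact; creating it in place before the `VOLUME` line does the same, `RUN mkdir -p /data && chown nonroot:nonroot /data`, unless the in-stage mkdir of patch 22 failed for a reason not visible here. Whichever form stays, a one-line comment on the new instruction saying why the directory is made in the builder would spare the next reader this history.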