mirror of https://github.com/coder/coder.git
fix: don't use adduser and addgroup for docker images (#3344)
* fix: don't use adduser and addgroup for docker images
* Revert "fix: Remove alternative image architectures until we virtualize (#3336)"
This reverts commit 00c5116a2e
.
parent
8f3727d05d
commit
66a5b0f7bc
|
@ -102,7 +102,7 @@ jobs:
|
|||
|
||||
# build and (maybe) push Docker images for each architecture
|
||||
images=()
|
||||
for arch in amd64; do
|
||||
for arch in amd64 armv7 arm64; do
|
||||
img="$(
|
||||
./scripts/build_docker.sh \
|
||||
${{ (!github.event.inputs.dry_run && !github.event.inputs.snapshot) && '--push' || '' }} \
|
||||
|
|
16
Dockerfile
16
Dockerfile
|
@ -1,4 +1,8 @@
|
|||
FROM alpine
|
||||
# This is the multi-arch Dockerfile used for Coder. Since it's multi-arch and
|
||||
# cross-compiled, it cannot have ANY "RUN" commands. All binaries are built
|
||||
# using the go toolchain on the host and then copied into the build context by
|
||||
# scripts/build_docker.sh.
|
||||
FROM alpine:latest
|
||||
|
||||
# LABEL doesn't add any real layers so it's fine (and easier) to do it here than
|
||||
# in the build script.
|
||||
|
@ -11,12 +15,12 @@ LABEL \
|
|||
org.opencontainers.image.version="$CODER_VERSION" \
|
||||
org.opencontainers.image.licenses="AGPL-3.0"
|
||||
|
||||
# Create coder group and user. We cannot use `addgroup` and `adduser` because
|
||||
# they won't work if we're building the image for a different architecture.
|
||||
COPY --chown=root:root --chmod=644 group passwd /etc/
|
||||
|
||||
# The coder binary is injected by scripts/build_docker.sh.
|
||||
ADD coder /opt/coder
|
||||
COPY --chown=coder:coder --chmod=755 coder /opt/coder
|
||||
|
||||
# Create coder group and user.
|
||||
RUN addgroup -g 1000 coder && \
|
||||
adduser -D -g "" -h /home/coder -G coder -u 1000 -S -s /bin/sh coder
|
||||
USER coder:coder
|
||||
|
||||
ENTRYPOINT [ "/opt/coder", "server" ]
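Review bot: The `COPY --chown=coder:coder --chmod=755 coder /opt/coder` line leaves the server binary owned by the same account the container runs as (`USER coder:coder`), so the running process has write permission on its own executable. Root ownership keeps it read-and-execute-only for the runtime user: `COPY --chown=root:root --chmod=755 coder /opt/coder`. Separately, `FROM alpine:latest` is a mutable tag. A version tag plus digest would make the base reproducible, and the same reference would then need to be used wherever the `group` and `passwd` files copied into `/etc/` are generated.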
|
||||
|
|
|
@ -95,14 +95,27 @@ ln -P Dockerfile "$temp_dir/"
|
|||
|
||||
cd "$temp_dir"
|
||||
|
||||
build_args=(
|
||||
--platform "$arch"
|
||||
--build-arg "CODER_VERSION=$version"
|
||||
--tag "$image_tag"
|
||||
)
|
||||
|
||||
log "--- Building Docker image for $arch ($image_tag)"
|
||||
docker buildx build "${build_args[@]}" . 1>&2
|
||||
|
||||
# Pull the base image, copy the /etc/group and /etc/passwd files out of it, and
|
||||
# add the coder group and user. We have to do this in a separate step instead of
|
||||
# using the RUN directive in the Dockerfile because you can't use RUN if you're
|
||||
# building the image for a different architecture than the host.
|
||||
docker pull --platform "$arch" alpine:latest 1>&2
|
||||
|
||||
temp_container_id="$(docker create --platform "$arch" alpine:latest)"
|
||||
docker cp "$temp_container_id":/etc/group ./group 1>&2
|
||||
docker cp "$temp_container_id":/etc/passwd ./passwd 1>&2
|
||||
docker rm "$temp_container_id" 1>&2
|
||||
|
||||
echo "coder:x:1000:coder" >>./group
|
||||
echo "coder:x:1000:1000::/:/bin/sh" >>./passwd
|
||||
|
||||
docker buildx build \
|
||||
--platform "$arch" \
|
||||
--build-arg "CODER_VERSION=$version" \
|
||||
--tag "$image_tag" \
|
||||
. 1>&2
|
||||
|
||||
cdroot
|
||||
rm -rf "$temp_dir"
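Review bot: The `group` and `passwd` files are extracted from whatever `alpine:latest` resolves to at `docker pull` time, while the Dockerfile's `FROM` resolves the tag again during `docker buildx build`, so the account files and the base layer can come from different images if the tag moves in between. Holding the base reference in one variable, ideally digest-pinned, and using it for the pull, the `docker create` and the build would close that gap. The appended entry `coder:x:1000:1000::/:/bin/sh` also sets the home directory to `/`, where the `adduser` line shown in the Dockerfile section used `/home/coder`. If that is intentional, a comment such as `# home is / on purpose: no RUN step can create /home/coder` would record it. Nothing checks that uid/gid 1000 or the name `coder` is absent from the copied files before appending, so a `grep -q` guard would catch a future base image that already defines them.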
|
||||
|
|