chore!: Change default Docker flavor to Alpine (#28042)

Co-authored-by: Guilherme Gazzo <[email protected]>
RocketChat · Oct 18, 2024 · 274a89b · 274a89b
1 parent e3dac4a
commit 274a89b
Show file tree

Hide file tree

Showing 7 changed files with 117 additions and 113 deletions.
diff --git a/.changeset/six-horses-sin.md b/.changeset/six-horses-sin.md
@@ -0,0 +1,8 @@
+---
+"@rocket.chat/meteor": patch
+---
+
+
+ Changes the default base Docker image to Alpine. Previously we were shipping Alpine as an alternative flavor under the tag rocketchat/rocket.chat:{release}.alpine , we have been testing this for a while now so we're migrating to use the official one to Alpine.
+
+We'll still ship a Debian variant under the tag rocketchat/rocket.chat:{release}.debian.
diff --git a/.github/actions/build-docker-image/action.yml b/.github/actions/build-docker-image/action.yml
@@ -51,7 +51,7 @@ runs:
         fi;
 
         DOCKERFILE_PATH="${DOCKER_PATH}/Dockerfile"
-        if [[ '${{ inputs.release }}' = 'alpine' ]]; then
+        if [[ '${{ inputs.release }}' = 'debian' ]]; then
           DOCKERFILE_PATH="${DOCKERFILE_PATH}.${{ inputs.release }}"
         fi;
 

diff --git a/.github/workflows/ci-test-e2e.yml b/.github/workflows/ci-test-e2e.yml
@@ -18,10 +18,10 @@ on:
       rc-docker-tag:
         required: true
         type: string
-      rc-dockerfile-alpine:
+      rc-dockerfile-debian:
         required: true
         type: string
-      rc-docker-tag-alpine:
+      rc-docker-tag-debian:
         required: true
         type: string
       gh-docker-tag:
@@ -83,16 +83,16 @@ jobs:
   test:
     runs-on: ubuntu-20.04
     env:
-      RC_DOCKERFILE: ${{ matrix.mongodb-version == '7.0' && inputs.rc-dockerfile-alpine || inputs.rc-dockerfile }}
-      RC_DOCKER_TAG: ${{ matrix.mongodb-version == '7.0' && inputs.rc-docker-tag-alpine || inputs.rc-docker-tag }}
+      RC_DOCKERFILE: ${{ matrix.mongodb-version == '7.0' && inputs.rc-dockerfile-debian || inputs.rc-dockerfile }}
+      RC_DOCKER_TAG: ${{ matrix.mongodb-version == '7.0' && inputs.rc-docker-tag-debian || inputs.rc-docker-tag }}
 
     strategy:
       fail-fast: false
       matrix:
         mongodb-version: ${{ fromJSON(inputs.mongodb-version) }}
         shard: ${{ fromJSON(inputs.shard) }}
 
-    name: MongoDB ${{ matrix.mongodb-version }}${{ inputs.db-watcher-disabled == 'true' && ' [no watchers]' || '' }} (${{ matrix.shard }}/${{ inputs.total-shard }})${{ matrix.mongodb-version == '7.0' && ' - Alpine' || '' }}
+    name: MongoDB ${{ matrix.mongodb-version }}${{ inputs.db-watcher-disabled == 'true' && ' [no watchers]' || '' }} (${{ matrix.shard }}/${{ inputs.total-shard }}) - ${{ matrix.mongodb-version == '7.0' && 'Debian' || 'Alpine (Official)' }}
 
     steps:
       - name: Collect Workflow Telemetry

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -32,8 +32,8 @@ jobs:
       lowercase-repo: ${{ steps.var.outputs.lowercase-repo }}
       rc-dockerfile: '${{ github.workspace }}/apps/meteor/.docker/Dockerfile'
       rc-docker-tag: '${{ steps.docker.outputs.gh-docker-tag }}.official'
-      rc-dockerfile-alpine: '${{ github.workspace }}/apps/meteor/.docker/Dockerfile.alpine'
-      rc-docker-tag-alpine: '${{ steps.docker.outputs.gh-docker-tag }}.alpine'
+      rc-dockerfile-debian: '${{ github.workspace }}/apps/meteor/.docker/Dockerfile.debian'
+      rc-docker-tag-debian: '${{ steps.docker.outputs.gh-docker-tag }}.debian'
       node-version: ${{ steps.var.outputs.node-version }}
       deno-version: ${{ steps.var.outputs.deno-version }}
       # this is 100% intentional, secrets are not available for forks, so ee-tests will always fail
@@ -327,15 +327,15 @@ jobs:
     runs-on: ubuntu-20.04
 
     env:
-      RC_DOCKERFILE: ${{ matrix.platform == 'alpine' && needs.release-versions.outputs.rc-dockerfile-alpine || needs.release-versions.outputs.rc-dockerfile }}
-      RC_DOCKER_TAG: ${{ matrix.platform == 'alpine' && needs.release-versions.outputs.rc-docker-tag-alpine || needs.release-versions.outputs.rc-docker-tag }}
+      RC_DOCKERFILE: ${{ matrix.platform == 'debian' && needs.release-versions.outputs.rc-dockerfile-debian || needs.release-versions.outputs.rc-dockerfile }}
+      RC_DOCKER_TAG: ${{ matrix.platform == 'debian' && needs.release-versions.outputs.rc-docker-tag-debian || needs.release-versions.outputs.rc-docker-tag }}
       DOCKER_TAG: ${{ needs.release-versions.outputs.gh-docker-tag }}
       LOWERCASE_REPOSITORY: ${{ needs.release-versions.outputs.lowercase-repo }}
 
     strategy:
       fail-fast: false
       matrix:
-        platform: ['official', 'alpine']
+        platform: ['official', 'debian']
 
     steps:
       - uses: actions/checkout@v4
@@ -349,7 +349,7 @@ jobs:
           node-version: ${{ needs.release-versions.outputs.node-version }}
           deno-version: ${{ needs.release-versions.outputs.deno-version }}
           platform: ${{ matrix.platform }}
-          build-containers: ${{ matrix.platform == 'alpine' && 'authorization-service account-service ddp-streamer-service presence-service stream-hub-service queue-worker-service omnichannel-transcript-service' || '' }}
+          build-containers: ${{ matrix.platform == 'debian' && 'authorization-service account-service ddp-streamer-service presence-service stream-hub-service queue-worker-service omnichannel-transcript-service' || '' }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Make sure matrix bindings load
@@ -363,15 +363,15 @@ jobs:
     runs-on: ubuntu-20.04
 
     env:
-      RC_DOCKERFILE: ${{ matrix.platform == 'alpine' && needs.release-versions.outputs.rc-dockerfile-alpine || needs.release-versions.outputs.rc-dockerfile }}
-      RC_DOCKER_TAG: ${{ matrix.platform == 'alpine' && needs.release-versions.outputs.rc-docker-tag-alpine || needs.release-versions.outputs.rc-docker-tag }}
+      RC_DOCKERFILE: ${{ matrix.platform == 'debian' && needs.release-versions.outputs.rc-dockerfile-debian || needs.release-versions.outputs.rc-dockerfile }}
+      RC_DOCKER_TAG: ${{ matrix.platform == 'debian' && needs.release-versions.outputs.rc-docker-tag-debian || needs.release-versions.outputs.rc-docker-tag }}
       DOCKER_TAG: ${{ needs.release-versions.outputs.gh-docker-tag }}
       LOWERCASE_REPOSITORY: ${{ needs.release-versions.outputs.lowercase-repo }}
 
     strategy:
       fail-fast: false
       matrix:
-        platform: ['official', 'alpine']
+        platform: ['official', 'debian']
 
     steps:
       - uses: actions/checkout@v4
@@ -383,7 +383,7 @@ jobs:
           node-version: ${{ needs.release-versions.outputs.node-version }}
           deno-version: ${{ needs.release-versions.outputs.deno-version }}
           platform: ${{ matrix.platform }}
-          build-containers: ${{ matrix.platform == 'alpine' && 'authorization-service account-service ddp-streamer-service presence-service stream-hub-service queue-worker-service omnichannel-transcript-service' || '' }}
+          build-containers: ${{ matrix.platform == 'debian' && 'authorization-service account-service ddp-streamer-service presence-service stream-hub-service queue-worker-service omnichannel-transcript-service' || '' }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Rename official Docker tag to GitHub Container Registry
@@ -429,8 +429,8 @@ jobs:
       lowercase-repo: ${{ needs.release-versions.outputs.lowercase-repo }}
       rc-dockerfile: ${{ needs.release-versions.outputs.rc-dockerfile }}
       rc-docker-tag: ${{ needs.release-versions.outputs.rc-docker-tag }}
-      rc-dockerfile-alpine: ${{ needs.release-versions.outputs.rc-dockerfile-alpine }}
-      rc-docker-tag-alpine: ${{ needs.release-versions.outputs.rc-docker-tag-alpine }}
+      rc-dockerfile-debian: ${{ needs.release-versions.outputs.rc-dockerfile-debian }}
+      rc-docker-tag-debian: ${{ needs.release-versions.outputs.rc-docker-tag-debian }}
       gh-docker-tag: ${{ needs.release-versions.outputs.gh-docker-tag }}
     secrets:
       CR_USER: ${{ secrets.CR_USER }}
@@ -453,8 +453,8 @@ jobs:
       lowercase-repo: ${{ needs.release-versions.outputs.lowercase-repo }}
       rc-dockerfile: ${{ needs.release-versions.outputs.rc-dockerfile }}
       rc-docker-tag: ${{ needs.release-versions.outputs.rc-docker-tag }}
-      rc-dockerfile-alpine: ${{ needs.release-versions.outputs.rc-dockerfile-alpine }}
-      rc-docker-tag-alpine: ${{ needs.release-versions.outputs.rc-docker-tag-alpine }}
+      rc-dockerfile-debian: ${{ needs.release-versions.outputs.rc-dockerfile-debian }}
+      rc-docker-tag-debian: ${{ needs.release-versions.outputs.rc-docker-tag-debian }}
       gh-docker-tag: ${{ needs.release-versions.outputs.gh-docker-tag }}
       retries: ${{ (github.event_name == 'release' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/master') && 2 || 0 }}
     secrets:
@@ -481,8 +481,8 @@ jobs:
       lowercase-repo: ${{ needs.release-versions.outputs.lowercase-repo }}
       rc-dockerfile: ${{ needs.release-versions.outputs.rc-dockerfile }}
       rc-docker-tag: ${{ needs.release-versions.outputs.rc-docker-tag }}
-      rc-dockerfile-alpine: ${{ needs.release-versions.outputs.rc-dockerfile-alpine }}
-      rc-docker-tag-alpine: ${{ needs.release-versions.outputs.rc-docker-tag-alpine }}
+      rc-dockerfile-debian: ${{ needs.release-versions.outputs.rc-dockerfile-debian }}
+      rc-docker-tag-debian: ${{ needs.release-versions.outputs.rc-docker-tag-debian }}
       gh-docker-tag: ${{ needs.release-versions.outputs.gh-docker-tag }}
     secrets:
       CR_USER: ${{ secrets.CR_USER }}
@@ -506,8 +506,8 @@ jobs:
       lowercase-repo: ${{ needs.release-versions.outputs.lowercase-repo }}
       rc-dockerfile: ${{ needs.release-versions.outputs.rc-dockerfile }}
       rc-docker-tag: ${{ needs.release-versions.outputs.rc-docker-tag }}
-      rc-dockerfile-alpine: ${{ needs.release-versions.outputs.rc-dockerfile-alpine }}
-      rc-docker-tag-alpine: ${{ needs.release-versions.outputs.rc-docker-tag-alpine }}
+      rc-dockerfile-debian: ${{ needs.release-versions.outputs.rc-dockerfile-debian }}
+      rc-docker-tag-debian: ${{ needs.release-versions.outputs.rc-docker-tag-debian }}
       gh-docker-tag: ${{ needs.release-versions.outputs.gh-docker-tag }}
       retries: ${{ (github.event_name == 'release' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/master') && 2 || 0 }}
     secrets:
@@ -537,8 +537,8 @@ jobs:
       lowercase-repo: ${{ needs.release-versions.outputs.lowercase-repo }}
       rc-dockerfile: ${{ needs.release-versions.outputs.rc-dockerfile }}
       rc-docker-tag: ${{ needs.release-versions.outputs.rc-docker-tag }}
-      rc-dockerfile-alpine: ${{ needs.release-versions.outputs.rc-dockerfile-alpine }}
-      rc-docker-tag-alpine: ${{ needs.release-versions.outputs.rc-docker-tag-alpine }}
+      rc-dockerfile-debian: ${{ needs.release-versions.outputs.rc-dockerfile-debian }}
+      rc-docker-tag-debian: ${{ needs.release-versions.outputs.rc-docker-tag-debian }}
       gh-docker-tag: ${{ needs.release-versions.outputs.gh-docker-tag }}
       retries: ${{ (github.event_name == 'release' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/master') && 2 || 0 }}
       db-watcher-disabled: 'true'
@@ -683,7 +683,7 @@ jobs:
     strategy:
       matrix:
         # this is currently a mix of variants and different images
-        release: ['official', 'preview', 'alpine']
+        release: ['official', 'preview', 'debian']
 
     env:
       IMAGE_NAME: 'rocketchat/rocket.chat'
@@ -729,7 +729,7 @@ jobs:
           DOCKER_TAG=$GITHUB_REF_NAME
 
           # append the variant name to docker tag
-          if [[ '${{ matrix.release }}' = 'alpine' ]]; then
+          if [[ '${{ matrix.release }}' = 'debian'] ]]; then
             DOCKER_TAG="${DOCKER_TAG}-${{ matrix.release }}"
           fi;
 
@@ -744,7 +744,7 @@ jobs:
           if [[ $GITHUB_REF == refs/tags/* ]]; then
             RELEASE="${{ needs.release-versions.outputs.release }}"
 
-            if [[ '${{ matrix.release }}' = 'alpine' ]]; then
+            if [[ '${{ matrix.release }}' = 'debian' ]]; then
               RELEASE="${RELEASE}-${{ matrix.release }}"
             fi;
 
@@ -769,7 +769,7 @@ jobs:
           TAG_SHA="${{ steps.gh-docker.outputs.gh-docker-tag-sha }}"
 
           # append the variant name to docker tag
-          if [[ '${{ matrix.release }}' = 'alpine' ]]; then
+          if [[ '${{ matrix.release }}' = 'debian'] ]]; then
             TAG_SHA="${TAG_SHA}-${{ matrix.release }}"
           fi;
 

diff --git a/apps/meteor/.docker/Dockerfile b/apps/meteor/.docker/Dockerfile
@@ -1,25 +1,14 @@
-ARG DENO_VERSION="1.37.1"
-
-FROM denoland/deno:bin-${DENO_VERSION} as deno
-
-FROM node:20.17.0-bullseye-slim
+FROM node:20.17.0-alpine3.20
 
 LABEL maintainer="[email protected]"
 
-# dependencies
-RUN groupadd -g 65533 -r rocketchat \
-    && useradd -u 65533 -r -g rocketchat rocketchat \
-    && mkdir -p /app/uploads \
-    && chown rocketchat:rocketchat /app/uploads \
-    && apt-get update \
-    && apt-get install -y --no-install-recommends fontconfig
+ENV LANG=C.UTF-8
 
-COPY --from=deno /deno /bin/deno
+RUN apk add --no-cache deno ttf-dejavu
 
-# --chown requires Docker 17.12 and works only on Linux
-ADD --chown=rocketchat:rocketchat . /app
+ADD . /app
 
-# needs a mongoinstance - defaults to container linking with alias 'mongo'
+# needs a mongo instance - defaults to container linking with alias 'mongo'
 ENV DEPLOY_METHOD=docker \
     NODE_ENV=production \
     MONGO_URL=mongodb://mongo:27017/rocketchat \
@@ -28,25 +17,24 @@ ENV DEPLOY_METHOD=docker \
     ROOT_URL=http://localhost:3000 \
     Accounts_AvatarStorePath=/app/uploads
 
-RUN aptMark="$(apt-mark showmanual)" \
-    && apt-get install -y --no-install-recommends g++ make python3 ca-certificates \
+RUN set -x \
+    && apk add --no-cache --virtual .fetch-deps python3 make g++ py3-setuptools libc6-compat \
     && cd /app/bundle/programs/server \
-    && npm install \
-    && cd npm/node_modules/isolated-vm \
-    && npm install \
-    && apt-mark auto '.*' > /dev/null \
-    && apt-mark manual $aptMark > /dev/null \
-    && find /usr/local -type f -executable -exec ldd '{}' ';' \
-    | awk '/=>/ { print $(NF-1) }' \
-    | sort -u \
-    | xargs -r dpkg-query --search \
-    | cut -d: -f1 \
-    | sort -u \
-    | xargs -r apt-mark manual \
-    && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
-    && npm cache clear --force
-
-USER rocketchat
+    && npm install --omit=dev --unsafe-perm \
+    # Start hack for sharp...
+    && rm -rf npm/node_modules/sharp \
+    && npm install [email protected] \
+    && mv node_modules/sharp npm/node_modules/sharp \
+    # End hack for sharp
+    # # Start hack for isolated-vm...
+    # && rm -rf npm/node_modules/isolated-vm \
+    # && npm install [email protected] \
+    # && mv node_modules/isolated-vm npm/node_modules/isolated-vm \
+    # # End hack for isolated-vm
+    && cd /app/bundle/programs/server/npm \
+    && npm rebuild bcrypt --build-from-source \
+    && npm cache clear --force \
+    && apk del .fetch-deps
 
 VOLUME /app/uploads
 

diff --git a/apps/meteor/.docker/Dockerfile.alpine b/apps/meteor/.docker/Dockerfile.alpine
diff --git a/apps/meteor/.docker/Dockerfile.debian b/apps/meteor/.docker/Dockerfile.debian
@@ -0,0 +1,57 @@
+ARG DENO_VERSION="1.37.1"
+
+FROM denoland/deno:bin-${DENO_VERSION} as deno
+
+FROM node:20.17.0-bullseye-slim
+
+LABEL maintainer="[email protected]"
+
+# dependencies
+RUN groupadd -g 65533 -r rocketchat \
+    && useradd -u 65533 -r -g rocketchat rocketchat \
+    && mkdir -p /app/uploads \
+    && chown rocketchat:rocketchat /app/uploads \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends fontconfig
+
+COPY --from=deno /deno /bin/deno
+
+# --chown requires Docker 17.12 and works only on Linux
+ADD --chown=rocketchat:rocketchat . /app
+
+# needs a mongoinstance - defaults to container linking with alias 'mongo'
+ENV DEPLOY_METHOD=docker \
+    NODE_ENV=production \
+    MONGO_URL=mongodb://mongo:27017/rocketchat \
+    HOME=/tmp \
+    PORT=3000 \
+    ROOT_URL=http://localhost:3000 \
+    Accounts_AvatarStorePath=/app/uploads
+
+RUN aptMark="$(apt-mark showmanual)" \
+    && apt-get install -y --no-install-recommends g++ make python3 ca-certificates \
+    && cd /app/bundle/programs/server \
+    && npm install \
+    && cd npm/node_modules/isolated-vm \
+    && npm install \
+    && apt-mark auto '.*' > /dev/null \
+    && apt-mark manual $aptMark > /dev/null \
+    && find /usr/local -type f -executable -exec ldd '{}' ';' \
+    | awk '/=>/ { print $(NF-1) }' \
+    | sort -u \
+    | xargs -r dpkg-query --search \
+    | cut -d: -f1 \
+    | sort -u \
+    | xargs -r apt-mark manual \
+    && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
+    && npm cache clear --force
+
+USER rocketchat
+
+VOLUME /app/uploads
+
+WORKDIR /app/bundle
+
+EXPOSE 3000
+
+CMD ["node", "main.js"]