Merge pull request #70 from axiom-data-science/add-arm64-build

Add arm64/v8 build, inherit from tomcat, upgrade to tomcat 10.1.16
axiom-data-science · Dec 1, 2023 · 4c4b510 · 4c4b510
2 parents 5710f21 + 90bf47d
commit 4c4b510
Show file tree

Hide file tree

Showing 3 changed files with 64 additions and 23 deletions.
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -19,12 +19,17 @@ jobs:
     timeout-minutes: 10
 
     strategy:
+      #NOTE: make sure to replicate this matrix config in the push job below
       matrix:
         include:
-          - tag: "jdk17-openjdk"
-            base: "unidata/tomcat-docker:10.1.0-jdk17-openjdk@sha256:8b595bcd8eee410e2d610829b5d4e312d51e3ea6c6bde952a5838845f67a4839"
-          - tag: "jdk17-temurin-focal"
-            base: "unidata/tomcat-docker:10.1.0-jdk17-temurin-focal@sha256:99c083fd17d1f8d6c85a0f771039ffb4d2430ff7fd6dabea8eb50f2731328af8"
+          #amd64
+          - platform: "linux/amd64"
+            tag: "jdk17-openjdk"
+            base: "tomcat:10.1.16-jdk17-temurin-jammy@sha256:5d06ae2052b1a4c636454e65360a712fd262eebf574f8a97f37c2580edce7d46"
+          #arm64/v8
+          - platform: "linux/arm64/v8"
+            tag: "jdk17-openjdk"
+            base: "tomcat:10.1.16-jdk17-temurin-jammy@sha256:7d930ac5ba9091aa12c1a42e3cc7c59c12c8d032e076c3713c10bb9b35227b5d"
 
     steps:
     - name: Checkout
@@ -51,17 +56,11 @@ jobs:
         restore-keys: |
           ${ CACHE_KEY }
 
-    - name: Login to Docker Hub
-      uses: docker/login-action@v1
-      continue-on-error: true
-      with:
-        username: ${{ secrets.DOCKER_USERNAME }}
-        password: ${{ secrets.DOCKER_PASSWORD }}
-
-    - name: Build and push
+    - name: Build image
       uses: docker/build-push-action@v2
       with:
         push: false
+        platforms: ${{ matrix.platform }}
         tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}
         build-args: |
@@ -71,9 +70,11 @@ jobs:
         outputs: type=docker
 
     - name: Run Docker Image in Background
+      if: matrix.platform == 'linux/amd64'
       run: docker run -d -p 8080:8080 ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
 
     - name: Check that ERDDAP Docker Image will return a 200
+      if: matrix.platform == 'linux/amd64'
       uses: ifaxity/wait-on-action@v1
       timeout-minutes: 1
       with:
@@ -89,10 +90,14 @@ jobs:
     strategy:
       matrix:
         include:
-          - tag: "jdk17-openjdk"
-            base: "unidata/tomcat-docker:10.1.0-jdk17-openjdk@sha256:8b595bcd8eee410e2d610829b5d4e312d51e3ea6c6bde952a5838845f67a4839"
-          - tag: "jdk17-temurin-focal"
-            base: "unidata/tomcat-docker:10.1.0-jdk17-temurin-focal@sha256:99c083fd17d1f8d6c85a0f771039ffb4d2430ff7fd6dabea8eb50f2731328af8"
+          #amd64
+          - platform: "linux/amd64"
+            tag: "jdk17-openjdk"
+            base: "tomcat:10.1.16-jdk17-temurin-jammy@sha256:5d06ae2052b1a4c636454e65360a712fd262eebf574f8a97f37c2580edce7d46"
+          #arm64/v8
+          - platform: "linux/arm64/v8"
+            tag: "jdk17-openjdk"
+            base: "tomcat:10.1.16-jdk17-temurin-jammy@sha256:7d930ac5ba9091aa12c1a42e3cc7c59c12c8d032e076c3713c10bb9b35227b5d"
 
     steps:
     - name: Checkout
@@ -129,6 +134,7 @@ jobs:
       uses: docker/build-push-action@v2
       with:
         push: true
+        platforms: ${{ matrix.platform }}
         tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}
         build-args: |

diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,43 @@
-ARG BASE_IMAGE=unidata/tomcat-docker:10.1.0-jdk17-openjdk@sha256:8b595bcd8eee410e2d610829b5d4e312d51e3ea6c6bde952a5838845f67a4839
+ARG BASE_IMAGE=tomcat:10.1.16-jdk17-temurin-jammy
+#referencing a specific image digest pins our unidata tomcat-docker image to platform amd64 (good)
+ARG UNIDATA_TOMCAT_IMAGE=unidata/tomcat-docker:10-jdk17@sha256:af7d3fecec753cbd438f25881deeaf48b40ac1f105971d6f300252e104e39fb2
+FROM ${UNIDATA_TOMCAT_IMAGE} as unidata-tomcat-image
 FROM ${BASE_IMAGE}
-LABEL maintainer="Kyle Wilcox <[email protected]>"
+
+#use approaches and hardened files from https://github.com/Unidata/tomcat-docker
+#note: we don't inherit directly from Unidata/tomcat-docker to allow more
+#flexibility in building images using different tomcat base images, architectures, etc
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends  \
+        gosu \
+        zip \
+        unzip \
+        && \
+    # Cleanup
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* && \
+    # Eliminate default web applications
+    rm -rf ${CATALINA_HOME}/webapps/* && \
+    rm -rf ${CATALINA_HOME}/webapps.dist && \
+    # Obscuring server info
+    cd ${CATALINA_HOME}/lib && \
+    mkdir -p org/apache/catalina/util/ && \
+    unzip -j catalina.jar org/apache/catalina/util/ServerInfo.properties \
+        -d org/apache/catalina/util/ && \
+    sed -i 's/server.info=.*/server.info=Apache Tomcat/g' \
+        org/apache/catalina/util/ServerInfo.properties && \
+    zip -ur catalina.jar \
+        org/apache/catalina/util/ServerInfo.properties && \
+    rm -rf org && cd ${CATALINA_HOME} && \
+    # Setting restrictive umask container-wide
+    echo "session optional pam_umask.so" >> /etc/pam.d/common-session && \
+    sed -i 's/UMASK.*022/UMASK           007/g' /etc/login.defs
+
+# Security enhanced web.xml
+COPY --from=unidata-tomcat-image ${CATALINA_HOME}/conf/web.xml ${CATALINA_HOME}/conf/
+
+# Security enhanced server.xml
+COPY --from=unidata-tomcat-image ${CATALINA_HOME}/conf/server.xml ${CATALINA_HOME}/conf/
 
 ARG ERDDAP_VERSION=2.23
 ARG ERDDAP_CONTENT_URL=https://github.com/BobSimons/erddap/releases/download/v$ERDDAP_VERSION/erddapContent.zip

diff --git a/README.md b/README.md
@@ -7,9 +7,7 @@ Most recent versions:
 * `axiom/docker-erddap:latest-jdk17-openjdk` (2.23)
 * `axiom/docker-erddap:2.23-jdk17-openjdk`
 
-See all versions available [here](https://hub.docker.com/r/axiom/docker-erddap/tags). As always, consult the [ERDDAP Changes](https://coastwatch.pfeg.noaa.gov/erddap/download/changes.html) documentation before upgrading your sever.
-
-The [upstream image](https://github.com/Unidata/tomcat-docker) this project uses replaces tagged images with new images periodically. Even for release tags. This repository will **not** back-port changes from the upstream image to existing tags and overwrite them. If you require features from a newer upstream image (for example - SHA512 password hashes) you will have to wait for the next ERDDAP release which will be built with the newest upstream image. You can also build this image yourself.
+See all versions available [here](https://hub.docker.com/r/axiom/docker-erddap/tags). As always, consult the [ERDDAP Changes](https://coastwatch.pfeg.noaa.gov/erddap/download/changes.html) documentation before upgrading your server.
 
 Use any of the `latest-*` images with caution as they follow the upstream image, and is not as thoroughly tested as tagged images.
 
@@ -44,11 +42,11 @@ later customization
 
 ### Tomcat
 
-See [these instructions for configuring Tomcat](https://github.com/unidata/tomcat-docker) from the Tomcat image this is built from (`unidata/tomcat-docker`).
+See [these instructions for configuring Tomcat](https://github.com/unidata/tomcat-docker) from the Tomcat image this image borrows from (`unidata/tomcat-docker`).
 
 ### CORS
 
-The [Tomcat Docker image](https://github.com/unidata/tomcat-docker) used by this image enables the
+The [Tomcat configuration](https://github.com/unidata/tomcat-docker) used by this image enables the
 [Apache Tomcat CORS filter](https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#CORS_Filter) by
 default. To disable it (maybe you want to handle CORS uniformly in a proxying webserver?), set environment
 variable `DISABLE_CORS` to `1`.