Dockerfile review after CI changes (#1624)

* Dockerfile review after CI changes Removing some unnecessary lines on the Docker file and making everything more explicit * fix the docker tagging to look more as we imagined * test different options for docker tags * use edge tag is used when not pushing a branch * fix condition for docker tag * assume prefix adds a `-` except for raw formt * Add some comments to the dockerfile * yet another try at fixing the tag when not in main * More tag experiments * explicitly set prefix for each tag * fix user creation in docker --------- Co-authored-by: William Freudenberger <[email protected]>
centrifuge · Nov 27, 2023 · 1e65036 · 1e65036
1 parent 2b28ef3
commit 1e65036
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 27 deletions.
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
@@ -49,14 +49,12 @@ jobs:
         uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 #v5
         with:
           images: centrifugeio/centrifuge-chain
-          flavor: |
-            suffix=-${{ env.NOW }}
-            prefix=${{ matrix.target == 'test' && 'test-' || 'latest=auto' }}
           tags: |
-            type=raw,event=branch,value={{branch}}-{{sha}}
-            type=semver,pattern={{raw}},suffix=,prefix=${{ matrix.target == 'test' && 'test-' || 'latest=auto' }}
-            type=semver,pattern={{major}},prefix=${{ matrix.target == 'test' && 'test-' || '' }},suffix=
-            type=edge
+            type=semver,pattern={{raw}},prefix=${{ matrix.target == 'test' && 'test-' || '' }}
+            type=edge,event=pr,suffix={{sha}}-${{ env.NOW }},prefix=${{ matrix.target == 'test' && 'test-' || '' }}
+            type=ref,event=tag,suffix={{sha}}-${{ env.NOW }},prefix=${{ matrix.target == 'test' && 'test-' || '' }}
+            type=ref,event=pr,suffix={{sha}}-${{ env.NOW }},prefix=${{ matrix.target == 'test' && 'test-' || '' }}
+            type=ref,event=branch,prefix=${{ matrix.target == 'test' && 'test-' || '' }}-{{branch}},suffix={{sha}}-${{ env.NOW }}
 
       - name: Configure GHA cache
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea #v6
@@ -72,7 +70,7 @@ jobs:
           file: ./docker/centrifuge-chain/Dockerfile
           build-args: |
             FEATURES=${{ matrix.target == 'test' && 'fast-runtime' || '' }}
-          push: ${{ github.event_name == 'pull_request' && false || true }}
+          push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           # Cache options:
           # https://docs.docker.com/build/ci/github-actions/cache/

diff --git a/docker/centrifuge-chain/Dockerfile b/docker/centrifuge-chain/Dockerfile
@@ -1,8 +1,6 @@
-# Based on
+# Inspired by
 # https://github.com/paritytech/polkadot-sdk/blob/master/docker/dockerfiles/polkadot/polkadot_injected_release.Dockerfile
 
-# ToDo: create a CI/builder image with preloaded tools
-# FROM --platform=linux/amd64 docker.io/library/ubuntu:22.04 as builder
 FROM --platform=linux/amd64 docker.io/library/rust:bookworm as builder
   # Defaults
 	ENV RUST_BACKTRACE 1
@@ -30,8 +28,6 @@ FROM --platform=linux/amd64 docker.io/library/rust:bookworm as builder
 	ARG RUSTC_WRAPPER=''
 	ARG SCCACHE_GHA_ENABLED="false"
 
-	RUN	rustup target add wasm32-unknown-unknown
-
 	COPY . centrifuge-chain
 	WORKDIR /centrifuge-chain
 	ARG FEATURES=""
@@ -40,7 +36,9 @@ FROM --platform=linux/amd64 docker.io/library/rust:bookworm as builder
 
 
 # ===== SECOND STAGE ======
-# ToDo: create a secure image as a base for the binary
+# IF we were to publish binaries that we can always trust we could skip the first part
+# and simply download the binaries here. Some short of hash or integrity check would need to
+# happen to make sure the binary is what we want.
 FROM --platform=linux/amd64 docker.io/library/ubuntu:jammy
 
 	LABEL io.centrifuge.image.authors="[email protected]" \
@@ -54,24 +52,29 @@ FROM --platform=linux/amd64 docker.io/library/ubuntu:jammy
 	# Add chain resources to image
 	COPY res /resources/
 
-	RUN useradd -m -u 1000 -U -s /bin/sh -d /centrifuge centrifuge && \
-			mkdir -p /data /centrifuge/.local/share && \
-			chown -R centrifuge:centrifuge /data && \
-			ln -s /data /centrifuge/.local/share/centrifuge
-
 	COPY --from=builder /centrifuge-chain/target/release/centrifuge-chain /usr/local/bin
-	# checks
-	RUN ldd /usr/local/bin/centrifuge-chain && \
-		/usr/local/bin/centrifuge-chain --version
 
 	RUN apt-get autoremove -y && apt-get clean && rm -rf /var/lib/apt/lists/* ;
-	RUN	mkdir -p /root/.local/share/centrifuge-chain && \
-		ln -s /root/.local/share/centrifuge-chain /data
-
-
-ENV RUST_BACKTRACE 1
+
+	# Because of the following, all data and config directories need to be owned by UID and GID 1000
+	RUN useradd -m -u 1000 -U -s /bin/sh -d /centrifuge centrifuge
+
+	RUN mkdir -p /data && \ 
+		chown -R centrifuge:centrifuge /data && \
+		chown -R centrifuge:centrifuge /resources && \
+		chown -R centrifuge:centrifuge /usr/local/bin/centrifuge-chain && \
+		chown -R centrifuge:centrifuge /centrifuge/
+
+# Running as an non-root is a good security practice
+# in some cases the container can be forced to run as root overriding the next line
+# but by default we want to enforce this.
 USER centrifuge
+# checks
+RUN ldd /usr/local/bin/centrifuge-chain && \
+	/usr/local/bin/centrifuge-chain --version
+ENV RUST_BACKTRACE 1
 EXPOSE 30333 9933 9944
 VOLUME ["/data"]
 
 ENTRYPOINT ["/usr/local/bin/centrifuge-chain"]
+CMD ["--help"]