From e63e0b3105124bd8ec3028a39dc71c8d8ca103e3 Mon Sep 17 00:00:00 2001 From: Jean-Philippe Roemer Date: Fri, 2 Oct 2015 10:56:36 +0100 Subject: [PATCH] New approach to Gogs Docker Container MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - VOLUME for ‘/data’ - Usage of S6 as PID 1 Process - Usage of ‘socat’ so linked container (like databases) are binded to localhost - OpenSSH, Socat Link and Gogs are supervised using S6 - Size of container reduced to ~75Mo --- .dockerignore | 10 +++--- Dockerfile | 65 ++++++++++++------------------------- docker/build.sh | 17 ++++++++++ docker/s6/.s6-svscan/finish | 2 ++ docker/s6/gogs/run | 28 ++++++++++++++++ docker/s6/openssh/run | 15 +++++++++ docker/sshd_config | 17 ++++++++++ docker/start.sh | 51 ++++++----------------------- 8 files changed, 115 insertions(+), 90 deletions(-) create mode 100755 docker/build.sh create mode 100755 docker/s6/.s6-svscan/finish create mode 100755 docker/s6/gogs/run create mode 100755 docker/s6/openssh/run create mode 100644 docker/sshd_config
diff --git a/.dockerignore b/.dockerignore
index fe2ac6ec774..5139905d1b1 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,7 +1,7 @@
-.git/*
-conf/*
-packager/*
-scripts/*
+.git
+conf
+packager
+scripts
 *.yml
 *.md
 .bra.toml
@@ -9,4 +9,4 @@ scripts/*
 .gitignore
 .gopmfile
 config.codekit
-LICENSE
\ No newline at end of file
+LICENSE
diff --git a/Dockerfile b/Dockerfile
index 64433cb0528..453324a1dc6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,54 +1,31 @@ -FROM google/debian:wheezy -MAINTAINER u@gogs.io +FROM alpine:3.2 +MAINTAINER roemer.jp@gmail.com -RUN echo "deb http://ftp.debian.org/debian/ wheezy-backports main" >> /etc/apt/sources.list && \ - apt-get update -qqy && \ - apt-get install --no-install-recommends -qqy \ - curl build-essential ca-certificates git \ - openssh-server libpam-dev && \ - apt-get autoclean && \ - apt-get autoremove && \ - rm -rf /var/lib/apt/lists/* +# Install system utils & Gogs runtime dependencies +ADD https://github.com/tianon/gosu/releases/download/1.5/gosu-amd64 /usr/sbin/gosu +RUN echo "@edge http://dl-4.alpinelinux.org/alpine/edge/main" | tee -a /etc/apk/repositories \ + && echo "@community http://dl-4.alpinelinux.org/alpine/edge/community" | tee -a /etc/apk/repositories \ + && apk -U --no-progress upgrade \ + && apk -U --no-progress add ca-certificates git linux-pam s6@edge curl openssh socat \ + && chmod +x /usr/sbin/gosu -ENV GOROOT /goroot -ENV GOPATH /gopath -ENV PATH $PATH:$GOROOT/bin:$GOPATH/bin +# Configure SSH +COPY docker/sshd_config /etc/ssh/sshd_config -COPY . /gopath/src/github.com/gogits/gogs/ -WORKDIR /gopath/src/github.com/gogits/gogs/ - -# Build binary and clean up useless files -RUN mkdir /goroot && \ - curl https://storage.googleapis.com/golang/go1.5.linux-amd64.tar.gz | tar xzf - -C /goroot --strip-components=1 && \ - go get -v -tags "sqlite redis memcache cert pam" && \ - go build -tags "sqlite redis memcache cert pam" && \ - mkdir /app/ && \ - mv /gopath/src/github.com/gogits/gogs/ /app/gogs/ && \ - rm -r $GOROOT $GOPATH +# Configure Go and build Gogs +ENV GOPATH /tmp/go +ENV PATH $PATH:$GOPATH/bin +COPY . 
/app/gogs/ WORKDIR /app/gogs/ +RUN ./docker/build.sh -RUN useradd --shell /bin/bash --system --comment gogits git - -# SSH login fix, otherwise user is kicked off after login -RUN mkdir /var/run/sshd && \ - sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd && \ - sed 's@UsePrivilegeSeparation yes@UsePrivilegeSeparation no@' -i /etc/ssh/sshd_config && \ - echo "export VISIBLE=now" >> /etc/profile && \ - echo "PermitUserEnvironment yes" >> /etc/ssh/sshd_config - -# Setup server keys on startup -RUN sed 's@^HostKey@\#HostKey@' -i /etc/ssh/sshd_config && \ - echo "HostKey /data/ssh/ssh_host_key" >> /etc/ssh/sshd_config && \ - echo "HostKey /data/ssh/ssh_host_rsa_key" >> /etc/ssh/sshd_config && \ - echo "HostKey /data/ssh/ssh_host_dsa_key" >> /etc/ssh/sshd_config && \ - echo "HostKey /data/ssh/ssh_host_ecdsa_key" >> /etc/ssh/sshd_config && \ - echo "HostKey /data/ssh/ssh_host_ed25519_key" >> /etc/ssh/sshd_config - -# Prepare data ENV GOGS_CUSTOM /data/gogs + +# Create git user for Gogs +RUN adduser -D -g 'Gogs Git User' git -h /data/git/ -s /bin/sh && passwd -u git RUN echo "export GOGS_CUSTOM=/data/gogs" >> /etc/profile +VOLUME ["/data"] EXPOSE 22 3000 -ENTRYPOINT [] -CMD ["./docker/start.sh"] \ No newline at end of file +CMD ["./docker/start.sh"] diff --git a/docker/build.sh b/docker/build.sh new file mode 100755 index 00000000000..0616aa40f45 --- /dev/null +++ b/docker/build.sh @@ -0,0 +1,17 @@ +#!/bin/sh + +# Install build deps +apk -U --no-progress add linux-pam-dev go@community gcc musl-dev + +# Init go environment to build Gogs +mkdir -p ${GOPATH}/src/github.com/gogits/ +ln -s /app/gogs/ ${GOPATH}/src/github.com/gogits/gogs +cd ${GOPATH}/src/github.com/gogits/gogs +go get -v -tags "sqlite redis memcache cert pam" +go build -tags "sqlite redis memcache cert pam" + +# Cleanup GOPATH +rm -r $GOPATH + +# Remove build deps +apk --no-progress del linux-pam-dev go gcc musl-dev 
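Review bot: The gosu binary is fetched with a bare `ADD https://github.com/tianon/gosu/releases/download/1.5/gosu-amd64 /usr/sbin/gosu` and then used as the privilege-dropping wrapper for every service, yet nothing verifies it: a tampered download or mirror lands straight in `/usr/sbin` of the image. Fetch it inside the `RUN` step and check it against a pinned digest (or the `.asc` signature the project publishes) before `chmod +x`, e.g. `curl -fsSL -o /usr/sbin/gosu <url> && echo "<sha256>  /usr/sbin/gosu" | sha256sum -c -`. The same `RUN` installs `s6@edge` from Alpine's rolling edge repository on an alpine:3.2 base, so the package versions baked in are not reproducible between builds; pin them or stay on the 3.2 repositories. `adduser -D … git && passwd -u git` also needs a comment: if busybox's `passwd -u` merely strips the `!` lock and leaves an empty password field (worth confirming on this base), the git account becomes passwordless for `su`/`login` inside the container even though sshd has PasswordAuthentication off, whereas `echo 'git:*' | chpasswd -e` unlocks it for sshd without that side effect.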
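Review bot: build.sh has no `set -e`, so a failing `go get` or `go build` does not stop the script: it carries on to `rm -r $GOPATH` and the final `apk del`, whose exit status is what `RUN ./docker/build.sh` sees, and the image build succeeds without any `/app/gogs/gogs` binary. Add `set -eu` directly after the shebang so the build fails where the error happens. Note also that `go get -v -tags …` resolves every dependency from the network at build time with nothing pinning their versions, and `go@community` comes from Alpine edge, so two builds of the same commit can yield different binaries; if reproducibility matters, vendor the dependencies or pin the toolchain and package versions the build is expected to use.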
diff --git a/docker/s6/.s6-svscan/finish b/docker/s6/.s6-svscan/finish
new file mode 100755
index 00000000000..22665fa9bb0
--- /dev/null
+++ b/docker/s6/.s6-svscan/finish
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /bin/true
diff --git a/docker/s6/gogs/run b/docker/s6/gogs/run
new file mode 100755
index 00000000000..a7b4cc55ee4
--- /dev/null
+++ b/docker/s6/gogs/run
@@ -0,0 +1,28 @@
+#!/bin/sh
+USER=git
+USERNAME=$USER
+
+if ! test -d /data/gogs; then
+ mkdir -p /data/gogs/data /data/gogs/conf /data/gogs/log /data/git
+fi
+
+if ! test -d ~git/.ssh; then
+ mkdir ~git/.ssh
+ chmod 700 ~git/.ssh
+fi
+
+if ! test -f ~git/.ssh/environment; then
+ echo "GOGS_CUSTOM=/data/gogs" > ~git/.ssh/environment
+ chown git:git ~git/.ssh/environment
+ chown 600 ~git/.ssh/environment
+fi
+
+ln -sf /data/gogs/log /app/gogs/log
+ln -sf /data/gogs/data /app/gogs/data
+ln -sf /data/gogs/conf /app/gogs/conf
+
+chown -R git:git /data /app/gogs ~git/
+
+export USER
+export USERNAME
+exec gosu $USER /app/gogs/gogs web
diff --git a/docker/s6/openssh/run b/docker/s6/openssh/run
new file mode 100755
index 00000000000..891285764a6
--- /dev/null
+++ b/docker/s6/openssh/run
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+if ! test -d /data/ssh
+then
+ mkdir -p /data/ssh
+ ssh-keygen -q -f /data/ssh/ssh_host_key -N '' -t rsa1
+ ssh-keygen -q -f /data/ssh/ssh_host_rsa_key -N '' -t rsa
+ ssh-keygen -q -f /data/ssh/ssh_host_dsa_key -N '' -t dsa
+ ssh-keygen -q -f /data/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
+ ssh-keygen -q -f /data/ssh/ssh_host_ed25519_key -N '' -t ed25519
+ chown -R root:root /data/ssh/*
+ chmod 600 /data/ssh/*
+fi
+
+exec gosu root /usr/sbin/sshd -D -f /etc/ssh/sshd_config
diff --git a/docker/sshd_config b/docker/sshd_config
new file mode 100644
index 00000000000..9b62f1486aa
--- /dev/null
+++ b/docker/sshd_config
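Review bot: `chown -R git:git /data /app/gogs ~git/` near the end of gogs/run recurses into `/data/ssh`, which `docker/s6/openssh/run` populates with root-owned, mode 600 host private keys; once this runs they belong to the git user, i.e. the account Gogs runs under and every SSH client logs in as, so any code execution as git discloses the server's SSH host keys. Limit the chown to what Gogs actually needs, `chown -R git:git /data/gogs /data/git /app/gogs` (`~git` is `/data/git` per the adduser line in the Dockerfile), and since s6-svscan starts both services concurrently the order of the two scripts is not guaranteed either way, which is one more reason not to touch `/data/ssh` here. Separately, `chown 600 ~git/.ssh/environment` is a typo for `chmod 600`: as written it tries to hand the file to UID 600 and leaves its mode at the default.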
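Review bot: openssh/run generates an SSH-1 host key with `ssh-keygen … -t rsa1`, but `docker/sshd_config` sets `Protocol 2`, so that key is never offered; on newer OpenSSH releases that removed SSH-1 support the command simply fails, and because the script has no `set -e` the failure is silently skipped. The DSA key is fixed at 1024 bits and OpenSSH 7.0 already disables ssh-dss by default, so RSA plus ECDSA and Ed25519 is sufficient: drop the `rsa1` and `dsa` lines here together with the matching `HostKey` entries in sshd_config. `chmod 600 /data/ssh/*` also covers the `.pub` files, which is harmless but worth a one-line comment so it is not "fixed" back to a looser mode.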
@@ -0,0 +1,17 @@
+Port 22
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+Protocol 2
+LogLevel INFO
+HostKey /data/ssh/ssh_host_key
+HostKey /data/ssh/ssh_host_rsa_key
+HostKey /data/ssh/ssh_host_dsa_key
+HostKey /data/ssh/ssh_host_ecdsa_key
+HostKey /data/ssh/ssh_host_ed25519_key
+PermitRootLogin no
+AuthorizedKeysFile .ssh/authorized_keys
+PasswordAuthentication no
+UsePrivilegeSeparation no
+PermitUserEnvironment yes
+AllowUsers git
diff --git a/docker/start.sh b/docker/start.sh
index cea6e54e7d0..b560b2bc0a3 100755
--- a/docker/start.sh
+++ b/docker/start.sh
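Review bot: `UsePrivilegeSeparation no` switches off the unprivileged pre-authentication process, so a bug in sshd's network-facing parsing runs as root inside the container instead of in the sandbox; the old Debian image patched this in with sed, but nothing here says why it is still needed on Alpine, whose openssh package should ship the `sshd` user and `/var/empty` that privilege separation requires. Either remove the line and rely on the default, or keep it with a comment naming the concrete failure it works around, e.g. `# UsePrivilegeSeparation disabled because: <reason>`. `PermitUserEnvironment yes` exists only to deliver `GOGS_CUSTOM` through `~git/.ssh/environment`, but sshd_config(5) warns that it may let users bypass access restrictions via mechanisms such as LD_PRELOAD, since `environment=` options on authorized_keys entries are honoured too; if it has to stay, state that trade-off in a comment next to it. With `Protocol 2` the `HostKey /data/ssh/ssh_host_key` (SSH-1) line is dead configuration and can go, along with the DSA key.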
@@ -1,43 +1,12 @@ -#!/bin/bash - -# +#!/bin/sh -if ! test -d /data/gogs -then - mkdir -p /var/run/sshd - mkdir -p /data/gogs/data /data/gogs/conf /data/gogs/log /data/git -fi +# Bind linked docker container to localhost socket using socat +env | sed -En 's|(.*)_PORT_([0-9]*)_TCP=tcp://(.*):(.*)|\1_\2 socat -ls TCP4-LISTEN:\2,fork,reuseaddr TCP4:\3:\4|p' | \ +while read NAME CMD; do + mkdir -p /app/gogs/docker/s6/$NAME + echo -e "#!/bin/sh\nexec $CMD" > /app/gogs/docker/s6/$NAME/run + chmod +x /app/gogs/docker/s6/$NAME/run +done -if ! test -d /data/ssh -then - mkdir /data/ssh - ssh-keygen -q -f /data/ssh/ssh_host_key -N '' -t rsa1 - ssh-keygen -q -f /data/ssh/ssh_host_rsa_key -N '' -t rsa - ssh-keygen -q -f /data/ssh/ssh_host_dsa_key -N '' -t dsa - ssh-keygen -q -f /data/ssh/ssh_host_ecdsa_key -N '' -t ecdsa - ssh-keygen -q -f /data/ssh/ssh_host_ed25519_key -N '' -t ed25519 - chown -R root:root /data/ssh/* - chmod 600 /data/ssh/* -fi - -service ssh start - -ln -sf /data/gogs/log ./log -ln -sf /data/gogs/data ./data -ln -sf /data/git /home/git - - -if ! test -d ~git/.ssh -then - mkdir ~git/.ssh - chmod 700 ~git/.ssh -fi - -if ! test -f ~git/.ssh/environment -then - echo "GOGS_CUSTOM=/data/gogs" > ~git/.ssh/environment - chown git:git ~git/.ssh/environment - chown 600 ~git/.ssh/environment -fi - -chown -R git:git /data . -exec su git -c "./gogs web" +# Exec S6 as process manager for gogs and dropbear ssh +exec /usr/bin/s6-svscan /app/gogs/docker/s6/
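Review bot: The socat forwarders generated from the `*_PORT_*_TCP` variables do not bind to localhost, contrary to the commit message: `TCP4-LISTEN:\2,fork,reuseaddr` listens on every interface, so the linked database port is re-exported from this container to anything that can reach it on the Docker network. Add the bind option to the listen side, `TCP4-LISTEN:\2,bind=127.0.0.1,fork,reuseaddr`. The captured host and port are written unquoted into a run script that s6-svscan executes as root; they come from Docker link metadata rather than from end users, but the `(.*):(.*)` capture accepts anything, so a tighter pattern such as `([0-9.]+):([0-9]+)` keeps stray characters out of the generated script. The final comment mentions "dropbear ssh" while the supervised service is OpenSSH (`docker/s6/openssh/run`); correct it to `# Exec S6 as process manager for gogs, openssh and the socat links`.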