From 4f6855b7332c7f6cf471aa5a4c1bcea7a0b86aa1 Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Thu, 20 Jan 2022 11:43:13 +0100
Subject: [PATCH 1/5] Allow cross-platform build of the Docker image Also allows it to run as non-root and set the rageshake binary as the entrypoint rather than setting the command.
Signed-off-by: Quentin Gliech
---
 Dockerfile | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 093e8c5..ea66fa6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,18 +1,20 @@
-FROM golang:alpine as builder
-RUN apk add --update --no-cache git ca-certificates
+ARG GO_VERSION=1.17
+ARG DEBIAN_VERSION=11
+ARG DEBIAN_VERSION_NAME=bullseye
+
+# Build stage
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:${GO_VERSION}-${DEBIAN_VERSION_NAME} as builder
-RUN mkdir /build
 WORKDIR /build
-COPY go.mod .
-COPY go.sum .
+COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -ldflags '-extldflags "-static"' -o rageshake
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -o rageshake
-FROM scratch
+# Runtime stage
+FROM --platform=${TARGETPLATFORM} gcr.io/distroless/static-debian${DEBIAN_VERSION}:nonroot
 COPY --from=builder /build/rageshake /rageshake
-COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 WORKDIR /
 EXPOSE 9110
-CMD ["/rageshake"]
+ENTRYPOINT ["/rageshake"]
From b2db9ef0aa12d42bf1402f47e83092b31ba98c66 Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Thu, 20 Jan 2022 11:56:07 +0100
Subject: [PATCH 2/5] Build and push Docker image in GitHub Actions
---
 .github/workflows/docker.yaml | 73 +++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 .github/workflows/docker.yaml
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
new file mode 100644
index 0000000..e518ba4
--- /dev/null
+++ b/.github/workflows/docker.yaml
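Review bot: Both base images in the new FROM lines are referenced by floating tags (`golang:${GO_VERSION}-${DEBIAN_VERSION_NAME}` resolves to whatever 1.17-bullseye currently points at, and `static-debian11:nonroot` moves with every distroless release), so two builds of the same commit can yield different images and a retagged or compromised upstream image would be pulled without notice. Pinning by digest, e.g. `FROM --platform=${BUILDPLATFORM} docker.io/library/golang:${GO_VERSION}-${DEBIAN_VERSION_NAME}@sha256:<builder-digest> as builder` with a comment naming the tag the digest was taken from, makes the build reproducible and auditable, and a dependency bot can keep the digest current. The same applies to the `:debug-nonroot` and `:nonroot` FROM lines in the later debug-variant hunk. The `--platform=${TARGETPLATFORM}` on the runtime FROM also appears redundant — the final stage is already built for the target platform, and newer BuildKit build checks report it as a redundant target platform — whereas the `--platform=${BUILDPLATFORM}` on the builder is the one that enables cross-compilation.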
@@ -0,0 +1,73 @@
+name: Docker
+
+on:
+ push:
+ pull_request:
+ branches: [ master ]
+
+jobs:
+ build:
+ name: Build and push Docker image
+ runs-on: ubuntu-latest
+ env:
+ IMAGE: ghcr.io/${{ github.repository }}
+
+ permissions:
+ packages: write
+ contents: read
+
+ steps:
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@v3
+ with:
+ images: "${{ env.IMAGE }}"
+ bake-target: docker-metadata-action
+ tags: |
+ type=ref,event=branch
+ type=ref,event=pr
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}}
+ type=sha
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+ with:
+ config-inline: |
+ [registry."docker.io"]
+ mirrors = ["mirror.gcr.io"]
+
+ - name: Login to GitHub Container Registry
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@v1
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build
+ uses: docker/build-push-action@v2
+ if: github.event_name == 'pull_request'
+ with:
+ platforms: |
+ linux/amd64
+ linux/arm64
+ linux/arm
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=registry,ref=${{ env.IMAGE }}:buildcache
+
+ - name: Build and push
+ uses: docker/build-push-action@v2
+ if: github.event_name != 'pull_request'
+ with:
+ platforms: |
+ linux/amd64
+ linux/arm64
+ linux/arm
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ push: true
+ cache-from: type=registry,ref=${{ env.IMAGE }}:buildcache
+ cache-to: type=registry,ref=${{ env.IMAGE }}:buildcache,mode=max
From cc70dba38fb56a10e2d21374accf76d857de11c7 Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Thu, 20 Jan 2022 12:30:51 +0100
Subject: [PATCH 3/5] Newsfile.
Signed-off-by: Quentin Gliech
---
 changelog.d/47.misc | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/47.misc
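Review bot: Every third-party action in this workflow is pinned to a mutable major tag (`docker/metadata-action@v3`, `docker/setup-buildx-action@v1`, `docker/login-action@v1`, `docker/build-push-action@v2`), and the job that runs them holds `packages: write` together with `secrets.GITHUB_TOKEN`, so a retagged release in any of those repositories would run with push rights to ghcr.io. Pin each `uses:` to a full commit SHA with the version kept in a trailing comment, e.g. `uses: docker/login-action@<commit-sha> # v1`, and do the same for the `actions/checkout@v2` added in a later hunk. Separately, `on: push:` carries no branch or tag filter, so `type=ref,event=branch` publishes an image for every branch pushed to the repository; if only release branches are meant to be published, add `branches:`/`tags:` filters under `push:` or gate the push step on the ref. The `mirrors = ["mirror.gcr.io"]` entry routes the unpinned docker.io pulls through a third-party mirror, which is one more reason to pin the builder image by digest in the Dockerfile.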
diff --git a/changelog.d/47.misc b/changelog.d/47.misc
new file mode 100644
index 0000000..7000960
--- /dev/null
+++ b/changelog.d/47.misc
@@ -0,0 +1 @@
+Build and push a multi-arch Docker image on the GitHub Container Registry.
From ec204d164af73361df0a46bd972d4bdc9c748297 Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Fri, 21 Jan 2022 11:20:13 +0100
Subject: [PATCH 4/5] Build and push a debug variant of the image
---
 .github/workflows/docker.yaml | 49 +++++++++++++++++++++--------------
 Dockerfile | 15 +++++++----
 docker-bake.hcl | 25 ++++++++++++++++++
 3 files changed, 65 insertions(+), 24 deletions(-)
 create mode 100644 docker-bake.hcl
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index e518ba4..07d12bf 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -17,6 +17,9 @@ jobs: contents: read steps: + - name: Checkout the code + uses: actions/checkout@v2 + + - name: Docker meta id: meta uses: docker/metadata-action@v3
@@ -25,12 +28,28 @@ jobs: bake-target: docker-metadata-action tags: | type=ref,event=branch - type=ref,event=pr type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} type=sha + + - name: Docker meta (debug variant) + id: meta-debug + uses: docker/metadata-action@v3 + with: + images: "${{ env.IMAGE }}" + bake-target: docker-metadata-action-debug + tags: | + type=ref,event=branch,suffix=-debug + type=semver,pattern={{version}},suffix=-debug + type=semver,pattern={{major}}.{{minor}},suffix=-debug + type=semver,pattern={{major}},suffix=-debug + type=sha,suffix=-debug + + - name: Merge buildx bake files + run: | + jq -s '.[0] * .[1]' ${{ steps.meta.outputs.bake-file }} ${{ steps.meta-debug.outputs.bake-file }} > docker-bake.override.json + - name: Set up Docker Buildx uses: docker/setup-buildx-action@v1 with:
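Review bot: The `jq -s '.[0] * .[1]'` step writes `docker-bake.override.json` into the checkout and no later step in the visible hunks references that file; it only has an effect because `docker buildx bake` loads `docker-bake.override.json` implicitly alongside `docker-bake.hcl`, which a reader of this step cannot see. A comment on the step would spare the next maintainer a search, e.g. `# buildx bake picks up docker-bake.override.json implicitly, merging the two metadata-action targets into docker-bake.hcl`. The recursive merge also relies on the two generated bake files defining disjoint targets (`docker-metadata-action` and `docker-metadata-action-debug`), so any rename of the `bake-target:` inputs must be mirrored in docker-bake.hcl. The enclosing `steps:` list starts before this hunk.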
@@ -46,28 +65,20 @@ jobs: username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} + # For pull-requests, only read from the cache, do not try to push to the + # cache or the image itself - name: Build - uses: docker/build-push-action@v2 + uses: docker/bake-action@v1 if: github.event_name == 'pull_request' with: - platforms: | - linux/amd64 - linux/arm64 - linux/arm - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=registry,ref=${{ env.IMAGE }}:buildcache + set: | + base.cache-from=type=registry,ref=${{ env.IMAGE }}:buildcache - name: Build and push - uses: docker/build-push-action@v2 + uses: docker/bake-action@v1 if: github.event_name != 'pull_request' with: - platforms: | - linux/amd64 - linux/arm64 - linux/arm - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - push: true - cache-from: type=registry,ref=${{ env.IMAGE }}:buildcache - cache-to: type=registry,ref=${{ env.IMAGE }}:buildcache,mode=max + set: | + base.output=type=image,push=true + base.cache-from=type=registry,ref=${{ env.IMAGE }}:buildcache + base.cache-to=type=registry,ref=${{ env.IMAGE }}:buildcache,mode=max
diff --git a/Dockerfile b/Dockerfile
index ea66fa6..6c9966e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,8 +2,8 @@ ARG GO_VERSION=1.17
 ARG DEBIAN_VERSION=11
 ARG DEBIAN_VERSION_NAME=bullseye
-# Build stage
-FROM --platform=${BUILDPLATFORM} docker.io/library/golang:${GO_VERSION}-${DEBIAN_VERSION_NAME} as builder
+## Build stage ##
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:${GO_VERSION}-${DEBIAN_VERSION_NAME} AS builder
 WORKDIR /build
 COPY go.mod go.sum ./
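Review bot: The `set:` overrides address only `base` (`base.output=…`, `base.cache-from=…`, `base.cache-to=…`), which reaches the `regular` and `debug` images solely because both inherit from `base` in the new docker-bake.hcl; that coupling is invisible from the workflow. A short comment above each `set:` block, e.g. `# "base" is the parent of both the regular and debug targets in docker-bake.hcl, so these overrides apply to both images`, would document it. With `base.output=type=image,push=true` the `-debug` variant, whose distroless base carries a shell, is pushed to the same repository as the hardened image on every non-PR run; if that is intended it is worth stating in the commit message or the bake file. The `jobs:` block this hunk edits starts before the hunk.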
@@ -12,9 +12,14 @@ RUN go mod download
 COPY . .
 RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -o rageshake
-# Runtime stage
-FROM --platform=${TARGETPLATFORM} gcr.io/distroless/static-debian${DEBIAN_VERSION}:nonroot
+## Runtime stage, debug variant ##
+FROM --platform=${TARGETPLATFORM} gcr.io/distroless/static-debian${DEBIAN_VERSION}:debug-nonroot AS debug
+COPY --from=builder /build/rageshake /rageshake
+EXPOSE 9110
+ENTRYPOINT ["/rageshake"]
+
+## Runtime stage ##
+FROM --platform=${TARGETPLATFORM} gcr.io/distroless/static-debian${DEBIAN_VERSION}:nonroot
 COPY --from=builder /build/rageshake /rageshake
-WORKDIR /
 EXPOSE 9110
 ENTRYPOINT ["/rageshake"]
diff --git a/docker-bake.hcl b/docker-bake.hcl
new file mode 100644
index 0000000..97acacd
--- /dev/null
+++ b/docker-bake.hcl
@@ -0,0 +1,25 @@
+// This is what is baked by GitHub Actions
+group "default" { targets = ["regular", "debug"] }
+
+// Targets filled by GitHub Actions: one for the regular tag, one for the debug tag
+target "docker-metadata-action" {}
+target "docker-metadata-action-debug" {}
+
+// This sets the platforms and is further extended by GitHub Actions to set the
+// output and the cache locations
+target "base" {
+ platforms = [
+ "linux/amd64",
+ "linux/arm64",
+ "linux/arm",
+ ]
+}
+
+target "regular" {
+ inherits = ["base", "docker-metadata-action"]
+}
+
+target "debug" {
+ inherits = ["base", "docker-metadata-action-debug"]
+ target = "debug"
+}
From ab3c3d8e460e3d34e4bd53d813b8990abc260516 Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Fri, 21 Jan 2022 11:33:35 +0100
Subject: [PATCH 5/5] Set the workdir back to / in Docker image
---
 Dockerfile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 6c9966e..4811623 100644
--- a/Dockerfile
+++ b/Dockerfile
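Review bot: The new `debug` stage is built on `static-debian${DEBIAN_VERSION}:debug-nonroot`, the distroless variant that ships a busybox shell, and it is published under the release tags with a `-debug` suffix; the Dockerfile says nothing about that difference, so an operator can deploy the `-debug` tag without realising it carries an interactive shell the hardened image deliberately omits. A comment on the stage, e.g. `# :debug-nonroot adds a busybox shell for troubleshooting; not intended for production deployments`, would make the trade-off explicit. Stylistically the two runtime stages duplicate the `COPY`/`EXPOSE`/`ENTRYPOINT` block; a single stage reading `ARG DISTROLESS_TAG=nonroot` (declared before the FROM lines) and `FROM … static-debian${DEBIAN_VERSION}:${DISTROLESS_TAG}` would remove the duplication, with the bake `debug` target passing `args = { DISTROLESS_TAG = "debug-nonroot" }` instead of `target = "debug"`. Failing that, naming the final stage (`AS runtime`) would let the bake file reference both images by stage name rather than relying on the unnamed last stage.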
@@ -15,11 +15,13 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -o rageshake
 ## Runtime stage, debug variant ##
 FROM --platform=${TARGETPLATFORM} gcr.io/distroless/static-debian${DEBIAN_VERSION}:debug-nonroot AS debug
 COPY --from=builder /build/rageshake /rageshake
+WORKDIR /
 EXPOSE 9110
 ENTRYPOINT ["/rageshake"]
 ## Runtime stage ##
 FROM --platform=${TARGETPLATFORM} gcr.io/distroless/static-debian${DEBIAN_VERSION}:nonroot
 COPY --from=builder /build/rageshake /rageshake
+WORKDIR /
 EXPOSE 9110
 ENTRYPOINT ["/rageshake"]
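Review bot: `WORKDIR /` is restored in both runtime stages without a comment saying why, and the commit title only says it is set "back", so the next reader cannot tell whether it is cosmetic or whether `/rageshake` resolves some path relative to the working directory. Presumably the binary does read or write something relative to its cwd (it ran from `/` in the earlier scratch-based image) — worth confirming and stating next to the instruction, e.g. `# Run from / so paths rageshake resolves relative to cwd (and any volume mounted there) behave as in earlier images`. Note that in the stock distroless `nonroot` images `/` is root-owned, so anything the process needs to write under the working directory must come from a mounted, writable volume rather than from the image itself.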