From 177809ca5c55f6e5f1e7033ccfe26840675ba3f8 Mon Sep 17 00:00:00 2001
From: Dean Sheather
Date: Mon, 1 Aug 2022 17:53:39 +0000
Subject: [PATCH 1/4] fix: don't use adduser and addgroup for docker images
---
 Dockerfile | 16 ++++++++++------
 scripts/build_docker.sh | 27 ++++++++++++++++++++-------
 2 files changed, 30 insertions(+), 13 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 6dcdcc21205bf..b28d92b3cb1dd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,8 @@
-FROM alpine
+# This is the multi-arch Dockerfile used for Coder. Since it's multi-arch and
+# cross-compiled, it cannot have ANY "RUN" commands. All binaries are built
+# using the go toolchain on the host and then copied into the build context by
+# scripts/build_docker.sh.
+FROM alpine:latest
 
 # LABEL doesn't add any real layers so it's fine (and easier) to do it here than
 # in the build script.
@@ -11,12 +15,12 @@ LABEL \
 org.opencontainers.image.version="$CODER_VERSION" \
 org.opencontainers.image.licenses="AGPL-3.0"
 
+# Create coder group and user. We cannot use `addgroup` and `adduser` because
+# they won't work if we're building the image for a different architecture.
+COPY --chown=root:root --chmod=644 group passwd /etc/
+
 # The coder binary is injected by scripts/build_docker.sh.
-ADD coder /opt/coder
+COPY --chown=coder:coder --chmod=755 coder /opt/coder
 
-# Create coder group and user.
-RUN addgroup -g 1000 coder && \
- adduser -D -g "" -h /home/coder -G coder -u 1000 -S -s /bin/sh coder
 USER coder:coder
-
 ENTRYPOINT [ "/opt/coder", "server" ]
diff --git a/scripts/build_docker.sh b/scripts/build_docker.sh
index 3ac8c311dd347..38d8ef5eaeb49 100755
--- a/scripts/build_docker.sh
+++ b/scripts/build_docker.sh
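Review bot: `FROM alpine:latest` in the first hunk leaves the base unpinned, and because the `/etc/group` and `/etc/passwd` that the second hunk lays over the base's own copies are extracted by scripts/build_docker.sh from a separately resolved `alpine:latest`, the account database in the finished image can come from a different Alpine release than its base whenever the tag moves between the script's pull and the build. Pinning both through one value keeps them in lockstep and makes the image reproducible: `ARG BASE_IMAGE=alpine:<pinned-tag>@sha256:<digest>` before `FROM ${BASE_IMAGE}`, with the script passing the same value by `--build-arg` and using it for its `docker pull`/`docker create`. `COPY --chown=coder:coder --chmod=755 coder /opt/coder` can only resolve the `coder` name because the group/passwd COPY above it has already run, which is worth stating in place, e.g. `# must stay after the group/passwd COPY so --chown can resolve coder`, so a later reorder does not break the build. `COPY --chmod` is a BuildKit-only option, so a `# syntax=docker/dockerfile:1` directive at the top would document that requirement for anyone building outside buildx.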
@@ -95,14 +95,27 @@ ln -P Dockerfile "$temp_dir/"
 
 cd "$temp_dir"
 
-build_args=(
- --platform "$arch"
- --build-arg "CODER_VERSION=$version"
- --tag "$image_tag"
-)
-
 log "--- Building Docker image for $arch ($image_tag)"
-docker buildx build "${build_args[@]}" . 1>&2
+
+# Pull the base image, copy the /etc/group and /etc/passwd files out of it, and
+# add the coder group and user. We have to do this in a separate step instead of
+# using the RUN directive in the Dockerfile because you can't use RUN if you're
+# building the image for a different architecture than the host.
+docker pull --platform "$arch" alpine:latest
+
+temp_container_id="$(docker create --platform "$arch" alpine:latest)"
+docker cp "$temp_container_id":/etc/group ./group
+docker cp "$temp_container_id":/etc/passwd ./passwd
+docker rm "$temp_container_id"
+
+echo "coder:x:1000:coder" >> ./group
+echo "coder:x:1000:1000::/:/bin/sh" >> ./passwd
+
+docker buildx build \
+ --platform "$arch" \
+ --build-arg "CODER_VERSION=$version" \
+ --tag "$image_tag" \
+ . 1>&2
 
 cdroot
 rm -rf "$temp_dir"
From 84a989326c10f95c00dba881f8a60d06bdff939a Mon Sep 17 00:00:00 2001
From: Dean Sheather
Date: Mon, 1 Aug 2022 18:02:03 +0000
Subject: [PATCH 2/4] Revert "fix: Remove alternative image architectures until we virtualize (#3336)"
This reverts commit 00c5116a2e9c18f489cd876f7cd965686cbd759a.
---
 .github/workflows/release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 92d9b881a4bbe..c767cc908032e 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -102,7 +102,7 @@ jobs:
 
 # build and (maybe) push Docker images for each architecture
 images=()
-for arch in amd64; do
+for arch in amd64 armv7 arm64; do
 img="$(
 ./scripts/build_docker.sh \
 ${{ (!github.event.inputs.dry_run && !github.event.inputs.snapshot) && '--push' || '' }} \
From 020e8e6b5e29295b8e30e262d3c7b1da2aa793b8 Mon Sep 17 00:00:00 2001
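Review bot: The two `echo … >> ./group` / `>> ./passwd` appends never check whether the base image already defines a `coder` account or uid/gid 1000, so a base change would silently produce duplicate entries and `USER coder:coder` in the Dockerfile would resolve to whichever entry the libc finds first, whereas the removed `addgroup`/`adduser` calls refuse a name or id that is already taken. A one-line guard before the appends keeps that property: `grep -qE '^coder:|:1000:' ./group ./passwd && { log "coder or id 1000 already present in base image"; exit 1; }`. The new passwd entry also sets the home directory to `/` where the removed adduser used `/home/coder`; no directory can be created without RUN, so if that is deliberate a comment such as `# home is / because the Dockerfile cannot create /home/coder without RUN` would stop the next reader from "fixing" it. The `docker create`/`docker cp`/`docker rm` sequence leaks the temporary container when a `docker cp` fails part-way, which a removal in an EXIT trap (if the script does not already register one) avoids. Because the Dockerfile's `FROM alpine:latest` and this script's `docker pull alpine:latest` resolve the tag independently, and a buildx builder may not share the daemon's image store, the copied passwd/group can come from a different Alpine release than the one the image is built on; pinning both to one digest through a shared variable passed via `--build-arg` removes that drift.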
From: Dean Sheather
Date: Mon, 1 Aug 2022 18:05:16 +0000
Subject: [PATCH 3/4] fixup! Revert "fix: Remove alternative image architectures until we virtualize (#3336)"
---
 scripts/build_docker.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/scripts/build_docker.sh b/scripts/build_docker.sh
index 38d8ef5eaeb49..57f81af513dc6 100755
--- a/scripts/build_docker.sh
+++ b/scripts/build_docker.sh
@@ -101,12 +101,12 @@ log "--- Building Docker image for $arch ($image_tag)"
 # add the coder group and user. We have to do this in a separate step instead of
 # using the RUN directive in the Dockerfile because you can't use RUN if you're
 # building the image for a different architecture than the host.
-docker pull --platform "$arch" alpine:latest
+docker pull --platform "$arch" alpine:latest 1>&2
 
 temp_container_id="$(docker create --platform "$arch" alpine:latest)"
-docker cp "$temp_container_id":/etc/group ./group
-docker cp "$temp_container_id":/etc/passwd ./passwd
-docker rm "$temp_container_id"
+docker cp "$temp_container_id":/etc/group ./group 1>&2
+docker cp "$temp_container_id":/etc/passwd ./passwd 1>&2
+docker rm "$temp_container_id" 1>&2
 
 echo "coder:x:1000:coder" >> ./group
 echo "coder:x:1000:1000::/:/bin/sh" >> ./passwd
From ab4d58f5e542c6fb5f834dd85e5114260d41bc4b Mon Sep 17 00:00:00 2001
From: Dean Sheather
Date: Mon, 1 Aug 2022 18:52:51 +0000
Subject: [PATCH 4/4] fixup! Revert "fix: Remove alternative image architectures until we virtualize (#3336)"
---
 scripts/build_docker.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/build_docker.sh b/scripts/build_docker.sh
index 57f81af513dc6..de5c3c0dbdd48 100755
--- a/scripts/build_docker.sh
+++ b/scripts/build_docker.sh
@@ -108,8 +108,8 @@ docker cp "$temp_container_id":/etc/group ./group 1>&2
 docker cp "$temp_container_id":/etc/passwd ./passwd 1>&2
 docker rm "$temp_container_id" 1>&2
 
-echo "coder:x:1000:coder" >> ./group
-echo "coder:x:1000:1000::/:/bin/sh" >> ./passwd
+echo "coder:x:1000:coder" >>./group
+echo "coder:x:1000:1000::/:/bin/sh" >>./passwd
 
 docker buildx build \
 --platform "$arch" \