Author:
Hash:
Timestamp:
+19 -22 +/-2 browse
Kevin Schoon [me@kevinschoon.com]
ad94559aa3fb7b94196d5a48ee9012d0cc781222
Sun, 27 Jul 2025 10:04:21 +0000 (3 months ago)
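diff --git a/containers/ayllu/Containerfile b/containers/ayllu/Containerfile
index f725572..00c74b8 100644
--- a/containers/ayllu/Containerfile
+++ b/containers/ayllu/Containerfile
@@ -44,8 +44,8 @@ RUN cd tree-sitter-diff-* && abuild-tree-sitter build \
 COPY ayllu /src/ayllu
 # COPY ayllu-mail /src/ayllu-mail
 # COPY ayllu-jobs /src/ayllu-jobs
-# COPY ayllu-shell /src/ayllu-shell
-# COPY ayllu-keys /src/ayllu-keys
+COPY ayllu-shell /src/ayllu-shell
+COPY ayllu-keys /src/ayllu-keys
 COPY contrib /src/contrib
 COPY crates /src/crates
 COPY quipu /src/quipu
@@ -69,10 +69,15 @@ RUN $CARGO_CACHE_OFFLINE \
 cargo build \
 --color=never --locked --frozen --offline --release --package ayllu
 
-# build the ayllu binary
-# RUN $CARGO_CACHE_OFFLINE \
-# cargo build \
-# --color=never --locked --frozen --offline --release --package ayllu-shell
+# build the ayllu-keys binary
+RUN $CARGO_CACHE_OFFLINE \
+cargo build \
+--color=never --locked --frozen --offline --release --package ayllu-keys
+
+# build the ayllu-shell binary
+RUN $CARGO_CACHE_OFFLINE \
+cargo build \
+--color=never --locked --frozen --offline --release --package ayllu-shell
 #
 # # build the ayllu-jobs binary
 # RUN $CARGO_CACHE_OFFLINE \
@@ -86,8 +91,7 @@ RUN $CARGO_CACHE_OFFLINE \
 
 FROM $ALPINE_BASE_IMAGE
 
-RUN apk add \
-fontconfig font-misc-misc git git-daemon libgit2-dev \
+RUN apk add git git-daemon libgit2-dev \
 tree-sitter-grammars # all of the syntax highlighting available in alpine
 
 # FIXME: Due to a bug in tree-sitter-cpp we have to remove this parser
@@ -107,9 +111,9 @@ RUN \
 # COPY --from=build --chown=0:0 /src/rudolfs /usr/bin/
 COPY --from=build --chown=0:0 /src/target/release/ayllu /usr/bin/
 # COPY --from=build --chown=0:0 /src/target/release/ayllu-jobs /usr/bin/
-# COPY --from=build --chown=0:0 /src/target/release/ayllu-shell /usr/bin/
+COPY --from=build --chown=0:0 /src/target/release/ayllu-shell /usr/bin/
+COPY --from=build --chown=0:0 /src/target/release/ayllu-keys /usr/bin/
 COPY --from=build --chown=0:0 /src/target/release/quipu /usr/bin/
-COPY --from=build --chown=0:0 /src/ayllu/themes /usr/lib/ayllu/themes
 # COPY --from=build --chown=0:0 /src/migrations /usr/lib/ayllu/migrations
 COPY --from=build --chown=0:0 /src/LICENSE /usr/share/licenses/ayllu/
 COPY --from=build --chown=0:0 /src/ATTRIBUTIONS.md /usr/share/licenses/ayllu/
@@ -117,25 +121,18 @@ COPY --from=build --chown=0:0 /src/ATTRIBUTIONS.md /usr/share/licenses/ayllu/
 
 # this container supports running Ayllu as root and non-root depending on the
 # desired runtime security and required UID/GID mapping.
-RUN adduser -D -s /bin/sh -h /home/ayllu ayllu
+RUN adduser -D -s /usr/bin/ayllu-shell -h /var/lib/ayllu ayllu
 
 RUN \
 mkdir -p /etc/ayllu /var/lib/ayllu /var/lib/git && \
 ayllu config generate > /etc/ayllu/config.toml && \
-ayllu config set "http.address" "'0.0.0.0:10000'" && \
-fc-cache -fv # update font cache which is required by plotters.rs
+ayllu config set "http.address" "'0.0.0.0:10000'"
 
 # setup an unprivileged user for rudolfs
 # RUN adduser -D -s /bin/sh -h /home/rudolfs rudolfs
 
 # default to the non-root ayllu user
 USER ayllu
-WORKDIR /home/ayllu
-
-# NOTE: this explicitly ignores CVE 2022-24765 because this is not a multi-user
-# git environment.
-RUN \
-git config --global --add user.name 'ayllu' && \
-git config --global --add safe.directory '*'
+WORKDIR /var/lib/ayllu
 
 CMD ["/usr/bin/ayllu", "serve"]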
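Review bot: Dropping the `git config --global --add safe.directory '*'` override in the last hunk means git run as the `ayllu` user will now refuse any repository under `/var/lib/git` that it does not own, yet the `mkdir -p /etc/ayllu /var/lib/ayllu /var/lib/git` in the RUN step above still executes before `USER ayllu`, so that directory is created root-owned. Whether this bites depends on how repositories are populated at runtime (a mounted volume carries its own ownership), but the build should either add `chown ayllu:ayllu /var/lib/git` to that RUN step or record the expectation, e.g. `# /var/lib/git and the repositories below it must be owned by the ayllu uid: git's CVE-2022-24765 ownership check is intentionally no longer bypassed`. Removing the bypass is the right direction now that `ayllu-shell` becomes the login shell and the image can serve more than one principal, so the reasoning that replaced the old NOTE deserves a comment of its own rather than silence. The removed `user.name` setting is not re-established anywhere in this section either; if ayllu creates commits, that is worth confirming.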
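diff --git a/containers/base-build/Containerfile b/containers/base-build/Containerfile
index a02506b..9d31fa7 100644
--- a/containers/base-build/Containerfile
+++ b/containers/base-build/Containerfile
@@ -2,11 +2,11 @@ ARG ALPINE_BASE_IMAGE
 FROM $ALPINE_BASE_IMAGE
 
 RUN apk add \
-curl cargo rust pkgconf sqlite sassc ncurses npm \
+curl cargo rust pkgconf \
 openssl openssl-dev fontconfig fontconfig-dev \
 tree-sitter-dev build-base git
 
-RUN adduser -D -h /src ayllu
+RUN adduser -D -h /src -s /bin/sh ayllu
 
 USER ayllu
 WORKDIR /src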
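Review bot: The added `-s /bin/sh` on the `adduser` line is, as far as I can tell, what BusyBox's adduser already uses as its default login shell, so the change reads as a no-op unless it is meant to pin the shell explicitly against a base-image change. If that is the intent, a one-line comment would stop the next reader from wondering, e.g. `# pin the build user's shell explicitly; RUN steps below run as this user`. The package removals above are fine to leave undocumented.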