+83 -31 +/-5 browse
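--- a/.containerignore
+++ b/.containerignore
@@ -1 +1,2 @@
 target
+db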
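--- a/containers/base/Containerfile
+++ b/containers/base/Containerfile
@@ -1,56 +1,97 @@
 FROM alpine:3 AS build
 
-
 RUN apk add \
-cargo rust pkgconf sqlite sassc npm \
+curl cargo rust pkgconf sqlite sassc npm \
 openssl openssl-dev fontconfig fontconfig-dev \
 tree-sitter-dev build-base git
 
-# TODO: tree-sitter-diff needs APK support but they haven't cut a release yet
 WORKDIR /src
 
-RUN \
-git clone https://github.com/the-mikedavis/tree-sitter-diff.git \
-&& cd tree-sitter-diff && abuild-tree-sitter build && abuild-tree-sitter install
+RUN --mount=type=cache,target=/root/.cargo \
+cargo install --color=never --no-default-features --features sqlite sqlx-cli
 
-RUN adduser -D -s /bin/sh -h /home/builder builder
+ENV PATH="/root/.cargo/bin:$PATH"
 
-USER builder
+ARG TREE_SITTER_DIFF_UPSTREAM_URL="https://github.com/the-mikedavis/tree-sitter-diff/archive"
+ARG TREE_SITTER_DIFF_COMMIT_ID="629676fc3919606964231b2c7b9677d6998a2cb4"
+ARG TREE_SITTER_DIFF_SHA256SUM="3b43eba0afcdbbc405a9d3284b3af73332fa3522f888a8629f8d14d685e69781"
+
+# TODO: tree-sitter-diff needs APK support but they haven't cut a release yet
+RUN \
+curl -L "$TREE_SITTER_DIFF_UPSTREAM_URL/$TREE_SITTER_DIFF_COMMIT_ID.tar.gz" \
+-o tree-sitter-diff.tar.gz \
+&& echo "$TREE_SITTER_DIFF_SHA256SUM tree-sitter-diff.tar.gz" | sha256sum -c \
+&& tar xvf tree-sitter-diff.tar.gz
 
-ENV PATH="/home/builder/.cargo/bin:$PATH"
-RUN cargo install --color=never --no-default-features --features sqlite sqlx-cli
+RUN cd tree-sitter-diff-* && abuild-tree-sitter build && abuild-tree-sitter install
 
-USER root
-COPY . /home/builder/src
-WORKDIR /home/builder/src
-RUN chown -R builder /home/builder/src
+# Install rudolfs for LFS support
+ARG RUDOLFS_VERSION="0.3.7"
+ARG RUDOLFS_SHA256SUM="0ac57990e8923d2bf220a5c46a996d3b666f2d0454487597c0c106f8e079f2aa"
+ARG RUDOLFS_UPSTREAM_URL="https://github.com/jasonwhite/rudolfs/archive/refs/tags/${RUDOLFS_VERSION}.tar.gz"
 
-USER builder
+RUN \
+curl -L "$RUDOLFS_UPSTREAM_URL" -o rudolfs.tar.gz \
+&& echo "$RUDOLFS_SHA256SUM rudolfs.tar.gz" | sha256sum -c \
+&& tar xvf rudolfs.tar.gz
+
+RUN --mount=type=cache,target=/root/.cargo \
+cd "rudolfs-$RUDOLFS_VERSION" && cargo fetch --color=never --locked
+RUN --mount=type=cache,target=/root/.cargo --network=none \
+cd "rudolfs-$RUDOLFS_VERSION" && cargo build \
+--color=never --locked --frozen --offline --release \
+&& cp -v target/release/rudolfs /usr/bin/
+
+COPY ayllu /src/ayllu/ayllu
+COPY contrib /src/ayllu/contrib
+COPY crates /src/ayllu/crates
+COPY quipu /src/ayllu/quipu
+COPY scripts /src/ayllu/scripts
+COPY *.toml /src/ayllu/
+COPY Cargo.lock /src/ayllu/
+COPY LICENSE /src/ayllu/
+COPY ATTRIBUTIONS.md /src/ayllu/
+COPY package.json /src/ayllu/
+
+WORKDIR /src/ayllu
 
 RUN npm install
 
-RUN cargo fetch --color=never --locked
-RUN scripts/check_build_dependencies.sh || true
-RUN scripts/ensure_database.sh ayllu
+RUN --mount=type=cache,target=/root/.cargo \
+scripts/check_build_dependencies.sh || true
+
+RUN --mount=type=cache,target=/root/.cargo \
+scripts/ensure_database.sh ayllu
+
+# cache all Ayllu dependencies required for the build
+RUN --mount=type=cache,target=/root/.cargo cargo fetch --color=never --locked
 
 # build the main Ayllu binary
-RUN cargo build \
+RUN --mount=type=cache,target=/root/.cargo --network=none \
+cargo build \
 --color=never --locked --frozen --offline --release --package ayllu
 
-# build the Quipu binary
-RUN cargo build \
---color=never --locked --frozen --offline --release --package quipu
+# build the Quipu binary
+RUN --mount=type=cache,target=/root/.cargo --network=none \
+cargo build \
+--color=never --locked --frozen --offline --release --package quipu
 
-FROM alpine:3.19.1
+FROM alpine:3
 
 RUN apk add \
 fontconfig font-misc-misc git git-daemon libgit2-dev sqlite \
 tree-sitter-grammars # all of the syntax highlighting available in alpine
 
-COPY --from=build --chown=0:0 /home/builder/src/target/release/ayllu /usr/bin/
-COPY --from=build --chown=0:0 /home/builder/src/target/release/quipu /usr/bin/
-COPY --from=build --chown=0:0 /home/builder/src/ayllu/themes /usr/lib/ayllu/themes
-COPY --from=build --chown=0:0 /home/builder/src/ayllu/migrations /usr/lib/ayllu/migrations/ayllu
+# FIXME: Due to a bug in tree-sitter-cpp we have to remove this parser
+RUN rm -v /usr/lib/libtree-sitter-cpp.so
+
+COPY --from=build --chown=0:0 /usr/bin/rudolfs /usr/bin/
+COPY --from=build --chown=0:0 /src/ayllu/target/release/ayllu /usr/bin/
+COPY --from=build --chown=0:0 /src/ayllu/target/release/quipu /usr/bin/
+COPY --from=build --chown=0:0 /src/ayllu/ayllu/themes /usr/lib/ayllu/themes
+COPY --from=build --chown=0:0 /src/ayllu/ayllu/migrations /usr/lib/ayllu/migrations/ayllu
+COPY --from=build --chown=0:0 /src/ayllu/LICENSE /usr/share/licenses/ayllu/
+COPY --from=build --chown=0:0 /src/ayllu/ATTRIBUTIONS.md /usr/share/licenses/ayllu/
 
 COPY --from=build --chown=0:0 /usr/lib/tree-sitter/diff.so /usr/lib/tree-sitter/diff.so
 COPY --from=build --chown=0:0 /usr/share/tree-sitter/queries/diff /usr/share/tree-sitter/queries/diff
@@ -60,18 +101,20 @@ RUN ln -sv /usr/lib/tree-sitter/diff.so /usr/lib/libtree-sitter-diff.so
 # desired runtime security and required UID/GID mapping.
 RUN adduser -D -s /bin/sh -h /home/ayllu ayllu
 
-# NOTE: this explicitly ignores CVE 2022-24765 because this is not a multi-user
-# git environment.
 RUN \
 mkdir -p /etc/ayllu /var/lib/ayllu /var/lib/git && \
 ayllu config generate > /etc/ayllu/config.toml && \
 fc-cache -fv # update font cache which is required by plotters.rs
 
+# setup an unprivileged user for rudolfs
+RUN adduser -D -s /bin/sh -h /home/rudolfs rudolfs
+
 # default to the non-root ayllu user
 USER ayllu
 WORKDIR /home/ayllu
 
-# same git config as above but as the Ayllu user
+# NOTE: this explicitly ignores CVE 2022-24765 because this is not a multi-user
+# git environment.
 RUN \
 git config --global --add user.name 'ayllu' && \
 git config --global --add safe.directory '*'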
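Review bot: `cargo install --color=never --no-default-features --features sqlite sqlx-cli` near the top of the first hunk is the one fetched dependency in this file that is not pinned: tree-sitter-diff and rudolfs are fixed to a commit or tag and verified with `sha256sum -c`, but sqlx-cli resolves to whatever crates.io serves at build time, and without `--locked` cargo also ignores its lockfile, so the tool that runs `scripts/ensure_database.sh` can change from build to build. Pin it the same way the other two are, e.g. `ARG SQLX_CLI_VERSION="<version in use today>"` followed by `cargo install --color=never --locked --version "$SQLX_CLI_VERSION" --no-default-features --features sqlite sqlx-cli`. The base images deserve the same treatment: both stages now use the floating `alpine:3` tag (the runtime stage was `alpine:3.19.1` before this change), so pinning to a minor version or an `@sha256:` digest would keep the image reproducible. Note also that `npm install` runs against a copied `package.json` with no lockfile copied alongside it; if the repository carries a `package-lock.json`, copy it too and use `npm ci` so the JS dependencies are pinned as well.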
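--- a/containers/multiuser/Containerfile
+++ b/containers/multiuser/Containerfile
@@ -3,7 +3,7 @@ FROM $BASE_IMAGE
 
 USER root
 
-RUN apk add --no-cache acl gawk htop dropbear runit tmux
+RUN apk add --no-cache acl gawk htop dropbear runit tmux vim
 
 COPY containers/multiuser/motd.txt /etc/motd
 COPY containers/multiuser/service /etc/service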
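--- /dev/null
+++ b/containers/multiuser/service/rudolfs/run
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+RUDOLFS_DATA_PATH="${RUDOLFS_DATA_PATH:-/home/rudolfs/data}"
+RUDOLFS_PORT="${RUDOLFS_PORT:-7000}"
+
+exec su rudolfs -c \
+"rudolfs --port=${RUDOLFS_PORT} local --path ${RUDOLFS_DATA_PATH}"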
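Review bot: The `su rudolfs -c "rudolfs --port=${RUDOLFS_PORT} local --path ${RUDOLFS_DATA_PATH}"` line expands both environment variables into a command string that a second shell re-parses, so a value containing whitespace or shell metacharacters is word-split or interpreted instead of being passed as one argument. Since this is a runit service and the multiuser image installs the runit package, `chpst` can drop privileges without an intermediate shell: `exec chpst -u rudolfs rudolfs --port="$RUDOLFS_PORT" local --path "$RUDOLFS_DATA_PATH"`. Nothing here creates `$RUDOLFS_DATA_PATH`; the base image only creates `/home/rudolfs` via `adduser`, so unless rudolfs creates its storage directory itself the service will fail on first start, and an `install -d -o rudolfs -g rudolfs "$RUDOLFS_DATA_PATH"` before the exec would remove that dependency. The script also sets no bind address, so which interfaces rudolfs listens on inside the container is left to its defaults and should be confirmed against how the port is published.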
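--- a/contrib/systemd-podman/ayllu.container
+++ b/contrib/systemd-podman/ayllu.container
@@ -17,6 +17,7 @@ Volume=/etc/ayllu:/etc/ayllu
 
 HostName=ayllu
 PublishPort=127.0.0.1:8080:8080/tcp
+PublishPort=127.0.0.1:7000:7000/tcp
 
 Environment=PUID=1000
 Environment=PGID=1000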
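Review bot: `PublishPort=127.0.0.1:7000:7000/tcp` exposes the rudolfs LFS server to the host, but no `Volume=` for its object store is visible in this unit; only `/etc/ayllu` appears in the hunk context, and since the hunk starts at line 17 there may be others above it. The new run script defaults rudolfs to `/home/rudolfs/data` inside the container, so if that path is not on a volume every LFS object is discarded whenever the container is recreated. If no such mount exists, add `Volume=ayllu-lfs:/home/rudolfs/data` (or point `RUDOLFS_DATA_PATH` at a path under an existing volume) so the store is persistent.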