Author: Kevin Schoon [me@kevinschoon.com]
Hash: fc46aaa364e0b1336e6546e268a435ab398e0306
Timestamp: Sat, 01 Jun 2024 16:11:32 +0000 (1 month ago)

+83 -31 +/-5 browse
add lfs support to base and multiuser container
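diff --git a/.containerignore b/.containerignore
index eb5a316..b94ee54 100644
--- a/.containerignore
+++ b/.containerignore
@@ -1 +1,2 @@
 target
+db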
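diff --git a/containers/base/Containerfile b/containers/base/Containerfile
index b505cb6..3c21fdf 100644
--- a/containers/base/Containerfile
+++ b/containers/base/Containerfile
@@ -1,56 +1,97 @@
 FROM alpine:3 AS build
 
-
 RUN apk add \
-cargo rust pkgconf sqlite sassc npm \
+curl cargo rust pkgconf sqlite sassc npm \
 openssl openssl-dev fontconfig fontconfig-dev \
 tree-sitter-dev build-base git
 
-# TODO: tree-sitter-diff needs APK support but they haven't cut a release yet
 WORKDIR /src
 
-RUN \
-git clone https://github.com/the-mikedavis/tree-sitter-diff.git \
-&& cd tree-sitter-diff && abuild-tree-sitter build && abuild-tree-sitter install
+RUN --mount=type=cache,target=/root/.cargo \
+cargo install --color=never --no-default-features --features sqlite sqlx-cli
 
-RUN adduser -D -s /bin/sh -h /home/builder builder
+ENV PATH="/root/.cargo/bin:$PATH"
 
-USER builder
+ARG TREE_SITTER_DIFF_UPSTREAM_URL="https://github.com/the-mikedavis/tree-sitter-diff/archive"
+ARG TREE_SITTER_DIFF_COMMIT_ID="629676fc3919606964231b2c7b9677d6998a2cb4"
+ARG TREE_SITTER_DIFF_SHA256SUM="3b43eba0afcdbbc405a9d3284b3af73332fa3522f888a8629f8d14d685e69781"
+
+# TODO: tree-sitter-diff needs APK support but they haven't cut a release yet
+RUN \
+curl -L "$TREE_SITTER_DIFF_UPSTREAM_URL/$TREE_SITTER_DIFF_COMMIT_ID.tar.gz" \
+-o tree-sitter-diff.tar.gz \
+&& echo "$TREE_SITTER_DIFF_SHA256SUM tree-sitter-diff.tar.gz" | sha256sum -c \
+&& tar xvf tree-sitter-diff.tar.gz
 
-ENV PATH="/home/builder/.cargo/bin:$PATH"
-RUN cargo install --color=never --no-default-features --features sqlite sqlx-cli
+RUN cd tree-sitter-diff-* && abuild-tree-sitter build && abuild-tree-sitter install
 
-USER root
-COPY . /home/builder/src
-WORKDIR /home/builder/src
-RUN chown -R builder /home/builder/src
+# Install rudolfs for LFS support
+ARG RUDOLFS_VERSION="0.3.7"
+ARG RUDOLFS_SHA256SUM="0ac57990e8923d2bf220a5c46a996d3b666f2d0454487597c0c106f8e079f2aa"
+ARG RUDOLFS_UPSTREAM_URL="https://github.com/jasonwhite/rudolfs/archive/refs/tags/${RUDOLFS_VERSION}.tar.gz"
 
-USER builder
+RUN \
+curl -L "$RUDOLFS_UPSTREAM_URL" -o rudolfs.tar.gz \
+&& echo "$RUDOLFS_SHA256SUM rudolfs.tar.gz" | sha256sum -c \
+&& tar xvf rudolfs.tar.gz
+
+RUN --mount=type=cache,target=/root/.cargo \
+cd "rudolfs-$RUDOLFS_VERSION" && cargo fetch --color=never --locked
+RUN --mount=type=cache,target=/root/.cargo --network=none \
+cd "rudolfs-$RUDOLFS_VERSION" && cargo build \
+--color=never --locked --frozen --offline --release \
+&& cp -v target/release/rudolfs /usr/bin/
+
+COPY ayllu /src/ayllu/ayllu
+COPY contrib /src/ayllu/contrib
+COPY crates /src/ayllu/crates
+COPY quipu /src/ayllu/quipu
+COPY scripts /src/ayllu/scripts
+COPY *.toml /src/ayllu/
+COPY Cargo.lock /src/ayllu/
+COPY LICENSE /src/ayllu/
+COPY ATTRIBUTIONS.md /src/ayllu/
+COPY package.json /src/ayllu/
+
+WORKDIR /src/ayllu
 
 RUN npm install
 
-RUN cargo fetch --color=never --locked
-RUN scripts/check_build_dependencies.sh || true
-RUN scripts/ensure_database.sh ayllu
+RUN --mount=type=cache,target=/root/.cargo \
+scripts/check_build_dependencies.sh || true
+
+RUN --mount=type=cache,target=/root/.cargo \
+scripts/ensure_database.sh ayllu
+
+# cache all Ayllu dependencies required for the build
+RUN --mount=type=cache,target=/root/.cargo cargo fetch --color=never --locked
 
 # build the main Ayllu binary
-RUN cargo build \
+RUN --mount=type=cache,target=/root/.cargo --network=none \
+cargo build \
 --color=never --locked --frozen --offline --release --package ayllu
 
-# build the Quipu binary
-RUN cargo build \
---color=never --locked --frozen --offline --release --package quipu
+# build the Quipu binary
+RUN --mount=type=cache,target=/root/.cargo --network=none \
+cargo build \
+--color=never --locked --frozen --offline --release --package quipu
 
-FROM alpine:3.19.1
+FROM alpine:3
 
 RUN apk add \
 fontconfig font-misc-misc git git-daemon libgit2-dev sqlite \
 tree-sitter-grammars # all of the syntax highlighting available in alpine
 
-COPY --from=build --chown=0:0 /home/builder/src/target/release/ayllu /usr/bin/
-COPY --from=build --chown=0:0 /home/builder/src/target/release/quipu /usr/bin/
-COPY --from=build --chown=0:0 /home/builder/src/ayllu/themes /usr/lib/ayllu/themes
-COPY --from=build --chown=0:0 /home/builder/src/ayllu/migrations /usr/lib/ayllu/migrations/ayllu
+# FIXME: Due to a bug in tree-sitter-cpp we have to remove this parser
+RUN rm -v /usr/lib/libtree-sitter-cpp.so
+
+COPY --from=build --chown=0:0 /usr/bin/rudolfs /usr/bin/
+COPY --from=build --chown=0:0 /src/ayllu/target/release/ayllu /usr/bin/
+COPY --from=build --chown=0:0 /src/ayllu/target/release/quipu /usr/bin/
+COPY --from=build --chown=0:0 /src/ayllu/ayllu/themes /usr/lib/ayllu/themes
+COPY --from=build --chown=0:0 /src/ayllu/ayllu/migrations /usr/lib/ayllu/migrations/ayllu
+COPY --from=build --chown=0:0 /src/ayllu/LICENSE /usr/share/licenses/ayllu/
+COPY --from=build --chown=0:0 /src/ayllu/ATTRIBUTIONS.md /usr/share/licenses/ayllu/
 
 COPY --from=build --chown=0:0 /usr/lib/tree-sitter/diff.so /usr/lib/tree-sitter/diff.so
 COPY --from=build --chown=0:0 /usr/share/tree-sitter/queries/diff /usr/share/tree-sitter/queries/diff
@@ -60,18 +101,20 @@ RUN ln -sv /usr/lib/tree-sitter/diff.so /usr/lib/libtree-sitter-diff.so
 # desired runtime security and required UID/GID mapping.
 RUN adduser -D -s /bin/sh -h /home/ayllu ayllu
 
-# NOTE: this explicitly ignores CVE 2022-24765 because this is not a multi-user
-# git environment.
 RUN \
 mkdir -p /etc/ayllu /var/lib/ayllu /var/lib/git && \
 ayllu config generate > /etc/ayllu/config.toml && \
 fc-cache -fv # update font cache which is required by plotters.rs
 
+# setup an unprivileged user for rudolfs
+RUN adduser -D -s /bin/sh -h /home/rudolfs rudolfs
+
 # default to the non-root ayllu user
 USER ayllu
 WORKDIR /home/ayllu
 
-# same git config as above but as the Ayllu user
+# NOTE: this explicitly ignores CVE 2022-24765 because this is not a multi-user
+# git environment.
 RUN \
 git config --global --add user.name 'ayllu' && \
 git config --global --add safe.directory '*'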
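Review bot: The runtime stage loosens its base from `alpine:3.19.1` to `alpine:3` (the `FROM` change near the end of the first hunk), so the same Containerfile can yield a different runtime image from one build to the next and a base-image update is no longer an explicit, reviewable change; keep the patch-level tag, ideally with a digest, e.g. `FROM alpine:3.19.1` — the build stage's `alpine:3` and the unpinned `apk add` lists in both stages have the same reproducibility gap. Separately, `cargo install ... sqlx-cli` runs under `--mount=type=cache,target=/root/.cargo`, so the sqlx binary is written into the cache mount rather than into an image layer; it stays usable only because every later step that needs it mounts the same cache, and a cached `cargo install` layer combined with a pruned or cold mount would presumably leave `scripts/ensure_database.sh` without sqlx. Installing with `cargo install --root /usr/local ...` puts the binary in the image while the registry cache still benefits from the mount. The two `curl -L` downloads also lack `-f`, so an HTTP error body is saved to disk and only rejected later by `sha256sum -c`; `curl -fL` fails at the fetch with a clearer error.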
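diff --git a/containers/multiuser/Containerfile b/containers/multiuser/Containerfile
index 1513bea..34eaa20 100644
--- a/containers/multiuser/Containerfile
+++ b/containers/multiuser/Containerfile
@@ -3,7 +3,7 @@ FROM $BASE_IMAGE
 
 USER root
 
-RUN apk add --no-cache acl gawk htop dropbear runit tmux
+RUN apk add --no-cache acl gawk htop dropbear runit tmux vim
 
 COPY containers/multiuser/motd.txt /etc/motd
 COPY containers/multiuser/service /etc/service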
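diff --git a/containers/multiuser/service/rudolfs/run b/containers/multiuser/service/rudolfs/run
new file mode 100755
index 0000000..3871098
--- /dev/null
+++ b/containers/multiuser/service/rudolfs/run
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+RUDOLFS_DATA_PATH="${RUDOLFS_DATA_PATH:-/home/rudolfs/data}"
+RUDOLFS_PORT="${RUDOLFS_PORT:-7000}"
+
+exec su rudolfs -c \
+"rudolfs --port=${RUDOLFS_PORT} local --path ${RUDOLFS_DATA_PATH}"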
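Review bot: The service starts rudolfs through `su rudolfs -c "..."` with `RUDOLFS_PORT` and `RUDOLFS_DATA_PATH` expanded into the command string unquoted, so a data path containing whitespace or shell metacharacters is re-parsed by the inner shell, and rudolfs may end up as a child of su/sh rather than of runsv, which weakens signal delivery on `sv down`. Since the multiuser image installs `runit`, `chpst` is available and avoids the shell string entirely: `exec chpst -u rudolfs rudolfs --port="$RUDOLFS_PORT" local --path "$RUDOLFS_DATA_PATH"`. Whether `/home/rudolfs/data` exists and is writable by the rudolfs user at first start is not established here (the base image only creates the home directory via `adduser`); if rudolfs does not create it, the run script should `mkdir -p` and `chown` it before dropping privileges.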
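diff --git a/contrib/systemd-podman/ayllu.container b/contrib/systemd-podman/ayllu.container
index 0aa5e32..f23e09c 100644
--- a/contrib/systemd-podman/ayllu.container
+++ b/contrib/systemd-podman/ayllu.container
@@ -17,6 +17,7 @@ Volume=/etc/ayllu:/etc/ayllu
 
 HostName=ayllu
 PublishPort=127.0.0.1:8080:8080/tcp
+PublishPort=127.0.0.1:7000:7000/tcp
 
 Environment=PUID=1000
 Environment=PGID=1000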