From b8ace39fb179c740d209046b05e70bb91d286dcd Mon Sep 17 00:00:00 2001
From: spwoodcock
Date: Mon, 27 Nov 2023 04:08:14 +0000
Subject: [PATCH 1/8] build: optimise central backend (service) dockerfile
---
 service.dockerfile | 66 ++++++++++++++++++++++++++++++++++++----------
 1 file changed, 52 insertions(+), 14 deletions(-)
diff --git a/service.dockerfile b/service.dockerfile
index 11f5e280..fa089faa 100644
--- a/service.dockerfile
+++ b/service.dockerfile
@@ -1,30 +1,68 @@
-ARG node_version=18.17
-FROM node:${node_version} as intermediate
+ARG node_version=18
+
+
+FROM node:${node_version}-slim as pgdg
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+ ca-certificates \
+ curl \
+ gpg \
+ && rm -rf /var/lib/apt/lists/* \
+ && update-ca-certificates
+RUN echo "deb http://apt.postgresql.org/pub/repos/apt/ $(grep -oP 'VERSION_CODENAME=\K\w+' /etc/os-release)-pgdg main" \
+ | tee /etc/apt/sources.list.d/pgdg.list \
+ && curl https://www.postgresql.org/media/keys/ACCC4CF8.asc \
+ | gpg --dearmor > /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg
+
+
+
+FROM node:${node_version}-slim as intermediate
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+ git \
+ && rm -rf /var/lib/apt/lists/*
 COPY . .
 RUN mkdir /tmp/sentry-versions
 RUN git describe --tags --dirty > /tmp/sentry-versions/central
-WORKDIR server
+WORKDIR /server
 RUN git describe --tags --dirty > /tmp/sentry-versions/server
-WORKDIR ../client
+WORKDIR /client
 RUN git describe --tags --dirty > /tmp/sentry-versions/client
-FROM node:${node_version}
-WORKDIR /usr/odk
-RUN apt-get update && apt-get install wait-for-it && rm -rf /var/lib/apt/lists/*
+FROM node:${node_version}-slim
+
+ARG node_version
+LABEL org.getodk.central.app-name="central" \
+ org.getodk.central.node-tag="${node_version}" \
+ org.getodk.central.maintainer="admin@hotosm.org" \
+ org.getodk.central.port="8383"
-RUN echo "deb http://apt.postgresql.org/pub/repos/apt/ $(grep -oP 'VERSION_CODENAME=\K\w+' /etc/os-release)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list && \
- curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor > /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg && \
- apt-get update && \
- apt-get install -y cron gettext postgresql-client-14
+WORKDIR /usr/odk
+
+COPY --from=pgdg /etc/apt/sources.list.d/pgdg.list \
+ /etc/apt/sources.list.d/pgdg.list
+COPY --from=pgdg /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg \
+ /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+ gpg \
+ cron \
+ wait-for-it \
+ gettext \
+ procps \
+ postgresql-client-14 \
+ netcat-traditional \
+ && rm -rf /var/lib/apt/lists/*
 COPY files/service/crontab /etc/cron.d/odk
 COPY server/package*.json ./
-RUN npm clean-install --omit=dev --legacy-peer-deps --no-audit --fund=false --update-notifier=false
+RUN npm clean-install --omit=dev --legacy-peer-deps --no-audit \
+ --fund=false --update-notifier=false
 COPY server/ ./
 COPY files/service/scripts/ ./
@@ -34,5 +72,5 @@ COPY files/service/odk-cmd /usr/bin/
 COPY --from=intermediate /tmp/sentry-versions/ ./sentry-versions
-EXPOSE 8383
-
+HEALTHCHECK --start-period=10s --interval=5s --retries=10 \
+ CMD nc -z localhost 8383 || exit 1
From 79ec540dbeb0dc8907983418bfff1e01ac9a5023 Mon Sep 17 00:00:00 2001
From: spwoodcock
Date: Mon, 27 Nov 2023 04:12:49 +0000
Subject: [PATCH 2/8] build: service dockerfile copy files after apt install
---
 service.dockerfile | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/service.dockerfile b/service.dockerfile
index fa089faa..9d71580c 100644
--- a/service.dockerfile
+++ b/service.dockerfile
@@ -42,6 +42,7 @@ LABEL org.getodk.central.app-name="central" \
 WORKDIR /usr/odk
+COPY server/package*.json ./
 COPY --from=pgdg /etc/apt/sources.list.d/pgdg.list \
 /etc/apt/sources.list.d/pgdg.list
 COPY --from=pgdg /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg \
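Review bot: The keyring fetch in the new `pgdg` stage, `curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor > /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg`, cannot reliably fail the build: curl without `-f` exits 0 on an HTTP error response, and under the default `/bin/sh -c` the pipeline's status is gpg's alone, so whether a bad download is noticed depends on what gpg does with the unexpected input, and the final stage then copies that keyring and relies on it to verify the plain-`http://` pgdg repository. Change the fetch to `curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc \` and add `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before the RUN so a failed curl or gpg aborts the stage; the `grep ... | tee` pipeline above it benefits likewise. Separately, the final stage installs `gpg`, which nothing visible in it uses once the dearmored keyring is copied in (apt's own signature verification should not need it — confirm), and the stage still ends without a `USER`, so the service keeps running as root, a pre-existing gap this rewrite is a good moment to close.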
@@ -55,19 +56,15 @@ RUN apt-get update \
 procps \
 postgresql-client-14 \
 netcat-traditional \
- && rm -rf /var/lib/apt/lists/*
-
-COPY files/service/crontab /etc/cron.d/odk
-
-COPY server/package*.json ./
-
-RUN npm clean-install --omit=dev --legacy-peer-deps --no-audit \
+ && rm -rf /var/lib/apt/lists/* \
+ && npm clean-install --omit=dev --legacy-peer-deps --no-audit \
 --fund=false --update-notifier=false
 COPY server/ ./
 COPY files/service/scripts/ ./
 COPY files/service/config.json.template /usr/share/odk/
+COPY files/service/crontab /etc/cron.d/odk
 COPY files/service/odk-cmd /usr/bin/
 COPY --from=intermediate /tmp/sentry-versions/ ./sentry-versions
From 1b4325952b4b40b160fffab22d1a173f5e35f893 Mon Sep 17 00:00:00 2001
From: spwoodcock
Date: Mon, 27 Nov 2023 05:40:12 +0000
Subject: [PATCH 3/8] build: pin node version 18 --> 18.17
---
 service.dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/service.dockerfile b/service.dockerfile
index 9d71580c..fc45a07a 100644
--- a/service.dockerfile
+++ b/service.dockerfile
@@ -1,4 +1,4 @@
-ARG node_version=18
+ARG node_version=18.17
From 4cafcff4c60913ba0bc70d0e0fccdcf00770018e Mon Sep 17 00:00:00 2001
From: spwoodcock
Date: Thu, 7 Dec 2023 05:00:07 +0000
Subject: [PATCH 4/8] build: update maintainer label, remove healthcheck
---
 service.dockerfile | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/service.dockerfile b/service.dockerfile
index fc45a07a..2ae9fc8b 100644
--- a/service.dockerfile
+++ b/service.dockerfile
@@ -37,7 +37,7 @@ FROM node:${node_version}-slim
 ARG node_version
 LABEL org.getodk.central.app-name="central" \
 org.getodk.central.node-tag="${node_version}" \
- org.getodk.central.maintainer="admin@hotosm.org" \
+ org.getodk.central.maintainer="support@getodk.org" \
 org.getodk.central.port="8383"
 WORKDIR /usr/odk
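Review bot: Folding `npm clean-install` into the `apt-get` RUN couples two unrelated cache keys: `COPY server/package*.json ./` now sits before this RUN (first hunk of this commit), so any lockfile change invalidates the layer and re-downloads every OS package, and any edit to the package list re-runs the full npm install. Keep them as separate layers — end the apt RUN at `&& rm -rf /var/lib/apt/lists/*`, then `COPY server/package*.json ./`, then `RUN npm clean-install --omit=dev --legacy-peer-deps --no-audit --fund=false --update-notifier=false` — which preserves the ordering this commit intends without the shared invalidation. The RUN being edited starts before the hunk; its opening line appears only as the `@@` context.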
@@ -68,6 +68,3 @@ COPY files/service/crontab /etc/cron.d/odk
 COPY files/service/odk-cmd /usr/bin/
 COPY --from=intermediate /tmp/sentry-versions/ ./sentry-versions
-
-HEALTHCHECK --start-period=10s --interval=5s --retries=10 \
- CMD nc -z localhost 8383 || exit 1
From a6d57e3d8b54147e8b9d7ef31526a38a5240e480 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A9l=C3=A8ne=20Martin?=
Date: Fri, 8 Dec 2023 10:43:39 -0800
Subject: [PATCH 5/8] Use node version 20.10
---
 service.dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/service.dockerfile b/service.dockerfile
index 2ae9fc8b..49a54b80 100644
--- a/service.dockerfile
+++ b/service.dockerfile
@@ -1,4 +1,4 @@
-ARG node_version=18.17
+ARG node_version=20.10
From 35bd78001b54032b04d6a9337d3c93e2b31bccea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A9l=C3=A8ne=20Martin?=
Date: Fri, 8 Dec 2023 12:48:38 -0800
Subject: [PATCH 6/8] Use slim base images for nginx and secrets
---
 nginx.dockerfile | 9 ++++++++-
 secrets.dockerfile | 2 +-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/nginx.dockerfile b/nginx.dockerfile
index cced9345..8981409e 100644
--- a/nginx.dockerfile
+++ b/nginx.dockerfile
@@ -1,10 +1,17 @@
-FROM node:18.17 as intermediate
+FROM node:20.10-slim as intermediate
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+ git \
+ && rm -rf /var/lib/apt/lists/*
 COPY ./ ./
 RUN files/prebuild/write-version.sh
 ARG OIDC_ENABLED
 RUN OIDC_ENABLED="$OIDC_ENABLED" files/prebuild/build-frontend.sh
+
+
 # when upgrading, look for upstream changes to redirector.conf
 # also, confirm setup-odk.sh strips out HTTP-01 ACME challenge location
 FROM jonasal/nginx-certbot:4.2.0
diff --git a/secrets.dockerfile b/secrets.dockerfile
index b200d26b..9e59323e 100644
--- a/secrets.dockerfile
+++ b/secrets.dockerfile
@@ -1,2 +1,2 @@
-FROM node:18.17
+FROM node:20.10-slim
 COPY files/enketo/generate-secrets.sh ./
From 8aa8ebc54949406c7cfa84faf9b017df5f48561c Mon Sep 17 00:00:00 2001
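Review bot: The new `RUN apt-get ... git` block in nginx.dockerfile carries no comment saying why a stage that only runs two prebuild scripts now needs git; presumably `files/prebuild/write-version.sh` runs `git describe` as the service Dockerfile's intermediate stage does, but that is not visible in this hunk. A one-line comment above the RUN, e.g. `# slim base lacks git, which the prebuild scripts need for version stamping`, would save the next reader from re-deriving it. As a point of style, the stage keyword is written `as intermediate` while the instruction keyword is uppercase; `AS intermediate` keeps the casing consistent and satisfies BuildKit's FromAsCasing check, and the same lowercase `as` is used for the service.dockerfile stages.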
From: =?UTF-8?q?H=C3=A9l=C3=A8ne=20Martin?=
Date: Fri, 8 Dec 2023 15:11:29 -0800
Subject: [PATCH 7/8] Use opencontainer labels, bring back EXPOSE
---
 service.dockerfile | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/service.dockerfile b/service.dockerfile
index 49a54b80..2f668959 100644
--- a/service.dockerfile
+++ b/service.dockerfile
@@ -35,10 +35,9 @@ RUN git describe --tags --dirty > /tmp/sentry-versions/client
 FROM node:${node_version}-slim
 ARG node_version
-LABEL org.getodk.central.app-name="central" \
- org.getodk.central.node-tag="${node_version}" \
- org.getodk.central.maintainer="support@getodk.org" \
- org.getodk.central.port="8383"
+LABEL org.opencontainers.image.title="ODK Central backend" \
+ org.opencontainers.image.vendor="ODK" \
+ org.opencontainers.image.source="https://github.com/getodk/central"
 WORKDIR /usr/odk
@@ -68,3 +67,5 @@ COPY files/service/crontab /etc/cron.d/odk
 COPY files/service/odk-cmd /usr/bin/
 COPY --from=intermediate /tmp/sentry-versions/ ./sentry-versions
+
+EXPOSE 8383
From 7c3e7a1b368ae7fe3c3b20f8c1ff05fdb9464123 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A9l=C3=A8ne=20Martin?=
Date: Fri, 8 Dec 2023 16:29:05 -0800
Subject: [PATCH 8/8] Remove labels that aren't used by GHCR
---
 service.dockerfile | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/service.dockerfile b/service.dockerfile
index 2f668959..8c47e998 100644
--- a/service.dockerfile
+++ b/service.dockerfile
@@ -35,9 +35,7 @@ RUN git describe --tags --dirty > /tmp/sentry-versions/client
 FROM node:${node_version}-slim
 ARG node_version
-LABEL org.opencontainers.image.title="ODK Central backend" \
- org.opencontainers.image.vendor="ODK" \
- org.opencontainers.image.source="https://github.com/getodk/central"
+LABEL org.opencontainers.image.source="https://github.com/getodk/central"
 WORKDIR /usr/odk
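Review bot: Once the `org.getodk.central.node-tag="${node_version}"` label is removed, the `ARG node_version` redeclared directly above the new LABEL has no visible consumer left in the final stage (the stage's `FROM` line uses the pre-FROM declaration), so it looks dead unless something later in the stage reads it; if nothing does, drop it together with the label. The same `ARG node_version` is still present as context in PATCH 8/8's hunk after the further label trim. The final stage continues past the end of this hunk, so the "nothing later reads it" part is inferred, not shown.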