Merge pull request #2666 from bitshares/update-build-docker

Update Dockerfile and build-docker workflow

.github/workflows/build-docker.yml

@@ -17,6 +17,15 @@ jobs:
         fi
         echo "DOCKER_PUSH_TAG=${DOCKER_PUSH_TAG}"
         echo "DOCKER_PUSH_TAG=${DOCKER_PUSH_TAG}" >> $GITHUB_ENV
+        VERSION_MAJOR=`echo "${DOCKER_PUSH_TAG}" | cut -f1 -d'.'`
+        if [ "${VERSION_MAJOR}" != "${DOCKER_PUSH_TAG}" ]; then
+          VERSION_MINOR=`echo "${DOCKER_PUSH_TAG}" | cut -f2 -d'.'`
+          DOCKER_PUSH_TAG_SHORT=${VERSION_MAJOR}.${VERSION_MINOR}
+          if [ "${DOCKER_PUSH_TAG_SHORT}" != "${DOCKER_PUSH_TAG}" ]; then
+            echo "DOCKER_PUSH_TAG_SHORT=${DOCKER_PUSH_TAG_SHORT}"
+            echo "DOCKER_PUSH_TAG_SHORT=${DOCKER_PUSH_TAG_SHORT}" >> $GITHUB_ENV
+          fi
+        fi
     - name: Test tag
       if: env.DOCKER_PUSH_TAG != ''
       run: echo "${DOCKER_PUSH_TAG}"
@@ -35,10 +44,19 @@ jobs:
       with:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_TOKEN }}
-    - name: Push to DockerHub
-      if: env.DOCKER_PUSH_TAG != ''
+    - name: Push to DockerHub (for branches)
+      if: env.DOCKER_PUSH_TAG != '' && env.DOCKER_PUSH_TAG_SHORT == ''
+      uses: docker/build-push-action@v3
+      with:
+        context: .
+        push: true
+        tags: ${{ secrets.DOCKERHUB_REPO_PATH }}:${{ env.DOCKER_PUSH_TAG }}
+    - name: Push to DockerHub (for tags)
+      if: env.DOCKER_PUSH_TAG != '' && env.DOCKER_PUSH_TAG_SHORT != ''
       uses: docker/build-push-action@v3
       with:
         context: .
         push: true
-        tags: bitshares/bitshares-core:${{ env.DOCKER_PUSH_TAG }}
+        tags: |
+          ${{ secrets.DOCKERHUB_REPO_PATH }}:${{ env.DOCKER_PUSH_TAG }}
+          ${{ secrets.DOCKERHUB_REPO_PATH }}:${{ env.DOCKER_PUSH_TAG_SHORT }}

Dockerfile

@@ -1,7 +1,8 @@
-FROM phusion/baseimage:focal-1.2.0
-MAINTAINER The bitshares decentralized organisation
-
+# The image for building
+FROM phusion/baseimage:focal-1.2.0 as build
 ENV LANG=en_US.UTF-8
+
+# Install dependencies
 RUN \
     apt-get update && \
     apt-get upgrade -y -o Dpkg::Options::="--force-confold" && \
@@ -29,7 +30,6 @@ RUN \
       libtool \
       doxygen \
       ca-certificates \
-      fish \
     && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
@@ -52,20 +52,50 @@ RUN \
 	-DGRAPHENE_DISABLE_UNITY_BUILD=ON \
         . && \
     make witness_node cli_wallet get_dev_key && \
-    install -s programs/witness_node/witness_node programs/genesis_util/get_dev_key programs/cli_wallet/cli_wallet /usr/local/bin && \
+    install -s programs/witness_node/witness_node \
+               programs/genesis_util/get_dev_key \
+               programs/cli_wallet/cli_wallet \
+            /usr/local/bin && \
     #
     # Obtain version
     mkdir -p /etc/bitshares && \
     git rev-parse --short HEAD > /etc/bitshares/version && \
     cd / && \
     rm -rf /bitshares-core
 
-# Home directory $HOME
+# The final image
+FROM phusion/baseimage:focal-1.2.0
+LABEL maintainer="The bitshares decentralized organisation"
+ENV LANG=en_US.UTF-8
+
+# Install required libraries
+RUN \
+    apt-get update && \
+    apt-get upgrade -y -o Dpkg::Options::="--force-confold" && \
+    apt-get update && \
+    apt-get install --no-install-recommends -y \
+      libcurl4 \
+      ca-certificates \
+    && \
+    mkdir -p /etc/bitshares && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+COPY --from=build /usr/local/bin/* /usr/local/bin/
+COPY --from=build /etc/bitshares/version /etc/bitshares/
+
 WORKDIR /
-RUN useradd -s /bin/bash -m -d /var/lib/bitshares bitshares
+RUN groupadd -g 10001 bitshares
+RUN useradd -u 10000 -g bitshares -s /bin/bash -m -d /var/lib/bitshares --no-log-init bitshares
 ENV HOME /var/lib/bitshares
 RUN chown bitshares:bitshares -R /var/lib/bitshares
 
+# default exec/config files
+ADD docker/default_config.ini /etc/bitshares/config.ini
+ADD docker/default_logging.ini /etc/bitshares/logging.ini
+ADD docker/bitsharesentry.sh /usr/local/bin/bitsharesentry.sh
+RUN chmod a+x /usr/local/bin/bitsharesentry.sh
+
 # Volume
 VOLUME ["/var/lib/bitshares", "/etc/bitshares"]
 
@@ -74,14 +104,11 @@ EXPOSE 8090
 # p2p service:
 EXPOSE 1776
 
-# default exec/config files
-ADD docker/default_config.ini /etc/bitshares/config.ini
-ADD docker/default_logging.ini /etc/bitshares/logging.ini
-ADD docker/bitsharesentry.sh /usr/local/bin/bitsharesentry.sh
-RUN chmod a+x /usr/local/bin/bitsharesentry.sh
-
 # Make Docker send SIGINT instead of SIGTERM to the daemon
 STOPSIGNAL SIGINT
 
+# Temporarily commented out due to permission issues caused by older versions, to be restored in a future version
+#USER bitshares:bitshares
+
 # default execute entry
-CMD ["/usr/local/bin/bitsharesentry.sh"]
+ENTRYPOINT ["/usr/local/bin/bitsharesentry.sh"]

docker/bitsharesentry.sh

@@ -84,10 +84,17 @@ fi
 ln -f -s /etc/bitshares/config.ini /var/lib/bitshares
 ln -f -s /etc/bitshares/logging.ini /var/lib/bitshares
 
+chown -R bitshares:bitshares /var/lib/bitshares
+
+# Get the latest security updates
+apt-get update && apt-get upgrade -y -o Dpkg::Options::="--force-confold"
+
 # Plugins need to be provided in a space-separated list, which
 # makes it necessary to write it like this
 if [[ ! -z "$BITSHARESD_PLUGINS" ]]; then
-   exec "$BITSHARESD" --data-dir "${HOME}" ${ARGS} ${BITSHARESD_ARGS} --plugins "${BITSHARESD_PLUGINS}"
+   exec /usr/bin/setpriv --reuid=bitshares --regid=bitshares --clear-groups \
+     "$BITSHARESD" --data-dir "${HOME}" ${ARGS} ${BITSHARESD_ARGS} --plugins "${BITSHARESD_PLUGINS}"
 else
-   exec "$BITSHARESD" --data-dir "${HOME}" ${ARGS} ${BITSHARESD_ARGS}
+   exec /usr/bin/setpriv --reuid=bitshares --regid=bitshares --clear-groups \
+     "$BITSHARESD" --data-dir "${HOME}" ${ARGS} ${BITSHARESD_ARGS}
 fi