diff --git a/Dockerfile b/Dockerfile index 9403d5d..5563282 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ ARG NODE_VERSION=16.0.0 ARG NPM_VERSION=6.0.0 ARG YARN_VERSION=1.6.0 -FROM ubuntu:20.04 as downloader +FROM ubuntu:22.04 as downloader ARG NODE_VERSION ARG YARN_VERSION @@ -69,10 +69,12 @@ RUN tar -xzf yarn-v$YARN_VERSION.tar.gz -C /opt/ --no-same-owner # # Build a common base image for both node-base and node-builder # -FROM ubuntu:20.04 as common +FROM ubuntu:22.04 as common ARG NODE_VERSION ARG YARN_VERSION +ARG TARGETOS +ARG TARGETARCH # Make sure we run latest ubuntu and install some basic packages RUN apt-get update -qq && \ 
@@ -108,6 +110,31 @@ RUN npm config set '//registry.npmjs.org/:_authToken' '${NPM_TOKEN}' --global COPY --chown=root:root files/opt/connectedcars/bin /opt/connectedcars/bin ENV PATH /opt/connectedcars/bin:$PATH +# Make sure we can install mysql-server from Ubuntu 18.04 as this is the last +# version with mysql 5.7, also pin mysql-server to Ubuntu 18.04 as we have +# some repos that install it expecting mysql 5.7 +COPY --chown=root:root files/etc/apt/ /etc/apt/ +RUN if [ "$TARGETOS/${TARGETARCH}" = "linux/amd64" ]; then \ + echo Addding bionic for amd64 binaies; \ + rm -f /etc/apt/sources.list.d/bionic-ports.list; \ + elif [ "$TARGETOS/${TARGETARCH}" = "linux/arm64" ]; then \ + echo Addding bionic Downloading arm64 binaies; \ + rm -f /etc/apt/sources.list.d/bionic.list; \ + else \ + echo "Unsupported target os and platform $TARGETOS/${TARGETARCH}"; \ + exit 1; \ + fi; + +# Install common libs from older ubuntu versions so most binaies would work +RUN apt-get update -qq && \ + apt-get install -qq -y --no-install-recommends libssl1.1 && \ + rm -rf /var/lib/apt/lists/* + +# Work arround issues for older node versions: +# https://github.com/nodejs/node/discussions/43184 +# https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#dll-hijacking-on-windows-high-cve-2022-32223 +RUN sed -i 's/^providers = provider_sect.*/#&/' /etc/ssl/openssl.cnf + # # Build node-base image # 
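Review bot: The final `RUN sed -i 's/^providers = provider_sect.*/#&/' /etc/ssl/openssl.cnf` exits 0 even when the pattern matches nothing, so a base image that words that line differently would drop the workaround without failing the build. Guarding it makes the build fail instead: `RUN grep -q '^providers = provider_sect' /etc/ssl/openssl.cnf && sed -i 's/^providers = provider_sect.*/#&/' /etc/ssl/openssl.cnf`. The edit is to the system-wide file, so it presumably affects every OpenSSL consumer in images built from this stage, not only the older Node versions the comment names. A comment such as `# NOTE: changes OpenSSL provider loading for all programs in the image; remove once the affected Node versions are dropped` would make that scope explicit.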
@@ -131,35 +158,15 @@ WORKDIR /app FROM common as builder ARG NODE_VERSION -ARG TARGETOS -ARG TARGETARCH RUN echo "Building builder image with node version: ${NODE_VERSION}" # Install basic build tools RUN apt-get update -qq && \ - apt-get install -qq -y --no-install-recommends build-essential python git openssh-client software-properties-common && \ + apt-get install -qq -y --no-install-recommends build-essential python3 git openssh-client && \ rm -rf /var/lib/apt/lists/* -# Make sure we use mysql-server from Ubuntu 18.04 as this is the last version with mysql 5.7 -RUN if [ "$TARGETOS/${TARGETARCH}" = "linux/amd64" ]; then \ - echo Downloading amd64 binaies; \ - add-apt-repository "deb http://mirrors.kernel.org/ubuntu/ bionic main"; \ - add-apt-repository "deb http://mirrors.kernel.org/ubuntu/ bionic-security main"; \ - elif [ "$TARGETOS/${TARGETARCH}" = "linux/arm64" ]; then \ - echo Downloading arm64 binaies; \ - add-apt-repository "deb http://ports.ubuntu.com/ubuntu-ports bionic main"; \ - add-apt-repository "deb http://ports.ubuntu.com/ubuntu-ports bionic-security main"; \ - else \ - echo "Unsupported target os and platform $TARGETOS/${TARGETARCH}"; \ - exit 1; \ - fi; -RUN echo 'Package: mysql-server\n\ -Pin: release n=bionic\n\ -Pin-Priority: 1001\n' > /etc/apt/preferences.d/mysql - - -# Install mysql 5.7 and 8.x dependencies and download both version to /opt +# Install mysql 5.7 and 8.x dependencies and download both versions to /opt RUN apt-get update -qq && \ apt-get install -qq -y --no-install-recommends mysql-client-core-8.0 && \ apt-get install -qq -y --no-install-recommends $(apt-cache depends mysql-server-core-5.7 mysql-server-core-8.0 | grep Depends | sed "s/.*ends:\ //" | tr '\n' ' ') && \ diff --git a/README.md b/README.md index f26c199..eef6381 100644 --- a/README.md +++ b/README.md 
@@ -71,5 +71,16 @@ echo "" | base64 -D | gcloud kms decrypt --plaintext-file=- --ciph ``` bash export NPM_TOKEN=yournpmtoken # Only build specific node version on arm64 -PROJECT_ID=connectedcars-staging NODE_VERSIONS="16.16.0" BUILD_PLATFORMS="linux/arm64" BRANCH_NAME=`git symbolic-ref --short -q HEAD` ./build-all.sh +PROJECT_ID=connectedcars-staging NODE_VERSIONS="16.16.0" BUILD_PLATFORMS="linux/arm64" COMMIT_SHA=ABCD1234 BRANCH_NAME=`git symbolic-ref --short -q HEAD` ./build-all.sh ``` + + +## Rollback to older version + +``` bash +export OLD_SHA=abcd1234 +for NODE_VERSION in 18.7.0 16.16.0 14.20.0 12.22.12; do + NODE_MAJOR_VERSION=$(echo "$NODE_VERSION" | cut -d. -f1) + echo docker buildx imagetools create "gcr.io/connectedcars-staging/node-builder.master:${NODE_VERSION}-${OLD_SHA}" --tag "gcr.io/connectedcars-staging/node-builder.master:${NODE_MAJOR_VERSION}.x" +done +``` \ No newline at end of file diff --git a/build-all.sh b/build-all.sh index 6729b3a..1752408 100755 --- a/build-all.sh +++ b/build-all.sh @@ -10,6 +10,7 @@ BUILD_PLATFORMS=${BUILD_PLATFORMS:='linux/amd64 linux/arm64'} # External variables PROJECT_ID=${PROJECT_ID:-} NPM_TOKEN=${NPM_TOKEN:-} +COMMIT_SHA=${COMMIT_SHA:-} BRANCH_NAME=${BRANCH_NAME:-} PUSH=${PUSH:-} @@ -23,6 +24,11 @@ if [[ ! -n "$NPM_TOKEN" ]]; then exit 255 fi +if [[ ! -n "$COMMIT_SHA" ]]; then + echo "COMMIT_SHA needs to be set" + exit 255 +fi + if [[ ! -n "$BRANCH_NAME" ]]; then echo "BRANCH_NAME needs to be set" exit 255 
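Review bot: The new `COMMIT_SHA` check in build-all.sh (hunk `@@ -23,6 +24,11 @@`) rejects only an empty value, yet the variable is later interpolated into the pushed tags as `${NODE_VERSION}-${COMMIT_SHA}`. Any non-empty string, including one that is not a commit id, therefore ends up in a tag that the README's rollback procedure treats as identifying one build. Validating the shape up front would prevent that: `if [[ ! "$COMMIT_SHA" =~ ^[0-9a-fA-F]{7,40}$ ]]; then echo "COMMIT_SHA must be a hex commit id"; exit 255; fi`. The accepted length range is a suggestion and should match what the callers actually pass.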
@@ -66,20 +72,23 @@ for NODE_VERSION in $NODE_VERSIONS; do if [[ -n "$PUSH" ]]; then echo Push base images docker buildx build --platform="${DOCKER_PLATFORMS}" --progress=plain --target=base ${DOCKER_NODE_BUILD_ARGS} --push \ + --tag="gcr.io/${PROJECT_ID}/node-base.${BRANCH_NAME}:${NODE_VERSION}-${COMMIT_SHA}" \ --tag="gcr.io/${PROJECT_ID}/node-base.${BRANCH_NAME}:${NODE_VERSION}" \ - --tag="gcr.io/${PROJECT_ID}/node-base.${BRANCH_NAME}:$NODE_MAJOR_VERSION.x" \ + --tag="gcr.io/${PROJECT_ID}/node-base.${BRANCH_NAME}:${NODE_MAJOR_VERSION}.x" \ . echo Push builder images docker buildx build --platform="${DOCKER_PLATFORMS}" --progress=plain --target=builder ${DOCKER_NODE_BUILD_ARGS} --push \ - --tag="gcr.io/${PROJECT_ID}/node-builder.${BRANCH_NAME}:$NODE_VERSION.x" \ - --tag="gcr.io/${PROJECT_ID}/node-builder.${BRANCH_NAME}:$NODE_MAJOR_VERSION.x" \ + --tag="gcr.io/${PROJECT_ID}/node-builder.${BRANCH_NAME}:${NODE_VERSION}-${COMMIT_SHA}" \ + --tag="gcr.io/${PROJECT_ID}/node-builder.${BRANCH_NAME}:${NODE_VERSION}" \ + --tag="gcr.io/${PROJECT_ID}/node-builder.${BRANCH_NAME}:${NODE_MAJOR_VERSION}.x" \ . echo Push fat-base images docker buildx build --platform="${DOCKER_PLATFORMS}" --progress=plain --target=fat-base ${DOCKER_NODE_BUILD_ARGS} --push \ + --tag="gcr.io/${PROJECT_ID}/node-fat-base.${BRANCH_NAME}:${NODE_VERSION}-${COMMIT_SHA}" \ --tag="gcr.io/${PROJECT_ID}/node-fat-base.${BRANCH_NAME}:${NODE_VERSION}" \ - --tag="gcr.io/${PROJECT_ID}/node-fat-base.${BRANCH_NAME}:$NODE_MAJOR_VERSION.x" \ + --tag="gcr.io/${PROJECT_ID}/node-fat-base.${BRANCH_NAME}:${NODE_MAJOR_VERSION}.x" \ . fi done diff --git a/cloudbuild.yaml b/cloudbuild.yaml index 7b5116e..d1fdee5 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml 
@@ -12,7 +12,7 @@ steps: - name: 'gcr.io/cloud-builders/docker' entrypoint: 'bash' args: ['-c', './build-all.sh'] - env: ['BRANCH_NAME=${BRANCH_NAME}','PROJECT_ID=${PROJECT_ID}', 'PUSH=y'] + env: ['COMMIT_SHA=${COMMIT_SHA}','BRANCH_NAME=${BRANCH_NAME}','PROJECT_ID=${PROJECT_ID}', 'PUSH=y'] secretEnv: ['NPM_TOKEN'] timeout: 7200s secrets: diff --git a/files/etc/apt/preferences.d/mysql b/files/etc/apt/preferences.d/mysql new file mode 100644 index 0000000..7c524db --- /dev/null +++ b/files/etc/apt/preferences.d/mysql @@ -0,0 +1,3 @@ +Package: mysql-server +Pin: release n=bionic +Pin-Priority: 1001 diff --git a/files/etc/apt/sources.list.d/bionic-ports.list b/files/etc/apt/sources.list.d/bionic-ports.list new file mode 100644 index 0000000..96d2d8d --- /dev/null +++ b/files/etc/apt/sources.list.d/bionic-ports.list @@ -0,0 +1,4 @@ +deb http://ports.ubuntu.com/ubuntu-ports bionic main +# deb-src http://ports.ubuntu.com/ubuntu-ports bionic main +deb http://ports.ubuntu.com/ubuntu-ports bionic-security main +# deb-src http://ports.ubuntu.com/ubuntu-ports bionic-security main \ No newline at end of file diff --git a/files/etc/apt/sources.list.d/bionic.list b/files/etc/apt/sources.list.d/bionic.list new file mode 100644 index 0000000..88f3107 --- /dev/null +++ b/files/etc/apt/sources.list.d/bionic.list @@ -0,0 +1,4 @@ +deb http://mirrors.kernel.org/ubuntu bionic main +# deb-src http://mirrors.kernel.org/ubuntu bionic main +deb http://mirrors.kernel.org/ubuntu bionic-security main +# deb-src http://mirrors.kernel.org/ubuntu bionic-security main \ No newline at end of file diff --git a/files/etc/apt/trusted.gpg.d/bionic.gpg b/files/etc/apt/trusted.gpg.d/bionic.gpg new file mode 100644 index 0000000..0886f4a Binary files /dev/null and b/files/etc/apt/trusted.gpg.d/bionic.gpg differ diff --git a/keys/updatekeys.sh b/keys/updatekeys.sh index 310df80..24eb2a4 100644 --- a/keys/updatekeys.sh +++ b/keys/updatekeys.sh 
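Review bot: Both `deb` lines in `files/etc/apt/sources.list.d/bionic-ports.list`, and the two in `files/etc/apt/sources.list.d/bionic.list`, fetch over plain `http://`, so package integrity rests entirely on apt signature verification against `files/etc/apt/trusted.gpg.d/bionic.gpg`. That keyring is binary and cannot be reviewed in this diff, and a key placed in `trusted.gpg.d` is accepted by apt for every configured source, not just the bionic ones. Scoping it is a small change per line, for example `deb [signed-by=/usr/share/keyrings/bionic.gpg] http://ports.ubuntu.com/ubuntu-ports bionic main`, with the keyring copied to that path instead (the path is a suggestion, not one the commit uses). A `#` comment in each list file recording the key fingerprint and where the key was obtained would let a later reviewer verify the binary.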
@@ -1,4 +1,4 @@ -#/bin/bash +#!/bin/bash # gpg keys listed at https://github.com/nodejs/node#release-team NODE_KEYS="4ED778F539E3634C779C87C6D7062848A1AB005C diff --git a/test/Dockerfile b/test/Dockerfile index 9c0091f..06a9a79 100644 --- a/test/Dockerfile +++ b/test/Dockerfile @@ -37,6 +37,9 @@ RUN npm install RUN npm test +# Install a binary dependency to see if gyp works +RUN npm install --loglevel verbose node-expat + FROM gcr.io/connectedcars-staging/node-base.$BRANCH_NAME:$NODE_VERSION WORKDIR /app
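Review bot: `RUN npm install --loglevel verbose node-expat` in test/Dockerfile resolves whatever version is latest on the registry at build time and runs its native build. The check can therefore start failing, or start executing different install-time code, without any change in this repository. Pinning the package keeps the gyp smoke test deterministic and reviewable: `RUN npm install --loglevel verbose node-expat@<pinned-version>`.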