Use BCI base image (#112)

* use bci as base image

* bci fix dependencies

* nginx image fix geoip dependency

* nginx image use catatonit

* install catatonit s390x rootfs

* fix linked libs (#113)

Signed-off-by: Brooks Newberry <[email protected]>

Dockerfile.dapper

@@ -1,4 +1,4 @@
-FROM rancher/hardened-build-base:v1.17.5b7
+FROM rancher/hardened-build-base:v1.19.4b1
 ARG STEP=ci
 ARG DAPPER_HOST_ARCH
 ARG DOCKER_USER
@@ -7,7 +7,7 @@ ENV HOST_ARCH=${DAPPER_HOST_ARCH} \
     ARCH=${DAPPER_HOST_ARCH} \
     DOCKER_USER=${DOCKER_USER} \
     DOCKER_PASS=${DOCKER_PASS}
-RUN apk add openssl docker wget
+RUN apk add openssl docker wget jq
 ENV GOPATH=/go PATH=/go/bin:/usr/local/go/bin:${PATH} SHELL=/bin/bash
 RUN mkdir -p /.docker/cli-plugins
 RUN  ln -sf /bin/bash /bin/sh # use bash for subsequent variable expansion

images/nginx/rootfs/Dockerfile.amd64

@@ -26,19 +26,12 @@ RUN dnf -y install conntrack-tools findutils which
 
 COPY etc /etc
 COPY patches /patches
-COPY build.sh /
+COPY --chmod=0755 build.sh /
 
 RUN /build.sh
 
-# Pull static components from alpine
-FROM alpine:3.13 as extras
-
-RUN apk update \
-  && apk upgrade \
-  && apk add -U --no-cache dumb-init
-
-# With UBI as base image
-FROM registry.access.redhat.com/ubi8/ubi-minimal
+# With BCI as base image
+FROM registry.suse.com/bci/bci-base:latest
 
 ENV PATH=$PATH:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin
 
@@ -48,23 +41,26 @@ ENV LUA_CPATH="/usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;;"
 COPY --from=builder /usr/local /usr/local
 COPY --from=builder /opt /opt
 COPY --from=builder /etc/nginx /etc/nginx
-COPY --from=extras /usr/bin/dumb-init /usr/bin/dumb-init
-
-RUN rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
-RUN microdnf -y update && rm -rf /var/cache/yum
-RUN microdnf -y install lmdb-libs || rpm -iv http://vault.centos.org/centos/8/BaseOS/x86_64/os/Packages/lmdb-libs-0.9.24-1.el8.x86_64.rpm
-RUN microdnf -y install \
-      util-linux \
-      findutils \
-      which \
-      yajl \
-      GeoIP \
-      libmaxminddb \
-      wget
 
-RUN microdnf -y install crypto-policies-scripts
-
-RUN rm -rf /var/cache/yum
+RUN rpm -iv http://vault.centos.org/centos/8/BaseOS/x86_64/os/Packages/lmdb-libs-0.9.24-1.el8.x86_64.rpm
+RUN ln -s /usr/lib64/liblua5.3.so.5.3.0 /usr/local/lib/liblua-5.3.so
+
+RUN zypper addrepo \
+    -p 105 http://download.opensuse.org/tumbleweed/repo/oss/ download.opensuse.org-oss && \
+    zypper --gpg-auto-import-keys refresh
+RUN zypper install -y \
+        libcap-progs \
+        libmaxminddb0 \
+        libGeoIP1 \
+        crypto-policies-scripts \
+        wget \
+        which \
+        git \
+        libyajl2 \
+        make \
+        tar \
+        gzip \
+        catatonit
 
 RUN ldDirs=" \
       /usr/local/lib \
@@ -77,7 +73,7 @@ RUN /sbin/ldconfig
 
 RUN ln -s /usr/local/nginx/sbin/nginx /sbin/nginx
 RUN groupadd -rg 101 www-data
-RUN adduser -u 101 -M -d /usr/local/nginx -s /sbin/nologin -G www-data -g www-data www-data
+RUN useradd -u 101 -M -d /usr/local/nginx -s /sbin/nologin -G www-data -g www-data www-data
 
 RUN writeDirs=" \
       /var/log/nginx \
@@ -93,8 +89,6 @@ RUN writeDirs=" \
     chown -R www-data.www-data ${dir}; \
   done
 
-RUN microdnf clean all
-
 EXPOSE 80 443
 
 CMD ["nginx", "-g", "daemon off;"]

images/nginx/rootfs/Dockerfile.s390x

@@ -22,7 +22,7 @@ RUN dnf -y install conntrack-tools findutils which microdnf libcap-progs
 
 COPY etc /etc
 COPY patches /patches
-COPY build.sh /
+COPY --chmod=0755 build.sh /
 
 RUN /build.sh
 
@@ -54,7 +54,8 @@ RUN dnf -y install \
       libmaxminddb0 \
       lmdb \
       wget \
-      libcap-progs
+      libcap-progs \
+      catatonit
 
 RUN dnf -y install 'dnf-command(config-manager)'
 RUN dnf config-manager --add-repo https://download.opensuse.org/repositories/security:tls/openSUSE_Leap_15.3/security:tls.repo

rootfs/Dockerfile

@@ -59,8 +59,8 @@ RUN  setcap    cap_net_bind_service=+ep /nginx-ingress-controller \
   && setcap -v cap_net_bind_service=+ep /nginx-ingress-controller \
   && setcap    cap_net_bind_service=+ep /usr/local/nginx/sbin/nginx \
   && setcap -v cap_net_bind_service=+ep /usr/local/nginx/sbin/nginx \
-  && setcap    cap_net_bind_service=+ep /usr/bin/dumb-init \
-  && setcap -v cap_net_bind_service=+ep /usr/bin/dumb-init \
+  && setcap    cap_net_bind_service=+ep /usr/bin/catatonit \
+  && setcap -v cap_net_bind_service=+ep /usr/bin/catatonit \
   && ln -sf /usr/local/nginx/sbin/nginx /usr/bin/nginx
 
 USER www-data
@@ -69,6 +69,6 @@ USER www-data
 RUN  ln -sf /dev/stdout /var/log/nginx/access.log \
   && ln -sf /dev/stderr /var/log/nginx/error.log
 
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+ENTRYPOINT ["/usr/bin/catatonit", "--"]
 
 CMD ["/nginx-ingress-controller"]

rootfs/Dockerfile-chroot

@@ -48,12 +48,7 @@ RUN if [ "$TARGETARCH" = "s390x" ] ; then dnf install -y \
      ca-certificates \
      diffutils \
      timezone \
-     util-linux ; else microdnf install bash \
-     curl \
-     openssl \
-     ca-certificates \
-     tzdata \
-     diffutils; fi
+     util-linux ; fi
 
 COPY --chown=www-data:www-data etc /chroot/etc
 
@@ -85,8 +80,8 @@ RUN setcap    cap_sys_chroot,cap_net_bind_service=+ep /nginx-ingress-controller
   && setcap -v cap_sys_chroot,cap_net_bind_service=+ep /usr/bin/unshare \
   && setcap    cap_net_bind_service=+ep /chroot/usr/local/nginx/sbin/nginx \
   && setcap -v cap_net_bind_service=+ep /chroot/usr/local/nginx/sbin/nginx \
-  && setcap    cap_sys_chroot,cap_net_bind_service=+ep /usr/bin/dumb-init \
-  && setcap -v cap_sys_chroot,cap_net_bind_service=+ep /usr/bin/dumb-init 
+  && setcap    cap_sys_chroot,cap_net_bind_service=+ep /usr/bin/catatonit \
+  && setcap -v cap_sys_chroot,cap_net_bind_service=+ep /usr/bin/catatonit 
 
 RUN  ln -sf /chroot/etc/nginx /etc/nginx \
   && ln -sf /chroot/tmp/nginx /tmp/nginx \
@@ -112,7 +107,7 @@ USER www-data
 
 EXPOSE 80 443
 
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+ENTRYPOINT ["/usr/bin/catatonit", "--"]
 
 CMD ["/nginx-ingress-controller"]