update dockerfile and use openssl #6828

Merged: 4 commits, Jan 16, 2020

25 changes: 16 additions & 9 deletions Dockerfile
@@ -1,6 +1,12 @@
FROM golang:1.13.4-buster
FROM golang:1.13.6-buster
LABEL maintainer="Steven Allen <steven@stebalien.com>"

# Install deps
RUN apt-get update && apt-get install -y \
Member

Note: I think moving this to the first line means we'll have to explicitly run with --no-cache=true when we want to re-update those dependencies. The layer cache uses the string value of the RUN command to see if it already has a layer for that.

aside from the ADD and COPY commands, cache checking does not look at the files in the container to determine a cache match. For example, when processing a RUN apt-get -y update command the files updated in the container are not examined to determine if a cache hit exists. In that case just the command string itself is used to find a match.

https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#leverage-build-cache

Member Author

That's probably for the best, actually. When rebuilding, we usually just want to update ipfs itself.

libssl-dev \
ca-certificates \
fuse

ENV SRC_DIR /go-ipfs

# Download packages first so they can be cached.
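Review bot: The new `RUN apt-get update && apt-get install -y` step near the top of the build stage has no comment saying that its layer is reused on rebuilds, and it now installs libssl-dev while the final stage copies libssl.so* and libcrypto.so* out of this stage. Because the cache match is on the command string, a rebuild with a warm cache keeps whatever OpenSSL and ca-certificates packages were current when the layer was first built. Suggest extending the `# Install deps` comment to say that release builds should be run with --no-cache so distribution security updates reach the shipped image.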
Expand All @@ -14,12 +20,12 @@ COPY . $SRC_DIR
# Also: fix getting HEAD commit hash via git rev-parse.
RUN cd $SRC_DIR \
&& mkdir .git/objects \
&& make build
&& make build GOFLAGS=-tags=openssl

# Get su-exec, a very minimal tool for dropping privileges,
# and tini, a very minimal init daemon for containers
ENV SUEXEC_VERSION v0.2
ENV TINI_VERSION v0.16.1
ENV TINI_VERSION v0.18.0
RUN set -x \
&& cd /tmp \
&& git clone https://github.com/ncopa/su-exec.git \
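Review bot: `make build GOFLAGS=-tags=openssl` is undocumented; the comment above this RUN still only covers the .git/objects workaround. Add a comment stating that the openssl build tag is intentional and that it is the reason the target image needs the libssl and libcrypto copies, so a later edit does not drop one without the other.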
Expand All @@ -30,12 +36,6 @@ RUN set -x \
&& wget -q -O tini https://github.com/krallin/tini/releases/download/$TINI_VERSION/tini \
&& chmod +x tini

# Get the TLS CA certificates, they're not provided by busybox.
RUN apt-get update && apt-get install -y ca-certificates

# Install FUSE
RUN apt-get update && apt-get install -y fuse

# Now comes the actual target image, which aims to be as small as possible.
FROM busybox:1.31.0-glibc
LABEL maintainer="Steven Allen <stven@stebalien.com>"
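Review bot: The tini binary is fetched with `wget -q -O tini https://github.com/krallin/tini/releases/download/$TINI_VERSION/tini` and made executable without any integrity check, and since this change moves TINI_VERSION to v0.18.0 it is a good moment to pin it. Suggest recording the expected SHA-256 of the binary next to TINI_VERSION and verifying it with sha256sum -c before `chmod +x tini`. Separately, the maintainer label in this stage reads `stven@stebalien.com` while the build stage has `steven@stebalien.com`; one of the two is a typo.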
Expand All @@ -52,9 +52,16 @@ COPY --from=0 /etc/ssl/certs /etc/ssl/certs
# Add suid bit on fusermount so it will run properly
RUN chmod 4755 /usr/local/bin/fusermount

# Fix permissions on start_ipfs (ignore the build machine's permissions)
RUN chmod 0755 /usr/local/bin/start_ipfs

# This shared lib (part of glibc) doesn't seem to be included with busybox.
COPY --from=0 /lib/x86_64-linux-gnu/libdl.so.2 /lib/libdl.so.2

# Copy over SSL libraries.
COPY --from=0 /usr/lib/x86_64-linux-gnu/libssl.so* /usr/lib/
COPY --from=0 /usr/lib/x86_64-linux-gnu/libcrypto.so* /usr/lib/

# Swarm TCP; should be exposed to the public
EXPOSE 4001
# Daemon API; must not be exposed publicly but to client services under you control
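Review bot: The two new COPY lines use `/usr/lib/x86_64-linux-gnu/libssl.so*` and `libcrypto.so*`, which hardcodes the amd64 library path and copies every file the glob matches rather than the specific shared objects the binary loads. Suggest copying only the versioned libraries the ipfs binary actually links against and adding a build-stage check (for example running ldd on the built binary) so a missing or renamed library fails the build instead of the container start. The added `RUN chmod 0755 /usr/local/bin/start_ipfs` could also be folded into the preceding fusermount chmod to avoid an extra layer.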