Add rootless (alpine) images #4617

Merged: 24 commits, Jan 8, 2025
Changes from 22 commits
2 changes: 2 additions & 0 deletions .cspell.json
@@ -10,6 +10,8 @@
],
"words": [
"abool",
"addgroup",
"adduser",
"anbraten",
"antfu",
"apimachinery",
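Review bot: `addgroup` is added to the dictionary but nothing in this diff calls it; every Dockerfile creates the user with a single `adduser -u 1000 -g 1000 woodpecker`. Either drop the word or, preferably, use the command in the Alpine images: with BusyBox `adduser`, `-g` is the GECOS comment field and `-G` selects the group, so `addgroup -g 1000 woodpecker && adduser -u 1000 -G woodpecker -D woodpecker` is the form that actually pins both the UID and the GID to 1000.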
34 changes: 17 additions & 17 deletions .woodpecker/docker.yaml
@@ -125,7 +125,7 @@ steps:
image: *buildx_plugin
settings:
repo: woodpeckerci/woodpecker-server
dockerfile: docker/Dockerfile.server.alpine.multiarch
dockerfile: docker/Dockerfile.server.alpine.multiarch.rootless
platforms: *platforms_preview
tag: pull_${CI_COMMIT_PULL_REQUEST}-alpine
logins: *publish_logins
@@ -142,7 +142,7 @@ steps:
settings:
dry_run: true
repo: woodpeckerci/woodpecker-server
dockerfile: docker/Dockerfile.server.multiarch
dockerfile: docker/Dockerfile.server.multiarch.rootless
platforms: *platforms_preview
tag: pull_${CI_COMMIT_PULL_REQUEST}
when: &when-dryrun
@@ -156,7 +156,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_server
dockerfile: docker/Dockerfile.server.multiarch
dockerfile: docker/Dockerfile.server.multiarch.rootless
platforms: *platforms_server
tag: [next, 'next-${CI_COMMIT_SHA:0:10}']
logins: *publish_logins
@@ -171,7 +171,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_server
dockerfile: docker/Dockerfile.server.alpine.multiarch
dockerfile: docker/Dockerfile.server.alpine.multiarch.rootless
platforms: *platforms_alpine
tag: [next-alpine, 'next-${CI_COMMIT_SHA:0:10}-alpine']
logins: *publish_logins
@@ -183,7 +183,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_server
dockerfile: docker/Dockerfile.server.multiarch
dockerfile: docker/Dockerfile.server.multiarch.rootless
platforms: *platforms_server
tag: ['${CI_COMMIT_TAG%%.*}', '${CI_COMMIT_TAG%.*}-alpine', '${CI_COMMIT_TAG}']
logins: *publish_logins
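Review bot: the release tag list on this step, `tag: ['${CI_COMMIT_TAG%%.*}', '${CI_COMMIT_TAG%.*}-alpine', '${CI_COMMIT_TAG}']`, gives the `vX.Y` tag of the scratch server image an `-alpine` suffix, while the agent and CLI release steps use the plain `'${CI_COMMIT_TAG%.*}'`. The alpine release step that follows pushes the same `${CI_COMMIT_TAG%.*}-alpine` tag, so the two steps overwrite each other and no plain `vX.Y` tag is published for the scratch server image at all, even though the new image-variants page lists `vX.Y` as a supported tag. The line is unchanged context, but this PR touches every step of this file and the fix is one word: `'${CI_COMMIT_TAG%.*}'`.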
@@ -196,7 +196,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_server
dockerfile: docker/Dockerfile.server.alpine.multiarch
dockerfile: docker/Dockerfile.server.alpine.multiarch.rootless
platforms: *platforms_alpine
tag: ['${CI_COMMIT_TAG%%.*}-alpine', '${CI_COMMIT_TAG%.*}-alpine', '${CI_COMMIT_TAG}-alpine']
logins: *publish_logins
@@ -212,7 +212,7 @@ steps:
image: *buildx_plugin
settings:
repo: woodpeckerci/woodpecker-agent
dockerfile: docker/Dockerfile.agent.alpine.multiarch
dockerfile: docker/Dockerfile.agent.alpine.multiarch.rootless
platforms: *platforms_preview
tag: pull_${CI_COMMIT_PULL_REQUEST}-alpine
build_args: *build_args
@@ -226,7 +226,7 @@ steps:
settings:
dry_run: true
repo: woodpeckerci/woodpecker-agent
dockerfile: docker/Dockerfile.agent.multiarch
dockerfile: docker/Dockerfile.agent.multiarch.rootless
platforms: *platforms_preview
tag: pull_${CI_COMMIT_PULL_REQUEST}
build_args: *build_args
@@ -241,7 +241,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_agent
dockerfile: docker/Dockerfile.agent.multiarch
dockerfile: docker/Dockerfile.agent.multiarch.rootless
platforms: *platforms_release
tag: [next, 'next-${CI_COMMIT_SHA:0:10}']
logins: *publish_logins
@@ -260,7 +260,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_agent
dockerfile: docker/Dockerfile.agent.alpine.multiarch
dockerfile: docker/Dockerfile.agent.alpine.multiarch.rootless
platforms: *platforms_alpine
tag: [next-alpine, 'next-${CI_COMMIT_SHA:0:10}-alpine']
logins: *publish_logins
@@ -276,7 +276,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_agent
dockerfile: docker/Dockerfile.agent.multiarch
dockerfile: docker/Dockerfile.agent.multiarch.rootless
platforms: *platforms_release
tag: ['${CI_COMMIT_TAG%%.*}', '${CI_COMMIT_TAG%.*}', '${CI_COMMIT_TAG}']
logins: *publish_logins
@@ -292,7 +292,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_agent
dockerfile: docker/Dockerfile.agent.alpine.multiarch
dockerfile: docker/Dockerfile.agent.alpine.multiarch.rootless
platforms: *platforms_alpine
tag: ['${CI_COMMIT_TAG%%.*}-alpine', '${CI_COMMIT_TAG%.*}-alpine', '${CI_COMMIT_TAG}-alpine']
logins: *publish_logins
@@ -310,7 +310,7 @@ steps:
settings:
dry_run: true
repo: woodpeckerci/woodpecker-cli
dockerfile: docker/Dockerfile.cli.multiarch
dockerfile: docker/Dockerfile.cli.multiarch.rootless
platforms: *platforms_preview
tag: pull_${CI_COMMIT_PULL_REQUEST}
build_args: *build_args
@@ -325,7 +325,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_cli
dockerfile: docker/Dockerfile.cli.multiarch
dockerfile: docker/Dockerfile.cli.multiarch.rootless
platforms: *platforms_release
tag: [next, 'next-${CI_COMMIT_SHA:0:10}']
logins: *publish_logins
@@ -341,7 +341,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_cli
dockerfile: docker/Dockerfile.cli.alpine.multiarch
dockerfile: docker/Dockerfile.cli.alpine.multiarch.rootless
platforms: *platforms_alpine
tag: [next-alpine, 'next-${CI_COMMIT_SHA:0:10}-alpine']
logins: *publish_logins
@@ -357,7 +357,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_cli
dockerfile: docker/Dockerfile.cli.multiarch
dockerfile: docker/Dockerfile.cli.multiarch.rootless
platforms: *platforms_release
tag: ['${CI_COMMIT_TAG%%.*}', '${CI_COMMIT_TAG%.*}', '${CI_COMMIT_TAG}']
logins: *publish_logins
@@ -373,7 +373,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_cli
dockerfile: docker/Dockerfile.cli.alpine.multiarch
dockerfile: docker/Dockerfile.cli.alpine.multiarch.rootless
platforms: *platforms_alpine
tag: ['${CI_COMMIT_TAG%%.*}-alpine', '${CI_COMMIT_TAG%.*}-alpine', '${CI_COMMIT_TAG}-alpine']
logins: *publish_logins
@@ -15,7 +15,12 @@ ENV WOODPECKER_IN_CONTAINER=true
EXPOSE 3000

COPY --from=build /src/dist/woodpecker-agent /bin/
RUN mkdir -p /etc/woodpecker

RUN adduser -u 1000 -g 1000 woodpecker && \
mkdir -p /etc/woodpecker && \
chown -R woodpecker:woodpecker /etc/woodpecker

USER woodpecker

HEALTHCHECK CMD ["/bin/woodpecker-agent", "ping"]
ENTRYPOINT ["/bin/woodpecker-agent"]
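Review bot: `RUN adduser -u 1000 -g 1000 woodpecker && \` does not set the GID if this is the Alpine image with BusyBox `adduser`: there `-g` is the GECOS comment field and `-G` selects the group, so `1000` lands in the comment column of /etc/passwd and the primary group is whatever GID `adduser` picks when it auto-creates the `woodpecker` group. On a fresh base image that is normally 1000, which is why the build still passes, but the intent should be explicit and not depend on which accounts the base image already has: `addgroup -g 1000 woodpecker && adduser -u 1000 -G woodpecker -D woodpecker` (`-D` also skips the interactive password step). Check the result in the built image with `id woodpecker`; the migration note tells operators to chown their volumes to this user, which only works if the Alpine and scratch variants agree on the numeric UID/GID.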
@@ -1,12 +1,15 @@
FROM --platform=$BUILDPLATFORM docker.io/golang:1.23 AS build

RUN adduser -u 1000 -g 1000 woodpecker && \
mkdir -p /etc/woodpecker && \
chown -R woodpecker:woodpecker /etc/woodpecker

WORKDIR /src
COPY . .
ARG TARGETOS TARGETARCH CI_COMMIT_SHA CI_COMMIT_TAG CI_COMMIT_BRANCH
RUN --mount=type=cache,target=/root/.cache/go-build \
--mount=type=cache,target=/go/pkg \
make build-agent
RUN mkdir -p /etc/woodpecker

FROM scratch
ENV GODEBUG=netdns=go
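Review bot: the `mkdir -p /etc/woodpecker && chown -R woodpecker:woodpecker /etc/woodpecker` in this build stage never reaches the final image. The scratch stage copies it with `COPY --from=build /etc/woodpecker /etc`, and Docker copies a directory's contents rather than the directory itself, so an empty /etc/woodpecker produces nothing in the image and its ownership is irrelevant. If the agent needs a writable /etc/woodpecker at runtime, copy it as `COPY --from=build --chown=1000:1000 /etc/woodpecker /etc/woodpecker`, the way the server Dockerfile copies /var/lib/woodpecker, and drop the chown here. Note also that this `adduser` runs inside the Debian-based golang:1.23 image, so it is Debian's adduser, not the BusyBox one used in the Alpine variant; it creates /home/woodpecker and a login-shell entry that exist in this stage only, and the only thing the scratch stage consumes from it is the resulting line in /etc/passwd and /etc/group.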
@@ -19,6 +22,10 @@ COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certifica
# copy agent binary
COPY --from=build /src/dist/woodpecker-agent /bin/
COPY --from=build /etc/woodpecker /etc
COPY --from=build /etc/passwd /etc/passwd
COPY --from=build /etc/group /etc/group

USER woodpecker

HEALTHCHECK CMD ["/bin/woodpecker-agent", "ping"]
ENTRYPOINT ["/bin/woodpecker-agent"]
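Review bot: `COPY --from=build /etc/passwd /etc/passwd` and the matching `/etc/group` line copy the complete account database of the Debian build image into a scratch image whose only process is the agent: root with a login shell, every Debian system account, and a `woodpecker` entry whose home (/home/woodpecker) and shell do not exist in the image. Extract only the entry that is needed while still in the build stage, for example `grep '^woodpecker:' /etc/passwd > /tmp/passwd` and the same for /etc/group, and copy those two files instead; the runtime image then carries exactly one account. Independently of that, consider `USER 1000:1000` instead of `USER woodpecker`: a numeric user does not depend on /etc/passwd being present and correct, and Kubernetes can then enforce `runAsNonRoot: true` without an explicit `runAsUser`, whereas a named user in the image config is rejected with "cannot verify user is non-root". Keep the passwd/group files only if the agent itself looks its user name up at runtime.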
@@ -17,5 +17,9 @@ ENV WOODPECKER_DISABLE_UPDATE_CHECK=true

COPY --from=build /src/dist/woodpecker-cli /bin/

RUN adduser -u 1000 -g 1000 woodpecker

USER woodpecker

HEALTHCHECK CMD ["/bin/woodpecker-cli", "ping"]
ENTRYPOINT ["/bin/woodpecker-cli"]
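Review bot: same BusyBox `adduser` caveat as in the other Alpine images: in `RUN adduser -u 1000 -g 1000 woodpecker`, `-g 1000` sets the GECOS comment, not the GID; use `addgroup -g 1000 woodpecker && adduser -u 1000 -G woodpecker -D woodpecker` to fix both IDs. Unlike the agent and server images, no writable data directory is created here, so anything the CLI writes has to go under the home directory that `adduser` creates (/home/woodpecker); if users are expected to mount a config file into the container, the ownership caveat from the migration note applies to that path as well.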
@@ -1,5 +1,7 @@
FROM --platform=$BUILDPLATFORM docker.io/golang:1.23 AS build

RUN adduser -u 1000 -g 1000 woodpecker

WORKDIR /src
COPY . .
ARG TARGETOS TARGETARCH CI_COMMIT_SHA CI_COMMIT_TAG CI_COMMIT_BRANCH
@@ -17,6 +19,10 @@ ENV WOODPECKER_DISABLE_UPDATE_CHECK=true
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
# copy cli binary
COPY --from=build /src/dist/woodpecker-cli /bin/
COPY --from=build /etc/passwd /etc/passwd
COPY --from=build /etc/group /etc/group

USER woodpecker

HEALTHCHECK CMD ["/bin/woodpecker-cli", "ping"]
ENTRYPOINT ["/bin/woodpecker-cli"]
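Review bot: the `woodpecker` entry copied in via `COPY --from=build /etc/passwd /etc/passwd` points at /home/woodpecker, which Debian's adduser created in the build stage but which is never copied into the scratch image; with `USER woodpecker` the CLI therefore starts with a $HOME that does not exist and that an unprivileged user cannot create under a root-owned `/`. Either copy it (`COPY --from=build --chown=1000:1000 /home/woodpecker /home/woodpecker`) or set `ENV HOME` to a directory that is created and chowned in the build stage and copied in the same way; scratch has no /tmp either. As for the agent image, copy only the `woodpecker` lines of /etc/passwd and /etc/group rather than the Debian image's full account list.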
@@ -11,5 +11,11 @@ EXPOSE 8000 9000 80 443

COPY dist/server/${TARGETOS}_${TARGETARCH}/woodpecker-server /bin/

RUN adduser -u 1000 -g 1000 woodpecker && \
mkdir -p /var/lib/woodpecker && \
chown -R woodpecker:woodpecker /var/lib/woodpecker

USER woodpecker

HEALTHCHECK CMD ["/bin/woodpecker-server", "ping"]
ENTRYPOINT ["/bin/woodpecker-server"]
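Review bot: `EXPOSE 8000 9000 80 443` is kept, but after `USER woodpecker` the server can no longer bind 80 and 443 on its own. Ports below 1024 need CAP_NET_BIND_SERVICE on the process or a runtime that sets `net.ipv4.ip_unprivileged_port_start=0` in the container's network namespace; Docker does the latter by default, Kubernetes and most other runtimes do not. Anyone who had the server terminate TLS directly on 443 will see a bind error after upgrading, so this belongs in the migration note next to the volume-ownership point, with the remedies spelled out: the sysctl where the runtime allows it, a file capability on the binary (`setcap cap_net_bind_service=+ep /bin/woodpecker-server` in this Alpine stage), or listening on 8000/9000 behind a proxy. Separately, `-g 1000` in the `adduser` line is BusyBox's GECOS option, not the GID; use `addgroup -g 1000 woodpecker && adduser -u 1000 -G woodpecker -D woodpecker` here as well.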
@@ -1,4 +1,8 @@
FROM --platform=$BUILDPLATFORM docker.io/golang:1.23 AS certs
FROM --platform=$BUILDPLATFORM docker.io/golang:1.23 AS build

RUN adduser -u 1000 -g 1000 woodpecker && \
mkdir -p /var/lib/woodpecker && \
chown -R woodpecker:woodpecker /var/lib/woodpecker

FROM scratch
ARG TARGETOS TARGETARCH
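Review bot: the stage renamed from `certs` to `build` still does not build anything; the binary is copied from `dist/server/${TARGETOS}_${TARGETARCH}` on the host a few lines further down, so the golang:1.23 image is pulled only for its CA bundle and this `adduser`. A name that says what it is (`base` or `rootfs`) would stop the next reader from looking for a `make` call, and a much smaller Debian image would do the same job. The `chown -R woodpecker:woodpecker /var/lib/woodpecker` here is fine as a fallback, but the copy into the scratch stage should carry an explicit `--chown=1000:1000` so the ownership does not depend on the copy preserving it.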
@@ -10,9 +14,14 @@ ENV XDG_DATA_HOME=/var/lib/woodpecker
EXPOSE 8000 9000 80 443

# copy certs from certs image
COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
# copy server binary
COPY dist/server/${TARGETOS}_${TARGETARCH}/woodpecker-server /bin/
COPY --from=build /etc/passwd /etc/passwd
COPY --from=build /etc/group /etc/group
COPY --from=build /var/lib/woodpecker /var/lib/woodpecker

USER woodpecker

HEALTHCHECK CMD ["/bin/woodpecker-server", "ping"]
ENTRYPOINT ["/bin/woodpecker-server"]
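Review bot: `COPY --from=build /var/lib/woodpecker /var/lib/woodpecker` should be `COPY --from=build --chown=1000:1000 /var/lib/woodpecker /var/lib/woodpecker`: this is the directory `XDG_DATA_HOME` points at (context line above), so it is the first thing that breaks if the `woodpecker` user cannot write to it, and its ownership should be stated in the stage that produces the final image rather than inherited from the build stage. For the same reason the migration note should give the numeric IDs (1000:1000), since the `woodpecker` user does not exist on the host that owns the volume. As with the agent image, prefer `USER 1000:1000` and copy only the `woodpecker` lines of /etc/passwd and /etc/group rather than the Debian image's full account list.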
30 changes: 30 additions & 0 deletions docs/docs/30-administration/04-image-variants.md
@@ -0,0 +1,30 @@
# Image variants

:::info
The `latest` tag has been deprecated as of v3.0 and will be completely removed in the future.
This was done to prevent accidental major version upgrades.
:::

- `vX.Y.Z`: SemVer tags for specific releases, no entrypoint shell (scratch image)
- `vX.Y`
- `vX`
- `vX.Y.Z-alpine`: SemVer tags for specific releases, based on Alpine, rootless (as of v3.0).
- `vX.Y-alpine`
- `vX-alpine`
- `next`: Built from the `main` branch
- `pull_<PR_ID>`: Images built from Pull Request branches.

## Image registries

Images are pushed to DockerHub and Quay.

[woodpecker-server (DockerHub)](https://hub.docker.com/repository/docker/woodpeckerci/woodpecker-server)
[woodpecker-server (Quay)](https://quay.io/repository/woodpeckerci/woodpecker-server)

[woodpecker-agent (DockerHub)](https://hub.docker.com/repository/docker/woodpeckerci/woodpecker-agent)
[woodpecker-agent (Quay)](https://quay.io/repository/woodpeckerci/woodpecker-agent)

[woodpecker-cli (DockerHub)](https://hub.docker.com/repository/docker/woodpeckerci/woodpecker-cli)
[woodpecker-cli (Quay)](https://quay.io/repository/woodpeckerci/woodpecker-cli)

[woodpecker-autoscaler (DockerHub)](https://hub.docker.com/repository/docker/woodpeckerci/autoscaler)
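Review bot: the list marks only the Alpine tags as "rootless (as of v3.0)", but this PR also adds `USER woodpecker` to the scratch Dockerfiles of the server, agent and CLI, and the migrations page in the same PR says all images now run as the `woodpecker` user. Say so on the `vX.Y.Z` entry as well (for example "built from scratch, no shell, runs as the unprivileged `woodpecker` user"), otherwise an operator who reads only this page will assume the scratch images still run as root. Two smaller points: "no entrypoint shell" reads better as "no shell in the image (scratch)", and the `vX.Y` tag listed here is currently not published for the scratch server image, because the release step in `.woodpecker/docker.yaml` tags that form with an `-alpine` suffix.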
6 changes: 3 additions & 3 deletions docs/docs/92-development/07-guides.md
@@ -40,7 +40,7 @@ export PLATFORMS='linux|amd64'
make cross-compile-server

### build the image
docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.server.multiarch --push .
docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.server.multiarch.rootless --push .
```

:::info
@@ -55,7 +55,7 @@ You can try to use the `build-server` rule instead, however this one fails for s
make build-agent

### build the image
docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.agent.multiarch --push .
docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.agent.multiarch.rootless --push .
```

### CLI
@@ -65,5 +65,5 @@ docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Docker
make build-cli

### build the image
docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.cli.multiarch --push .
docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.cli.multiarch.rootless --push .
```
5 changes: 5 additions & 0 deletions docs/src/pages/migrations.md
@@ -172,6 +172,11 @@ The following restructuring was done to achieve a more consistent grouping:

- Webhook signatures now use the `rfc9421` protocol

#### Rootless images

All Woodpecker images now use a non-privileged user (`woodpecker`) by default.
If you have volume mounts attached to containers, you might need to update the ownership of these directories from `root` to `woodpecker`.

## User migrations

- `gated` has been replaced by `require-approval`
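Review bot: the note should give operators the numbers, not just the name: the Dockerfiles create `woodpecker` as uid 1000 / gid 1000, and the host that owns the volume usually has no such user, so the command to run is `chown -R 1000:1000 <volume path>` (or `fsGroup: 1000` in a Kubernetes pod securityContext). It should also list the other things that stop working without root, none of which are covered by "volume mounts": if the agent is run with a bind-mounted socket (a Docker socket, for example), that socket is owned by a host group the container user is not a member of; and the server's 80/443 listeners cannot be bound by an unprivileged process unless the runtime lowers `net.ipv4.ip_unprivileged_port_start` or the binary carries CAP_NET_BIND_SERVICE. Finally, state that running as root is still possible with `--user 0` (Docker) or `runAsUser: 0` (Kubernetes) for anyone who needs time to migrate.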