Skip to content

Commit

Permalink
Merge pull request #87 from voxpupuli/streamline_dockerfile
Browse files Browse the repository at this point in the history
feat: streamline Dockerfile
  • Loading branch information
rwaffen authored Oct 25, 2024
2 parents 43f01c4 + 3c527d0 commit c77b0e3
Showing 1 changed file with 49 additions and 86 deletions.
135 changes: 49 additions & 86 deletions puppetdb/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,18 +1,35 @@
# Determines source "edge" or binary "release" builds
ARG build_type=release
ARG UBUNTU_CODENAME=jammy
# NOTE: never pass as a build-arg / must match .dockerenv -- used in logback.xml
ARG LOGDIR=/opt/puppetlabs/server/data/puppetdb/logs
FROM ubuntu:22.04

######################################################
# base
######################################################
ARG vcs_ref
ARG build_date
ARG build_type

FROM ubuntu:22.04 as base
LABEL org.label-schema.maintainer="Voxpupuli Release Team <[email protected]>" \
org.label-schema.vendor="Vox Pupuli" \
org.label-schema.url="https://github.com/voxpupuli/container-puppetdb" \
org.label-schema.license="Apache-2.0" \
org.label-schema.vcs-url="https://github.com/voxpupuli/container-puppetdb" \
org.label-schema.schema-version="1.0" \
org.label-schema.dockerfile="/Dockerfile" \
org.label-schema.name="PuppetDB ($build_type)" \
org.label-schema.vcs-ref="$vcs_ref" \
org.label-schema.build-date="$build_date"

ARG DUMB_INIT_VERSION="1.2.5"
ARG LOGDIR
ARG TARGETARCH
ARG UBUNTU_CODENAME=jammy

ARG LOGDIR
ENV LOGDIR=${LOGDIR:-/opt/puppetlabs/server/data/puppetdb/logs}

ARG PUPPET_RELEASE
ENV PUPPET_RELEASE=${PUPPET_RELEASE:-8}

ARG PUPPETDB_VERSION
ENV PUPPETDB_VERSION=${PUPPETDB_VERSION:-8.8.0}

ARG SSLDIR
ENV SSLDIR=${SSLDIR:-/opt/puppetlabs/server/data/puppetdb/certs}

ENV PUPPETDB_POSTGRES_HOSTNAME="postgres" \

Check warning on line 34 in puppetdb/Dockerfile

View workflow job for this annotation

GitHub Actions / build-and-push-container (7, 7.20.0)

Sensitive data should not be used in the ARG or ENV commands

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "PUPPETDB_PASSWORD") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/

Check warning on line 34 in puppetdb/Dockerfile

View workflow job for this annotation

GitHub Actions / build-and-push-container (8, 8.8.0)

Sensitive data should not be used in the ARG or ENV commands

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "PUPPETDB_PASSWORD") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
PUPPETDB_POSTGRES_PORT="5432" \
Expand All @@ -28,99 +45,38 @@ ENV PUPPETDB_POSTGRES_HOSTNAME="postgres" \
# used by entrypoint to determine if puppetserver should be contacted for config
# set to false when container tests are run
USE_PUPPETSERVER=true \
# this value may be set by users, keeping in mind that some of these values are mandatory
# -Djavax.net.debug=ssl may be particularly useful to set for debugging SSL
PUPPETDB_JAVA_ARGS="-Djava.net.preferIPv4Stack=true -Xms256m -Xmx256m -XX:+UseParallelGC -Xlog:gc*:file=$LOGDIR/puppetdb_gc.log -Djdk.tls.ephemeralDHKeySize=2048"
# this value may be set by users, keeping in mind that some of these values are mandatory
# -Djavax.net.debug=ssl may be particularly useful to set for debugging SSL
PUPPETDB_JAVA_ARGS="-Djava.net.preferIPv4Stack=true -Xms256m -Xmx256m -XX:+UseParallelGC -Xlog:gc*:file=$LOGDIR/puppetdb_gc.log -Djdk.tls.ephemeralDHKeySize=2048" \
PUPPET_DEB=puppet${PUPPET_RELEASE}-release-${UBUNTU_CODENAME}.deb \
DEBIAN_FRONTEND=noninteractive

# puppetdb data and generated certs
VOLUME /opt/puppetlabs/server/data/puppetdb

LABEL org.label-schema.maintainer="Voxpupuli Release Team <[email protected]>" \
org.label-schema.vendor="Vox Pupuli" \
org.label-schema.url="https://github.com/voxpupuli/container-puppetdb" \
org.label-schema.license="Apache-2.0" \
org.label-schema.vcs-url="https://github.com/voxpupuli/container-puppetdb" \
org.label-schema.schema-version="1.0" \
org.label-schema.dockerfile="/Dockerfile"

# NOTE: this is just documentation on defaults
EXPOSE 8080 8081

ENTRYPOINT ["dumb-init", "/docker-entrypoint.sh"]
CMD ["foreground"]

# The start-period is just a wild guess how long it takes PuppetDB to come
# up in the worst case. The other timing parameters are set so that it
# takes at most a minute to realize that PuppetDB has failed.
# Probe failure during --start-period will not be counted towards the maximum number of retries
# NOTE: k8s uses livenessProbe, startupProbe, readinessProbe and ignores HEALTHCHECK
HEALTHCHECK --start-period=5m --interval=10s --timeout=10s --retries=6 CMD ["/healthcheck.sh"]
ADD https://apt.puppet.com/${PUPPET_DEB} /${PUPPET_DEB}

# hadolint ignore=DL3020
ADD ssl.sh \
wtfc.sh \
https://github.com/Yelp/dumb-init/releases/download/v"$DUMB_INIT_VERSION"/dumb-init_"$DUMB_INIT_VERSION"_"$TARGETARCH".deb \
docker-entrypoint.sh \
healthcheck.sh \
/

COPY docker-entrypoint.d /docker-entrypoint.d

# hadolint ignore=DL3009
ENV DEBIAN_FRONTEND noninteractive
RUN apt update && \
apt install --no-install-recommends -y ca-certificates curl dnsutils netcat && \
chmod +x /ssl.sh /wtfc.sh /docker-entrypoint.sh /healthcheck.sh /docker-entrypoint.d/*.sh && \
dpkg -i dumb-init_"$DUMB_INIT_VERSION"_"$TARGETARCH".deb && \
rm dumb-init_"$DUMB_INIT_VERSION"_"$TARGETARCH".deb

######################################################
# release (build from packages)
######################################################

FROM base as release

ARG PUPPET_RELEASE
ENV PUPPET_RELEASE=${PUPPET_RELEASE:-7}

ARG PUPPETDB_VERSION
ENV PUPPETDB_VERSION=${PUPPETDB_VERSION:-7.14.0}

ARG UBUNTU_CODENAME

######################################################
# final image
######################################################

# dynamically selects "edge" or "release" alias based on ARG
# hadolint ignore=DL3006
FROM ${build_type} as final

ARG UBUNTU_CODENAME
ARG vcs_ref
ARG build_date
ARG build_type

ARG LOGDIR
ENV LOGDIR=${LOGDIR:-/opt/puppetlabs/server/data/puppetdb/logs}

ARG SSLDIR
ENV SSLDIR=${SSLDIR:-/opt/puppetlabs/server/data/puppetdb/certs}

ENV PUPPET_DEB=puppet${PUPPET_RELEASE}-release-${UBUNTU_CODENAME}.deb
ADD https://apt.puppet.com/${PUPPET_DEB} /${PUPPET_DEB}

RUN dpkg -i /${PUPPET_DEB} && \
rm /${PUPPET_DEB} && \
apt update && \
apt install --no-install-recommends -y ca-certificates curl dnsutils netcat-traditional dumb-init && \
chmod +x /ssl.sh /wtfc.sh /docker-entrypoint.sh /healthcheck.sh /docker-entrypoint.d/*.sh && \
apt install --no-install-recommends -y puppetdb=${PUPPETDB_VERSION}-1${UBUNTU_CODENAME} && \
apt install --no-install-recommends -y openjdk-17-jre-headless && \
apt autoremove && \
rm -rf /var/lib/apt/lists/* && \
mkdir -p "$LOGDIR" && \
chown puppetdb:puppetdb "$LOGDIR" && \
# We want to use the HOCON database.conf and config.conf files, so get rid
# of the packaged files
# We want to use the HOCON database.conf and config.conf files, so get rid
# of the packaged files
rm -f /etc/puppetlabs/puppetdb/conf.d/database.ini && \
rm -f /etc/puppetlabs/puppetdb/conf.d/config.ini

Expand All @@ -129,10 +85,17 @@ COPY logback.xml \
/etc/puppetlabs/puppetdb/
COPY conf.d /etc/puppetlabs/puppetdb/conf.d/
COPY puppetdb /etc/default/puppetdb
COPY Dockerfile /

LABEL org.label-schema.name="PuppetDB ($build_type)" \
org.label-schema.vcs-ref="$vcs_ref" \
org.label-schema.version="$PUPPETDB_VERSION" \
org.label-schema.build-date="$build_date"
# The start-period is just a wild guess how long it takes PuppetDB to come
# up in the worst case. The other timing parameters are set so that it
# takes at most a minute to realize that PuppetDB has failed.
# Probe failure during --start-period will not be counted towards the maximum number of retries
# NOTE: k8s uses livenessProbe, startupProbe, readinessProbe and ignores HEALTHCHECK
HEALTHCHECK --start-period=5m --interval=10s --timeout=10s --retries=6 CMD ["/healthcheck.sh"]

COPY Dockerfile /
# NOTE: this is just documentation on defaults
EXPOSE 8080 8081

ENTRYPOINT ["dumb-init", "/docker-entrypoint.sh"]
CMD ["foreground"]

0 comments on commit c77b0e3

Please sign in to comment.