PR#1264: docker: changes for copr-frontend Dockerfile to be able to run in OpenShift - copr/copr

copr / copr

#1264 docker: changes for copr-frontend Dockerfile to be able to run in OpenShift

Merged 4 years ago by praiskup. Opened 4 years ago by frostyx.

copr/ frostyx/copr dockerfiles-without-tito into master

docker: update run.sh to only create database

Jakub Kadlcik • 4 years ago

5c20cee

docker: expose 5000 because that's where copr-frontend is listening

Jakub Kadlcik • 4 years ago

e756ab1

docker: run httpd server as copr-fe user

Jakub Kadlcik • 4 years ago

c079c9f

docker: install packages from repo, not via tito

Jakub Kadlcik • 4 years ago

284872c

docker-compose.yaml

file modified

+14 -28

		`@@ -5,8 +5,7 @@`

		`backend:`
		`build:`
		`- context: .`
		`- dockerfile: docker/backend/Dockerfile`
		`+ context: docker/backend`
		`hostname: backend`
		`command: /usr/sbin/runuser -u copr -g copr -- /usr/bin/copr_be.py`
		`depends_on:`
		`@@ -21,8 +20,7 @@`

		`backend-log:`
		`build:`
		`- context: .`
		`- dockerfile: docker/backend/Dockerfile`
		`+ context: docker/backend`
		`hostname: backend-log`
		`command: /usr/sbin/runuser -u copr -g copr -- /usr/bin/copr_run_logger.py`
		`depends_on:`
		`@@ -36,8 +34,7 @@`

		`backend-vmm:`
		`build:`
		`- context: .`
		`- dockerfile: docker/backend/Dockerfile`
		`+ context: docker/backend`
		`hostname: backend-vmm`
		`command: /usr/sbin/runuser -u copr -g copr -- /usr/bin/copr_run_vmm.py`
		`depends_on:`
		`@@ -51,8 +48,7 @@`

		`backend-build:`
		`build:`
		`- context: .`
		`- dockerfile: docker/backend/Dockerfile`
		`+ context: docker/backend`
		`hostname: backend-build`
		`command: /usr/sbin/runuser -u copr -g copr -G obsrun -- /usr/bin/copr_run_build_dispatcher.py`
		`depends_on:`
		`@@ -67,8 +63,7 @@`

		`backend-action:`
		`build:`
		`- context: .`
		`- dockerfile: docker/backend/Dockerfile`
		`+ context: docker/backend`
		`hostname: backend-action`
		`command: /usr/sbin/runuser -u copr -g copr -- /usr/bin/copr_run_action_dispatcher.py`
		`depends_on:`
		`@@ -83,8 +78,7 @@`

		`backend-signd:`
		`build:`
		`- context: .`
		`- dockerfile: docker/backend/Dockerfile`
		`+ context: docker/backend`
		`hostname: backend-signd`
		`command: /usr/sbin/runuser -u copr -g copr -- /usr/sbin/signd`
		`stdin_open: true`
		`@@ -100,8 +94,7 @@`

		`backend_httpd:`
		`build:`
		`- context: .`
		`- dockerfile: docker/backend_httpd/Dockerfile`
		`+ context: docker/backend_httpd`
		`hostname: backend_httpd`
		`ports:`
		`- "5002:5002"`
		`@@ -110,8 +103,7 @@`

		`builder:`
		`build:`
		`- context: .`
		`- dockerfile: docker/builder/Dockerfile`
		`+ context: docker/builder`
		`hostname: builder`
		`stdin_open: true`
		`tty: true`
		`@@ -124,8 +116,7 @@`

		`frontend:`
		`build:`
		`- context: .`
		`- dockerfile: docker/frontend/Dockerfile`
		`+ context: docker/frontend/`
		`hostname: frontend`
		`depends_on:`
		`- database`
		`@@ -141,8 +132,7 @@`

		`database:`
		`build:`
		`- context: .`
		`- dockerfile: docker/database/Dockerfile`
		`+ context: docker/database/`
		`hostname: database`
		`stdin_open: true`
		`tty: true`
		`@@ -155,8 +145,7 @@`

		`distgit:`
		`build:`
		`- context: .`
		`- dockerfile: docker/distgit/Dockerfile`
		`+ context: docker/distgit/`
		`hostname: distgit`
		`stdin_open: true`
		`tty: true`
		`@@ -166,8 +155,7 @@`

		`distgit-httpd:`
		`build:`
		`- context: .`
		`- dockerfile: docker/distgit-httpd/Dockerfile`
		`+ context: docker/distgit-httpd/`
		`hostname: distgit-httpd`
		`stdin_open: true`
		`tty: true`
		`@@ -179,8 +167,7 @@`

		`keygen-signd:`
		`build:`
		`- context: .`
		`- dockerfile: docker/keygen-signd/Dockerfile`
		`+ context: docker/keygen-signd/`
		`hostname: keygen-signd`
		`stdin_open: true`
		`tty: true`
		`@@ -190,8 +177,7 @@`

		`keygen-httpd:`
		`build:`
		`- context: .`
		`- dockerfile: docker/keygen-httpd/Dockerfile`
		`+ context: docker/keygen-httpd/`
		`hostname: keygen-httpd`
		`stdin_open: true`
		`tty: true`

docker/backend/Dockerfile

file modified

+5 -24

		`@@ -25,12 +25,12 @@`
		`psmisc \`
		`nginx \`
		`python3-ipdb \`
		`+ findutils \`
		`# to get more entropy for generation of gpg keys`
		`rng-tools \`
		`# for unbuffer package`
		`expect \`
		`- tito && \`
		`- dnf clean all`
		`+ && dnf clean all`

		`# needed to be able to ping`
		`RUN setcap cap_net_raw,cap_net_admin+p /usr/bin/ping`
		`@@ -53,34 +53,15 @@`
		`cat /home/copr/.ssh/id_rsa.pub >> /home/copr/.ssh/authorized_keys && \`
		`chown copr:copr -R /home/copr`

		`-`
		`- # preinstall backend and its builddeps to utilize most of Docker cache`
		- RUN cd `mktemp -d` && \
		`- dnf -y download --source copr-backend && \`
		`- dnf -y builddep *.src.rpm --allowerasing && \`
		`- dnf -y install copr-backend && \`
		`+ # Install copr-backend package`
		`+ RUN dnf -y install copr-backend && \`
		`dnf clean all`

		`# system setup for copr-backend`
		`RUN usermod -a -G mock copr`

		`- # copy your copr sources to the docker image`
		`- COPY . /copr`
		`-`
		`-`
		`- RUN dnf -y builddep /copr/backend/*.spec --allowerasing && \`
		`- dnf clean all`
		`-`
		`- # build packages from sources`
		`- RUN cd /copr/backend && \`
		`- tito build --rpm --test --rpmbuild-options='--nocheck'`
		`-`
		`- # upgrade the already pre-installed packages if possible`
		`- RUN dnf -y upgrade /tmp/tito/noarch/copr-backend*.noarch.rpm ; \`
		`- dnf clean all`
		`-`
		`# copy filesystem setup and setup ownership and permissions`
		`- COPY docker/backend/files/ /`
		`+ COPY files/ /`
		`RUN chmod 700 /root && \`
		`chmod 700 /home/copr && \`
		`chmod 400 /home/copr/.ssh/id_rsa && \`

docker/backend_httpd/Dockerfile

file modified

+1 -1

		`@@ -1,4 +1,4 @@`
		`FROM fedora/nginx`
		`MAINTAINER copr-devel@lists.fedorahosted.org`

		`- COPY docker/backend_httpd/files/ /`
		`+ COPY files/ /`

docker/builder/Dockerfile

file modified

+3 -9

		`@@ -30,12 +30,9 @@`
		`glib2 \`
		`ca-certificates \`
		`scl-utils-build \`
		`- ethtool \`
		`- tito`
		`+ ethtool`

		`- COPY . /copr`
		`- COPY docker/builder/files/ /`
		`- COPY docker/backend/files/home/copr/.ssh/id_rsa.pub /root/.ssh/id_backend.pub`
		`+ COPY files/ /`

		`# needed to run sshd`
		`RUN ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -q`
		`@@ -46,10 +43,7 @@`
		`touch /root/.ssh/authorized_keys && chmod 600 /root/.ssh/authorized_keys && \`
		`cat /root/.ssh/id_backend.pub >> /root/.ssh/authorized_keys`

		`- RUN cd /copr/rpmbuild && \`
		`- dnf builddep -y *spec && \`
		`- tito build --rpm --test --rpmbuild-options='--nocheck' && \`
		`- dnf -y install /tmp/tito/x86_64/copr-{rpmbuild,builder}*.x86_64.rpm --allowerasing && \`
		`+ RUN dnf -y install copr-builder && \`
		`dnf clean all`

		`RUN echo 'config_opts["use_nspawn"] = False' >> /etc/mock/site-defaults.cfg`

docker/builder/files/root/.ssh/id_backend.pub

file added

		`@@ -0,0 +1,1 @@`
		`+ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDeoirV/QUOXQVraEut6ta8eYNiK+jRGOhybOSmzgLd+/4Ve9PCl3ybw288nGKiohwCpFC5e8t2xjQITQyCaBaX23eIi2zlb6uNxplXeqdqxPA5XlGXPUwD88jXmVShwnz+34e8aV0FihV5z5N+xBWW7k9dB9ZXvK1lrKq0Y22SIYJCnys6toB4D5McVy++HjIg9RVTAlKN0H7UF6B3xd6YNQEFTx/BQCceh1EYko6OS2EO2b4ZEnAcJ8SXqNJz/oGZ4Xgy4n6dVahPq4edHEn7VXMk+3KAHoXVaYN/CVN3wbuvgL8UFrwao8i7yucB3VNuIvadbdr5slx1QavMFJrn root@backend`
praiskup commented 4 years ago Where the private counterpart is stored?
frostyx commented 4 years ago This is a copy-paste of `docker/backend/files/home/copr/.ssh/id_rsa.pub` and the private part is `docker/backend/files/home/copr/.ssh/id_rsa`

docker/distgit-httpd/Dockerfile

file modified

+2 -8

		`@@ -14,15 +14,9 @@`
		`wget \`
		`vim \`
		`copr-selinux \`
		`- cgit \`
		`- tito`
		`+ cgit`

		`- COPY . /copr`
		`-`
		`- RUN cd /copr/dist-git && \`
		`- dnf builddep -y *spec && \`
		`- tito build --rpm --test --rpmbuild-options='--nocheck' && \`
		`- ( dnf -y install /tmp/tito/noarch/copr-dist-git*.noarch.rpm \|\| true ) && \`
		`+ RUN dnf -y install copr-dist-git && \`
		`dnf clean all`

		`RUN rm /etc/httpd/conf.d/ssl.conf`

docker/distgit/Dockerfile

file modified

+2 -8

		`@@ -16,15 +16,9 @@`
		`copr-selinux \`
		`cgit \`
		`python3-rpkg \`
		`- python3-ipdb \`
		`- tito`
		`+ python3-ipdb`

		`- COPY . /copr`
		`-`
		`- RUN cd /copr/dist-git && \`
		`- dnf builddep -y *spec && \`
		`- tito build --rpm --test --rpmbuild-options='--nocheck' && \`
		`- ( dnf -y install /tmp/tito/noarch/copr-dist-git*.noarch.rpm \|\| true ) && \`
		`+ RUN dnf -y install copr-dist-git && \`
		`dnf clean all`

		`RUN mkdir /tmp/copr-dist-git`

docker/frontend/Dockerfile

file modified

+37 -13

		`@@ -24,20 +24,44 @@`
		`postgresql-server \`
		`redis \`
		`mock-core-configs \`
		`- tito`
		`+ findutils \`
		`+ copr-frontend`

		`- COPY . /copr`
		`- COPY docker/frontend/files/ /`
		`+ COPY files/ /`

		`- # build and install copr-frontend`
		`- RUN cd /copr/frontend && \`
		`- dnf builddep -y *spec && \`
		`- tito build --rpm --test --rpmbuild-options='--nocheck' && \`
		`- ( dnf -y install /tmp/tito/noarch/copr-frontend*.noarch.rpm \|\| true ) && \`
		`- dnf clean all`
		`+ RUN sed -i 's/User apache/User copr-fe/g' /etc/httpd/conf/httpd.conf`
		`+ RUN sed -i 's/Group apache/Group copr-fe/g' /etc/httpd/conf/httpd.conf`

		`- RUN mkdir -p /usr/share/copr/data/whooshee`
		`- RUN chown -R copr-fe:copr-fe /usr/share/copr`
		`- RUN chown -R copr-fe:copr-fe /var/log/copr-frontend`
		`+ # We cannot expose privileged port as non-root user`
		`+ RUN sed -i 's/Listen 80/#Listen 80/g' /etc/httpd/conf/httpd.conf`

		`- CMD ["/bin/run.sh"]`
		`+ # Otherwise it is run/httpd.pid in OpenShift, which is outside of`
		`+ # the copr-fe user permissions`
		`+ RUN echo "PidFile /var/run/httpd/httpd.pid" >> /etc/httpd/conf/httpd.conf`
		`+`
		`+ # Some OpenShift shenanigans`
		`+ # We can't have these directories owned by copr-fe:copr-fe`
		`+ # because OpenShift runs pod as a semi-randomly generated user`
		`+ # https://docs.openshift.com/container-platform/4.3/openshift_images/create-images.html#use-uid_create-images`
		`+ RUN chown -R copr-fe:root \`
		`+ /usr/share/copr \`
		`+ /var/log/copr-frontend \`
		`+ /etc/httpd/ \`
		`+ /var/run/httpd/ \`
		`+ /var/log/httpd/`
		`+`
		`+ # Too bad, Dockerfile can't handle arrays in ARG definitions`
		`+ # so we need to copy-paste the directories`
		`+ RUN chmod -R g+rwX \`
		`+ /usr/share/copr \`
		`+ /var/log/copr-frontend \`
		`+ /etc/httpd/ \`
		`+ /var/run/httpd/ \`
		`+ /var/log/httpd/`
		`+`
		`+ # Use copr-fe user when running outside of OpenShift`
		`+ USER 993`
		`+`
		`+ EXPOSE 5000`
		`+`
		`+ CMD ["/usr/sbin/httpd", "-DFOREGROUND"]`

docker/frontend/files/usr/bin/init-database.sh

file added

		`@@ -0,0 +1,5 @@`
		`+ #!/bin/bash`
		`+`
		`+ cd /usr/share/copr/coprs_frontend/ && copr-frontend create-db --alembic alembic.ini`
		`+ copr-frontend create-chroot \`
		`+ $(ls /etc/mock/{fedora,epel}-*-{i386,x86_64}.cfg \|xargs -I{} -n1 basename {} .cfg)`

docker/frontend/files/usr/bin/run.sh

file removed

-11

		`@@ -1,11 +0,0 @@`
		`- #!/bin/bash`
		`-`
		- # @FIXME The `database` container can be up while postgresql can be unreachable for few miliseconds
		`- # and therefore the alembic migration fails. Waiting 1s workarounds the issue`
		`- sleep 1`
		`-`
		`- cd /usr/share/copr/coprs_frontend/ && sudo -u copr-fe copr-frontend create-db --alembic alembic.ini`
		`- sudo -u copr-fe copr-frontend create-chroot \`
		`- $(ls /etc/mock/{fedora,epel}-*-{i386,x86_64}.cfg \|xargs -I{} -n1 basename {} .cfg)`
		`-`
		`- /usr/sbin/httpd -DFOREGROUND`

docker/keygen-httpd/Dockerfile

file modified

+1 -6

		`@@ -29,20 +29,15 @@`
		`python3-alembic \`
		`postgresql-server \`
		`redis \`
		`- tito \`
		`uwsgi \`
		`uwsgi-plugin-python3`

		`# Copy files from the host into the container`
		`- COPY . /copr`
		`- COPY docker/keygen-httpd/files/ /`
		`-`
		`+ COPY files/ /`

		`# Install copr-keygen package`
		`- # We should probably install it via tito`
		`RUN dnf -y install copr-keygen && dnf clean all`

		`-`
		`# For whatever reason the copr-keygen package installed`
		`# copr-signer user incorrectly and set it's home directory`
		`# as /home/copr-signer`

docker/keygen-signd/Dockerfile

file modified

+1 -6

		`@@ -1,20 +1,15 @@`
		`FROM fedora:30`
		`MAINTAINER copr-devel@lists.fedorahosted.org`

		`-`
		`# Copy files from the host into the container`
		`- COPY . /copr`
		`- COPY docker/keygen-signd/files/ /`
		`+ COPY files/ /`

		`# Create copr-signer:copr-signer manually, so we can`
		`# be sure that the UID and GID is same on all keygen containers`
		`RUN groupadd -r copr-signer -g 992`
		`RUN useradd -r copr-signer -u 993 -g 992`

		`-`
		`# Install copr-keygen package`
		`- # We should probably install it via tito`
		`RUN dnf -y install copr-keygen && dnf clean all`

		`-`
		`CMD ["/usr/sbin/signd"]`

frostyx commented 4 years ago

Mainly:

Installing copr packages from repositories, not building it locally via tito
Allowing httpd with copr-frontend to run under a semi-randomly generated user (because you can't just run it as root or copr-fe in OpenShift)

praiskup commented on line 2 of docker/builder/files/root/.ssh/id_backend.pub 4 years ago

Where the private counterpart is stored?

praiskup commented 4 years ago

Installing copr packages from repositories, not building it locally via tito

Makes sense, for development you use local bind-mounted source files anyway, right?

Allowing httpd with copr-frontend to run under a semi-randomly generated user (because you can't just run it as root or copr-fe in OpenShift)

Because it is not secure (at least with bind-mounts) you don't want to run anything under root in docker. :-). This change sounds good.

frostyx commented 4 years ago

Makes sense, for development you use local bind-mounted source files anyway, right?

Exactly

Because it is not secure (at least with bind-mounts) you don't want to run anything under root in docker. :-). This change sounds good.

It doesn't surprise me, that you cannot run anything as root but I was surprised that you can't even create your user copr-fe and run things on its behalf.