use BUNDLE_PATH in COPY

ensure that the application is not writable by kubernaut
create system user and group for kubernaut
2025-04-30 16:43:08 -05:00 · 2025-04-30 16:40:58 -05:00 · 2025-04-30 16:34:51 -05:00 · 2025-04-30 16:20:53 -05:00 · 2025-04-30 16:20:32 -05:00 · 2025-04-30 16:16:24 -05:00
3 changed files with 52 additions and 27 deletions
--- a/dockerfiles/alpine.Dockerfile
+++ b/dockerfiles/alpine.Dockerfile
@ -1,43 +1,51 @@
 ARG RUBY_VERSION="3.4.3"
-FROM ruby:${RUBY_VERSION}-alpine AS base
+FROM docker.io/library/ruby:${RUBY_VERSION}-alpine AS base
-WORKDIR /app
+WORKDIR /kubernaut
 RUN <<EOT
-  apk update
+  apk update -q
  apk add bash
  rm -rf /var/cache/apk
  gem update --system --no-document
  gem install -N bundler
 EOT
 ENV RACK_ENV="production" \
  BUNDLE_DEPLOYMENT=true \
  BUNDLE_PATH="/usr/local/bundle" \
  BUNDLE_WITHOUT="development test"
 FROM base AS build
 ENV BUNDLE_DEPLOYMENT=true \
  BUNDLE_WITHOUT="development test"
 RUN <<EOT
  apk add musl-dev gcc make
  rm -rf /var/cache/apk
 EOT
-COPY Gemfile* .
+COPY Gemfile Gemfile.lock ./
 RUN <<EOT
  bundle install
  rm -rf ~/.bundle/ "${BUNDLE_PATH}"/ruby/*/cache "${BUNDLE_PATH}"/ruby/*/bundler/gems/*/.git
 EOT
 COPY . .
 FROM base
 ENV PORT=4567
-RUN adduser --home /app --disabled-password app
+RUN <<EOT
  addgroup --system --gid 666 kubernaut
  adduser --system --uid 666 --ingroup kubernaut --shell /bin/bash --disabled-password kubernaut
 EOT
-USER app:app
+COPY --from=build "${BUNDLE_PATH}" "${BUNDLE_PATH}"
 COPY --from=build /kubernaut /kubernaut
-COPY --from=build /usr/local/bundle /usr/local/bundle
+USER kubernaut:kubernaut
 COPY --from=build --chown=app:app /app /app
 COPY --chown=app:app . .
 EXPOSE $PORT
 ENTRYPOINT [ "/kubernaut/dockerfiles/entrypoint.sh" ]
 CMD [ "bundle", "exec", "puma" ]
--- a/dockerfiles/bookworm.Dockerfile
+++ b/dockerfiles/bookworm.Dockerfile
@ -1,44 +1,51 @@
 ARG RUBY_VERSION="3.4.3"
-FROM ruby:${RUBY_VERSION}-slim-bookworm AS base
+FROM docker.io/library/ruby:${RUBY_VERSION}-slim-bookworm AS base
-WORKDIR /app
+WORKDIR /kubernaut
 RUN <<EOT
-  apt-get update
+  apt-get update -qq
  rm -rf /var/lib/apt/lists /var/cache/apt/archives
  gem update --system --no-document
  gem install -N bundler
 EOT
 ENV RACK_ENV="production" \
  BUNDLE_DEPLOYMENT=true \
  BUNDLE_PATH="/usr/local/bundle" \
  BUNDLE_WITHOUT="development test"
 FROM base AS build
 ENV BUNDLE_DEPLOYMENT=true \
  BUNDLE_WITHOUT="development test"
 RUN <<EOT
  apt-get update -qq
  apt-get install --yes --no-install-recommends gcc make libc-dev
  rm -rf /var/lib/apt/lists /var/cache/apt/archives
 EOT
-COPY Gemfile* .
+COPY Gemfile Gemfile.lock ./
 RUN <<EOT
  bundle install
  rm -rf ~/.bundle/ "${BUNDLE_PATH}"/ruby/*/cache "${BUNDLE_PATH}"/ruby/*/bundler/gems/*/.git
 EOT
 COPY . .
 FROM base
 ENV PORT=4567
-# RUN useradd ruby --home /app --shell /bin/sh
+RUN <<EOT
-RUN useradd --home /app --create-home app
+  groupadd --system --gid 666 kubernaut
  useradd --system --uid 666 --gid kubernaut --create-home --shell /bin/bash kubernaut
 EOT
-USER app:app
+COPY --from=build "${BUNDLE_PATH}" "${BUNDLE_PATH}"
 COPY --from=build /kubernaut /kubernaut
-COPY --from=build /usr/local/bundle /usr/local/bundle
+USER kubernaut:kubernaut
 COPY --from=build --chown=app:app /app /app
 COPY --chown=app:app . .
 EXPOSE $PORT
 ENTRYPOINT [ "/kubernaut/dockerfiles/entrypoint.sh" ]
 CMD [ "bundle", "exec", "puma" ]
--- a/dockerfiles/entrypoint.sh
+++ b/dockerfiles/entrypoint.sh
@ -0,0 +1,10 @@
 #!/usr/bin/env bash
 set -euo pipefail
 # output debugging info
 ruby --version
 printf "rubygems %s\n" "$(gem --version)"
 bundle version
 exec "${@}"
Author	SHA1	Message	Date
Ryan Cavicchioni	45f1250d9c	use BUNDLE_PATH in COPY Some checks failed Gitea Actions Demo / lint (push) Successful in 19s Details Gitea Actions Demo / test (push) Successful in 23s Details Gitea Actions Demo / docker (push) Has been cancelled Details	2025-04-30 16:43:08 -05:00
Ryan Cavicchioni	0e52df2fac	ensure that the application is not writable by kubernaut	2025-04-30 16:40:58 -05:00
Ryan Cavicchioni	d894d1f87f	create system user and group for kubernaut	2025-04-30 16:34:51 -05:00
Ryan Cavicchioni	df86eec943	remove commented out line	2025-04-30 16:20:53 -05:00
Ryan Cavicchioni	cc5704506b	whitespace fix	2025-04-30 16:20:32 -05:00
Ryan Cavicchioni	16441acd93	change the application user to be kubernaut	2025-04-30 16:16:24 -05:00
Ryan Cavicchioni	0397423eb6	make WORKDIR /kubernaut	2025-04-30 16:14:17 -05:00
Ryan Cavicchioni	ce89aad06a	tidy up after bundler	2025-04-30 16:11:47 -05:00
Ryan Cavicchioni	e5dd7d499d	explicitly copy Gemfile and Gemfile.lock	2025-04-30 16:03:04 -05:00
Ryan Cavicchioni	6759d15095	fix bundler environment variables	2025-04-30 15:55:23 -05:00
Ryan Cavicchioni	dc6b9ff20e	clean up apk/apt caches	2025-04-30 15:55:06 -05:00
Ryan Cavicchioni	7dc8642321	make apk/apt update quiter	2025-04-30 15:54:22 -05:00
Ryan Cavicchioni	8c528bb7cb	use full registry path in Dockerfile	2025-04-30 15:23:33 -05:00
Ryan Cavicchioni	7db559e848	add basic Docker entrypoint script	2025-04-30 14:56:36 -05:00
Ryan Cavicchioni	bcce68ad1f	add bash to Alpine Docker image	2025-04-30 14:56:00 -05:00