use BUNDLE_PATH in COPY

ensure that the application is not writable by kubernaut
create system user and group for kubernaut
2025-04-30 16:43:08 -05:00 · 2025-04-30 16:40:58 -05:00 · 2025-04-30 16:34:51 -05:00 · 2025-04-30 16:20:53 -05:00 · 2025-04-30 16:20:32 -05:00 · 2025-04-30 16:16:24 -05:00
3 changed files with 54 additions and 29 deletions
--- a/dockerfiles/alpine.Dockerfile
+++ b/dockerfiles/alpine.Dockerfile
@ -1,43 +1,51 @@
 ARG RUBY_VERSION="3.4.3"
-FROM ruby:${RUBY_VERSION}-alpine AS base
+FROM docker.io/library/ruby:${RUBY_VERSION}-alpine AS base

-WORKDIR /app
+WORKDIR /kubernaut

 RUN <<EOT
-  apk update
+  apk update -q
+  apk add bash
+  rm -rf /var/cache/apk
  gem update --system --no-document
  gem install -N bundler
 EOT

+ENV RACK_ENV="production" \
+  BUNDLE_DEPLOYMENT=true \
+  BUNDLE_PATH="/usr/local/bundle" \
+  BUNDLE_WITHOUT="development test"

 FROM base AS build

-ENV BUNDLE_DEPLOYMENT=true \
-  BUNDLE_WITHOUT="development test"
-
 RUN <<EOT
  apk add musl-dev gcc make
+  rm -rf /var/cache/apk
 EOT

-COPY Gemfile* .
+COPY Gemfile Gemfile.lock ./

 RUN <<EOT
  bundle install
+  rm -rf ~/.bundle/ "${BUNDLE_PATH}"/ruby/*/cache "${BUNDLE_PATH}"/ruby/*/bundler/gems/*/.git
 EOT

+COPY . .

 FROM base

 ENV PORT=4567

-RUN adduser --home /app --disabled-password app
+RUN <<EOT
+  addgroup --system --gid 666 kubernaut
+  adduser --system --uid 666 --ingroup kubernaut --shell /bin/bash --disabled-password kubernaut
+EOT

-USER app:app
+COPY --from=build "${BUNDLE_PATH}" "${BUNDLE_PATH}"
+COPY --from=build /kubernaut /kubernaut

-COPY --from=build /usr/local/bundle /usr/local/bundle
-COPY --from=build --chown=app:app /app /app
-
-COPY --chown=app:app . .
+USER kubernaut:kubernaut

 EXPOSE $PORT
-CMD [ "puma" ]
+ENTRYPOINT [ "/kubernaut/dockerfiles/entrypoint.sh" ]
+CMD [ "bundle", "exec", "puma" ]
--- a/dockerfiles/bookworm.Dockerfile
+++ b/dockerfiles/bookworm.Dockerfile
@ -1,44 +1,51 @@
 ARG RUBY_VERSION="3.4.3"
-FROM ruby:${RUBY_VERSION}-slim-bookworm AS base
+FROM docker.io/library/ruby:${RUBY_VERSION}-slim-bookworm AS base

-WORKDIR /app
+WORKDIR /kubernaut

 RUN <<EOT
-  apt-get update
+  apt-get update -qq
+  rm -rf /var/lib/apt/lists /var/cache/apt/archives
  gem update --system --no-document
  gem install -N bundler
 EOT

+ENV RACK_ENV="production" \
+  BUNDLE_DEPLOYMENT=true \
+  BUNDLE_PATH="/usr/local/bundle" \
+  BUNDLE_WITHOUT="development test"

 FROM base AS build

-ENV BUNDLE_DEPLOYMENT=true \
-  BUNDLE_WITHOUT="development test"
-
 RUN <<EOT
+  apt-get update -qq
  apt-get install --yes --no-install-recommends gcc make libc-dev
+  rm -rf /var/lib/apt/lists /var/cache/apt/archives
 EOT

-COPY Gemfile* .
+COPY Gemfile Gemfile.lock ./

 RUN <<EOT
  bundle install
+  rm -rf ~/.bundle/ "${BUNDLE_PATH}"/ruby/*/cache "${BUNDLE_PATH}"/ruby/*/bundler/gems/*/.git
 EOT

+COPY . .

 FROM base

 ENV PORT=4567

-# RUN useradd ruby --home /app --shell /bin/sh
-RUN useradd --home /app --create-home app
+RUN <<EOT
+  groupadd --system --gid 666 kubernaut
+  useradd --system --uid 666 --gid kubernaut --create-home --shell /bin/bash kubernaut
+EOT

-USER app:app
+COPY --from=build "${BUNDLE_PATH}" "${BUNDLE_PATH}"
+COPY --from=build /kubernaut /kubernaut

-COPY --from=build /usr/local/bundle /usr/local/bundle
-COPY --from=build --chown=app:app /app /app
-
-COPY --chown=app:app . .
+USER kubernaut:kubernaut

 EXPOSE $PORT
-CMD [ "puma" ]
+ENTRYPOINT [ "/kubernaut/dockerfiles/entrypoint.sh" ]
+CMD [ "bundle", "exec", "puma" ]
--- a/dockerfiles/entrypoint.sh
+++ b/dockerfiles/entrypoint.sh
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# output debugging info
+ruby --version
+printf "rubygems %s\n" "$(gem --version)"
+bundle version
+
+exec "${@}"
Author	SHA1	Message	Date
Ryan Cavicchioni	45f1250d9c	use BUNDLE_PATH in COPY Some checks failed Gitea Actions Demo / lint (push) Successful in 19s Details Gitea Actions Demo / test (push) Successful in 23s Details Gitea Actions Demo / docker (push) Has been cancelled Details	2025-04-30 16:43:08 -05:00
Ryan Cavicchioni	0e52df2fac	ensure that the application is not writable by kubernaut	2025-04-30 16:40:58 -05:00
Ryan Cavicchioni	d894d1f87f	create system user and group for kubernaut	2025-04-30 16:34:51 -05:00
Ryan Cavicchioni	df86eec943	remove commented out line	2025-04-30 16:20:53 -05:00
Ryan Cavicchioni	cc5704506b	whitespace fix	2025-04-30 16:20:32 -05:00
Ryan Cavicchioni	16441acd93	change the application user to be kubernaut	2025-04-30 16:16:24 -05:00
Ryan Cavicchioni	0397423eb6	make WORKDIR /kubernaut	2025-04-30 16:14:17 -05:00
Ryan Cavicchioni	ce89aad06a	tidy up after bundler	2025-04-30 16:11:47 -05:00
Ryan Cavicchioni	e5dd7d499d	explicitly copy Gemfile and Gemfile.lock	2025-04-30 16:03:04 -05:00
Ryan Cavicchioni	6759d15095	fix bundler environment variables	2025-04-30 15:55:23 -05:00
Ryan Cavicchioni	dc6b9ff20e	clean up apk/apt caches	2025-04-30 15:55:06 -05:00
Ryan Cavicchioni	7dc8642321	make apk/apt update quiter	2025-04-30 15:54:22 -05:00
Ryan Cavicchioni	8c528bb7cb	use full registry path in Dockerfile	2025-04-30 15:23:33 -05:00
Ryan Cavicchioni	7db559e848	add basic Docker entrypoint script	2025-04-30 14:56:36 -05:00
Ryan Cavicchioni	bcce68ad1f	add bash to Alpine Docker image	2025-04-30 14:56:00 -05:00
Ryan Cavicchioni	239df00c92	v0.2.0 All checks were successful Gitea Actions Demo / lint (push) Successful in 22s Details Gitea Actions Demo / test (push) Successful in 16s Details Gitea Actions Demo / docker (push) Successful in 3m12s Details	2025-04-29 15:07:36 -05:00
Ryan Cavicchioni	2c71dfac86	don't install apt-get recommendations	2025-04-29 15:07:36 -05:00
Ryan Cavicchioni	f0f439fb6d	set PORT and PIDFILE via environment variables	2025-04-29 15:07:36 -05:00