Add rootless (alpine) images #4617

Merged (24 commits), Jan 8, 2025
2 changes: 2 additions & 0 deletions .cspell.json
@@ -10,6 +10,8 @@
],
"words": [
"abool",
"addgroup",
"adduser",
"anbraten",
"antfu",
"apimachinery",
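Review bot: `addgroup` is added to the spell-check word list, but none of the Dockerfile hunks in this diff call it; the Alpine stages use only `adduser -u 1000 -g 1000 woodpecker`. If the intent was to pin the group to GID 1000 with `addgroup -g 1000 woodpecker`, that step is missing from the Alpine Dockerfiles; otherwise this entry is unused.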
34 changes: 17 additions & 17 deletions .woodpecker/docker.yaml
@@ -125,7 +125,7 @@ steps:
image: *buildx_plugin
settings:
repo: woodpeckerci/woodpecker-server
dockerfile: docker/Dockerfile.server.alpine.multiarch
dockerfile: docker/Dockerfile.server.alpine.multiarch.rootless
platforms: *platforms_preview
tag: pull_${CI_COMMIT_PULL_REQUEST}-alpine
logins: *publish_logins
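Review bot: every build step now points at a `Dockerfile.*.rootless` path, but the file headers for the Dockerfile diffs are not shown here, so it is not visible whether the old `docker/Dockerfile.*.multiarch` files were renamed or left in place. Please confirm the old paths no longer exist in the tree, so that no Makefile target, compose file or external script keeps building the root-running variant from the old name after this lands.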
@@ -142,7 +142,7 @@ steps:
settings:
dry_run: true
repo: woodpeckerci/woodpecker-server
dockerfile: docker/Dockerfile.server.multiarch
dockerfile: docker/Dockerfile.server.multiarch.rootless
platforms: *platforms_preview
tag: pull_${CI_COMMIT_PULL_REQUEST}
when: &when-dryrun
@@ -156,7 +156,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_server
dockerfile: docker/Dockerfile.server.multiarch
dockerfile: docker/Dockerfile.server.multiarch.rootless
platforms: *platforms_server
tag: [next, 'next-${CI_COMMIT_SHA:0:10}']
logins: *publish_logins
@@ -171,7 +171,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_server
dockerfile: docker/Dockerfile.server.alpine.multiarch
dockerfile: docker/Dockerfile.server.alpine.multiarch.rootless
platforms: *platforms_alpine
tag: [next-alpine, 'next-${CI_COMMIT_SHA:0:10}-alpine']
logins: *publish_logins
@@ -183,7 +183,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_server
dockerfile: docker/Dockerfile.server.multiarch
dockerfile: docker/Dockerfile.server.multiarch.rootless
platforms: *platforms_server
tag: ['${CI_COMMIT_TAG%%.*}', '${CI_COMMIT_TAG%.*}-alpine', '${CI_COMMIT_TAG}']
logins: *publish_logins
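Review bot: the tag list in this hunk is wrong for the non-Alpine server release: `'${CI_COMMIT_TAG%.*}-alpine'` carries an `-alpine` suffix, so the scratch image is pushed as `vX.Y-alpine` and no plain `vX.Y` tag is published for the server at all. The Alpine release step in the next hunk pushes the same `vX.Y-alpine` tag, so whichever step finishes last decides which image users get under it, which defeats the point of a separate rootless Alpine variant. The agent and CLI release steps use `['${CI_COMMIT_TAG%%.*}', '${CI_COMMIT_TAG%.*}', '${CI_COMMIT_TAG}']`; this line should match them.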
@@ -196,7 +196,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_server
dockerfile: docker/Dockerfile.server.alpine.multiarch
dockerfile: docker/Dockerfile.server.alpine.multiarch.rootless
platforms: *platforms_alpine
tag: ['${CI_COMMIT_TAG%%.*}-alpine', '${CI_COMMIT_TAG%.*}-alpine', '${CI_COMMIT_TAG}-alpine']
logins: *publish_logins
@@ -212,7 +212,7 @@ steps:
image: *buildx_plugin
settings:
repo: woodpeckerci/woodpecker-agent
dockerfile: docker/Dockerfile.agent.alpine.multiarch
dockerfile: docker/Dockerfile.agent.alpine.multiarch.rootless
platforms: *platforms_preview
tag: pull_${CI_COMMIT_PULL_REQUEST}-alpine
build_args: *build_args
@@ -226,7 +226,7 @@ steps:
settings:
dry_run: true
repo: woodpeckerci/woodpecker-agent
dockerfile: docker/Dockerfile.agent.multiarch
dockerfile: docker/Dockerfile.agent.multiarch.rootless
platforms: *platforms_preview
tag: pull_${CI_COMMIT_PULL_REQUEST}
build_args: *build_args
@@ -241,7 +241,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_agent
dockerfile: docker/Dockerfile.agent.multiarch
dockerfile: docker/Dockerfile.agent.multiarch.rootless
platforms: *platforms_release
tag: [next, 'next-${CI_COMMIT_SHA:0:10}']
logins: *publish_logins
@@ -260,7 +260,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_agent
dockerfile: docker/Dockerfile.agent.alpine.multiarch
dockerfile: docker/Dockerfile.agent.alpine.multiarch.rootless
platforms: *platforms_alpine
tag: [next-alpine, 'next-${CI_COMMIT_SHA:0:10}-alpine']
logins: *publish_logins
@@ -276,7 +276,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_agent
dockerfile: docker/Dockerfile.agent.multiarch
dockerfile: docker/Dockerfile.agent.multiarch.rootless
platforms: *platforms_release
tag: ['${CI_COMMIT_TAG%%.*}', '${CI_COMMIT_TAG%.*}', '${CI_COMMIT_TAG}']
logins: *publish_logins
@@ -292,7 +292,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_agent
dockerfile: docker/Dockerfile.agent.alpine.multiarch
dockerfile: docker/Dockerfile.agent.alpine.multiarch.rootless
platforms: *platforms_alpine
tag: ['${CI_COMMIT_TAG%%.*}-alpine', '${CI_COMMIT_TAG%.*}-alpine', '${CI_COMMIT_TAG}-alpine']
logins: *publish_logins
@@ -310,7 +310,7 @@ steps:
settings:
dry_run: true
repo: woodpeckerci/woodpecker-cli
dockerfile: docker/Dockerfile.cli.multiarch
dockerfile: docker/Dockerfile.cli.multiarch.rootless
platforms: *platforms_preview
tag: pull_${CI_COMMIT_PULL_REQUEST}
build_args: *build_args
@@ -325,7 +325,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_cli
dockerfile: docker/Dockerfile.cli.multiarch
dockerfile: docker/Dockerfile.cli.multiarch.rootless
platforms: *platforms_release
tag: [next, 'next-${CI_COMMIT_SHA:0:10}']
logins: *publish_logins
@@ -341,7 +341,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_cli
dockerfile: docker/Dockerfile.cli.alpine.multiarch
dockerfile: docker/Dockerfile.cli.alpine.multiarch.rootless
platforms: *platforms_alpine
tag: [next-alpine, 'next-${CI_COMMIT_SHA:0:10}-alpine']
logins: *publish_logins
@@ -357,7 +357,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_cli
dockerfile: docker/Dockerfile.cli.multiarch
dockerfile: docker/Dockerfile.cli.multiarch.rootless
platforms: *platforms_release
tag: ['${CI_COMMIT_TAG%%.*}', '${CI_COMMIT_TAG%.*}', '${CI_COMMIT_TAG}']
logins: *publish_logins
@@ -373,7 +373,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_cli
dockerfile: docker/Dockerfile.cli.alpine.multiarch
dockerfile: docker/Dockerfile.cli.alpine.multiarch.rootless
platforms: *platforms_alpine
tag: ['${CI_COMMIT_TAG%%.*}-alpine', '${CI_COMMIT_TAG%.*}-alpine', '${CI_COMMIT_TAG}-alpine']
logins: *publish_logins
@@ -8,14 +8,20 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
make build-agent

FROM docker.io/alpine:3.21
RUN apk add -U --no-cache ca-certificates

RUN apk add -U --no-cache ca-certificates && \
adduser -u 1000 -g 1000 woodpecker && \
mkdir -p /etc/woodpecker && \
chown -R woodpecker:woodpecker /etc/woodpecker

ENV GODEBUG=netdns=go
# Internal setting do NOT change! Signals that woodpecker is running inside a container
ENV WOODPECKER_IN_CONTAINER=true
EXPOSE 3000

COPY --from=build /src/dist/woodpecker-agent /bin/
RUN mkdir -p /etc/woodpecker

USER woodpecker

HEALTHCHECK CMD ["/bin/woodpecker-agent", "ping"]
ENTRYPOINT ["/bin/woodpecker-agent"]
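Review bot: `adduser -u 1000 -g 1000 woodpecker` does not do what `useradd -u 1000 -g 1000` does in the scratch Dockerfiles. On Alpine `adduser` is the BusyBox applet, where `-g` sets the GECOS comment field rather than the group, so the user ends up in an auto-created `woodpecker` group with whatever GID is free, not 1000, and without `-D` the applet attempts to set a password interactively during the build. Suggest `addgroup -g 1000 woodpecker && adduser -D -H -u 1000 -G woodpecker -s /sbin/nologin woodpecker`, so both image variants share the same 1000:1000 identity and a volume chowned for one works for the other.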
@@ -1,12 +1,16 @@
FROM --platform=$BUILDPLATFORM docker.io/golang:1.23 AS build

RUN groupadd -g 1000 woodpecker && \
useradd -u 1000 -g 1000 woodpecker && \
mkdir -p /etc/woodpecker && \
chown -R woodpecker:woodpecker /etc/woodpecker

WORKDIR /src
COPY . .
ARG TARGETOS TARGETARCH CI_COMMIT_SHA CI_COMMIT_TAG CI_COMMIT_BRANCH
RUN --mount=type=cache,target=/root/.cache/go-build \
--mount=type=cache,target=/go/pkg \
make build-agent
RUN mkdir -p /etc/woodpecker

FROM scratch
ENV GODEBUG=netdns=go
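Review bot: `useradd -u 1000 -g 1000 woodpecker` in the build stage creates an account with the base image's default shell and a home directory under `/home` that is never copied into the final image. Since the user exists only to populate `/etc/passwd` and `/etc/group` for the scratch stage, `useradd -M -s /usr/sbin/nologin -u 1000 -g 1000 woodpecker` keeps the entry minimal and makes that intent explicit.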
@@ -19,6 +23,10 @@ COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certifica
# copy agent binary
COPY --from=build /src/dist/woodpecker-agent /bin/
COPY --from=build /etc/woodpecker /etc
COPY --from=build /etc/passwd /etc/passwd
COPY --from=build /etc/group /etc/group

USER woodpecker

HEALTHCHECK CMD ["/bin/woodpecker-agent", "ping"]
ENTRYPOINT ["/bin/woodpecker-agent"]
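Review bot: two problems in this hunk. `COPY --from=build /etc/passwd /etc/passwd` and the `/etc/group` copy ship the complete account database of the golang build image into the scratch image, not just the `woodpecker` entry; writing a one-line passwd and group file in the build stage (or extracting the `woodpecker` lines with `grep`) keeps the runtime image minimal. Second, the context line `COPY --from=build /etc/woodpecker /etc` copies the directory's contents into `/etc` rather than creating `/etc/woodpecker`, so the directory that the build stage creates and chowns does not exist in the final image, and the agent, now running as UID 1000, cannot create it under the root-owned `/etc`. Use `COPY --from=build --chown=1000:1000 /etc/woodpecker /etc/woodpecker`, mirroring the `/var/lib/woodpecker` copy in the server Dockerfile.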
@@ -8,14 +8,18 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
make build-cli

FROM docker.io/alpine:3.21

WORKDIR /woodpecker

RUN apk add -U --no-cache ca-certificates
RUN apk add -U --no-cache ca-certificates && \
adduser -u 1000 -g 1000 woodpecker

ENV GODEBUG=netdns=go
ENV WOODPECKER_DISABLE_UPDATE_CHECK=true

COPY --from=build /src/dist/woodpecker-cli /bin/

USER woodpecker

HEALTHCHECK CMD ["/bin/woodpecker-cli", "ping"]
ENTRYPOINT ["/bin/woodpecker-cli"]
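Review bot: `WORKDIR /woodpecker` is created by root before `USER woodpecker`, so the working directory is not writable by the account the CLI now runs as; either chown it in the same `RUN` step as the `adduser` call or drop the `WORKDIR` if nothing is written there. The `adduser -u 1000 -g 1000` call also carries the BusyBox caveat that `-g` is the GECOS field, so the group is not pinned to GID 1000, and no `-D` is passed; `addgroup -g 1000 woodpecker && adduser -D -H -u 1000 -G woodpecker woodpecker` gives the intended result.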
@@ -1,5 +1,8 @@
FROM --platform=$BUILDPLATFORM docker.io/golang:1.23 AS build

RUN groupadd -g 1000 woodpecker && \
useradd -u 1000 -g 1000 woodpecker

WORKDIR /src
COPY . .
ARG TARGETOS TARGETARCH CI_COMMIT_SHA CI_COMMIT_TAG CI_COMMIT_BRANCH
@@ -17,6 +20,10 @@ ENV WOODPECKER_DISABLE_UPDATE_CHECK=true
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
# copy cli binary
COPY --from=build /src/dist/woodpecker-cli /bin/
COPY --from=build /etc/passwd /etc/passwd
COPY --from=build /etc/group /etc/group

USER woodpecker

HEALTHCHECK CMD ["/bin/woodpecker-cli", "ping"]
ENTRYPOINT ["/bin/woodpecker-cli"]
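Review bot: copying the build stage's complete `/etc/passwd` and `/etc/group` into scratch brings every account of the golang base image along, and the `woodpecker` entry points `HOME` at `/home/woodpecker`, which is never copied, so anything the CLI tries to write under `$HOME` targets a directory that does not exist. Consider generating minimal passwd/group files containing only the `woodpecker` entry in the build stage and pointing the home directory (or `ENV HOME`) at a directory that exists in the image and is owned by UID 1000.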
@@ -1,7 +1,11 @@
FROM docker.io/alpine:3.21

ARG TARGETOS TARGETARCH
RUN apk add -U --no-cache ca-certificates
RUN apk add -U --no-cache ca-certificates && \
adduser -u 1000 -g 1000 woodpecker && \
mkdir -p /var/lib/woodpecker && \
chown -R woodpecker:woodpecker /var/lib/woodpecker

ENV GODEBUG=netdns=go
# Internal setting do NOT change! Signals that woodpecker is running inside a container
ENV WOODPECKER_IN_CONTAINER=true
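Review bot: the `mkdir -p /var/lib/woodpecker && chown -R woodpecker:woodpecker` part is right, but the `adduser -u 1000 -g 1000 woodpecker` before it is the BusyBox applet, where `-g` is the GECOS field, so the group is not GID 1000 as it is in the scratch server image. Since this is the image whose data directory operators will chown on the host, the two variants should agree: `addgroup -g 1000 woodpecker && adduser -D -H -u 1000 -G woodpecker woodpecker`.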
@@ -11,5 +15,7 @@ EXPOSE 8000 9000 80 443

COPY dist/server/${TARGETOS}_${TARGETARCH}/woodpecker-server /bin/

USER woodpecker

HEALTHCHECK CMD ["/bin/woodpecker-server", "ping"]
ENTRYPOINT ["/bin/woodpecker-server"]
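Review bot: `EXPOSE 8000 9000 80 443` stays, but with `USER woodpecker` the server can only bind 80 and 443 if the runtime permits it; Docker's default `net.ipv4.ip_unprivileged_port_start=0` does, while many Kubernetes and Podman setups do not and need `CAP_NET_BIND_SERVICE` or that sysctl lowered. Deployments that let the server listen on 80/443 directly should be called out in the migration notes, since the `EXPOSE` line will make the ports look usable.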
@@ -1,4 +1,9 @@
FROM --platform=$BUILDPLATFORM docker.io/golang:1.23 AS certs
FROM --platform=$BUILDPLATFORM docker.io/golang:1.23 AS build

RUN groupadd -g 1000 woodpecker && \
useradd -u 1000 -g 1000 woodpecker && \
mkdir -p /var/lib/woodpecker && \
chown -R woodpecker:woodpecker /var/lib/woodpecker

FROM scratch
ARG TARGETOS TARGETARCH
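Review bot: the stage is renamed from `certs` to `build`, but it still builds nothing: the server binary is copied from the host's `dist/server/${TARGETOS}_${TARGETARCH}` later in this file, and the stage only supplies CA certificates, the passwd/group entries and the empty data directory. A name such as `base` avoids implying a compile step and keeps this file from being misread next to the agent and CLI Dockerfiles, where `build` really runs `make`.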
@@ -10,9 +15,14 @@ ENV XDG_DATA_HOME=/var/lib/woodpecker
EXPOSE 8000 9000 80 443

# copy certs from certs image
COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
# copy server binary
COPY dist/server/${TARGETOS}_${TARGETARCH}/woodpecker-server /bin/
COPY --from=build /etc/passwd /etc/passwd
COPY --from=build /etc/group /etc/group
COPY --from=build /var/lib/woodpecker /var/lib/woodpecker

USER woodpecker

HEALTHCHECK CMD ["/bin/woodpecker-server", "ping"]
ENTRYPOINT ["/bin/woodpecker-server"]
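Review bot: `COPY --from=build /var/lib/woodpecker /var/lib/woodpecker` relies on the build stage's `chown` surviving the copy; make the intent explicit with `--chown=1000:1000` so `XDG_DATA_HOME` is writable by the server regardless of builder behaviour, otherwise a root-owned data directory fails only at runtime on first write. The full `/etc/passwd` and `/etc/group` of the golang image are also copied here; a minimal file with only the `woodpecker` entry keeps the scratch image from carrying the build image's account list.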
30 changes: 30 additions & 0 deletions docs/docs/30-administration/04-image-variants.md
@@ -0,0 +1,30 @@
# Image variants

:::info
The `latest` tag has been deprecated as of v3.0 and will be completely removed in the future.
This was done to prevent accidental major version upgrades.
:::

- `vX.Y.Z`: SemVer tags for specific releases, no entrypoint shell (scratch image)
- `vX.Y`
- `vX`
- `vX.Y.Z-alpine`: SemVer tags for specific releases, based on Alpine, rootless (as of v3.0).
- `vX.Y-alpine`
- `vX-alpine`
- `next`: Built from the `main` branch
- `pull_<PR_ID>`: Images built from Pull Request branches.

## Image registries

Images are pushed to DockerHub and Quay.

[woodpecker-server (DockerHub)](https://hub.docker.com/repository/docker/woodpeckerci/woodpecker-server)
[woodpecker-server (Quay)](https://quay.io/repository/woodpeckerci/woodpecker-server)

[woodpecker-agent (DockerHub)](https://hub.docker.com/repository/docker/woodpeckerci/woodpecker-agent)
[woodpecker-agent (Quay)](https://quay.io/repository/woodpeckerci/woodpecker-agent)

[woodpecker-cli (DockerHub)](https://hub.docker.com/repository/docker/woodpeckerci/woodpecker-cli)
[woodpecker-cli (Quay)](https://quay.io/repository/woodpeckerci/woodpecker-cli)

[woodpecker-autoscaler (DockerHub)](https://hub.docker.com/repository/docker/woodpeckerci/autoscaler)
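Review bot: the variant list marks only `vX.Y.Z-alpine` as `rootless (as of v3.0)`, yet the scratch Dockerfiles in this PR also switch to `USER woodpecker`, and the migration note says all images now run as a non-privileged user. Either the scratch line should say rootless as well, or, if only Alpine is meant (the PR title says `rootless (alpine) images`), the migration note and the scratch Dockerfiles contradict this page. Minor: the `next` and `pull_<PR_ID>` bullets are inconsistent in their ending punctuation.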
6 changes: 3 additions & 3 deletions docs/docs/92-development/07-guides.md
@@ -40,7 +40,7 @@ export PLATFORMS='linux|amd64'
make cross-compile-server

### build the image
docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.server.multiarch --push .
docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.server.multiarch.rootless --push .
```

:::info
@@ -55,7 +55,7 @@ You can try to use the `build-server` rule instead, however this one fails for s
make build-agent

### build the image
docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.agent.multiarch --push .
docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.agent.multiarch.rootless --push .
```

### CLI
@@ -65,5 +65,5 @@ docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Docker
make build-cli

### build the image
docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.cli.multiarch --push .
docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.cli.multiarch.rootless --push .
```
5 changes: 5 additions & 0 deletions docs/src/pages/migrations.md
@@ -172,6 +172,11 @@ The following restructuring was done to achieve a more consistent grouping:

- Webhook signatures now use the `rfc9421` protocol

#### Rootless images

All Woodpecker images now use a non-privileged user (`woodpecker`) by default.
If you have volume mounts attached to containers, you might need to update the ownership of these directories from `root` to `woodpecker`.

## User migrations

- `gated` has been replaced by `require-approval`
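Review bot: the ownership hint should give numeric IDs: the `woodpecker` user does not exist on the host, so the command operators need is `chown -R 1000:1000 <volume>` (UID and GID 1000 as set in the Dockerfiles). The note should also mention that a non-root server cannot bind ports 80/443 without `CAP_NET_BIND_SERVICE` or a lowered `net.ipv4.ip_unprivileged_port_start`, and that root-owned sockets or devices mounted into the agent container must be made accessible to UID 1000.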