New approach to Gogs Docker Container

- VOLUME for ‘/data’ - Usage of S6 as PID 1 Process - Usage of ‘socat’ so linked container (like databases) are binded to localhost - OpenSSH, Socat Link and Gogs are supervised using S6 - Size of container reduced to ~75Mo
2015-10-02 10:56:36 +01:00 · 2015-10-02 10:56:36 +01:00 · e63e0b3105
commit e63e0b3105
parent e0a099ec11
8 changed files with 115 additions and 90 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -1,7 +1,7 @@
-.git/*
-conf/*
-packager/*
-scripts/*
+.git
+conf
+packager
+scripts
 *.yml
 *.md
 .bra.toml
--- a/63
+++ b/63
@ -1,54 +1,31 @@
-FROM google/debian:wheezy
-MAINTAINER u@gogs.io
+FROM alpine:3.2
+MAINTAINER roemer.jp@gmail.com

-RUN echo "deb http://ftp.debian.org/debian/ wheezy-backports main" >> /etc/apt/sources.list && \
-	apt-get update -qqy && \
-	apt-get install --no-install-recommends -qqy \
-	curl build-essential ca-certificates git \ 
-	openssh-server libpam-dev && \
-	apt-get autoclean && \
-    apt-get autoremove && \
-    rm -rf /var/lib/apt/lists/*
+# Install system utils & Gogs runtime dependencies
+ADD https://github.com/tianon/gosu/releases/download/1.5/gosu-amd64 /usr/sbin/gosu
+RUN echo "@edge http://dl-4.alpinelinux.org/alpine/edge/main" | tee -a /etc/apk/repositories \
+ && echo "@community http://dl-4.alpinelinux.org/alpine/edge/community" | tee -a /etc/apk/repositories \
+ && apk -U --no-progress upgrade \
+ && apk -U --no-progress add ca-certificates git linux-pam s6@edge curl openssh socat \
+ && chmod +x /usr/sbin/gosu

-ENV GOROOT /goroot
-ENV GOPATH /gopath
-ENV PATH $PATH:$GOROOT/bin:$GOPATH/bin
+# Configure SSH
+COPY docker/sshd_config /etc/ssh/sshd_config

-COPY . /gopath/src/github.com/gogits/gogs/
-WORKDIR /gopath/src/github.com/gogits/gogs/
-
-# Build binary and clean up useless files
-RUN mkdir /goroot && \
-	curl https://storage.googleapis.com/golang/go1.5.linux-amd64.tar.gz | tar xzf - -C /goroot --strip-components=1 && \
-	go get -v -tags "sqlite redis memcache cert pam" && \
-	go build -tags "sqlite redis memcache cert pam" && \
-	mkdir /app/ && \
-	mv /gopath/src/github.com/gogits/gogs/ /app/gogs/ && \
-	rm -r $GOROOT $GOPATH
+# Configure Go and build Gogs
+ENV GOPATH /tmp/go
+ENV PATH $PATH:$GOPATH/bin

+COPY . /app/gogs/
 WORKDIR /app/gogs/
+RUN ./docker/build.sh

-RUN useradd --shell /bin/bash --system --comment gogits git
-
-# SSH login fix, otherwise user is kicked off after login
-RUN mkdir /var/run/sshd && \
-	sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd && \
-	sed 's@UsePrivilegeSeparation yes@UsePrivilegeSeparation no@' -i /etc/ssh/sshd_config && \
-	echo "export VISIBLE=now" >> /etc/profile && \
-	echo "PermitUserEnvironment yes" >> /etc/ssh/sshd_config
-
-# Setup server keys on startup
-RUN sed 's@^HostKey@\#HostKey@' -i /etc/ssh/sshd_config && \
-	echo "HostKey /data/ssh/ssh_host_key" >> /etc/ssh/sshd_config && \
-	echo "HostKey /data/ssh/ssh_host_rsa_key" >> /etc/ssh/sshd_config && \
-	echo "HostKey /data/ssh/ssh_host_dsa_key" >> /etc/ssh/sshd_config && \
-	echo "HostKey /data/ssh/ssh_host_ecdsa_key" >> /etc/ssh/sshd_config && \
-	echo "HostKey /data/ssh/ssh_host_ed25519_key" >> /etc/ssh/sshd_config
-
-# Prepare data
 ENV GOGS_CUSTOM /data/gogs
+
+# Create git user for Gogs
+RUN adduser -D -g 'Gogs Git User' git -h /data/git/ -s /bin/sh && passwd -u git
 RUN echo "export GOGS_CUSTOM=/data/gogs" >> /etc/profile

+VOLUME ["/data"]
 EXPOSE 22 3000
-ENTRYPOINT []
 CMD ["./docker/start.sh"]
--- a/docker/build.sh
+++ b/docker/build.sh
@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Install build deps
+apk -U --no-progress add linux-pam-dev go@community gcc musl-dev
+
+# Init go environment to build Gogs
+mkdir -p ${GOPATH}/src/github.com/gogits/
+ln -s /app/gogs/ ${GOPATH}/src/github.com/gogits/gogs
+cd ${GOPATH}/src/github.com/gogits/gogs
+go get -v -tags "sqlite redis memcache cert pam"
+go build -tags "sqlite redis memcache cert pam"
+
+# Cleanup GOPATH
+rm -r $GOPATH
+
+# Remove build deps
+apk --no-progress del linux-pam-dev go gcc musl-dev
--- a/docker/s6/.s6-svscan/finish
+++ b/docker/s6/.s6-svscan/finish
@ -0,0 +1,2 @@
+#!/bin/sh
+exec /bin/true
--- a/docker/s6/gogs/run
+++ b/docker/s6/gogs/run
@ -0,0 +1,28 @@
+#!/bin/sh
+USER=git
+USERNAME=$USER
+
+if ! test -d /data/gogs; then
+	mkdir -p /data/gogs/data /data/gogs/conf /data/gogs/log /data/git
+fi
+
+if ! test -d ~git/.ssh; then
+    mkdir ~git/.ssh
+    chmod 700 ~git/.ssh
+fi
+
+if ! test -f ~git/.ssh/environment; then
+    echo "GOGS_CUSTOM=/data/gogs" > ~git/.ssh/environment
+    chown git:git ~git/.ssh/environment
+    chown 600 ~git/.ssh/environment
+fi
+
+ln -sf /data/gogs/log  /app/gogs/log
+ln -sf /data/gogs/data /app/gogs/data
+ln -sf /data/gogs/conf /app/gogs/conf
+
+chown -R git:git /data /app/gogs ~git/
+
+export USER
+export USERNAME
+exec gosu $USER /app/gogs/gogs web
--- a/docker/s6/openssh/run
+++ b/docker/s6/openssh/run
@ -0,0 +1,15 @@
+#!/bin/sh
+
+if ! test -d /data/ssh
+then
+	mkdir -p /data/ssh
+	ssh-keygen -q -f /data/ssh/ssh_host_key -N '' -t rsa1
+	ssh-keygen -q -f /data/ssh/ssh_host_rsa_key -N '' -t rsa
+	ssh-keygen -q -f /data/ssh/ssh_host_dsa_key -N '' -t dsa
+	ssh-keygen -q -f /data/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
+	ssh-keygen -q -f /data/ssh/ssh_host_ed25519_key -N '' -t ed25519
+	chown -R root:root /data/ssh/*
+	chmod 600 /data/ssh/*
+fi
+
+exec gosu root /usr/sbin/sshd -D -f /etc/ssh/sshd_config
--- a/docker/sshd_config
+++ b/docker/sshd_config
@ -0,0 +1,17 @@
+Port 22
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+Protocol 2
+LogLevel INFO
+HostKey /data/ssh/ssh_host_key
+HostKey /data/ssh/ssh_host_rsa_key
+HostKey /data/ssh/ssh_host_dsa_key
+HostKey /data/ssh/ssh_host_ecdsa_key
+HostKey /data/ssh/ssh_host_ed25519_key
+PermitRootLogin no
+AuthorizedKeysFile	.ssh/authorized_keys
+PasswordAuthentication no
+UsePrivilegeSeparation no
+PermitUserEnvironment yes
+AllowUsers git
--- a/docker/start.sh
+++ b/docker/start.sh
@ -1,43 +1,12 @@
-#!/bin/bash -
-#
+#!/bin/sh

-if ! test -d /data/gogs
-then
-	mkdir -p /var/run/sshd
-	mkdir -p /data/gogs/data /data/gogs/conf /data/gogs/log /data/git
-fi
+# Bind linked docker container to localhost socket using socat
+env | sed -En 's|(.*)_PORT_([0-9]*)_TCP=tcp://(.*):(.*)|\1_\2 socat -ls TCP4-LISTEN:\2,fork,reuseaddr TCP4:\3:\4|p' | \
+while read NAME CMD; do
+    mkdir -p /app/gogs/docker/s6/$NAME
+    echo -e "#!/bin/sh\nexec $CMD" > /app/gogs/docker/s6/$NAME/run
+    chmod +x /app/gogs/docker/s6/$NAME/run
+done

-if ! test -d /data/ssh
-then
-	mkdir /data/ssh
-	ssh-keygen -q -f /data/ssh/ssh_host_key -N '' -t rsa1
-	ssh-keygen -q -f /data/ssh/ssh_host_rsa_key -N '' -t rsa
-	ssh-keygen -q -f /data/ssh/ssh_host_dsa_key -N '' -t dsa
-	ssh-keygen -q -f /data/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
-	ssh-keygen -q -f /data/ssh/ssh_host_ed25519_key -N '' -t ed25519
-	chown -R root:root /data/ssh/*
-	chmod 600 /data/ssh/*
-fi
-
-service ssh start
-
-ln -sf /data/gogs/log ./log
-ln -sf /data/gogs/data ./data
-ln -sf /data/git /home/git
-
-
-if ! test -d ~git/.ssh
-then
-  mkdir ~git/.ssh
-  chmod 700 ~git/.ssh
-fi
-
-if ! test -f ~git/.ssh/environment
-then
-  echo "GOGS_CUSTOM=/data/gogs" > ~git/.ssh/environment
-  chown git:git ~git/.ssh/environment
-  chown 600 ~git/.ssh/environment
-fi
-
-chown -R git:git /data .
-exec su git -c "./gogs web"
+# Exec S6 as process manager for gogs and dropbear ssh
+exec /usr/bin/s6-svscan /app/gogs/docker/s6/