New approach to Gogs Docker Container

- VOLUME for ‘/data’
- Usage of S6 as PID 1 Process
- Usage of ‘socat’ so linked container (like databases) are binded to
localhost
- OpenSSH, Socat Link and Gogs are supervised using S6
- Size of container reduced to ~75Mo
release/v1.15
Jean-Philippe Roemer 2015-10-02 10:56:36 +01:00
parent e0a099ec11
commit e63e0b3105
8 changed files with 115 additions and 90 deletions

View File

@ -1,7 +1,7 @@
.git/*
conf/*
packager/*
scripts/*
.git
conf
packager
scripts
*.yml
*.md
.bra.toml

View File

@ -1,54 +1,31 @@
FROM google/debian:wheezy
MAINTAINER u@gogs.io
FROM alpine:3.2
MAINTAINER roemer.jp@gmail.com
RUN echo "deb http://ftp.debian.org/debian/ wheezy-backports main" >> /etc/apt/sources.list && \
apt-get update -qqy && \
apt-get install --no-install-recommends -qqy \
curl build-essential ca-certificates git \
openssh-server libpam-dev && \
apt-get autoclean && \
apt-get autoremove && \
rm -rf /var/lib/apt/lists/*
# Install system utils & Gogs runtime dependencies
ADD https://github.com/tianon/gosu/releases/download/1.5/gosu-amd64 /usr/sbin/gosu
RUN echo "@edge http://dl-4.alpinelinux.org/alpine/edge/main" | tee -a /etc/apk/repositories \
&& echo "@community http://dl-4.alpinelinux.org/alpine/edge/community" | tee -a /etc/apk/repositories \
&& apk -U --no-progress upgrade \
&& apk -U --no-progress add ca-certificates git linux-pam s6@edge curl openssh socat \
&& chmod +x /usr/sbin/gosu
ENV GOROOT /goroot
ENV GOPATH /gopath
ENV PATH $PATH:$GOROOT/bin:$GOPATH/bin
# Configure SSH
COPY docker/sshd_config /etc/ssh/sshd_config
COPY . /gopath/src/github.com/gogits/gogs/
WORKDIR /gopath/src/github.com/gogits/gogs/
# Build binary and clean up useless files
RUN mkdir /goroot && \
curl https://storage.googleapis.com/golang/go1.5.linux-amd64.tar.gz | tar xzf - -C /goroot --strip-components=1 && \
go get -v -tags "sqlite redis memcache cert pam" && \
go build -tags "sqlite redis memcache cert pam" && \
mkdir /app/ && \
mv /gopath/src/github.com/gogits/gogs/ /app/gogs/ && \
rm -r $GOROOT $GOPATH
# Configure Go and build Gogs
ENV GOPATH /tmp/go
ENV PATH $PATH:$GOPATH/bin
COPY . /app/gogs/
WORKDIR /app/gogs/
RUN ./docker/build.sh
RUN useradd --shell /bin/bash --system --comment gogits git
# SSH login fix, otherwise user is kicked off after login
RUN mkdir /var/run/sshd && \
sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd && \
sed 's@UsePrivilegeSeparation yes@UsePrivilegeSeparation no@' -i /etc/ssh/sshd_config && \
echo "export VISIBLE=now" >> /etc/profile && \
echo "PermitUserEnvironment yes" >> /etc/ssh/sshd_config
# Setup server keys on startup
RUN sed 's@^HostKey@\#HostKey@' -i /etc/ssh/sshd_config && \
echo "HostKey /data/ssh/ssh_host_key" >> /etc/ssh/sshd_config && \
echo "HostKey /data/ssh/ssh_host_rsa_key" >> /etc/ssh/sshd_config && \
echo "HostKey /data/ssh/ssh_host_dsa_key" >> /etc/ssh/sshd_config && \
echo "HostKey /data/ssh/ssh_host_ecdsa_key" >> /etc/ssh/sshd_config && \
echo "HostKey /data/ssh/ssh_host_ed25519_key" >> /etc/ssh/sshd_config
# Prepare data
ENV GOGS_CUSTOM /data/gogs
# Create git user for Gogs
RUN adduser -D -g 'Gogs Git User' git -h /data/git/ -s /bin/sh && passwd -u git
RUN echo "export GOGS_CUSTOM=/data/gogs" >> /etc/profile
VOLUME ["/data"]
EXPOSE 22 3000
ENTRYPOINT []
CMD ["./docker/start.sh"]

17
docker/build.sh Executable file
View File

@ -0,0 +1,17 @@
#!/bin/sh
# Install build deps
apk -U --no-progress add linux-pam-dev go@community gcc musl-dev
# Init go environment to build Gogs
mkdir -p ${GOPATH}/src/github.com/gogits/
ln -s /app/gogs/ ${GOPATH}/src/github.com/gogits/gogs
cd ${GOPATH}/src/github.com/gogits/gogs
go get -v -tags "sqlite redis memcache cert pam"
go build -tags "sqlite redis memcache cert pam"
# Cleanup GOPATH
rm -r $GOPATH
# Remove build deps
apk --no-progress del linux-pam-dev go gcc musl-dev

2
docker/s6/.s6-svscan/finish Executable file
View File

@ -0,0 +1,2 @@
#!/bin/sh
exec /bin/true

28
docker/s6/gogs/run Executable file
View File

@ -0,0 +1,28 @@
#!/bin/sh
USER=git
USERNAME=$USER
if ! test -d /data/gogs; then
mkdir -p /data/gogs/data /data/gogs/conf /data/gogs/log /data/git
fi
if ! test -d ~git/.ssh; then
mkdir ~git/.ssh
chmod 700 ~git/.ssh
fi
if ! test -f ~git/.ssh/environment; then
echo "GOGS_CUSTOM=/data/gogs" > ~git/.ssh/environment
chown git:git ~git/.ssh/environment
chown 600 ~git/.ssh/environment
fi
ln -sf /data/gogs/log /app/gogs/log
ln -sf /data/gogs/data /app/gogs/data
ln -sf /data/gogs/conf /app/gogs/conf
chown -R git:git /data /app/gogs ~git/
export USER
export USERNAME
exec gosu $USER /app/gogs/gogs web

15
docker/s6/openssh/run Executable file
View File

@ -0,0 +1,15 @@
#!/bin/sh
if ! test -d /data/ssh
then
mkdir -p /data/ssh
ssh-keygen -q -f /data/ssh/ssh_host_key -N '' -t rsa1
ssh-keygen -q -f /data/ssh/ssh_host_rsa_key -N '' -t rsa
ssh-keygen -q -f /data/ssh/ssh_host_dsa_key -N '' -t dsa
ssh-keygen -q -f /data/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
ssh-keygen -q -f /data/ssh/ssh_host_ed25519_key -N '' -t ed25519
chown -R root:root /data/ssh/*
chmod 600 /data/ssh/*
fi
exec gosu root /usr/sbin/sshd -D -f /etc/ssh/sshd_config

17
docker/sshd_config Normal file
View File

@ -0,0 +1,17 @@
Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
Protocol 2
LogLevel INFO
HostKey /data/ssh/ssh_host_key
HostKey /data/ssh/ssh_host_rsa_key
HostKey /data/ssh/ssh_host_dsa_key
HostKey /data/ssh/ssh_host_ecdsa_key
HostKey /data/ssh/ssh_host_ed25519_key
PermitRootLogin no
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
UsePrivilegeSeparation no
PermitUserEnvironment yes
AllowUsers git

View File

@ -1,43 +1,12 @@
#!/bin/bash -
#
#!/bin/sh
if ! test -d /data/gogs
then
mkdir -p /var/run/sshd
mkdir -p /data/gogs/data /data/gogs/conf /data/gogs/log /data/git
fi
# Bind linked docker container to localhost socket using socat
env | sed -En 's|(.*)_PORT_([0-9]*)_TCP=tcp://(.*):(.*)|\1_\2 socat -ls TCP4-LISTEN:\2,fork,reuseaddr TCP4:\3:\4|p' | \
while read NAME CMD; do
mkdir -p /app/gogs/docker/s6/$NAME
echo -e "#!/bin/sh\nexec $CMD" > /app/gogs/docker/s6/$NAME/run
chmod +x /app/gogs/docker/s6/$NAME/run
done
if ! test -d /data/ssh
then
mkdir /data/ssh
ssh-keygen -q -f /data/ssh/ssh_host_key -N '' -t rsa1
ssh-keygen -q -f /data/ssh/ssh_host_rsa_key -N '' -t rsa
ssh-keygen -q -f /data/ssh/ssh_host_dsa_key -N '' -t dsa
ssh-keygen -q -f /data/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
ssh-keygen -q -f /data/ssh/ssh_host_ed25519_key -N '' -t ed25519
chown -R root:root /data/ssh/*
chmod 600 /data/ssh/*
fi
service ssh start
ln -sf /data/gogs/log ./log
ln -sf /data/gogs/data ./data
ln -sf /data/git /home/git
if ! test -d ~git/.ssh
then
mkdir ~git/.ssh
chmod 700 ~git/.ssh
fi
if ! test -f ~git/.ssh/environment
then
echo "GOGS_CUSTOM=/data/gogs" > ~git/.ssh/environment
chown git:git ~git/.ssh/environment
chown 600 ~git/.ssh/environment
fi
chown -R git:git /data .
exec su git -c "./gogs web"
# Exec S6 as process manager for gogs and dropbear ssh
exec /usr/bin/s6-svscan /app/gogs/docker/s6/