diff --git a/Dockerfile b/Dockerfile
index c4294d9..2708391 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,4 @@
-FROM --platform=$BUILDPLATFORM alpine:3 AS build-env
-
+FROM alpine:3 AS build-env
 RUN apk add --update --no-cache \
 automake \
 autoconf \
@@ -14,11 +13,10 @@ RUN apk add --update --no-cache \
 libtool \
 linux-headers \
 make \
+ vim \
 wget
-
 ARG TARGETARCH
 ARG BUILDARCH
-
 RUN LIBDIR=/lib; \
 if [ "${TARGETARCH}" = "arm64" ]; then \
 ARCH=aarch64; \
@@ -35,20 +33,17 @@ RUN LIBDIR=/lib; \
 mkdir -p $LIBDIR; \
 fi; \
 fi;
-
 # Build minimal busybox
 WORKDIR /
-# busybox v1.34.1 stable
 RUN git clone -b 1_34_1 --single-branch https://git.busybox.net/busybox
 WORKDIR /busybox
-ADD busybox.min.config .config
+COPY busybox.min.config .config
 RUN if [ "${TARGETARCH}" = "arm64" ] && [ "${BUILDARCH}" != "arm64" ]; then \
 export CC=aarch64-linux-musl-gcc; \
 elif [ "${TARGETARCH}" = "amd64" ] && [ "${BUILDARCH}" != "amd64" ]; then \
 export CC=x86_64-linux-musl-gcc; \
 fi; \
 make
-
 # Static jq
 WORKDIR /
 RUN git clone --recursive -b jq-1.6 --single-branch https://github.com/stedolan/jq.git
@@ -60,7 +55,6 @@ RUN autoreconf -fi;\
 FROM boxboat/config-merge:0.2.1 as config-merge
 FROM alpine:3
-
 RUN apk add --no-cache \
 curl \
 lz4 \
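Review bot: Removing `--platform=$BUILDPLATFORM` from the `build-env` `FROM` changes how the stage runs without touching the cross-compile logic that depends on it: `BUILDARCH` still describes the build host, so on a cross build the `CC=aarch64-linux-musl-gcc` / `CC=x86_64-linux-musl-gcc` branches in the busybox `RUN` (hunk @@ -35,20) are still selected, but they now execute inside a stage that is itself running as the target architecture, where the toolchain prepared by the `RUN LIBDIR=/lib` step (cut off at the hunk edge) looks host-specific and is unlikely to run. Either restore `FROM --platform=$BUILDPLATFORM alpine:3 AS build-env` or, if native-on-target builds are the intent, remove the `BUILDARCH` comparison and the cross toolchain setup in the same change so the two do not disagree. Adding `vim` to the build stage's apk list (hunk @@ -14,11) installs an interactive editor into a stage that should be reproducible and non-interactive; it does not reach the final image, but it has no build-time use either and should be dropped.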
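Review bot: The `# busybox v1.34.1 stable` comment removed above `git clone -b 1_34_1` was the only human-readable statement of which busybox release is built, and since `1_34_1` is a branch rather than a tag or commit, the remaining pin can move; keep the line, e.g. `# busybox v1.34.1 stable branch (1_34_1); no tag/commit pin, so clone content may change`. The `ADD` → `COPY` change for `busybox.min.config` is correct and matches the file's other local copies. The `RUN if` block that selects `CC` is complete within this hunk.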
@@ -69,7 +63,49 @@ RUN apk add --no-cache \
 rsync \
 tar \
 wget \
- zstd-dev
+ zstd-dev \
+ python3 \
+ py3-pip \
+ tmux \
+ vim \
+ python3-dev \
+ sudo
+
+# Create operator user and group, and set up sudo
+RUN addgroup -g 1000 operator && \
+ adduser -D -u 1000 -G operator operator && \
+ echo "operator ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/operator && \
+ chmod 0440 /etc/sudoers.d/operator
+
+# Install gcloud
+RUN apk add --no-cache python3 curl bash && \
+ curl -O https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-453.0.0-linux-x86_64.tar.gz && \
+ tar -xf google-cloud-cli-453.0.0-linux-x86_64.tar.gz && \
+ ./google-cloud-sdk/install.sh --quiet --path-update=true --usage-reporting=false --additional-components beta gsutil && \
+ rm -f google-cloud-cli-453.0.0-linux-x86_64.tar.gz && \
+ ln -s /google-cloud-sdk/bin/gcloud /usr/local/bin/gcloud && \
+ ln -s /google-cloud-sdk/bin/gsutil /usr/local/bin/gsutil && \
+ chown -R operator:operator /google-cloud-sdk
+
+# Create and activate a virtual environment
+RUN python3 -m venv /opt/venv && \
+ chown -R operator:operator /opt/venv && \
+ chmod -R 755 /opt/venv/bin # Ensure executables are runnable
+
+ENV PATH="/opt/venv/bin:/google-cloud-sdk/bin:$PATH"
+
+# Install gsutil and fix permissions
+USER operator
+RUN /opt/venv/bin/pip3 install --upgrade pip && \
+ /opt/venv/bin/pip3 install gsutil google-cloud-storage
+
+# Make sure all files in venv are owned by operator
+USER root
+RUN chown -R operator:operator /opt/venv && \
+ chmod -R 755 /opt/venv/bin
+
+# Switch back to operator for the remaining operations
+USER operator
 
 # Install busybox
 COPY --from=build-env /busybox/busybox /busybox/busybox
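Review bot: `echo "operator ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/operator` together with `sudo` in the apk list gives the operator account unrestricted root with no password, so every later `USER operator` line in this file is cosmetic rather than a privilege boundary; drop `sudo` and the sudoers rule, and if one root-only action is genuinely needed at runtime, restrict the rule to that single command instead of `ALL`. The gcloud step fetches `google-cloud-cli-453.0.0-linux-x86_64.tar.gz` with plain `curl -O` and unpacks it with no integrity check, unlike the `sha256sum -c` pinning this same file already applies to dasel, and it hardcodes x86_64 although the rest of the Dockerfile selects binaries by `TARGETARCH` / `uname -m`, so arm64 images will carry an SDK for the wrong architecture. Pin a digest and use `-f` so an HTTP error page is not silently unpacked; the sketch below does this for the existing x86_64 tarball, with the digest left as a placeholder to be taken from Google's published listing. `pip3 install gsutil google-cloud-storage` is unpinned and installs a second `gsutil` next to the one `install.sh --additional-components beta gsutil` already provides, and `tmux`/`vim` are interactive tools that belong in a dev overlay rather than the shipped image.
```dockerfile
# Install gcloud, verifying the tarball against a pinned digest before unpacking
# (same approach as the dasel step further down in this file).
ARG GCLOUD_TGZ=google-cloud-cli-453.0.0-linux-x86_64.tar.gz
# PLACEHOLDER: sha256 of ${GCLOUD_TGZ} from Google's release listing
ARG GCLOUD_SHA256=<sha256-placeholder>
RUN curl -fsSLO "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/${GCLOUD_TGZ}" && \
    echo "${GCLOUD_SHA256}  ${GCLOUD_TGZ}" | sha256sum -c - && \
    tar -xf "${GCLOUD_TGZ}" && \
    # … unchanged: install.sh, symlinks, chown …
    rm -f "${GCLOUD_TGZ}"
```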
@@ -82,11 +118,10 @@ COPY --from=config-merge /usr/local/config-merge /usr/local/config-merge
 COPY --from=config-merge /usr/local/bin/config-merge /usr/local/bin/config-merge
 COPY --from=config-merge /usr/local/bin/envsubst /usr/local/bin/envsubst
 
-# Add dasel.
-# The dasel repository does not post checksums of the published binaries,
-# so use hardcoded binaries in order to avoid potential supply chain attacks.
-# Note, dasel does publish docker images, but only for amd64,
-# so we cannot copy the binary out like we do for config-merge.
+# Switch to root for dasel installation
+USER root
+
+# Add dasel
 RUN if [ "$(uname -m)" = "aarch64" ]; then \
 ARCH=arm64 DASELSUM="8e1f95b5f361f68ed8376d5a9593ae4249e28153a05b26f1f99f9466efeac5c9 /usr/local/bin/dasel"; \
 else \
@@ -95,3 +130,12 @@ RUN if [ "$(uname -m)" = "aarch64" ]; then \
 wget -O /usr/local/bin/dasel https://github.com/TomWright/dasel/releases/download/v1.26.0/dasel_linux_$ARCH && \
 sha256sum -c <(echo "$DASELSUM") && \
 chmod +x /usr/local/bin/dasel
+
+# Set ownership of working directory and home directory
+RUN mkdir -p /app && chown operator:operator /app && \
+ mkdir -p /home/operator && chown -R operator:operator /home/operator
+
+# Switch to operator user at the end
+USER operator
+WORKDIR /app
+ENTRYPOINT ["/bin/sh"]
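Review bot: The four removed comment lines above the dasel `RUN` were the only explanation of why `DASELSUM` is a hardcoded digest and why the binary is not copied out of a dasel image the way config-merge is; the replacement `# Add dasel` keeps the mechanism but drops its rationale, which is exactly what the next person bumping `v1.26.0` needs. Keep the justification, e.g. `# Add dasel. Upstream publishes no checksums, so the binaries are pinned by hardcoded sha256 below;` and `# dasel images are amd64-only, so we cannot COPY --from them like config-merge.` The `USER root` switch is necessary for writing to `/usr/local/bin` and is fine here as long as it is paired with the final `USER operator`. The `RUN if` block continues past this hunk.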
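Review bot: `ENTRYPOINT ["/bin/sh"]` with no `CMD` makes the image start an interactive shell by default, so any orchestrator running it without a TTY gets a process that exits immediately; if the image is meant to be run non-interactively, put the tool in `ENTRYPOINT` and its default arguments in `CMD`, and if it is purely an interactive toolbox, say so in a comment above the line. `mkdir -p /home/operator` is redundant with the `adduser -D` earlier in this file, which creates the home directory; only the `chown -R` would be needed, and only if something root-owned was written there before. This hunk's `USER operator` is the right final state, but it only constitutes a privilege boundary once the passwordless sudo rule added earlier in the file is removed.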