docker: switch from musl to glibc, and simplify stuff

The Dockerfile now has two stages: build and assembly.
This allows for a full-fledged debian build container,
while still resulting in a super-thin busybox image.

License: MIT
Signed-off-by: Lars Gierth <[email protected]>

Author: Lars Gierth

.dockerignore

@@ -1,3 +1,5 @@
+Dockerfile
+Dockerfile.fast
 .git/
 !.git/HEAD
 !.git/refs/

Dockerfile

@@ -1,11 +1,46 @@
-FROM alpine:edge
+FROM golang:1.9-stretch
 MAINTAINER Lars Gierth <[email protected]>
 
 # There is a copy of this Dockerfile called Dockerfile.fast,
 # which is optimized for build time, instead of image size.
 #
 # Please keep these two Dockerfiles in sync.
 
+ENV GX_IPFS ""
+ENV SRC_DIR /go/src/github.com/ipfs/go-ipfs
+
+COPY . $SRC_DIR
+
+# Build the thing.
+RUN cd $SRC_DIR \
+  # Required for getting the HEAD commit hash via git rev-parse.
+  && mkdir .git/objects \
+  # Allows using a custom (i.e. local) IPFS API endpoint.
+  && ([ -z "$GX_IPFS" ] || echo $GX_IPFS > /root/.ipfs/api) \
+  # Build the thing.
+  && make build
+
+# Get the TLS CA certificates, they're not provided by busybox.
+RUN apt-get install -y ca-certificates
+
+# Now comes the actual target image, which aims to be as small as possible.
+FROM busybox:1-glibc
+MAINTAINER Lars Gierth <[email protected]>
+
+# Get the ipfs binary, entrypoint script, and TLS CAs from the build container.
+ENV SRC_DIR /go/src/github.com/ipfs/go-ipfs
+COPY --from=0 $SRC_DIR/cmd/ipfs/ipfs /usr/local/bin/ipfs
+COPY --from=0 $SRC_DIR/bin/container_daemon /usr/local/bin/start_ipfs
+COPY --from=0 /etc/ssl/certs /etc/ssl/certs
+
+# This shared lib (part of glibc) doesn't seem to be included with busybox.
+COPY --from=0 /lib/x86_64-linux-gnu/libdl-2.24.so /lib/libdl.so.2
+
+# This installs a very simple program acting as the init process.
+# Makes sure signals are properly passed to the ipfs daemon process.
+ENV TINI_VERSION v0.16.1
+ADD https://github.com/krallin/tini/releases/download/$TINI_VERSION/tini /sbin/tini
+RUN chmod +x /sbin/tini
 
 # Ports for Swarm TCP, Swarm uTP, API, Gateway, Swarm Websockets
 EXPOSE 4001
@@ -14,51 +49,18 @@ EXPOSE 5001
 EXPOSE 8080
 EXPOSE 8081
 
-# IPFS API to use for fetching gx packages.
-# This can be a gateway too, since its read-only API provides all gx needs.
-# - e.g. /ip4/172.17.0.1/tcp/8080 if the Docker host
-#   has the IPFS gateway listening on the bridge interface
-#   provided by Docker's default networking.
-# - if empty, the public gateway at ipfs.io is used.
-ENV GX_IPFS   ""
-# The IPFS fs-repo within the container
+# Create the fs-repo directory and switch to a non-privileged user.
 ENV IPFS_PATH /data/ipfs
-# The default logging level
-ENV IPFS_LOGGING ""
-# Golang stuff
-ENV GOPATH     /go
-ENV PATH       /go/bin:$PATH
-ENV SRC_PATH   /go/src/github.com/ipfs/go-ipfs
+RUN mkdir -p $IPFS_PATH && adduser -D -h $IPFS_PATH -u 1000 -g 100 ipfs
+USER ipfs
 
 # Expose the fs-repo as a volume.
-# start_ipfs initializes an fs-repo if none is mounted
+# start_ipfs initializes an fs-repo if none is mounted.
+# Important this happens after the USER directive so permission are correct.
 VOLUME $IPFS_PATH
 
-# Get the go-ipfs sourcecode
-COPY . $SRC_PATH
-
-RUN apk add --no-cache --virtual .build-deps-ipfs musl-dev gcc go git \
-	&& apk add --no-cache tini su-exec bash wget ca-certificates \
-	# Setup user
-	&& adduser -D -h $IPFS_PATH -u 1000 ipfs \
-	# Install gx
-	&& go get -u github.com/whyrusleeping/gx \
-	&& go get -u github.com/whyrusleeping/gx-go \
-	# Point gx to a specific IPFS API
-	&& ([ -z "$GX_IPFS" ] || echo $GX_IPFS > $IPFS_PATH/api) \
-	# Invoke gx
-	&& cd $SRC_PATH \
-	&& gx --verbose install --global \
-	&& mkdir .git/objects && commit=$(git rev-parse --short HEAD) \
-	&& echo "ldflags=-X github.com/ipfs/go-ipfs/repo/config.CurrentCommit=$commit" \
-	# Build and install IPFS and entrypoint script
-	&& cd $SRC_PATH/cmd/ipfs \
-	&& go build -ldflags "-X github.com/ipfs/go-ipfs/repo/config.CurrentCommit=$commit" \
-	&& cp ipfs /usr/local/bin/ipfs \
-	&& cp $SRC_PATH/bin/container_daemon /usr/local/bin/start_ipfs \
-	&& chmod 755 /usr/local/bin/start_ipfs \
-	# Remove all build-time dependencies
-	&& apk del --purge .build-deps-ipfs && rm -rf $GOPATH && rm -vf $IPFS_PATH/api
+# The default logging level
+ENV IPFS_LOGGING ""
 
 # This just makes sure that:
 # 1. There's an fs-repo, and initializes one if there isn't.

Dockerfile.fast

@@ -1,55 +1,69 @@
-FROM alpine:edge
+FROM golang:1.9-stretch
 MAINTAINER Lars Gierth <[email protected]>
 
 # This is a copy of /Dockerfile,
 # except that we optimize for build time, instead of image size.
 #
 # Please keep these two Dockerfiles in sync.
 
+ENV GX_IPFS ""
+ENV SRC_DIR /go/src/github.com/ipfs/go-ipfs
 
+COPY ./package.json $SRC_DIR/package.json
+
+RUN set -x \
+  && go get github.com/whyrusleeping/gx \
+  && go get github.com/whyrusleeping/gx-go \
+  # Allows using a custom (i.e. local) IPFS API endpoint.
+  && ([ -z "$GX_IPFS" ] || echo $GX_IPFS > /root/.ipfs/api) \
+  # Fetch the dependencies so we don't have to do it everytime.
+  && cd $SRC_DIR \
+  && gx install
+
+COPY . $SRC_DIR
+
+# Build the thing.
+RUN set -x \
+  && cd $SRC_DIR \
+  # Required for getting the HEAD commit hash via git rev-parse.
+  && mkdir .git/objects \
+  # Build the thing.
+  && make build \
+  && mv cmd/ipfs/ipfs /usr/local/bin/ipfs \
+  && mv bin/container_daemon /usr/local/bin/start_ipfs
+
+# This installs a very simple program acting as the init process.
+# Makes sure signals are properly passed to the ipfs daemon process.
+ENV TINI_VERSION v0.16.1
+ADD https://github.com/krallin/tini/releases/download/$TINI_VERSION/tini /sbin/tini
+RUN chmod +x /sbin/tini
+
+# Ports for Swarm TCP, Swarm uTP, API, Gateway, Swarm Websockets
 EXPOSE 4001
 EXPOSE 4002/udp
 EXPOSE 5001
 EXPOSE 8080
+EXPOSE 8081
 
-ENV GX_IPFS   ""
+# Create the fs-repo directory and switch to a non-privileged user.
 ENV IPFS_PATH /data/ipfs
-ENV IPFS_LOGGING ""
-ENV GOPATH     /go
-ENV PATH       /go/bin:$PATH
-ENV SRC_PATH   /go/src/github.com/ipfs/go-ipfs
+RUN mkdir -p $IPFS_PATH \
+  && useradd -s /usr/sbin/nologin -d $IPFS_PATH -u 1000 -g 100 ipfs \
+  && chown 1000:100 $IPFS_PATH
+USER ipfs
 
+# Expose the fs-repo as a volume.
+# start_ipfs initializes an fs-repo if none is mounted.
+# Important this happens after the USER directive so permission are correct.
 VOLUME $IPFS_PATH
 
-# This is an optimization which avoids rebuilding
-# of the gx dependencies every time anything changes.
-# gx will only be invoked if the dependencies have changed.
-#
-# Put differently: if package.json has changed,
-# the image-id after this COPY command will change,
-# and trigger a re-run of all following commands.
-COPY ./package.json $SRC_PATH/package.json
-
-RUN apk add --no-cache --virtual .build-deps-ipfs musl-dev gcc go git \
-	&& apk add --no-cache tini su-exec bash wget ca-certificates \
-	&& adduser -D -h $IPFS_PATH -u 1000 ipfs \
-	&& go get -u github.com/whyrusleeping/gx \
-	&& go get -u github.com/whyrusleeping/gx-go \
-	&& ([ -z "$GX_IPFS" ] || echo $GX_IPFS > $IPFS_PATH/api) \
-	&& cd $SRC_PATH \
-	&& gx --verbose install --global
-
-COPY . $SRC_PATH
-
-RUN cd $SRC_PATH \
-	&& mkdir .git/objects && commit=$(git rev-parse --short HEAD) \
-	&& echo "ldflags=-X github.com/ipfs/go-ipfs/repo/config.CurrentCommit=$commit" \
-	&& cd $SRC_PATH/cmd/ipfs \
-	&& go build -ldflags "-X github.com/ipfs/go-ipfs/repo/config.CurrentCommit=$commit" \
-	&& cp ipfs /usr/local/bin/ipfs \
-	&& cp $SRC_PATH/bin/container_daemon /usr/local/bin/start_ipfs \
-	&& chmod 755 /usr/local/bin/start_ipfs \
-	&& apk del --purge .build-deps-ipfs && rm -rf $GOPATH && rm -vf $IPFS_PATH/api
+# The default logging level
+ENV IPFS_LOGGING ""
 
+# This just makes sure that:
+# 1. There's an fs-repo, and initializes one if there isn't.
+# 2. The API and Gateway are accessible from outside the container.
 ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/start_ipfs"]
+
+# Execute the daemon subcommand by default
 CMD ["daemon", "--migrate=true"]

bin/container_daemon

@@ -1,16 +1,7 @@
 #!/bin/sh
 set -e
-user=ipfs
 repo="$IPFS_PATH"
 
-if [ `id -u` -eq 0 ]; then
-  # ensure folder is writable
-  su-exec "$user" test -w "$repo" || chown -R -- "$user" "$repo"
-  # restart script with new privileges
-  exec su-exec "$user" "$0" "$@"
-fi
-
-# 2nd invocation with regular user
 ipfs version
 
 if [ -e "$repo/config" ]; then