#
# Copyright (c) 2018-2023 Red Hat, Inc.
# This program and the accompanying materials are made
# available under the terms of the Eclipse Public License 2.0
# which is available at https://www.eclipse.org/legal/epl-2.0/
#
# SPDX-License-Identifier: EPL-2.0
#
# Contributors:
# Red Hat, Inc. - initial API and implementation
# IBM Corporation - implementation
#
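# Builder: check meta.yamls and create index.json
# https://registry.access.redhat.com/ubi8/python-39
#
# Stage 1 of 2. Installs the tooling (python, jq, yq, tree, the plugin-registry
# generator), generates the devworkspace templates, validates the devfiles and
# writes index.json plus the external-image lists. Nothing from this stage is
# served directly: the `registry` stage copies /build/devfiles and
# /build/resources out of it, everything else is discarded.
#
# Note: `AS` is upper-cased to match the `registry` stage below (BuildKit's
# FromAsCasing check warns when the keyword casing differs from FROM).
FROM ubi8/python-39:1-97 AS builder
# hadolint ignore=DL3002
USER root
# cachito #1
# REMOTE_SOURCES / REMOTE_SOURCES_DIR are not declared in this file; presumably
# the Brew/OSBS build injects them (Cachito remote-sources convention) — confirm
# with the pipeline config before building this file anywhere else.
COPY $REMOTE_SOURCES $REMOTE_SOURCES_DIR
ENV PYTHON_VERSION=3.9
# TODO remove BOOTSTRAP when we replace resources with cachito
ARG BOOTSTRAP=false
ENV BOOTSTRAP=${BOOTSTRAP}
# if not defined or string is null, allow all registries/tags in list_referenced_images
# otherwise restrict to only those space-separated registries/tags; if others found, build will fail
# useful for failing build if quay images in an RC, or wrong devspaces image tag (3.2 in 3.1 build)
ARG ALLOWED_REGISTRIES=""
ENV ALLOWED_REGISTRIES=${ALLOWED_REGISTRIES}
ARG ALLOWED_TAGS=""
ENV ALLOWED_TAGS=${ALLOWED_TAGS}
# enable content sets to resolve jq as rpm
COPY ./build/dockerfiles/content_sets_rhel8.repo /etc/yum.repos.d/
# install yq and jq
# Package versions are deliberately unpinned and `dnf clean all` is skipped
# (DL3040/DL3041 ignored): this is a throw-away builder stage. Sourcing
# cachito.env before the pip install presumably points pip at the
# Cachito-provided sources so the yq install is hermetic — confirm.
# hadolint ignore=DL3003,DL4006,SC2086,DL3040,DL3041
RUN dnf -y -q install python39 python39-devel python39-setuptools python39-pip jq tree && \
# tree -L 2 "$REMOTE_SOURCES_DIR/*/app/" && \
# cachito #2: install yq using cachito sources
cd $REMOTE_SOURCES_DIR/python-deps/app/devspaces-devfileregistry/build/python && \
source $REMOTE_SOURCES_DIR/python-deps/cachito.env && \
python${PYTHON_VERSION} -m pip install --no-cache-dir --upgrade pip argcomplete setuptools yq && yq --version
WORKDIR /build/
# Scripts and version manifests first, then the devfiles they operate on.
COPY ./build/scripts ./versions.json ./job-config.json /build/
COPY ./devfiles /build/devfiles
# build eclipse-che/plugin-registry-generator
# hadolint ignore=DL3003,SC2086
RUN cd $REMOTE_SOURCES_DIR/plugin-registry-generator/app/tools/build && \
yarn install
# TODO use cachito to fetch sample project code (instead of ./resources or resources.tgz)
# TODO can we run this inside brew?
# TODO do we need to override the version in versions.json?
# `tree` only logs the unpacked remote-sources layout for the build record.
# hadolint ignore=DL3003,SC2086
RUN tree -L 2 $REMOTE_SOURCES_DIR/*/app/ && \
./generate_devworkspace_templates.sh && chmod -R g+rwX /build/resources
# validate devfile content
# Fails the build if any devfile references a registry or tag outside the
# allow-lists above (an empty list allows everything), or lacks mandatory fields.
RUN ./check_referenced_images.sh devfiles --registries "${ALLOWED_REGISTRIES}" --tags "${ALLOWED_TAGS}" && \
./check_mandatory_fields.sh devfiles
# Cache projects in DS
# TODO remove resources.tgz in favour of cachito solution
# The helper script and tarball are removed in the same layer that uses them.
COPY ./build/dockerfiles/rhel.cache_projects.sh resources.tgz /tmp/
RUN /tmp/rhel.cache_projects.sh /build/ && rm -rf /tmp/rhel.cache_projects.sh /tmp/resources.tgz && ./swap_yamlfiles.sh devfiles
# Outputs consumed by the registry stage: index.json and the two lists of
# externally referenced images. Group-writable so that a non-root, GID-0
# runtime user (OpenShift arbitrary UID) can still use them — presumably; confirm.
RUN ./index.sh > /build/devfiles/index.json && \
./list_referenced_images.sh devfiles > /build/devfiles/external_images.txt && \
./list_referenced_images_by_file.sh devfiles > /build/devfiles/external_images_by_devfile.txt && \
chmod -R g+rwX /build/devfiles /build/resources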
#################
# PHASE TWO: configure registry image
#################
# Build registry, copying meta.yamls and index.json from builder
# https://registry.access.redhat.com/rhel8/httpd-24
#
# Stage 2 of 2 and the image that ships: an httpd instance serving the
# generated devfiles, resources and images copied out of `builder`.
FROM rhel8/httpd-24:1-240.1675799498 AS registry
# hadolint ignore=DL3002
USER 0
# NOTE(review): there is no later USER in this stage, so outside OpenShift
# (which assigns an arbitrary UID) the container starts as root unless
# entrypoint.sh drops privileges — confirm against the entrypoint scripts.
# latest httpd container doesn't include ssl cert, so generate one
# The cert is generated at build time, so it is baked into the image layer and
# shared by every container started from it. `yum update` refreshes packages
# beyond the pinned base tag; the rpm listing records the final package set in
# the build log.
# hadolint ignore=DL4006
RUN chmod +x /usr/share/container-scripts/httpd/pre-init/40-ssl-certs.sh && \
/usr/share/container-scripts/httpd/pre-init/40-ssl-certs.sh && \
yum -y -q update && \
yum -y -q clean all && rm -rf /var/cache/yum && \
echo "Installed Packages" && rpm -qa | sort -V && echo "End Of Installed Packages"
# Appends `<FilesMatch "^\.ht"> Require all denied </FilesMatch>`: refuses to
# serve any file whose name starts with .ht (covers the .htaccess copied below).
# hadolint ignore=SC2140
RUN echo "<FilesMatch "\""^\\.ht"\"">" >> /etc/httpd/conf/httpd.conf && \
echo "Require all denied" >> /etc/httpd/conf/httpd.conf && \
echo "</FilesMatch>" >> /etc/httpd/conf/httpd.conf
# Replaces the base image's SSLv2 exclusion with SSLv3 and drops MEDIUM from
# the cipher list.
# NOTE(review): this line does not exclude TLSv1/TLSv1.1; presumably the
# system-wide crypto policy on RHEL 8 governs the effective protocol set —
# confirm before relying on it.
RUN sed -i /etc/httpd/conf.d/ssl.conf \
-e "s,SSLProtocol all -SSLv2,SSLProtocol all -SSLv3," \
-e "s,SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5,SSLCipherSuite HIGH:!aNULL:!MD5,"
# Listen on an unprivileged port, send logs to the container's stdout/stderr,
# and honour .htaccess files (AllowOverride All) for the copied .htaccess.
# NOTE(review): `a+rwX` leaves the httpd config directory world-writable, so
# any process in the container can rewrite the server config; if only GID-0
# arbitrary UIDs need write access, `g+rwX` would be the least privilege — confirm.
RUN sed -i /etc/httpd/conf/httpd.conf \
-e "s,Listen 80,Listen 8080," \
-e "s,logs/error_log,/dev/stderr," \
-e "s,logs/access_log,/dev/stdout," \
-e "s,AllowOverride None,AllowOverride All," && \
chmod a+rwX /etc/httpd/conf /run/httpd /etc/httpd/logs/
# httpd treats SIGWINCH as a graceful stop, so `docker stop` drains in-flight requests.
STOPSIGNAL SIGWINCH
ARG DS_BRANCH=devspaces-3-rhel-8
ENV DS_BRANCH=${DS_BRANCH}
WORKDIR /var/www/html
# NOTE(review): mode 777 makes the devfiles directory world-writable; with
# AllowOverride All above, anything that can write here can drop an .htaccess
# and change how the directory is served. The later `chmod -R g+rw` suggests
# group-writable was the intent — confirm.
RUN mkdir -m 777 /var/www/html/devfiles
COPY README.md .htaccess /var/www/html/
# Generated content from the builder stage.
COPY --from=builder /build/devfiles /var/www/html/devfiles
COPY --from=builder /build/resources /var/www/html/resources
COPY ./images /var/www/html/images
COPY ./build/dockerfiles/rhel.entrypoint.sh ./build/dockerfiles/entrypoint.sh /usr/local/bin/
# `X` only adds execute where an execute bit is already set, so the entrypoint
# scripts rely on being executable in the source tree. GID 0 + group-writable
# docroot is the OpenShift arbitrary-UID convention — presumably; confirm.
RUN chmod g+rwX /usr/local/bin/entrypoint.sh /usr/local/bin/rhel.entrypoint.sh && \
chgrp -R 0 /var/www/html && chmod -R g+rw /var/www/html
# Exec form: entrypoint.sh is PID 1 and receives STOPSIGNAL directly; CMD is
# passed to it as its argument and can be overridden at `docker run`.
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
CMD ["/usr/local/bin/rhel.entrypoint.sh"]
# Offline build
#TODO can we enable these stages in Brew?
# FROM builder AS offline-builder
# RUN ./cache_projects.sh devfiles resources && \
# ./cache_images.sh devfiles resources && \
# chmod -R g+rwX /build
#TODO can we enable these stages in Brew?
# FROM registry AS offline-registry
# COPY --from=offline-builder /build/devfiles /var/www/html/devfiles
# COPY --from=offline-builder /build/resources /var/www/html/resources
# append Brew metadata here