diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index 3c9dad5d94..a1a5d134ef 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -17,6 +17,15 @@ jobs:
 fi
 echo "DOCKER_PUSH_TAG=${DOCKER_PUSH_TAG}"
 echo "DOCKER_PUSH_TAG=${DOCKER_PUSH_TAG}" >> $GITHUB_ENV
+ VERSION_MAJOR=`echo "${DOCKER_PUSH_TAG}" | cut -f1 -d'.'`
+ if [ "${VERSION_MAJOR}" != "${DOCKER_PUSH_TAG}" ]; then
+ VERSION_MINOR=`echo "${DOCKER_PUSH_TAG}" | cut -f2 -d'.'`
+ DOCKER_PUSH_TAG_SHORT=${VERSION_MAJOR}.${VERSION_MINOR}
+ if [ "${DOCKER_PUSH_TAG_SHORT}" != "${DOCKER_PUSH_TAG}" ]; then
+ echo "DOCKER_PUSH_TAG_SHORT=${DOCKER_PUSH_TAG_SHORT}"
+ echo "DOCKER_PUSH_TAG_SHORT=${DOCKER_PUSH_TAG_SHORT}" >> $GITHUB_ENV
+ fi
+ fi
 - name: Test tag
 if: env.DOCKER_PUSH_TAG != ''
 run: echo "${DOCKER_PUSH_TAG}"
@@ -35,10 +44,19 @@ jobs:
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
- - name: Push to DockerHub
- if: env.DOCKER_PUSH_TAG != ''
+ - name: Push to DockerHub (for branches)
+ if: env.DOCKER_PUSH_TAG != '' && env.DOCKER_PUSH_TAG_SHORT == ''
+ uses: docker/build-push-action@v3
+ with:
+ context: .
+ push: true
+ tags: ${{ secrets.DOCKERHUB_REPO_PATH }}:${{ env.DOCKER_PUSH_TAG }}
+ - name: Push to DockerHub (for tags)
+ if: env.DOCKER_PUSH_TAG != '' && env.DOCKER_PUSH_TAG_SHORT != ''
 uses: docker/build-push-action@v3
 with:
 context: .
 push: true
- tags: bitshares/bitshares-core:${{ env.DOCKER_PUSH_TAG }}
+ tags: |
+ ${{ secrets.DOCKERHUB_REPO_PATH }}:${{ env.DOCKER_PUSH_TAG }}
+ ${{ secrets.DOCKERHUB_REPO_PATH }}:${{ env.DOCKER_PUSH_TAG_SHORT }}
diff --git a/Dockerfile b/Dockerfile
index 52d4cc0405..b948626e93 100644
--- a/Dockerfile
+++ b/Dockerfile
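Review bot: The short-tag derivation only checks that `DOCKER_PUSH_TAG` has at least two dot-separated fields, so a branch whose name contains two dots (for example `feature.x.y`) would also get a `DOCKER_PUSH_TAG_SHORT` and be published by the "for tags" step as a floating `feature.x` tag, overwriting whatever last landed there. Wrapping the new block in a numeric guard such as `case "${DOCKER_PUSH_TAG}" in [0-9]*.[0-9]*.[0-9]*) … ;; esac` restricts the major.minor alias to release-style tags; how `DOCKER_PUSH_TAG` is derived sits above the hunk, so if it can never hold a branch name this is moot. While here, `$(...)` is preferable to the backtick substitution and `"$GITHUB_ENV"` should be quoted like the variables around it. The `run:` script block begins before the hunk.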
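Review bot: The new "for branches" step repeats `uses: docker/build-push-action@v3`, a mutable major-version tag, rather than pinning the action to a full commit SHA; for a third-party action that receives the registry credentials the usual hardening is `uses: docker/build-push-action@<commit-sha> # v3.x.y` on both push steps. `secrets.DOCKERHUB_REPO_PATH` is used purely as an image name, and keeping it in a secret masks the image reference in every log line; if it is not actually sensitive, a repository variable (`vars.DOCKERHUB_REPO_PATH`) keeps the logs readable. The two `if:` conditions are mutually exclusive, so at most one push runs per build.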
@@ -1,7 +1,8 @@
-FROM phusion/baseimage:focal-1.2.0
-MAINTAINER The bitshares decentralized organisation
-
+# The image for building
+FROM phusion/baseimage:focal-1.2.0 as build
 ENV LANG=en_US.UTF-8
+
+# Install dependencies
 RUN \
 apt-get update && \
 apt-get upgrade -y -o Dpkg::Options::="--force-confold" && \
@@ -29,7 +30,6 @@ RUN \
 libtool \
 doxygen \
 ca-certificates \
- fish \
 && \
 apt-get clean && \
 rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
@@ -52,7 +52,10 @@ RUN \
 -DGRAPHENE_DISABLE_UNITY_BUILD=ON \
 . && \
 make witness_node cli_wallet get_dev_key && \
- install -s programs/witness_node/witness_node programs/genesis_util/get_dev_key programs/cli_wallet/cli_wallet /usr/local/bin && \
+ install -s programs/witness_node/witness_node \
+ programs/genesis_util/get_dev_key \
+ programs/cli_wallet/cli_wallet \
+ /usr/local/bin && \
 #
 # Obtain version
 mkdir -p /etc/bitshares && \
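Review bot: `phusion/baseimage:focal-1.2.0` is now spelled out twice, here for the build stage and again in the final-image hunk below, so the two stages can drift apart on a later bump; declaring `ARG BASE_IMAGE=phusion/baseimage:focal-1.2.0` once before the first `FROM` and writing `FROM ${BASE_IMAGE} AS build` / `FROM ${BASE_IMAGE}` keeps them in lock-step and gives a single place to add a `@sha256:<digest>` pin for reproducible builds. Instructions are otherwise uppercase in this file, so `AS build` rather than `as build` is the consistent spelling. The `RUN` that follows continues past the end of the hunk.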
@@ -60,12 +63,39 @@ RUN \
 cd / && \
 rm -rf /bitshares-core
-# Home directory $HOME
+# The final image
+FROM phusion/baseimage:focal-1.2.0
+LABEL maintainer="The bitshares decentralized organisation"
+ENV LANG=en_US.UTF-8
+
+# Install required libraries
+RUN \
+ apt-get update && \
+ apt-get upgrade -y -o Dpkg::Options::="--force-confold" && \
+ apt-get update && \
+ apt-get install --no-install-recommends -y \
+ libcurl4 \
+ ca-certificates \
+ && \
+ mkdir -p /etc/bitshares && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+COPY --from=build /usr/local/bin/* /usr/local/bin/
+COPY --from=build /etc/bitshares/version /etc/bitshares/
+
 WORKDIR /
-RUN useradd -s /bin/bash -m -d /var/lib/bitshares bitshares
+RUN groupadd -g 10001 bitshares
+RUN useradd -u 10000 -g bitshares -s /bin/bash -m -d /var/lib/bitshares --no-log-init bitshares
 ENV HOME /var/lib/bitshares
 RUN chown bitshares:bitshares -R /var/lib/bitshares
+# default exec/config files
+ADD docker/default_config.ini /etc/bitshares/config.ini
+ADD docker/default_logging.ini /etc/bitshares/logging.ini
+ADD docker/bitsharesentry.sh /usr/local/bin/bitsharesentry.sh
+RUN chmod a+x /usr/local/bin/bitsharesentry.sh
+
 # Volume
 VOLUME ["/var/lib/bitshares", "/etc/bitshares"]
@@ -74,14 +104,11 @@ EXPOSE 8090
 # p2p service:
 EXPOSE 1776
-# default exec/config files
-ADD docker/default_config.ini /etc/bitshares/config.ini
-ADD docker/default_logging.ini /etc/bitshares/logging.ini
-ADD docker/bitsharesentry.sh /usr/local/bin/bitsharesentry.sh
-RUN chmod a+x /usr/local/bin/bitsharesentry.sh
-
 # Make Docker send SIGINT instead of SIGTERM to the daemon
 STOPSIGNAL SIGINT
+# Temporarily commented out due to permission issues caused by older versions, to be restored in a future version
+#USER bitshares:bitshares
+
 # default execute entry
-CMD ["/usr/local/bin/bitsharesentry.sh"]
+ENTRYPOINT ["/usr/local/bin/bitsharesentry.sh"]
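Review bot: `COPY --from=build /usr/local/bin/* /usr/local/bin/` copies everything the build stage has under `/usr/local/bin`, not only the three programs that the `install -s` step put there, so anything the base image or the build-time packages dropped into that directory lands in the runtime image as well. Naming the artifacts keeps the final image to what was intended: `COPY --from=build /usr/local/bin/witness_node /usr/local/bin/cli_wallet /usr/local/bin/get_dev_key /usr/local/bin/`. The moved `ADD docker/...` lines copy plain local files, so `COPY` is the conventional instruction, and with BuildKit `COPY --chmod=755 docker/bitsharesentry.sh /usr/local/bin/bitsharesentry.sh` folds the following `RUN chmod a+x` into the same layer. The `groupadd -g 10001` / `useradd -u 10000` pair gives the user and its group different numeric ids; if that is not deliberate, aligning them avoids confusion when ownership is checked on volumes.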
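Review bot: With `USER bitshares:bitshares` commented out the final image starts as root, and the comment above it only says why; it does not say what compensates, so a reader of the Dockerfile alone will conclude the daemon runs as root. The entry script in this same commit fixes ownership with `chown -R` and then drops to `bitshares` via `setpriv`, so the comment should say so, e.g. `# USER deferred: bitsharesentry.sh must repair ownership of volumes created by older images, then drops privileges with setpriv`, and reference the tracking issue `<issue-id>` for restoring it. Switching `CMD` to `ENTRYPOINT` also changes how extra `docker run` arguments reach the script; its argument handling is outside this hunk, so that is worth confirming.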
diff --git a/docker/bitsharesentry.sh b/docker/bitsharesentry.sh
index 58a2cd5150..4f8bd95664 100644
--- a/docker/bitsharesentry.sh
+++ b/docker/bitsharesentry.sh
@@ -84,10 +84,17 @@ fi
 ln -f -s /etc/bitshares/config.ini /var/lib/bitshares
 ln -f -s /etc/bitshares/logging.ini /var/lib/bitshares
+chown -R bitshares:bitshares /var/lib/bitshares
+
+# Get the latest security updates
+apt-get update && apt-get upgrade -y -o Dpkg::Options::="--force-confold"
+
 # Plugins need to be provided in a space-separated list, which
 # makes it necessary to write it like this
 if [[ ! -z "$BITSHARESD_PLUGINS" ]]; then
- exec "$BITSHARESD" --data-dir "${HOME}" ${ARGS} ${BITSHARESD_ARGS} --plugins "${BITSHARESD_PLUGINS}"
+ exec /usr/bin/setpriv --reuid=bitshares --regid=bitshares --clear-groups \
+ "$BITSHARESD" --data-dir "${HOME}" ${ARGS} ${BITSHARESD_ARGS} --plugins "${BITSHARESD_PLUGINS}"
 else
- exec "$BITSHARESD" --data-dir "${HOME}" ${ARGS} ${BITSHARESD_ARGS}
+ exec /usr/bin/setpriv --reuid=bitshares --regid=bitshares --clear-groups \
+ "$BITSHARESD" --data-dir "${HOME}" ${ARGS} ${BITSHARESD_ARGS}
 fi
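Review bot: `apt-get update && apt-get upgrade -y` at container start makes every launch depend on network access and on whatever the mirror serves that day, so the running container no longer matches the image that was built and scanned, and a failure of `apt-get update` only skips the `upgrade` and is otherwise ignored before the `exec` below. The Dockerfile in this commit already runs the same upgrade at build time, and rebuilding the image is the reproducible way to pick up security fixes, so this block should be dropped or made opt-in behind an environment variable that defaults off. `chown -R bitshares:bitshares /var/lib/bitshares` also runs on every start, which on a full chain data directory is slow; a check such as `[ "$(stat -c %U /var/lib/bitshares)" = bitshares ] || chown -R bitshares:bitshares /var/lib/bitshares` keeps it a one-time repair. On both `setpriv` lines, adding `--no-new-privs` stops the daemon from regaining privileges through setuid binaries after the uid change: `exec /usr/bin/setpriv --reuid=bitshares --regid=bitshares --clear-groups --no-new-privs \`.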