Using PGP to verify GDB in an Alpine container - docker

I have compiled information from GNU.org, blogs and other SO posts, but I am missing a key component to properly validate the version of GDB I'm downloading into my container.
# Install GNU GDB
RUN ["/bin/ash","-c","\
mkdir gdb-build \
&& cd gdb-build \
&& wget https://ftp.gnu.org/gnu/gdb/gdb-8.1.tar.xz \
&& wget https://ftp.gnu.org/gnu/gdb/gdb-8.1.tar.xz.sig \
&& gpg --import https://ftp.gnu.org/gnu/gnu-keyring.gpg \
&& gpg --verify --keyring ./gnu-keyring.gpg gdb-8.1.tar.xz.sig \
&& tar -xvf gdb-8.1.tar.xz \
&& cd gdb-8.1 \
&& ./configure --prefix=/usr \
&& make \
&& make -C gdb install \
&& cd .. \
&& rm -rf gdb-build/ \
"]
The output looks like this:
...
2018-03-10 18:04:52 (5.92 MB/s) - 'gdb-8.1.tar.xz' saved [20095080/20095080]
--2018-03-10 18:04:52-- https://ftp.gnu.org/gnu/gdb/gdb-8.1.tar.xz.sig
Resolving ftp.gnu.org... 208.118.235.20, 2001:4830:134:3::b
Connecting to ftp.gnu.org|208.118.235.20|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 72 [application/pgp-signature]
Saving to: 'gdb-8.1.tar.xz.sig'
0K 100% 1.27M=0s
2018-03-10 18:04:52 (1.27 MB/s) - 'gdb-8.1.tar.xz.sig' saved [72/72]
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: can't open 'https://ftp.gnu.org/gnu/gnu-keyring.gpg': No such file or directory
gpg: Total number processed: 0
What step am I missing? How do appropriately configure GnuPG to access the keys?

The correct syntax of gpg command is:
Syntax: gpg [options] [files]
Sign, check, encrypt or decrypt
Default operation depends on the input data
A command gpg --import requires file, not a link, so gnu-keyring.gpg should be downloaded before the gpg command.
The correct part of Dockerfile is:
RUN ["/bin/ash","-c","\
mkdir gdb-build \
&& cd gdb-build \
&& wget https://ftp.gnu.org/gnu/gdb/gdb-8.1.tar.xz \
&& wget https://ftp.gnu.org/gnu/gdb/gdb-8.1.tar.xz.sig \
&& wget https://ftp.gnu.org/gnu/gnu-keyring.gpg \
&& gpg --import ./gnu-keyring.gpg \
&& gpg --verify --keyring ./gnu-keyring.gpg gdb-8.1.tar.xz.sig \
&& tar -xvf gdb-8.1.tar.xz \
&& cd gdb-8.1 \
&& ./configure --prefix=/usr \
&& make \
&& make -C gdb install \
&& cd .. \
&& rm -rf gdb-build/ \
"]

Related

Docker: Error: Unable to access jarfile lib/sonar-application-7.6.jar

Upon creating a container using docker-run after creating an image using Dockerfile for SonarQube-7.6, I am getting this error after running docker logs <container-name>
Error: Unable to access jarfile lib/sonar-application-7.6.jar
I think the user permission is incorrect but not sure where am I going wrong.
My Dockerfile:
FROM openjdk:8
ENV SONAR_VERSION=7.6 \
SONARQUBE_HOME=/opt/sonarqube \
# Database configuration
# Defaults to using H2
# DEPRECATED. Use -v sonar.jdbc.username=... instead
# Drop these in the next release, also in the run script
SONARQUBE_JDBC_USERNAME=sonar \
SONARQUBE_JDBC_PASSWORD=sonar \
SONARQUBE_JDBC_URL=
# Http port
EXPOSE 9000
RUN groupadd -r sonarqube && useradd -r -g sonarqube sonarqube
# grab gosu for easy step-down from root
RUN set -x \
&& wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/1.10/gosu-$(dpkg --print-architecture)" \
&& wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/1.10/gosu-$(dpkg --print-architecture).asc" \
&& export GNUPGHOME="$(mktemp -d)" \
&& (gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
|| gpg --batch --keyserver ipv4.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4) \
&& gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
&& rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc \
&& chmod +x /usr/local/bin/gosu \
&& gosu nobody true
RUN set -x \
# pub 2048R/D26468DE 2015-05-25
# Key fingerprint = F118 2E81 C792 9289 21DB CAB4 CFCA 4A29 D264 68DE
# uid sonarsource_deployer (Sonarsource Deployer) <infra#sonarsource.com>
# sub 2048R/06855C1D 2015-05-25
&& (gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys F1182E81C792928921DBCAB4CFCA4A29D26468DE \
|| gpg --batch --keyserver ipv4.pool.sks-keyservers.net --recv-keys F1182E81C792928921DBCAB4CFCA4A29D26468DE) \
&& cd /opt \
&& curl -o sonarqube.zip -fSL https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-$SONAR_VERSION.zip \
&& curl -o sonarqube.zip.asc -fSL https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-$SONAR_VERSION.zip.asc \
&& gpg --batch --verify sonarqube.zip.asc sonarqube.zip \
&& unzip sonarqube.zip \
&& mv sonarqube-$SONAR_VERSION sonarqube \
&& chown -R sonarqube:sonarqube sonarqube \
&& rm sonarqube.zip* \
&& rm -rf $SONARQUBE_HOME/bin/*
VOLUME "$SONARQUBE_HOME/data"
WORKDIR $SONARQUBE_HOME
COPY run.sh $SONARQUBE_HOME/bin/
USER sonarqube
ENTRYPOINT ["./bin/run.sh"]
I solved this problem, it was a user permission error, in line:
chown -R sonarqube:sonarqube sonarqube
Used a different home path, SONARQUBE_HOME= /xyz
for setting the user permission, I used:
chown -R sonarqube:sonarqube xyz
Replaced this with,
chown -R sonarqube:sonarqube /xyz
It worked for me!!!!!

Unable to install vscode-ripgrep on Docker: Unexpected token "..." in "...url.parse(_url)"

I need to setup a theia environment on Docker (ubuntu 18.04 container). During the installation using the docker file, I need to install vscode-ripgrep since it is a dependency for 2 theia modules:
#theia/file-search
#theia/search-in-workspace
However, I get the following error:
I went through multiple issues on GitHub and StackOverflow, but cannot find one that will fix my problem.
I also tried to install vscode-ripgrep on my host machine (also ubuntu) and it worked. I guess I am missing some dependencies in the Dockerfile. However, I went through theia's GitHub page and installed all the common dependencies (https://github.com/theia-ide/theia-apps/blob/master/theia-full-docker/Dockerfile).
The previous OS kernel lab teacher used the exact Dockerfile and it did work about 3-4 months ago. I guess that dependencies changes made a breaking change.
Here is the Dockerfile that I have:
FROM ubuntu:18.04
RUN rm /etc/dpkg/dpkg.cfg.d/excludes
RUN apt-get update
RUN apt-get install -y curl binutils python make build-essential \
man manpages-posix manpages-posix-dev glibc-doc \
python3 less locales libx11-dev libxkbfile-dev snapd
RUN apt-get update && apt-get -y install curl xz-utils wget gpg
#Install node and yarn
#From: https://github.com/nodejs/docker-node/blob/6b8d86d6ad59e0d1e7a94cec2e909cad137a028f/8/Dockerfile
# gpg keys listed at https://github.com/nodejs/node#release-keys
RUN set -ex \
&& for key in \
4ED778F539E3634C779C87C6D7062848A1AB005C \
B9E2F5981AA6E0CD28160D9FF13993A75599653C \
94AE36675C464D64BAFA68DD7434390BDBE9B9C5 \
B9AE9905FFD7803F25714661B63B535A4C206CA9 \
77984A986EBC2AA786BC0F66B01FBB92821C587A \
71DCFD284A79C3B38668286BC97EC7A07EDE3FC1 \
FD3A5288F042B6850C66B31F09FE44734EB7990E \
8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \
C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8 \
DD8F2338BAE7501E3DD5AC78C273792F7D83545D \
A48C2BEE680E841632CD4E44F07496B3EB3C1762 \
; do \
gpg --batch --keyserver ipv4.pool.sks-keyservers.net --recv-keys "$key" || \
gpg --batch --keyserver pool.sks-keyservers.net --recv-keys "$key" || \
gpg --batch --keyserver pgp.mit.edu --recv-keys "$key" || \
gpg --batch --keyserver keyserver.pgp.com --recv-keys "$key" || \
gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$key" ; \
done
ARG NODE_VERSION=8.0.0
ENV NODE_VERSION $NODE_VERSION
RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \
&& case "${dpkgArch##*-}" in \
amd64) ARCH='x64';; \
ppc64el) ARCH='ppc64le';; \
s390x) ARCH='s390x';; \
arm64) ARCH='arm64';; \
armhf) ARCH='armv7l';; \
i386) ARCH='x86';; \
*) echo "unsupported architecture"; exit 1 ;; \
esac \
&& curl -SLO "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \
&& curl -SLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \
&& gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \
&& grep " node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \
&& tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \
&& rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \
&& ln -s /usr/local/bin/node /usr/local/bin/nodejs
ENV YARN_VERSION 1.13.0
RUN set -ex \
&& for key in \
6A010C5166006599AA17F08146C2130DFD2497F5 \
; do \
gpg --batch --keyserver ipv4.pool.sks-keyservers.net --recv-keys "$key" || \
gpg --batch --keyserver pool.sks-keyservers.net --recv-keys "$key" || \
gpg --batch --keyserver pgp.mit.edu --recv-keys "$key" || \
gpg --batch --keyserver keyserver.pgp.com --recv-keys "$key" || \
gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$key" ; \
done \
&& curl -fSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz" \
&& curl -fSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz.asc" \
&& gpg --batch --verify yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz \
&& mkdir -p /opt/yarn \
&& tar -xzf yarn-v$YARN_VERSION.tar.gz -C /opt/yarn --strip-components=1 \
&& ln -s /opt/yarn/bin/yarn /usr/local/bin/yarn \
&& ln -s /opt/yarn/bin/yarn /usr/local/bin/yarnpkg \
&& rm yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz
#Developer tools
## Git and sudo (sudo needed for user override)
RUN apt-get -y install git sudo
RUN locale-gen fr_CA.UTF-8
RUN update-locale LANG=fr_CA.UTF-8
ENV NVM_DIR /usr/local/nvm
ENV NODE_VERSION 8.0.0
SHELL ["/bin/bash", "-c"]
ENV SHELL /bin/bash
ENV PAGER less
# Install nvm with node and npm
RUN curl https://raw.githubusercontent.com/creationix/nvm/v0.30.1/install.sh | bash \
&& source $NVM_DIR/nvm.sh \
&& nvm install $NODE_VERSION \
&& nvm alias default $NODE_VERSION \
&& nvm use default
ENV NODE_PATH $NVM_DIR/v$NODE_VERSION/lib/node_modules
ENV PATH $NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH
RUN npm install -g yarn
# Create fake clangd
RUN ln -s /bin/false /usr/bin/clangd
# Create user directory
RUN useradd -u 3000 --create-home student
RUN npm install vscode-ripgrep
COPY package.json package.json
# Switch to new user
WORKDIR /home/student
USER student
# Build Theia
RUN yarn install
RUN yarn && yarn theia build
# Create Theia directory and change cd alias
RUN echo "alias cd='HOME=~/workspace cd'" >> .bashrc
# Let's try to reduce memory footprint...
CMD yarn theia start workspace --hostname 0.0.0.0 --port 3000
Thanks for the help and have a nice day!
Vittorio

Docker Alpine Error: possibly undefined macro: AC_PROG_LIBTOOL

I am trying to create a custom image for building React based project using Alpine as base image.
FROM python:3.6-alpine3.6
ENV NODE_VERSION 8.11.4
RUN addgroup -g 1000 node \
&& adduser -u 1000 -G node -s /bin/sh -D node \
&& apk add --no-cache \
libstdc++ \
&& apk add --no-cache --virtual .build-deps \
binutils-gold \
curl \
g++ \
gcc \
autoconf \
automake \
gnupg \
libtool \ # Was added later based on suggestions I saw online
#libltdl-dev \
libgcc \
libc-dev \
libpng-dev \
linux-headers \
make \
python \
# gpg keys listed at https://github.com/nodejs/node#release-team
&& for key in \
94AE36675C464D64BAFA68DD7434390BDBE9B9C5 \
FD3A5288F042B6850C66B31F09FE44734EB7990E \
71DCFD284A79C3B38668286BC97EC7A07EDE3FC1 \
DD8F2338BAE7501E3DD5AC78C273792F7D83545D \
C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8 \
B9AE9905FFD7803F25714661B63B535A4C206CA9 \
56730D5401028683275BD23C23EFEFE93C4CFFFE \
77984A986EBC2AA786BC0F66B01FBB92821C587A \
8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \
; do \
gpg --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys "$key" || \
gpg --keyserver hkp://ipv4.pool.sks-keyservers.net --recv-keys "$key" || \
gpg --keyserver hkp://pgp.mit.edu:80 --recv-keys "$key" ; \
done \
&& curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz" \
&& curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \
&& gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \
&& grep " node-v$NODE_VERSION.tar.xz\$" SHASUMS256.txt | sha256sum -c - \
&& tar -xf "node-v$NODE_VERSION.tar.xz" \
&& cd "node-v$NODE_VERSION" \
&& ./configure \
&& make -j$(getconf _NPROCESSORS_ONLN) \
&& make install \
#&& apk del .build-deps \ # Had to disable this otherwise Node project compilation was failing
&& ln -s /usr/share/aclocal /usr/local/share/aclocal \ # Tried linking but seems it's not working
&& cd .. \
&& rm -Rf "node-v$NODE_VERSION" \
&& rm "node-v$NODE_VERSION.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt
ENV YARN_VERSION 1.6.0
RUN apk add --no-cache --virtual .build-deps-yarn curl gnupg tar \
&& for key in \
6A010C5166006599AA17F08146C2130DFD2497F5 \
; do \
gpg --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys "$key" || \
gpg --keyserver hkp://ipv4.pool.sks-keyservers.net --recv-keys "$key" || \
gpg --keyserver hkp://pgp.mit.edu:80 --recv-keys "$key" ; \
done \
&& curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz" \
&& curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz.asc" \
&& gpg --batch --verify yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz \
&& mkdir -p /opt \
&& tar -xzf yarn-v$YARN_VERSION.tar.gz -C /opt/ \
&& ln -s /opt/yarn-v$YARN_VERSION/bin/yarn /usr/local/bin/yarn \
&& ln -s /opt/yarn-v$YARN_VERSION/bin/yarnpkg /usr/local/bin/yarnpkg \
&& rm yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz \
&& apk del .build-deps-yarn
# RUN Install some more tools in one layer
USER node # Had to use this otherwise Node project compilation was failing when running with root user
Now when i build this image and use in my Bitbucket pipeline, i get the following error:
> node lib/install.js
⚠ spawn /opt/atlassian/pipelines/agent/build/node_modules/mozjpeg/vendor/cjpeg ENOENT
⚠ mozjpeg pre-build test failed
ℹ compiling from source
✖ Error: autoreconf -fiv && ./configure --disable-shared --disable-dependency-tracking --with-jpeg8 --prefix="/opt/atlassian/pipelines/agent/build/node_modules/mozjpeg/vendor" --bindir="/opt/atlassian/pipelines/agent/build/node_modules/mozjpeg/vendor" --libdir="/opt/atlassian/pipelines/agent/build/node_modules/mozjpeg/vendor" && make -j8 && make install -j8
Command failed: autoreconf -fiv
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force
autoreconf: configure.ac: tracing
autoreconf: configure.ac: not using Libtool
autoreconf: running: /usr/bin/autoconf --force
configure.ac:23: error: possibly undefined macro: AC_PROG_LIBTOOL
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
autoreconf: /usr/bin/autoconf failed with exit status: 1
at ChildProcess.exithandler (child_process.js:275:12)
at emitTwo (events.js:126:13)
at ChildProcess.emit (events.js:214:7)
at maybeClose (internal/child_process.js:925:16)
at Process.ChildProcess._handle.onexit (internal/child_process.js:209:5)
Checking online gave me clue that libtool was needed so i added that to the Dockerfile (as you can see above) but i am still getting the same error.
Bitbucket pipeline:
image: my_custom_image
pipelines:
branches:
some_branch:
- step:
name: Deploy
script:
- chmod u+x build.sh && bash ./build.sh
I thought of listing the packages that are installed in the image.
$ cat build.sh
#!/bin/bash
apk info -v | sort
ls -laR /usr/share/aclocal
npm install
npm run build
Output of above command:
g++-6.3.0-r4
gcc-6.3.0-r4
gdbm-1.12-r0
git-2.13.7-r0
gmp-6.1.2-r0
gnupg-2.1.20-r1
isl-0.17.1-r0
libassuan-2.4.3-r0
libatomic-6.3.0-r4
libbz2-1.0.6-r5
libc-dev-0.7.1-r0
libc-utils-0.7.1-r0
libcap-2.25-r1
libcurl-7.61.0-r0
libffi-3.2.1-r3
libgcc-6.3.0-r4
libgcrypt-1.7.10-r0
libgomp-6.3.0-r4
libgpg-error-1.27-r0
libksba-1.3.4-r0
libldap-2.4.44-r5
libpng-1.6.29-r1
libpng-dev-1.6.29-r1
libressl2.5-libcrypto-2.5.5-r2
libressl2.5-libssl-2.5.5-r2
libressl2.5-libtls-2.5.5-r2
libsasl-2.1.26-r10
libssh2-1.8.0-r1
libstdc++-6.3.0-r4
linux-headers-4.4.6-r2
m4-1.4.18-r0
make-4.2.1-r0
mpc1-1.0.3-r0
mpfr3-3.1.5-r0
musl-1.1.16-r14
musl-dev-1.1.16-r14
musl-utils-1.1.16-r14
ncurses-libs-6.0_p20171125-r1
ncurses-terminfo-6.0_p20171125-r1
ncurses-terminfo-base-6.0_p20171125-r1
npth-1.2-r0
openssh-7.5_p1-r2
openssh-client-7.5_p1-r2
openssh-keygen-7.5_p1-r2
openssh-server-7.5_p1-r2
openssh-sftp-server-7.5_p1-r2
pcre-8.41-r0
perl-5.24.4-r1
pinentry-1.0.0-r0
pkgconf-1.3.7-r0
python2-2.7.15-r0
readline-6.3.008-r5
scanelf-1.2.2-r0
sqlite-libs-3.20.1-r2
ssl_client-1.26.2-r11
xz-libs-5.2.3-r0
zlib-1.2.11-r0
zlib-dev-1.2.11-r0
/usr/share/aclocal:
total 32
drwxr-xr-x 2 root root 4096 Sep 3 08:37 .
drwxr-xr-x 1 root root 4096 Sep 3 09:04 ..
-rw-r--r-- 1 root root 368 Oct 19 2017 README
-rw-r--r-- 1 root root 12670 May 20 2017 pkg.m4
I could not find libtool in the package list above. Am i missing something?
Note: Using jessie instead of alpine as base image works but the image size is more. I want to keep it as small as possible.
I was finally able to resolve it. Though i came across this link before, that time i just checked the Contents of package section. Today i again visited libtool's page and finally noticed that there is a Depends section on the right-hand side that mentions two packages as dependency (bash and libltdl) for libtool. Installing both the packages did the trick. :)
UPDATE:
Although my issue was resolved, i thought of cleaning up the script just to ensure i don't end up adding unnecessary packages to my image. That's when i found that my earlier assumption about explicitly adding bash and libltdl packages for fixing libtool dependency was wrong. I am going to write all the issues (and fixes) that i encountered while trying to build my docker image for building React project. It's more of a note for me and might still help someone.
Issues and Fixes:
1) npm WARN lifecycle <project_name>#3.6.0~preinstall: cannot run in wd %s %s (wd=%s) <project_name>#3.6.0 npm run npmcheckversion /opt/atlassian/pipelines/agent/build
Fix: Image was running with root user and not with node user. At the end of my Dockerfile, i added this line:
USER node
What this does is runs the image as the specified user and not as root user.
Ref: https://docs.docker.com/v17.09/engine/reference/builder/#user
2) Error: pngquant failed to build, make sure that libpng-dev is installed
Fix: As mentioned in the error message, i installed package libpng-dev
3) /bin/sh: autoreconf: not found
Fix: To fix this, i installed autoconf and libtool. Please note that libtool automatically installs its dependencies i.e., libltdl and bash.
I checked the list of installed packages and was able to confirm that libtool was actually installed but the build again failed, although with another error.
4) Can't exec "aclocal": No such file or directory at /usr/share/autoconf/Autom4te/FileUtils.pm line 326.
autoreconf: failed to run aclocal: No such file or directory
Fix: automake was required to fix the issue. Still, one more error was about to come :)
5) configure: error: no nasm (Netwide Assembler) found
Fix: Installing nasm package fixed it.
That's it. I was ready with my final image. ;)

Docker image Size increases if I remove few lines of code

I'm trying to reduce the docker image size, but Dockerfile is being weird.
I concatenate the RUN command to reduce the size of the image. When I build the below Dockerfile it creates only 235MB.
FROM nginx:alpine
RUN apk add --no-cache --virtual .build-deps \
gcc \
libc-dev \
make \
openssl \
pcre-dev \
zlib-dev \
linux-headers \
curl \
gnupg \
libxslt-dev \
gd-dev \
perl-dev \
&& apk add --no-cache --virtual .libmodsecurity-deps \
pcre-dev \
libxml2-dev \
git \
libtool \
automake \
autoconf \
g++ \
flex \
bison \
yajl-dev \
git \
# Add runtime dependencies that should not be removed
&& apk add --no-cache \
doxygen \
geoip \
geoip-dev \
yajl \
libstdc++ \
sed \
# Installing ModSec Library version 3
&& echo "Installing ModSec Library" \
&& git clone -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity /opt/ModSecurity \
&& cd /opt/ModSecurity \
&& git submodule init \
&& git submodule update \
&& ./build.sh \
&& ./configure && make && make install \
&& echo "Finished Installing ModSec Library" \
# Installing ModSec - Nginx connector
&& cd /opt \
&& echo 'Installing ModSec - Nginx connector' \
&& git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git \
&& wget http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz \
&& tar zxvf nginx-$NGINX_VERSION.tar.gz \
# Adding Nginx Connector Module
&& cd /opt/nginx-$NGINX_VERSION \
&& ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx \
&& make modules \
&& cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules \
&& echo "Finished Installing ModSec - Nginx connector" \
# Begin installing ModSec OWASP Rules
&& echo "Begin installing ModSec OWASP Rules" \
&& mkdir /etc/nginx/modsec \
&& wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended \
&& mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf \
&& sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf \
# Fetching owasp-modsecurity-crs
&& cd /opt \
&& git clone -b v3.0/master https://github.com/SpiderLabs/owasp-modsecurity-crs \
&& mv owasp-modsecurity-crs/ /usr/local/ \
&& cp /usr/local/owasp-modsecurity-crs/crs-setup.conf.example /usr/local/owasp-modsecurity-crs/crs-setup.conf \
# Creating modsec file
&& echo 'Creating modsec file' \
&& echo -e '# From https://github.com/SpiderLabs/ModSecurity/blob/master/\n \
# modsecurity.conf-recommended\n \
# Edit to set SecRuleEngine On\n \
Include "/etc/nginx/modsec/modsecurity.conf"\n \
# OWASP CRS v3 rules\n \
Include "/usr/local/owasp-modsecurity-crs/crs-setup.conf"\n \
Include "/usr/local/owasp-modsecurity-crs/rules/*.conf"'\
>>/etc/nginx/modsec/main.conf \
&& chown nginx:nginx /etc/nginx/modsec/main.conf \
# Removing old Nginx conf files
&& rm -fr /etc/nginx/conf.d/ \
&& rm -fr /etc/nginx/nginx.conf \
&& chown -R nginx:nginx /usr/share/nginx \
# delete uneeded and clean up
&& apk del .build-deps \
&& apk del .libmodsecurity-deps \
&& rm -fr ModSecurity \
&& rm -fr ModSecurity-nginx \
&& rm -fr nginx-$NGINX_VERSION.tar.gz \
&& rm -fr nginx-$NGINX_VERSION
COPY conf/nginx.conf /etc/nginx
COPY conf/conf.d /etc/nginx/conf.d
COPY errors /usr/share/nginx/errors
WORKDIR /usr/share/nginx/html
CMD nginx -g 'daemon off;'
EXPOSE 80
I have seen the docker history imagedId it shows that this RUN command has an increased size around 855MB. Anybody Understand why it is behaving weird?
Any thoughts would be much helpful, its is hard to debug building the image everytime.
I tried building in both ways and found not much difference.
Most of the disk space is consumed by /opt/ModSecurity
Initially it was 74MB after git clone.
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
oldimage latest 924a8d4f941e 11 minutes ago 867MB
newimage latest d1ca029927c2 About an hour ago 867MB
nginx alpine ebe2c7c61055 6 days ago 18MB
However after building the complete build - it has grown to ~650MB.
$ du -sh *
639.7M ModSecurity
408.0K ModSecurity-nginx
7.5M nginx-1.13.12
996.0K nginx-1.13.12.tar.gz

PHP 7.1 Docker build will not compile with pgsql

I am using the polinux/httpd:centos repo to run Apache and PHP 7.1. The build seems to go ok. There are a few warnings related to keys, but none related to php or pgsql. The build completes successfully, but when I ssh into the container the module is not listed (php -m) and there's no extension config file in php.d.
I verified it is listed in the Dockerfile multiple times.
I can install php71-php-pgsql manually after starting the container, but then I can't restart Apache without restarting the container.
I've tried moving yum install php71-php-pgsql to the end of the Dockerfile as a separate RUN command (in addition to the original), but it reports it has already been installed, yet when I ssh into the container its not listed in the modules and no config, as mentioned above.
When I rebuild a container I stop and remove it, then run build with the no-cache option.
I'm stumped...
The Dockerfile is quite long, but I can post if that would be helpful.
Thanks.
UPDATE: Dockerfile per request...
FROM polinux/httpd:centos
ENV \
NVM_DIR="/usr/local/nvm" \
NODE_VERSION="9.2.0" \
GIT_VERSION="2.15.0" \
PHP_VERSION="71"
ADD mariadb.repo /etc/yum.repos.d/mariadb.repo
RUN \
rpm --rebuilddb && yum clean all && rm -rf /var/cache/yum && \
yum update -y && \
yum install -y \
wget \
patch \
bzip2 \
unzip \
make \
openssh-clients \
git \
MariaDB-client && \
rpm -Uvh http://rpms.remirepo.net/enterprise/remi-release-7.rpm && \
yum install -y \
php${PHP_VERSION}-php \
php${PHP_VERSION}-php-bcmath \
php${PHP_VERSION}-php-cli \
php${PHP_VERSION}-php-common \
php${PHP_VERSION}-php-devel \
php${PHP_VERSION}-php-fpm \
php${PHP_VERSION}-php-gd \
php${PHP_VERSION}-php-gmp \
php${PHP_VERSION}-php-intl \
php${PHP_VERSION}-php-json \
php${PHP_VERSION}-php-mbstring \
php${PHP_VERSION}-php-mcrypt \
php${PHP_VERSION}-php-mysqlnd \
php${PHP_VERSION}-php-pgsql \
php${PHP_VERSION}-php-opcache \
php${PHP_VERSION}-php-pdo \
php${PHP_VERSION}-php-pear \
php${PHP_VERSION}-php-process \
php${PHP_VERSION}-php-pspell \
php${PHP_VERSION}-php-xml \
php${PHP_VERSION}-php-pecl-imagick \
php${PHP_VERSION}-php-pecl-mysql \
php${PHP_VERSION}-php-pecl-uploadprogress \
php${PHP_VERSION}-php-pecl-uuid \
php${PHP_VERSION}-php-pecl-memcache \
php${PHP_VERSION}-php-pecl-memcached \
php${PHP_VERSION}-php-pecl-redis \
php${PHP_VERSION}-php-pecl-zip && \
ln -sfF /opt/remi/php${PHP_VERSION}/enable /etc/profile.d/php${PHP_VERSION}-paths.sh && \
ln -sfF /opt/remi/php${PHP_VERSION}/root/usr/bin/{pear,pecl,phar,php,php-cgi,php-config,phpize} /usr/local/bin/. && \
mv -f /etc/opt/remi/php${PHP_VERSION}/php.ini /etc/php.ini && ln -s /etc/php.ini /etc/opt/remi/php${PHP_VERSION}/php.ini && \
rm -rf /etc/php.d && mv /etc/opt/remi/php${PHP_VERSION}/php.d /etc/. && ln -s /etc/php.d /etc/opt/remi/php${PHP_VERSION}/php.d && \
yum install -y \
ImageMagick \
GraphicsMagick \
gcc \
gcc-c++ \
libffi-devel \
libpng-devel \
zlib-devel && \
yum install -y ruby ruby-devel && \
echo 'gem: --no-document' > /etc/gemrc && \
gem update --system && \
gem install bundler && \
export PROFILE=/etc/profile.d/nvm.sh && touch $PROFILE && \
curl -sSL https://raw.githubusercontent.com/creationix/nvm/v0.31.2/install.sh | bash && \
source $NVM_DIR/nvm.sh && \
nvm install $NODE_VERSION && \
nvm alias default $NODE_VERSION && \
nvm use default && \
npm install -g \
gulp \
grunt-cli \
bower \
browser-sync && \
echo -e "StrictHostKeyChecking no" >> /etc/ssh/ssh_config && \
curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer && \
chown apache /usr/local/bin/composer && composer --version && \
yum clean all && rm -rf /tmp/yum* && \
sed -i 's|SetHandler application/x-httpd-php|SetHandler "proxy:fcgi://127.0.0.1:9000"|g' /etc/httpd/conf.d/php${PHP_VERSION}-php.conf
ADD container-files /
ENV \
NODE_PATH=$NVM_DIR/versions/node/v$NODE_VERSION/lib/node_modules \
PATH=$NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH
RUN \
mkdir -p /data/tmp/php && \
chmod -R 777 /data/tmp
# Weird issue: For some reason pgsql is not installed above. May be OoO...
Manually installing worked, so adding here at the end.
RUN \
yum install php71-php-pgsql -y
Chalk this up to inexperience...
This turned out to be a problem with how I was referencing images, first when building and then running the instance. I'm still not sure I fully understand, but I think I was running the base container instead of the modified build.
For others that may run into similar problems, the 2 commands that helped me get this working are:
docker build --rm -t local/httpd-php71 .
... and then ...
docker run \
-d \
--name httpd-php71 \
--restart unless-stopped \
--net dockersubnet \
--volume /www:/var/www \
local/httpd-php71
Where 'local/httpd-php71' is my local/custom build. Before I was not using any tag reference in the build command and then I was referencing 'polinux/httpd:centos', the base, in the run command.
Thanks.

Resources