Update container image

- Replace gems with packages: saves about 500 MByte image space - Run apt upgrade - security fixes / takes about 100 MByte image space - Update to phusion/baseimage:noble-1.0.0 - Place static commands at the beging to optimise build time/space - Comment each package / gem so that we know why they have been loaded into the container image - Fix exanples/podman-compose in order to access oxidied-web from outside
ytti · Aug 16, 2024 · 48885d4 · 48885d4
1 parent fe8500c
commit 48885d4
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 40 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -24,6 +24,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 - oxidized: options (such as credentials, etc.) now use the same resolution logic as variables and can also be defined per model in a group (@EinGlasVollKakao)
 - Add JSONFILE source (@sargon)
 - saos: add inventory and software status collection (@grbeneke)
+- container-image: update to phusion/baseimage:noble-1.0.0 and include security upgrades at build time (@robertcheramy)
+- container-image: use ubuntu-packages instead of gems in order to reduce container image size (@robertcheramy)
 
 ### Fixed
 - fixed prompt for vyos/vyatta to allow logins with non-priviliged accounts. Fixes #3111 (@h-lopez)

diff --git a/Dockerfile b/Dockerfile
@@ -1,31 +1,64 @@
 # Single-stage build of an oxidized container from phusion/baseimage-docker
-# derived from Ubuntu 22.04 (Jammy Jellyfish)
-FROM docker.io/phusion/baseimage:jammy-1.0.4
+FROM docker.io/phusion/baseimage:noble-1.0.0
 
 ENV DEBIAN_FRONTEND=noninteractive
 
+##### Place "static" commands at the beginning to optimize image size and build speed
+# add non-privileged user
+ARG UID=30000
+ARG GID=$UID
+RUN groupadd -g "${GID}" -r oxidized && useradd -u "${UID}" -r -m -d /home/oxidized -g oxidized oxidized
+
+# link config for msmtp for easier use.
+RUN ln -s /home/oxidized/.config/oxidized/.msmtprc /home/oxidized/
+
+# create parent directory & touch required file
+RUN mkdir -p /home/oxidized/.config/oxidized/
+RUN touch /home/oxidized/.config/oxidized/.msmtprc
+
+# setup the access to the file
+RUN chmod 600 /home/oxidized/.msmtprc
+RUN chown oxidized:oxidized /home/oxidized/.msmtprc
+
+# add runit services
+COPY extra/oxidized.runit /etc/service/oxidized/run
+COPY extra/auto-reload-config.runit /etc/service/auto-reload-config/run
+COPY extra/update-ca-certificates.runit /etc/service/update-ca-certificates/run
+
 # set up dependencies for the build process
 RUN apt-get -yq update \
-    && apt-get -yq --no-install-recommends install ruby3.0 ruby3.0-dev libssl3 \
-    bzip2 libssl-dev pkg-config make cmake libssh2-1 libssh2-1-dev \
-    git git-email libmailtools-perl g++ libffi-dev ruby-bundler \
-    libicu70 libicu-dev \
-    libsqlite3-0 libsqlite3-dev \
-    libmysqlclient21 libmysqlclient-dev \
-    libpq5 libpq-dev \
-    zlib1g-dev msmtp \
-    # dependency of psych > 5
-    libyaml-dev \
+    && apt-get -yq upgrade \
+    && apt-get -yq --no-install-recommends install ruby \
+    # Build process of oxidized from git (beloww)
+    git \
+    # Allow git send-email from docker image
+    git-email libmailtools-perl \
+    # Allow sending emails in the docker container
+    msmtp \
+    # Debuging tools inside the container
+    inetutils-telnet \
+    # Use ubuntu gems where possible
+    # Gems needed by oxidized
+    ruby-rugged ruby-slop ruby-psych \
+    ruby-net-telnet ruby-net-ssh ruby-net-ftp ruby-net-scp ruby-ed25519 \
+    # Gem dependencies for inputs
+    ruby-net-http-persistent ruby-mechanize \
+    # Gem dependencies for sources
+    ruby-sqlite3 ruby-mysql2 ruby-pg ruby-sequel ruby-gpgme\
+    # Gem dependencies for hooks
+    ruby-aws-sdk ruby-xmpp4r \
+    # Gems needed by oxidized-web
+    ruby-charlock-holmes ruby-haml ruby-htmlentities ruby-json \
+    puma ruby-sinatra ruby-sinatra-contrib \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
+# gems not available in ubuntu noble
 RUN gem install --no-document \
     # dependencies for hooks
-    aws-sdk slack-ruby-client xmpp4r cisco_spark \
-    # dependencies for sources
-    gpgme sequel sqlite3 mysql2 pg \
-    # dependencies for inputs
-    net-tftp net-http-persistent mechanize
+    slack-ruby-client cisco_spark \
+    # dependencies for specific inputs
+    net-tftp
 
 # build and install oxidized
 COPY . /tmp/oxidized/
@@ -43,27 +76,5 @@ RUN gem install oxidized-web --no-document
 # clean up
 WORKDIR /
 RUN rm -rf /tmp/oxidized
-RUN apt-get -yq --purge autoremove ruby-dev pkg-config make cmake ruby-bundler libssl-dev libssh2-1-dev libicu-dev libsqlite3-dev libmysqlclient-dev libpq-dev zlib1g-dev
-
-# add non-privileged user
-ARG UID=30000
-ARG GID=$UID
-RUN groupadd -g "${GID}" -r oxidized && useradd -u "${UID}" -r -m -d /home/oxidized -g oxidized oxidized
-
-# link config for msmtp for easier use.
-RUN ln -s /home/oxidized/.config/oxidized/.msmtprc /home/oxidized/
-
-# create parent directory & touch required file
-RUN mkdir -p /home/oxidized/.config/oxidized/
-RUN touch /home/oxidized/.config/oxidized/.msmtprc
-
-# setup the access to the file
-RUN chmod 600 /home/oxidized/.msmtprc
-RUN chown oxidized:oxidized /home/oxidized/.msmtprc
-
-# add runit services
-COPY extra/oxidized.runit /etc/service/oxidized/run
-COPY extra/auto-reload-config.runit /etc/service/auto-reload-config/run
-COPY extra/update-ca-certificates.runit /etc/service/update-ca-certificates/run
 
 EXPOSE 8888/tcp
diff --git a/examples/podman-compose/oxidized-config/config b/examples/podman-compose/oxidized-config/config
@@ -10,7 +10,7 @@ use_max_threads: true
 timeout: 20
 retries: 3
 prompt: !ruby/regexp /^([\w.@-]+[#>]\s?)$/
-rest: 127.0.0.1:8888
+rest: 0.0.0.0:8888
 next_adds_job: false
 vars: {}
 groups: {}