From 48885d460c8175fc4c98f433d802682ea91d0250 Mon Sep 17 00:00:00 2001
From: Robert Cheramy
Date: Thu, 25 Jul 2024 11:01:22 +0200
Subject: [PATCH] Update container image

- Replace gems with packages: saves about 500 MByte image space
- Run apt upgrade - security fixes / takes about 100 MByte image space
- Update to phusion/baseimage:noble-1.0.0
- Place static commands at the beging to optimise build time/space
- Comment each package / gem so that we know why they have been loaded into the container image
- Fix exanples/podman-compose in order to access oxidied-web from outside
---
 CHANGELOG.md | 2 +
 Dockerfile | 89 +++++++++++--------
 .../podman-compose/oxidized-config/config | 2 +-
 3 files changed, 53 insertions(+), 40 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0ad1f9bb6..399dadbf8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -24,6 +24,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 - oxidized: options (such as credentials, etc.) now use the same resolution logic as variables and can also be defined per model in a group (@EinGlasVollKakao)
 - Add JSONFILE source (@sargon)
 - saos: add inventory and software status collection (@grbeneke)
+- container-image: update to phusion/baseimage:noble-1.0.0 and include security upgrades at build time (@robertcheramy)
+- container-image: use ubuntu-packages instead of gems in order to reduce container image size (@robertcheramy)
 
 ### Fixed
 - fixed prompt for vyos/vyatta to allow logins with non-priviliged accounts. Fixes #3111 (@h-lopez)
diff --git a/Dockerfile b/Dockerfile
index 5fb1ac693..b643713c7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,31 +1,64 @@
 # Single-stage build of an oxidized container from phusion/baseimage-docker
-# derived from Ubuntu 22.04 (Jammy Jellyfish)
-FROM docker.io/phusion/baseimage:jammy-1.0.4
+FROM docker.io/phusion/baseimage:noble-1.0.0
 
 ENV DEBIAN_FRONTEND=noninteractive
 
+##### Place "static" commands at the beginning to optimize image size and build speed
+# add non-privileged user
+ARG UID=30000
+ARG GID=$UID
+RUN groupadd -g "${GID}" -r oxidized && useradd -u "${UID}" -r -m -d /home/oxidized -g oxidized oxidized
+
+# link config for msmtp for easier use.
+RUN ln -s /home/oxidized/.config/oxidized/.msmtprc /home/oxidized/
+
+# create parent directory & touch required file
+RUN mkdir -p /home/oxidized/.config/oxidized/
+RUN touch /home/oxidized/.config/oxidized/.msmtprc
+
+# setup the access to the file
+RUN chmod 600 /home/oxidized/.msmtprc
+RUN chown oxidized:oxidized /home/oxidized/.msmtprc
+
+# add runit services
+COPY extra/oxidized.runit /etc/service/oxidized/run
+COPY extra/auto-reload-config.runit /etc/service/auto-reload-config/run
+COPY extra/update-ca-certificates.runit /etc/service/update-ca-certificates/run
+
 # set up dependencies for the build process
 RUN apt-get -yq update \
-    && apt-get -yq --no-install-recommends install ruby3.0 ruby3.0-dev libssl3 \
-    bzip2 libssl-dev pkg-config make cmake libssh2-1 libssh2-1-dev \
-    git git-email libmailtools-perl g++ libffi-dev ruby-bundler \
-    libicu70 libicu-dev \
-    libsqlite3-0 libsqlite3-dev \
-    libmysqlclient21 libmysqlclient-dev \
-    libpq5 libpq-dev \
-    zlib1g-dev msmtp \
-    # dependency of psych > 5
-    libyaml-dev \
+    && apt-get -yq upgrade \
+    && apt-get -yq --no-install-recommends install ruby \
+    # Build process of oxidized from git (beloww)
+    git \
+    # Allow git send-email from docker image
+    git-email libmailtools-perl \
+    # Allow sending emails in the docker container
+    msmtp \
+    # Debuging tools inside the container
+    inetutils-telnet \
+    # Use ubuntu gems where possible
+    # Gems needed by oxidized
+    ruby-rugged ruby-slop ruby-psych \
+    ruby-net-telnet ruby-net-ssh ruby-net-ftp ruby-net-scp ruby-ed25519 \
+    # Gem dependencies for inputs
+    ruby-net-http-persistent ruby-mechanize \
+    # Gem dependencies for sources
+    ruby-sqlite3 ruby-mysql2 ruby-pg ruby-sequel ruby-gpgme\
+    # Gem dependencies for hooks
+    ruby-aws-sdk ruby-xmpp4r \
+    # Gems needed by oxidized-web
+    ruby-charlock-holmes ruby-haml ruby-htmlentities ruby-json \
+    puma ruby-sinatra ruby-sinatra-contrib \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
+# gems not available in ubuntu noble
 RUN gem install --no-document \
     # dependencies for hooks
-    aws-sdk slack-ruby-client xmpp4r cisco_spark \
-    # dependencies for sources
-    gpgme sequel sqlite3 mysql2 pg \
-    # dependencies for inputs
-    net-tftp net-http-persistent mechanize
+    slack-ruby-client cisco_spark \
+    # dependencies for specific inputs
+    net-tftp
 
 # build and install oxidized
 COPY . /tmp/oxidized/
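Review bot: The `gem install --no-document slack-ruby-client cisco_spark net-tftp` line and the `ruby-*` apt packages above it are installed without any version pin, and the new `apt-get -yq upgrade` (which hadolint DL3005 will also flag) makes the layer content depend on the build date, so two builds of the same Dockerfile can ship different dependency sets and a security review cannot tell from the file alone what is in the image; pinning the base by digest (`FROM docker.io/phusion/baseimage:noble-1.0.0@sha256:<digest>`) and each gem with an explicit version (`gem install slack-ruby-client -v <version>`, one call per gem) keeps the upgrade benefit while making rebuilds reproducible and auditable. `ruby-gpgme\` has no space before the continuation backslash, so it only stays separated from `ruby-aws-sdk` by the indentation of the following line; `ruby-sqlite3 ruby-mysql2 ruby-pg ruby-sequel ruby-gpgme \` is the robust form. `inetutils-telnet` is added purely as a debugging tool, and because the build is single-stage it ends up in the runtime image; if it is not needed for operation it is better dropped, or the comment should state why it must ship. The comments also carry two typos, `beloww` and `Debuging`.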
@@ -43,27 +76,5 @@ RUN gem install oxidized-web --no-document
 # clean up
 WORKDIR /
 RUN rm -rf /tmp/oxidized
-RUN apt-get -yq --purge autoremove ruby-dev pkg-config make cmake ruby-bundler libssl-dev libssh2-1-dev libicu-dev libsqlite3-dev libmysqlclient-dev libpq-dev zlib1g-dev
-
-# add non-privileged user
-ARG UID=30000
-ARG GID=$UID
-RUN groupadd -g "${GID}" -r oxidized && useradd -u "${UID}" -r -m -d /home/oxidized -g oxidized oxidized
-
-# link config for msmtp for easier use.
-RUN ln -s /home/oxidized/.config/oxidized/.msmtprc /home/oxidized/
-
-# create parent directory & touch required file
-RUN mkdir -p /home/oxidized/.config/oxidized/
-RUN touch /home/oxidized/.config/oxidized/.msmtprc
-
-# setup the access to the file
-RUN chmod 600 /home/oxidized/.msmtprc
-RUN chown oxidized:oxidized /home/oxidized/.msmtprc
-
-# add runit services
-COPY extra/oxidized.runit /etc/service/oxidized/run
-COPY extra/auto-reload-config.runit /etc/service/auto-reload-config/run
-COPY extra/update-ca-certificates.runit /etc/service/update-ca-certificates/run
 
 EXPOSE 8888/tcp
diff --git a/examples/podman-compose/oxidized-config/config b/examples/podman-compose/oxidized-config/config
index 45318e3ac..3ab54412b 100644
--- a/examples/podman-compose/oxidized-config/config
+++ b/examples/podman-compose/oxidized-config/config
@@ -10,7 +10,7 @@ use_max_threads: true
 timeout: 20
 retries: 3
 prompt: !ruby/regexp /^([\w.@-]+[#>]\s?)$/
-rest: 127.0.0.1:8888
+rest: 0.0.0.0:8888
 next_adds_job: false
 vars: {}
 groups: {}
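Review bot: `rest: 0.0.0.0:8888` makes the oxidized-web listener reachable on every network interface the container has, not only through the port podman-compose publishes, and no authentication setting appears in the visible lines of this config; since that endpoint serves the collected device configurations, the compose file (not part of this diff) should publish the port on a host-local address such as `127.0.0.1:8888:8888` or place an authenticating reverse proxy in front of it. Binding to all interfaces is presumably needed because the published port arrives on the container's own interface rather than on loopback, so the change itself looks correct. A comment on the line would keep that reasoning visible to people who copy the example: `# 0.0.0.0 so the port published by podman-compose is reachable; limit exposure in the compose file or behind an authenticating proxy`.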