-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
bitswap-monitoring-client: update Dockerfile to support writing trace…
…s with appropriate ownership
- Loading branch information
Showing
3 changed files
with
74 additions
and
18 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,36 +1,65 @@ | ||
| # Implements an image to run the bitswap-monitoring-client tool. | ||
| # This will expose port 8088 for prometheus. | ||
| # The executable is placed in /, the config in /config/. | ||
| # The executable is placed in /ipfs-tools, the config in /ipfs-tools/config/. | ||
| # The config is copied from the builder stage (and thus verbose from the sources). | ||
| # You can probably overwrite it by mounting your own config directory, I guess. | ||
| # You can override it by mounting your own. | ||
|
|
||
| # First build su-exec | ||
| FROM ubuntu:jammy AS builder | ||
|
|
||
| RUN apt-get update && apt-get install -y \ | ||
| curl \ | ||
| build-essential \ | ||
| git \ | ||
| wget | ||
|
|
||
| # Get su-exec, a very minimal tool for dropping privileges. | ||
| ENV SUEXEC_VERSION=v0.2 | ||
| RUN set -eux; \ | ||
| dpkgArch="$(dpkg --print-architecture)"; \ | ||
| case "${dpkgArch##*-}" in \ | ||
| "amd64" | "armhf" | "arm64") tiniArch="tini-static-$dpkgArch" ;;\ | ||
| *) echo >&2 "unsupported architecture: ${dpkgArch}"; exit 1 ;; \ | ||
| esac; \ | ||
| cd /tmp \ | ||
| && git clone https://github.com/ncopa/su-exec.git \ | ||
| && cd su-exec \ | ||
| && git checkout -q $SUEXEC_VERSION \ | ||
| && make su-exec-static | ||
|
|
||
| # Get yq | ||
| ENV YQ_VERSION=v4.44.3 | ||
| RUN set -eux; \ | ||
| dpkgArch="$(dpkg --print-architecture)"; \ | ||
| case "${dpkgArch##*-}" in \ | ||
| "amd64" | "arm" | "armhf" | "arm64") tiniArch="tini-static-$dpkgArch" ;;\ | ||
| *) echo >&2 "unsupported architecture: ${dpkgArch}"; exit 1 ;; \ | ||
| esac; \ | ||
| wget https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_${dpkgArch} -O /usr/bin/yq &&\ | ||
| chmod +x /usr/bin/yq | ||
|
|
||
| # Get some small base image to run things on. | ||
| FROM ubuntu:jammy AS runtime | ||
|
|
||
| # Create a system user to drop into. | ||
| # This will get some small (<1000) UID and GID, which is fine since we don't write to any files on the host. | ||
| RUN groupadd -r ipfs \ | ||
| && useradd --no-log-init -r -g ipfs ipfs \ | ||
| && mkdir -p ipfs | ||
|
|
||
| # Enter our working directory. | ||
| WORKDIR ipfs-tools | ||
|
|
||
| # Copy compiled binaries from builder. | ||
| COPY --from=ipfs-tools-builder /ipfs-tools/target/release/bitswap-monitoring-client . | ||
| COPY --from=ipfs-tools-builder /ipfs-tools/bitswap-monitoring-client/config.yaml ./config/bitswap-monitoring-client-config.yaml | ||
| COPY --from=ipfs-tools-builder /ipfs-tools/bitswap-monitoring-client/docker-entrypoint.sh . | ||
| COPY --from=0 /tmp/su-exec/su-exec-static /sbin/su-exec | ||
| COPY --from=0 /usr/bin/yq /usr/bin/yq | ||
|
|
||
| # Set ownership. | ||
| RUN chown -R ipfs:ipfs ./ | ||
| # Make sure our entrypoint is executable. | ||
| RUN chmod 755 ./docker-entrypoint.sh | ||
|
|
||
| # Set log level. | ||
| ENV RUST_LOG=info | ||
|
|
||
| # Expose Prometheus endpoint. | ||
| EXPOSE 8088 | ||
|
|
||
| # Drop root. | ||
| #USER ipfs | ||
|
|
||
| # Run the binary. | ||
| ENTRYPOINT ["./bitswap-monitoring-client","--config","./config/bitswap-monitoring-client-config.yaml"] | ||
| # Run the script. | ||
| # This will fix permissions on the temporary file storage directory, drop root, and then run the binary. | ||
| ENTRYPOINT ["./docker-entrypoint.sh"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| #!/bin/bash | ||
|
|
||
| set -ex | ||
|
|
||
| user_id=$PUID | ||
| user_gid=$PGID | ||
| if [ -z "$PUID" ]; then | ||
| echo "PUID unset, using default value of 1000" | ||
| user_id=1000 | ||
| fi | ||
| if [ -z "$PGID" ]; then | ||
| echo "PGID unset, using default value of 1000" | ||
| user_gid=1000 | ||
| fi | ||
|
|
||
| traces_dir=$(yq '.disk_logging_directory' ./config/bitswap-monitoring-client-config.yaml) | ||
|
|
||
| if [ "$(id -u)" -eq 0 ]; then | ||
| echo "Changing user to $user_id" | ||
| if [ ! "$traces_dir" == "null" ]; then | ||
| echo "Fixing permissions on logging directory $traces_dir..." | ||
| # ensure traces directory is writable | ||
| su-exec "$user_id" test -w "$traces_dir" || chown -R -- "$user_id:$user_gid" "$traces_dir" | ||
| fi | ||
| # restart script with new privileges | ||
| exec su-exec "$user_id:$user_gid" "$0" "$@" | ||
| fi | ||
|
|
||
| # 2nd invocation with regular user | ||
| exec ./bitswap-monitoring-client "$@" |