From 201e487c31d75c8a13ca45230aeae81e0c6ebb8d Mon Sep 17 00:00:00 2001 From: Mateusz Urbanek Date: Fri, 15 Nov 2024 12:20:09 +0100 Subject: [PATCH 1/8] ci: rewritten the image building action Signed-off-by: Mateusz Urbanek --- .github/workflows/ci.yml | 47 +++++++++++++++++++++++++++++----------- 1 file changed, 34 insertions(+), 13 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index af488cfe6..0a1ec0f9a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,6 +1,12 @@ --- name: CI + on: [ push, pull_request ] + +permissions: + contents: write + packages: write + jobs: test: name: Test @@ -36,6 +42,7 @@ jobs: with: command: test args: --verbose ${{ matrix.features }} + doc: name: Build documentation runs-on: ubuntu-latest @@ -55,6 +62,7 @@ jobs: with: command: doc args: --verbose + coverage: name: Coverage runs-on: ubuntu-latest 
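Review bot: The new workflow-level `permissions:` block grants `contents: write` and `packages: write` to every job (`test`, `doc`, `coverage` and the image job), while only the image-publishing job added in the next hunk needs `packages: write` and nothing visible in this workflow writes repository contents (the coverage job authenticates to Coveralls with its own token, not `GITHUB_TOKEN`). Set the workflow level to `permissions:` / `contents: read` and attach `permissions:` / `packages: write` to the `ghcr` job only, so a misbehaving step in the test or doc jobs cannot publish packages or push to the repository. Because the trigger is `on: [ push, pull_request ]`, the write scope otherwise also applies to same-repository pull-request runs.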
@@ -81,21 +89,34 @@ jobs: with: command: tarpaulin args: --coveralls $TOKEN - dockerhub: - name: Docker build and push to Docker Hub + + ghcr: + name: Docker build and push to GitHub Container Registry runs-on: ubuntu-latest - if: github.ref == 'refs/heads/main' + if: ${{ !(startsWith(github.ref, 'refs/tags/v') || (github.ref == 'refs/heads/main')) }} steps: - - uses: actions/checkout@v2 - - uses: docker/setup-qemu-action@v1 - - uses: docker/setup-buildx-action@v1 - - uses: docker/login-action@v1 + - uses: actions/checkout@v4 + - uses: docker/login-action@v3 with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - uses: docker/build-push-action@v2 + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - uses: docker/setup-qemu-action@v3 + - id: buildx + uses: docker/setup-buildx-action@v3 with: - context: . - push: 'true' - tags: clevercloud/sozu:${{ github.sha }} + platforms: linux/amd64,linux/arm64 + - uses: docker/build-push-action@v6 + with: + builder: ${{ steps.buildx.outputs.name }} + platforms: linux/amd64,linux/arm64 + push: true + tags: | + ghcr.io/${{ github.event.repository.owner.name }}/sozu:${{ github.ref_name }} + - name: Scan image using Grype + id: grype + uses: anchore/scan-action@v5 + with: + image: ghcr.io/${{ github.event.repository.owner.name }}/sozu:${{ github.ref_name }} + output-format: table ... From 5616db055fc3c46da982827a3b6a5f1d1305e21d Mon Sep 17 00:00:00 2001 From: Mateusz Urbanek Date: Fri, 15 Nov 2024 12:43:28 +0100 Subject: [PATCH 2/8] fix: remove missing files Signed-off-by: Mateusz Urbanek --- Dockerfile | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 338a701d0..2fcee1716 100644 --- a/Dockerfile +++ b/Dockerfile 
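Review bot: The Grype step at the end of the `ghcr` job runs only after `docker/build-push-action@v6` has already pushed the image with `push: true`, so a failing scan (the action's default `fail-build` behaviour) turns the job red but leaves the tag published on ghcr.io; the same ordering persists in the PATCH 3/8 and PATCH 8/8 hunks of this file. For the single-platform builds the later patches settle on, build with `load: true` and `push: false`, scan the local image, and push in a separate step that runs only after the scan succeeds. It would also help to say in a comment on the scan step whether it is meant to gate publication or only to report, since the current order can only do the latter.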
@@ -1,6 +1,6 @@ ARG ALPINE_VERSION=edge -FROM alpine:$ALPINE_VERSION as builder +FROM alpine:$ALPINE_VERSION AS builder RUN apk update && apk add --no-cache --virtual .build-dependencies \ cargo \ @@ -21,7 +21,7 @@ WORKDIR /usr/src/sozu RUN cargo vendor --locked RUN cargo build --release --frozen -FROM alpine:$ALPINE_VERSION as bin +FROM alpine:$ALPINE_VERSION AS bin EXPOSE 80 EXPOSE 443 @@ -38,8 +38,6 @@ RUN apk update && apk add --no-cache \ COPY --from=builder /usr/src/sozu/target/release/sozu /usr/local/bin/sozu COPY os-build/config.toml /etc/sozu/config.toml -COPY lib/assets/404.html /etc/sozu/html/404.html -COPY lib/assets/503.html /etc/sozu/html/503.html ENTRYPOINT ["/usr/local/bin/sozu"] CMD ["start", "-c", "/etc/sozu/config.toml"] From 765f5d2ba4c506a7f8f8efefb568574d7b4f4abc Mon Sep 17 00:00:00 2001 From: Mateusz Urbanek Date: Fri, 15 Nov 2024 14:25:14 +0100 Subject: [PATCH 3/8] fix: added dynamic configuration Signed-off-by: Mateusz Urbanek --- .github/workflows/ci.yml | 22 +++++++++++++++++----- Dockerfile | 1 + 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0a1ec0f9a..421fa0c2b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -93,7 +93,6 @@ jobs: ghcr: name: Docker build and push to GitHub Container Registry runs-on: ubuntu-latest - if: ${{ !(startsWith(github.ref, 'refs/tags/v') || (github.ref == 'refs/heads/main')) }} steps: - uses: actions/checkout@v4 - uses: docker/login-action@v3 
@@ -106,17 +105,30 @@ jobs: uses: docker/setup-buildx-action@v3 with: platforms: linux/amd64,linux/arm64 + - id: config + run: | + var="${{ github.ref_name }}" + if [[ "$var" == "main" || "$var" == v* ]]; then + # TODO: this won't build on arm64, need to fix kawa lib first + # echo arch=linux/amd64,linux/arm64 >> ${GITHUB_OUTPUT} + echo arch=linux/amd64 >> ${GITHUB_OUTPUT} + echo tag=$var >> ${GITHUB_OUTPUT} + else + echo arch=linux/amd64 >> ${GITHUB_OUTPUT} + echo tag=$var >> ${GITHUB_OUTPUT} + fi - uses: docker/build-push-action@v6 with: builder: ${{ steps.buildx.outputs.name }} - platforms: linux/amd64,linux/arm64 - push: true + platforms: ${{ steps.config.outputs.arch }} + push: ${{ startsWith(github.ref, 'refs/tags/v') || (github.ref == 'refs/heads/main') }} + load: ${{ !(startsWith(github.ref, 'refs/tags/v') || (github.ref == 'refs/heads/main')) }} tags: | - ghcr.io/${{ github.event.repository.owner.name }}/sozu:${{ github.ref_name }} + ghcr.io/sozu-proxy/sozu:${{ steps.config.outputs.tag }} - name: Scan image using Grype id: grype uses: anchore/scan-action@v5 with: - image: ghcr.io/${{ github.event.repository.owner.name }}/sozu:${{ github.ref_name }} + image: ghcr.io/sozu-proxy/sozu:${{ steps.config.outputs.tag }} output-format: table ... diff --git a/Dockerfile b/Dockerfile index 2fcee1716..401e250f6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,6 +4,7 @@ FROM alpine:$ALPINE_VERSION AS builder RUN apk update && apk add --no-cache --virtual .build-dependencies \ cargo \ + cmake \ build-base \ file \ libgcc \ From 7616e1c0d8c9e242acbe15ac5e9edee53b9545aa Mon Sep 17 00:00:00 2001 From: Mateusz Urbanek Date: Fri, 15 Nov 2024 15:15:08 +0100 Subject: [PATCH 4/8] fix: improve the default dockerfile Signed-off-by: Mateusz Urbanek --- Dockerfile | 35 +++++++++++++++++++---------------- doc/how_to_use.md | 9 +-------- 2 files changed, 20 insertions(+), 24 deletions(-) diff --git a/Dockerfile b/Dockerfile index 401e250f6..fc929edb2 100644 --- a/Dockerfile 
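Review bot: The new `config` step substitutes `${{ github.ref_name }}` straight into the `run:` script (`var="${{ github.ref_name }}"`), so the ref name becomes shell source text before bash sees it instead of being passed as data; GitHub's own hardening guidance is to hand context values to scripts through `env:`. Add `env:` / `REF_NAME: ${{ github.ref_name }}` to the step, use `var="$REF_NAME"`, and quote the four redirections as `echo "tag=$var" >> "$GITHUB_OUTPUT"` so a value with spaces or globbing characters cannot split or expand. The `if` and `else` branches currently emit the same `arch=linux/amd64` line, which is fine while the arm64 TODO stands, but a comment such as `# branches differ only once arm64 is re-enabled` would spare the next reader a double-take.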
+++ b/Dockerfile @@ -1,44 +1,47 @@ -ARG ALPINE_VERSION=edge - -FROM alpine:$ALPINE_VERSION AS builder +# Stage 1: Build the application +FROM docker.io/library/rust:1.80-alpine AS builder +# Update Alpine packages and install build dependencies RUN apk update && apk add --no-cache --virtual .build-dependencies \ - cargo \ - cmake \ - build-base \ - file \ - libgcc \ - musl-dev \ - protobuf \ - protobuf-dev \ - rust - -RUN apk add --no-cache llvm-libunwind \ - pkgconfig + musl-dev \ + protobuf \ + protobuf-dev +# Copy the source code into the image COPY . /usr/src/sozu WORKDIR /usr/src/sozu +# Build the application in release mode with a frozen lockfile RUN cargo vendor --locked RUN cargo build --release --frozen -FROM alpine:$ALPINE_VERSION AS bin +# Stage 2: Create the runtime environment +FROM docker.io/library/alpine:3.20 AS bin +# Expose ports for the application EXPOSE 80 EXPOSE 443 +# Define volumes for configuration and runtime state VOLUME /etc/sozu VOLUME /run/sozu +# Create a directory for persistent state RUN mkdir -p /var/lib/sozu +# Install runtime dependencies RUN apk update && apk add --no-cache \ llvm-libunwind \ libgcc \ ca-certificates +# Copy the built binary from the builder stage COPY --from=builder /usr/src/sozu/target/release/sozu /usr/local/bin/sozu + +# Copy the default configuration file COPY os-build/config.toml /etc/sozu/config.toml +# Set the default entry point to the binary and provide default command +# to start the application with a specific config ENTRYPOINT ["/usr/local/bin/sozu"] CMD ["start", "-c", "/etc/sozu/config.toml"] diff --git a/doc/how_to_use.md b/doc/how_to_use.md index dfadea8cc..12a9902d4 100644 --- a/doc/how_to_use.md +++ b/doc/how_to_use.md 
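Review bot: Both `FROM docker.io/library/rust:1.80-alpine AS builder` and `FROM docker.io/library/alpine:3.20 AS bin` reference mutable tags, so the image the `ghcr` job publishes depends on whatever those tags resolve to on build day; pin each as `image:tag@sha256:<digest-placeholder>` (the `docker` Dependabot entry added later in this series keeps digest pins current). The runtime stage sets no `USER`, so `sozu` starts as root in the container; if the binary does not drop privileges itself (not visible here), add an unprivileged user and grant `cap_net_bind_service` on `/usr/local/bin/sozu` via `setcap` so it can still bind 80 and 443. `RUN apk update && apk add --no-cache` is redundant — `--no-cache` already fetches a fresh index — so `apk add --no-cache` alone would do in both stages.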
@@ -32,15 +32,12 @@ Check out the command line [documentation](./configure_cli.md) for more informat ## Run it with Docker -The repository provides a multi-stage [Dockerfile][df] image based on `alpine:edge`. +The repository provides a multi-stage [Dockerfile][df] image based on `alpine:3.20`. You can build the image by doing: docker build -t sozu . -There's also the [clevercloud/sozu](https://hub.docker.com/r/clevercloud/sozu/) image -following the master branch (outdated). - Run it with the command: ```bash @@ -55,10 +52,6 @@ docker run \ sozu ``` -To build an image with a specific version of Alpine: - - docker build --build-arg ALPINE_VERSION=3.14 -t sozu:main-alpine-3.14 . - ### Using a custom `config.toml` configuration file The default configuration for sozu can be found in `../os-build/docker/config.toml`. From 696f8672933c0b0b5f23e87f250389a175100887 Mon Sep 17 00:00:00 2001 From: Mateusz Urbanek Date: Fri, 15 Nov 2024 15:15:20 +0100 Subject: [PATCH 5/8] ci: add dependabot config Signed-off-by: Mateusz Urbanek --- .github/dependabot.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..dc510e55b --- /dev/null +++ b/.github/dependabot.yml 
@@ -0,0 +1,31 @@ +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options: +# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates + +version: 2 +updates: + - package-ecosystem: "cargo" + directory: "/" + schedule: + interval: "weekly" + commit-message: + prefix: "fix" + include: "scope" + labels: [] + - package-ecosystem: "docker" + directory: "/" + schedule: + interval: "weekly" + commit-message: + prefix: "fix" + include: "scope" + labels: [] + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + commit-message: + prefix: "fix" + include: "scope" + labels: [] From 83169a076e5331f1a10b815f92874b9a6bfa36a4 Mon Sep 17 00:00:00 2001 From: Mateusz Urbanek Date: Fri, 15 Nov 2024 15:27:03 +0100 Subject: [PATCH 6/8] fixup! fix: improve the default dockerfile --- Dockerfile | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index fc929edb2..c89b90283 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,10 +2,17 @@ FROM docker.io/library/rust:1.80-alpine AS builder # Update Alpine packages and install build dependencies -RUN apk update && apk add --no-cache --virtual .build-dependencies \ - musl-dev \ - protobuf \ - protobuf-dev +RUN apk update && \ + apk add --no-cache --virtual .build-dependencies \ + musl-dev \ + libgcc \ + cmake \ + build-base \ + file \ + protobuf \ + protobuf-dev && \ + apk add --no-cache \ + llvm-libunwind # Copy the source code into the image COPY . /usr/src/sozu From 160d75f50444ed1e1cd55213e845ef7004bbc7bc Mon Sep 17 00:00:00 2001 From: Mateusz Urbanek Date: Fri, 15 Nov 2024 15:42:35 +0100 Subject: [PATCH 7/8] fixup! fix: added dynamic configuration --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
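Review bot: With `package-ecosystem: "github-actions"` now configured, the `uses:` references in `.github/workflows/ci.yml` can be pinned to full commit SHAs at no maintenance cost, because Dependabot bumps SHA pins and preserves the trailing version comment; the mutable `@v3`/`@v5`/`@v6` tags the `ghcr` job relies on (including the step that logs in with `GITHUB_TOKEN`) are exactly what a retagged or compromised action release would reach. `labels: []` deliberately suppresses Dependabot's default `dependencies` label, so a one-line comment above it, `# no labels: keep Dependabot PRs indistinguishable from other fix PRs`, or whatever the actual reason is, would keep it from being read as a leftover. The `docker` entry likewise keeps `FROM …@sha256:` digests current if the Dockerfile is pinned that way.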
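Review bot: The restored `apk add --no-cache --virtual .build-dependencies …` in the builder `RUN` line is never followed by `apk del .build-dependencies`, and in this multi-stage build the `builder` layer is discarded anyway, so the virtual package grouping adds nothing; a single `apk add --no-cache musl-dev libgcc cmake build-base file protobuf protobuf-dev llvm-libunwind` produces the same final image with one less indirection. The leading `apk update` is likewise redundant with `--no-cache`, which already fetches a fresh index. The builder stage continues past the end of the hunk.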
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 421fa0c2b..c146b84e8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -115,7 +115,7 @@ jobs: echo tag=$var >> ${GITHUB_OUTPUT} else echo arch=linux/amd64 >> ${GITHUB_OUTPUT} - echo tag=$var >> ${GITHUB_OUTPUT} + echo tag=dev >> ${GITHUB_OUTPUT} fi - uses: docker/build-push-action@v6 with: From d7901cf5b08c78901d1ada82edc0088751de0842 Mon Sep 17 00:00:00 2001 From: Mateusz Urbanek Date: Fri, 15 Nov 2024 15:58:45 +0100 Subject: [PATCH 8/8] fix: do not scan fail on medium or lower Signed-off-by: Mateusz Urbanek --- .github/workflows/ci.yml | 2 +- Dockerfile | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c146b84e8..366ff46ab 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -126,9 +126,9 @@ jobs: tags: | ghcr.io/sozu-proxy/sozu:${{ steps.config.outputs.tag }} - name: Scan image using Grype - id: grype uses: anchore/scan-action@v5 with: image: ghcr.io/sozu-proxy/sozu:${{ steps.config.outputs.tag }} output-format: table + severity-cutoff: high ... diff --git a/Dockerfile b/Dockerfile index c89b90283..2bd94d926 100644 --- a/Dockerfile +++ b/Dockerfile @@ -38,9 +38,9 @@ RUN mkdir -p /var/lib/sozu # Install runtime dependencies RUN apk update && apk add --no-cache \ - llvm-libunwind \ - libgcc \ - ca-certificates + llvm-libunwind \ + libgcc \ + ca-certificates # Copy the built binary from the builder stage COPY --from=builder /usr/src/sozu/target/release/sozu /usr/local/bin/sozu
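Review bot: `severity-cutoff: high` combined with `output-format: table` leaves the scan result only in the job log, so findings below the cutoff — and every finding on a passing run — disappear with the log and nothing is recorded per image tag; `output-format: sarif` with the action's `sarif` output uploaded by `github/codeql-action/upload-sarif` keeps them in the repository's code-scanning view. Removing `id: grype` is consistent with nothing consuming the step's outputs, but the SARIF route would need the id back. The enclosing `ghcr` job and its preceding build step start outside this hunk.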