Docker improvements (#6075)

* use chown and chmod flags on COPY commands in the Dockerfile in order to save a lot of space by not having duplicate layers

Signed-off-by: Amndeep Singh Mann <[email protected]>

* explore doing a multistage build using a macos runner for heimdall lite

Signed-off-by: Amndeep Singh Mann <[email protected]>

* easier way to trigger the workflow

Signed-off-by: Amndeep Singh Mann <[email protected]>

* apparently the macos runners don't include docker by default - moving the setup buildx command earlier since it'll hopefully install docker then

Signed-off-by: Amndeep Singh Mann <[email protected]>

* Reverting back to ubuntu-22.04 instead of using macos-14; however, now am experimenting with QEMU to do the emulation.

Turns out that we need at least macos-15 and m3 chip runners in order to support virtualization properly.  Currently, the runner version is on 14 and m1.

Signed-off-by: Amndeep Singh Mann <[email protected]>

* fixed mixed capitalization of docker keywords

Signed-off-by: Amndeep Singh Mann <[email protected]>

* experiment failed

Signed-off-by: Amndeep Singh Mann <[email protected]>

* update build-push-action version to 6

Signed-off-by: Amndeep Singh Mann <[email protected]>

---------

Signed-off-by: Amndeep Singh Mann <[email protected]>

.github/workflows/push-lite-to-docker.yml

@@ -8,21 +8,21 @@ jobs:
   docker:
     runs-on: ubuntu-22.04
     steps:
+      - name: Checkout the Heimdall Repository
+        uses: actions/checkout@v4
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Login to DockerHub
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Checkout the Heimdall Repository
-        uses: actions/checkout@v4
       - name: Build and push
         id: docker_build
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: Dockerfile.lite
           push: true
-          platforms: 'linux/amd64'
+          platforms: linux/amd64
           tags: mitre/heimdall-lite:latest

.github/workflows/push-server-to-docker.yml

@@ -21,9 +21,9 @@ jobs:
           fetch-depth: 0
       - name: Build and push
         id: docker_build
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: true
-          platforms: 'linux/amd64'
+          platforms: linux/amd64
           tags: mitre/heimdall2:latest

.github/workflows/release-lite-to-docker.yml

@@ -8,8 +8,6 @@ jobs:
   docker:
     runs-on: ubuntu-22.04
     steps:
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
       - name: Run string replace # remove the v from the version number before using it in the docker tag
         uses: frabert/replace-string-action@v2
         id: format-tag
@@ -18,19 +16,21 @@ jobs:
           string: '${{ github.event.release.tag_name }}'
           replace-with: ''
           flags: 'g'
+      - name: Checkout the Heimdall Repository
+        uses: actions/checkout@v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
       - name: Login to DockerHub
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Checkout the Heimdall Repository
-        uses: actions/checkout@v4
       - name: Build and push
         id: docker_build
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: Dockerfile.lite
           push: true
-          platforms: 'linux/amd64'
+          platforms: linux/amd64
           tags: mitre/heimdall-lite:release-latest,mitre/heimdall-lite:${{ steps.format-tag.outputs.replaced }}

.github/workflows/release-server-to-docker.yml

@@ -13,13 +13,6 @@ jobs:
   docker:
     runs-on: ubuntu-22.04
     steps:
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Login to DockerHub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Run string replace # remove the v from the version number before using it in the docker tag
         uses: frabert/replace-string-action@v2
         id: format-tag
@@ -30,13 +23,20 @@ jobs:
           flags: 'g'
       - name: Checkout the Heimdall Repository
         uses: actions/checkout@v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Build and push
         id: docker_build
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: true
-          platforms: 'linux/amd64'
+          platforms: linux/amd64
           tags: mitre/heimdall2:release-latest,mitre/heimdall2:${{ steps.format-tag.outputs.replaced }}
       - name: Get Docker SHA
         shell: bash

Dockerfile

@@ -41,25 +41,22 @@ WORKDIR /app
 
 RUN curl -sL https://dl.yarnpkg.com/rpm/yarn.repo -o /etc/yum.repos.d/yarn.repo && microdnf install -y yarn && microdnf clean all && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.*
 
-COPY --from=builder /src/package.json ./
-COPY --from=builder /src/apps/backend/package.json apps/backend/
+COPY --from=builder --chown=1001 /src/package.json ./
+COPY --from=builder --chown=1001 /src/apps/backend/package.json apps/backend/
 
-COPY --from=builder /src/apps/backend/node_modules apps/backend/node_modules
-COPY --from=builder /src/apps/backend/.sequelizerc apps/backend/
-COPY --from=builder /src/apps/backend/db apps/backend/db
-COPY --from=builder /src/apps/backend/config apps/backend/config
-COPY --from=builder /src/apps/backend/migrations apps/backend/migrations
-COPY --from=builder /src/apps/backend/seeders apps/backend/seeders
+COPY --from=builder --chown=1001 /src/apps/backend/node_modules apps/backend/node_modules
+COPY --from=builder --chown=1001 /src/apps/backend/.sequelizerc apps/backend/
+COPY --from=builder --chown=1001 /src/apps/backend/db apps/backend/db
+COPY --from=builder --chown=1001 /src/apps/backend/config apps/backend/config
+COPY --from=builder --chown=1001 /src/apps/backend/migrations apps/backend/migrations
+COPY --from=builder --chown=1001 /src/apps/backend/seeders apps/backend/seeders
 
-COPY --from=builder /src/libs/password-complexity/ libs/password-complexity
+COPY --from=builder --chown=1001 /src/libs/password-complexity/ libs/password-complexity
 
-COPY --from=builder /src/apps/backend/dist apps/backend/dist
-COPY --from=builder /src/dist/ dist/
+COPY --from=builder --chown=1001 /src/apps/backend/dist apps/backend/dist
+COPY --from=builder --chown=1001 /src/dist/ dist/
 
-RUN chown -R 1001 .
-
-COPY cmd.sh /usr/local/bin/
-RUN chmod 755 /usr/local/bin/cmd.sh
+COPY --chmod=755 cmd.sh /usr/local/bin/
 
 USER 1001
 

Dockerfile.lite

@@ -1,7 +1,7 @@
 ARG BUILD_CONTAINER=registry.access.redhat.com/ubi8/nodejs-18-minimal:1
 ARG BASE_CONTAINER=nginx:alpine
 
-FROM $BUILD_CONTAINER as builder
+FROM $BUILD_CONTAINER AS builder
 
 ARG NODE_ENV=production
 ENV NODE_ENV=$NODE_ENV
@@ -30,7 +30,7 @@ COPY libs ./libs
 
 RUN yarn frontend build
 
-FROM $BASE_CONTAINER as production-stage
+FROM $BASE_CONTAINER AS production-stage
 
 EXPOSE 80