nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-07-25 11:31:10 -05:00
Code Activity

wip: rework containers for rootless images

Browse Source
This commit is contained in:
tangowithfoxtrot
2025-02-14 16:25:03 -08:00
parent 90a9473a5e
commit 1190357e81
8 changed files with 162 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
.dockerignore
View File

@ -1,3 +1,3 @@
**/bin # **/bin
**/obj # **/obj
**/node_modules # **/node_modules

19
Directory.Build.props
View File

@ -7,7 +7,6 @@
<RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace> <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
<ImplicitUsings>enable</ImplicitUsings> <ImplicitUsings>enable</ImplicitUsings>
<IncludeSourceRevisionInInformationalVersion>false</IncludeSourceRevisionInInformationalVersion>
</PropertyGroup> </PropertyGroup>
<!-- <!--
@ -46,22 +45,4 @@
<AutoFixtureAutoNSubstituteVersion>4.18.1</AutoFixtureAutoNSubstituteVersion> <AutoFixtureAutoNSubstituteVersion>4.18.1</AutoFixtureAutoNSubstituteVersion>
</PropertyGroup> </PropertyGroup>
<!--
This section is for getting & setting the gitHash value, which can easily be accessed
via the Core.Utilities.AssemblyHelpers class.
-->
<Target Name="SetSourceRevisionId" BeforeTargets="CoreGenerateAssemblyInfo">
<Exec Command="git describe --long --always --dirty --exclude=* --abbrev=8" ConsoleToMSBuild="True" IgnoreExitCode="False">
<Output PropertyName="SourceRevisionId" TaskParameter="ConsoleOutput"/>
</Exec>
</Target>
<Target Name="WriteRevision" AfterTargets="SetSourceRevisionId">
<ItemGroup>
<AssemblyAttribute Include="System.Reflection.AssemblyMetadataAttribute">
<_Parameter1>GitHash</_Parameter1>
<_Parameter2>$(SourceRevisionId)</_Parameter2>
</AssemblyAttribute>
</ItemGroup>
</Target>
</Project> </Project>

25
docker-compose.yml Normal file
View File

@ -0,0 +1,25 @@
services:
api:
image: api
ports:
- "4000:5000"
environment:
globalSettings__DataProtection__directory: /home/app/.aspnet/DataProtection-Keys
globalSettings__selfHosted: true
identity:
image: identity
ports:
- "33656:5000"
environment:
globalSettings__DataProtection__directory: /home/app/.aspnet/DataProtection-Keys
globalSettings__selfHosted: true
globalSettings__IdentityServer__CertificateLocation: /home/app/config/identity.pfx
volumes:
- /tmp/server:/home/app/config # identity.pfx exists here
mssql:
image: bitwarden/mssql:2024.10.0
container_name: bitwarden-mssql
ports:
- "1433:1433"
environment:
ACCEPT_EULA: true

8
src/Api/.dockerignore
View File

@ -1,4 +1,4 @@
* # *
!obj/build-output/publish/* # !obj/build-output/publish/*
!obj/Docker/empty/ # !obj/Docker/empty/
!entrypoint.sh # !entrypoint.sh

74
src/Api/Dockerfile
View File

@ -1,21 +1,73 @@
FROM mcr.microsoft.com/dotnet/aspnet:8.0 FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
ARG TARGETPLATFORM
ARG BUILDPLATFORM
WORKDIR /build
COPY ../../ ./
WORKDIR /build/src/Api
RUN <<EOF
case "$TARGETPLATFORM" in
*"linux/amd64"*)
dotnet publish --self-contained /p:PublishSingleFile=true -r linux-x64 -o out
;;
*"linux/arm64"*)
dotnet publish --self-contained /p:PublishSingleFile=true -r linux-arm64 -o out
;;
*)
echo "unsupported target platform: $TARGETPLATFORM"
exit 1;;
esac
EOF
FROM ghcr.io/linuxserver/baseimage-ubuntu:noble
LABEL com.bitwarden.product="bitwarden" LABEL com.bitwarden.product="bitwarden"
# RUN apt-get update \
# && apt-get install -y --no-install-recommends \
# gosu \
# curl \
# krb5-user \
# && rm -rf /var/lib/apt/lists/*
ENV APP_UID=1654
ENV ASPNETCORE_HTTP_PORTS=8080
ENV DOTNET_RUNNING_IN_CONTAINER=true
RUN apt-get update \ RUN apt-get update \
&& apt-get install -y --no-install-recommends \ && apt-get install -y --no-install-recommends \
gosu \ ca-certificates \
curl \ \
krb5-user \ # .NET dependencies
libc6 \
libgcc-s1 \
# libicu70 \
libicu74 \
libssl3 \
libstdc++6 \
tzdata \
zlib1g \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
# Create a non-root user and group
RUN groupadd \
--gid=$APP_UID \
app \
&& useradd -l \
--uid=$APP_UID \
--gid=$APP_UID \
--create-home \
app
EXPOSE 5000
USER app
ENV HOME=/home/app
ENV ASPNETCORE_URLS http://+:5000 ENV ASPNETCORE_URLS http://+:5000
WORKDIR /app WORKDIR /app
EXPOSE 5000 COPY --from=build /build/src/Api/out /app
COPY obj/build-output/publish .
COPY entrypoint.sh /
RUN chmod +x /entrypoint.sh
HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1 HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1
ENTRYPOINT ["./Api"]
ENTRYPOINT ["/entrypoint.sh"]

1
src/Core/Settings/GlobalSettings.cs
View File

@ -336,6 +336,7 @@ public class GlobalSettings : IGlobalSettings
public class IdentityServerSettings public class IdentityServerSettings
{ {
public string CertificateLocation { get; set; } = "identity.pfx";
public string CertificateThumbprint { get; set; } public string CertificateThumbprint { get; set; }
public string CertificatePassword { get; set; } public string CertificatePassword { get; set; }
public string RedisConnectionString { get; set; } public string RedisConnectionString { get; set; }

4
src/Core/Utilities/CoreHelpers.cs
View File

@ -656,9 +656,9 @@ public static class CoreHelpers
{ {
if (globalSettings.SelfHosted && if (globalSettings.SelfHosted &&
SettingHasValue(globalSettings.IdentityServer.CertificatePassword) SettingHasValue(globalSettings.IdentityServer.CertificatePassword)
&& File.Exists("identity.pfx")) && File.Exists(globalSettings.IdentityServer.CertificateLocation))
{ {
return GetCertificate("identity.pfx", return GetCertificate(globalSettings.IdentityServer.CertificateLocation,
globalSettings.IdentityServer.CertificatePassword); globalSettings.IdentityServer.CertificatePassword);
} }
else if (SettingHasValue(globalSettings.IdentityServer.CertificateThumbprint)) else if (SettingHasValue(globalSettings.IdentityServer.CertificateThumbprint))

76
src/Identity/Dockerfile
View File

@ -1,21 +1,73 @@
FROM mcr.microsoft.com/dotnet/aspnet:8.0 FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
ARG TARGETPLATFORM
ARG BUILDPLATFORM
WORKDIR /build
COPY ../../ ./
WORKDIR /build/src/Identity
RUN <<EOF
case "$TARGETPLATFORM" in
*"linux/amd64"*)
dotnet publish --self-contained /p:PublishSingleFile=true -r linux-x64 -o out
;;
*"linux/arm64"*)
dotnet publish --self-contained /p:PublishSingleFile=true -r linux-arm64 -o out
;;
*)
echo "unsupported target platform: $TARGETPLATFORM"
exit 1;;
esac
EOF
FROM ghcr.io/linuxserver/baseimage-ubuntu:noble
LABEL com.bitwarden.product="bitwarden" LABEL com.bitwarden.product="bitwarden"
# RUN apt-get update \
# && apt-get install -y --no-install-recommends \
# gosu \
# curl \
# krb5-user \
# && rm -rf /var/lib/apt/lists/*
ENV APP_UID=1654
ENV ASPNETCORE_HTTP_PORTS=8080
ENV DOTNET_RUNNING_IN_CONTAINER=true
RUN apt-get update \ RUN apt-get update \
&& apt-get install -y --no-install-recommends \ && apt-get install -y --no-install-recommends \
gosu \ ca-certificates \
curl \ \
krb5-user \ # .NET dependencies
libc6 \
libgcc-s1 \
# libicu70 \
libicu74 \
libssl3 \
libstdc++6 \
tzdata \
zlib1g \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
ENV ASPNETCORE_URLS http://+:5000 # Create a non-root user and group
WORKDIR /app RUN groupadd \
--gid=$APP_UID \
app \
&& useradd -l \
--uid=$APP_UID \
--gid=$APP_UID \
--create-home \
app
EXPOSE 5000 EXPOSE 5000
COPY obj/build-output/publish .
COPY entrypoint.sh /
RUN chmod +x /entrypoint.sh
HEALTHCHECK CMD curl -f http://localhost:5000/.well-known/openid-configuration || exit 1 USER app
ENV HOME=/home/app
ENTRYPOINT ["/entrypoint.sh"] ENV ASPNETCORE_URLS=http://+:5000
WORKDIR /app
COPY --from=build /build/src/Identity/out /app
HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1
ENTRYPOINT ["./Identity"]