wip: rework containers for rootless images

2025-07-20 08:57:07 -05:00 · 2025-02-14 16:25:03 -08:00
parent 90a9473a5e
commit 1190357e81
8 changed files with 162 additions and 51 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -1,3 +1,3 @@
-**/bin
-**/obj
-**/node_modules
+# **/bin
+# **/obj
+# **/node_modules
--- a/Directory.Build.props
+++ b/Directory.Build.props
@ -7,7 +7,6 @@

    <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
    <ImplicitUsings>enable</ImplicitUsings>
-    <IncludeSourceRevisionInInformationalVersion>false</IncludeSourceRevisionInInformationalVersion>
  </PropertyGroup>

  <!--
@ -46,22 +45,4 @@
    <AutoFixtureAutoNSubstituteVersion>4.18.1</AutoFixtureAutoNSubstituteVersion>
  </PropertyGroup>

-  <!--
-    This section is for getting & setting the gitHash value, which can easily be accessed
-    via the Core.Utilities.AssemblyHelpers class.
-  -->
-  <Target Name="SetSourceRevisionId" BeforeTargets="CoreGenerateAssemblyInfo">
-    <Exec Command="git describe --long --always --dirty --exclude=* --abbrev=8" ConsoleToMSBuild="True" IgnoreExitCode="False">
-      <Output PropertyName="SourceRevisionId" TaskParameter="ConsoleOutput"/>
-    </Exec>
-  </Target>
-  <Target Name="WriteRevision" AfterTargets="SetSourceRevisionId">
-    <ItemGroup>
-      <AssemblyAttribute Include="System.Reflection.AssemblyMetadataAttribute">
-        <_Parameter1>GitHash</_Parameter1>
-        <_Parameter2>$(SourceRevisionId)</_Parameter2>
-      </AssemblyAttribute>
-    </ItemGroup>
-  </Target>
-
 </Project>
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,25 @@
+services:
+  api:
+    image: api
+    ports:
+      - "4000:5000"
+    environment:
+      globalSettings__DataProtection__directory: /home/app/.aspnet/DataProtection-Keys
+      globalSettings__selfHosted: true
+  identity:
+    image: identity
+    ports:
+      - "33656:5000"
+    environment:
+      globalSettings__DataProtection__directory: /home/app/.aspnet/DataProtection-Keys
+      globalSettings__selfHosted: true
+      globalSettings__IdentityServer__CertificateLocation: /home/app/config/identity.pfx
+    volumes:
+      - /tmp/server:/home/app/config # identity.pfx exists here
+  mssql:
+    image: bitwarden/mssql:2024.10.0
+    container_name: bitwarden-mssql
+    ports:
+      - "1433:1433"
+    environment:
+      ACCEPT_EULA: true
--- a/src/Api/.dockerignore
+++ b/src/Api/.dockerignore
@ -1,4 +1,4 @@
-*
-!obj/build-output/publish/*
-!obj/Docker/empty/
-!entrypoint.sh
+# *
+# !obj/build-output/publish/*
+# !obj/Docker/empty/
+# !entrypoint.sh
--- a/src/Api/Dockerfile
+++ b/src/Api/Dockerfile
@ -1,21 +1,73 @@
-FROM mcr.microsoft.com/dotnet/aspnet:8.0
+FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+
+WORKDIR /build
+COPY ../../ ./
+
+WORKDIR /build/src/Api
+
+RUN <<EOF
+  case "$TARGETPLATFORM" in
+    *"linux/amd64"*)
+      dotnet publish --self-contained /p:PublishSingleFile=true -r linux-x64 -o out
+      ;;
+    *"linux/arm64"*)
+      dotnet publish --self-contained /p:PublishSingleFile=true -r linux-arm64 -o out
+      ;;
+    *)
+      echo "unsupported target platform: $TARGETPLATFORM"
+      exit 1;;
+  esac
+EOF
+
+
+FROM ghcr.io/linuxserver/baseimage-ubuntu:noble

 LABEL com.bitwarden.product="bitwarden"

+# RUN apt-get update \
+#     && apt-get install -y --no-install-recommends \
+#     gosu \
+#     curl \
+#     krb5-user \
+#     && rm -rf /var/lib/apt/lists/*
+
+ENV APP_UID=1654
+ENV ASPNETCORE_HTTP_PORTS=8080
+ENV DOTNET_RUNNING_IN_CONTAINER=true
+
 RUN apt-get update \
    && apt-get install -y --no-install-recommends \
-    gosu \
-    curl \
-    krb5-user \
+        ca-certificates \
+        \
+        # .NET dependencies
+        libc6 \
+        libgcc-s1 \
+        # libicu70 \
+        libicu74 \
+        libssl3 \
+        libstdc++6 \
+        tzdata \
+        zlib1g \
    && rm -rf /var/lib/apt/lists/*

+# Create a non-root user and group
+RUN groupadd \
+        --gid=$APP_UID \
+        app \
+    && useradd -l \
+        --uid=$APP_UID \
+        --gid=$APP_UID \
+        --create-home \
+        app
+
+EXPOSE 5000
+
+USER app
+ENV HOME=/home/app
 ENV ASPNETCORE_URLS http://+:5000
 WORKDIR /app
-EXPOSE 5000
-COPY obj/build-output/publish .
-COPY entrypoint.sh /
-RUN chmod +x /entrypoint.sh
-
+COPY --from=build /build/src/Api/out /app
 HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1
-
-ENTRYPOINT ["/entrypoint.sh"]
+ENTRYPOINT ["./Api"]
--- a/src/Core/Settings/GlobalSettings.cs
+++ b/src/Core/Settings/GlobalSettings.cs
@ -336,6 +336,7 @@ public class GlobalSettings : IGlobalSettings

    public class IdentityServerSettings
    {
+        public string CertificateLocation { get; set; } = "identity.pfx";
        public string CertificateThumbprint { get; set; }
        public string CertificatePassword { get; set; }
        public string RedisConnectionString { get; set; }
--- a/src/Core/Utilities/CoreHelpers.cs
+++ b/src/Core/Utilities/CoreHelpers.cs
@ -656,9 +656,9 @@ public static class CoreHelpers
    {
        if (globalSettings.SelfHosted &&
            SettingHasValue(globalSettings.IdentityServer.CertificatePassword)
-            && File.Exists("identity.pfx"))
+            && File.Exists(globalSettings.IdentityServer.CertificateLocation))
        {
-            return GetCertificate("identity.pfx",
+            return GetCertificate(globalSettings.IdentityServer.CertificateLocation,
                globalSettings.IdentityServer.CertificatePassword);
        }
        else if (SettingHasValue(globalSettings.IdentityServer.CertificateThumbprint))
--- a/src/Identity/Dockerfile
+++ b/src/Identity/Dockerfile
@ -1,21 +1,73 @@
-FROM mcr.microsoft.com/dotnet/aspnet:8.0
+FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+
+WORKDIR /build
+COPY ../../ ./
+
+WORKDIR /build/src/Identity
+
+RUN <<EOF
+  case "$TARGETPLATFORM" in
+    *"linux/amd64"*)
+      dotnet publish --self-contained /p:PublishSingleFile=true -r linux-x64 -o out
+      ;;
+    *"linux/arm64"*)
+      dotnet publish --self-contained /p:PublishSingleFile=true -r linux-arm64 -o out
+      ;;
+    *)
+      echo "unsupported target platform: $TARGETPLATFORM"
+      exit 1;;
+  esac
+EOF
+
+
+FROM ghcr.io/linuxserver/baseimage-ubuntu:noble

 LABEL com.bitwarden.product="bitwarden"

+# RUN apt-get update \
+#     && apt-get install -y --no-install-recommends \
+#     gosu \
+#     curl \
+#     krb5-user \
+#     && rm -rf /var/lib/apt/lists/*
+
+ENV APP_UID=1654
+ENV ASPNETCORE_HTTP_PORTS=8080
+ENV DOTNET_RUNNING_IN_CONTAINER=true
+
 RUN apt-get update \
    && apt-get install -y --no-install-recommends \
-    gosu \
-    curl \
-    krb5-user \
+        ca-certificates \
+        \
+        # .NET dependencies
+        libc6 \
+        libgcc-s1 \
+        # libicu70 \
+        libicu74 \
+        libssl3 \
+        libstdc++6 \
+        tzdata \
+        zlib1g \
    && rm -rf /var/lib/apt/lists/*

-ENV ASPNETCORE_URLS http://+:5000
-WORKDIR /app
+# Create a non-root user and group
+RUN groupadd \
+        --gid=$APP_UID \
+        app \
+    && useradd -l \
+        --uid=$APP_UID \
+        --gid=$APP_UID \
+        --create-home \
+        app
+
 EXPOSE 5000
-COPY obj/build-output/publish .
-COPY entrypoint.sh /
-RUN chmod +x /entrypoint.sh

-HEALTHCHECK CMD curl -f http://localhost:5000/.well-known/openid-configuration || exit 1
-
-ENTRYPOINT ["/entrypoint.sh"]
+USER app
+ENV HOME=/home/app
+ENV ASPNETCORE_URLS=http://+:5000
+WORKDIR /app
+COPY --from=build /build/src/Identity/out /app
+HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1
+ENTRYPOINT ["./Identity"]