From 92c70a2b3b750f508d24838c8b2e8731c027de6f Mon Sep 17 00:00:00 2001
From: aj-bw <81774843+aj-bw@users.noreply.github.com>
Date: Mon, 28 Jul 2025 10:58:21 -0400
Subject: [PATCH] BRE-924/update-unified-to-alpine (#380)
* switch to alpine
* add su-exec package and update script
* build testing
* add missing dep for app stage
* test entrypoint fix
* troubleshooting hbs nginx
* reset build workflow to latest main
---
 docker-unified/Dockerfile | 28 ++++++++++++++--------------
 docker-unified/entrypoint.sh | 22 +++++++++++++++-------
 2 files changed, 29 insertions(+), 21 deletions(-)
diff --git a/docker-unified/Dockerfile b/docker-unified/Dockerfile
index ceaaab2..0d61a55 100644
--- a/docker-unified/Dockerfile
+++ b/docker-unified/Dockerfile
@@ -2,15 +2,14 @@
 ###############################################
 # Build stage #
 ###############################################
-FROM --platform=$BUILDPLATFORM debian AS web-setup
+FROM --platform=$BUILDPLATFORM alpine:3.21 AS web-setup
 # Add packages
-RUN apt-get update && apt-get install -y \
+RUN apk add --no-cache \
 curl \
 jq \
 unzip \
- git \
- && rm -rf /var/lib/apt/lists/*
+ git
 WORKDIR /tmp
@@ -34,7 +33,7 @@ RUN VERSION=$(cat version.txt) \
 ###############################################
 # Build stage #
 ###############################################
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0 AS dotnet-build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0-alpine3.21 AS dotnet-build
 # Docker buildx supplies the value for this arg
 ARG TARGETPLATFORM
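Review bot: The new `RUN apk add --no-cache curl jq unzip git` installs unpinned packages, so two builds of the same Dockerfile can produce different package sets (hadolint DL3018); the same applies to the `apk add` lines in hunks @@ -42,18, @@ -208,7 and @@ -216,7. Alpine's repositories do not keep superseded package versions, so exact `pkg=version` pins tend to break builds a few weeks later; the practical alternative is to pin the `FROM alpine:3.21` and `FROM …sdk:8.0-alpine3.21` bases by digest (`alpine:3.21@sha256:<digest>`) so the installable package set is fixed by the base image and moves only when the digest is bumped deliberately. Whichever route is chosen, a short comment such as `# Package versions are fixed by the base-image digest; bump the digest to pick up updates` records the decision for the next maintainer.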
@@ -42,18 +41,17 @@ ARG TARGETPLATFORM
 # Determine proper runtime value for .NET
 # We put the value in a file to be read by later layers.
 RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
- RID=linux-x64 ; \
+ RID=linux-musl-x64 ; \
 elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
- RID=linux-arm64 ; \
+ RID=linux-musl-arm64 ; \
 elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
- RID=linux-arm ; \
+ RID=linux-musl-arm ; \
 fi \
 && echo "RID=$RID" > /tmp/rid.txt
 # Add packages
-RUN apt-get update && apt-get install -y \
- npm \
- && rm -rf /var/lib/apt/lists/*
+RUN apk add --no-cache \
+ npm
 # Copy csproj files as distinct layers
 WORKDIR /source
@@ -172,7 +170,7 @@ RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Scim --no-restore --no-s
 ###############################################
 # App stage #
 ###############################################
-FROM mcr.microsoft.com/dotnet/aspnet:8.0
+FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine3.21
 ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
 LABEL com.bitwarden.project="unified"
@@ -208,7 +206,7 @@ ENV globalSettings__logDirectoryByProject="false"
 ENV globalSettings__logRollBySizeLimit="1073741824"
 # Add packages
-RUN apt-get update && apt-get install -y \
+RUN apk add --no-cache \
 curl \
 jq \
 nginx \
@@ -216,7 +214,9 @@ RUN apt-get update && apt-get install -y \
 supervisor \
 tzdata \
 unzip \
- && rm -rf /var/lib/apt/lists/*
+ su-exec \
+ icu-libs \
+ gcompat
 # Create required directories
 RUN mkdir -p /etc/bitwarden/attachments/send
diff --git a/docker-unified/entrypoint.sh b/docker-unified/entrypoint.sh
index a04337c..dd62f6c 100755
--- a/docker-unified/entrypoint.sh
+++ b/docker-unified/entrypoint.sh
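Review bot: The `if/elif` chain that now assigns the `linux-musl-*` RIDs still has no `else`, so a build for any other `$TARGETPLATFORM` writes `RID=` to `/tmp/rid.txt` and the failure only surfaces at the later `dotnet publish`, far from the cause. Adding `else echo "unsupported TARGETPLATFORM: $TARGETPLATFORM" >&2 ; exit 1 ; \` before `fi \` fails the build at the point where the mapping is decided. A one-line comment that the `musl` identifiers are required because the SDK and runtime stages are now Alpine-based would also stop a later reader from reverting them to the glibc names.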
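Review bot: The three packages appended to the app-stage list, `su-exec`, `icu-libs` and `gcompat`, arrive without a word on why the runtime image needs them, and the commit message only says "add missing dep for app stage". `su-exec` is what the new entrypoint.sh uses to drop privileges before starting supervisord, so that one is traceable from this diff; `icu-libs` presumably satisfies .NET's ICU dependency on musl, and which component needs the glibc-compatibility shim `gcompat` is not visible here, so both should be confirmed and recorded, e.g. `# su-exec: privilege drop in entrypoint.sh; icu-libs: ICU for .NET globalization; gcompat: glibc shim for <component — TODO name it>`. `gcompat` also adds a glibc emulation layer to the production image; if the dependent component can be built against musl instead, dropping it keeps the runtime closer to the stock Alpine base.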
@@ -1,15 +1,15 @@
-#!/bin/bash
+#!/bin/sh
 # Set up user group
 PGID="${PGID:-1000}"
-addgroup --gid $PGID bitwarden
+addgroup -g $PGID bitwarden
 # Set up user
 PUID="${PUID:-1000}"
-adduser --no-create-home --shell /bin/bash --disabled-password --uid $PUID --gid $PGID --gecos "" bitwarden
+adduser -D -H -u $PUID -G bitwarden bitwarden
 # Translate environment variables for application settings
-VAULT_SERVICE_URI=https://$BW_DOMAIN
+VAULT_SERVICE_URI=https://${BW_DOMAIN:-localhost}
 MYSQL_CONNECTION_STRING="server=$BW_DB_SERVER;port=${BW_DB_PORT:-3306};database=$BW_DB_DATABASE;user=$BW_DB_USERNAME;password=$BW_DB_PASSWORD"
 POSTGRESQL_CONNECTION_STRING="Host=$BW_DB_SERVER;Port=${BW_DB_PORT:-5432};Database=$BW_DB_DATABASE;Username=$BW_DB_USERNAME;Password=$BW_DB_PASSWORD"
 SQLSERVER_CONNECTION_STRING="Server=$BW_DB_SERVER,${BW_DB_PORT:-1433};Database=$BW_DB_DATABASE;User Id=$BW_DB_USERNAME;Password=$BW_DB_PASSWORD;Encrypt=True;TrustServerCertificate=True"
@@ -64,7 +64,10 @@ cp /etc/bitwarden/identity.pfx /app/Identity/identity.pfx
 cp /etc/bitwarden/identity.pfx /app/Sso/identity.pfx
 # Generate SSL certificates
-if [ "$BW_ENABLE_SSL" = "true" -a ! -f /etc/bitwarden/${BW_SSL_KEY:-ssl.key} ]; then
+if [ "$BW_ENABLE_SSL" = "true" ] && [ ! -f /etc/bitwarden/${BW_SSL_KEY:-ssl.key} ]; then
+ TMP_OPENSSL_CONF="/tmp/openssl_san.cnf"
+ cat /usr/lib/ssl/openssl.cnf > "$TMP_OPENSSL_CONF"
+ printf "\n[SAN]\nsubjectAltName=DNS:${BW_DOMAIN:-localhost}\nbasicConstraints=CA:true\n" >> "$TMP_OPENSSL_CONF"
 openssl req \
 -x509 \
 -newkey rsa:4096 \
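Review bot: `addgroup -g $PGID bitwarden` and `adduser -D -H -u $PUID -G bitwarden bitwarden` interpolate PUID and PGID unquoted and unvalidated, and no `set -e` is visible after the new `#!/bin/sh` shebang, so a non-numeric or already-taken id makes both commands fail while the script carries on and the later `chown -R` and `su-exec` still receive whatever value was supplied. A numeric check right after the defaults fails fast instead: `for v in "$PUID" "$PGID"; do case "$v" in ''|*[!0-9]*) echo "PUID and PGID must be numeric" >&2; exit 1;; esac; done`. Note also that the removed `adduser --shell /bin/bash` is not carried over, so the account now gets BusyBox adduser's default shell; if anything depends on the login shell it should be set explicitly with `-s`.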
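Review bot: `cat /usr/lib/ssl/openssl.cnf > "$TMP_OPENSSL_CONF"` keeps the Debian location of the OpenSSL config, but this commit moves the app stage to `aspnet:8.0-alpine3.21`, where the openssl package installs its config under `/etc/ssl` (its OPENSSLDIR); if the file is absent, `cat` fails, the redirection leaves a file holding only the `[SAN]` section, and since the failure is not checked `openssl req` runs against that truncated config. Resolve the path from the installed library and stop on failure: `cat "$(openssl version -d | cut -d'"' -f2)/openssl.cnf" > "$TMP_OPENSSL_CONF" || exit 1`. The app-stage `apk add` list shown in this diff does not include the `openssl` CLI package either (one line of that list is outside the hunks), so it is worth confirming the base image ships the binary. The fixed `/tmp/openssl_san.cnf` name could come from `mktemp` instead, though the script runs as root in a fresh container so that is a style point; the `if` block continues in the next hunk.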
@@ -75,8 +78,9 @@ if [ "$BW_ENABLE_SSL" = "true" -a ! -f /etc/bitwarden/${BW_SSL_KEY:-ssl.key} ];
 -out /etc/bitwarden/${BW_SSL_CERT:-ssl.crt} \
 -reqexts SAN \
 -extensions SAN \
- -config <(cat /usr/lib/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:${BW_DOMAIN:-localhost}\nbasicConstraints=CA:true")) \
+ -config "$TMP_OPENSSL_CONF" \
 -subj "/C=US/ST=California/L=Santa Barbara/O=Bitwarden Inc./OU=Bitwarden/CN=${BW_DOMAIN:-localhost}"
+ rm "$TMP_OPENSSL_CONF"
 fi
 # Launch a loop to rotate nginx logs on a daily basis
@@ -105,4 +109,8 @@ chown -R $PUID:$PGID \
 /var/run/nginx \
 /run
-exec setpriv --reuid=$PUID --regid=$PGID --init-groups /usr/bin/supervisord
\ No newline at end of file
+if command -v su-exec >/dev/null 2>&1; then
+ exec su-exec $PUID:$PGID /usr/bin/supervisord
+else
+ exec /usr/bin/supervisord
+fi
\ No newline at end of file
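Review bot: The new `else exec /usr/bin/supervisord` branch starts supervisord, and every service it spawns, as root whenever `su-exec` is missing, whereas the removed `setpriv` line always dropped to `$PUID:$PGID`; since this same commit installs `su-exec` in the app stage, the fallback can only ever mask a broken image, and it does so silently. Fail instead of falling back: `exec su-exec "$PUID:$PGID" /usr/bin/supervisord` with no `if`, or keep the check and replace the else-branch with `echo "su-exec not found; refusing to start as root" >&2; exit 1`. The `chown -R $PUID:$PGID` above the hunk is unquoted in the same way, so a PUID containing whitespace would be word-split there too; quoting `"$PUID:$PGID"` in both places costs nothing. The file still ends without a trailing newline.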