BRE-924/update-unified-to-alpine (#380)

* switch to alpine * add su-exec package and update script * build testing * add missing dep for app stage * test entrypoint fix * troubleshooting hbs nginx * reset build workflow to latest main
5 months ago · 92c70a2b3b
2 changed files with 29 additions and 21 deletions
--- a/docker-unified/Dockerfile
+++ b/docker-unified/Dockerfile
@ -2,15 +2,14 @@
 ###############################################
 #                 Build stage                 #
 ###############################################
-FROM --platform=$BUILDPLATFORM debian AS web-setup
+FROM --platform=$BUILDPLATFORM alpine:3.21 AS web-setup
 # Add packages
-RUN apt-get update && apt-get install -y \
+RUN apk add --no-cache \
    curl \
    jq \
    unzip \
-    git \
+    git
    && rm -rf /var/lib/apt/lists/*
 WORKDIR /tmp
@ -34,7 +33,7 @@ RUN VERSION=$(cat version.txt) \
 ###############################################
 #                 Build stage                 #
 ###############################################
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0 AS dotnet-build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0-alpine3.21 AS dotnet-build
 # Docker buildx supplies the value for this arg
 ARG TARGETPLATFORM
@ -42,18 +41,17 @@ ARG TARGETPLATFORM
 # Determine proper runtime value for .NET
 # We put the value in a file to be read by later layers.
 RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
-      RID=linux-x64 ; \
+      RID=linux-musl-x64 ; \
    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
-      RID=linux-arm64 ; \
+      RID=linux-musl-arm64 ; \
    elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
-      RID=linux-arm ; \
+      RID=linux-musl-arm ; \
    fi \
    && echo "RID=$RID" > /tmp/rid.txt
 # Add packages
-RUN apt-get update && apt-get install -y \
+RUN apk add --no-cache \
-    npm \
+    npm
    && rm -rf /var/lib/apt/lists/*
 # Copy csproj files as distinct layers
 WORKDIR /source
@ -172,7 +170,7 @@ RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Scim --no-restore --no-s
 ###############################################
 #                  App stage                  #
 ###############################################
-FROM mcr.microsoft.com/dotnet/aspnet:8.0
+FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine3.21
 ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
 LABEL com.bitwarden.project="unified"
@ -208,7 +206,7 @@ ENV globalSettings__logDirectoryByProject="false"
 ENV globalSettings__logRollBySizeLimit="1073741824"
 # Add packages
-RUN apt-get update && apt-get install -y \
+RUN apk add --no-cache \
    curl \
    jq \
    nginx \
@ -216,7 +214,9 @@ RUN apt-get update && apt-get install -y \
    supervisor \
    tzdata \
    unzip \
-    && rm -rf /var/lib/apt/lists/*
+    su-exec \
    icu-libs \
    gcompat
 # Create required directories
 RUN mkdir -p /etc/bitwarden/attachments/send
--- a/docker-unified/entrypoint.sh
+++ b/docker-unified/entrypoint.sh
@ -1,15 +1,15 @@
-#!/bin/bash
+#!/bin/sh
 # Set up user group
 PGID="${PGID:-1000}"
-addgroup --gid $PGID bitwarden
+addgroup -g $PGID bitwarden
 # Set up user
 PUID="${PUID:-1000}"
-adduser --no-create-home --shell /bin/bash --disabled-password --uid $PUID --gid $PGID --gecos "" bitwarden
+adduser -D -H -u $PUID -G bitwarden bitwarden
 # Translate environment variables for application settings
-VAULT_SERVICE_URI=https://$BW_DOMAIN
+VAULT_SERVICE_URI=https://${BW_DOMAIN:-localhost}
 MYSQL_CONNECTION_STRING="server=$BW_DB_SERVER;port=${BW_DB_PORT:-3306};database=$BW_DB_DATABASE;user=$BW_DB_USERNAME;password=$BW_DB_PASSWORD"
 POSTGRESQL_CONNECTION_STRING="Host=$BW_DB_SERVER;Port=${BW_DB_PORT:-5432};Database=$BW_DB_DATABASE;Username=$BW_DB_USERNAME;Password=$BW_DB_PASSWORD"
 SQLSERVER_CONNECTION_STRING="Server=$BW_DB_SERVER,${BW_DB_PORT:-1433};Database=$BW_DB_DATABASE;User Id=$BW_DB_USERNAME;Password=$BW_DB_PASSWORD;Encrypt=True;TrustServerCertificate=True"
@ -64,7 +64,10 @@ cp /etc/bitwarden/identity.pfx /app/Identity/identity.pfx
 cp /etc/bitwarden/identity.pfx /app/Sso/identity.pfx
 # Generate SSL certificates
-if [ "$BW_ENABLE_SSL" = "true" -a ! -f /etc/bitwarden/${BW_SSL_KEY:-ssl.key} ]; then
+if [ "$BW_ENABLE_SSL" = "true" ] && [ ! -f /etc/bitwarden/${BW_SSL_KEY:-ssl.key} ]; then
  TMP_OPENSSL_CONF="/tmp/openssl_san.cnf"
  cat /usr/lib/ssl/openssl.cnf > "$TMP_OPENSSL_CONF"
  printf "\n[SAN]\nsubjectAltName=DNS:${BW_DOMAIN:-localhost}\nbasicConstraints=CA:true\n" >> "$TMP_OPENSSL_CONF"
  openssl req \
  -x509 \
  -newkey rsa:4096 \
@ -75,8 +78,9 @@ if [ "$BW_ENABLE_SSL" = "true" -a ! -f /etc/bitwarden/${BW_SSL_KEY:-ssl.key} ];
  -out /etc/bitwarden/${BW_SSL_CERT:-ssl.crt} \
  -reqexts SAN \
  -extensions SAN \
-  -config <(cat /usr/lib/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:${BW_DOMAIN:-localhost}\nbasicConstraints=CA:true")) \
+  -config "$TMP_OPENSSL_CONF" \
  -subj "/C=US/ST=California/L=Santa Barbara/O=Bitwarden Inc./OU=Bitwarden/CN=${BW_DOMAIN:-localhost}"
  rm "$TMP_OPENSSL_CONF"
 fi
 # Launch a loop to rotate nginx logs on a daily basis
@ -105,4 +109,8 @@ chown -R $PUID:$PGID \
    /var/run/nginx \
    /run
-exec setpriv --reuid=$PUID --regid=$PGID --init-groups /usr/bin/supervisord
+if command -v su-exec >/dev/null 2>&1; then
  exec su-exec $PUID:$PGID /usr/bin/supervisord
 else
  exec /usr/bin/supervisord
 fi