diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2b16e66..65ef6fc 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,6 +12,11 @@ jobs:
       - name: Check out code
         uses: actions/checkout@v2
 
+      - uses: gacts/github-slug@v1
+        id: slug
+
+      - uses: docker/setup-buildx-action@v1
+
       - name: Login to default Container Registry
         uses: docker/login-action@v1 # Action page:
         with:
@@ -25,21 +30,13 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GHCR_PASSWORD }}
 
-      - name: Generate image tag value
-        id: tag
-        run: echo "::set-output name=value::`echo ${GITHUB_REF##*/} | sed -e 's/^[vV ]*//'`" # `/refs/tags/v1.2.3` -> `1.2.3`
-
-      - name: Build image
-        run: |
-          docker build \
-            --tag "tarampampam/3proxy:${{ steps.tag.outputs.value }}" \
-            --tag "tarampampam/3proxy:latest" \
-            --tag "ghcr.io/${{ github.actor }}/3proxy:${{ steps.tag.outputs.value }}" \
-            --tag "ghcr.io/${{ github.actor }}/3proxy:latest" \
-            -f ./Dockerfile .
-
-      - name: Push into default registry
-        run: docker push "tarampampam/3proxy:${{ steps.tag.outputs.value }}" && docker push "tarampampam/3proxy:latest"
-
-      - name: Push into ghcr.io
-        run: docker push "ghcr.io/tarampampam/3proxy:${{ steps.tag.outputs.value }}" && docker push "ghcr.io/tarampampam/3proxy:latest"
+      - uses: docker/build-push-action@v2 # Action page:
+        with:
+          context: .
+          file: Dockerfile
+          push: true
+          tags: |
+            tarampampam/3proxy:${{ steps.slug.outputs.version-semantic }}
+            tarampampam/3proxy:latest
+            ghcr.io/${{ github.actor }}/${{ github.event.repository.name }}:${{ steps.slug.outputs.version-semantic }}
+            ghcr.io/${{ github.actor }}/${{ github.event.repository.name }}:latest
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index b36bc3a..4c90589 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
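Review bot: The two new `uses:` lines, `gacts/github-slug@v1` and `docker/setup-buildx-action@v1`, reference third-party actions by mutable major-version tags, so the code that runs inside the release job changes whenever those tags are re-pointed upstream, with no change visible in this repository. Pin each reference to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: gacts/github-slug@<full-commit-sha> # v1`, and let Dependabot or a similar bot move the SHA. The same applies to `docker/build-push-action@v2` in the next hunk and to `zricethezav/gitleaks-action@v1.6.0` and `anchore/scan-action@v3` in tests.yml; a version tag such as `v1.6.0` is still a tag and can be moved just like `v1`.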
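Review bot: The two ghcr.io entries under `tags: |` build the registry namespace from `${{ github.actor }}`, so the publish target follows whoever triggered the run rather than the repository owner, whereas the removed push step used the fixed `ghcr.io/tarampampam/3proxy` name. The context lines above show the ghcr.io login also uses `username: ${{ github.actor }}` with the repository-level `GHCR_PASSWORD`, so a release started by another collaborator would pair that secret with a different username and, if it succeeded, push the image into that user's namespace. Use the owner instead: `ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:${{ steps.slug.outputs.version-semantic }}` and `ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:latest`, and consider the same for the login username. Note that with `push: true` this single step builds and publishes in one go, so there is no point at which the built image could be inspected before it becomes public.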
@@ -2,13 +2,23 @@ name: tests
 on:
   push:
-    branches:
-      - master
-    tags-ignore:
-      - '**'
-  pull_request:
+    branches: [master, main]
+    tags-ignore: ['**']
+  pull_request: {}
 
 jobs: # Docs:
 
+  gitleaks:
+    name: Gitleaks
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Check for GitLeaks
+        uses: zricethezav/gitleaks-action@v1.6.0 # Action page:
+
   build-image:
     name: Build docker image
     runs-on: ubuntu-20.04
@@ -36,6 +46,28 @@ jobs: # Docs:
           path: ./docker-image.tar
           retention-days: 1
 
+  scan-image:
+    name: Scan docker image
+    runs-on: ubuntu-20.04
+    needs: [build-image]
+    steps:
+      - name: Download built docker image
+        uses: actions/download-artifact@v2
+        with:
+          name: docker-image
+          path: .artifact
+
+      - name: Prepare image to run
+        working-directory: .artifact
+        run: docker load < docker-image.tar
+
+      - name: Scan image
+        uses: anchore/scan-action@v3 # action page:
+        with:
+          image: 3proxy:local
+          fail-build: true
+          severity-cutoff: low # negligible, low, medium, high or critical
+
   try-to-use:
     name: Build and use docker image (auth ${{ matrix.auth }})
     runs-on: ubuntu-20.04
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c923144..e2aad69 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,16 @@ All notable changes to this package will be documented in this file.
 
 The format is based on [Keep a Changelog][keepachangelog] and this project adheres to [Semantic Versioning][semver].
 
+## v1.5.0
+
+### Fixed
+
+- Docker image building optimized
+
+### Added
+
+- Healthcheck in the dockerfile
+
 ## v1.4.0
 
 ### Changed
diff --git a/Dockerfile b/Dockerfile
index 0b199c3..f0c0d79 100644
--- a/Dockerfile
+++ b/Dockerfile
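Review bot: The new `gitleaks` job hands its default `GITHUB_TOKEN` to two third-party actions, and on repositories that have not reduced the default that token carries write scopes a secret scanner never needs; add a job-level `permissions: {contents: read}` under `runs-on: ubuntu-20.04` (the file already uses flow mappings for small values, see `pull_request: {}`) so the token is read-only. `fetch-depth: 0` on the checkout is the right setting here because the scanner needs the full history to catch secrets that were committed and later removed, but that reason is not obvious to a reader who wants a faster checkout, so a comment such as `# full history: gitleaks scans every commit, not just HEAD` above it would prevent a later "optimisation" from silently weakening the scan.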
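Review bot: The `scan-image` job gates only this workflow; the release workflow in the same diff builds and pushes in one `docker/build-push-action` step with `push: true` and never runs this scan, so the image that is actually published can carry exactly the findings this job would reject. Mirror the step in release.yml: build once with `load: true` and a local tag instead of `push: true`, run `anchore/scan-action@v3` with the same `fail-build` and `severity-cutoff` inputs against it, and push only afterwards (or make the release job depend on this workflow passing). `image: 3proxy:local` presumes the `build-image` job tags the archived image that way; its steps lie outside this hunk, so that is inferred. With `fail-build: true` and `severity-cutoff: low`, any low-severity finding in the busybox base will block the pipeline, which may be the intended policy but deserves a comment next to `severity-cutoff` saying so, otherwise the first unrelated red build will be "fixed" by raising the cutoff.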
@@ -36,37 +36,27 @@ RUN set -x \
 # Prepare filesystem for 3proxy running
 FROM busybox:1.34.0-glibc as buffer
 
+# create a directory for the future root filesystem
+WORKDIR /tmp/rootfs
+
+# prepare the root filesystem
+RUN set -x \
+    && mkdir -p ./etc ./bin ./usr/local/3proxy/libexec ./etc/3proxy \
+    && echo '3proxy:x:10001:10001::/nonexistent:/sbin/nologin' > ./etc/passwd \
+    && echo '3proxy:x:10001:' > ./etc/group \
+    && wget -O ./bin/dumb-init "https://github.com/Yelp/dumb-init/releases/download/v1.2.5/dumb-init_1.2.5_x86_64" \
+    && chmod +x ./bin/dumb-init
+
 # Copy binaries
-COPY --from=builder /lib/x86_64-linux-gnu/libdl.so.* /lib/
-COPY --from=builder /tmp/3proxy/bin/3proxy /bin/
-COPY --from=builder /tmp/3proxy/bin/*.ld.so /usr/local/3proxy/libexec/
+COPY --from=builder /lib/x86_64-linux-gnu/libdl.so.* ./lib/
+COPY --from=builder /tmp/3proxy/bin/3proxy ./bin/3proxy
+COPY --from=builder /tmp/3proxy/bin/*.ld.so ./usr/local/3proxy/libexec/
+COPY 3proxy.cfg ./etc/3proxy/3proxy.cfg
+COPY docker-entrypoint.sh ./docker-entrypoint.sh
 
-# Create unprivileged user
-RUN set -x \
-    && adduser \
-        --disabled-password \
-        --gecos "" \
-        --home /nonexistent \
-        --shell /sbin/nologin \
-        --no-create-home \
-        --uid 10001 \
-        3proxy
+RUN chown -R 10001:10001 ./etc/3proxy
 
-# Prepare files and directories
-RUN set -x \
-    && chown -R 10001:10001 /usr/local/3proxy \
-    && chmod -R 550 /usr/local/3proxy \
-    && chmod -R 555 /usr/local/3proxy/libexec \
-    && chown -R root /usr/local/3proxy/libexec \
-    && mkdir /etc/3proxy \
-    && chown -R 10001:10001 /etc/3proxy
-
-# Copy our config and entrypoint script
-COPY 3proxy.cfg /etc/3proxy/3proxy.cfg
-COPY docker-entrypoint.sh /docker-entrypoint.sh
-
-# Split all buffered layers into one
-FROM scratch
+FROM busybox:1.34.0-glibc
 
 LABEL \
     org.opencontainers.image.title="3proxy" \
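Review bot: The `wget -O ./bin/dumb-init …` line in the new `RUN` block fetches a binary from GitHub and marks it executable without any integrity check, so the process that becomes PID 1 of every container is whatever that URL returned at build time. dumb-init publishes a checksum for each release asset; add `&& echo "<sha256 of dumb-init_1.2.5_x86_64>  ./bin/dumb-init" | sha256sum -c - \` directly after the `wget` line (busybox in this stage provides `sha256sum -c`), so a tampered or truncated download fails the build instead of shipping. Replacing `FROM scratch` with `FROM busybox:1.34.0-glibc` for the final stage also puts a shell and the whole busybox toolset into the published image, which widens what can be done after a compromise of the proxy process; if this was done only so the `netstat` healthcheck in the next hunk can run, a comment above that `FROM` stating the trade-off would stop it being reverted or extended unknowingly. The `./etc/passwd` and `./etc/group` written here presumably replace the base image's own files when the rootfs is copied over `/` in the next hunk, leaving only `3proxy` resolvable, which looks intended but deserves a one-line comment on the `echo` lines.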
@@ -77,11 +67,15 @@ LABEL \
     org.opencontainers.image.licenses="WTFPL"
 
 # Import from builder
-COPY --from=buffer / /
+COPY --from=buffer /tmp/rootfs /
 
 # Use an unprivileged user
 USER 3proxy:3proxy
 
-ENTRYPOINT ["/docker-entrypoint.sh"]
+# Docs:
+HEALTHCHECK --interval=5s --timeout=2s --retries=2 --start-period=2s CMD \
+    netstat -ltn | grep 3128 && netstat -ltn | grep 1080
 
-CMD ["/bin/3proxy", "/etc/3proxy/3proxy.cfg"]
+ENTRYPOINT ["/bin/dumb-init", "--"]
+
+CMD ["/docker-entrypoint.sh", "/bin/3proxy", "/etc/3proxy/3proxy.cfg"]
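Review bot: The `HEALTHCHECK` command `netstat -ltn | grep 3128 && netstat -ltn | grep 1080` matches any listening row whose text merely contains those digits (`:13128`, `:31280`, or the digits appearing in another column), so a mis-bound listener can still report healthy; anchor the match on the local-address column and drop the output, `netstat -ltn | grep -q ':3128 ' && netstat -ltn | grep -q ':1080 '`, which relies on netstat padding that column with spaces as its standard layout does. The probe runs as `3proxy` after `USER 3proxy:3proxy`, which should be fine for listing listening sockets, but the two port numbers duplicate whatever `/etc/3proxy/3proxy.cfg` declares, so a comment on the `# Docs:` line such as `# ports must match the listeners in 3proxy.cfg; this only checks the sockets are bound, not that the proxy answers` keeps them in step and states the probe's limit.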