refactor docker build for ariang and frp

leonismoe · Jan 20, 2024 · b47c8ed · b47c8ed
1 parent ebe7ebc
commit b47c8ed
Show file tree

Hide file tree

Showing 27 changed files with 377 additions and 670 deletions.
diff --git a/.editorconfig b/.editorconfig
@@ -23,6 +23,10 @@ trim_trailing_whitespace = false
 insert_final_newline = false
 trim_trailing_whitespace = false
 
+[*.{sh,c,h,cpp,hpp,go}]
+indent_size = 4
+tab_width = 4
+
 [_scripts/*]
 indent_size = 4
 tab_width = 4
diff --git a/.github/workflows/build-ariang.yml b/.github/workflows/build-ariang.yml
@@ -12,7 +12,6 @@ env:
   VERSION: ${{ github.event.inputs.version }}
   DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
 
-
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -24,6 +23,9 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v2
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       - name: Log into DockerHub
         if: ${{ github.event_name != 'pull_request' && github.actor == env.DOCKERHUB_USERNAME }}
         uses: docker/login-action@v1
@@ -39,40 +41,10 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build ariang
+      - name: Build docker image
         env:
           DOCKER_REPO: "${{ github.actor }}/ariang"
+          GHCR_REPO: "ghcr.io/${{ github.actor }}/ariang"
         working-directory: ariang
         run: |
-          ./hooks/build
-
-          export DOCKER_REPO="ghcr.io/$DOCKER_REPO"
-          ./hooks/build
-
-      - name: Extract version
-        working-directory: ariang
-        run: |
-          . .env.local
-          echo "VERSION=$VERSION" >> $GITHUB_ENV
-          echo "LATEST_VERSION=$LATEST_VERSION" >> $GITHUB_ENV
-
-      - name: Push to DockerHub
-        if: ${{ github.event_name != 'pull_request' && github.actor == env.DOCKERHUB_USERNAME }}
-        working-directory: ariang
-        run: |
-          export DOCKER_REPO="${{ github.actor }}/ariang"
-          ./hooks/push
-
-      - name: Push to GitHub Packages
-        if: ${{ github.event_name != 'pull_request' }}
-        working-directory: ariang
-        run: |
-          export DOCKER_REPO="ghcr.io/${{ github.actor }}/ariang"
-          ./hooks/push
-
-      - name: Cleanup
-        run: |
-          if [ ! -z "$(docker images -q -f 'reference=${{ github.actor }}/ariang*')" ]; then
-            docker rmi $(docker images -q -f 'reference=${{ github.actor }}/ariang*')
-          fi
-          docker image prune -f
+          ./build.sh
diff --git a/.github/workflows/build-frp.yml b/.github/workflows/build-frp.yml
@@ -12,18 +12,24 @@ env:
   VERSION: ${{ github.event.inputs.version }}
   DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
 
-
 jobs:
   build:
     runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
 
+    strategy:
+      matrix:
+        program: [frpc, frps]
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       - name: Log into DockerHub
         if: ${{ github.event_name != 'pull_request' && github.actor == env.DOCKERHUB_USERNAME }}
         uses: docker/login-action@v1
@@ -39,50 +45,11 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build frpc
-        env:
-          DOCKER_REPO: "${{ github.actor }}/frpc"
-        working-directory: frp/frpc
-        run: |
-          ../hooks/build
-
-          export DOCKER_REPO="ghcr.io/$DOCKER_REPO"
-          ../hooks/build
-
-      - name: Build frps
+      - name: Build
         env:
-          DOCKER_REPO: "${{ github.actor }}/frps"
-        working-directory: frp/frps
-        run: |
-          ../hooks/build
-
-          export DOCKER_REPO="ghcr.io/$DOCKER_REPO"
-          ../hooks/build
-
-      - name: Extract version
-        working-directory: frp/frps
-        run: |
-          . .env.local
-          echo "VERSION=$VERSION" >> $GITHUB_ENV
-          echo "LATEST_VERSION=$LATEST_VERSION" >> $GITHUB_ENV
-
-      - name: Push to DockerHub
-        if: ${{ github.event_name != 'pull_request' && github.actor == env.DOCKERHUB_USERNAME }}
+          DOCKER_REPO: "${{ github.actor }}/${{ matrix.program }}"
+          GHCR_REPO: "ghcr.io/${{ github.actor }}/${{ matrix.program }}"
+          PROGRAM: ${{ matrix.program }}
         working-directory: frp
         run: |
-          (cd frpc && export DOCKER_REPO="${{ github.actor }}/frpc" && ../hooks/push)
-          (cd frps && export DOCKER_REPO="${{ github.actor }}/frps" && ../hooks/push)
-
-      - name: Push to GitHub Packages
-        if: ${{ github.event_name != 'pull_request' }}
-        working-directory: frp
-        run: |
-          (cd frpc && export DOCKER_REPO="ghcr.io/${{ github.actor }}/frpc" && ../hooks/push)
-          (cd frps && export DOCKER_REPO="ghcr.io/${{ github.actor }}/frps" && ../hooks/push)
-
-      - name: Cleanup
-        run: |
-          if [ ! -z "$(docker images -q -f 'reference=${{ github.actor }}/frp*')" ]; then
-            docker rmi $(docker images -q -f 'reference=${{ github.actor }}/frp*')
-          fi
-          docker image prune -f
+          ./build.sh $PROGRAM
diff --git a/README.md b/README.md
@@ -1,2 +1,3 @@
 # Docker Images
+
 Just a set of docker build files, but they are too small to be in their own repository.
diff --git a/ariang/.env b/ariang/.env
diff --git a/ariang/Dockerfile b/ariang/Dockerfile
@@ -1,63 +1,110 @@
-FROM alpine AS prepare
-
-RUN set -xe \
-    && apk add --no-cache git make gcc libc-dev \
-    && mkdir /build \
-    && cd /build \
-    && git clone --depth=1 https://github.com/BR903/ELFkickers.git \
-    && cd ELFkickers \
-    && make PROGRAMS=sstrip \
-    && cp sstrip/sstrip /build \
-    && cd .. \
-    && rm -rf ELFkickers \
-    && apk del make gcc libc-dev
-
-WORKDIR /build
-ARG CHECKOUT_VERSION
-ARG NODE_VERSION=10.24.1
-
-RUN set -xe \
-    && apk add --no-cache curl xxd qpdf \
-    && curl -sSO https://unofficial-builds.nodejs.org/download/release/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64-musl.tar.xz \
-    && tar -Jxf node-v${NODE_VERSION}-linux-x64-musl.tar.xz \
-    && rm -f node-v${NODE_VERSION}-linux-x64-musl.tar.xz \
-    && export PATH=/build/node-v${NODE_VERSION}-linux-x64-musl/bin:$PATH \
-    && git clone https://github.com/mayswind/AriaNg.git \
-    && cd AriaNg \
-    && export LATEST_VERSION=`git tag --sort=v:refname | grep '^\d' | tail -n1` \
-    && export VERSION="${CHECKOUT_VERSION:-$LATEST_VERSION}" \
-    && echo VERSION=$VERSION > /build/.env \
-    && echo LATEST_VERSION=$LATEST_VERSION >> /build/.env \
-    && git checkout $VERSION \
-    && npm i \
-    && npx gulp build-bundle \
-    && cp dist/index.html /build/ \
-    && cd /build \
-    && rm -rf AriaNg node-v${NODE_VERSION}-linux-x64-musl \
-    && zlib-flate -compress=9 < index.html > index.html.deflate \
-    && xxd -i index.html.deflate > index_html_deflate.c \
-    && apk del curl xxd qpdf
-
-ARG MUSLCC_TARGET
-FROM muslcc/x86_64:${MUSLCC_TARGET} AS build
-
-COPY --from=prepare /build /build
-COPY httpd.c /build
-
-WORKDIR /build
-
-RUN set -xe \
-    && sed -i "s/\\\${CONTENT_LENGTH}/$(stat -c%s index.html.deflate)/" httpd.c \
-    && gcc -Os --static -s -fno-stack-protector -ffunction-sections -fdata-sections -Wl,--gc-sections httpd.c -o httpd \
-    && /build/sstrip httpd
+# syntax=docker/dockerfile:1
 
+FROM --platform=$BUILDPLATFORM node:lts AS build
+
+ARG GIT_BRANCH
+
+RUN <<EOF
+    set -ex
+    if [ ! -z "$NPM_REGISTRY" ]; then
+        npm config set registry $NPM_REGISTRY
+    fi
+
+    mkdir -p /build
+    cd /build
+    git clone --depth 1 --branch $GIT_BRANCH https://github.com/mayswind/AriaNg.git
+    cd AriaNg
+    npm install
+    npm run build
+EOF
+
+FROM --platform=$BUILDPLATFORM tonistiigi/xx AS xx
+
+FROM --platform=$BUILDPLATFORM alpine:edge AS xbuild
+
+COPY --from=xx / /
+
+RUN <<EOF
+    set -ex
+    if [ ! -z "$APK_MIRROR" ]; then
+        sed -i "s/dl-cdn.alpinelinux.org/$APK_MIRROR/g" /etc/apk/repositories
+    fi
+EOF
+
+RUN --mount=type=cache,target=/var/cache/apk,sharing=locked \
+    --mount=type=cache,target=/var/lib/apk,sharing=locked \
+    --mount=type=tmpfs,target=/var/cache \
+    --mount=type=tmpfs,target=/var/lock \
+    --mount=type=tmpfs,target=/var/log \
+    --mount=type=tmpfs,target=/var/tmp \
+    --mount=type=tmpfs,target=/tmp \
+    --mount=type=tmpfs,target=/run \
+    <<EOF
+    set -ex
+
+    apk add clang git libcap lld make
+EOF
+
+RUN <<EOF
+    set -ex
+
+    mkdir -p /build
+    cd /build
+    git clone --depth 1 https://github.com/BR903/ELFkickers.git
+    cd ELFkickers
+    make PROGRAMS=sstrip
+    cp sstrip/sstrip /usr/local/bin
+EOF
+
+RUN <<EOF
+    set -ex
+
+    mkdir -p /build
+    cd /build
+    git clone --depth 1 https://github.com/emikulic/darkhttpd.git
+EOF
+
+ARG TARGETPLATFORM
+
+RUN --mount=type=cache,target=/var/cache/apk,id=apk-cache-$TARGETARCH$TARGETVARIANT,sharing=locked \
+    --mount=type=cache,target=/var/lib/apk,id=apk-lib-$TARGETARCH$TARGETVARIANT,sharing=locked \
+    --mount=type=tmpfs,target=/var/cache \
+    --mount=type=tmpfs,target=/var/lock \
+    --mount=type=tmpfs,target=/var/log \
+    --mount=type=tmpfs,target=/var/tmp \
+    --mount=type=tmpfs,target=/tmp \
+    --mount=type=tmpfs,target=/run \
+    <<EOF
+    set -ex
+
+    xx-apk add gcc musl-dev
+EOF
+
+RUN <<EOF
+    set -ex
+
+    cd /build/darkhttpd
+    make darkhttpd-static CC=xx-clang CFLAGS='-Os -D_FORTIFY_SOURCE=2 -Dstrip=true -fstack-clash-protection -fstack-protector-strong -pipe -Wall -Wextra -Werror=format-security -Werror=implicit-function-declaration -Wl,-z,defs -Wl,-z,now -Wl,-z,relro -Wl,-z,noexecstack'
+    setcap cap_net_bind_service=+ep darkhttpd-static
+    sstrip darkhttpd-static || true
+    xx-verify darkhttpd-static
+
+    mkdir -p /build/root/etc
+    cp darkhttpd-static /build/root/darkhttpd
+    echo 'nobody:x:65534:65534:nobody:/www:/darkhttpd' > /build/root/etc/passwd
+    echo 'nobody:x:65534:' > /build/root/etc/group
+EOF
+
+COPY --from=build /build/AriaNg/dist /build/root/www
 
 FROM scratch
 
-COPY --from=build /build/httpd /ariang
+COPY --from=xbuild /build/root/ /
 
 ARG VERSION
 LABEL version=${VERSION}
 
 EXPOSE 8080
-CMD ["/ariang"]
+
+ENTRYPOINT ["/darkhttpd"]
+CMD ["/www", "--chroot", "--uid", "nobody", "--gid", "nobody", "--port", "8080"]
diff --git a/ariang/build.sh b/ariang/build.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+set -e
+
+DOCKER_REPO="${DOCKER_REPO:-leonismoe/ariang}"
+
+LATEST=0
+
+if [ -z "$VERSION" ]; then
+    GIT_BRANCH="$(curl -fsSL https://github.com/mayswind/AriaNg/releases.atom | grep -oE 'releases/tag/[^"]+' | head -n1 | cut -d/ -f3)"
+    VERSION=${GIT_BRANCH#v}
+    LATEST=1
+else
+    GIT_BRANCH="$VERSION"
+fi
+
+docker buildx build --pull --push \
+    -t $DOCKER_REPO:$VERSION \
+    --platform linux/amd64,linux/arm64/v8,linux/arm/v6,linux/arm/v7,linux/386,linux/ppc64le,linux/s390x,linux/riscv64 \
+    --build-arg VERSION=$VERSION \
+    --build-arg GIT_BRANCH=$GIT_BRANCH \
+    .
+
+if [ $LATEST -eq 1 ]; then
+    docker buildx imagetools create -t $DOCKER_REPO:latest $DOCKER_REPO:$VERSION
+fi
+
+if [ ! -z "$GHCR_REPO" ]; then
+    docker buildx imagetools create -t $GHCR_REPO:$VERSION $DOCKER_REPO:$VERSION
+    if [ $LATEST -eq 1 ]; then
+        docker buildx imagetools create -t $GHCR_REPO:latest $DOCKER_REPO:$VERSION
+    fi
+fi