
Commit df298e7

committed
Remove gosu so that ports can bind
Remove gosu so that ports can be bound as root, with each process then switching to run as nbxyz
1 parent 2185293 commit df298e7


5 files changed

+54
-10
lines changed


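--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -15,13 +15,57 @@ jobs:
 with:
 fetch-depth: '0'
 
-- name: Build the Docker image
-run: docker build -t docker-netbootxyz:${{ github.sha }} .
+- name: Set up Docker Buildx
+uses: docker/setup-buildx-action@v3
+
+- name: Set up QEMU
+uses: docker/setup-qemu-action@v3
+
+- name: Login to the Docker Container Registry
+uses: docker/login-action@v3
+with:
+username: ${{ secrets.DOCKERHUB_USER }}
+password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+- name: Login to the GitHub Container Registry
+uses: docker/login-action@v3
+with:
+registry: ghcr.io
+username: ${{ secrets.GHCR_USER }}
+password: ${{ secrets.GHCR_TOKEN }}
+
+- name: Get latest Webapp release version
+run: |
+WEBAPP_RELEASE=$(curl -sX GET "https://api.github.com/repos/netbootxyz/webapp/releases/latest" | jq -r '. | .tag_name')
+echo "WEBAPP_RELEASE=${WEBAPP_RELEASE}" >> $GITHUB_ENV
+
+- name: Build and push PR test image
+uses: docker/build-push-action@v6
+with:
+push: true
+context: .
+file: ./Dockerfile
+platforms: linux/amd64,linux/arm64
+build-args: |
+WEBAPP_VERSION=${{ env.WEBAPP_RELEASE }}
+VERSION=pr-${{ github.event.number }}
+BUILD_DATE=$(date +'%Y-%m-%dT%H:%M:%S')
+tags: |
+netbootxyz/netbootxyz:pr-${{ github.event.number }}
+netbootxyz/netbootxyz:pr-${{ github.event.number }}-${{ github.sha }}
+ghcr.io/netbootxyz/netbootxyz:pr-${{ github.event.number }}
+ghcr.io/netbootxyz/netbootxyz:pr-${{ github.event.number }}-${{ github.sha }}
+labels: |
+org.opencontainers.image.title=netbootxyz
+org.opencontainers.image.description=netboot.xyz PR test image
+org.opencontainers.image.version=pr-${{ github.event.number }}
+org.opencontainers.image.revision=${{ github.sha }}
+org.opencontainers.image.source=https://github.com/netbootxyz/docker-netbootxyz
 
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@0.31.0
 with:
-image-ref: 'docker-netbootxyz:${{ github.sha }}'
+image-ref: 'ghcr.io/netbootxyz/netbootxyz:pr-${{ github.event.number }}'
 format: 'table'
 exit-code: '1'
 ignore-unfixed: true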
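Review bot: The `Build and push PR test image` step publishes to both registries with `push: true` before the Trivy step scans the image, so `exit-code: '1'` now fails the job only after a possibly vulnerable image is already live under the `pr-<n>` tags. Consider building to a local tag first (a single-platform build with `load: true`), scanning that, and pushing only when the scan passes, or pushing to a staging tag that is retagged after the scan. Separately, `BUILD_DATE=$(date +'%Y-%m-%dT%H:%M:%S')` under `build-args: |` is not evaluated by a shell, so the literal `$(date ...)` text is what reaches the Dockerfile; compute it in the preceding `run: |` step with `echo "BUILD_DATE=$(date +'%Y-%m-%dT%H:%M:%S')" >> "$GITHUB_ENV"` and pass `BUILD_DATE=${{ env.BUILD_DATE }}`. The actions are pinned by mutable tag (`@v3`, `@v6`) rather than commit SHA, and the `curl ... | jq` fetch has no `-f` or `set -euo pipefail`, so an API failure silently yields `WEBAPP_VERSION=null`. The workflow trigger is outside the hunk; since registry secrets are used with `push: true`, it should be confirmed that the job does not run on `pull_request_target` for fork PRs.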

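--- a/Dockerfile
+++ b/Dockerfile
@@ -67,8 +67,6 @@ RUN apk add --no-cache \
 sudo \
 supervisor \
 syslog-ng \
-# Security tools
-gosu \
 # Runtime libraries
 nghttp2-dev \
 # Create required directories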

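--- a/root/etc/supervisor.conf
+++ b/root/etc/supervisor.conf
@@ -6,17 +6,19 @@ logfile=/tmp/supervisord.log
 pidfile=/run/supervisord.pid
 
 [program:nginx]
-command = gosu nbxyz /usr/sbin/nginx -c /config/nginx/nginx.conf
+command = /usr/sbin/nginx -c /config/nginx/nginx.conf
 startretries = 2
 daemon=off
+user=nbxyz
 priority = 2
 stdout_logfile=/dev/null
 stderr_logfile=/dev/null
 
 [program:webapp]
 environment=NODE_ENV="production",PORT=%(ENV_WEB_APP_PORT)s
-command=gosu nbxyz /usr/bin/node app.js
+command=/usr/bin/node app.js
 directory=/app
+user=nbxyz
 priority = 3
 stdout_logfile=/dev/null
 stderr_logfile=/dev/null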
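Review bot: `user=nbxyz` on the new lines 12 and 21 makes supervisord setuid to nbxyz before it execs the command, so nginx and node still start unprivileged exactly as they did under `gosu nbxyz`; this does not let either program bind a port below 1024, which the commit message gives as the motivation. If nginx listens on a privileged port in `/config/nginx/nginx.conf` (not visible here), the usual pattern is to let supervisord start the nginx master as root and put `user nbxyz;` in nginx.conf so only the workers drop privileges; for the node webapp the equivalent is a port of 1024 or higher or `cap_net_bind_service` granted on the binary at build time. If both already listen on unprivileged ports, this hunk is behaviour-preserving and only removes the gosu dependency, which would be worth stating in a comment above each `user=nbxyz` line, e.g. `; supervisord switches to nbxyz before exec; the program never runs as root`.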

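--- a/root/start.sh
+++ b/root/start.sh
@@ -16,6 +16,6 @@ echo "https://opencollective.com/netbootxyz"
 echo "https://github.com/sponsors/netbootxyz"
 echo
 
-# Run supervisord as root (it will use gosu for individual programs)
+# Run supervisord as root
 echo "[start] Starting supervisord (programs will run as nbxyz)"
 exec supervisord -c /etc/supervisor.conf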

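--- a/root/usr/local/bin/dnsmasq-wrapper.sh
+++ b/root/usr/local/bin/dnsmasq-wrapper.sh
@@ -6,5 +6,5 @@ echo "[dnsmasq] TFTP root: /config/menus"
 echo "[dnsmasq] TFTP security: enabled"
 echo "[dnsmasq] Logging: enabled (dhcp and queries)"
 
-# Start dnsmasq via gosu with logging to stderr (which supervisord can capture)
-exec gosu nbxyz /usr/sbin/dnsmasq --port=0 --keep-in-foreground --enable-tftp --user=nbxyz --tftp-secure --tftp-root=/config/menus --log-facility=- --log-dhcp --log-queries "$@"
+# Start dnsmasq as root to bind to port 69, then drop privileges to nbxyz
+exec /usr/sbin/dnsmasq --port=0 --keep-in-foreground --enable-tftp --user=nbxyz --tftp-secure --tftp-root=/config/menus --log-facility=- --log-dhcp --log-queries "$@"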
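Review bot: The new `exec` line relies on dnsmasq's own `--user=nbxyz` to drop root after binding port 69, which only works if the wrapper is actually started as root; the `[program:dnsmasq]` entry in supervisor.conf is outside this diff, and since this commit adds `user=nbxyz` to the nginx and webapp entries it should be confirmed that the dnsmasq entry does not carry `user=` as well, because that would make the bind fail and the `--user` switch a no-op. That dependency is worth recording in the comment on line 9, e.g. `# Must be started as root by supervisord (no user= in its program section); dnsmasq drops to nbxyz itself after binding port 69`. If only TFTP is needed here, granting the dnsmasq binary `cap_net_bind_service` at image build time would let it run as nbxyz from the start with no root window at all; whether DHCP is also served, which would need further capabilities, cannot be told from this hunk.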
