intitial create
2xburnt committed Oct 2, 2024
1 parent 3823a9a commit 7875844
Showing 4 changed files with 25 additions and 285 deletions.
44 changes: 9 additions & 35 deletions .github/workflows/docker-build.yaml
Expand Up @@ -8,20 +8,12 @@ on:
env:
repo_names: |
ghcr.io/${{ github.repository }}
platforms: linux/amd64,linux/arm64

jobs:
build-images:
name: Build ${{ matrix.os }}/${{ matrix.arch }}
runs-on: ${{ format('burnt-labs-{0}', matrix.arch) }}

strategy:
fail-fast: false
matrix:
os:
- linux
arch:
- amd64
- arm64
build-docker-images:
name: Build Docker Images
runs-on: ubuntu-latest

permissions:
id-token: write
Expand All @@ -39,42 +31,24 @@ jobs:
uses: docker/setup-buildx-action@v3
with:
driver: docker
platforms: ${{ matrix.os }}/${{ matrix.arch }}

- name: Prepare environment
run: |
echo "TAG_VERSION=${GITHUB_SHA:0:7}" | tee -a $GITHUB_ENV
echo "CONTAINER=$(basename $(echo ${{ env.repo_names }} | head -n1 ))" | tee -a $GITHUB_ENV
echo "DOCKER_FN=$CONTAINER-${{ matrix.os }}-${{ matrix.arch }}.tar" | tee -a $GITHUB_ENV
platforms: ${{ env.platforms }}

- name: Metadata for container
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.repo_names }}
tags: |
type=sha
type=raw,value={{sha}}
type=semver,pattern={{version}},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
- name: Build Docker Image
id: build-docker
uses: docker/build-push-action@v5
with:
target: release
push: false
push: true
load: true
labels: ${{ steps.meta.outputs.labels }}
platforms: ${{ matrix.os }}/${{ matrix.arch }}
platforms: ${{ env.platforms }}
tags: ${{ steps.meta.outputs.tags }}

- name: Save Docker Image
working-directory: ${{ runner.temp }}
run: |
docker save ${{ steps.meta.outputs.tags }} > ${{ runner.temp }}/${DOCKER_FN}
- name: Upload Docker Image
uses: actions/upload-artifact@v4
with:
name: ${{ env.DOCKER_FN }}
path: ${{ runner.temp }}/${{ env.DOCKER_FN }}
if-no-files-found: error
retention-days: 3
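Review bot: `load: true` (kept as context in this hunk) combined with the new multi-value `platforms: ${{ env.platforms }}` is likely to fail: buildx cannot load a multi-platform manifest into the local daemon, and the `driver: docker` configured for setup-buildx does not build multi-platform images at all unless the daemon uses the containerd image store. `load: true` only existed to feed the `docker save` step this commit removes, so drop it and switch the builder to `driver: docker-container` (or keep a single platform). Note also that `push: true` is now unconditional within this hunk; whether the `on:` triggers and the `permissions:` block (both cut off above the hunk) restrict pushes and grant `packages: write` for ghcr.io cannot be seen here and should be confirmed.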
97 changes: 0 additions & 97 deletions .github/workflows/docker-push.yaml

This file was deleted.

19 changes: 7 additions & 12 deletions .github/workflows/docker-scout.yaml
Expand Up @@ -29,23 +29,18 @@ jobs:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}

- name: Download images
uses: actions/download-artifact@v4
- name: Metadata for container
id: meta
uses: docker/metadata-action@v5
with:
path: ${{ runner.temp }}
pattern: docker-${{ matrix.os }}-${{ matrix.arch }}.tar
merge-multiple: true

- name: Load images
working-directory: ${{ runner.temp }}
run: |
ls -la
docker load < ${{ env.DOCKER_FN }}
images: ${{ env.repo_names }}
tags: |
type=raw,value={{sha}}
- name: Run Docker Scout
uses: docker/scout-action@v1
with:
command: cves
only-fixed: true
platform: ${{ matrix.os }}/${{ matrix.arch }}
image: xion:${{ matrix.os }}-${{ matrix.arch }}
image: ${{ steps.meta.outputs.tags }}
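Review bot: Dropping the `platform:` input while the build workflow now produces a `linux/amd64,linux/arm64` manifest means `docker/scout-action` inspects only one platform of the multi-arch image, so CVEs in the other architecture's layers go unscanned; add `platform: linux/amd64` and a second entry (or a matrix) for `linux/arm64`. `image: ${{ steps.meta.outputs.tags }}` works only because `repo_names` and the `tags:` list each yield one line; a second repository or tag pattern would turn it into a newline-separated list the single `image` input cannot consume. Since the image is no longer loaded from an artifact, the scan depends on the tag already being pushed and pullable; if the ghcr.io package is private, the Docker Hub login visible at the top of the hunk will not grant access to it.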
150 changes: 9 additions & 141 deletions Dockerfile
Expand Up @@ -7,24 +7,12 @@ ARG ALPINE_VERSION="3.20"
# Builder
# --------------------------------------------------------

FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS builder
FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS release

# Always set by buildkit
ARG TARGETPLATFORM
ARG TARGETARCH
ARG TARGETOS
ARG XIOND_BINARY

# needed in makefile
ARG COMMIT
ARG VERSION

# Consume Args to env
ENV COMMIT=${COMMIT} \
VERSION=${VERSION} \
GOOS=${TARGETOS} \
GOARCH=${TARGETARCH} \
XIOND_BINARY=${XIOND_BINARY}

# Install dependencies
RUN set -eux; \
Expand All @@ -36,142 +24,22 @@ RUN set -eux; \
git

# Set the workdir
WORKDIR /go/src/github.com/burnt-labs/xion
WORKDIR /go/src/cosmossdk.io/tools/cosmovisor

# Download go dependencies
COPY go.mod go.sum ./
# install cosmovisor
RUN --mount=type=cache,target=/root/.cache/go-build \
--mount=type=cache,target=/root/pkg/mod \
set -eux; \
go install cosmossdk.io/tools/cosmovisor/cmd/cosmovisor@v1.5.0; \
go mod download
go install cosmossdk.io/tools/cosmovisor/cmd/cosmovisor@v1.5.0;

# Cosmwasm - Download correct libwasmvm version
RUN set -eux; \
WASMVM_REPO="github.com/CosmWasm/wasmvm"; \
WASMVM_MOD_VERSION="$(grep ${WASMVM_REPO} go.mod | cut -d ' ' -f 1)"; \
WASMVM_VERSION="$(go list -m ${WASMVM_MOD_VERSION} | cut -d ' ' -f 2)"; \
[ ${TARGETPLATFORM} = "linux/amd64" ] && LIBWASM="libwasmvm_muslc.x86_64.a"; \
[ ${TARGETPLATFORM} = "linux/arm64" ] && LIBWASM="libwasmvm_muslc.aarch64.a"; \
[ ${TARGETOS} = "darwin" ] && LIBWASM="libwasmvmstatic_darwin.a"; \
[ -z "$LIBWASM" ] && echo "Arch ${TARGETARCH} not recognized" && exit 1; \
wget "https://${WASMVM_REPO}/releases/download/${WASMVM_VERSION}/${LIBWASM}" -O "/lib/${LIBWASM}"; \
# verify checksum
EXPECTED=$(wget -q "https://${WASMVM_REPO}/releases/download/${WASMVM_VERSION}/checksums.txt" -O- | grep "${LIBWASM}" | awk '{print $1}'); \
sha256sum "/lib/${LIBWASM}" | grep "${EXPECTED}"; \
cp /lib/${LIBWASM} /lib/libwasmvm_muslc.a;

# Copy local files
COPY . .

# Build xiond binary
RUN --mount=type=cache,target=/root/.cache/go-build \
--mount=type=cache,target=/root/pkg/mod \
if [ -e "${XIOND_BINARY:-}" ]; then \
cp "${XIOND_BINARY}" /go/bin/xiond; \
else \
export CGO_ENABLED=1 LINK_STATICALLY=true BUILD_TAGS=muslc; \
make test-version; \
make install; \
fi

# --------------------------------------------------------
# Heighliner
# --------------------------------------------------------

# Build final image from scratch
FROM scratch AS heighliner

WORKDIR /bin
ENV PATH=/bin

# Install busybox
COPY --from=busybox:1.36-musl /bin/busybox /bin/busybox

# users and group
COPY --from=busybox:1.36-musl /etc/passwd /etc/group /etc/

# Install trusted CA certificates
COPY --from=builder /etc/ssl/cert.pem /etc/ssl/cert.pem

# Install xiond
COPY --from=builder /go/bin/xiond /bin/xiond

# Install jq
COPY --from=ghcr.io/strangelove-ventures/infra-toolkit:v0.1.4 /usr/local/bin/jq /bin/jq

# link shell
RUN ["busybox", "ln", "/bin/busybox", "sh"]

# Add hard links for read-only utils
# Will then only have one copy of the busybox minimal binary file with all utils pointing to the same underlying inode
RUN set -eux; \
for bin in \
cat \
date \
df \
du \
env \
grep \
head \
less \
ls \
md5sum \
pwd \
sha1sum \
sha256sum \
sha3sum \
sha512sum \
sleep \
stty \
tail \
tar \
tee \
tr \
watch \
which \
; do busybox ln /bin/busybox $bin; \
for LIBWASM in "libwasmvm_muslc.x86_64.a" "libwasmvm_muslc.aarch64.a" "libwasmvmstatic_darwin.a"; \
wget "https://${WASMVM_REPO}/releases/download/${WASMVM_VERSION}/${LIBWASM}" -O "/lib/${LIBWASM}"; \
# verify checksum
EXPECTED=$(wget -q "https://${WASMVM_REPO}/releases/download/${WASMVM_VERSION}/checksums.txt" -O- | grep "${LIBWASM}" | awk '{print $1}'); \
sha256sum "/lib/${LIBWASM}" | grep "${EXPECTED}"; \
done;

RUN set -eux; \
busybox mkdir -p /tmp /home/heighliner; \
busybox addgroup --gid 1025 -S heighliner; \
busybox adduser --uid 1025 -h /home/heighliner -S heighliner -G heighliner; \
busybox chown 1025:1025 /tmp /home/heighliner; \
busybox unlink busybox;

WORKDIR /home/heighliner
USER heighliner

# --------------------------------------------------------
# Runner
# --------------------------------------------------------

FROM alpine:${ALPINE_VERSION} AS release
COPY --from=builder /go/bin/xiond /usr/bin/xiond
COPY --from=builder /go/bin/cosmovisor /usr/bin/cosmovisor

# api
EXPOSE 1317
# grpc
EXPOSE 9090
# p2p
EXPOSE 26656
# rpc
EXPOSE 26657
# prometheus
EXPOSE 26660

RUN set -euxo pipefail; \
apk add --no-cache bash openssl curl htop jq lz4 tini; \
addgroup --gid 1000 -S xiond; \
adduser --uid 1000 -S xiond \
--disabled-password \
--gecos xiond \
--ingroup xiond; \
mkdir -p /home/xiond; \
chown -R xiond:xiond /home/xiond

USER xiond:xiond
WORKDIR /home/xiond/.xiond
CMD ["/usr/bin/xiond"]
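Review bot: The new `for LIBWASM in … ; \` line has no `do` before the `wget` line that follows it, so `/bin/sh` rejects the whole `RUN` with a syntax error and the image never builds; the loop appears to belong to the `RUN set -eux` block that starts at `# Cosmwasm - Download correct libwasmvm version`, but that attachment is inferred from the rendered diff. While fixing it, harden the checksum step: if the `checksums.txt` fetch fails, `EXPECTED` is empty and `grep ""` matches any `sha256sum` output, so the verification passes vacuously; require a non-empty value and let `sha256sum -c` do the comparison. Separately, the stage renamed to `release` is now the full `golang:…-alpine` toolchain image, and on the new side there is no `USER`, `ENTRYPOINT` or `CMD` — the deleted runner stage had a dedicated `xiond` user — so if this tag is what gets published, it ships a compiler and git and runs as root; if a slim runtime stage is still intended it is missing from this commit. Also, the loop now fetches the darwin archive into a Linux image, which seems unneeded.
```dockerfile
RUN set -eux; \
    # … unchanged: WASMVM_REPO / WASMVM_MOD_VERSION / WASMVM_VERSION lookup …
    for LIBWASM in "libwasmvm_muslc.x86_64.a" "libwasmvm_muslc.aarch64.a" "libwasmvmstatic_darwin.a"; do \
      wget "https://${WASMVM_REPO}/releases/download/${WASMVM_VERSION}/${LIBWASM}" -O "/lib/${LIBWASM}"; \
      EXPECTED=$(wget -q "https://${WASMVM_REPO}/releases/download/${WASMVM_VERSION}/checksums.txt" -O- | grep "${LIBWASM}" | awk '{print $1}'); \
      [ -n "${EXPECTED}" ]; \
      echo "${EXPECTED}  /lib/${LIBWASM}" | sha256sum -c -; \
    done;
```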
