SECURITY: base image updates
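# NAME: discourse/base
# VERSION: release
FROM debian:buster-slim

# PG_MAJOR selects the postgresql-* packages installed below.
# RUBY_ALLOCATOR points at the jemalloc library built from the 3.6.0 tarball
# further down (presumably the .so.1 soname of that release); the 5.2.0 build is
# installed alongside it with the "5.1.0" install suffix and is not the default.
ENV PG_MAJOR=10 \
    RUBY_ALLOCATOR=/usr/lib/libjemalloc.so.1 \
    RAILS_ENV=production

#LABEL maintainer="Sam Saffron \"https://twitter.com/samsaffron\""

# Build date stamp. The `date` output changes daily, so every layer after this
# one is rebuilt on a new day.
RUN echo 2.0.`date +%Y%m%d` > /VERSION

# apt-get (not apt) has a stable CLI for scripts. gnupg and curl are needed to
# fetch and dearmor the third-party repository key below; sudo is used for the
# per-user bundle install at the end of this file.
RUN apt-get update && apt-get install -y gnupg sudo curl
RUN echo "debconf debconf/frontend select Teletype" | debconf-set-selections
RUN apt-get update && apt-get -y install fping
# Optional build-time apt proxy: only configured when a host named "proxy"
# answers a ping. The config file is removed again further down, and "|| true"
# keeps the build going when there is no proxy.
RUN sh -c "fping proxy && echo 'Acquire { Retries \"0\"; HTTP { Proxy \"http://proxy:3128\";}; };' > /etc/apt/apt.conf.d/40proxy && apt-get update || true"
RUN apt-get -y install software-properties-common
RUN apt-mark hold initscripts
# Pull in the fixes published since the debian:buster-slim tag was built.
RUN apt-get -y upgrade

RUN apt-get install -y locales locales-all
ENV LC_ALL=en_US.UTF-8 \
    LANG=en_US.UTF-8 \
    LANGUAGE=en_US.UTF-8

# PGDG repository. The signing key is stored in its own keyring and bound to
# this one source with [signed-by=...] instead of being added to the global apt
# trust store through the deprecated apt-key. curl -f turns an HTTP error into a
# build failure instead of handing an error page to gpg.
RUN curl -fsSL https://apt.postgresql.org/pub/repos/apt/ACCC4CF8.asc -o /tmp/pgdg.asc &&\
    mkdir -p /usr/share/keyrings &&\
    gpg --dearmor -o /usr/share/keyrings/postgres.gpg /tmp/pgdg.asc &&\
    chmod 0644 /usr/share/keyrings/postgres.gpg &&\
    rm -f /tmp/pgdg.asc
RUN echo "deb [signed-by=/usr/share/keyrings/postgres.gpg] http://apt.postgresql.org/pub/repos/apt/ buster-pgdg main" | \
    tee /etc/apt/sources.list.d/postgres.list
# NodeSource setup script. It is downloaded to a file first so that a failed
# download (curl -f) stops the build; piping curl into bash under /bin/sh had no
# pipefail, so a download error left an empty script, exit status 0, and a
# later "apt-get install nodejs" silently pulling Debian's nodejs instead.
# The script itself is still executed unverified — no checksum is recorded
# here to check it against. RUN already executes as root, so no sudo.
RUN curl -fsSL https://deb.nodesource.com/setup_10.x -o /tmp/nodesource_setup.sh &&\
    bash /tmp/nodesource_setup.sh &&\
    rm -f /tmp/nodesource_setup.sh
RUN apt-get -y update
RUN apt-get -y install build-essential git wget rsync \
    libxslt-dev libcurl4-openssl-dev \
    libssl-dev libyaml-dev libtool \
    libxml2-dev gawk parallel \
    postgresql-${PG_MAJOR} postgresql-client-${PG_MAJOR} \
    postgresql-contrib-${PG_MAJOR} libpq-dev libreadline-dev \
    cron anacron \
    psmisc rsyslog vim whois brotli libunwind-dev \
    libtcmalloc-minimal4
# anacron and rsyslog are supervised by runit here (see /etc/service below):
# drop the upstart-style "start -q" from the anacron cron entry, and stop
# rsyslog loading imklog (presumably because the kernel log is not readable
# inside a container — confirm).
RUN sed -i -e 's/start -q anacron/anacron -s/' /etc/cron.d/anacron
RUN sed -i.bak 's/$ModLoad imklog/#$ModLoad imklog/' /etc/rsyslog.conf
# Replace upstart's initctl with /bin/true, presumably so package maintainer
# scripts that call it do not fail inside the build.
RUN dpkg-divert --local --rename --add /sbin/initctl
RUN sh -c "test -f /sbin/initctl || ln -s /bin/true /sbin/initctl"
# NOTE(review): openssh-server is installed but nothing in this file configures
# or starts it — confirm it is still needed in the base image.
RUN apt-get -y install openssh-server
RUN apt-get -y install runit socat &&\
    mkdir -p /etc/runit/1.d &&\
    apt-get clean &&\
    rm -f /etc/apt/apt.conf.d/40proxy &&\
    locale-gen en_US &&\
    apt-get install -y nodejs &&\
    npm install -g uglify-js@"<3" &&\
    npm install -g svgo

# Plain local files: COPY, not ADD (ADD would also auto-extract archives and
# fetch URLs, neither of which is wanted here).
COPY install-nginx /tmp/install-nginx
RUN /tmp/install-nginx

RUN apt-get -y install advancecomp jhead jpegoptim libjpeg-turbo-progs optipng

# jemalloc 3.6.0, installed into /usr (this is the RUBY_ALLOCATOR library).
# NOTE(review): both jemalloc tarballs are fetched over HTTPS but not
# checksum-verified; record the release sha256 here and check it before
# extracting.
RUN mkdir /jemalloc-stable && cd /jemalloc-stable &&\
    wget https://github.com/jemalloc/jemalloc/releases/download/3.6.0/jemalloc-3.6.0.tar.bz2 &&\
    tar -xjf jemalloc-3.6.0.tar.bz2 && cd jemalloc-3.6.0 && ./configure --prefix=/usr && make && make install &&\
    cd / && rm -rf /jemalloc-stable

# jemalloc 5.2.0, library only, installed next to 3.6.0 under a "5.1.0" suffix.
RUN mkdir /jemalloc-new && cd /jemalloc-new &&\
    wget https://github.com/jemalloc/jemalloc/releases/download/5.2.0/jemalloc-5.2.0.tar.bz2 &&\
    tar -xjf jemalloc-5.2.0.tar.bz2 && cd jemalloc-5.2.0 && ./configure --prefix=/usr --with-install-suffix=5.1.0 && make build_lib && make install_lib &&\
    cd / && rm -rf /jemalloc-new

# Ruby 2.6.5 built into /usr/local via ruby-build.
# NOTE(review): ruby-build (here) and pups (below) are cloned from an unpinned
# default branch, so rebuilds are not reproducible; pin a tag or commit.
RUN echo 'gem: --no-document' >> /usr/local/etc/gemrc &&\
    mkdir /src && cd /src && git clone https://github.com/sstephenson/ruby-build.git &&\
    cd /src/ruby-build && ./install.sh &&\
    cd / && rm -rf /src/ruby-build && (ruby-build 2.6.5 /usr/local)

RUN gem update --system

RUN gem install bundler --force &&\
    rm -rf /usr/local/share/ri/2.6.5/system &&\
    cd / && git clone https://github.com/discourse/pups.git

COPY install-redis /tmp/install-redis
RUN /tmp/install-redis

COPY install-imagemagick /tmp/install-imagemagick
RUN /tmp/install-imagemagick

# Validate install
RUN ruby -Eutf-8 -e "v = \`convert -version\`; %w{png tiff jpeg freetype}.each { |f| unless v.include?(f); STDERR.puts('no ' + f + ' support in imagemagick'); exit(-1); end }"

COPY install-pngcrush /tmp/install-pngcrush
RUN /tmp/install-pngcrush

COPY install-gifsicle /tmp/install-gifsicle
RUN /tmp/install-gifsicle

COPY install-pngquant /tmp/install-pngquant
RUN /tmp/install-pngquant

# This tool allows us to disable huge page support for our current process
# since the flag is preserved through forks and execs it can be used on any
# process
COPY thpoff.c /src/thpoff.c
RUN gcc -o /usr/local/sbin/thpoff /src/thpoff.c && rm /src/thpoff.c

# clean up for docker squash
# NOTE(review): debian buster ships vim 8.1 (/usr/share/vim/vim81), so the
# vim74 paths below are most likely no-ops now — confirm and update.
# /root/.gnupg is whatever gpg --dearmor left behind when importing the PGDG key.
RUN rm -fr /usr/share/man &&\
    rm -fr /usr/share/doc &&\
    rm -fr /usr/share/vim/vim74/tutor &&\
    rm -fr /usr/share/vim/vim74/doc &&\
    rm -fr /usr/share/vim/vim74/lang &&\
    rm -fr /usr/local/share/doc &&\
    rm -fr /usr/local/share/ruby-build &&\
    rm -fr /root/.gem &&\
    rm -fr /root/.npm &&\
    rm -fr /root/.gnupg &&\
    rm -fr /tmp/* &&\
    rm -fr /usr/share/vim/vim74/spell/en*


# this can probably be done, but I worry that people changing PG locales will have issues
# cd /usr/share/locale && rm -fr `ls -d */ | grep -v en`

RUN mkdir -p /etc/runit/3.d

# runit boot/shutdown stages and the container entry script.
COPY runit-1 /etc/runit/1
COPY runit-1.d-cleanup-pids /etc/runit/1.d/cleanup-pids
COPY runit-1.d-anacron /etc/runit/1.d/anacron
COPY runit-1.d-00-fix-var-logs /etc/runit/1.d/00-fix-var-logs
COPY runit-2 /etc/runit/2
COPY runit-3 /etc/runit/3
COPY boot /sbin/boot

# runit-supervised services.
COPY cron /etc/service/cron/run
COPY rsyslog /etc/service/rsyslog/run
COPY cron.d_anacron /etc/cron.d/anacron

# Discourse specific bits: the checkout is owned by the unprivileged "discourse"
# user and gems are installed as that user; the maxminddb download and the
# vendor/bundle tmp cleanup still run as root.
RUN useradd discourse -s /bin/bash -m -U &&\
    mkdir -p /var/www &&\
    cd /var/www &&\
    git clone https://github.com/discourse/discourse.git &&\
    cd discourse &&\
    git remote set-branches --add origin tests-passed &&\
    chown -R discourse:discourse /var/www/discourse &&\
    cd /var/www/discourse &&\
    sudo -u discourse bundle install --deployment --jobs 4 --without test development &&\
    bundle exec rake maxminddb:get &&\
    find /var/www/discourse/vendor/bundle -name tmp -type d -exec rm -rf {} +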