cleanup Dockerfile and configure hadolint

.github/workflows/build.yml

@@ -41,6 +41,11 @@ jobs:
     - name: Git Checkout
       uses: actions/checkout@v3 #https://github.com/actions/checkout
 
+    - name: Check Dockerfile
+      uses: hadolint/hadolint-action@v3.1.0
+      with:
+        dockerfile: image/Dockerfile
+
     - name: Cache trivy cache
       uses: actions/cache@v3
       with:

image/Dockerfile

@@ -11,13 +11,17 @@
 # https://hub.docker.com/_/debian?tab=tags&name=bullseye-slim
 ARG BASE_IMAGE=debian:bullseye-slim
 
+# see https://github.com/hadolint/hadolint/wiki/DL3006
+# hadolint ignore=DL3006
 FROM ${BASE_IMAGE}
 
 LABEL maintainer="Vegard IT GmbH (vegardit.com)"
 
+# see https://github.com/hadolint/hadolint/wiki/DL3002
+# hadolint ignore=DL3002
 USER root
 
-SHELL ["/bin/bash", "-c"]
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 
 ARG DEBIAN_FRONTEND=noninteractive
 ARG LC_ALL=C
@@ -29,47 +33,55 @@ ARG INSTALL_SUPPORT_TOOLS=0
 ARG PQCHECKER_URL=https://github.com/pqchecker/pqchecker-binaries/raw/main/deb/8/pqchecker_2.0.0_amd64.deb
 ARG PQCHECKER_MD5=c005ce596e97d13e39485e711dcbc7e1
 
-RUN --mount=type=bind,source=.shared,target=/mnt/shared \
-  set -eu && \
-  /mnt/shared/cmd/debian-install-os-updates.sh && \
-  /mnt/shared/cmd/debian-install-support-tools.sh && \
-  #
-  echo "#################################################" && \
-  echo "Installing tini..." && \
-  echo "#################################################" && \
-  apt-get install --no-install-recommends -y tini && \
-  #
-  echo "#################################################" && \
-  echo "Installing slapd..." && \
-  echo "#################################################" && \
-  echo 'slapd slapd/root_password password whatever' | debconf-set-selections && \
-  echo 'slapd slapd/root_password_again password whatever' | debconf-set-selections && \
-  apt-get install --no-install-recommends -y slapd ldap-utils && \
-  echo "OpenLDAP $(apt-cache show slapd | grep Version)" >> /opt/build_info && \
+# see https://github.com/hadolint/hadolint/wiki/DL3008
+# hadolint ignore=DL3008,SC2016
+RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
+
+  /mnt/shared/cmd/debian-install-os-updates.sh
+  /mnt/shared/cmd/debian-install-support-tools.sh
+
+  function curl() {
+    command curl -sSfL --connect-timeout 10 --max-time 30 --retry 3 --retry-all-errors "$@"
+  }
+
+  echo "#################################################"
+  echo "Installing tini..."
+  echo "#################################################"
+  apt-get install --no-install-recommends -y tini
+
+  echo "#################################################"
+  echo "Installing slapd..."
+  echo "#################################################"
+  echo 'slapd slapd/root_password password whatever' | debconf-set-selections
+  echo 'slapd slapd/root_password_again password whatever' | debconf-set-selections
+  apt-get install --no-install-recommends -y slapd ldap-utils
+  echo "OpenLDAP $(apt-cache show slapd | grep Version)" >> /opt/build_info
   # workaround for 'service slapd stop' not working, see https://stackoverflow.com/a/58792698/5116073
-  sed -i 's/--exec $SLAPD 2/--name slapd 2/' /etc/init.d/slapd && \
-  #
-  echo "#################################################" && \
-  echo "Installing pqChecker password quality checker module..." && \
-  echo "#################################################" && \
+  sed -i 's/--exec $SLAPD 2/--name slapd 2/' /etc/init.d/slapd
+
+  echo "#################################################"
+  echo "Installing pqChecker password quality checker module..."
+  echo "#################################################"
   # https://www.meddeb.net/pqchecker/
-  apt-get install --no-install-recommends -y curl && \
-  curl -k -o /tmp/pqchecker.deb -SL "${PQCHECKER_URL}" && \
-  echo "${PQCHECKER_MD5} /tmp/pqchecker.deb" | md5sum -c - && \
-  dpkg -i /tmp/pqchecker.deb && \
-  rm /tmp/pqchecker.deb && \
-  apt-get remove --auto-remove -y curl && \
-  #
-  echo "#################################################" && \
-  echo "Moving config and data directories..." && \
-  echo "#################################################" && \
-  mv /etc/ldap/slapd.d /etc/ldap/slapd.d_orig && \
-  mkdir /etc/ldap/slapd.d && \
-  mv /var/lib/ldap /var/lib/ldap_orig && \
-  mkdir /var/lib/ldap && \
-  #
+  apt-get install --no-install-recommends -y curl
+  curl -k -o /tmp/pqchecker.deb -SL "${PQCHECKER_URL}"
+  echo "${PQCHECKER_MD5} /tmp/pqchecker.deb" | md5sum -c -
+  dpkg -i /tmp/pqchecker.deb
+  rm /tmp/pqchecker.deb
+  apt-get remove --auto-remove -y curl
+
+  echo "#################################################"
+  echo "Moving config and data directories..."
+  echo "#################################################"
+  mv /etc/ldap/slapd.d /etc/ldap/slapd.d_orig
+  mkdir /etc/ldap/slapd.d
+  mv /var/lib/ldap /var/lib/ldap_orig
+  mkdir /var/lib/ldap
+
   /mnt/shared/cmd/debian-cleanup.sh
 
+EOF
+
 ARG BUILD_DATE
 ARG GIT_BRANCH
 ARG GIT_COMMIT_HASH
@@ -83,6 +95,8 @@ LABEL \
   org.label-schema.vcs-url=$GIT_REPO_URL
 
 # Default configuration: can be overridden at the docker command line
+# see https://github.com/hadolint/hadolint/wiki/DL3044
+# hadolint ignore=DL3044
 ENV \
   INIT_SH_FILE='' \
   #
@@ -107,15 +121,20 @@ ENV \
   LDAP_OPENLDAP_UID='' \
   LDAP_OPENLDAP_GID=''
 
-RUN \
-  set -eu && \
-  echo -e "\
-GIT_REPO:    $GIT_REPO_URL\n\
-GIT_BRANCH:  $GIT_BRANCH\n\
-GIT_COMMIT:  $GIT_COMMIT_HASH @ $GIT_COMMIT_DATE\n\
-IMAGE_BUILD: $BUILD_DATE\n" >/opt/build_info && \
+RUN <<EOF
+
+  echo "#################################################"
+  echo "Writing build_info..."
+  echo "#################################################"
+  echo "
+GIT_REPO:    $GIT_REPO_URL
+GIT_BRANCH:  $GIT_BRANCH
+GIT_COMMIT:  $GIT_COMMIT_HASH @ $GIT_COMMIT_DATE
+IMAGE_BUILD: $BUILD_DATE" >/opt/build_info
   cat /opt/build_info
 
+EOF
+
 COPY image/ldifs /opt/ldifs
 COPY image/run.sh /opt/run.sh
 COPY .shared/lib/bash-init.sh /opt/bash-init.sh