diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0f0c40e..4184ed8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -41,6 +41,11 @@ jobs: - name: Git Checkout uses: actions/checkout@v3 #https://github.com/actions/checkout + - name: Check Dockerfile + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: image/Dockerfile + - name: Cache trivy cache uses: actions/cache@v3 with: diff --git a/image/Dockerfile b/image/Dockerfile index 1901e31..356f2c2 100644 --- a/image/Dockerfile +++ b/image/Dockerfile @@ -11,13 +11,17 @@ # https://hub.docker.com/_/debian?tab=tags&name=bullseye-slim ARG BASE_IMAGE=debian:bullseye-slim +# see https://github.com/hadolint/hadolint/wiki/DL3006 +# hadolint ignore=DL3006 FROM ${BASE_IMAGE} LABEL maintainer="Vegard IT GmbH (vegardit.com)" +# see https://github.com/hadolint/hadolint/wiki/DL3002 +# hadolint ignore=DL3002 USER root -SHELL ["/bin/bash", "-c"] +SHELL ["/bin/bash", "-euo", "pipefail", "-c"] ARG DEBIAN_FRONTEND=noninteractive ARG LC_ALL=C 
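Review bot: The new step `uses: hadolint/hadolint-action@v3.1.0` pins a third-party action to a mutable tag, so a moved or hijacked tag would run arbitrary code in this build job with the repository checked out. Pin to the full commit SHA of that release and keep the version as a trailing comment, e.g. `uses: hadolint/hadolint-action@<full-commit-sha-of-v3.1.0> # v3.1.0`; the existing `actions/checkout@v3` context line would benefit from the same treatment in a follow-up. Consider also whether the lint should gate the build explicitly (the action's failure-threshold default decides which severities fail the job), and record the intended threshold next to the step if the default is not what is wanted.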
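Review bot: The added `# hadolint ignore=DL3002` above `USER root` suppresses the last-user-is-root finding with only a wiki link, so a reader cannot tell whether running as root is a deliberate runtime decision or merely what the build needed. The ENV block later in the file declares `LDAP_OPENLDAP_UID` and `LDAP_OPENLDAP_GID`, which suggests the entrypoint changes ownership and drops privileges at start-up; if that is the case, say so beside the suppression, e.g. `# root is needed for start-up (data dir ownership); /opt/run.sh drops to LDAP_OPENLDAP_UID/GID` — confirm against run.sh before settling the wording. The `DL3006` suppression on `FROM ${BASE_IMAGE}` would likewise read better with a one-line reason (the tag is supplied via the BASE_IMAGE build arg) than the link alone. The `SHELL ["/bin/bash", "-euo", "pipefail", "-c"]` change is welcome; note that SHELL persists into images derived from this one, so downstream shell-form RUN lines inherit errexit/pipefail as well.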
@@ -29,47 +33,55 @@ ARG INSTALL_SUPPORT_TOOLS=0 ARG PQCHECKER_URL=https://github.com/pqchecker/pqchecker-binaries/raw/main/deb/8/pqchecker_2.0.0_amd64.deb ARG PQCHECKER_MD5=c005ce596e97d13e39485e711dcbc7e1 -RUN --mount=type=bind,source=.shared,target=/mnt/shared \ - set -eu && \ - /mnt/shared/cmd/debian-install-os-updates.sh && \ - /mnt/shared/cmd/debian-install-support-tools.sh && \ - # - echo "#################################################" && \ - echo "Installing tini..." && \ - echo "#################################################" && \ - apt-get install --no-install-recommends -y tini && \ - # - echo "#################################################" && \ - echo "Installing slapd..." && \ - echo "#################################################" && \ - echo 'slapd slapd/root_password password whatever' | debconf-set-selections && \ - echo 'slapd slapd/root_password_again password whatever' | debconf-set-selections && \ - apt-get install --no-install-recommends -y slapd ldap-utils && \ - echo "OpenLDAP $(apt-cache show slapd | grep Version)" >> /opt/build_info && \ +# see https://github.com/hadolint/hadolint/wiki/DL3008 +# hadolint ignore=DL3008,SC2016 +RUN --mount=type=bind,source=.shared,target=/mnt/shared <> /opt/build_info # workaround for 'service slapd stop' not working, see https://stackoverflow.com/a/58792698/5116073 - sed -i 's/--exec $SLAPD 2/--name slapd 2/' /etc/init.d/slapd && \ - # - echo "#################################################" && \ - echo "Installing pqChecker password quality checker module..." && \ - echo "#################################################" && \ + sed -i 's/--exec $SLAPD 2/--name slapd 2/' /etc/init.d/slapd + + echo "#################################################" + echo "Installing pqChecker password quality checker module..." 
+ echo "#################################################" # https://www.meddeb.net/pqchecker/ - apt-get install --no-install-recommends -y curl && \ - curl -k -o /tmp/pqchecker.deb -SL "${PQCHECKER_URL}" && \ - echo "${PQCHECKER_MD5} /tmp/pqchecker.deb" | md5sum -c - && \ - dpkg -i /tmp/pqchecker.deb && \ - rm /tmp/pqchecker.deb && \ - apt-get remove --auto-remove -y curl && \ - # - echo "#################################################" && \ - echo "Moving config and data directories..." && \ - echo "#################################################" && \ - mv /etc/ldap/slapd.d /etc/ldap/slapd.d_orig && \ - mkdir /etc/ldap/slapd.d && \ - mv /var/lib/ldap /var/lib/ldap_orig && \ - mkdir /var/lib/ldap && \ - # + apt-get install --no-install-recommends -y curl + curl -k -o /tmp/pqchecker.deb -SL "${PQCHECKER_URL}" + echo "${PQCHECKER_MD5} /tmp/pqchecker.deb" | md5sum -c - + dpkg -i /tmp/pqchecker.deb + rm /tmp/pqchecker.deb + apt-get remove --auto-remove -y curl + + echo "#################################################" + echo "Moving config and data directories..." + echo "#################################################" + mv /etc/ldap/slapd.d /etc/ldap/slapd.d_orig + mkdir /etc/ldap/slapd.d + mv /var/lib/ldap /var/lib/ldap_orig + mkdir /var/lib/ldap + /mnt/shared/cmd/debian-cleanup.sh +EOF + ARG BUILD_DATE ARG GIT_BRANCH ARG GIT_COMMIT_HASH @@ -83,6 +95,8 @@ LABEL \ org.label-schema.vcs-url=$GIT_REPO_URL # Default configuration: can be overridden at the docker command line +# see https://github.com/hadolint/hadolint/wiki/DL3044 +# hadolint ignore=DL3044 ENV \ INIT_SH_FILE='' \ # 
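Review bot: The pqChecker download carried into the new heredoc still reads `curl -k -o /tmp/pqchecker.deb -SL "${PQCHECKER_URL}"`, so TLS certificate verification is disabled and the only integrity check is the MD5 comparison against `PQCHECKER_MD5`; the rewrite is a good moment to tighten both, since the download happens over the network during the build. Install the CA bundle with the fetch tool and drop `-k` (adding `-f` so an HTTP error page is not saved as the package): `apt-get install --no-install-recommends -y ca-certificates curl` and `curl -fsSL -o /tmp/pqchecker.deb "${PQCHECKER_URL}"`, then remove `curl` as today. Replace the MD5 check with a SHA-256 one, `echo "${PQCHECKER_SHA256}  /tmp/pqchecker.deb" | sha256sum -c -`, backed by a new `ARG PQCHECKER_SHA256=<sha256 of the pinned .deb>` next to the existing `PQCHECKER_URL` arg. The heredoc body is garbled in this rendering (the `<<EOF` marker and the `>> /opt/build_info` append are partly swallowed), so verify the exact lines in the file before editing.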
@@ -107,15 +121,20 @@ ENV \ LDAP_OPENLDAP_UID='' \ LDAP_OPENLDAP_GID='' -RUN \ - set -eu && \ - echo -e "\ -GIT_REPO: $GIT_REPO_URL\n\ -GIT_BRANCH: $GIT_BRANCH\n\ -GIT_COMMIT: $GIT_COMMIT_HASH @ $GIT_COMMIT_DATE\n\ -IMAGE_BUILD: $BUILD_DATE\n" >/opt/build_info && \ +RUN </opt/build_info cat /opt/build_info +EOF + COPY image/ldifs /opt/ldifs COPY image/run.sh /opt/run.sh COPY .shared/lib/bash-init.sh /opt/bash-init.sh
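Review bot: The rewritten build-info step appears to write the `echo -e` output with a single `>/opt/build_info`, which truncates the file that the slapd installation step earlier in the Dockerfile appended `OpenLDAP <version>` to via `>> /opt/build_info`, so the version line never reaches the final image. This was already the behaviour of the removed `&&`-chain, but the heredoc rewrite is the natural place to fix it: either append here too, `... >>/opt/build_info`, or write this header first and move the version append after it. The heredoc text is garbled in this rendering (the `<<EOF` marker and the redirect are partly swallowed), so confirm the redirect operator in the actual file before changing it.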