Build (optional) multi arch support into our build toolkit

Author: WyriHaximus

.github/workflows/ci.yml

@@ -1,5 +1,7 @@
 # syntax=docker/dockerfile:experimental
 FROM php:7.2-cli-alpine3.7 as cli
+ARG TARGETOS
+ARG TARGETARCH
 
 # Add usabilla user and group
 RUN set -x \
@@ -15,6 +17,7 @@ COPY src/php/utils/docker/ /usr/local/bin/
 # Install PHP extensions
 # hadolint ignore=DL4006
 RUN set -x \
+    && apk upgrade --no-cache \
     # Install curl-dev in order to address the curl binary issue in some Alpine versions
     && apk add --no-cache curl-dev \
     # Adding sodium purely for the 7.1 image, it's already in 7.2 and up: https://www.php.net/manual/en/sodium.installation.php \
@@ -31,9 +34,6 @@ RUN set -x \
     && docker-php-source-tarball clean && rm /usr/local/bin/php-cgi && rm /usr/local/bin/phpdbg && rm -rf /tmp/pear ~/.pearrc \
     && apk del .phpize-deps \
 
-    # Patch CVE-2018-14618 (curl), CVE-2018-16842 (libxml2), CVE-2019-11068 (libxslt)
-    && apk upgrade --no-cache curl libxml2 libxslt \
-
     # Create a symlink to the recommended production configuration
     # ref: https://github.com/docker-library/docs/tree/master/php#configuration
     && ln -s $PHP_INI_DIR/php.ini-production $PHP_INI_DIR/php.ini

Dockerfile-cli

@@ -1,5 +1,7 @@
 # syntax=docker/dockerfile:experimental
 FROM php:7.2-fpm-alpine3.7 as fpm
+ARG TARGETOS
+ARG TARGETARCH
 
 ENV FCGI_CONNECT=/var/run/php-fpm.sock
 ENV PHP_FPM_PM=dynamic
@@ -26,6 +28,7 @@ COPY src/php/utils/install-* /usr/local/bin/
 # Install PHP extensions
 # hadolint ignore=DL4006
 RUN set -x \
+    && apk upgrade --no-cache \
     # Install curl-dev in order to address the curl binary issue in some Alpine versions
     && apk add --no-cache curl-dev \
     # Adding sodium purely for the 7.1 image, it's already in 7.2 and up: https://www.php.net/manual/en/sodium.installation.php \
@@ -43,9 +46,6 @@ RUN set -x \
     && apk del .phpize-deps \
     && apk add --no-cache fcgi \
 
-    # Patch CVE-2018-14618 (curl), CVE-2018-16842 (libxml2), CVE-2019-11068 (libxslt)
-    && apk upgrade --no-cache curl libxml2 libxslt \
-
     # Create a symlink to the recommended production configuration
     # ref: https://github.com/docker-library/docs/tree/master/php#configuration
     && ln -s $PHP_INI_DIR/php.ini-production $PHP_INI_DIR/php.ini

Dockerfile-fpm

@@ -1,4 +1,4 @@
-FROM nginx:1.15-alpine as http
+FROM nginx:1.15-alpine AS http
 
 # Add usabilla user and group
 RUN set -x \
@@ -21,8 +21,8 @@ ENV NGINX_LARGE_CLIENT_HEADER_BUFFERS="4 8k"
 ENV NGINX_CORS_ENABLE=false
 ENV NGINX_CORS_ALLOW_ORIGIN="*"
 
-# Patch gCVE-2019-11068 (libxslt)
-RUN apk upgrade --no-cache libxslt
+RUN set -x \
+    && apk upgrade --no-cache
 
 # Nginx helper scripts
 COPY src/http/nginx/docker-nginx-* /usr/local/bin/
@@ -37,6 +37,6 @@ CMD ["docker-nginx-entrypoint"]
 # this can be overriden in the child images
 HEALTHCHECK NONE
 
-FROM http as http-dev
+FROM http AS http-dev
 
 ENV NGINX_EXPOSE_VERSION=on

Dockerfile-http

@@ -52,7 +52,7 @@ build-http: clean-tags
 # Adding arbitrary version 1.0 in order to make sure if we break compatibility we have to up it
 build-prometheus-exporter-file: BUILDINGIMAGE=prometheus-exporter-file
 build-prometheus-exporter-file: clean-tags
-	./build-prometheus-exporter-file.sh 1.18 prometheus-exporter-file1.0 prometheus-exporter-file1
+	./build-prometheus-exporter-file.sh 1.29 prometheus-exporter-file1.0 prometheus-exporter-file1
 
 .NOTPARALLEL: clean-tags
 clean-tags:
@@ -103,8 +103,4 @@ test-prometheus-exporter-file-e2e: ./tmp/build-prometheus-exporter-file.tags
 	xargs -I % ./test-prometheus-exporter-file-e2e.sh % < ./tmp/build-prometheus-exporter-file.tags
 
 scan-vulnerability:
-	docker compose -f test/security/docker-compose.yml -p clair-ci up -d
-	RETRIES=0 && while ! wget -T 10 -q -O /dev/null http://localhost:6060/v1/namespaces ; do sleep 1 ; echo -n "." ; if [ $${RETRIES} -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; RETRIES=$$(($${RETRIES}+1)) ; done
-	mkdir -p ./tmp/clair/usabillabv
-	cat ./tmp/build-*.tags | xargs -I % sh -c 'clair-scanner --ip 172.17.0.1 -r "./tmp/clair/%.json" -l ./tmp/clair/clair.log % || echo "% is vulnerable"'
-	docker compose -f test/security/docker-compose.yml -p clair-ci down
+	cat ./tmp/build-*.tags | xargs -I % sh -c 'docker run -v /tmp/trivy:/var/lib/trivy -v /var/run/docker.sock:/var/run/docker.sock -t aquasec/trivy:latest --cache-dir /var/lib/trivy image --skip-files "/usr/local/bin/shush" --exit-code 1 --no-progress % || (echo "% is vulnerable" && exit 1)'

Makefile

@@ -15,22 +15,32 @@ declare -r IMAGE_ORIGINAL_TAG="nginx:1.[0-9][0-9]?-alpine"
 
 declare -r IMAGE_TAG="nginx:${VERSION_NGINX}-alpine"
 declare -r USABILLA_TAG_PREFIX="usabillabv/php"
-declare -r USABILLA_TAG="${USABILLA_TAG_PREFIX}:nginx${VERSION_NGINX}"
-declare -r USABILLA_TAG_DEV="${USABILLA_TAG}-dev"
-
-TAG_FILE="./tmp/build-${IMAGE}.tags"
-
+if [[ ! -v DOCKER_BUILD_PLATFORM ]]; then
+   declare -r DOCKER_BUILD_FLAGS=""
+   declare -r USABILLA_TAG_SUFFIX=""
+else
+   declare -r DOCKER_BUILD_FLAGS="--platform=${DOCKER_BUILD_PLATFORM}"
+   # shellcheck disable=SC2155
+   declare -r USABILLA_TAG_SUFFIX="-${DOCKER_BUILD_PLATFORM//\//-}"
+fi
+declare -r USABILLA_TAG="${USABILLA_TAG_PREFIX}:nginx${VERSION_NGINX}${USABILLA_TAG_SUFFIX}"
+declare -r USABILLA_TAG_DEV="${USABILLA_TAG_PREFIX}:nginx${VERSION_NGINX}-dev${USABILLA_TAG_SUFFIX}"
+
+declare -r TAG_FILE="./tmp/build-${IMAGE}${USABILLA_TAG_SUFFIX}.tags"
+
+# shellcheck disable=SC2086
 sed -E "s/${IMAGE_ORIGINAL_TAG}/${IMAGE_TAG}/g" "Dockerfile-${IMAGE}" | docker build --pull -t "${USABILLA_TAG}" \
-    --build-arg=NGINX_VHOST_TEMPLATE=php-fpm --target="${IMAGE}" -f - . \
+    --build-arg=NGINX_VHOST_TEMPLATE=php-fpm --target="${IMAGE}" ${DOCKER_BUILD_FLAGS} -f - . \
     && echo "${USABILLA_TAG}" >> "${TAG_FILE}"
 
+# shellcheck disable=SC2086
 sed -E "s/${IMAGE_ORIGINAL_TAG}/${IMAGE_TAG}/g" "Dockerfile-${IMAGE}" | docker build --pull -t "${USABILLA_TAG_DEV}" \
-    --build-arg=NGINX_VHOST_TEMPLATE=php-fpm --target="${IMAGE}-dev" -f - . \
+    --build-arg=NGINX_VHOST_TEMPLATE=php-fpm --target="${IMAGE}-dev" ${DOCKER_BUILD_FLAGS} -f - . \
     && echo "$USABILLA_TAG_DEV" >> "${TAG_FILE}"
 
 for IMAGE_EXTRA_TAG in "${@:2}"
 do
     declare NEW_TAG="${USABILLA_TAG_PREFIX}:${IMAGE_EXTRA_TAG}"
-    docker tag "${USABILLA_TAG}" "${NEW_TAG}" && echo "${NEW_TAG}" >> "${TAG_FILE}"
-    docker tag "${USABILLA_TAG_DEV}" "${NEW_TAG}-dev" && echo "${NEW_TAG}-dev" >> "${TAG_FILE}"
+    docker tag "${USABILLA_TAG}" "${NEW_TAG}${USABILLA_TAG_SUFFIX}" && echo "${NEW_TAG}${USABILLA_TAG_SUFFIX}" >> "${TAG_FILE}"
+    docker tag "${USABILLA_TAG_DEV}" "${NEW_TAG}-dev${USABILLA_TAG_SUFFIX}" && echo "${NEW_TAG}-dev${USABILLA_TAG_SUFFIX}" >> "${TAG_FILE}"
 done

build-http.sh

@@ -16,13 +16,24 @@ declare -r VERSION_ALPINE=$3
 declare -r IMAGE_ORIGINAL_TAG="7.[0-9]-${IMAGE}-alpine3.[0-9]"
 
 declare -r IMAGE_TAG="${VERSION_PHP}-${IMAGE}-alpine${VERSION_ALPINE}"
-declare -r USABILLA_TAG="usabillabv/php:${VERSION_PHP}-${IMAGE}-alpine${VERSION_ALPINE}"
-declare -r USABILLA_TAG_DEV="${USABILLA_TAG}-dev"
-
-declare -r TAG_FILE="./tmp/build-${IMAGE}.tags"
-
-sed -E "s/${IMAGE_ORIGINAL_TAG}/${IMAGE_TAG}/g" "Dockerfile-${IMAGE}" | docker build --pull -t "${USABILLA_TAG}" --target="${IMAGE}" -f - . \
+if [[ ! -v DOCKER_BUILD_PLATFORM ]]; then
+   declare -r DOCKER_BUILD_FLAGS=""
+   declare -r USABILLA_TAG_SUFFIX=""
+else
+   declare -r DOCKER_BUILD_FLAGS="--platform=${DOCKER_BUILD_PLATFORM}"
+   # shellcheck disable=SC2155
+   declare -r USABILLA_TAG_SUFFIX="-${DOCKER_BUILD_PLATFORM//\//-}"
+fi
+declare -r USABILLA_TAG_PREFIX="usabillabv/php:${VERSION_PHP}-${IMAGE}-alpine${VERSION_ALPINE}"
+declare -r USABILLA_TAG="${USABILLA_TAG_PREFIX}${USABILLA_TAG_SUFFIX}"
+declare -r USABILLA_TAG_DEV="${USABILLA_TAG_PREFIX}-dev${USABILLA_TAG_SUFFIX}"
+
+declare -r TAG_FILE="./tmp/build-${IMAGE}${USABILLA_TAG_SUFFIX}.tags"
+
+# shellcheck disable=SC2086
+sed -E "s/${IMAGE_ORIGINAL_TAG}/${IMAGE_TAG}/g" "Dockerfile-${IMAGE}" | docker build --pull -t "${USABILLA_TAG}" --target="${IMAGE}" ${DOCKER_BUILD_FLAGS} -f - . \
     && echo "$USABILLA_TAG" >> "$TAG_FILE"
 
-sed -E "s/${IMAGE_ORIGINAL_TAG}/${IMAGE_TAG}/g" "Dockerfile-${IMAGE}" | docker build --pull -t "${USABILLA_TAG_DEV}" --target="${IMAGE}-dev" -f - . \
+# shellcheck disable=SC2086
+sed -E "s/${IMAGE_ORIGINAL_TAG}/${IMAGE_TAG}/g" "Dockerfile-${IMAGE}" | docker build --pull -t "${USABILLA_TAG_DEV}" --target="${IMAGE}-dev" ${DOCKER_BUILD_FLAGS} -f - . \
     && echo "$USABILLA_TAG_DEV" >> "$TAG_FILE"

build-php.sh

@@ -17,16 +17,25 @@ declare -r IMAGE_ORIGINAL_TAG="nginx:1.[0-9][0-9]?-alpine"
 
 declare -r IMAGE_TAG="nginx:${VERSION_NGINX}-alpine"
 declare -r USABILLA_TAG_PREFIX="usabillabv/php"
-declare -r USABILLA_TAG="${USABILLA_TAG_PREFIX}:${IMAGE}"
-
-TAG_FILE="./tmp/build-${IMAGE}.tags"
-
+if [[ ! -v DOCKER_BUILD_PLATFORM ]]; then
+   declare -r DOCKER_BUILD_FLAGS=""
+   declare -r USABILLA_TAG_SUFFIX=""
+else
+   declare -r DOCKER_BUILD_FLAGS="--platform=${DOCKER_BUILD_PLATFORM}"
+   # shellcheck disable=SC2155
+   declare -r USABILLA_TAG_SUFFIX="-${DOCKER_BUILD_PLATFORM//\//-}"
+fi
+declare -r USABILLA_TAG="${USABILLA_TAG_PREFIX}:${IMAGE}${USABILLA_TAG_SUFFIX}"
+
+declare -r TAG_FILE="./tmp/build-${IMAGE}${USABILLA_TAG_SUFFIX}.tags"
+
+# shellcheck disable=SC2086
 sed -E "s/${IMAGE_ORIGINAL_TAG}/${IMAGE_TAG}/g" "Dockerfile-${DOCKER_FILE}" | docker build --pull -t "${USABILLA_TAG}" \
-    --build-arg=NGINX_VHOST_TEMPLATE=prometheus-exporter-file --target="http" -f - . \
+    --build-arg=NGINX_VHOST_TEMPLATE=prometheus-exporter-file --target="http" ${DOCKER_BUILD_FLAGS} -f - . \
     && echo "${USABILLA_TAG}" >> "${TAG_FILE}"
 
 for USABILLA_TAG_EXTRA in "${@:2}"
 do
-    docker tag "${USABILLA_TAG}" "${USABILLA_TAG_PREFIX}:${USABILLA_TAG_EXTRA}" \
-    && echo "${USABILLA_TAG_PREFIX}:${USABILLA_TAG_EXTRA}" >> "${TAG_FILE}"
+    docker tag "${USABILLA_TAG}" "${USABILLA_TAG_PREFIX}:${USABILLA_TAG_EXTRA}${USABILLA_TAG_SUFFIX}" \
+    && echo "${USABILLA_TAG_PREFIX}:${USABILLA_TAG_EXTRA}${USABILLA_TAG_SUFFIX}" >> "${TAG_FILE}"
 done

build-prometheus-exporter-file.sh

@@ -4,7 +4,7 @@ set -xeu
 
 VERSION="1.2.2"
 
-curl -sL -o /usr/local/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v"$VERSION"/dumb-init_"$VERSION"_amd64
+curl -sL -o /usr/local/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v"$VERSION"/dumb-init_"$VERSION"_"${TARGETARCH}"
 
 chmod +x /usr/local/bin/dumb-init
 

src/php/utils/install-dumb-init

@@ -2,9 +2,9 @@
 
 set -xe
 
-curl -sL -o /usr/local/bin/shush https://github.com/realestate-com-au/shush/releases/download/v1.5.0/shush_linux_amd64
+curl -sL -o /usr/local/bin/shush "https://github.com/realestate-com-au/shush/releases/download/v1.5.5/shush_linux_${TARGETARCH}"
 
-echo "cdec941dc5f45dda2d981169aa1845540d2c5bf98bfd1d8a85deaa6a6a43a4d1  /usr/local/bin/shush" | sha256sum -c
+(echo "d0e091405a18b6d11a65ea1d7449802c0cbac51971031897089d038e6f7cc750  /usr/local/bin/shush" | sha256sum -c) || (echo "138af0f1eec3af50176d542fead8824c3ca0f6ba27a4a50e1db8af5959a13116  /usr/local/bin/shush" | sha256sum -c)
 
 chmod +x /usr/local/bin/shush