docker image artifact

google · Jan 23, 2024 · 2b87263 · 2b87263
1 parent 0a3580a
commit 2b87263
Show file tree

Hide file tree

Showing 8 changed files with 135 additions and 82 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -184,11 +184,8 @@ jobs:
           path: gcs_upload_dir/
           retention-days: 1
 
-  docker-compose-test:
+  build-docker-image:
     if: ${{ github.event_name == 'push' }}
-    permissions:
-      contents: 'read'
-      id-token: 'write'
     runs-on: ubuntu-22.04
     needs:
       - build-centos
@@ -197,68 +194,105 @@ jobs:
       - build-windows
     steps:
       - uses: actions/checkout@v3
-      - name: Start docker-compose stack
+      - name: Download installers from GitHub artifacts
+        id: download
+        uses: actions/download-artifact@v4
+        with:
+          pattern: '*installer*'
+          path: _installers
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.DOCKER_REPOSITORY }}
+      - name: Build and export
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: Dockerfile
+          tags: | 
+            ${{ env.DOCKER_REPOSITORY }}:testing
+            ${{ steps.meta.outputs.tags }}
+          outputs: type=docker,dest=/tmp/grr_base_image.tar
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: grr_base_image
+          path: /tmp/grr_base_image.tar
+
+
+  docker-compose-test:
+    if: ${{ github.event_name == 'push' }}
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+    runs-on: ubuntu-22.04
+    needs:
+      - build-docker-image
+    steps:
+      - uses: actions/checkout@v3
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: grr_base_image
+          path: /tmp
+      - name: Load image
+        run: |
+          docker load --input /tmp/grr_base_image.tar
+      - name: Start docker compose stack
         shell: bash
         run: |
-          docker-compose pull --include-deps
-          docker-compose up -d
+          docker compose -f docker-compose.yaml -f docker-compose.testing.yaml up -d --wait
       - name: Test
         shell: bash
         run: |
-          docker build -f ./Dockerfile . -t grr-testing
+          # docker compose exec linux-client /configs/create_fake_user.sh
           docker run \
             --add-host=host.docker.internal:host-gateway \
             -v $(pwd):/github_workspace \
             -w /github_workspace \
             --entrypoint appveyor/e2e_tests/run_docker_compose_e2e_test.sh \
-            grr-testing \
+            ${{ env.DOCKER_REPOSITORY }}:testing \
             $(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' grr-linux-client)
-      - name: Stop docker-compose stack
+      - name: Stop the docker compose stack
         if: always()
         shell: bash
         run: |
-          docker-compose down --volumes
+          docker compose down --volumes
 
-  build-push-docker-base-image:
+  push-docker-image:
     env:
       REGISTRY: ghcr.io
-      IMAGE_NAME: ${{ github.repository }}
+    permissions:
+      contents: 'read'
+      id-token: 'write'
     runs-on: ubuntu-22.04
     needs:
-      - docker-compose-test
+      - build-docker-image # TODO update after test
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
-      - name: Download installers from GitHub artifacts
-        id: download
+      - name: Download artifact
         uses: actions/download-artifact@v4
         with:
-          pattern: '*_installer*'
-          path: _installers
+          name: grr_base_image
+          path: /tmp
+      - name: Load image
+        run: |
+          docker load --input /tmp/grr_base_image.tar
       - name: Login to GitHub Container registry
-        # if: ${{ github.event_name == 'push' }}
+        if: ${{ github.event_name == 'push' }}
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Extract metadata (tags, labels) for Docker
-        # if: ${{ github.event_name == 'push' }}
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
-      - name: Build and push Docker image
-        # if: ${{ github.event_name == 'push' }}
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          file: Dockerfile
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+      - name: Push Docker image
+        if: ${{ github.event_name == 'push' }}
+        run: |
+          # Remove the tag used to identify the image for testing again.
+          docker rmi ${{ env.DOCKER_REPOSITORY }}:testing
+          docker push --all-tags ${{ env.DOCKER_REPOSITORY }}
 
   upload-artifacts:
     if: ${{ github.event_name == 'push' }}

diff --git a/Dockerfile b/Dockerfile
@@ -13,7 +13,7 @@
 #   "-component" "admin_ui"
 #   "-config" "/configs/server/grr.server.yaml"
 
-FROM ubuntu:22.04 AS builder
+FROM ubuntu:22.04
 
 LABEL maintainer="[email protected]"
 
@@ -66,4 +66,4 @@ RUN ${VIRTUAL_ENV}/bin/python grr/proto/makefile.py && \
 
 WORKDIR /
 
-ENTRYPOINT [ "grr_server" ]
+ENTRYPOINT [ "grr_server" ]
diff --git a/Dockerfile.client b/Dockerfile.client
diff --git a/docker-compose.testing.yaml b/docker-compose.testing.yaml
@@ -0,0 +1,13 @@
+
+services: 
+  grr-admin-ui:
+    image: ghcr.io/google/grr:testing
+
+  grr-fleetspeak-frontend:
+    build: ghcr.io/google/grr:testing
+
+  grr-worker:
+    build: ghcr.io/google/grr:testing
+
+  linux-client:
+    build: ghcr.io/google/grr:testing
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -26,9 +26,7 @@ services:
       retries: 10
 
   grr-admin-ui:
-    build:
-      dockerfile: Dockerfile
-      context: .
+    image: ghcr.io/google/grr:latest
     container_name: grr-admin-ui
     hostname: admin-ui
     restart: always
@@ -53,9 +51,7 @@ services:
       - --verbose
 
   grr-fleetspeak-frontend:
-    build:
-      dockerfile: Dockerfile
-      context: .
+    image: ghcr.io/google/grr:latest
     container_name: grr-fleetspeak-frontend
     hostname: grr-fleetspeak-frontend
     depends_on: 
@@ -129,9 +125,7 @@ services:
     ]
 
   grr-worker:
-    build:
-      dockerfile: Dockerfile
-      context: .
+    image: ghcr.io/google/grr:latest
     container_name: grr-worker
     volumes:
       - ./docker_config_files/server/:/configs/
@@ -152,24 +146,22 @@ services:
       - --verbose
 
   linux-client:
-    build:
-      dockerfile: Dockerfile.client
-      context: .
+    image: ghcr.io/google/grr:latest
     container_name: grr-linux-client
     restart: always
-    depends_on: 
+    depends_on:
       - db
       - fleetspeak-frontend
     volumes:
       - ./docker_config_files/client/:/configs/
+      # Mount the client_installers folder, to preserve 
+      # the repacked templates across restarts.
       - client_installers:/client_installers
     tty: true
     stdin_open: true
     networks:
       - server-network
-    command: 
-      - -config
-      - /configs/client.config
+    entrypoint: /configs/init_grr_client.sh
 
 volumes:
   db_data:

diff --git a/docker_config_files/client/create_fake_user.sh b/docker_config_files/client/create_fake_user.sh
@@ -0,0 +1,9 @@
+
+# End-to-end test require a user on a client, which e.g. sets the
+# home directory for file collection.
+
+useradd -m testuser &&
+echo "[7] [01234] [ts/3] [testuser] [pts/3       ] [100.100.10.10       ] [100.100.10.10  ] [Thu Jan 01 00:00:00 1970 UTC]" > wtmp.txt && \
+    utmpdump /var/log/wtmp >> wtmp.txt && \
+    utmpdump --reverse < wtmp.txt > /var/log/wtmp && \
+    utmpdump /var/log/wtmp
diff --git a/docker_config_files/client/init_grr_client.sh b/docker_config_files/client/init_grr_client.sh
@@ -0,0 +1,30 @@
+#! /bin/bash
+
+# GRR client docker compose initialization script.
+# This script runs when starting the client in the
+# docker-compose stack. It repacks the client using the
+# provided configuration files and installs the resulting
+# debian package if no installers or fleetspeak-client
+# binary are found.
+#
+# This script assumes the client-config files 
+# (docker_config_files/client) to be mounted at /configs.
+
+TEMPLATE_DIR="/client_templates"
+INSTALLERS_DIR="/client_installers"
+
+
+if [ -z "$(ls -A ${INSTALLERS_DIR})" ]; then 
+    echo "Repack clients"
+    grr_client_build repack_multiple \
+        --templates ${TEMPLATE_DIR}/*/*.zip \
+        --repack_configs /configs/grr.client.yaml \
+        --output_dir ${INSTALLERS_DIR}
+fi
+
+if ! command -v fleetspeak-client &> /dev/null; then
+    echo "Install Client from debian package"
+    dpkg -i  ${INSTALLERS_DIR}/grr.client/*.deb   
+fi
+
+fleetspeak-client -config /configs/client.config
diff --git a/docker_config_files/mysql/.env b/docker_config_files/mysql/.env
@@ -9,4 +9,4 @@ FLEETSPEAK_DB_PASSWORD="fleetspeak-password"
 
 GRR_DB="grr"
 GRR_DB_USER="grru"
-GRR_DB_PASSWORD="grrp"
+GRR_DB_PASSWORD="grrp"