diff --git a/Dockerfile b/Dockerfile index 2668e17..ce5f5c0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,25 +1,15 @@ # -------------- Build-time variables -------------- -ARG MASTODON_VERSION=3.4.4 +ARG MASTODON_VERSION=main ARG MASTODON_REPOSITORY=mastodon/mastodon -ARG RUBY_VERSION=2.7 -ARG NODE_VERSION=14 -ARG ALPINE_VERSION=3.14 +ARG ALPINE_VERSION=3.15 ARG HARDENED_MALLOC_VERSION=8 -ARG LIBICONV_VERSION=1.16 ARG UID=991 ARG GID=991 # --------------------------------------------------- -### Build Mastodon stack base (Ruby + Node) -FROM node:${NODE_VERSION}-alpine${ALPINE_VERSION} as node -FROM ruby:${RUBY_VERSION}-alpine${ALPINE_VERSION} as node-ruby -COPY --from=node /usr/local /usr/local -COPY --from=node /opt /opt - - ### Build Hardened Malloc ARG ALPINE_VERSION FROM alpine:${ALPINE_VERSION} as build-malloc @@ -35,28 +25,59 @@ RUN apk --no-cache add build-base git gnupg && cd /tmp \ && make CONFIG_NATIVE=${CONFIG_NATIVE} -### Build GNU Libiconv (needed for nokogiri) +### Build Mastodon ARG ALPINE_VERSION -FROM alpine:${ALPINE_VERSION} as build-gnulibiconv -ARG LIBICONV_VERSION - -RUN apk --no-cache add build-base \ - && wget -q https://ftp.gnu.org/pub/gnu/libiconv/libiconv-${LIBICONV_VERSION}.tar.gz \ - && mkdir /tmp/libiconv && tar xf libiconv-${LIBICONV_VERSION}.tar.gz -C /tmp/libiconv --strip-components 1 \ - && cd /tmp/libiconv && mkdir output && ./configure --prefix=$PWD/output \ - && make -j$(getconf _NPROCESSORS_ONLN) && make install - - -### Build Mastodon (production environment) -FROM node-ruby as mastodon - -COPY --from=build-gnulibiconv /tmp/libiconv/output /usr/local -COPY --from=build-malloc /tmp/hardened_malloc/libhardened_malloc.so /usr/local/lib/ +FROM alpine:${ALPINE_VERSION} as mastodon-build ARG MASTODON_VERSION ARG MASTODON_REPOSITORY +# Install build dependencies +RUN apk --no-cache add -t build-dependencies \ + build-base \ + gnu-libiconv-dev \ + icu-dev \ + libidn-dev \ + libtool \ + libxml2-dev \ + libxslt-dev \ + postgresql-dev \ + protobuf-dev \ + python3 \ + ruby-dev \ + imagemagick \ + yarn \ + ruby \ + ruby-bundler + +RUN adduser -g ${GID} -u ${UID} --disabled-password --gecos "" mastodon \ + && mkdir /mastodon \ + && chown mastodon:mastodon /mastodon +USER mastodon +WORKDIR /mastodon + +RUN wget -qO- https://github.com/${MASTODON_REPOSITORY}/archive/refs/heads/${MASTODON_VERSION}.tar.gz | tar xz --strip 1 + +ENV RAILS_SERVE_STATIC_FILES=true \ + RAILS_ENV=production \ + NODE_ENV=production + +RUN bundle config build.nokogiri --use-system-libraries \ + && bundle config set --local clean 'true' && bundle config set --local deployment 'true' \ + && bundle config set --local without 'test development' && bundle config set no-cache 'true' \ + && bundle install -j$(getconf _NPROCESSORS_ONLN) + +RUN yarn install --pure-lockfile --ignore-engines \ + && OTP_SECRET=precompile_placeholder SECRET_KEY_BASE=precompile_placeholder bundle exec rails assets:precompile \ + && yarn cache clean + + +### Mastodon runtime +ARG ALPINE_VERSION + +FROM alpine:${ALPINE_VERSION} as mastodon + ARG UID ARG GID @@ -66,10 +87,7 @@ ENV RUN_DB_MIGRATIONS=true \ RAILS_SERVE_STATIC_FILES=true \ RAILS_ENV=production \ NODE_ENV=production \ - PATH="${PATH}:/mastodon/bin" \ - LD_PRELOAD="/usr/local/lib/libhardened_malloc.so" - -WORKDIR /mastodon + PATH="${PATH}:/mastodon/bin" # Install runtime dependencies RUN apk --no-cache add \ @@ -90,38 +108,26 @@ RUN apk --no-cache add \ yaml \ readline \ gcompat \ -# Install build dependencies - && apk --no-cache add -t build-dependencies \ - build-base \ - icu-dev \ - libidn-dev \ - libtool \ - libxml2-dev \ - libxslt-dev \ - postgresql-dev \ - protobuf-dev \ - python3 \ - imagemagick \ -# Install Mastodon - && wget -qO- https://github.com/${MASTODON_REPOSITORY}/archive/v${MASTODON_VERSION}.tar.gz | tar xz --strip 1 \ - && bundle config build.nokogiri --use-system-libraries --with-iconv-lib=/usr/local/lib --with-iconv-include=/usr/local/include \ - && bundle config set --local clean 'true' && bundle config set --local deployment 'true' \ - && bundle config set --local without 'test development' && bundle config set no-cache 'true' \ - && bundle install -j$(getconf _NPROCESSORS_ONLN) \ - && yarn install --pure-lockfile --ignore-engines \ - && OTP_SECRET=precompile_placeholder SECRET_KEY_BASE=precompile_placeholder bundle exec rails assets:precompile \ -# Clean - && npm -g --force cache clean && yarn cache clean \ - && apk del build-dependencies \ -# Prepare mastodon user - && adduser -g ${GID} -u ${UID} --disabled-password --gecos "" mastodon \ - && chown -R mastodon:mastodon /mastodon - -COPY --chown=mastodon:mastodon rootfs / - -RUN chmod +x /usr/local/bin/* /etc/s6.d/*/* /etc/s6.d/.s6-svscan/* + gnu-libiconv \ + nodejs \ + ruby \ + ruby-bundler \ +# For hardened_malloc + libgcc \ + libstdc++ +RUN adduser -g ${GID} -u ${UID} --disabled-password --gecos "" mastodon USER mastodon +WORKDIR /mastodon + +COPY --chown=mastodon:mastodon --from=mastodon-build /mastodon /mastodon + +ENV LD_PRELOAD="/usr/local/lib/libhardened_malloc.so" +COPY --from=build-malloc /tmp/hardened_malloc/libhardened_malloc.so /usr/local/lib/ + +COPY --chown=mastodon:mastodon rootfs/usr/local/bin/run /usr/local/bin/run +COPY --chown=mastodon:mastodon rootfs/etc/s6.d /etc/s6.d +RUN chmod +x /usr/local/bin/* /etc/s6.d/*/* /etc/s6.d/.s6-svscan/* VOLUME /mastodon/public/system /mastodon/log