Merge pull request #581 from openziti/container-switch-to-redhat-ubi

use Red Hat base image for run container
openziti · Jan 10, 2023 · 317df60 · 317df60
2 parents 3c00f60 + 9582fa8
commit 317df60
Show file tree

Hide file tree

Showing 5 changed files with 69 additions and 133 deletions.
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -1,4 +1,5 @@
-FROM debian:buster-slim as fetch-ziti-artifacts
+# this builds docker.io/openziti/ziti-edge-tunnel
+FROM registry.access.redhat.com/ubi8/ubi-minimal as fetch-ziti-artifacts
 # This build stage grabs artifacts that are copied into the final image.
 # It uses the same base as the final image to maximize docker cache hits.
 
@@ -9,32 +10,44 @@ ARG GITHUB_REPO
 
 WORKDIR /tmp
 
-RUN apt-get -q update && apt-get -q install -y --no-install-recommends curl ca-certificates unzip
-# workaround for `openssl rehash` not working on arm.
-RUN /bin/bash -c "if ! compgen -G '/etc/ssl/certs/*.[0-9]' > /dev/null; then c_rehash /etc/ssl/certs; fi"
+### Add necessary Red Hat repos and packages
+RUN INSTALL_PKGS="curl unzip" && \
+    microdnf -y update --setopt=install_weak_deps=0 --setopt=tsflags=nodocs && \
+    microdnf -y install --setopt=install_weak_deps=0 --setopt=tsflags=nodocs ${INSTALL_PKGS}
 
 COPY fetch-github-releases.sh .
-RUN bash -x ./fetch-github-releases.sh ziti-edge-tunnel
+RUN bash ./fetch-github-releases.sh ziti-edge-tunnel
 
 ################
 #
 #  Main Image
 #
 ################
 
-FROM debian:buster-slim
+FROM registry.access.redhat.com/ubi8/ubi-minimal
 
-RUN mkdir -p /usr/local/bin /etc/ssl/certs
-# libsystemd: install the shared object, necessary in conjunction with      --volume "/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket"     to communicate with the host's dbus socket to configure systemd-resolved
-# iproute2: install /sbin/ip, necessary in conjunction with    --device="/dev/net/tun:/dev/net/tun"    to up the tun device, assign routes, and assign source IP 
-RUN apt-get -q update && apt-get -q install -y --no-install-recommends iproute2 libsystemd0
-# Use 32-bit arm binaries on arm64 until we have 64-bit arm builds. This also affects fetch-github-releases.sh.
-RUN /bin/bash -c 'if [[ "$(uname -m)" == "aarch64" ]]; then dpkg --add-architecture armhf; apt update; apt install -y libc6:armhf; fi'
-COPY --from=fetch-ziti-artifacts /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs
+### Required OpenShift Labels 
+LABEL name="openziti/ziti-edge-tunnel" \
+      maintainer="[email protected]" \
+      vendor="NetFoundry" \
+      summary="OpenZiti Tunneler" \
+      description="Configure a proxy and nameserver for OpenZiti Services"
+
+### add licenses to this directory
+RUN mkdir -m0755 /licenses
+COPY ./LICENSE-Apache /licenses/apache.txt
+
+### Add necessary Red Hat repos and packages
+RUN INSTALL_PKGS="iproute procps" && \
+    microdnf -y update --setopt=install_weak_deps=0 --setopt=tsflags=nodocs && \
+    microdnf -y install --setopt=install_weak_deps=0 --setopt=tsflags=nodocs ${INSTALL_PKGS}
+
+RUN mkdir -p /usr/local/bin
 COPY --from=fetch-ziti-artifacts /tmp/ziti-edge-tunnel /usr/local/bin
 COPY ./docker-entrypoint.sh /
 RUN chmod +x /docker-entrypoint.sh
-RUN mkdir -p /ziti-edge-tunnel
+RUN mkdir -m0777 /ziti-edge-tunnel
+USER root
 
 ENTRYPOINT [ "/docker-entrypoint.sh" ]
 CMD [ "run" ]
diff --git a/docker/Dockerfile.copy b/docker/Dockerfile.copy
diff --git a/docker/Dockerfile.ziti-host b/docker/Dockerfile.ziti-host
@@ -1,51 +1,14 @@
 # this builds docker.io/openziti/ziti-host
-FROM registry.access.redhat.com/ubi8/ubi as fetch-ziti-artifacts
-# This build stage grabs artifacts that are copied into the final image.
-# It uses the same base as the final image to maximize docker cache hits.
+FROM docker.io/openziti/ziti-edge-tunnel
 
-ARG ZITI_VERSION
-
-ARG GITHUB_BASE_URL
-ARG GITHUB_REPO
-
-WORKDIR /tmp
-
-### Add necessary Red Hat repos and packages
-RUN REPOLIST=ubi-8-baseos-rpms \
-    INSTALL_PKGS="curl unzip" && \
-    yum -y update-minimal --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs \
-      --security --sec-severity=Important --sec-severity=Critical && \
-    yum -y install --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs ${INSTALL_PKGS}
-
-COPY fetch-github-releases.sh .
-RUN bash ./fetch-github-releases.sh ziti-edge-tunnel
-
-################
-#
-#  Main Image
-#
-################
-
-FROM registry.access.redhat.com/ubi8/ubi
 
 ### Required OpenShift Labels 
 LABEL name="openziti/ziti-host" \
       maintainer="[email protected]" \
       vendor="NetFoundry" \
-      summary="OpenZiti hosting tunneler" \
-      description="Publish any server that is reachable by this container as an OpenZiti service"
-    #   version="0.2.2" \
-    #   release="0.19.11" \
-
-### add licenses to this directory
-RUN mkdir -m0755 /licenses
-COPY ./LICENSE-Apache /licenses/apache.txt
+      summary="OpenZiti Hosting Tunneler" \
+      description="Configure a reverse proxy for OpenZiti Services"
 
-RUN mkdir -p /usr/local/bin
-COPY --from=fetch-ziti-artifacts /tmp/ziti-edge-tunnel /usr/local/bin
-COPY ./docker-entrypoint.sh /
-RUN chmod +x /docker-entrypoint.sh
-RUN mkdir -m0777 /ziti-edge-tunnel
 USER nobody
 
 ENTRYPOINT [ "/docker-entrypoint.sh" ]

diff --git a/docker/README.md b/docker/README.md
@@ -1,20 +1,21 @@
 # Run The OpenZiti Tunneler with Docker
 
-## What’s the difference between the two containers?
+## Contents
 
-The newer container is `openziti/ziti-host`. This container focuses on the most common use case for a containerized tunneler: hosting Ziti services. It employs the “run-host” mode of the tunneler (service hosting only without a proxy or nameserver). This container drops privileges to improve security (non-root) and builds on the Red Hat Universal Base Image.
-
-The original container was `openziti/ziti-edge-tunnel`. This container provides a privileged proxy and nameserver with the “run” mode of the tunneler.
+- [Conventions](#conventions)
+- Use cases:
+  - [Hosting OpenZiti services](#use-case-hosting-openziti-services)
+  - [Connecting to OpenZiti services with an intercepting proxy](#use-case-intercepting-proxy-and-nameserver)
 
 ## Conventions
 
-### Configuring the Ziti Identity
+### Configuring the OpenZiti Identity
 
-It is necessary to supply a Ziti identity enrollment token or an enrolled Ziti identity configuration JSON to the container as a volume-mounted file or as environment variables. The following variable, volumes, and files are common to both container images described below.
+It is necessary to supply an identity enrollment token or an enrolled identity configuration JSON to the container as a volume-mounted file or as environment variables. The following variable, volumes, and files are common to both container images described below.
 
 #### Configuration with Environment Variable
 
-- `ZITI_IDENTITY_JSON`: This is the Ziti identity as represented as JSON. This variable overrides other methods of supplying the Ziti identity JSON. It is not advisable to mount a volume on the container filesystem when using this method because the Ziti identity is written to a temporary file and will cause an error if the file already exists.
+- `ZITI_IDENTITY_JSON`: This is the identity represented as JSON. This variable overrides other methods of supplying the identity JSON. It is not advisable to mount a volume on the container filesystem when using this method because the identity is written to a temporary file and will cause an error if the file already exists.
 
 #### Configuration with Files from Mounted Volume
 
@@ -24,21 +25,23 @@ You may bind a host directory to the container filesystem in `/ziti-edge-tunnel`
 - `ZITI_ENROLL_TOKEN`: Optionally, you may supply the enrollment token JWT as a string if `${ZITI_IDENTITY_BASENAME}.jwt` is not mounted
 - `ZITI_IDENTITY_WAIT`: Optionally, you may configure the container to wait max seconds for the JWT or JSON file to appear in the mounted volume
 
-## Container Image `openziti/ziti-host`
+## Use Case: Hosting OpenZiti Services
+
+This use case involves deploying the OpenZiti tunneler as a reverse proxy to publish regular network servers to your OpenZiti Network. You may locate the published servers in a Docker bridge network (use network mode `bridge`) or the Docker host's network (use network mode `host`). See [the Linux tunneler doc](https://openziti.github.io/ziti/clients/linux.html) for general info about the OpenZiti tunneler. Use the `openziti/ziti-host` container image for this case.
 
-This image runs `ziti-edge-tunnel run-host` on the Red Hat 8 Universal Base Image to optimize deployability within the Red Hat ecosystem, e.g., OpenShift. The hosting-only mode (`ziti-edge-tunnel run-host`) of the Linux tunneler is helpful for publishing containerized servers. YOu may locate the published servers in a Docker bridge network (use network mode `bridge`) or the Docker host's network (use network mode `host`).
+### Container Image `openziti/ziti-host`
 
-See [the Linux tunneler doc](https://openziti.github.io/ziti/clients/linux.html) for general info about the OpenZiti Linux tunneler.
+This image runs `ziti-edge-tunnel run-host` to invoke the hosting-only mode of the tunneler. The main difference from the parent image (`openziti/ziti-edge-tunnel`) is the command argument and run-as user. This container runs as "nobody" and doesn't require special privileges.
 
-### Image Tags for `openziti/ziti-host`
+#### Image Tags for `openziti/ziti-host`
 
 The `openziti/ziti-host` image is published in Docker Hub and automatically updated with new releases. You may subscribe to `:latest` (default) or pin a version for stability e.g. `:0.19.11`.
 
-### Dockerfile for `openziti/ziti-host`
+#### Dockerfile for `openziti/ziti-host`
 
-The Dockerfile for `openziti/ziti-host` is [./Dockerfile.ziti-host](./Dockerfile.ziti-host). There's no build or test automation for this image yet.
+The Dockerfile for `openziti/ziti-host` is [./Dockerfile.ziti-host](./Dockerfile.ziti-host).
 
-### Hosting a Ziti Service with `openziti/ziti-host`
+#### Hosting an OpenZiti Service with `openziti/ziti-host`
 
 Publish servers that are reachable on the Docker host's network, e.g., `tcp:localhost:54321`:
 
@@ -117,7 +120,7 @@ This example uses [the included Docker Compose project](./docker-compose.yml) to
 
 1. Access the demo server via your OpenZiti Network: [http://hello-docker.ziti](http://hello-docker.ziti)
 
-### Docker Compose Examples for `openziti/ziti-host`
+#### Docker Compose Examples for `openziti/ziti-host`
 
 Get a single, enrolled identity configuration from an environment variable. You could define the variable with an `.env` file in the same directory as `docker-compose.yml`.
 
@@ -176,35 +179,36 @@ volumes:
     ziti-identity:
 ```
 
-### Kubernetes Deployments for `openziti/ziti-host`
+#### Kubernetes Deployments for `openziti/ziti-host`
 
 This deployment is a zero-trust ingress (North-South) solution for exposing cluster services to authorized clients.
 
 - [Helm Chart `openziti/ziti-host`](https://openziti.github.io/helm-charts/#ziti-host)
 - [Deployment manifest](./ziti-host-deployment.yaml)
 
-## Container Image `openziti/ziti-edge-tunnel`
+## Use Case: Intercepting Proxy and Nameserver
+
+This use case involves deploying the OpenZiti tunneler as an intercepting proxy with a built-in nameserver. Use the `openziti/ziti-edge-tunnel` container image for this case.
+
+The "run" mode requires elevated privileges to configure the OS with a DNS resolver and IP routes.
 
-This image runs `ziti-edge-tunnel run`, the OpenZiti tunneler, on a Debian Linux base. This run mode provides a Ziti nameserver and transparent proxy that captures
-network traffic destined for Ziti services.
+### Container Image `openziti/ziti-edge-tunnel`
 
-See [the Linux tunneler doc](https://openziti.github.io/ziti/clients/linux.html) for general info about the OpenZiti Linux tunneler.
+This image runs `ziti-edge-tunnel run`, the intercepting proxy mode of the tunneler. The Red Hat 8 Universal Base Image (UBI) is the base image of this container.
 
-This container image requires access to a Ziti enrollment token (JWT). It typically uses a persistent
-volume mounted at `/ziti-edge-tunnel` to persist the permanent identity JSON configuration file. The entrypoint script will
-consume the JWT to create the JSON file during container startup.
+See [the Linux tunneler doc](https://openziti.github.io/ziti/clients/linux.html) for general info about the OpenZiti tunneler.
 
-### Tags for `openziti/ziti-edge-tunnel`
+#### Tags for `openziti/ziti-edge-tunnel`
 
-The container image `openziti/ziti-edge-tunnel` is published in Docker Hub and frequently updated with new releases. You may subscribe to `:latest` (default) or pin a version for stability, e.g., `:0.19.11`.
+The container image `openziti/ziti-edge-tunnel` is published in Docker Hub and automatically updated with new releases. You may subscribe to `:latest` (default) or pin a version for stability, e.g., `:0.19.11`.
 
-### Dockerfile for `openziti/ziti-edge-tunnel`
+#### Dockerfile for `openziti/ziti-edge-tunnel`
 
-The main Dockerfile for `openziti/ziti-edge-tunnel` is [./Dockerfile](./Dockerfile). This image is routinely published to Docker Hub with each release of the OpenZiti tunneler.
+The Dockerfile for `openziti/ziti-edge-tunnel` is [./Dockerfile](./Dockerfile).
 
-### Accessing Ziti Services with `openziti/ziti-edge-tunnel`
+#### Accessing OpenZiti Services with `openziti/ziti-edge-tunnel`
 
-Transparent Proxy `run` mode configures an OpenZiti nameserver running on the local device and captures any layer 4 traffic that matches an authorized service destination.
+Intercepting proxy `run` mode captures DNS names and layer-4 traffic that match authorized destinations.
 
 ```bash
 # current directory contains enrollment token file ziti_id.jwt
@@ -219,7 +223,7 @@ docker run \
     openziti/ziti-edge-tunnel
 ```
 
-### Docker Compose Examples for `openziti/ziti-edge-tunnel`
+#### Docker Compose Examples for `openziti/ziti-edge-tunnel`
 
 This example uses [the Docker Compose project](./docker-compose.yml) included in this repo.
 
@@ -247,9 +251,9 @@ services:
         privileged: true
 ```
 
-### Kubernetes Deployments for `openziti/ziti-edge-tunnel`
+#### Kubernetes Deployments for `openziti/ziti-edge-tunnel`
 
-[Daemonset manifest](./ziti-tun-daemonset.yaml): provides a nameserver `100.64.0.2`, but containers don't automatically use it until you configure cluster DNS. CoreDNS doesn't currently have a fallthrough mechanism, but you can use conventional names for your Ziti services' like `*.ziti`, and configure CoreDNS to forward queries that match that namespace to the Ziti nameserver.
+[Daemonset manifest](./ziti-tun-daemonset.yaml): provides a nameserver `100.64.0.2`, but containers don't automatically use it until you configure cluster DNS. CoreDNS doesn't currently have a fallthrough mechanism, but you can use conventional names for your OpenZiti services' like `*.ziti`, and configure CoreDNS to forward queries that match that namespace to the OpenZiti nameserver.
 
 ```yaml
 apiVersion: v1

diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh
@@ -23,11 +23,11 @@ function alldone() {
     # of resolver config, tun devices and associated routes
     [[ "${ZITI_EDGE_TUNNEL_PID:-}" =~ ^[0-9]+$ ]] && {
         kill -TERM "$ZITI_EDGE_TUNNEL_PID"
-        # let entrypoint script exit after ziti-tunnel PID
-        wait "$ZITI_EDGE_TUNNEL_PID"
+        # let entrypoint script exit after ziti-edge-tunnel PID
+        kill -0 "$ZITI_EDGE_TUNNEL_PID" && wait "$ZITI_EDGE_TUNNEL_PID"
     }
 }
-trap alldone EXIT
+trap alldone SIGTERM SIGINT EXIT
 
 IDENTITIES_DIR="/ziti-edge-tunnel"
 if ! [[ -d "${IDENTITIES_DIR}" ]]; then
@@ -160,7 +160,6 @@ else
 fi
 
 echo "INFO: running ziti-edge-tunnel"
-set -x
 ziti-edge-tunnel "${TUNNEL_RUN_MODE}" "${TUNNEL_OPTS[@]}" "${@}" &
 ZITI_EDGE_TUNNEL_PID=$!
 wait $ZITI_EDGE_TUNNEL_PID