fix: convert from long RUN statements to a setup.sh script #173
JohnVillalovos wants to merge 2 commits into master
Branch force-pushed from 1f0e1e5 to fb24c4c
Pull request overview
Removes the Dockerfile-level SHELL override (to avoid relying on a non-OCI instruction) and instead makes the heredoc RUN blocks explicitly run under bash, preserving pipefail behavior within those scripts.
Changes:
- Removed `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` from the Dockerfile.
- Updated heredoc `RUN` blocks to invoke `bash` directly and set `-o pipefail` via `set -xeuo pipefail`.
Branch force-pushed from db2577b to b921d1b
Convert the multiple `RUN` statements into a `setup.sh` bash script. Add a CI job to check the shell scripts.
Branch force-pushed from b8e890a to d350b05
Title changed from "SHELL and specify bash in RUN" to "RUN statements to a setup.sh script"
Pull request overview
Copilot reviewed 3 out of 5 changed files in this pull request and generated 2 comments.
Branch force-pushed from d350b05 to ccbaac8
Since most (but not all) were using 2-space indents, I did that, and added a header to the files so that editors would know.
Pull request overview
Copilot reviewed 3 out of 5 changed files in this pull request and generated 2 comments.
setup.sh (outdated)
```bash
LB_SHORT_SHA=$(echo "${TARBALL_FILENAME}" | sed -E 's/.*-g([0-9a-f]+)\.tar\.gz/\1/')
if [ -n "${LB_SHORT_SHA}" ]; then
printf '%s\n' "${LB_SHORT_SHA}" >/var/www/html/config/version-suffix.txt
else
echo "ERROR determining the LB_SHORT_SHA value from TARBALL_FILENAME ${TARBALL_FILENAME}" >&2
exit 1
```
LB_SHORT_SHA extraction uses sed -E 's/.*-g([0-9a-f]+)\.tar\.gz/\1/' without -n/p, so if the filename format ever differs (no match), sed returns the entire original filename. Since the code only checks -n, it would then write a non-SHA string to version-suffix.txt. Make the extraction fail closed (only output on match) and treat non-matches as an error.
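As an added example (not code from the PR or from LibreBooking), here is the fail-closed variant of that extraction that the comment asks for, with the lenient pattern under review kept beside it so the difference is visible on a name without a `-g<sha>` suffix. The `librebooking-` prefix and the sample tarball names are constructed for the example; the `-g<hex>.tar.gz` convention is taken from the sed pattern above.

```bash
#!/bin/bash
# Added example, not code from the PR or from LibreBooking: fail-closed
# extraction of the short git SHA that a release tarball name carries as a
# "-g<hex>" suffix (for example librebooking-2.8.6-12-gabc1234.tar.gz). The
# "librebooking-" prefix and the sample names below are constructed for the
# example; the suffix convention is taken from the sed pattern under review.
set -eu

# The pattern under review: without -n/p, sed prints the input unchanged when
# the pattern does not match, so a non-SHA name passes a plain "-n" check.
extract_short_sha_lenient() {
    printf '%s\n' "$1" | sed -E 's/.*-g([0-9a-f]+)\.tar\.gz/\1/'
}

# Fail-closed variant: -n silences default output and the trailing /p prints
# only on a successful substitution, so a non-matching name yields nothing and
# the function returns 1. The $ anchor rejects trailing garbage after .tar.gz.
extract_short_sha() {
    local sha
    sha=$(printf '%s\n' "$1" | sed -nE 's/.*-g([0-9a-f]+)\.tar\.gz$/\1/p')
    [ -n "$sha" ] || return 1
    printf '%s\n' "$sha"
}

# Write the suffix file only when a SHA was found; otherwise report the
# offending filename on stderr and return non-zero so the build stops.
write_version_suffix() {
    local tarball="$1" out="$2" sha
    if ! sha=$(extract_short_sha "$tarball"); then
        echo "ERROR determining the short SHA from TARBALL_FILENAME ${tarball}" >&2
        return 1
    fi
    printf '%s\n' "$sha" >"$out"
}

# Stand-alone demo: a name with a suffix succeeds, one without is rejected.
extract_short_sha "librebooking-2.8.6-12-gabc1234.tar.gz"          # abc1234
extract_short_sha "librebooking-2.8.6.tar.gz" || echo "rejected: no -g<sha> suffix" >&2
```

In the image build the call would be `write_version_suffix "${TARBALL_FILENAME}" /var/www/html/config/version-suffix.txt`, so under `set -e` a release tarball named without the suffix stops the build instead of silently shipping the whole filename as a version.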
```bash
cat >/etc/apache2/conf-available/remoteip.conf <<EOF
RemoteIPHeader X-Real-IP
RemoteIPInternalProxy 10.0.0.0/8
RemoteIPInternalProxy 172.16.0.0/12
RemoteIPInternalProxy 192.168.0.0/16
EOF
a2enconf remoteip
a2enmod rewrite
a2enmod headers
a2enmod remoteip
```
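Review bot: the trusted-proxy list in this hunk is only half of what makes `RemoteIPHeader X-Real-IP` safe. Once the connecting peer falls inside a `RemoteIPInternalProxy` range, mod_remoteip substitutes the header value for the client address as-is, so whichever proxy ends up listed must overwrite X-Real-IP with its own peer address rather than forward a header the client sent; if it merely passes the header through, narrowing 10.0.0.0/8 to a single proxy IP still leaves every client able to forge its address. Suggest recording that requirement next to the heredoc (a `# the proxy must set X-Real-IP itself, not forward it` line) in addition to narrowing the three ranges to the actual proxy addresses.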
The remoteip.conf configuration trusts entire private IP ranges via RemoteIPInternalProxy (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), so any client on those networks is treated as a trusted proxy and can control the X-Real-IP header. An attacker on an internal or VPN network could forge X-Real-IP to spoof their client IP, potentially bypassing IP-based access controls or skewing logs and security analytics that rely on REMOTE_ADDR. Restrict RemoteIPInternalProxy to the specific reverse proxy IPs or subnets actually in front of Apache, rather than broad RFC1918 ranges.
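One way to act on that comment in a build script, as an added example that is not code from the PR or from LibreBooking: render remoteip.conf from an explicit proxy list and refuse to emit anything when the list is empty or contains a broad range. The `TRUSTED_PROXIES` build-argument name and the rule that nothing wider than a /24 counts as a single proxy are assumptions for the example; the sample addresses are constructed.

```bash
#!/bin/bash
# Added example, not code from the PR or from LibreBooking: render the Apache
# remoteip configuration from an explicit list of reverse-proxy addresses instead
# of hardcoding the RFC1918 ranges. Assumptions for the example: proxies arrive
# as space-separated IPv4 hosts or CIDRs (for instance in a TRUSTED_PROXIES build
# argument), and nothing wider than a /24 is accepted as a single trusted proxy.
set -eu

# Accept a single IPv4 address or a CIDR no wider than /24; otherwise explain on
# stderr and return 1 so the caller refuses to emit a config at all.
valid_proxy_spec() {
    local spec="$1" addr prefix o n=0
    addr=${spec%%/*}
    prefix=${spec#*/}
    [ "$prefix" != "$spec" ] || prefix=32   # bare host: treat as /32
    case "$addr" in
        ''|*[!0-9.]*|*..*|.*|*.) echo "rejected $spec: not a dotted-quad IPv4 address" >&2; return 1 ;;
    esac
    local IFS=.
    for o in $addr; do
        n=$((n + 1))
        [ "$o" -le 255 ] || { echo "rejected $spec: octet $o out of range" >&2; return 1; }
    done
    [ "$n" -eq 4 ] || { echo "rejected $spec: expected four octets" >&2; return 1; }
    case "$prefix" in
        ''|*[!0-9]*) echo "rejected $spec: bad prefix length" >&2; return 1 ;;
    esac
    if [ "$prefix" -lt 24 ] || [ "$prefix" -gt 32 ]; then
        echo "rejected $spec: /$prefix is broader than a single proxy subnet" >&2
        return 1
    fi
}

# Print the remoteip configuration to stdout, or nothing (and return 1) when the
# list is empty or contains an unacceptable entry. All entries are validated
# before the first line is written, so a bad list never produces a partial file.
render_remoteip_conf() {
    local spec
    [ $# -gt 0 ] || { echo "no trusted proxies given; refusing to render remoteip.conf" >&2; return 1; }
    for spec in "$@"; do
        valid_proxy_spec "$spec" || return 1
    done
    echo "RemoteIPHeader X-Real-IP"
    for spec in "$@"; do
        echo "RemoteIPInternalProxy $spec"
    done
}

# Usage in the image build (the build-argument name is an assumption):
#   render_remoteip_conf ${TRUSTED_PROXIES:-} >/etc/apache2/conf-available/remoteip.conf
# Stand-alone demo: two explicit proxies are rendered, a /8 is refused.
render_remoteip_conf 10.20.0.5 10.20.0.6
render_remoteip_conf 10.0.0.0/8 || echo "(refused as expected)" >&2
```

With `set -e` in the setup script, an empty or over-broad list fails the build instead of quietly trusting an entire RFC1918 range; the three ranges from the hunk above are exactly the inputs the validator rejects.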
ikke-t left a comment:
I assume apart from the linter, the while loop and the Dockerfile all are just whitespace changes?
I didn't test these, but read them through. Nothing apart from removing setup.sh from the container catches my eye.
Branch force-pushed from 673cd5f to eb82df2
I have updated the PR and made
Yes. That is correct.
Done
Branch force-pushed from eb82df2 to 33977eb
Also run `shfmt -i 4 -ci -w bin/*sh`
Branch force-pushed from 33977eb to 1324de3
Pull request overview
Copilot reviewed 3 out of 5 changed files in this pull request and generated 3 comments.
```bash
if ! [ -d /var/www/html/tpl_c ]; then
mkdir /var/www/html/tpl_c
fi
mkdir /var/www/html/Web/uploads/reservation
```
mkdir /var/www/html/Web/uploads/reservation will fail the build if that directory already exists (or if the parent path is missing). Make this idempotent (e.g., use -p) so newer LibreBooking releases that already include the directory won’t break the image build.
Suggested change:
```diff
-mkdir /var/www/html/Web/uploads/reservation
+mkdir -p /var/www/html/Web/uploads/reservation
```
```bash
export APP_GH_ADD_SHA="${APP_GH_ADD_SHA}"
chmod +x /usr/local/bin/setup.sh
/usr/local/bin/setup.sh
rm /usr/local/bin/setup.sh
```
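Review bot: `chmod +x /usr/local/bin/setup.sh` and `rm /usr/local/bin/setup.sh` both touch a file that an earlier COPY already placed in its own layer, so this RUN records a modified copy and then a whiteout while the original bytes stay in the image regardless. To actually keep the script out of the final image, run it from a build-time bind mount instead of copying it, for example `RUN --mount=type=bind,source=bin/setup.sh,target=/tmp/setup.sh bash /tmp/setup.sh` (BuildKit and buildah both support this, and `bin/` matches the `shfmt ... bin/*sh` invocation in this PR), which also removes the need for the chmod; failing that, commit the file with the executable bit set or use `COPY --chmod=755`, and drop the rm since it buys nothing.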
It is useless to rm /usr/local/bin/setup.sh, for setup.sh is present in the previous image layer (added by the previous COPY statement)
```bash
#!/bin/bash
# vim: set expandtab ts=2 sw=2 ai :
# (lines omitted in the review excerpt)
set -e
```
Any particular reason why you don't combine the various set statements in 1 line?
```bash
apt-get upgrade --yes
apt-get install --yes --no-install-recommends \
cron \
git \
```
We could get rid of git, unless we prefer to keep it and use it to retrieve the sources of librebooking/librebooking and determine the last SHA
```bash
-i /etc/apache2/sites-available/000-default.conf \
-e 's/<VirtualHost *:80>/<VirtualHost *:8080>/'
# (lines omitted in the review excerpt)
set -xeuo pipefail
```
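Review bot: the substitution `s/<VirtualHost *:80>/<VirtualHost *:8080>/` can never match the stock `<VirtualHost *:80>` line. On the pattern side the star is a quantifier, so ` *` means "zero or more spaces" and the expression requires `<VirtualHost` to be followed only by spaces and then `:80>`; the literal asterisk in the file defeats it (the same holds under `-E`). `sed -i` exits 0 when nothing matched, so `set -e` never notices and Apache keeps listening on port 80. Escape it on the left only, the replacement side is fine as written: `-e 's/<VirtualHost \*:80>/<VirtualHost *:8080>/'`, and follow it with `grep -q '<VirtualHost \*:8080>' /etc/apache2/sites-available/000-default.conf` so the build fails if the rewrite does not take.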
Why do we repeat set -xeuo pipefail here?
Aside from your comments above, I tested a build with podman and ran a
Convert the multiple `RUN` statements into a `setup.sh` bash script.
`shfmt -i 2 -ci -w bin/*sh`