# -------------- Build-time variables --------------
# Global ARGs: usable in every FROM below. A stage that needs one of them in a
# RUN/COPY/ENV re-declares it (`ARG NAME`, no value) to pull in the default.
# NOTE(review): `RUN --network=none` further down is a BuildKit-only flag; a
# `# syntax=docker/dockerfile:1` directive as the very first line of the file
# would pin the frontend and make that requirement explicit — confirm line 1 is free.
#
# Base images (all on the same Alpine release so the Ruby and Node layers share one libc).
ARG ALPINE_VERSION=3.23
ARG RUBY_VERSION=3.4
ARG NODE_VERSION=24
# Mastodon source pin: tag v${MASTODON_VERSION} must resolve to MASTODON_COMMIT, and the
# commit signature must come from the key with MASTODON_GPG_FINGERPRINT (checked in the
# mastodon-source stage).
ARG MASTODON_VERSION=4.5.9
ARG MASTODON_REPOSITORY=mastodon/mastodon
ARG MASTODON_COMMIT=ff7266cf38935cea896db714d94c4ca3803d7744
ARG MASTODON_GPG_FINGERPRINT=968479A1AFF927E37D1A566BB5690EEEBB952194
# hardened_malloc source pin: the tag must resolve to this commit and carry a signature
# listed in signing/hardened_malloc.allowed_signers (checked in the build-malloc stage).
ARG HARDENED_MALLOC_TAG=2026030100
ARG HARDENED_MALLOC_COMMIT=3bee8d3e0e4fd82b684521891373f40ab4982a5a
# Numeric identity of the unprivileged runtime account created in the final stage.
ARG UID=991
ARG GID=991
# ---------------------------------------------------
### Build Mastodon stack base (Ruby + Node)
# Take the Node toolchain from the official node image and overlay it onto the official
# ruby image of the same Alpine release; the result is the base for every later stage.
FROM node:${NODE_VERSION}-alpine${ALPINE_VERSION} AS node
FROM ruby:${RUBY_VERSION}-alpine${ALPINE_VERSION} AS node-ruby
# COPY merges into the existing tree: nothing of ruby's /usr/local is removed, node's
# files are added next to it (node/npm/corepack are presumably under /usr/local/bin and
# /usr/local/lib/node_modules — verify against the node image if its layout changes).
COPY --from=node /usr/local /usr/local
COPY --from=node /opt /opt
### Shared runtime base
FROM node-ruby AS runtime-base
# Runtime defaults. RUN_DB_MIGRATIONS and SIDEKIQ_WORKERS are presumably consumed by
# /usr/local/bin/run and the s6 service scripts (not visible here — confirm).
# /mastodon/bin is appended to PATH so the app's wrapper scripts can be called directly.
ENV RUN_DB_MIGRATIONS=true \
    SIDEKIQ_WORKERS=5 \
    BIND=0.0.0.0 \
    RAILS_SERVE_STATIC_FILES=true \
    RAILS_ENV=production \
    NODE_ENV=production \
    PATH="${PATH}:/mastodon/bin"
WORKDIR /mastodon
# Runtime libraries only (no -dev packages; those live in build-app). `-U upgrade`
# refreshes the index and applies the current fixes for the pinned Alpine minor, so a
# rebuild picks up new ones. The apk cache is dropped in the same layer so it never
# lands in the image. Package list kept sorted for diffability.
RUN apk -U upgrade \
 && apk add \
      ca-certificates \
      ffmpeg \
      file \
      gcompat \
      icu-libs \
      imagemagick \
      libidn \
      libpq \
      libstdc++ \
      libxml2 \
      libxslt \
      openssl \
      readline \
      s6 \
      tzdata \
      vips \
      yaml \
 && rm -rf /var/cache/apk/*
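### Build hardened_malloc
# Throwaway stage: only the built shared object is copied out by the final stage. The
# global ALPINE_VERSION ARG is visible to this FROM without re-declaration.
FROM alpine:${ALPINE_VERSION} AS build-malloc
ARG HARDENED_MALLOC_TAG
ARG HARDENED_MALLOC_COMMIT
# Passed straight to hardened_malloc's make. The final stage's COPY/LD_PRELOAD must point
# at the matching out-<variant>/libhardened_malloc-<variant>.so path. CONFIG_NATIVE=false
# presumably avoids a -march=native build so the library is portable — confirm.
ARG CONFIG_NATIVE=false
ARG VARIANT=light
# SSH allowed-signers list consulted by `git verify-tag` below (openssh-keygen provides
# the ssh-keygen binary git uses for SSH signature checks).
COPY signing/hardened_malloc.allowed_signers /tmp/allowed_signers
# All git/make steps run here instead of `cd`-ing inside each RUN.
WORKDIR /tmp/hardened_malloc
# Fetch exactly one tag (depth 1) from upstream. Nothing is trusted yet in this layer.
RUN apk -U upgrade \
 && apk add build-base git openssh-keygen \
 && git config --global gpg.ssh.allowedSignersFile /tmp/allowed_signers \
 && git init -q . \
 && git remote add origin https://github.com/GrapheneOS/hardened_malloc \
 && git fetch --depth 1 origin refs/tags/${HARDENED_MALLOC_TAG}:refs/tags/${HARDENED_MALLOC_TAG} \
 && git checkout --detach ${HARDENED_MALLOC_TAG} \
 && rm -rf /var/cache/apk/*
# Offline: the checkout must be the pinned commit AND the tag must carry a signature from
# an allowed signer before anything is compiled. A tag that was moved upstream fails here.
RUN --network=none test "$(git rev-parse HEAD)" = "${HARDENED_MALLOC_COMMIT}" \
 && git verify-tag ${HARDENED_MALLOC_TAG} \
 && make CONFIG_NATIVE=${CONFIG_NATIVE} VARIANT=${VARIANT}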
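### Fetch and verify Mastodon source
# Throwaway stage: /tmp/mastodon (verified, patched, .git removed) is copied into
# build-app. The global ALPINE_VERSION ARG is visible to this FROM without re-declaration.
FROM alpine:${ALPINE_VERSION} AS mastodon-source
ARG MASTODON_VERSION
ARG MASTODON_REPOSITORY
ARG MASTODON_COMMIT
ARG MASTODON_GPG_FINGERPRINT
# Local patch applied on top of the verified tag, and the public key expected to have
# signed the release commit (GitHub's web-flow key, going by the file name).
COPY patches/mastodon-vite-blurhash.patch /tmp/mastodon-vite-blurhash.patch
COPY signing/github-web-flow.gpg /tmp/web-flow.gpg
# All git/gpg/patch steps run here instead of `cd`-ing inside each RUN.
WORKDIR /tmp/mastodon
# Fetch exactly the release tag (depth 1). Nothing is trusted yet in this layer.
RUN apk -U upgrade \
 && apk add git gnupg patch \
 && git init -q . \
 && git remote add origin https://github.com/${MASTODON_REPOSITORY}.git \
 && git fetch --depth 1 origin refs/tags/v${MASTODON_VERSION}:refs/tags/v${MASTODON_VERSION} \
 && git checkout --detach v${MASTODON_VERSION} \
 && rm -rf /var/cache/apk/*
# Offline verification in a throwaway keyring:
#  1. the key file's fingerprint must equal MASTODON_GPG_FINGERPRINT before it is imported
#     (`show-only` lists without importing; "fpr" records carry the fingerprint in field 10;
#     the pipeline needs no pipefail because `grep -q` on the last stage fails on empty output);
#  2. HEAD must be the pinned commit;
#  3. the commit signature must verify — git accepts any valid signature by default, but
#     the keyring holds only the one key checked in step 1, so the signer is pinned to it.
# Only then is the local patch applied; .git, the keyring and the inputs are removed so
# they do not travel into later stages.
RUN --network=none GNUPGHOME="$(mktemp -d)" \
 && export GNUPGHOME \
 && gpg --batch --with-colons --import-options show-only --import /tmp/web-flow.gpg \
    | awk -F: '$1 == "fpr" { print $10 }' \
    | grep -Fqx "${MASTODON_GPG_FINGERPRINT}" \
 && gpg --batch --import /tmp/web-flow.gpg \
 && test "$(git rev-parse HEAD)" = "${MASTODON_COMMIT}" \
 && git verify-commit HEAD \
 && patch -p1 < /tmp/mastodon-vite-blurhash.patch \
 && rm -rf .git "$GNUPGHOME" /tmp/web-flow.gpg /tmp/mastodon-vite-blurhash.patch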
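### Build Mastodon application and assets
# Build-only stage derived from runtime-base so gems compile against the same libraries
# they run with; the final stage copies /usr/local/bundle and /mastodon out of it and the
# compilers and -dev headers stay behind. WORKDIR /mastodon is inherited from runtime-base,
# so no `cd` is needed in either RUN.
FROM runtime-base AS build-app
COPY --from=mastodon-source /tmp/mastodon /mastodon
# Ruby and JS dependencies. `deployment` and `--immutable` make both installs fail if the
# lockfiles would have to change. The base image's yarn binaries are removed first so
# `corepack enable` can provide the project's own yarn (presumably pinned by package.json's
# packageManager field — confirm).
RUN apk -U upgrade \
 && apk add \
      build-base \
      git \
      icu-dev \
      libidn-dev \
      libtool \
      libxml2-dev \
      libxslt-dev \
      pkgconf \
      postgresql-dev \
      python3 \
      yaml-dev \
 && bundle config build.nokogiri --use-system-libraries \
 && bundle config set --local clean 'true' \
 && bundle config set --local deployment 'true' \
 && bundle config set --local without 'test development' \
 && bundle config set no-cache 'true' \
 && bundle install -j$(getconf _NPROCESSORS_ONLN) \
 && rm -f /usr/local/bin/yarn /usr/local/bin/yarnpkg \
 && corepack enable \
 && yarn install --immutable \
 && rm -rf /var/cache/apk/*
# Offline asset build. OTP_SECRET / SECRET_KEY_BASE_DUMMY are placeholders scoped to this
# one command (not ENV), so no dummy secret persists in any layer's environment; they are
# presumably only needed for Rails to boot during precompilation. The package-manager
# caches are cleared so they are not part of this stage's size.
RUN --network=none OTP_SECRET=precompile_placeholder \
    SECRET_KEY_BASE_DUMMY=1 \
    bundle exec rails assets:precompile \
 && npm -g --force cache clean \
 && yarn cache clean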
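### Final image
FROM runtime-base AS mastodon
ARG UID
ARG GID
# Must match the VARIANT the build-malloc stage was built with: hardened_malloc names its
# output out-<variant>/libhardened_malloc-<variant>.so, so the COPY and LD_PRELOAD below
# derive from it instead of hard-coding "light". (The unsuffixed "default" variant would
# need out/libhardened_malloc.so instead and is not covered by this template.)
ARG VARIANT=light
# Unprivileged service account with a fixed numeric UID/GID and no home directory.
RUN --network=none addgroup -S -g ${GID} mastodon \
 && adduser -S -D -H -u ${UID} -G mastodon mastodon
# Only artifacts cross stage boundaries: the allocator, the installed gems, the built app
# tree (dependencies and precompiled assets), the entrypoint and the s6 service tree.
COPY --from=build-malloc /tmp/hardened_malloc/out-${VARIANT}/libhardened_malloc-${VARIANT}.so /usr/local/lib/
COPY --from=build-app /usr/local/bundle /usr/local/bundle
COPY --from=build-app /mastodon /mastodon
COPY rootfs/usr/local/bin/run /usr/local/bin/run
COPY rootfs/etc/s6.d /etc/s6.d
# Preload the hardened allocator into every process started in the container.
ENV LD_PRELOAD="/usr/local/lib/libhardened_malloc-${VARIANT}.so"
# Keep application and init code root-owned; only runtime data stays writable.
RUN --network=none mkdir -p /mastodon/public/system /mastodon/log /mastodon/tmp \
 && chown -R ${UID}:${GID} /mastodon/public/system /mastodon/log /mastodon/tmp \
 && chmod 755 /usr/local/bin /usr/local/bin/run \
 && chmod -R 755 /etc/s6.d
USER mastodon
# Declared after the directories are created and chown'ed, so their ownership is kept.
VOLUME /mastodon/public/system /mastodon/log
# Documentation only (nothing is published): presumably web on 3000 and streaming on
# 4000 — confirm against the s6.d service definitions.
EXPOSE 3000 4000
# NOTE(review): no HEALTHCHECK is defined; if one is added, its start-period must allow
# for RUN_DB_MIGRATIONS=true running migrations before the service is up.
LABEL maintainer="Wonderfall <wonderfall@protonmail.com>" \
      description="Your self-hosted, globally interconnected microblogging community"
# The entrypoint wrapper is not visible here; it should `exec` its arguments so that
# s6-svscan ends up as PID 1 and receives docker stop's signal — confirm in rootfs.
ENTRYPOINT ["/usr/local/bin/run"]
CMD ["s6-svscan", "/etc/s6.d"]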