From 35071b55fc7aac2eda392da453872326c49767d4 Mon Sep 17 00:00:00 2001 From: Jordan Webb Date: Fri, 19 Aug 2022 23:17:22 -0500 Subject: [PATCH 1/8] Redo Dockerfile - Build the currently checked-out code, instead of cloning the repo inside the Dockerfile. This makes it much easier to build a container for a particular branch or commit; people working on personal forks will be able to build containers for their forks without modifying the Dockerfile. - Switch from Alpine to distroless; I couldn't actually get the current version of the Dockerfile to build, it kept dying with some error about gvisor. Aside from building with no trouble, the new Dockerfile reduces the size of the image from 23MB to 9MB. - Move Dockerfile into the root; this is a matter of taste, but allows one to simply `docker build` the directory instead of having to also specify the path to the Dockerfile. As part of this, I removed the `config` and `Makefile` from the `docker` directory, since they seemed specific to someone's setup and incomplete without that context. --- .dockerignore | 6 ++++++ Dockerfile | 15 +++++++++++++++ docker/Dockerfile | 14 -------------- docker/Makefile | 10 ---------- docker/config | 12 ------------ 5 files changed, 21 insertions(+), 36 deletions(-) create mode 100644 .dockerignore create mode 100644 Dockerfile delete mode 100644 docker/Dockerfile delete mode 100644 docker/Makefile delete mode 100644 docker/config
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..fc3c142
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,6 @@
+.dockerignore
+.github
+.gitignore
+Dockerfile
+LICENSE
+README.md
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..0a3313a
--- /dev/null
+++ b/Dockerfile
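Review bot: `.git` is missing from the new `.dockerignore`, so the `COPY . .` in the new Dockerfile sends the whole repository history into the build stage and the source layer is invalidated on every commit even when no tracked file changed. Adding `.git` (and the `wireproxy` binary that a local `go build ./cmd/wireproxy` leaves in the checkout) keeps the build context small and the layer cache stable. Nothing from `.git` reaches the final image, since only the built binary is copied out of the build stage, so this is build hygiene rather than a leak.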
@@ -0,0 +1,15 @@
+# Start by building the application.
+FROM golang:1.18 as build
+
+WORKDIR /usr/src/wireproxy
+COPY . .
+
+RUN CGO_ENABLED=0 go build ./cmd/wireproxy
+
+# Now copy it into our base image.
+FROM gcr.io/distroless/static-debian11:nonroot
+COPY --from=build /usr/src/wireproxy/wireproxy /usr/bin/wireproxy
+
+VOLUME [ "/etc/wireproxy"]
+ENTRYPOINT [ "/usr/bin/wireproxy" ]
+CMD [ "--config", "/etc/wireproxy/config" ]
diff --git a/docker/Dockerfile b/docker/Dockerfile
deleted file mode 100644
index c435176..0000000
--- a/docker/Dockerfile
+++ /dev/null
@@ -1,14 +0,0 @@
-FROM golang:alpine AS go-build
-
-RUN apk --no-cache add --update git
-RUN git clone https://github.com/octeep/wireproxy.git
-RUN cd ./wireproxy && go build ./cmd/wireproxy
-
-
-FROM alpine:latest
-
-RUN apk upgrade
-COPY --from=go-build /go/wireproxy/wireproxy /usr/bin/
-
-VOLUME [ "/etc/wireproxy"]
-ENTRYPOINT [ "/usr/bin/wireproxy", "--config", "/etc/wireproxy/config" ]
diff --git a/docker/Makefile b/docker/Makefile
deleted file mode 100644
index f22f322..0000000
--- a/docker/Makefile
+++ /dev/null
@@ -1,10 +0,0 @@
-build:
- docker build -t wireproxy .
-
-run:
- docker run \
- --rm --tty --interactive \
- --name=wireproxy \
- --publish 2534:2534 \
- --volume "${PWD}/config:/etc/wireproxy/config:ro" \
- wireproxy
\ No newline at end of file
diff --git a/docker/config b/docker/config
deleted file mode 100644
index 0e5362f..0000000
--- a/docker/config
+++ /dev/null
@@ -1,12 +0,0 @@
-[Interface]
-Address = ###Interface - Address###
-PrivateKey = ###Interface - PrivateKey###
-DNS = ###Interface - DNS###
-
-[Peer]
-PublicKey = ###Peer - PublicKey###
-Endpoint = ###Peer - Endpoint###
-
-# Socks5 create a socks5 proxy on your LAN, and any traffic would be routed via wireguard
-[Socks5]
-BindAddress = 0.0.0.0:2534
From 11ed0782577f1c65dd04dcd9f07d64dc119d957d Mon Sep 17 00:00:00 2001
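Review bot: The build stage runs on the target platform, so for every entry in the workflow's multi-platform list other than the runner's own architecture the Go toolchain itself executes under QEMU; Go cross-compiles natively, so `FROM --platform=$BUILDPLATFORM golang:1.18 AS build` with `ARG TARGETOS TARGETARCH` and `GOOS=$TARGETOS GOARCH=$TARGETARCH` on the `go build` line produces the same binaries much faster and without depending on the emulator (safe here because `CGO_ENABLED=0` already rules out cgo). Copying the module files and running `go mod download` before `COPY . .` lets the dependency layer survive source-only changes — this presumes a `go.sum` is checked in, which I cannot confirm from the hunk. `as build` should also be `AS build` to match the casing of the other instructions. The runtime stage is fine as written: the `:nonroot` distroless tag already runs the process unprivileged, so no `USER` line is needed.
```dockerfile
FROM --platform=$BUILDPLATFORM golang:1.18 AS build
ARG TARGETOS TARGETARCH

WORKDIR /usr/src/wireproxy
COPY go.mod go.sum ./
RUN go mod download
COPY . .

RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build ./cmd/wireproxy

# … unchanged: runtime stage …
```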
From: Jordan Webb Date: Sat, 20 Aug 2022 08:38:58 -0500 Subject: [PATCH 2/8] Add workflow to build container --- .github/workflows/container.yml | 58 +++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 .github/workflows/container.yml
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
new file mode 100644
index 0000000..1215292
--- /dev/null
+++ b/.github/workflows/container.yml
@@ -0,0 +1,58 @@
+name: Build container
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+
+ # Allow for manually running
+ workflow_dispatch:
+ inputs:
+ container_tag:
+ description: Tag for container
+ default: "latest"
+ required: true
+
+jobs:
+ container:
+ runs-on: ubuntu-20.04
+ env:
+ CONTAINER_NAME: ghcr.io/${{ github.repository }}
+ BUILD_PLATFORMS: linux/amd64,linux/arm,linux/arm64,linux/ppc64le,linux/s390x
+ RAW_CONTAINER_TAG: ${{ github.event.inputs.container_tag || github.event.pull_request.head.ref || 'latest' }}
+
+ steps:
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v2
+
+ - name: Set up Docker Buildx
+ id: buildx
+ uses: docker/setup-buildx-action@v2.0.0
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - uses: actions/checkout@v3
+ with:
+ submodules: recursive
+
+ # Needed for buildx gha cache to work
+ - name: Expose GitHub Runtime
+ uses: crazy-max/ghaction-github-runtime@v2
+
+ - name: Build container
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ CONTAINER_TAG=$(echo "$RAW_CONTAINER_TAG" | sed 's/[^a-zA-Z0-9]\+/-/')
+
+ docker buildx build \
+ --platform "$BUILD_PLATFORMS" \
+ --tag "$CONTAINER_NAME:$CONTAINER_TAG" \
+ --cache-from type=gha \
+ --cache-to type=gha,mode=max \
+ --pull --push .
From 0affd64fc89fee7fdef71cffbadaabe3ca3fecdc Mon Sep 17 00:00:00 2001
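Review bot: The tag sanitiser `sed 's/[^a-zA-Z0-9]\+/-/'` has no `g` flag, so only the first run of disallowed characters is replaced: a branch such as `fix/foo/bar` becomes `fix-foo/bar`, which is not a valid image tag and makes the build command fail. `sed 's/[^a-zA-Z0-9._-]\+/-/g'` replaces every run and keeps the `.`, `_` and `-` that tags permit (a tag still may not begin with `.` or `-`, so a leading separator would need stripping as well). Separately, `crazy-max/ghaction-github-runtime@v2` is used to expose the runner's internal runtime token to later steps and, like the other actions here, is referenced by a movable tag; pinning these `uses:` references to a commit SHA is the usual supply-chain control for a workflow that publishes images. Routing `RAW_CONTAINER_TAG` through `env:` instead of interpolating `${{ github.event.pull_request.head.ref }}` into `run:` is the right pattern for fork-controlled input and worth keeping.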
From: Jordan Webb Date: Sat, 20 Aug 2022 09:26:17 -0500 Subject: [PATCH 3/8] Add metadata to image --- .github/workflows/container.yml | 9 +++++++++ Dockerfile | 4 ++++ 2 files changed, 13 insertions(+)
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
index 1215292..4bc6c93 100644
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -20,6 +20,7 @@ jobs:
 CONTAINER_NAME: ghcr.io/${{ github.repository }}
 BUILD_PLATFORMS: linux/amd64,linux/arm,linux/arm64,linux/ppc64le,linux/s390x
 RAW_CONTAINER_TAG: ${{ github.event.inputs.container_tag || github.event.pull_request.head.ref || 'latest' }}
+ RAW_REF_NAME: ${{ github.event.pull_request.head.ref || github.ref }}
 steps:
 - name: Set up QEMU
@@ -49,10 +50,18 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 CONTAINER_TAG=$(echo "$RAW_CONTAINER_TAG" | sed 's/[^a-zA-Z0-9]\+/-/')
+ REF_NAME=$(echo "$RAW_REF_NAME" | sed -r 's#^refs/(heads|tags)/##')
 docker buildx build \
 --platform "$BUILD_PLATFORMS" \
 --tag "$CONTAINER_NAME:$CONTAINER_TAG" \
+ --label "org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}" \
+ --label "org.opencontainers.image.documentation=${{ github.server_url }}/${{ github.repository }}" \
+ --label "org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }}/packages" \
+ --label "org.opencontainers.image.ref.name=$REF_NAME" \
+ --label "org.opencontainers.image.revision=${{ github.sha }}" \
+ --label "org.opencontainers.image.vendor=${{ github.repository_owner }}" \
+ --label "org.opencontainers.image.created=$(date -u --rfc-3339=seconds)" \
 --cache-from type=gha \
 --cache-to type=gha,mode=max \
 --pull --push .
diff --git a/Dockerfile b/Dockerfile
index 0a3313a..cfe3f48 100644
--- a/Dockerfile
+++ b/Dockerfile
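Review bot: The new `--label` lines interpolate `${{ github.server_url }}`, `${{ github.repository }}`, `${{ github.sha }}` and `${{ github.repository_owner }}` directly into the `run:` script, while the rest of this step deliberately routes values through `env:` (`RAW_CONTAINER_TAG`, `RAW_REF_NAME`). None of those four contexts is attacker-controlled, so this is a consistency point rather than a bug, but keeping the rule "expressions only in `env:`" uniform means a later copy of a branch name or PR title into a label cannot become a shell-injection path. The `org.opencontainers.image.created` value from `date -u --rfc-3339=seconds` puts a space between date and time; the OCI annotation spec asks for RFC 3339 and most consumers expect the `T` form, so `date -u +%Y-%m-%dT%H:%M:%SZ` is the safer choice. The `RAW_REF_NAME` hunk above raises nothing; the `- name: Build container` line that opens this step lies outside the second hunk.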
@@ -13,3 +13,7 @@ COPY --from=build /usr/src/wireproxy/wireproxy /usr/bin/wireproxy
 VOLUME [ "/etc/wireproxy"]
 ENTRYPOINT [ "/usr/bin/wireproxy" ]
 CMD [ "--config", "/etc/wireproxy/config" ]
+
+LABEL org.opencontainers.image.title wireproxy
+LABEL org.opencontainers.image.description "Wireguard client that exposes itself as a socks5 proxy"
+LABEL org.opencontainers.image.licenses ISC
From 03cc7c81f118200aaf6b04f4ad12ae5e364fa63d Mon Sep 17 00:00:00 2001 From: Jordan Webb Date: Sun, 21 Aug 2022 09:03:58 -0500 Subject: [PATCH 4/8] Try giving the workflow packages: write --- .github/workflows/container.yml | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
index 4bc6c93..7d731cf 100644
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -16,6 +16,10 @@ on:
 jobs:
 container:
 runs-on: ubuntu-20.04
+
+ permissions:
+ packages: write
+
 env:
 CONTAINER_NAME: ghcr.io/${{ github.repository }}
 BUILD_PLATFORMS: linux/amd64,linux/arm,linux/arm64,linux/ppc64le,linux/s390x
From ca546486175d32a06c8601360893f5d049bbf2c4 Mon Sep 17 00:00:00 2001 From: Jordan Webb Date: Sun, 21 Aug 2022 09:18:14 -0500 Subject: [PATCH 5/8] Try moving permissions key to top-level --- .github/workflows/container.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
index 7d731cf..4e3dd36 100644
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -13,13 +13,13 @@ on:
 default: "latest"
 required: true
+permissions:
+ packages: write
+
 jobs:
 container:
 runs-on: ubuntu-20.04
- permissions:
- packages: write
-
 env:
 CONTAINER_NAME: ghcr.io/${{ github.repository }}
 BUILD_PLATFORMS: linux/amd64,linux/arm,linux/arm64,linux/ppc64le,linux/s390x
From 59e69fbd632b04b99d0a6e9f5ff467640661c128 Mon Sep 17 00:00:00 2001
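Review bot: The three `LABEL` lines use the legacy space-separated `key value` form, which BuildKit's build checks flag as LegacyKeyValueFormat and whose value is the remainder of the line taken verbatim — so the description label very likely ends up with its surrounding double quotes as part of the stored value (worth confirming with `docker inspect`). The `=` form fixes both and the three labels can be a single instruction: `LABEL org.opencontainers.image.title="wireproxy" \` / `      org.opencontainers.image.description="Wireguard client that exposes itself as a socks5 proxy" \` / `      org.opencontainers.image.licenses="ISC"`. Placing that block above the `VOLUME`/`ENTRYPOINT`/`CMD` lines would also keep the runtime-config tail of the file uncluttered, though that is cosmetic.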
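Review bot: Declaring `permissions:` with only `packages: write` (job-level in PATCH 4, top-level in PATCH 5) sets every other scope of `GITHUB_TOKEN` to `none`, including `contents`, so the `actions/checkout@v3` step and its `submodules: recursive` clone no longer hold an explicit read grant; whether they still succeed then depends on the repository being public. Adding `contents: read` beside `packages: write` makes the grant explicit and survives the repository or a fork going private. For `pull_request` runs from forks the token is read-only regardless of this block — the case PATCH 8 later handles on the push side — and the login step still executes on those events, where an `if: github.event_name != 'pull_request'` would avoid an authentication attempt that cannot be used.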
From: Jordan Webb Date: Sun, 21 Aug 2022 23:04:34 -0500 Subject: [PATCH 6/8] Try publishing to Docker Hub instead --- .github/workflows/container.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
index 4e3dd36..7302e7a 100644
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -21,7 +21,7 @@ jobs:
 runs-on: ubuntu-20.04
 env:
- CONTAINER_NAME: ghcr.io/${{ github.repository }}
+ CONTAINER_NAME: docker.io/${{ secrets.DOCKER_HUB_USERNAME }}/wireproxy
 BUILD_PLATFORMS: linux/amd64,linux/arm,linux/arm64,linux/ppc64le,linux/s390x
 RAW_CONTAINER_TAG: ${{ github.event.inputs.container_tag || github.event.pull_request.head.ref || 'latest' }}
 RAW_REF_NAME: ${{ github.event.pull_request.head.ref || github.ref }}
@@ -34,12 +34,12 @@ jobs:
 id: buildx
 uses: docker/setup-buildx-action@v2.0.0
- - name: Login to GitHub Container Registry
+ - name: Login to Docker Hub
 uses: docker/login-action@v2
 with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
+ registry: docker.io
+ username: ${{ secrets.DOCKER_HUB_USERNAME }}
+ password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
 - uses: actions/checkout@v3
 with:
From 3114c9f8c77aca320312425dfc8caa5c172c3bce Mon Sep 17 00:00:00 2001 From: octeep Date: Tue, 23 Aug 2022 19:37:37 +0800 Subject: [PATCH 7/8] Revert "Try publishing to Docker Hub instead" This reverts commit b2546b3219ea4735c99f14151f04dbdab060aa5f. --- .github/workflows/container.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
index 7302e7a..4e3dd36 100644
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -21,7 +21,7 @@ jobs:
 runs-on: ubuntu-20.04
 env:
- CONTAINER_NAME: docker.io/${{ secrets.DOCKER_HUB_USERNAME }}/wireproxy
+ CONTAINER_NAME: ghcr.io/${{ github.repository }}
 BUILD_PLATFORMS: linux/amd64,linux/arm,linux/arm64,linux/ppc64le,linux/s390x
 RAW_CONTAINER_TAG: ${{ github.event.inputs.container_tag || github.event.pull_request.head.ref || 'latest' }}
 RAW_REF_NAME: ${{ github.event.pull_request.head.ref || github.ref }}
@@ -34,12 +34,12 @@ jobs:
 id: buildx
 uses: docker/setup-buildx-action@v2.0.0
- - name: Login to Docker Hub
+ - name: Login to GitHub Container Registry
 uses: docker/login-action@v2
 with:
- registry: docker.io
- username: ${{ secrets.DOCKER_HUB_USERNAME }}
- password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
 - uses: actions/checkout@v3
 with:
From c230b33f47bc4be43ca7f994792cdb4444f7c208 Mon Sep 17 00:00:00 2001 From: octeep Date: Tue, 23 Aug 2022 19:40:09 +0800 Subject: [PATCH 8/8] Do not push to registry on PRs --- .github/workflows/container.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
index 4e3dd36..3600a36 100644
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -68,4 +68,4 @@ jobs:
 --label "org.opencontainers.image.created=$(date -u --rfc-3339=seconds)" \
 --cache-from type=gha \
 --cache-to type=gha,mode=max \
- --pull --push .
+ --pull ${{ github.event_name == 'push' && '--push' || '' }} .
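Review bot: Gating `--push` on `github.event_name == 'push'` also disables publishing for `workflow_dispatch` runs, yet the only purpose of the `container_tag` input is to pick the tag for a manual publish — after this change a manual run builds the image and discards it. `${{ (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && '--push' || '' }}` keeps pull-request runs build-only while restoring manual pushes. The expression is resolved before the shell sees the script and none of its operands is user-controlled, so the inline `${{ }}` is safe here; a job-level `env:` value such as `PUSH_FLAG` would match the style the rest of the step uses for expressions. The enclosing `run:` block starts outside the hunk.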