From f664971acfac9acd739df4a65730703dad893822 Mon Sep 17 00:00:00 2001
From: James Hodgkinson
Date: Tue, 5 Jul 2022 11:39:38 +1000
Subject: [PATCH] Building kanidm cli in docker, disabling ARM kanidmd (#879)

* adding kanidm image and config
* removing npm deps from build and dockerfiles
* moving to a non-root user in the dockerfile
---
 .github/dependabot.yml | 8 ++
 .github/workflows/docker_build_kanidm.yml | 49 ++++++++++++
 .github/workflows/docker_build_kanidmd.yml | 12 +--
 DEVELOPER_README.md | 7 +-
 kanidm_tools/Dockerfile | 86 ++++++++++++++++++++++
 kanidmd/Dockerfile | 7 +-
 6 files changed, 159 insertions(+), 10 deletions(-)
 create mode 100644 .github/workflows/docker_build_kanidm.yml
 create mode 100644 kanidm_tools/Dockerfile
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 083feca26..0503e242c 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -112,3 +112,11 @@ updates:
 time: "06:00"
 timezone: Australia/Brisbane
 open-pull-requests-limit: 99
+ # Maintain dependencies for GitHub Actions
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: weekly
+ time: "06:00"
+ timezone: Australia/Brisbane
+ open-pull-requests-limit: 99
\ No newline at end of file
diff --git a/.github/workflows/docker_build_kanidm.yml b/.github/workflows/docker_build_kanidm.yml
new file mode 100644
index 000000000..8de240db9
--- /dev/null
+++ b/.github/workflows/docker_build_kanidm.yml
@@ -0,0 +1,49 @@
+---
+name: Container - Kanidm
+
+# this will build regardless,
+# but only push to the container registry
+# when you're committing on the master branch.
+
+"on":
+ pull_request:
+ push:
+ branches:
+ - master
+
+jobs:
+ kanidm_build:
+ runs-on: ubuntu-latest
+ continue-on-error: true # yolo
+ strategy:
+ fail-fast: false
+ matrix:
+ target:
+ - linux/arm64
+ - linux/amd64
+ if: github.event_name == 'push'
+ steps:
+ - uses: actions/checkout@v3
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v2
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+ - # https://github.com/docker/login-action/#github-container-registry
+ name: Login to GitHub Container Registry
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Build and push kanidmd
+ id: docker_build_kanidm
+ uses: docker/build-push-action@v2
+ with:
+ push: ${{ github.ref == 'refs/heads/master' }}
+ platforms: ${{matrix.target}}
+ # https://github.com/docker/build-push-action/issues/254
+ tags: ghcr.io/kanidm/kanidm:devel
+ build-args: |
+ "KANIDM_FEATURES="
+ "KANIDM_BUILD_OPTIONS=-j1"
+ file: kanidm_tools/Dockerfile
diff --git a/.github/workflows/docker_build_kanidmd.yml b/.github/workflows/docker_build_kanidmd.yml
index 0f6592a73..232834dbe 100644
--- a/.github/workflows/docker_build_kanidmd.yml
+++ b/.github/workflows/docker_build_kanidmd.yml
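Review bot: The job-level `if: github.event_name == 'push'` contradicts the header comment that the workflow "will build regardless": with this condition the job is skipped entirely on `pull_request`, so PRs never exercise kanidm_tools/Dockerfile and `push: ${{ github.ref == 'refs/heads/master' }}` was already the only gate needed. Either drop the `if` or change the comment to say that pull requests are not built. `continue-on-error: true # yolo` additionally reports the job green when the image fails to build, which hides exactly the breakage this workflow exists to catch; the same line is added to .github/workflows/docker_build_kanidmd.yml in this patch. The step name `Build and push kanidmd` looks copy-pasted from the kanidmd workflow and should read `Build and push kanidm`. Both matrix legs push the same tag `ghcr.io/kanidm/kanidm:devel`, so whichever platform finishes last appears to overwrite the other's manifest (the linked build-push-action issue #254 is about this); one job with `platforms: linux/amd64,linux/arm64` would produce a single multi-arch manifest instead.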
@@ -12,23 +12,25 @@ name: Container - Kanidmd
 - master
 jobs:
- kanidm_build:
+ kanidmd_build:
 runs-on: ubuntu-latest
+ continue-on-error: true # yolo
 strategy:
+ fail-fast: false
 matrix:
 target:
- - linux/arm64
+ # - linux/arm64
 - linux/amd64
 if: github.event_name == 'push'
 steps:
 - uses: actions/checkout@v3
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v1
+ uses: docker/setup-qemu-action@v2
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v1
+ uses: docker/setup-buildx-action@v2
 - # https://github.com/docker/login-action/#github-container-registry
 name: Login to GitHub Container Registry
- uses: docker/login-action@v1
+ uses: docker/login-action@v2
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
diff --git a/DEVELOPER_README.md b/DEVELOPER_README.md
index 3fa7258f3..18064f1be 100644
--- a/DEVELOPER_README.md
+++ b/DEVELOPER_README.md
@@ -33,7 +33,7 @@ using the Tumbleweed release, it's packaged in `zypper`.
 You will also need some system libraries to build this:
- libudev-devel sqlite3-devel libopenssl-devel npm-default
+ libudev-devel sqlite3-devel libopenssl-devel
 #### Fedora
@@ -177,12 +177,13 @@ The Web UI uses Rust WebAssembly rather than Javascript. To build this you need
 to set up the environment:
 cargo install wasm-pack
- npm install --global rollup
 Then you are able to build the UI:
 cd kanidmd_web_ui/
- ./build_wasm.sh
+ ./build_wasm_dev.sh
+
+To build for release, run `build_wasm_release.sh`.
 The "developer" profile for kanidmd will automatically use the pkg output in this folder.
diff --git a/kanidm_tools/Dockerfile b/kanidm_tools/Dockerfile
new file mode 100644
index 000000000..ede3dde27
--- /dev/null
+++ b/kanidm_tools/Dockerfile
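Review bot: `# - linux/arm64` drops the arm64 kanidmd image without recording why; the job name and the commit title only say that it was disabled, so the next reader has no way to know whether simply uncommenting it is safe. A comment on that line, e.g. `# - linux/arm64  # disabled in #879: <reason>; re-enable once resolved`, would preserve that context. The action references bumped here (`docker/setup-qemu-action@v2`, `docker/setup-buildx-action@v2`, `docker/login-action@v2`) are mutable major-version tags; since this patch also enables Dependabot for `github-actions`, pinning each to a full commit SHA with a `# v2` trailer would let Dependabot keep them current while the workflow resolves to an immutable revision. With only `linux/amd64` left in the matrix, the new `fail-fast: false` has no effect, which is fine to keep for when arm64 returns but worth a short note.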
@@ -0,0 +1,86 @@
+# This builds the kanidm CLI tool
+
+ARG BASE_IMAGE=opensuse/tumbleweed:latest
+FROM ${BASE_IMAGE} AS repos
+# To help mirrors not be as bad
+RUN zypper install -y mirrorsorcerer
+RUN /usr/sbin/mirrorsorcerer -x; true
+RUN zypper refresh --force
+RUN zypper dup -y
+
+FROM repos AS builder
+
+RUN zypper install -y \
+ cargo \
+ gcc \
+ rust wasm-pack \
+ clang lld \
+ make automake autoconf \
+ libopenssl-devel \
+ pam-devel \
+ libudev-devel \
+ sqlite3-devel \
+ sccache \
+ rsync
+RUN zypper clean -a
+
+COPY . /usr/src/kanidm
+
+ARG SCCACHE_REDIS=""
+ARG KANIDM_FEATURES
+ARG KANIDM_BUILD_PROFILE
+ARG KANIDM_BUILD_OPTIONS=""
+
+RUN mkdir /scratch
+RUN echo $KANIDM_BUILD_PROFILE
+RUN echo $KANIDM_FEATURES
+
+ENV CARGO_HOME=/scratch/.cargo
+ENV RUSTFLAGS="-Clinker=clang"
+
+WORKDIR /usr/src/kanidm/
+
+ENV RUSTFLAGS="-Clinker=clang -Clink-arg=-fuse-ld=/usr/bin/ld.lld"
+
+RUN if [ "${SCCACHE_REDIS}" != "" ]; \
+then \
+ export CARGO_INCREMENTAL=false && \
+ export CC="/usr/bin/sccache /usr/bin/clang" && \
+ export RUSTC_WRAPPER=sccache && \
+ sccache --start-server; \
+else \
+ export CC="/usr/bin/clang"; \
+fi
+
+# build the CLI
+RUN if [ -z "${KANIDM_FEATURES}" ]; then \
+ cargo build -p kanidm_tools --bin kanidm ${KANIDM_BUILD_OPTIONS} \
+ --target-dir="/usr/src/kanidm/target/" \
+ --release; \
+else \
+ cargo build -p kanidm_tools --bin kanidm ${KANIDM_BUILD_OPTIONS} \
+ --target-dir="/usr/src/kanidm/target/" \
+ --features="${KANIDM_FEATURES}" \
+ --release; \
+fi
+
+RUN if [ "${SCCACHE_REDIS}" != "" ]; then sccache -s; fi
+
+RUN ls -al /usr/src/kanidm/target/release
+
+FROM repos
+
+RUN zypper install -y timezone busybox-adduser
+RUN zypper clean -a
+
+COPY --from=builder /usr/src/kanidm/target/release/kanidm /sbin/
+RUN chmod +x /sbin/kanidm
+ENV RUST_BACKTRACE 1
+
+RUN adduser -D -H kanidm
+RUN zypper remove -y busybox-adduser
+
+USER kanidm
+
+ENTRYPOINT [ "/sbin/kanidm" ]
+
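Review bot: The `export` lines in the `RUN if [ "${SCCACHE_REDIS}" != "" ]; \ … fi` block never reach the `cargo build` that follows, because each `RUN` is its own shell and the layer ends when it exits: `CC`, `RUSTC_WRAPPER`, `CARGO_INCREMENTAL` and the started sccache server are all gone by the next instruction, so the build always runs unwrapped and the later `sccache -s` has nothing to report; end that block with `fi && \` and continue straight into the `cargo build` within the same `RUN` (or set the unconditional `CC=/usr/bin/clang` with `ENV`). `ENV RUSTFLAGS="-Clinker=clang"` is overwritten two instructions later by the second `ENV RUSTFLAGS=…` and can be removed, and `ARG KANIDM_BUILD_PROFILE` is only echoed while `--release` is hard-coded, so either wire it into the build or drop it. `ENV RUST_BACKTRACE 1` uses the deprecated space-separated form; write `ENV RUST_BACKTRACE=1`. With the default `BASE_IMAGE=opensuse/tumbleweed:latest` plus `RUN zypper dup -y`, two builds of the same commit can produce different runtime images, so the `:devel` tag is not reproducible; pinning the base by digest (`opensuse/tumbleweed@sha256:<digest-placeholder>`) and noting the `BASE_IMAGE` override in a comment would fix that.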
diff --git a/kanidmd/Dockerfile b/kanidmd/Dockerfile
index 381db19c0..bdff6a20c 100644
--- a/kanidmd/Dockerfile
+++ b/kanidmd/Dockerfile
@@ -16,7 +16,9 @@ RUN zypper install -y \
 make automake autoconf \
 libopenssl-devel pam-devel \
 sqlite3-devel \
- sccache
+ sccache \
+ gcc \
+ rsync
 RUN zypper clean -a
 COPY . /usr/src/kanidm
@@ -81,9 +83,10 @@ RUN zypper clean -a
 COPY --from=builder /usr/src/kanidm/target/release/kanidmd /sbin/
 COPY --from=builder /usr/src/kanidm/kanidmd_web_ui/pkg /pkg
+RUN chmod +x /sbin/kanidmd
 EXPOSE 8443 3636
 VOLUME /data
 ENV RUST_BACKTRACE 1
-CMD ["/sbin/kanidmd", "server", "-c", "/data/server.toml"]
+CMD [ "/sbin/kanidmd", "server", "-c", "/data/server.toml"]
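Review bot: `RUN chmod +x /sbin/kanidmd` adds a layer that re-stores the whole binary just to set a mode bit, and the hunk does not say why it is needed — cargo emits an executable and `COPY --from=builder` keeps its mode. If the bit really is lost somewhere, set it on the copy instead, `COPY --from=builder --chmod=0755 /usr/src/kanidm/target/release/kanidmd /sbin/` (requires the BuildKit frontend, which the buildx-based workflow provides); otherwise drop the line, and the same applies to `RUN chmod +x /sbin/kanidm` in kanidm_tools/Dockerfile. Nothing in the visible final-stage lines switches to a non-root user the way kanidm_tools/Dockerfile now does with `RUN adduser -D -H kanidm` and `USER kanidm`; if the rest of the file has no `USER` either, kanidmd still runs as root and would benefit from the same change. The enclosing stage continues outside the hunk.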