ETOOBUSY 🚀 minimal blogging for the impatient

Generating "Example on Certificates"

· #security #openssl #docker #dibs

TL;DR

Curious how the Docker image polettix/certificate-example, referred in Example on Certificates, was generated? I used dibs with a possibly overkill configuration file.

dibs.yml 6.01 KiB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 
---
name: certificates-example

variables:
   - &base_image        'alpine:3.6'
   - &target_image_name 'polettix/certificate-example'
   - &username          'user'
   - &groupname         'user'
   - &appdir            '/app'
   - &version           '1.0.0'

   - &bases_reference_tag '1.0'

   - &builder_image_name  'ce-builder'
   - &builder_image ['join', ':', *builder_image_name, *bases_reference_tag]

   - &bundler_image_name  'ce-bundler'
   - &bundler_image ['join', ':', *bundler_image_name, *bases_reference_tag]

   - unexpanded:
      tags: &version_tags ['*', 'latest']

packs:
   basic:
      type:   git
      origin: https://github.com/polettix/dibspack-basic.git

actions:

   # Some "umbrella" actions
   default: quick
   quick: [build-quick, bundle-quick]
   full:  [build, bundle]
   boot:  [bases, quick]
   bases: [build-base, bundle-base]


   ##################################################
   #                                                #
   # BUILDER                                        #
   #                                                #
   ##################################################

   # base image, saved so that we don't have to re-install main
   # pre-requisites over and over.
   build-base:
      envile:
         DIBS_PREREQS: build
      actions:
         - base-layers
         - name: save builder image
           image_name: *builder_image_name
           tags: *bases_reference_tag

   # actual building operations "build" and "build-quick". They
   # produce the same artifact, the quick one skips going through
   # pre-requisites assuming they are already in place.
   build:
      envile:
         DIBS_PREREQS: build
      actions:
         - from: *builder_image
         - ensure-prereqs
         - build-operations

   build-quick:
      envile:
         DIBS_PREREQS: build
      actions:
         - from: *builder_image
         - build-operations

   # the bulk of building operations is factored into this action
   # so that it's reused by both "build" and "build-quick"
   build-operations:
      - src-in-app
      - build-perl-modules
      - cache-application


   ##################################################
   #                                                #
   # BUNDLER                                        #
   #                                                #
   ##################################################

   # base image, saved so that we don't have to re-install main
   # pre-requisites over and over.
   bundle-base:
      envile:
         DIBS_PREREQS: bundle
      actions:
         - base-layers
         - name: save bundler image
           image_name: *bundler_image_name
           tags: *bases_reference_tag

   # actual bundling operations "bundle" and "bundle-quick". They
   # produce the same artifact, the quick one skips going through
   # pre-requisites assuming they are already in place.
   bundle:
      envile:
         DIBS_PREREQS: bundle
      actions:
         - from: *bundler_image
         - ensure-prereqs
         - bundle-operations

   bundle-quick:
      envile:
         DIBS_PREREQS: bundle
      actions:
         - from: *bundler_image
         - bundle-operations

   # the bulk of bundling operations is factored into this action
   # so that it's reused by both "bundle" and "bundle-quick"
   bundle-operations:
      - install-application
      - save-bundle


   ##################################################
   #                                                #
   # SUPPORTING ACTIONS                             #
   #                                                #
   ##################################################

   # this is how base images are built
   base-layers:
      - from: *base_image
      - add-normal-user
      - ensure-prereqs

   # add a non-root user to the lot. Probably overkill here.
   add-normal-user:
      name: add a regular, unprivileged user
      pack: basic
      path: wrapexec/suexec
      args: ['-u', *username, '-g', *groupname, '-h', *appdir]
      user: root

   # install prereqs from src/prereqs/*
   ensure-prereqs:
      name: install OS-level prerequisites
      pack: basic
      path: prereqs
      user: root

   # copy all src inside *appdir, assigning ownership to the
   # unprivileged user
   src-in-app:
      name: 'copy source in directory for build'
      args: [ *username, *groupname, *appdir ]
      user: root
      pack:
         run: |
            #!/bin/sh
            exec >&2
            username="${1:-"user"}"
            groupname="${2:-"user"}"
            app_dir="${3:-"/app"}"
            src_dir="$(cat DIBS_DIR_SRC)"
            rm -rf "$app_dir"
            cp -a "$src_dir" "$app_dir"
            rm -rf "$app_dir/local"
            mkdir -p "$app_dir/.profile.d"
            cat >"$app_dir/.profile" <<'END'
            #!/bin/sh
            for f in "$HOME/.profile.d"/*.sh ; do
               . "$f"
            done
            END
            set -x
            chown -R "$username:$groupname" "$app_dir"

   # invoke building of Perl modules, from the "basic" pack
   build-perl-modules:
      name: 'build perl modules'
      pack: basic
      path: perl/build
      args: ['-w', *appdir, '-V', *version]
      user: *username

   # save the compiled application in the cache, usually it's the
   # final step of a build process
   cache-application:
      name: 'copy build application in cache'
      pack: basic
      path: install/with-dibsignore
      args: ['--src', *appdir, '--dst', {path_cache: 'perl-app'}]
      user: root

   # install a built application from the cache to the final place
   # inside the bundle image.
   install-application:
      name: 'install application to target path'
      pack: basic
      path: install/plain-copy
      args: [{path_cache: 'perl-app'}, *appdir]
      user: root
      commit:
         entrypoint: [ "/bin/sh" ]
         cmd: [ "-l" ]
         workdir: *appdir

   # when the application is in place, we can save the target image
   save-bundle:
      name: 'save bundle image'
      image_name: *target_image_name
      tags: *version_tags

Local version here.

As anticipated, the dibsfile is possibly overkill, but it allows doing modifications and re-generation of images very, very quickly.

Additionally, the file is refactored so that the duplication of actions is very low. This adds to the complexity, but also to the readability in my very humble opinion.

To use it, remember that you have to pull the base_image first, i.e. alpine:3.8 in this case:

$ docker pull alpine:3.8

I tried with the newer alpine:3.9 but there seems to be issues compiling Net::SSLeay so I reverted to the previous release.

After you are done, put the file in a directory and name it dibs.yml, then create a src sub-directory according to what explained in dibs… and you should be all set. Hopefully there will be a full repository in some future, stay tuned!

Comments? Octodon, , GitHub, Reddit, or drop me a line!

ETOOBUSY © 2025 by polettix ― Powered by Jekyll and the TextLog theme