Cleanup runner image (#106)

* Cleanup runner image and use debian as base * Make use of a single Dockerfile * Rename runner cli from underscore to dash to be consistent * Correct docker illuminatio calls
inovex · Aug 4, 2020 · b5d4383 · b5d4383
1 parent a67aade
commit b5d4383
Show file tree

Hide file tree

Showing 6 changed files with 38 additions and 67 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -127,8 +127,8 @@ jobs:
       services:
         - docker
       script:
-      - docker build -t "${TRAVIS_REPO_SLUG}"-runner:latest -f illuminatio-runner.dockerfile .
       - docker build -t "${TRAVIS_REPO_SLUG}":latest .
+      - docker tag "${TRAVIS_REPO_SLUG}":latest "${TRAVIS_REPO_SLUG}"-runner:latest
 
     # build and push the latest images for master commits
     - stage: build
@@ -137,8 +137,8 @@ jobs:
       services:
         - docker
       script:
-      - docker build -t "${TRAVIS_REPO_SLUG}"-runner:latest -f illuminatio-runner.dockerfile .
       - docker build -t "${TRAVIS_REPO_SLUG}":latest .
+      - docker tag "${TRAVIS_REPO_SLUG}":latest "${TRAVIS_REPO_SLUG}"-runner:latest
       - echo "${DOCKER_PASSWORD}" | docker login -u "${DOCKER_USERNAME}" --password-stdin
       - docker push "${TRAVIS_REPO_SLUG}"-runner:latest
       - docker push "${TRAVIS_REPO_SLUG}":latest
@@ -150,8 +150,8 @@ jobs:
       services:
         - docker
       script:
-      - docker build -t "${TRAVIS_REPO_SLUG}"-runner:"${TRAVIS_TAG}" -f illuminatio-runner.dockerfile .
       - docker build -t "${TRAVIS_REPO_SLUG}":"${TRAVIS_TAG}" .
+      - docker tag "${TRAVIS_REPO_SLUG}":"${TRAVIS_TAG}" "${TRAVIS_REPO_SLUG}"-runner:"${TRAVIS_TAG}"
       - echo "${DOCKER_PASSWORD}" | docker login -u "${DOCKER_USERNAME}" --password-stdin
       - docker push "${TRAVIS_REPO_SLUG}"-runner:"${TRAVIS_TAG}"
       - docker push "${TRAVIS_REPO_SLUG}":"${TRAVIS_TAG}"

diff --git a/Dockerfile b/Dockerfile
@@ -1,24 +1,38 @@
-FROM python:3.7.4-alpine3.10 AS builder
+FROM python:3.8-slim-buster AS builder
 
-COPY . /illuminatio
-COPY .git /illuminatio/.git
+RUN mkdir -p /src/app && \
+    apt-get update && \
+    apt-get install -y git wget
 
-WORKDIR /illuminatio
+ENV CRICTL_VERSION="v1.18.0"
+RUN wget https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRICTL_VERSION}/crictl-${CRICTL_VERSION}-linux-amd64.tar.gz && \
+    tar zxvf crictl-${CRICTL_VERSION}-linux-amd64.tar.gz -C /usr/local/bin && \
+    rm -f crictl-${CRICTL_VERSION}-linux-amd64.tar.gz
 
-RUN apk add --no-cache git && \
-    adduser -S illuminatio  -s /bin/nologin -u 1000 && \
-    chmod 1777 /tmp
+COPY setup.cfg /src/app
+COPY setup.py /src/app
+COPY .git /src/app/.git
+COPY src /src/app/src
+COPY ./requirements.txt /src/app/requirements.txt
 
-RUN pip install --no-warn-script-location --user . && \
-    chown -R illuminatio /root/.local
+WORKDIR /src/app
+RUN pip3 --no-cache-dir install . -r ./requirements.txt
 
-# Final image
-FROM python:3.7.4-alpine3.10
+# Actual Runner image
+FROM python:3.8-slim-buster
 
-RUN adduser -S illuminatio -H -s /bin/nologin -u 1000
-USER 1000
+# Install illuminatio from builder
+COPY --from=builder /src/app/src /src/app/src
+COPY --from=builder /usr/local/lib/python3.8/site-packages /usr/local/lib/python3.8/site-packages
+COPY --from=builder /usr/local/bin/illuminatio-runner /usr/local/bin/illuminatio-runner
+COPY --from=builder /usr/local/bin/illuminatio /usr/local/bin/illuminatio
+COPY --from=builder /usr/local/bin/crictl /usr/local/bin/crictl
 
-COPY --from=builder /root/.local /home/illuminatio/.local
-ENV PATH=/home/illuminatio/.local/bin:$PATH
+ENV PYTHONPATH=/usr/local/lib/python3.8/site-packages
 
-ENTRYPOINT [ "illuminatio" ]
+# Currently nmap is required for running the scans
+RUN apt-get update && \
+    apt-get install -y nmap && \
+    rm -rf /var/lib/apt/lists/*
+
+CMD [ "/usr/local/bin/illuminatio-runner" ]
diff --git a/README.md b/README.md
@@ -38,7 +38,7 @@ pip3 install illuminatio
 or directly from the repository:
 
 ```bash
-pip install git+https://github.com/inovex/illuminatio
+pip3 install git+https://github.com/inovex/illuminatio
 ```
 
 ### Kubectl plugin
@@ -168,15 +168,15 @@ Instead of installing the `illumnatio` cli on your machine you can also use our
 You will need to provide the `kubeconfig` to the container and probably some certificates:
 
 ```bash
-docker run -ti -v ~/.kube:/home/illuminatio/.kube:ro inovex/illuminatio clean run
+docker run -ti -v ~/.kube:/home/illuminatio/.kube:ro inovex/illuminatio illuminatio clean run
 ```
 
 ### Minikube
 
 Minikube will store the certificates in the users home so we need to pass these to the container:
 
 ```bash
-docker run -ti -v "${HOME}/.minikube":"${HOME}/.minikube" -v "${HOME}/.kube:"/home/illuminatio/.kube:ro inovex/illuminatio clean run
+docker run -ti -v "${HOME}/.minikube":"${HOME}/.minikube" -v "${HOME}/.kube:"/home/illuminatio/.kube:ro inovex/illuminatio illuminatio clean run
 ```
 
 If the minikube VM is not reachable from your container try to pass the `--net=host` flag to the docker run command.

diff --git a/illuminatio-runner.dockerfile b/illuminatio-runner.dockerfile
diff --git a/local_dev/run_e2e_tests.sh b/local_dev/run_e2e_tests.sh
@@ -6,7 +6,7 @@ set -eu
 DOCKER_REGISTRY=${DOCKER_REGISTRY:-"localhost"}
 ILLUMINATIO_IMAGE="${DOCKER_REGISTRY}:5000/illuminatio-runner:dev"
 
-docker build -t "${ILLUMINATIO_IMAGE}" -f illuminatio-runner.dockerfile .
+docker build -t "${ILLUMINATIO_IMAGE}" .
 
 # Use minikube docker daemon to push to the insecure registry
 

diff --git a/setup.cfg b/setup.cfg
@@ -65,7 +65,7 @@ exclude =
 [options.entry_points]
 console_scripts =
     illuminatio = illuminatio.illuminatio:cli
-    illuminatio_runner = illuminatio.illuminatio_runner:cli
+    illuminatio-runner = illuminatio.illuminatio_runner:cli
 
 [test]
 # py.test options when running `python setup.py test`