From bc002d509cccf8ca662b8701b9c7b74f51f5d12c Mon Sep 17 00:00:00 2001
From: rare-magma
Date: Sun, 4 Aug 2024 22:03:25 +0200
Subject: [PATCH] ci: add docker build pipeline
Signed-off-by: rare-magma
---
 .dockerignore | 9 +++++++
 .github/workflows/docker.yml | 46 ++++++++++++++++++++++++++++++++++++
 Dockerfile | 1 +
 README.md | 4 ++--
 docker-compose.yml | 30 +++++++++++++++++++----
 5 files changed, 83 insertions(+), 7 deletions(-)
 create mode 100644 .dockerignore
 create mode 100644 .github/workflows/docker.yml
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..f32b59f
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,9 @@
+.github/
+*.conf
+*.png
+*.json
+*.service
+*.timer
+*.yml
+Makefile
+*.md
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
new file mode 100644
index 0000000..90421dc
--- /dev/null
+++ b/.github/workflows/docker.yml
@@ -0,0 +1,46 @@
+name: Create and publish a container image
+
+on:
+ push:
+ branches: main
+ schedule:
+ - cron: "2 02 4 * *"
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+ build-and-push-image:
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Log in to the container registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract metadata for Docker
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+ - name: Build and push Docker image
+ uses: docker/build-push-action@v6
+ with:
+ platforms: linux/amd64,linux/arm64
+ push: true
+ tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+ labels: ${{ steps.meta.outputs.labels }}
\ No newline at end of file
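Review bot: Every `uses:` in the new workflow is pinned to a mutable major tag (`docker/setup-qemu-action@v3`, `docker/login-action@v3`, `docker/build-push-action@v6`, …) while the job holds `packages: write` and pushes to ghcr.io with the repository's own token, so a moved or compromised tag on any of those actions could publish an arbitrary image under this repository's name; pin each step to a full commit SHA with the version kept as a trailing comment, e.g. `uses: docker/login-action@<commit-sha> # v3`. The final step also hardcodes `tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest` and ignores the tag output of the metadata step (only `labels` is consumed), so nothing immutable is ever published and consumers cannot pin; use `tags: ${{ steps.meta.outputs.tags }}` (add a `sha` tag type in the metadata step if wanted) alongside or instead of `:latest`. Note that the monthly `schedule:` rebuild on top of an unpinned base image means the published `:latest` changes with no corresponding commit, which is fine for security updates but should be stated in the README so operators know to pull.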
diff --git a/Dockerfile b/Dockerfile
index 19def7d..d54429b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,6 +2,7 @@ FROM docker.io/library/alpine:latest
 ENV RUNNING_IN_DOCKER=true
 ENTRYPOINT ["/bin/bash"]
 CMD ["/app/cloudflare_exporter.sh"]
+COPY cloudflare_exporter.sh /app/cloudflare_exporter.sh
 RUN addgroup -g 10001 user \
 && adduser -H -D -u 10000 -G user user
 RUN apk add --quiet --no-cache bash coreutils curl jq
diff --git a/README.md b/README.md
index 9af33fc..5547d6c 100644
--- a/README.md
+++ b/README.md
@@ -49,8 +49,8 @@ Bash script that uploads the Cloudflare Analytics API data to influxdb on an hou
 1. Run it.
 ```bash
- docker run --rm --init --tty --interactive --volume $(pwd):/app localhost/cloudflare-exporter
- ```
+ docker run --rm --init --tty --interactive --read-only --cap-drop ALL --security-opt no-new-privileges:true --cpus 2 -m 64m --pids-limit 16 --volume ./cloudflare_exporter.conf:/app/cloudflare_exporter.conf:ro --volume ./cloudflare_zone_list.json:/app/cloudflare_zone_list.json:ro ghcr.io/rare-magma/cloudflare-exporter:latest
+ ```
 ### With the Makefile
diff --git a/docker-compose.yml b/docker-compose.yml
index 0196d11..2bd7e81 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,7 +1,18 @@
 version: "3"
 services:
 scheduler:
- image: ghcr.io/reddec/compose-scheduler:1.0.1
+ image: ghcr.io/reddec/compose-scheduler:1.1.0
+ read_only: true
+ cap_drop:
+ - ALL
+ security_opt:
+ - no-new-privileges:true
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: 250m
+ pids: 1024
 privileged: true
 restart: unless-stopped
 volumes:
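Review bot: The added `COPY cloudflare_exporter.sh /app/cloudflare_exporter.sh` is placed before the `RUN addgroup …` and `RUN apk add …` layers, so every edit to the script invalidates the package-install cache, and it inherits whatever mode bits the checkout happens to have; move it after the two `RUN` lines and set the permissions explicitly, `COPY --chmod=0444 cloudflare_exporter.sh /app/cloudflare_exporter.sh`, which is enough because the `ENTRYPOINT ["/bin/bash"]` / `CMD` pair runs the script as a bash argument rather than executing it directly, and root-owned read-only is the right fit for the `--read-only`/`cap-drop ALL` run the README now documents. No `USER user` directive is visible in this hunk; if one is not set later in the file the process still runs as root despite uid 10000 being created here — please confirm. The Dockerfile continues outside the hunk.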
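Review bot: The hardening added to the scheduler service (`read_only: true`, `cap_drop: - ALL`, `no-new-privileges:true`) is undercut by the retained `privileged: true` two lines below it: privileged mode grants every capability and host device access regardless of `cap_drop`, so the new settings are largely cosmetic for this container. If the scheduler only needs the Docker socket (the `volumes:` contents are outside the hunk), remove `privileged: true` and rely on the socket mount; if it genuinely needs privileged mode, say so in a comment so the next reader does not assume the container is confined. Two smaller points: `deploy.resources.limits` is honored by Compose v2 but ignored by the legacy `docker-compose` v1 binary unless run with `--compatibility`, and the bumped `compose-scheduler:1.1.0` tag is mutable — pinning by digest (`image: ghcr.io/reddec/compose-scheduler:1.1.0@sha256:…`) would make the scheduler, which effectively controls the other containers, reproducible.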
@@ -10,10 +21,19 @@ services:
 cloudflare-exporter:
 image: cloudflare-exporter:latest
 init: true
- build:
- context: .
- dockerfile: ./Dockerfile
+ read_only: true
+ cap_drop:
+ - ALL
+ security_opt:
+ - no-new-privileges:true
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: 64m
+ pids: 16
 volumes:
- - ./:/app:z
+ - ./cloudflare_exporter.conf:/app/cloudflare_exporter.conf:ro
+ - ./cloudflare_zone_list.json:/app/cloudflare_zone_list.json:ro
 labels:
 net.reddec.scheduler.cron: "5 * * * *"
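Review bot: With the `build:` block removed, `image: cloudflare-exporter:latest` no longer names anything Compose can produce — it is neither built here nor the `ghcr.io/rare-magma/cloudflare-exporter:latest` reference the README in this same commit uses — so `docker compose up` will attempt to pull `cloudflare-exporter:latest` from Docker Hub and fail unless the image was built locally beforehand (possibly by the Makefile, which is not visible here). Either point the service at the published image, `image: ghcr.io/rare-magma/cloudflare-exporter:latest` (ideally with a `@sha256:` digest), or keep the `build:` block so the two entry points stay consistent. Separately, with `read_only: true` and both mounts now `:ro`, please confirm `cloudflare_exporter.sh` never writes beside its config or to `/app`; if it needs scratch space a `tmpfs:` entry is required, otherwise the hourly run will fail silently under the scheduler.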