* chore(Dockerfile): pin images by digest. This ensures consistent builds with images pinned by SHA.
* Introduces a GitHub Action that will create a PR to update the images when there is a new version, and will pin to that newer version's SHA.
* Bump debian to 12 'bookworm'
* Bump pypi libraries
* except frontend-1, as only debian 11 is currently supported by openresty
* Bump debian packages
* chore(frontend): use bitnami/openresty as base image for frontend Dockerfile
openresty/openresty was not being patched as frequently as we would like, resulting in numerous
vulnerabilities without resolution. bitnami/openresty is being patched more frequently.
Some additional changes were necessary when porting our frontend between these distributions:
- HTML files are in /app
- nginx.conf is in /opt/bitnami/openresty/nginx/conf/nginx.conf
- envsubst is not available by default in bitnami/openresty and needs to be copied in
- nginx.conf: we wrap the server block in an http block and overwrite the root nginx.conf
- Using the existing Speckle nginx.conf as a server block alone causes issues with bitnami/openresty, as bitnami/openresty provides a root nginx.conf whose directives conflict with those in Speckle's server block
- We copy the directives from openresty/openresty (which are known to work with Speckle's server block) and apply them alongside Speckle's server block. This creates a new root nginx.conf with which we overwrite the default on the image.
- nginx should use a port available to a non-sudo/root user; we have selected 8080 instead of the previous 80
- need to explicitly output nginx logs to stderr / stdout
Created a readonly root file system on Kubernetes. This requires the following changes:
- emptyDir volumes are mounted in kubernetes to allow bitnami/openresty to write to specific locations
- explicitly include and copy mime.types file to nginx configuration directory
Due to the change to non-privileged port number (8080), the following subsequent changes were required:
- Update 1-click deployment script to match frontend at port 8080
- Update docker-compose-speckle.yaml file
Co-authored-by: Gergő Jedlicska <gergo@jedlicska.com>
* Moves speckle-server, webhook-service, fileimport-service, monitoring-deployment, and test-deployment images to Distroless.
Partially addresses https://github.com/specklesystems/speckle-server/issues/883
* preview-service uses similar image for building and production stages
* explicitly include chromium-common dependency to prevent error in preview service
* Bump chromium packages due to package versions not being found
* Handle machine-id in distroless
- distroless has no shell, so node-machine-id will result in an error
- this commit introduces error handling and defaults to a uuid v4 in the case of an error
* Update binary location for readiness and liveness checks to match the binary location in Distroless
* Allow node binary path to be set as environment variable in fileimport service
* chore(node): upgrades to node 18
Node 16 was out of support (but not security upgrades), so bumping to next stable version.
https://github.com/specklesystems/speckle-server/issues/1187
* Update server liveness and readiness probes for node 18
* Bump web-ifc to 0.0.36
* Apply `--no-experimental-fetch` flag to fileimport-service to prevent issues in web-ifc (via emscripten) with node 18
* perf(server, webhook-service): production images are based on distroless
Reduces image file size by >40% for images which can use distroless base image. As
well as improving boot-up & restart time (via smaller download & load size), Distroless reduces the
attack surface area by removing almost all binaries & packages (e.g. shell, chown) that are not
necessary to run node.
- ensures distroless node images run tini
- removes fonts-dejavu-core and fontconfig from speckle-server
- Remove man and doc files if they exist
- args hoisted to top of Dockerfile and consolidated
- env vars consolidated to prevent additional layers
address https://github.com/specklesystems/speckle-server/issues/883
* yarn first go
* fix frontend build cache loader
* yarn workspaces built server Docker
* build(yarn): add workspaces plugin config
* chore(package defs): clean package*.json -s
* chore(gitignore): ignore yarn error log
* build(yarn): update yarn lock
* build(preview-service webpack): add extra resolved path to preview service webpack config
Because of yarn package hoisting, there are no package-level node_modules folders anymore.
* build(docker): update dockerignore with yarn specific configs
* build(docker): update Dockerfiles for yarn workspaces utilization
* ci(circleci): update server test job to yarn
* ci(circle): disable cache restore
* ci(circleci): trying the node orb yarn-run
* ci(circleci): yarn-run again
* ci(circleci): disable node orb
* ci(circleci): change base node image for tests
* ci(circleci): add yarn cache
* ci(circleci): remove node install step
* ci(circleci): add server specific cache archives
* ci(circleci): test build and publish
* ci(circleci): change npm auth method to suit yarn
* ci(circleci): trying new builder image
* ci(circleci): another base image, maybe this works
* ci(circleci): force a specific docker engine version
* ci(circleci): add yarn version plugin and its changes
* ci(circleci): cleanup and remove temp branch config
* chore(package defs): moving from npm run to yarn
* explicitly specifying webpack4 as a frontend dep
* chore(package defs): replace npm with yarn everywhere
* docs(root readme): update with some yarn specific docs
* chore(root workspace): update dev scripts and package lock
* ci(circleci): enable package publish step with yarn
Co-authored-by: Fabians <fabis94@live.com>