
The 1.20 release is here. Upgrade to this version. Things we change:

* Nodejs is updated to v20 to match the alpine 3.18 package version that gitea switched to.
* Templates are updated to match upstream 1.20 templates.
* We drop the deprecated LFS_CONTENT_PATH from our server config and add an equivalent [lfs] config section.
* Normalize app.ini content so that gitea won't write it back out to disk which fails due to permissions (and we don't want it overriding our configs anyway). For this we need to add WORK_PATH, oauth2.JWT_SECRET, and normalizing spacing and quoting for entries.
* Set JWT_SIGNING_PRIVATE_KEY_FILE explicitly to be located at /data/gitea/jwt/private.pem otherwise gitea attempts to create the jwt/ directory somewhere it doesn't have permissions to (I think /) and won't be persisted across containers.
* Replace log.ENABLE_ACCESS_LOG with log.logger.access.MODE = file as log.ENABLE_ACCESS_LOG is deprecated and doesn't appear to work anymore. This appears to be a documentation issue or they deprecated and removed things more quickly than originally anticipated.
* Add log.ACCESS_LOG_TEMPLATE to readd source port info to the access logs.
* Add a templates/custom/header.tmpl file to set theme-color as the config item for this has been removed.

The 1.20.0 changelog [0] lists a number of breaking changes. I have tried to capture these here as well as potential impacts to us:

* Fix WORK_DIR for docker (root) image (#25738) (#25811)
  * We set APP_DATA_PATH to /data/gitea in our app.ini config which means we aren't relying on the inferred value from WORK_DIR. I think this isolates us from this change. But we can check for any content in /app/gitea on our running containers to be sure. Note we hardcode WORK_PATH to /data/gitea because gitea attempts to write this back to our config file otherwise as a result of this change.
* Restrict [actions].DEFAULT_ACTIONS_URL to only github or self (#25581) (#25604)
  * We disable actions. This shouldn't affect us.
* Refactor path & config system (#25330) (#25416)
  * This is related to the first breaking change. Basically we need to check our use of WORK_PATH and determine if we need to hardcode it to something. Probably a good idea given how they keep changing this on us...
* Fix all possible setting error related storages and added some tests (#23911) (#25244)
  * We don't use storage configs. This shouldn't affect us.
* Use a separate admin page to show global stats, remove actions stat (#25062)
  * The breaking change only affects the use of Prometheus which we don't have yet.
* Remove the service worker (#25010)
  * Is listed as a breaking change for UI cleanup that we don't need to clean up. (ui.USE_SERVICE_WORKER can be removed).
* Remove meta tags theme-color and default-theme (#24960)
  * https://github.com/go-gitea/gitea/pull/24960
  * Addressed by adding a custom templates/custom/header.tmpl file that sets this meta tag to the existing value. Note this only affects mobile clients so needs to be double checked via a mobile device.
* Use [git.config] for reflog cleaning up (#24958)
  * Affects git.reflog config entries and we don't have any.
* Allow all URL schemes in Markdown links by default (#24805)
  * TODO determine if we need to limit link types and add that change if so. A point release was made to exclude bad types already. Not sure if there are others we need to add.
* Redesign Scoped Access Tokens (#24767)
  * This breaks scoped tokens with scopes that don't exist anymore. I don't think we use scoped tokens.
* Fix team members API endpoint pagination (#24754)
  * They 1 index the pagination of this endpoint now instead of 0 indexing it.
* Rewrite logger system (#24726)
  * They made changes to the loggers and encourage people to check their logs work as expected when upgrading. Using our test instance logs I don't see anything that is a problem.
* Increase default LFS auth timeout from 20m to 24h (#24628)
  * We don't LFS but can change the timeout if necessary.
* Rewrite queue (#24505)
  * Check for 'Removed queue option:' log entries and clean up corresponding entries in app.ini. We don't have any of these entries in our logs.
* Remove unused setting time.FORMAT (#24430)
  * We didn't have this entry in app.ini.
* Refactor setting.Other and remove unused SHOW_FOOTER_BRANDING (#24270)
  * This setting can be removed from app.ini, but we don't set it.
* Correct the access log format (#24085)
  * We uncorrect it because they removed source port info in the correction step. They did this because some log parsers don't understand having the port info present, but if you are behind a reverse proxy this information is very important. We run gitea behind a reverse proxy.
* Reserve ".png" suffix for user/org names (#23992)
  * .png is no longer a valid user/org name (it didn't work before anyway).
* Prefer native parser for SSH public key parsing (#23798)
  * If you relied on the openssh ssh-keygen executable for public key parsing then you must explicitly set config to use it. I don't think we do as the golang native parser should handle the keytypes we use.
* Editor preview support for external renderers (#23333)
  * This removed an app.ini setting we don't seem to set.
* Add Gitea Profile Readmes (#23260)
  * Readmes in .profile repositories will always be shown now. We don't have .profiles repos so this doesn't affect us.
* Refactor ctx in templates (#23105)
  * This affects custom templates as we may need to replace ctx with ctxData in our templates.
  * I've searched our templates for 'root', 'ctx', and 'ctxData' and have found no instances. Looking at the files modified by the commits related to this change:
    * bd7f218dce
    * 7c01260e1d

    we don't seem to override the affected files. I think we are fine as is.

The 1.20.1 changelog indicates there are no breaking changes, and git diff shows no changes to the templates between 1.20.0 and 1.20.1.

The 1.20.2 changelog indicates there are no breaking changes, and git diff shows no changes to the templates between 1.20.1 and 1.20.2.

The 1.20.3 changelog indicates there is a single breaking change:

* Fix the wrong derive path (#26271) (#26318)
  * If I'm reading the code correctly, I think the problem was storage configuration inheriting the base storage config and particularly the related path. Then when archival storage looked for its config the path was the root gitea storage path and it would inadvertently delete all repos when deleting a single repo or something like that. We don't use these features and these are mirrors anyway so I don't think this really affects us.

[0] https://github.com/go-gitea/gitea/blob/v1.20.3/CHANGELOG.md

Change-Id: I265f0ad16c0e757a11c1d889996ffe2198625a1a
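The app.ini changes listed in the commit message above can be checked mechanically before a deploy. The following is an added example, not part of the original commit or of the Gitea project: a small Python linter run over constructed sample configs. Placing JWT_SIGNING_PRIVATE_KEY_FILE under [oauth2], using PATH as the [lfs] key, and the /data prefix check (taken from the image's VOLUME) are assumptions of this example.

```python
import configparser

# (section, key, must_exist, reason), from the commit message above. "" is the
# section-less top of app.ini. [oauth2] placement and [lfs] PATH are assumptions.
RULES = [
    ("", "WORK_PATH", True, "gitea writes app.ini back when unset"),
    ("oauth2", "JWT_SECRET", True, "gitea writes app.ini back when unset"),
    ("oauth2", "JWT_SIGNING_PRIVATE_KEY_FILE", True, "jwt/ must be persisted"),
    ("lfs", "PATH", True, "replaces server.LFS_CONTENT_PATH"),
    ("log", "logger.access.MODE", True, "replaces log.ENABLE_ACCESS_LOG"),
    ("log", "ACCESS_LOG_TEMPLATE", True, "re-adds source port to access logs"),
    ("server", "LFS_CONTENT_PATH", False, "deprecated"),
    ("log", "ENABLE_ACCESS_LOG", False, "deprecated"),
    ("ui", "USE_SERVICE_WORKER", False, "service worker was removed"),
]

def load_app_ini(text):
    """Parse app.ini text; keys before the first [section] are filed under ""."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), default_section="__unused__")
    cp.optionxform = str  # keep key case instead of lowercasing
    cp.read_string("[__global__]\n" + text)
    return {("" if s == "__global__" else s): dict(cp[s]) for s in cp.sections()}

def lint(text):
    cfg, findings = load_app_ini(text), []
    for section, key, must_exist, why in RULES:
        name = f"{section}.{key}" if section else key
        value = cfg.get(section, {}).get(key)
        if must_exist and not (value or "").strip().strip('"'):
            findings.append(f"missing {name}: {why}")
        elif not must_exist and value is not None:
            findings.append(f"remove {name}: {why}")
    key_file = cfg.get("oauth2", {}).get("JWT_SIGNING_PRIVATE_KEY_FILE", "")
    if key_file and not key_file.startswith("/data/"):  # /data is the image VOLUME
        findings.append("oauth2.JWT_SIGNING_PRIVATE_KEY_FILE is outside /data")
    return findings

# Constructed sample configs (not the real deployment's app.ini).
OLD_INI = "APP_NAME = x\n[server]\nLFS_CONTENT_PATH = /data/gitea/lfs\n[log]\nENABLE_ACCESS_LOG = true\n"
NEW_INI = """WORK_PATH = /data/gitea
[lfs]
PATH = /data/gitea/lfs
[oauth2]
JWT_SECRET = constructed-placeholder
JWT_SIGNING_PRIVATE_KEY_FILE = /data/gitea/jwt/private.pem
[log]
logger.access.MODE = file
ACCESS_LOG_TEMPLATE = constructed-placeholder
"""
```

The linter does not cover the spacing and quoting normalization the commit message mentions, only the presence or absence of the named keys.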
136 lines
4.6 KiB
Docker
# syntax=docker/dockerfile:1.3
# Copyright (c) 2018 Red Hat, Inc.
# Copyright (c) 2016 The Gitea Authors
# Copyright (c) 2015 The Gogs Authors
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.

# Wed May 3 20:59:00 UTC 2023 - trigger rebuild

###################################
#Build stage
FROM docker.io/library/golang:1.20-bullseye AS build-env

LABEL maintainer="infra-root@openstack.org"

ARG GITEA_VERSION="v1.20.3"
ENV TAGS "bindata $TAGS"

#Build deps
RUN apt-get update && apt-get -y install build-essential git apt-transport-https curl gnupg2 \
    && curl -sS https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add - \
    && echo "deb https://deb.nodesource.com/node_20.x bullseye main" | tee /etc/apt/sources.list.d/nodesource.list \
    && apt-get update \
    && apt-get -q --option "Dpkg::Options::=--force-confold" --assume-yes install nodejs \
    && mkdir -p ${GOPATH}/src/code.gitea.io/gitea

#Setup repo
RUN git clone https://github.com/go-gitea/gitea ${GOPATH}/src/code.gitea.io/gitea
WORKDIR ${GOPATH}/src/code.gitea.io/gitea

#Checkout version if set
RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \
    && make clean-all build

# This is a utility the upstream image builds to translate env vars into
# the app.ini config. We primarily rely on ansible for this instead but
# build and include it anyway to stay in sync with upstream tooling.
RUN go build contrib/environment-to-ini/environment-to-ini.go

# Make things executable since they aren't all that way in git
RUN chmod 755 gitea \
    environment-to-ini \
    docker/root/usr/bin/entrypoint \
    docker/root/usr/local/bin/gitea

###################################
# Basic system setup common to all containers in our pod

FROM docker.io/library/debian:bullseye-slim as base

RUN apt-get update && apt-get -y install \
    bash \
    ca-certificates \
    curl \
    gettext \
    git \
    openssh-client \
    tzdata \
    gnupg \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

RUN addgroup --system --gid 1000 git \
    && adduser \
    --system --no-create-home --disabled-login \
    --home /data/git \
    --shell /bin/bash \
    --uid 1000 \
    --gid 1000 \
    git \
    && echo "git:$(dd if=/dev/urandom bs=24 count=1 status=none | base64)" | chpasswd \
    && mkdir /custom

# Copy the /etc config files and entrypoint script
COPY --from=build-env /go/src/code.gitea.io/gitea/docker/root /

# Copy the app
COPY --from=build-env /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
COPY --from=build-env /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini

# Copy our custom templates and some additional image files
COPY custom/ /custom/
# Copy our opendev logo contents to the custom location
RUN --mount=type=bind,from=opendevorg/assets,target=/tmp/assets cp -r /tmp/assets/* /custom/public/img/

ENV GITEA_CUSTOM /custom

###################################
# The gitea image
FROM base as gitea

RUN apt-get update && apt-get -y install pandoc \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

EXPOSE 3000
ENV USER git
VOLUME ["/data"]
ENTRYPOINT ["/usr/bin/entrypoint"]
CMD ["/usr/local/bin/gitea", "web"]
USER 1000:1000

###################################
# The openssh server image
FROM base as gitea-openssh

RUN apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confold" \
    install openssh-server \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* \
    && mkdir /run/sshd

COPY sshd-entrypoint.sh /usr/bin/entrypoint

EXPOSE 22
VOLUME ["/data"]
ENTRYPOINT ["/usr/bin/entrypoint"]
CMD ["/usr/sbin/sshd", "-D", "-e"]