109 lines
4.8 KiB
Docker
109 lines
4.8 KiB
Docker
# Per-bottle sidecar bundle image (PRD 0024).
|
|
#
|
|
# Collapses the four prior per-sidecar images (pipelock, egress,
|
|
# git-gate, supervise) into one. A small stdlib-Python init
|
|
# supervisor at /app/sidecar_init.py spawns all four daemons,
|
|
# forwards SIGTERM, and propagates per-daemon stdout/stderr to the
|
|
# container log with a `[name]` prefix. See PRD 0024 for the
|
|
# rationale.
|
|
#
|
|
# Layout (preserved verbatim from the prior four Dockerfiles so the
|
|
# compose renderer's bind-mount paths and docker-cp targets keep
|
|
# working):
|
|
#
|
|
# /usr/local/bin/pipelock pipelock binary
|
|
# /usr/bin/gitleaks gitleaks binary
|
|
# /app/egress_addon.py + siblings mitmproxy addon (egress)
|
|
# /app/egress-entrypoint.sh mitmdump launcher
|
|
# /app/supervise_server.py + .py supervise MCP server
|
|
# /app/sidecar_init.py PID 1 supervisor
|
|
# /etc/pipelock.yaml bind-mounted at run time
|
|
# /etc/egress/routes.yaml bind-mounted at run time
|
|
# /etc/git-gate/pre-receive docker-cp'd at start time
|
|
# /git-gate-entrypoint.sh docker-cp'd at start time
|
|
# /git-gate/creds/* docker-cp'd at start time
|
|
# /git/* bare repos, populated at runtime
|
|
# /run/supervise/queue/ bind-mounted at run time
|
|
# /home/mitmproxy/.mitmproxy/ mitmproxy CA dir
|
|
#
|
|
# Exposed ports inside the container:
|
|
# 8888 pipelock (HTTPS_PROXY)
|
|
# 9099 egress (mitmproxy, pipelock's upstream — not externally
|
|
# addressed by the agent)
|
|
# 9418 git-gate (git-daemon)
|
|
# 9100 supervise (MCP HTTP)
|
|
|
|
# Stage 1: pipelock binary. The upstream pipelock image is a
|
|
# scratch image with the binary at /pipelock (entrypoint).
|
|
# Pinned by digest in lockstep with
|
|
# bot_bottle/backend/docker/pipelock.py:PIPELOCK_IMAGE.
|
|
FROM ghcr.io/luckypipewrench/pipelock@sha256:3b1a39417b98406ddc5dc2d8fcb42865ddc0c68a43d355db55f0f8cb06bc6de9 AS pipelock-src
|
|
|
|
# Stage 2: gitleaks binary. The upstream gitleaks image is alpine
|
|
# with the binary at /usr/bin/gitleaks. Pinned by digest in lockstep
|
|
# with Dockerfile.git-gate's prior base (now deleted at chunk 3).
|
|
FROM zricethezav/gitleaks@sha256:c00b6bd0aeb3071cbcb79009cb16a60dd9e0a7c60e2be9ab65d25e6bc8abbb7f AS gitleaks-src
|
|
|
|
# Stage 3: assembly. mitmproxy/mitmproxy is debian-slim-based with
|
|
# Python + mitmdump pre-installed — heavier than the others, so
|
|
# this stage starts there and pulls the standalone binaries in.
|
|
FROM mitmproxy/mitmproxy:11.1.3
|
|
|
|
# Run as root inside the bundle. The bundle is the isolation
|
|
# boundary; per-daemon user separation inside it is not load-bearing
|
|
# and complicates the supervisor's spawn path.
|
|
USER root
|
|
|
|
# Runtime system deps:
|
|
# git supplies the `git daemon` subcommand (no separate package)
|
|
# plus the core `git` binary the pre-receive hook invokes.
|
|
# openssh-client supplies the upstream SSH transport the
|
|
# pre-receive hook uses to forward accepted refs.
|
|
# ca-certificates is needed for both pipelock and mitmdump
|
|
# upstream TLS (the base image already has it; listed for
|
|
# explicitness).
|
|
RUN apt-get update \
|
|
&& apt-get install -y --no-install-recommends \
|
|
git openssh-client ca-certificates \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
# Pull the standalone binaries into the final image.
|
|
COPY --from=pipelock-src /pipelock /usr/local/bin/pipelock
|
|
COPY --from=gitleaks-src /usr/bin/gitleaks /usr/bin/gitleaks
|
|
|
|
# Project Python: addon + server modules + the init supervisor.
|
|
# Kept flat under /app/ so mitmdump's loader resolves them as
|
|
# top-level siblings (absolute imports), matching the prior
|
|
# Dockerfile.egress / Dockerfile.supervise layout.
|
|
COPY bot_bottle/egress_addon_core.py /app/egress_addon_core.py
|
|
COPY bot_bottle/egress_addon.py /app/egress_addon.py
|
|
COPY bot_bottle/yaml_subset.py /app/yaml_subset.py
|
|
COPY bot_bottle/supervise.py /app/supervise.py
|
|
COPY bot_bottle/supervise_server.py /app/supervise_server.py
|
|
COPY bot_bottle/sidecar_init.py /app/sidecar_init.py
|
|
COPY bot_bottle/egress_entrypoint.sh /app/egress-entrypoint.sh
|
|
RUN chmod +x /app/egress-entrypoint.sh
|
|
|
|
# Pre-create runtime directories the compose renderer + start
|
|
# step expect to exist. `docker cp` does not create intermediate
|
|
# dirs, and bind mounts won't either if the parent is missing.
|
|
RUN mkdir -p \
|
|
/etc/egress \
|
|
/etc/git-gate \
|
|
/git-gate/creds \
|
|
/git \
|
|
/run/supervise/queue \
|
|
/home/mitmproxy/.mitmproxy
|
|
|
|
# Documentation only — the compose renderer publishes whichever
|
|
# subset the bottle uses.
|
|
EXPOSE 8888 9099 9418 9100
|
|
|
|
# WORKDIR matches Dockerfile.supervise's prior layout so the
|
|
# in-app same-dir import in supervise_server.py stays deterministic.
|
|
WORKDIR /app
|
|
|
|
# PID 1 is the supervisor. It owns signal handling and exit-code
|
|
# propagation; no `exec` chain in the entrypoint itself.
|
|
ENTRYPOINT ["python3", "/app/sidecar_init.py"]
|