refactor: Lint all docker files with Hadolint

.github/workflows/deploy-docker-images.yml

@@ -12,8 +12,23 @@ env:
   images: capella/base capella/remote capella/ease capella/readonly
 
 jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version: "3.11"
+      - name: Install pre-commit
+        run: |-
+          python -m pip install pre-commit
+      - name: Run pre-commit
+        run: |-
+          pre-commit run --all-files
+
   deploy-docker-images:
     runs-on: ubuntu-latest
+    needs: [lint]
     strategy:
       matrix:
         capella_version:

.hadolint.yaml

@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: Copyright DB Netz AG and the capella-collab-manager contributors
+# SPDX-License-Identifier: CC0-1.0
+
+failure-threshold: warning
+override:
+  info:
+    - DL3006
+    - DL3008

.pre-commit-config.yaml

@@ -106,3 +106,7 @@ repos:
     hooks:
       - id: pyupgrade
         args: ["--py311-plus"]
+  - repo: https://github.com/hadolint/hadolint
+    rev: v2.12.0
+    hooks:
+      - id: hadolint-docker

base/Dockerfile

@@ -49,10 +49,12 @@ ENV _OLD_VIRTUAL_PATH="$PATH"
 ENV VIRTUAL_ENV=/opt/.venv
 ENV PATH="$VIRTUAL_ENV/bin:$PATH"
 
-RUN ln -s $(which python3.11) /usr/bin/python && \
-    ln -sf $(which python3.11) /usr/bin/python3 && \
-    ln -sf $(which pip3.11) /usr/local/bin/pip && \
-    ln -sf $(which pip3.11) /usr/local/bin/pip3 && \
+RUN ln -s "$(which python3.11)" /usr/bin/python && \
+    ln -sf "$(which python3.11)" /usr/bin/python3 && \
+    ln -sf "$(which pip3.11)" /usr/local/bin/pip && \
+    ln -sf "$(which pip3.11)" /usr/local/bin/pip3 && \
     python -m venv /opt/.venv && \
     chmod -R 777 /opt/.venv/bin/ && \
     chmod -R 777 /opt/.venv/lib/python3.11/site-packages
+
+USER techuser

builder/Dockerfile

@@ -10,7 +10,7 @@ ENV SHELL=/bin/bash
 RUN apt-get update && \
     apt-get install -y maven
 
-RUN pip install --break-system-packages lxml
+RUN pip install --break-system-packages --no-cache-dir lxml==4.9.3
 
 COPY inject_architecture_into_pom.py /opt/inject_architecture_into_pom.py
 COPY build_capella_from_source.sh /opt/build_capella_from_source.sh

capella/Dockerfile

@@ -12,13 +12,16 @@ SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 ENV SHELL=/bin/bash
 
 FROM base as old_gtk_true
+
+ONBUILD USER root
+
 # Install WebKit with GTK
 ONBUILD COPY libs /tmp/libs
 ONBUILD ARG INJECT_PACKAGES=false
-ONBUILD RUN if [[ "$INJECT_PACKAGES" = "true" ]]; then \
+ONBUILD RUN if [ "$INJECT_PACKAGES" = "true" ]; then \
     apt-get update && \
     # Inject old packages manually
-    apt-get install -y $(find /tmp/libs -iname "*.deb"); \
+    find /tmp/libs -iname "*.deb" -exec apt-get install -y {} \; ; \
     rm -rf /var/lib/apt/lists/*; \
     rm -r /tmp/libs; \
     else \
@@ -38,6 +41,8 @@ ONBUILD RUN if [[ "$INJECT_PACKAGES" = "true" ]]; then \
     rm -rf /var/lib/apt/lists/*;
 
 FROM base as old_gtk_false
+
+ONBUILD USER root
 ONBUILD COPY libs /tmp/libs
 ONBUILD RUN apt-get update && \
     apt-get install -y \
@@ -55,7 +60,7 @@ FROM base_new as build_online
 # https://github.com/moby/moby/issues/26533#issuecomment-246966836
 ONBUILD ARG CAPELLA_VERSION="5.2.0"
 ONBUILD COPY ./download_archive.py /opt/.download_archive.py
-ONBUILD RUN pip install requests lxml && \
+ONBUILD RUN pip install --no-cache-dir requests==2.31.0 lxml==4.9.3 && \
     python .download_archive.py ${CAPELLA_VERSION};
 
 FROM base_new as build_offline
@@ -115,7 +120,7 @@ ARG MEMORY_LIMIT=5500m
 RUN echo '-Dorg.eclipse.equinox.p2.transport.ecf.retry=15' >> /opt/capella/capella.ini && \
     echo '-Dorg.eclipse.ecf.provider.filetransfer.retrieve.readTimeout=10000' >> /opt/capella/capella.ini && \
     sed -i "s/-Xmx[^ ]*/-Xmx$MEMORY_LIMIT/g" /opt/capella/capella.ini
-RUN pip install PyYAML && python install_dropins.py
+RUN pip install --no-cache-dir PyYAML==6.0.1 && python install_dropins.py
 
 COPY ./versions/${CAPELLA_VERSION}/patches /opt/patches
 RUN PATCH_DIR=/opt/patches /opt/patch.sh
@@ -157,3 +162,5 @@ COPY startup.sh /startup.sh
 ENTRYPOINT [ "/tini", "--", "/startup.sh" ]
 
 ENV BASE_TYPE=capella
+
+USER techuser

ease/Dockerfile

@@ -9,6 +9,8 @@ FROM $BASE_IMAGE as prebuild
 SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 ENV SHELL=/bin/bash
 
+USER root
+
 # Somehow OpenJDK does not install in one shot due to a (cyclic?) dependency on
 # package ca-certificates-java. Performing the install again fixes it.
 RUN apt-get update && \
@@ -25,7 +27,9 @@ RUN git config --global user.name $GIT_USERNAME && \
 # Use Virtual Display
 ENV DISPLAY :99
 
-RUN pip install py4j
+RUN pip install --no-cache-dir py4j==0.10.9.7
+
+USER techuser
 
 # Offline build (fixed version)
 FROM prebuild as build_offline
@@ -42,8 +46,6 @@ ONBUILD ENV SWTBOT_REPOSITORY=https://download.eclipse.org/technology/swtbot/rel
 
 FROM build_${BUILD_TYPE}
 
-USER techuser
-
 # Install EASE Dependencies
 # - org.py4j.feature.feature.group
 RUN /opt/capella/capella \
@@ -88,7 +90,7 @@ USER root
 RUN rm -rf /tmp/extensions
 RUN echo "-Dorg.eclipse.swtbot.search.timeout=1000" >> /opt/capella/capella.ini
 
-RUN pip install pyease
+RUN pip install --no-cache-dir pyease==0.2.0
 
 ENV EASE_WORKSPACE /workspace
 ENV EASE_SCRIPTS_LOCATION /opt/scripts
@@ -109,4 +111,7 @@ RUN chmod +rx /etc/git_askpass.py
 
 COPY startup.sh /opt/startup.sh
 RUN chmod +x /opt/startup.sh
+
+USER techuser
+
 ENTRYPOINT [ "/opt/startup.sh" ]

ease/debug/Dockerfile

@@ -6,20 +6,24 @@ FROM $BASE_IMAGE
 
 USER root
 
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 RUN apt-get update && apt-get install -y wget
 ARG NETWORK_ACCESS=unrestricted
 
 COPY libs /tmp/libs
 RUN if [ "$NETWORK_ACCESS" = "restricted" ]; then \
     apt-get update && \
-    apt-get install -y $(find /tmp/libs -iname "*.deb"); \
+    find /tmp/libs -iname "*.deb" -exec apt-get install -y {} \; ; \
     else \
     wget -qO - https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/raw/master/pub.gpg \
     | gpg --dearmor \
     | dd of=/usr/share/keyrings/vscodium-archive-keyring.gpg && \
     echo 'deb [ signed-by=/usr/share/keyrings/vscodium-archive-keyring.gpg ] https://download.vscodium.com/debs vscodium main' \
     | tee /etc/apt/sources.list.d/vscodium.list && \
-    apt-get update && apt install -y codium; \
+    apt-get update && apt-get install -y codium; \
     fi && \
     rm -rf /var/lib/apt/lists/* && \
     rm -r /tmp/libs;
+
+USER techuser

eclipse/Dockerfile

@@ -11,6 +11,7 @@ SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 ENV SHELL=/bin/bash
 
 FROM base as build_online
+ONBUILD USER root
 ONBUILD ENV EGIT_REPOSITORY=https://download.eclipse.org/egit/updates/
 
 FROM base as build_offline
@@ -64,3 +65,5 @@ ENV ECLIPSE_INSTALLATION_PATH=/opt/eclipse
 ENV ECLIPSE_EXECUTABLE=/opt/eclipse/eclipse
 
 ENV BASE_TYPE=eclipse
+
+USER techuser

jupyter-notebook/Dockerfile

@@ -4,8 +4,10 @@
 ARG BASE_IMAGE=base
 FROM $BASE_IMAGE
 
-RUN apt update && \
-    apt install --yes --no-install-recommends \
+USER root
+
+RUN apt-get update && \
+    apt-get install --yes --no-install-recommends \
     git \
     git-lfs \
     libgirepository1.0-dev \
@@ -30,7 +32,7 @@ ENV _OLD_VIRTUAL_PATH="$PATH"
 ENV VIRTUAL_ENV=/home/techuser/.venv
 ENV PATH="$VIRTUAL_ENV/bin:$PATH"
 
-RUN python3 -m pip install -r /etc/skel/requirements_template.txt jupyterlab jupyter-collaboration && \
+RUN python3 -m pip install --no-cache-dir -r /etc/skel/requirements_template.txt jupyterlab jupyter-collaboration && \
     jupyter labextension disable "@jupyterlab/extensionmanager-extension" && \
     jupyter labextension disable "@jupyterlab/apputils-extension:announcements" && \
     mkdir /home/techuser/.jupyter && chown techuser /home/techuser/.jupyter
@@ -44,4 +46,4 @@ EXPOSE $JUPYTER_PORT
 
 WORKDIR $HOME
 
-ENTRYPOINT "/docker-entrypoint.sh"
+ENTRYPOINT ["/docker-entrypoint.sh"]

readonly/Dockerfile

@@ -9,7 +9,7 @@ ENV SHELL=/bin/bash
 
 USER root
 
-RUN pip install lxml
+RUN pip install --no-cache-dir lxml==4.9.3
 COPY load_models.py /opt/scripts/load_models.py
 RUN chown -R techuser /opt/capella
 ENV EASE_LOG_LOCATION=/proc/1/fd/1

remote/Dockerfile

@@ -30,7 +30,7 @@ COPY wallpaper.png /tmp/wallpaper.png
 COPY bg-saved.cfg /home/techuser/.config/nitrogen/bg-saved.cfg
 
 # Copy Supervisor Configuration
-RUN pip install supervisor
+RUN pip install --no-cache-dir supervisor==4.2.5
 COPY supervisord.conf /etc/supervisord.conf
 
 # Allow any user to start the RDP server
@@ -50,7 +50,7 @@ COPY startup.sh .startup.sh
 RUN chmod 755 .startup.sh /home/techuser/.config/openbox/autostart
 
 # Prepare idletime metric endpoint
-RUN pip install prometheus-client
+RUN pip install --no-cache-dir prometheus-client==0.17.1
 
 COPY metrics.py .metrics.py
 RUN chown techuser /home/techuser/.metrics.py

t4c/Dockerfile

@@ -34,7 +34,7 @@ COPY export.py /opt/scripts/export.py
 # Install T4C
 COPY ./updateSite/$CAPELLA_VERSION /opt/updateSite
 WORKDIR /opt/updateSite
-RUN chmod +r $(ls /opt/updateSite/*.zip)
+RUN find /opt/updateSite -type f -name "*.zip" -exec chmod +r {} \;
 
 USER techuser
 ## Install T4C Plugins via the P2 API from Eclipse
@@ -60,4 +60,6 @@ RUN chown techuser /opt/capella/capella.ini && \
 WORKDIR /opt
 ENV BASE_TYPE=t4c
 
+USER techuser
+
 ENTRYPOINT [ "/tini", "--", "/docker_entrypoint.sh" ]

tests/local-git-server/Dockerfile

@@ -18,8 +18,8 @@ COPY lighttpd.conf /etc/lighttpd/lighttpd.conf
 RUN mkdir -p /var/www/git/git-test-repo.git
 
 WORKDIR /var/www/git/git-test-repo.git
-RUN git init -b main --bare
-RUN git config --local http.receivepack true
+RUN git init -b main --bare && \
+    git config --local http.receivepack true
 
 WORKDIR /