diff --git a/.github/workflows/docker-lint.yml b/.github/workflows/docker-lint.yml
index b13418d1b50..b1a2cd8742d 100644
--- a/.github/workflows/docker-lint.yml
+++ b/.github/workflows/docker-lint.yml
@@ -27,28 +27,20 @@ jobs: - name: Checkout uses: actions/checkout@v4 - - name: Install npm and dockerfilelint + - name: Install hadolint run: | - sudo apt-get update - sudo apt-get install nodejs npm -y --no-install-recommends - npm install -g dockerfilelint - wget https://github.com/replicatedhq/dockerfilelint/pull/201.patch -O /usr/local/lib/node_modules/dockerfilelint/201.patch - CURRENT_DIR=$PWD - cd /usr/local/lib/node_modules/dockerfilelint/ - git apply 201.patch - cd $CURRENT_DIR - cat << RULES > ./.dockerfilelintrc - rules: - sudo_usage: off - RULES + sudo wget https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64 -O /usr/bin/hadolint + sudo chmod +x /usr/bin/hadolint - name: run lint run: | DOCKERFILES="$(find ./Containers -name Dockerfile)" mapfile -t DOCKERFILES <<< "$DOCKERFILES" for file in "${DOCKERFILES[@]}"; do - dockerfilelint "$file" --config ./ | tee -a ./dockerfilelint.log + # DL3018 warning: Pin versions in apk add. Instead of `apk add ` use `apk add =` + # DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check + hadolint "$file" --ignore DL3018 --ignore DL4006 | tee -a ./hadolint.log done - if grep "^Issues: [0-9]" ./dockerfilelint.log; then + if grep -q "DL[0-9]\+\|SC[0-9]\+" ./hadolint.log; then exit 1 fi
diff --git a/Containers/borgbackup/Dockerfile b/Containers/borgbackup/Dockerfile
index cac1f947340..0fcdfced507 100644
--- a/Containers/borgbackup/Dockerfile
+++ b/Containers/borgbackup/Dockerfile
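Review bot: The new install step downloads `hadolint-Linux-x86_64` from the `releases/latest/download` URL with no version pin and no checksum, then marks it executable and runs it over every Dockerfile in the repository, so the linter is whatever the latest release happens to serve on the day the job runs and the result can be neither verified nor reproduced. Pin a release and verify the file before the `chmod`: `sudo wget "https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-Linux-x86_64" -O /usr/bin/hadolint` followed by `echo "<SHA256_PLACEHOLDER>  /usr/bin/hadolint" | sha256sum -c -`, with `HADOLINT_VERSION` set in the step's `env:` (both placeholders to be filled from the chosen release). The `grep -q "DL[0-9]\+\|SC[0-9]\+" ./hadolint.log` gate at the end relies on `tee -a` masking hadolint's own exit status so that all files are linted before the job fails; whether that holds depends on the job's `shell:` setting, which is outside the hunk, so a one-line comment stating that the grep is the intended failure gate would keep a later `pipefail` change from silently short-circuiting the loop.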
@@ -16,6 +16,7 @@ VOLUME /root COPY --chmod=770 *.sh / ENTRYPOINT ["/start.sh"] +# hadolint ignore=DL3002 USER root LABEL com.centurylinklabs.watchtower.enable="false"
diff --git a/Containers/clamav/Dockerfile b/Containers/clamav/Dockerfile
index 2d1fb25ce93..94f8a229914 100644
--- a/Containers/clamav/Dockerfile
+++ b/Containers/clamav/Dockerfile
@@ -5,7 +5,7 @@ COPY clamav.conf /tmp/clamav.conf RUN set -ex; \ apk add --no-cache tzdata; \ - cat /tmp/clamav.conf | tee -a /etc/clamav/clamd.conf; \ + cat /tmp/clamav.conf > /etc/clamav/clamd.conf; \ rm /tmp/clamav.conf; \ mkdir -p /var/run/clamav /run/lock; \ chown -R clamav:clamav /var/run/clamav /run/clamav /var/log/clamav /var/lock /run/lock; \
diff --git a/Containers/collabora/Dockerfile b/Containers/collabora/Dockerfile
index efa16079f32..01bf66d8b24 100644
--- a/Containers/collabora/Dockerfile
+++ b/Containers/collabora/Dockerfile
@@ -3,6 +3,7 @@ FROM collabora/code:23.05.4.1.1 USER root +# hadolint ignore=DL3008 RUN set -ex; \ \ apt-get update; \
diff --git a/Containers/docker-socket-proxy/Dockerfile b/Containers/docker-socket-proxy/Dockerfile
index 7dd94c997e0..188cb2c28ff 100644
--- a/Containers/docker-socket-proxy/Dockerfile
+++ b/Containers/docker-socket-proxy/Dockerfile
@@ -1,5 +1,6 @@ FROM haproxy:2.8.3-alpine3.18 +# hadolint ignore=DL3002 USER root ENV NEXTCLOUD_HOST nextcloud-aio-nextcloud RUN set -ex; \
diff --git a/Containers/fulltextsearch/Dockerfile b/Containers/fulltextsearch/Dockerfile
index 8468a552f13..d51f5cb23e2 100644
--- a/Containers/fulltextsearch/Dockerfile
+++ b/Containers/fulltextsearch/Dockerfile
@@ -3,6 +3,7 @@ FROM elasticsearch:8.10.1 USER root +# hadolint ignore=DL3008 RUN set -ex; \ \ export DEBIAN_FRONTEND=noninteractive; \
diff --git a/Containers/mastercontainer/Dockerfile b/Containers/mastercontainer/Dockerfile
index efef5a6f5b3..52172ae28de 100644
--- a/Containers/mastercontainer/Dockerfile
+++ b/Containers/mastercontainer/Dockerfile
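Review bot: `# hadolint ignore=DL3002` above `USER root` in borgbackup silences the last-user-is-root check without recording why this image has to end as root, so the exception is now invisible to both the linter and the next reader; the same bare suppression is added in docker-socket-proxy, in the third mastercontainer hunk, in the last nextcloud hunk and in watchtower. Keep the suppression but put a one-line justification directly above it, e.g. `# Runs as root: start.sh needs <reason to be filled in by a maintainer> (DL3002 suppressed below)`. Leave the `# hadolint ignore=DL3002` line immediately before `USER root`, since hadolint only honours an inline ignore on the line directly preceding the instruction.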
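Review bot: Replacing `cat /tmp/clamav.conf | tee -a /etc/clamav/clamd.conf` with `cat /tmp/clamav.conf > /etc/clamav/clamd.conf` in the clamav hunk changes behaviour rather than just removing the pipe: `tee -a` appended the repo's settings to whatever clamd.conf the image already contained, whereas `>` truncates that file, so any directive that only existed in the image's own config is dropped (the FROM line is outside the hunk, so I cannot confirm what that file held). If the goal was only to satisfy DL4006, the behaviour-preserving form is `cat /tmp/clamav.conf >> /etc/clamav/clamd.conf; \`; if the repo file is meant to be the complete configuration, `cp` or `mv` expresses that and a comment should say so. The enclosing RUN continues past the hunk.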
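Review bot: `# hadolint ignore=DL3008` in the collabora hunk turns off the apt version-pin check for the entire `RUN apt-get …` block, whose body extends beyond the hunk, without stating why pinning is not wanted; fulltextsearch gets the same undocumented suppression. A short reason keeps the exception reviewable and bounded, e.g. `# DL3008: apt package versions follow the pinned base-image tag rather than being pinned here` (only if that is the actual reason). Ideally the ignore would sit on the smallest RUN that needs it rather than a multi-purpose one.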
@@ -16,6 +16,7 @@ COPY --from=docker /usr/local/bin/docker /usr/local/bin/docker WORKDIR /var/www/docker-aio +# hadolint ignore=SC2086,DL3047,DL3003,DL3004 RUN set -ex; \ apk add --no-cache shadow; \ groupmod -g 333 xfs; \
@@ -50,7 +51,7 @@ RUN set -ex; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --virtual .nextcloud-aio-rundeps $runDeps; \ + apk add --no-cache --virtual .nextcloud-aio-rundeps $runDeps; \ apk del .build-deps; \ grep -q '^pm = dynamic' /usr/local/etc/php-fpm.d/www.conf; \ sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \
@@ -120,6 +121,7 @@ COPY --chmod=664 Caddyfile /Caddyfile COPY --chmod=664 supervisord.conf /supervisord.conf COPY mastercontainer.conf /etc/apache2/sites-available/mastercontainer.conf +# hadolint ignore=DL3002 USER root ENTRYPOINT ["/start.sh"]
diff --git a/Containers/nextcloud/Dockerfile b/Containers/nextcloud/Dockerfile
index e76230552a7..70e73bdffdc 100644
--- a/Containers/nextcloud/Dockerfile
+++ b/Containers/nextcloud/Dockerfile
@@ -16,6 +16,7 @@ VOLUME /mnt/ncdata VOLUME /var/www/html # Custom: change id of www-data user as it needs to be the same like on old installations +# hadolint ignore=SC2086,DL3003 RUN set -ex; \ apk add --no-cache shadow; \ deluser www-data; \
@@ -85,7 +86,7 @@ RUN set -ex; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --virtual .nextcloud-phpext-rundeps $runDeps; \ + apk add --no-cache --virtual .nextcloud-phpext-rundeps $runDeps; \ apk del .build-deps; \ \ # set recommended PHP.ini settings
@@ -170,7 +171,7 @@ RUN set -ex; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --virtual .nextcloud-phpext-rundeps $runDeps; \ + apk add --no-cache --virtual .nextcloud-phpext-rundeps $runDeps; \ apk del .build-deps; \ \ mkdir -p \
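Review bot: `# hadolint ignore=SC2086,DL3047,DL3003,DL3004` in the first mastercontainer hunk suppresses four unrelated checks for one very long RUN whose body runs far past the hunk, including DL3004 (sudo inside RUN) and DL3003 (cd inside RUN), with nothing saying which line triggers which code; the nextcloud hunk's `# hadolint ignore=SC2086,DL3003` has the same shape. SC2086 is presumably wanted because `$runDeps` in the second hunk must word-split into one apk argument per package, so say so: `# SC2086: $runDeps is intentionally unquoted so apk receives one argument per package`. For DL3003 and DL3004 a comment naming the step that needs `cd` or `sudo` (not visible in the hunk) would let a later reader narrow or drop the suppression, and DL3047 (wget without --progress) is cosmetic and could be fixed by adding the flag instead of ignored.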
@@ -219,6 +220,7 @@ RUN set -ex; \ # Give root a random password echo "root:$(openssl rand -base64 12)" | chpasswd +# hadolint ignore=DL3002 USER root ENTRYPOINT ["/start.sh"] CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
diff --git a/Containers/talk-recording/Dockerfile b/Containers/talk-recording/Dockerfile
index 03da749d5e2..b5228ae5ec7 100644
--- a/Containers/talk-recording/Dockerfile
+++ b/Containers/talk-recording/Dockerfile
@@ -30,7 +30,7 @@ RUN set -ex; \ echo "root:$(openssl rand -base64 12)" | chpasswd; \ git clone --recursive https://github.com/nextcloud/spreed --depth=1 --single-branch --branch "$RECORDING_VERSION" /src; \ mv -v /src/recording/pyproject.toml /src/recording/src/pyproject.toml; \ - python3 -m pip install /src/recording/src; \ + python3 -m pip install --no-cache-dir /src/recording/src; \ rm -rf /src; \ touch /etc/recording.conf; \ chown recording:recording -R \
diff --git a/Containers/watchtower/Dockerfile b/Containers/watchtower/Dockerfile
index 3c5889f7e7a..ffa4ac5e9cf 100644
--- a/Containers/watchtower/Dockerfile
+++ b/Containers/watchtower/Dockerfile
@@ -8,6 +8,7 @@ COPY --from=watchtower /watchtower /watchtower COPY --chmod=775 start.sh /start.sh +# hadolint ignore=DL3002 USER root ENTRYPOINT ["/start.sh"]