fix(docker): multi-arch image build (amd64+arm64) -- closes #223 #445
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,66 @@ | ||
| # ------------------------------------------------------------------ | ||
| # INACTIVE BY DEFAULT -- manual trigger only (workflow_dispatch). | ||
| # | ||
| # This workflow builds and publishes a multi-architecture Docker image | ||
| # (linux/amd64 + linux/arm64) to Docker Hub. | ||
| # | ||
| # TO ACTIVATE: | ||
| # 1. Add two repository secrets (Settings > Secrets and variables > Actions): | ||
| # DOCKERHUB_USERNAME - your Docker Hub username | ||
| # DOCKERHUB_TOKEN - a Docker Hub access token (not your password) | ||
| # 2. Optionally add automatic triggers by uncommenting the lines below: | ||
| # push: | ||
| # branches: [master] | ||
| # paths: ['VMs/Dockerfile'] | ||
| # release: | ||
| # types: [published] | ||
| # | ||
| # Until you do both steps, this workflow does nothing on its own. | ||
| # ------------------------------------------------------------------ | ||
|
|
||
| name: Docker Publish | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| # Uncomment the triggers below when ready to automate: | ||
| # push: | ||
| # branches: [master] | ||
| # paths: ['VMs/Dockerfile'] | ||
| # release: | ||
| # types: [published] | ||
|
|
||
| env: | ||
| IMAGE_NAME: owasp/benchmark | ||
| PLATFORMS: linux/amd64,linux/arm64 | ||
|
|
||
| jobs: | ||
| build-and-push: | ||
| runs-on: ubuntu-latest | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up QEMU (multi-arch emulation) | ||
| uses: docker/setup-qemu-action@v3 | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
|
|
||
| - name: Log in to Docker Hub | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
|
|
||
| - name: Build and push multi-arch image | ||
| uses: docker/build-push-action@v6 | ||
| with: | ||
| context: VMs | ||
| file: VMs/Dockerfile | ||
| platforms: ${{ env.PLATFORMS }} | ||
| push: true | ||
| tags: ${{ env.IMAGE_NAME }}:latest | ||
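Review bot: every `uses:` in this workflow (`actions/checkout@v4`, `docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`, `docker/login-action@v3`, `docker/build-push-action@v6`) is pinned to a mutable major-version tag, and these steps run with `DOCKERHUB_TOKEN` in scope, so the publish job trusts whatever those tags point to on a given day; pin each action to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<sha> # v4`. Separately, `tags: ${{ env.IMAGE_NAME }}:latest` publishes only a moving tag, which gives consumers nothing to roll back to if a bad build lands; add an immutable tag alongside it such as `${{ env.IMAGE_NAME }}:${{ github.sha }}` (build-push-action's `tags:` accepts a newline-separated list). The `permissions: contents: read` block is a good least-privilege default and should stay as is.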
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,44 +1,45 @@ | ||
| # This dockerfile builds a container that pulls down and runs the latest version of BenchmarkJava | ||
| FROM ubuntu:latest | ||
| FROM ubuntu:22.04 | ||
|
Contributor
Shouldn't this simply be latest, like it was previously?
Contributor
Author
It can be, if you want it to be. Pinning it to 22.04 guarantees the environment builds exactly the same way every time. That said, if you strongly prefer it to track the bleeding edge and don't mind the occasional upstream breakage, I'm happy to change it back to latest! Let me know what you prefer. |
||
| LABEL org.opencontainers.image.authors="Dave Wichers dave.wichers@owasp.org" | ||
|
|
||
| RUN apt-get update | ||
| RUN DEBIAN_FRONTEND="noninteractive" apt-get -y install tzdata | ||
| RUN apt-get install -q -y \ | ||
| openjdk-17-jre-headless \ | ||
| openjdk-17-jdk \ | ||
| git \ | ||
| maven \ | ||
| wget \ | ||
| iputils-ping \ | ||
| && apt-get clean | ||
| RUN apt-get update \ | ||
| && DEBIAN_FRONTEND="noninteractive" apt-get -y install tzdata \ | ||
| && apt-get install -q -y \ | ||
| openjdk-17-jre-headless \ | ||
| openjdk-17-jdk \ | ||
| git \ | ||
| maven \ | ||
| wget \ | ||
| iputils-ping \ | ||
| && apt-get clean \ | ||
| && rm -rf /var/lib/apt/lists/* | ||
|
|
||
| RUN mkdir /owasp | ||
| WORKDIR /owasp | ||
|
|
||
| # Download, build, install Benchmark Utilities required by crawler and scorecard generation | ||
| RUN git clone https://github.com/OWASP-Benchmark/BenchmarkUtils.git | ||
| WORKDIR /owasp/BenchmarkUtils | ||
| RUN mvn install | ||
| RUN git clone https://github.com/OWASP-Benchmark/BenchmarkUtils.git \ | ||
| && cd BenchmarkUtils \ | ||
| && mvn install | ||
|
|
||
| # Download, build BenchmarkJava | ||
| WORKDIR /owasp | ||
| RUN git clone https://github.com/OWASP-Benchmark/BenchmarkJava | ||
|
|
||
| # Workaround for security fix for CVE-2022-24765 | ||
| RUN git config --global --add safe.directory /owasp/BenchmarkJava | ||
| RUN git clone https://github.com/OWASP-Benchmark/BenchmarkJava \ | ||
| && git config --global --add safe.directory /owasp/BenchmarkJava \ | ||
| && cd BenchmarkJava \ | ||
| && mvn clean package cargo:install | ||
|
|
||
| WORKDIR /owasp/BenchmarkJava | ||
| RUN mvn clean package cargo:install | ||
|
|
||
| RUN useradd -d /home/bench -m -s /bin/bash bench | ||
| RUN echo bench:bench | chpasswd | ||
| RUN useradd -d /home/bench -m -s /bin/bash bench \ | ||
| && echo bench:bench | chpasswd | ||
|
|
||
| RUN chown -R bench /owasp/ | ||
| ENV PATH=/owasp/BenchmarkJava:$PATH | ||
|
|
||
| # start up Benchmark once, for 60 seconds, then kill it, so the additional dependencies required to run it are downloaded/cached in the image as well. | ||
| # exit 0 is required to return a 'success' code, otherwise the timeout returns a failure code, causing the Docker build to fail. | ||
| # Start up Benchmark once for 60 seconds then kill it, so additional runtime | ||
| # dependencies are downloaded and cached in the image. | ||
| # exit 0 prevents the timeout return code from failing the Docker build. | ||
| WORKDIR /owasp/BenchmarkJava | ||
| RUN timeout 60 ./runBenchmark.sh; exit 0 | ||
|
|
||
| EXPOSE 8443 | ||
| CMD ["./runBenchmark.sh"] | ||
|
|
||
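Review bot: `useradd -d /home/bench -m -s /bin/bash bench` and `chown -R bench /owasp/` prepare an unprivileged user, but no `USER bench` instruction appears before `CMD ["./runBenchmark.sh"]`, so the container still starts Benchmark as root; add `USER bench` right after the `chown`, ahead of the warm-up `RUN timeout 60 ./runBenchmark.sh; exit 0`, so the dependencies that step downloads are cached in the home directory the runtime user will actually read rather than under `/root`. The reproducibility argument given for `FROM ubuntu:22.04` in the thread above also does not extend to the rest of the file: both `git clone` steps fetch the unpinned HEAD of BenchmarkUtils and BenchmarkJava and `apt-get install` takes whatever the 22.04 repositories currently serve, so two builds on different days can still differ; pinning the clones to a tag or commit (`git clone --branch <tag> ...`) would make the base-image pin meaningful. `echo bench:bench | chpasswd` is carried over unchanged and bakes a well-known password into the image; a short comment stating that the account is only intended for interactive use inside the container would help the next reader.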
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,16 +1,28 @@ | ||
| # Pull in latest version of ubuntu. This builds an image using the OS native to this platform. | ||
| docker pull ubuntu:latest | ||
| # Remove any ubuntu:<none> image if it was left behind by a new version of ubuntu:latest being pulled | ||
| i=$(docker images | grep "ubuntu" | grep "<none" | awk '{print $3}') | ||
| if [ "$i" ] | ||
| then | ||
| docker rmi $i | ||
| #!/usr/bin/env bash | ||
| set -euo pipefail | ||
|
|
||
| IMAGE="owasp/benchmark" | ||
| TAG="latest" | ||
| PLATFORMS="linux/amd64,linux/arm64" | ||
| BUILDER_NAME="benchmark-multiarch" | ||
|
|
||
| # Create (or re-use) a buildx builder that supports multi-platform builds. | ||
| if ! docker buildx inspect "$BUILDER_NAME" >/dev/null 2>&1; then | ||
| echo "Creating buildx builder: $BUILDER_NAME" | ||
| docker buildx create --name "$BUILDER_NAME" --use | ||
| else | ||
| docker buildx use "$BUILDER_NAME" | ||
| fi | ||
|
|
||
| # Since Docker doesn't auto delete anything, just like for the Ubuntu update, delete any existing benchmark:latest image before building a new one | ||
| docker image rm benchmark:latest | ||
| docker build -t benchmark . | ||
| # Build and push a multi-architecture image in one step. | ||
| # --push is required because multi-arch manifest lists cannot be loaded into | ||
| # the local daemon. The image is pushed directly to Docker Hub. | ||
| echo "Building ${IMAGE}:${TAG} for ${PLATFORMS} ..." | ||
| docker buildx build \ | ||
| --platform "$PLATFORMS" \ | ||
| --tag "${IMAGE}:${TAG}" \ | ||
| --push \ | ||
| . | ||
|
|
||
| # Once verified/tested, to publish an update to the OWASP Benchmark Docker image, run the following: | ||
| # docker push owasp/benchmark:latest | ||
| echo "Done. Published ${IMAGE}:${TAG} for ${PLATFORMS}." | ||
|
|
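Review bot: the rewritten script publishes as a side effect of building. The previous version built a local `benchmark:latest` and kept `docker push owasp/benchmark:latest` as a separate, commented-out step to run "once verified/tested"; the new version always passes `--push`, so anyone running it with Docker Hub credentials overwrites `owasp/benchmark:latest` before testing anything. Gate the push behind an explicit flag, e.g. `PUSH="${PUSH:-false}"` and add `--push` only when it is `true`, and offer a single-platform local path (`--load` works when `--platform` names one architecture, which is what a developer needs to smoke-test the image); the comment at `--push is required because multi-arch manifest lists cannot be loaded into the local daemon` should then be reworded to say `--load` is unavailable only for multi-platform builds.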
@davewichers (how) do you publish docker images? https://hub.docker.com/r/owasp/benchmark this one is some months old. This workflow could help automating this, but if you prefer manual publish, we do not need it.