71 changes: 46 additions & 25 deletions docker/Dockerfile
@@ -1,43 +1,64 @@
# Stage 1: The Builder
FROM rust:1.84 AS orion-builder
Contributor
high

The base image tag rust:1.84 may not be valid or the latest. Using an invalid or outdated tag can cause build failures or introduce unexpected behavior. Verify the correct tag for the Rust builder image and consider using a specific versioned tag (e.g., rust:1.79.0-bookworm) or a floating tag (e.g., rust:1-bookworm) to balance stability and updates.


#RUN rustup component add rustfmt
# install build-time dependencies for the Rust application.
RUN apt-get update && \
apt-get install -y protobuf-compiler && \
rm -rf /var/lib/apt/lists/*

# set the working directory inside the container.
WORKDIR /tmp/orion

RUN <<EOF
apt update
apt install -y protobuf-compiler
EOF
# copy the dependency manifests first to leverage Docker's layer caching.
COPY Cargo.toml Cargo.lock ./

# create a dummy main.rs file and workspace members. This is a common pattern
RUN mkdir -p src && echo 'fn main() {}' > src/main.rs

COPY ./orion-xds ./orion-xds
COPY ./orion-proxy ./orion-proxy
COPY ./orion-data-plane-api ./orion-data-plane-api
COPY ./orion-error ./orion-error
COPY ./orion-lib ./orion-lib
COPY ./envoy-data-plane-api ./envoy-data-plane-api
COPY ./orion-configuration ./orion-configuration
RUN set -e; \
for member in \
orion-lib \
orion-xds \
orion-proxy \
orion-error \
orion-configuration \
orion-data-plane-api \
envoy-data-plane-api; \
do \
mkdir -p "${member}/src"; \
printf '[package]\nname = "%s"\nversion = "0.1.0"\nedition = "2021"\n\n[lib]\npath = "src/lib.rs"\n' \
"${member}" > "${member}/Cargo.toml"; \
touch "${member}/src/lib.rs"; \
done

# fetch and download all dependencies defined in Cargo.lock.
RUN cargo fetch

COPY rustfmt.toml ./
COPY Cargo.toml ./
COPY Cargo.lock ./

# copy the rest of the application source code.
COPY . .
Contributor

high

The COPY . . command copies the entire project into the Docker image, including potentially sensitive or unnecessary files. Create a .dockerignore file to exclude files and directories not needed for the build, such as .git, target/, and editor-specific files. This reduces image size and improves build caching.


# build the application in release mode for performance.
RUN cargo build --release

### Split into two files; one to build and one to actually run it
###https://docs.docker.com/develop/develop-images/multistage-build/

# Stage 2: The Final Runtime Image
FROM debian:bookworm-slim
RUN <<EOF
apt update
apt upgrade -y
apt install -y ca-certificates libssl3
EOF

COPY ./docker/start_proxy.sh ./start_proxy.sh
# install the root CA certificates package.
RUN apt-get update && \
apt-get install -y --no-install-recommends ca-certificates && \
rm -rf /var/lib/apt/lists/*

# copy the runtime configuration file into the final image.
COPY ./orion-proxy/conf/orion-runtime.yaml /etc/orion/

# copy the startup script and make it executable.
COPY --chmod=+x ./docker/start_proxy.sh /start_proxy.sh

# copy only the compiled application binary from the builder stage.
COPY --from=orion-builder /tmp/orion/target/release/orion /orion

# expose the ports the application listens on.
EXPOSE 8080 8000 50051

# set the command that will be run when the container starts.
ENTRYPOINT ["/start_proxy.sh"]
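Review bot: the runtime stage's `apt-get install -y --no-install-recommends ca-certificates` drops the `libssl3` package that the previous heredoc block installed, and nothing in the builder stage shows a static or vendored TLS build, so if `/orion` links dynamically against OpenSSL it will fail to load on `debian:bookworm-slim`. Run `ldd` on the built binary and either add `libssl3` back to that install line or confirm the crate uses rustls or a vendored OpenSSL. The dependency-caching pattern is also only half done: the dummy `src/main.rs` followed by `cargo fetch` caches downloads but not compilation, so every source change still recompiles all dependencies in `cargo build --release`; running `cargo build --release` against the dummy before `COPY . .` (and invalidating the dummy's build artefact afterwards so Cargo rebuilds the real crate) is what makes the layer cache pay off.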
Contributor

high

The container currently runs as the root user. For enhanced security, create a dedicated non-root user and group for the application and switch to that user before running the application. Ensure the new user has the necessary permissions on /etc/orion/orion-runtime.yaml.

RUN groupadd --system orion && useradd --system --no-create-home --gid orion orion && chown -R orion:orion /etc/orion
USER orion

12 changes: 6 additions & 6 deletions docker/start_proxy.sh
@@ -1,9 +1,9 @@
#!/bin/bash
#./replace_control_plane.sh
#./orion --config orion-config.yaml
set -e

if [[ -n "${CONTROL_PLANE_IP}" ]]; then
sed -i "s|CONTROL_PLANE_IP|${CONTROL_PLANE_IP}|g" /etc/orion/orion-runtime.yaml
Contributor

critical

The sed command attempts to replace CONTROL_PLANE_IP in /etc/orion/orion-runtime.yaml, but this placeholder might not exist in the configuration file. Verify that orion-runtime.yaml contains the CONTROL_PLANE_IP placeholder. If it doesn't, the sed command will have no effect, and the control plane IP will not be configured as intended.

fi

echo "$@"
#echo "Config file "
export RUST_BACKTRACE=1
#more /orion-config/orion-bootstrap.yaml
./orion --config /orion-config/orion-bootstrap.yaml
exec /orion --config /etc/orion/orion-runtime.yaml
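Review bot: `echo "$@"` prints the container's arguments, but the new `exec /orion --config /etc/orion/orion-runtime.yaml` never forwards them, so anything passed after the image name on `docker run` is silently discarded; either append `"$@"` to the exec line or drop the echo so the script does not imply arguments are honoured. The `sed -i` also rewrites `/etc/orion/orion-runtime.yaml` in place on every start, which requires write access to `/etc/orion` (relevant if the image moves to a non-root `USER`), and because `${CONTROL_PLANE_IP}` is spliced unescaped into the replacement, a value containing `|` or `&` would corrupt the file; since the value is meant to be an IP address, validating its format before the substitution would close both gaps.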