[PR #932] [MERGED] Rootless Docker/Optimized build #1065

Closed
opened 2026-02-05 18:02:41 +03:00 by OVERLORD · 0 comments

📋 Pull Request Information

Original PR: https://github.com/pelican-dev/panel/pull/932
Author: @PseudoResonance
Created: 1/19/2025
Status: Merged
Merged: 1/23/2025
Merged by: @alexevladgabriel

Base: main ← Head: rootless-docker


📝 Commits (8)

  • 0ddf5c8 Rootless Dockerfile/Optimized build
  • 74f65c9 Remove install-php-extensions utility after use and name final stage
  • 20e46b5 Test arm64 runner
  • ed1473f Allow Docker workflow caching multi-arch separately
  • fd3cce2 Fix Docker publish workflow branches
  • 30f765e Move Caddyfile/crontab config into docker directory, remove redundant supervisord user
  • 6de2a72 Further restrict permissions
  • 0336e55 Supervisord logs

📊 Changes

9 files changed (+115 additions, -64 deletions)


📝 .dockerignore (+22 -3)
📝 .github/workflows/docker-publish.yml (+4 -2)
📝 Dockerfile (+71 -35)
📝 compose.yml (+1 -0)
📝 docker/Caddyfile (+0 -0)
📝 docker/README.md (+0 -0)
➕ docker/crontab (+1 -0)
📝 docker/entrypoint.sh (+4 -16)
📝 docker/supervisord.conf (+12 -8)

📄 Description

This is a replacement for #894

Changes

  • Add unneeded files to .dockerignore (I chose to leave security/license in the image, as those could be useful if someone inspects it)
  • In addition to #918, split Dockerfile into more stages to allow Composer/Yarn to install concurrently
    Ex: The stages 2-1, 2-2 can run independently of each other, and so can 3-1 and 3-2.
  • Don't log supervisord to a file, as file logging in a Docker container makes no sense
  • Redirect process output to supervisord/container output for log processors
    It's generally important to not simply discard all logs. Let the Docker host handle logfile rotation if using file logging, or let the host redirect to their desired log processor, such as Grafana Loki.
  • Run all processes as non-root
  • Replace cron with supercronic, as it's designed to easily run as non-root and redirect output wherever you want it
  • Minimize files with write permission for non-root user
    The majority of the build should ideally be left as root, so that in the event there is a vulnerability, the user would be unable to easily overwrite the working code. I don't think there's a good solution to the Laravel cache however.
  • Move docker folder out of .github, as it has nothing to do with GitHub
  • Use php-extension-installer (https://github.com/mlocati/docker-php-extension-installer) wrapper that handles automatically adding build dependencies and removing dev dependencies after building to simplify package list.

Additional Information

As in #894, I separated the install/build stages for Composer/Yarn so that the install stage can be skipped from cache if the code is unchanged. I know there were questions about it in the last PR, but this is standard practice in Dockerfiles. First copy the list of dependencies to install and install them, then copy the remainder of the code.

After these changes, I was able to iterate on the build process and rebuild the docker image in mere seconds, compared to the several minutes it took previously, as the whole image had to be rebuilt every time because the code was copied early on.

Important Note

I am using COPY --exclude=Caddyfile --exclude=docker/ . ./ to copy files, which is a new addition to the Dockerfile copy directive which is currently only present in the 1.7 labs spec of Dockerfile. It's been around for a year now and I don't expect this basic use of it to break. This does require declaring the 1.7-labs spec at the top of the file though, which should eventually be removed when exclude is merged to stable.

Other Options

Instead of using supercronic and supervisord and everything to run as non-root, sidecar containers can also be added. This is how some other projects, like Nextcloud, deal with running cron tasks, and running a more configurable HTTP server.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
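The pattern the description lays out, assembled into one Dockerfile as an added example (this is not the project's Dockerfile or any file from the PR): dependency manifests copied and installed before the rest of the source, Composer and Yarn stages with no dependency on each other, install-php-extensions removed once it has done its job, COPY --exclude under the 1.7-labs frontend, root-owned code with a short writable allow-list for the service user, supercronic in place of cron, and supervisord sending every process's output to the container's stdout instead of log files. The base image tags, stage names, the "app" user and uid, port 8080, the supercronic version pin, the extension list and the artisan scheduler line are all assumptions for the illustration.

```dockerfile
# syntax=docker/dockerfile:1.7-labs
# Added example, not the project's Dockerfile. Assumes a Laravel-style PHP app with
# composer.json/.lock, package.json/yarn.lock, a "yarn build" script and a docker/
# directory holding only build-host files (kept out of the image, as the PR does).
# ---- stage 1: PHP runtime with extensions; cached until this stage itself changes ----
FROM php:8.3-fpm-alpine AS base
# install-php-extensions adds build deps, compiles, strips the deps; then drop the tool.
COPY --from=mlocati/php-extension-installer /usr/bin/install-php-extensions /usr/local/bin/
RUN install-php-extensions bcmath gd intl pdo_mysql zip \
    && rm /usr/local/bin/install-php-extensions

# ---- stage 2-1: Composer deps from the manifests only (cache hit while the lock is unchanged) ----
FROM base AS composer-deps
WORKDIR /app
COPY --from=composer:2 /usr/bin/composer /usr/local/bin/composer
COPY composer.json composer.lock ./
RUN composer install --no-dev --no-scripts --no-autoloader --prefer-dist --no-interaction

# ---- stage 2-2: Yarn deps; no dependency on 2-1, so BuildKit builds both concurrently ----
FROM node:20-alpine AS yarn-deps
WORKDIR /app
COPY package.json yarn.lock ./
RUN yarn install --frozen-lockfile

# ---- stage 3-1: full source on top of 2-1; --exclude is why the 1.7-labs syntax line is needed ----
FROM composer-deps AS composer-build
COPY --exclude=docker/ . ./
RUN composer dump-autoload --optimize --classmap-authoritative

# ---- stage 3-2: front-end assets on top of 2-2 ----
FROM yarn-deps AS yarn-build
COPY --exclude=docker/ . ./
RUN yarn build

# ---- final stage: every process runs as the unprivileged "app" user ----
FROM base AS final
ARG TARGETARCH
# Assumed pin; check the release and add --checksum=sha256:<digest> before relying on it.
ARG SUPERCRONIC_VERSION=v0.2.33
RUN apk add --no-cache caddy supervisor \
    && adduser -D -H -u 1000 -h /app app
ADD --chmod=0755 \
    https://github.com/aptible/supercronic/releases/download/${SUPERCRONIC_VERSION}/supercronic-linux-${TARGETARCH} \
    /usr/local/bin/supercronic
WORKDIR /app
COPY --from=composer-build /app /app
COPY --from=yarn-build /app/public/build /app/public/build
# Code stays root-owned and read-only for "app"; only runtime state is writable
# (bootstrap/cache, the framework cache the PR calls out, is the unavoidable exception).
RUN chown -R root:app /app \
    && find /app -type d -exec chmod 0750 {} + \
    && find /app -type f -exec chmod 0640 {} + \
    && mkdir -p /app/storage /app/bootstrap/cache \
    && chown -R app:app /app/storage /app/bootstrap/cache

# Caddy on an unprivileged port, admin API off, PHP handed to php-fpm on localhost.
COPY <<EOF /etc/caddy/Caddyfile
{
    admin off
}
:8080 {
    root * /app/public
    php_fastcgi 127.0.0.1:9000
    file_server
}
EOF
# supercronic reads a plain crontab; the scheduler command is an assumption.
COPY <<EOF /etc/crontab
* * * * * php /app/artisan schedule:run
EOF
# No log files anywhere: supervisord and each child write to the container's stdout.
COPY <<EOF /etc/supervisord.conf
[supervisord]
nodaemon=true
logfile=/dev/null
logfile_maxbytes=0
pidfile=/tmp/supervisord.pid

[program:php-fpm]
command=php-fpm -F
redirect_stderr=true
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0

[program:caddy]
command=caddy run --config /etc/caddy/Caddyfile
redirect_stderr=true
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0

[program:supercronic]
command=supercronic /etc/crontab
redirect_stderr=true
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
EOF
# Caddy needs writable config/data dirs when it is not root; /tmp serves for that.
ENV XDG_CONFIG_HOME=/tmp/caddy XDG_DATA_HOME=/tmp/caddy
USER app
CMD ["supervisord", "-c", "/etc/supervisord.conf"]
```

Build it with BuildKit (`docker build -t app .`; the `# syntax` line pulls the labs frontend that understands `--exclude`), and keep `.git`, `node_modules` and `vendor` in `.dockerignore` so stage 3 copies do not drag them in. A check worth running on the result: `docker run --rm --user 1000:1000 app sh -c 'touch /app/artisan'` should fail with permission denied, while the same command against `/app/storage/probe` succeeds; that confirms the write allow-list actually holds for the service user rather than just looking right in the Dockerfile. Expect php-fpm to log a notice that the pool's `user` directive is ignored when it is not running as root; that is the intended state here. With the stage split, editing application code invalidates only stages 3-1, 3-2 and the final stage, while editing a lock file invalidates the matching stage 2 and everything after it.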

OVERLORD added the pull-request label 2026-02-05 18:02:41 +03:00

Reference: starred/panel-pelican-dev#1065