feat: migrate from Ubuntu to Alpine base image (#82)

Djaytan · web-flow · commit 42a7bef84164 · 2025-05-03T16:44:37.000+02:00
BREAKING-CHANGE: migrating from Ubuntu to Alpine may cause incompatibilities with downstream OCI images based on it
diff --git a/.github/semantic-release/release.sh b/.github/semantic-release/release.sh
@@ -1,11 +1,11 @@
-#!/usr/bin/env bash
+#!/usr/bin/env sh
 
-set -Eeuo pipefail
+set -eu
 
 RELEASE_VERSION=$1
 RELEASE_CHANNEL=${2:-'default'}
 
-if [[ -z "$ROOT_PROJECT_DIR" ]]; then
+if [ -z "$ROOT_PROJECT_DIR" ]; then
   echo 'Error: environment variable "ROOT_PROJECT_DIR" is not set.'
   exit 1
 fi
@@ -17,7 +17,7 @@ export IMAGE_VERSION="$RELEASE_VERSION"
 
 # The default channel binds to the default Git branch (i.e. "main")
 # If we release from "main" branch -> we add the "latest" tag
-IS_LATEST_RELEASE="$([ "$RELEASE_CHANNEL" == 'default' ] && echo 'true' || echo 'false')"
+IS_LATEST_RELEASE="$([ "$RELEASE_CHANNEL" = 'default' ] && echo 'true' || echo 'false')"
 export IS_LATEST_RELEASE
 
 docker buildx bake release --print
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -32,7 +32,8 @@ jobs:
       # -> "objects.githubusercontent.com": Uploading of security reports
       # -> "raw.githubusercontent.com": Retrieve license file when building OCI image
       # -> "*.docker.io" & "*.docker.com": Standard interactions with Docker
-      # -> "*.ubuntu.com": Standard interactions with Ubuntu APT repositories
+      # -> "*.alpinelinux.org": Standard interactions with Alpine Linux package repositories
+      # -> "cdn.fwupd.org": Firmware updates (Alpine)
       # -> "api.papermc.io": Dynamic retrieval of the PaperMC server
       # -> "mirror.gcr.io": Downloading of the Trivy security scanner
       # -> "piston-data.mojang.com": Downloading of the Mojang server
@@ -47,14 +48,12 @@ jobs:
             api.github.com:443
             objects.githubusercontent.com:443
             raw.githubusercontent.com:443
-            index.docker.io:443
-            registry-1.docker.io:443
-            auth.docker.io:443
+            *.docker.io:443
             production.cloudflare.docker.com:443
-            archive.ubuntu.com:80
-            security.ubuntu.com:80
-            api.papermc.io:443
+            dl-cdn.alpinelinux.org:443
+            cdn.fwupd.org:443
             mirror.gcr.io:443
+            api.papermc.io:443
             piston-data.mojang.com:443
             api.minecraftservices.com:443
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -45,7 +45,8 @@ jobs:
       # -> "objects.githubusercontent.com": Uploading of security reports
       # -> "raw.githubusercontent.com": Retrieve license file when building OCI image
       # -> "*.docker.io" & "*.docker.com": Standard interactions with Docker
-      # -> "*.ubuntu.com": Standard interactions with Ubuntu APT repositories
+      # -> "*.alpinelinux.org": Standard interactions with Alpine Linux package repositories
+      # -> "cdn.fwupd.org": Firmware updates (Alpine)
       # -> "api.papermc.io": Dynamic retrieval of the PaperMC server
       # -> "mirror.gcr.io": Downloading of the Trivy security scanner
       # -> "api.nuget.org" & "registry.npmjs.org": Downloading semantic-release CLI
@@ -60,13 +61,10 @@ jobs:
             objects.githubusercontent.com:443
             raw.githubusercontent.com:443
             uploads.github.com:443
-            index.docker.io:443
-            registry-1.docker.io:443
-            auth.docker.io:443
+            *.docker.io:443
             production.cloudflare.docker.com:443
-            archive.ubuntu.com:80
-            security.ubuntu.com:80
-            ports.ubuntu.com:80
+            dl-cdn.alpinelinux.org:443
+            cdn.fwupd.org:443
             api.papermc.io:443
             api.nuget.org:443
             registry.npmjs.org:443
diff --git a/README.md b/README.md
@@ -13,6 +13,14 @@ Dockerized and fine-grained customizable PaperMC server.
 
 </div>
 
+## Features
+
+* Alpine-based image
+* Lightweight (~360 MB)
+* Multi-architecture support (amd64 & arm64)
+
+TODO
+
 ## Contributing
 
 If you want to help us improve the project, you can learn more about ways to do so [here](docs/CONTRIBUTING.md).
@@ -30,7 +38,13 @@ our [Security Policy](docs/SECURITY.md).
 
 ## Licence
 
-This project is under the [GNU GPL v3.0](https://www.gnu.org/licenses/gpl-3.0.html) license.
+This project inherits its licensing from the included upstream projects. As such, it is licensed under
+the [GNU GPL v3.0](https://www.gnu.org/licenses/gpl-3.0.html) license, as it inherits from PaperMC, which in turn inherits it from the original Bukkit and
+CraftBukkit projects.
+
+The distributed OCI image is based on [the Alpine one](https://hub.docker.com/_/alpine).
+As with all Docker images, these likely also contain other software which may be under other licenses. Details about Alpine packages can be
+found [here](https://pkgs.alpinelinux.org/packages).
 
-As the distributed OCI image is based on [the Ubuntu one](https://hub.docker.com/_/ubuntu), additional licensing information can be
-found [here](https://ubuntu.com/legal/intellectual-property-policy).
+As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with
+any relevant licenses for all software contained within.
diff --git a/src/localdev.sh b/src/localdev.sh
@@ -1,8 +1,15 @@
-#!/usr/bin/env bash
+#!/usr/bin/env sh
+# TODO: OWASP RULE#3 https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-3-limit-capabilities-grant-only-specific-capabilities-needed-by-a-container
+# TODO: OWASP RULE#4 https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-prevent-in-container-privilege-escalation
+# TODO: OWASP RULE#7 https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-7-limit-resources-memory-cpu-file-descriptors-processes-restarts
+# TODO: Same OWASP rules in test.sh file
+# TODO: document security recommendations adapted to this project
+# TODO: document requirements for OWASP RULE#8 https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-7-limit-resources-memory-cpu-file-descriptors-processes-restarts
+# TODO: try OWASP RULE#8 here
 
-set -Eeuo pipefail
+set -eu
 
-SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd -P)
+SCRIPT_DIR=$(cd "$(dirname "$0")" > /dev/null 2>&1 && pwd -P)
 
 cd "${SCRIPT_DIR}/main/docker"
 
diff --git a/src/main/docker/Dockerfile b/src/main/docker/Dockerfile
@@ -16,7 +16,8 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
-FROM docker.io/eclipse-temurin:21-jdk-noble@sha256:5d935f3e86b5b629fc8994503e89b73137b24048a5b465fbaa605de80c678b54 AS jre-build
+# TODO: migrate to Podman? https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#podman-as-an-alternative-to-docker
+FROM docker.io/eclipse-temurin:21-jdk-alpine@sha256:2f2f553ce09d25e2d2f0f521ab94cd73f70c9b21327a29149c23a2b63b8e29a0 AS jre-build
 
 # Create a custom Java runtime
 #
@@ -29,11 +30,11 @@ RUN ${JAVA_HOME}/bin/jlink \
     --no-header-files \
     --output /jre
 
-FROM docker.io/ubuntu:noble@sha256:72297848456d5d37d1262630108ab308d3e9ec7ed1c3286a32fe09856619a782 AS papermc-server-build
+FROM docker.io/alpine:3.21.3@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c AS papermc-server-build
 
 ARG MINECRAFT_VERSION
 
-RUN if [[ -z "$MINECRAFT_VERSION" ]]; then \
+RUN if [ -z "$MINECRAFT_VERSION" ]; then \
         echo "Error: MINECRAFT_VERSION argument is not set." >&2; \
         exit 1; \
     fi
@@ -43,17 +44,14 @@ RUN echo "Building PaperMC server for Minecraft version: $MINECRAFT_VERSION"
 WORKDIR /build
 
 # Install required dependencies
-RUN apt-get update && \
-    apt-get upgrade -y && \
-    apt-get install -y --no-install-recommends ca-certificates curl jq && \
-    rm -rf /var/lib/apt/lists/*
+RUN apk add --no-cache ca-certificates curl jq
 
 # Retrieve latest Paper server for the given version
 COPY --chmod=500 get-papermc-server.sh .
 RUN ./get-papermc-server.sh "$MINECRAFT_VERSION"
 
-# TODO: what about an alpine variant?
-FROM docker.io/ubuntu:noble@sha256:72297848456d5d37d1262630108ab308d3e9ec7ed1c3286a32fe09856619a782
+# TODO: make the image UID/GID-agnostic (e.g., for compatibility with OpenShift)
+FROM docker.io/alpine:3.21.3@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c
 
 # JRE setup
 ENV JAVA_HOME=/opt/java
@@ -65,17 +63,20 @@ COPY --from=jre-build /jre ${JAVA_HOME}
 ENV EULA=false
 
 # Keep dependencies up-to-date
-# gettext is required for envsubst
-RUN apt-get update && \
-    apt-get upgrade -y && \
-    apt-get install -y --no-install-recommends gettext && \
-    rm -rf /var/lib/apt/lists/*
+# bash is still required by start.sh for now (to be removed)
+# gettext is required for envsubst: https://pkgs.alpinelinux.org/package/edge/main/x86_64/gettext
+# libudev-zero is the Alpine-equivalent of libudev, which is required by PaperMC: https://pkgs.alpinelinux.org/package/edge/community/x86/libudev-zero
+RUN apk add --no-cache bash gettext libudev-zero
 
 # Create the "papermc" user
-RUN groupadd --system papermc && useradd --system --gid papermc --create-home papermc
+#
+# Long-form parameters are not supported (e.g., --system, --group, --shell)
+# BusyBox "adduser" doc: https://busybox.net/downloads/BusyBox.html#adduser
+RUN addgroup -S papermc && adduser -S -G papermc -h /home/papermc -s /sbin/nologin papermc
 
 # Lock root user for security purposes
-RUN passwd --lock root
+# TODO: remove since unecessary
+RUN passwd -l root
 
 # Now rely exclusively on the PaperMC user (rootless mode)
 USER papermc
diff --git a/src/main/docker/docker-bake.hcl b/src/main/docker/docker-bake.hcl
@@ -67,6 +67,7 @@ target "dev" {
   ]
 }
 
+# TODO: OWASP RULE#13 https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-13-enhance-supply-chain-security
 target "release" {
   description = "Builds the image for production purposes."
   args = {
diff --git a/src/main/docker/get-papermc-server.sh b/src/main/docker/get-papermc-server.sh
@@ -1,6 +1,8 @@
-#!/usr/bin/env bash
+#!/usr/bin/env sh
 # Reference: https://docs.papermc.io/misc/downloads-api
 
+set -eu
+
 MINECRAFT_VERSION=$1
 
 LATEST_BUILD=$(curl -sSf "https://api.papermc.io/v2/projects/paper/versions/${MINECRAFT_VERSION}/builds" | \
diff --git a/src/main/docker/runtime/start.sh b/src/main/docker/runtime/start.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+# TODO: migrate to sh
 
 set -Eeuo pipefail
 
diff --git a/src/test/docker/test.sh b/src/test/docker/test.sh
@@ -1,7 +1,7 @@
-#!/usr/bin/env bash
+#!/usr/bin/env sh
 # Assumption: The OCI image is already built and tagged as 'djaytan/papermc-server:dev'
 
-set -Eeuo pipefail
+set -eu
 
 CONTAINER_NAME='test-papermc-server'
 
@@ -33,7 +33,7 @@ while true; do
   ELAPSED_TIME=$((CURRENT_TIME - START_TIME))
 
   # Check if timeout of 60 seconds has been reached
-  if [[ $ELAPSED_TIME -gt 60 ]]; then
+  if [ $ELAPSED_TIME -gt 60 ]; then
     echo "❌  Server failed to start within 60 seconds."
     exit 1
   fi

Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,7 @@ target "dev" {`
`67`	`67`	`]`
`68`	`68`	`}`
`69`	`69`
	`70`	`+# TODO: OWASP RULE#13 https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-13-enhance-supply-chain-security`
`70`	`71`	`target "release" {`
`71`	`72`	`description = "Builds the image for production purposes."`
`72`	`73`	`args = {`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`#!/usr/bin/env bash`
	`2`	`+# TODO: migrate to sh`
`2`	`3`
`3`	`4`	`set -Eeuo pipefail`
`4`	`5`