
Commit 9fabc17

ericfitzclaude
andcommitted
feat(containers): add Oracle Linux container builds for OCI deployment
Add container infrastructure for deploying TMI to Oracle Cloud Infrastructure with Oracle Autonomous Database support: - Dockerfile.server-oracle: Multi-stage build using Oracle Linux 9 with Oracle Instant Client 23ai for native ADB connectivity - Dockerfile.redis-oracle: Redis 8.4.0 compiled from source on Oracle Linux 9-slim - scripts/build-container-oracle.sh: Build script with OCI Container Registry integration, security scanning, and SBOM generation New Makefile targets: - build-container-oracle: Build TMI server with Oracle ADB support - build-container-redis-oracle: Build Redis on Oracle Linux - build-containers-oracle: Build both containers - *-push variants: Build and push to OCI Container Registry Key features: - CGO enabled for Oracle godror driver - Security patches applied during build - Multi-architecture support (amd64/arm64) - Non-root container users - Docker Scout security scanning - Syft SBOM generation Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1 parent f49d62b commit 9fabc17


4 files changed

+1059
-1
lines changed


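--- a/Dockerfile.redis-oracle
+++ b/Dockerfile.redis-oracle
@@ -0,0 +1,266 @@
+# Multi-stage Oracle Linux Redis build
+# Builds Redis from source on Oracle Linux 9 for OCI deployment
+#
+# This Dockerfile creates a Redis container compatible with the TMI Oracle server container.
+# Both use Oracle Linux 9 as the base for consistency in OCI deployments.
+#
+# Build arguments:
+# BUILD_DATE - ISO8601 build timestamp
+# GIT_COMMIT - Short git commit hash
+# REDIS_VERSION - Redis version to build (default: 8.4.0)
+#
+# Runtime environment variables:
+# REDIS_PASSWORD - Optional password for Redis authentication
+# REDIS_PORT - Port to listen on (default: 6379)
+# REDIS_PROTECTED_MODE - Enable protected mode (default: yes)
+# REDIS_DISABLE_COMMANDS - Comma-separated list of commands to disable
+
+# Stage 1: Build environment using Oracle Linux 9
+FROM container-registry.oracle.com/os/oraclelinux:9 AS builder
+
+# Metadata for tracking
+LABEL security.scan-date="AUTO_GENERATED"
+LABEL security.patch-level="high-critical"
+LABEL maintainer="TMI Security Team"
+LABEL stage="builder"
+
+# Build arguments
+ARG BUILD_DATE
+ARG GIT_COMMIT
+ARG REDIS_VERSION=8.4.0
+
+# Install security patches and build dependencies
+RUN dnf -y update && \
+dnf -y install \
+# Build essentials
+gcc \
+gcc-c++ \
+make \
+# Required for Redis build
+tcl \
+# Download tools
+wget \
+curl \
+# CA certificates
+ca-certificates && \
+dnf clean all && \
+rm -rf /var/cache/dnf
+
+# Download and compile Redis from source
+ENV REDIS_DOWNLOAD_URL=http://download.redis.io/releases/redis-${REDIS_VERSION}.tar.gz
+
+RUN wget -O redis.tar.gz "$REDIS_DOWNLOAD_URL" && \
+mkdir -p /usr/src/redis && \
+tar -xzf redis.tar.gz -C /usr/src/redis --strip-components=1 && \
+rm redis.tar.gz && \
+cd /usr/src/redis && \
+make BUILD_TLS=no && \
+make install PREFIX=/redis-build
+
+# Create redis user and set up runtime directory structure
+# Use GID/UID 6379 (Redis port) to avoid conflicts with existing system users
+RUN groupadd -r redis --gid=6379 && \
+useradd -r -g redis --uid=6379 --home-dir=/var/lib/redis --shell=/sbin/nologin redis && \
+mkdir -p /runtime/usr/local/bin && \
+mkdir -p /runtime/var/lib/redis && \
+mkdir -p /runtime/var/log/redis && \
+mkdir -p /runtime/etc/redis && \
+# Copy Redis binaries
+cp /redis-build/bin/redis-server /runtime/usr/local/bin/ && \
+cp /redis-build/bin/redis-cli /runtime/usr/local/bin/ && \
+cp /redis-build/bin/redis-benchmark /runtime/usr/local/bin/ && \
+cp /redis-build/bin/redis-check-aof /runtime/usr/local/bin/ && \
+cp /redis-build/bin/redis-check-rdb /runtime/usr/local/bin/ && \
+# Set ownership
+chown -R 6379:6379 /runtime/var/lib/redis && \
+chown -R 6379:6379 /runtime/var/log/redis && \
+chown -R 6379:6379 /runtime/etc/redis && \
+chmod 755 /runtime/var/lib/redis
+
+# Create Redis configuration
+RUN cat > /runtime/etc/redis/redis.conf << 'EOF'
+# Redis configuration for TMI
+port 6379
+bind 0.0.0.0
+protected-mode yes
+
+# Authentication - set via REDIS_PASSWORD environment variable
+# requirepass will be configured by entrypoint if REDIS_PASSWORD is set
+
+# Persistence
+save 900 1
+save 300 10
+save 60 10000
+
+# Logging
+loglevel notice
+logfile /var/log/redis/redis-server.log
+
+# Disable dangerous commands by default
+rename-command FLUSHDB ""
+rename-command FLUSHALL ""
+rename-command DEBUG ""
+
+# Memory management
+maxmemory 256mb
+maxmemory-policy allkeys-lru
+
+# Directories
+dir /var/lib/redis
+
+# Additional security
+tcp-keepalive 300
+timeout 0
+tcp-backlog 511
+databases 16
+
+# Slow log
+slowlog-log-slower-than 10000
+slowlog-max-len 128
+
+# Client output buffer limits
+client-output-buffer-limit normal 0 0 0
+client-output-buffer-limit replica 256mb 64mb 60
+client-output-buffer-limit pubsub 32mb 8mb 60
+EOF
+
+# Create entrypoint script
+RUN cat > /runtime/docker-entrypoint.sh << 'ENTRYPOINT_EOF'
+#!/bin/bash
+set -e
+
+# Redis configuration
+REDIS_CONF="${REDIS_CONF:-/etc/redis/redis.conf}"
+REDIS_DATA_DIR="${REDIS_DATA_DIR:-/var/lib/redis}"
+REDIS_LOG_DIR="${REDIS_LOG_DIR:-/var/log/redis}"
+
+# Environment variables for configuration
+REDIS_PORT="${REDIS_PORT:-6379}"
+REDIS_PROTECTED_MODE="${REDIS_PROTECTED_MODE:-yes}"
+REDIS_DISABLE_COMMANDS="${REDIS_DISABLE_COMMANDS:-FLUSHDB,FLUSHALL,DEBUG}"
+
+# Create directories if they don't exist
+mkdir -p "$REDIS_DATA_DIR"
+mkdir -p "$REDIS_LOG_DIR"
+mkdir -p "$(dirname "$REDIS_CONF")"
+
+# Generate Redis configuration
+cat > "$REDIS_CONF" << EOREDIS
+# Redis configuration for TMI (generated at runtime)
+port ${REDIS_PORT}
+bind 0.0.0.0
+protected-mode ${REDIS_PROTECTED_MODE}
+
+# Authentication
+$([ -n "$REDIS_PASSWORD" ] && echo "requirepass $REDIS_PASSWORD" || echo "# No password set")
+
+# Persistence
+save 900 1
+save 300 10
+save 60 10000
+
+# Logging
+loglevel notice
+logfile ${REDIS_LOG_DIR}/redis-server.log
+
+# Disable dangerous commands
+$(echo "$REDIS_DISABLE_COMMANDS" | tr ',' '\n' | while read cmd; do
+[ -n "$cmd" ] && echo "rename-command $cmd \"\""
+done)
+
+# Memory management
+maxmemory 256mb
+maxmemory-policy allkeys-lru
+
+# Directories
+dir ${REDIS_DATA_DIR}
+
+# Additional security
+tcp-keepalive 300
+timeout 0
+tcp-backlog 511
+databases 16
+
+# Slow log
+slowlog-log-slower-than 10000
+slowlog-max-len 128
+
+# Client output buffer limits
+client-output-buffer-limit normal 0 0 0
+client-output-buffer-limit replica 256mb 64mb 60
+client-output-buffer-limit pubsub 32mb 8mb 60
+EOREDIS
+
+# Set proper permissions
+chmod 644 "$REDIS_CONF"
+
+# Start Redis
+echo "Starting Redis ${REDIS_VERSION} on port ${REDIS_PORT}"
+exec /usr/local/bin/redis-server "$REDIS_CONF"
+ENTRYPOINT_EOF
+
+RUN chmod +x /runtime/docker-entrypoint.sh
+
+# Stage 2: Runtime image using Oracle Linux 9 (minimal)
+FROM container-registry.oracle.com/os/oraclelinux:9-slim
+
+# Metadata for tracking
+LABEL security.oracle-linux="9-slim"
+LABEL security.scan-date="AUTO_GENERATED"
+LABEL security.patch-level="runtime-minimal"
+LABEL maintainer="TMI Security Team"
+LABEL org.opencontainers.image.title="TMI Redis (Oracle Linux)"
+LABEL org.opencontainers.image.description="Redis on Oracle Linux 9 for OCI deployment"
+LABEL org.opencontainers.image.name="tmi/tmi-redis-oracle"
+
+# Build arguments for labels
+ARG BUILD_DATE
+ARG GIT_COMMIT
+ARG REDIS_VERSION=8.4.0
+
+LABEL org.opencontainers.image.created="${BUILD_DATE}"
+LABEL org.opencontainers.image.revision="${GIT_COMMIT}"
+LABEL org.opencontainers.image.version="${REDIS_VERSION}"
+
+# Install security patches and minimal runtime dependencies
+RUN microdnf -y update && \
+microdnf clean all && \
+rm -rf /var/cache/yum
+
+# Create redis user (use 6379 to avoid conflicts with system users)
+RUN groupadd -r redis --gid=6379 && \
+useradd -r -g redis --uid=6379 --home-dir=/var/lib/redis --shell=/sbin/nologin redis
+
+# Create required directories
+RUN mkdir -p /var/lib/redis /var/log/redis /etc/redis && \
+chown -R redis:redis /var/lib/redis /var/log/redis /etc/redis
+
+# Copy Redis binaries and configuration from builder
+COPY --from=builder /runtime/usr/local/bin/ /usr/local/bin/
+COPY --from=builder /runtime/etc/redis/redis.conf /etc/redis/redis.conf
+COPY --from=builder /runtime/docker-entrypoint.sh /docker-entrypoint.sh
+
+# Set ownership
+RUN chown redis:redis /etc/redis/redis.conf && \
+chmod +x /usr/local/bin/redis-* && \
+chmod +x /docker-entrypoint.sh
+
+# Environment variables
+ENV PATH="/usr/local/bin:$PATH"
+ENV REDIS_VERSION=${REDIS_VERSION}
+
+# Expose Redis port
+EXPOSE 6379
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+CMD redis-cli ping | grep -q PONG || exit 1
+
+# Run as redis user
+USER redis:redis
+
+# Set working directory
+WORKDIR /var/lib/redis
+
+# Entrypoint
+ENTRYPOINT ["/docker-entrypoint.sh"]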
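Review bot: The Redis source is fetched over plain HTTP (`ENV REDIS_DOWNLOAD_URL=http://download.redis.io/...`, line 50) and compiled with no integrity check in the `RUN wget ...` step that follows, so whatever the network path or mirror returns becomes the runtime binary; switch the URL to `https://` and verify the tarball before extracting, e.g. `echo "<expected-sha256>  redis.tar.gz" | sha256sum -c -` with the digest supplied as a build ARG alongside REDIS_VERSION. Separately, the entrypoint writes `requirepass $REDIS_PASSWORD` into the generated config and then runs `chmod 644 "$REDIS_CONF"` (line 195), which leaves the password world-readable inside the container; `chmod 600 "$REDIS_CONF"` is enough, since only the redis user reads it. The health check `CMD redis-cli ping | grep -q PONG || exit 1` sends no credentials and always targets 6379, so once REDIS_PASSWORD is set it gets NOAUTH and the container is reported unhealthy; `CMD REDISCLI_AUTH="$REDIS_PASSWORD" redis-cli -p "${REDIS_PORT:-6379}" ping | grep -q PONG || exit 1` works in both modes. Note also that protected-mode only guards a server with no explicit bind and no password, so with `bind 0.0.0.0` hard-coded the unset-password default is an unauthenticated listener on all interfaces; the header comment should say REDIS_PASSWORD is effectively required outside an isolated network.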
