Merge pull request #1183 from openmina/dw/add-hadolint

CI: lint dockerfiles

Author: dannywillems

.github/workflows/lint.yml

@@ -47,3 +47,19 @@ jobs:
           components: clippy, rustfmt
       - name: Run transaction Fuzzing check
         run: make check-tx-fuzzing
+
+  hadolint:
+    name: Hadolint - ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest]
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install hadolint
+        run: |
+          wget -O /tmp/hadolint https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64
+          chmod +x /tmp/hadolint
+          sudo mv /tmp/hadolint /usr/local/bin/hadolint
+      - name: Run hadolint
+        run: make lint-dockerfiles

Dockerfile

@@ -1,5 +1,8 @@
 FROM rust:bullseye AS build
-RUN apt-get update && apt-get install -y protobuf-compiler && apt-get clean
+# hadolint ignore=DL3008
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends protobuf-compiler && \
+    apt-get clean
 RUN rustup default 1.84 && rustup component add rustfmt
 WORKDIR /openmina
 COPY . .
@@ -11,21 +14,30 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry \
 
 RUN --mount=type=cache,target=/usr/local/cargo/registry \
     --mount=type=cache,target=/openmina/target,id=rust-target \
-    cargo build --release --features scenario-generators --bin openmina-node-testing && \
+    cargo build --release --features scenario-generators \
+        --bin openmina-node-testing && \
     cp -r /openmina/target/release /openmina/testing-release-bin/
 
 # necessary for proof generation when running a block producer.
-RUN git clone --depth 1 https://github.com/openmina/circuit-blobs.git \
-    && rm -rf circuit-blobs/berkeley_rc1 circuit-blobs/*/tests
+RUN git clone --depth 1 \
+        https://github.com/openmina/circuit-blobs.git && \
+    rm -rf circuit-blobs/berkeley_rc1 circuit-blobs/*/tests
 
 FROM debian:bullseye
-RUN apt-get update && apt-get install -y libjemalloc2 libssl1.1 libpq5 curl jq procps && apt-get clean
+# hadolint ignore=DL3008
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+        libjemalloc2 libssl1.1 libpq5 curl jq procps && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
 
 COPY --from=build /openmina/release-bin/openmina /usr/local/bin/
-COPY --from=build /openmina/testing-release-bin/openmina-node-testing /usr/local/bin/
+COPY --from=build /openmina/testing-release-bin/openmina-node-testing \
+    /usr/local/bin/
 
 RUN mkdir -p /usr/local/lib/openmina/circuit-blobs
-COPY --from=build /openmina/circuit-blobs/ /usr/local/lib/openmina/circuit-blobs/
+COPY --from=build /openmina/circuit-blobs/ \
+    /usr/local/lib/openmina/circuit-blobs/
 
 EXPOSE 3000
 EXPOSE 8302

Makefile

@@ -95,6 +95,22 @@ format-md: ## Format all markdown files to wrap at 80 characters
 lint: ## Run linter (clippy)
 	cargo clippy --all-targets -- -D warnings --allow clippy::mutable_key_type
 
+.PHONY: lint-dockerfiles
+lint-dockerfiles: ## Check all Dockerfiles using hadolint
+	@if [ "$$GITHUB_ACTIONS" = "true" ]; then \
+		OUTPUT=$$(find . -name "Dockerfile*" -type f -exec hadolint {} \;); \
+		if [ -n "$$OUTPUT" ]; then \
+			echo "$$OUTPUT"; \
+			exit 1; \
+		fi; \
+	else \
+		OUTPUT=$$(find . -name "Dockerfile*" -type f -exec sh -c 'docker run --rm -i hadolint/hadolint < "$$1"' _ {} \;); \
+		if [ -n "$$OUTPUT" ]; then \
+			echo "$$OUTPUT"; \
+			exit 1; \
+		fi; \
+	fi
+
 .PHONY: setup-wasm-toolchain
 setup-wasm-toolchain: ## Setup the WebAssembly toolchain, using nightly
 		@ARCH=$$(uname -m); \
@@ -133,3 +149,66 @@ test-release: ## Run tests in release mode
 .PHONY: test-vrf
 test-vrf: ## Run VRF tests, requires nightly Rust
 	@cd vrf && cargo +nightly test --release -- -Z unstable-options --report-time
+
+# Docker build targets
+DOCKER_ORG ?= openmina
+GIT_COMMIT := $(shell git rev-parse --short=8 HEAD)
+
+.PHONY: docker-build-all
+docker-build-all: docker-build-bootstrap-sandbox docker-build-debugger \
+	docker-build-frontend docker-build-fuzzing docker-build-heartbeats-processor \
+	docker-build-light docker-build-light-focal docker-build-openmina \
+	docker-build-openmina-testing docker-build-producer-dashboard \
+	docker-build-test ## Build all Docker images
+
+.PHONY: docker-build-bootstrap-sandbox
+docker-build-bootstrap-sandbox: ## Build bootstrap sandbox Docker image
+	docker build -t $(DOCKER_ORG)/openmina-bootstrap-sandbox:$(GIT_COMMIT) \
+		tools/bootstrap-sandbox/
+
+.PHONY: docker-build-debugger
+docker-build-debugger: ## Build debugger Docker image
+	docker build -t $(DOCKER_ORG)/openmina-debugger:$(GIT_COMMIT) \
+		-f node/testing/docker/Dockerfile.debugger node/testing/docker/
+
+.PHONY: docker-build-frontend
+docker-build-frontend: ## Build frontend Docker image
+	docker build -t $(DOCKER_ORG)/openmina-frontend:$(GIT_COMMIT) frontend/
+
+.PHONY: docker-build-fuzzing
+docker-build-fuzzing: ## Build fuzzing Docker image
+	docker build -t $(DOCKER_ORG)/openmina-fuzzing:$(GIT_COMMIT) tools/fuzzing/
+
+.PHONY: docker-build-heartbeats-processor
+docker-build-heartbeats-processor: ## Build heartbeats processor Docker image
+	docker build -t $(DOCKER_ORG)/openmina-heartbeats-processor:$(GIT_COMMIT) \
+		tools/heartbeats-processor/
+
+.PHONY: docker-build-light
+docker-build-light: ## Build light Docker image
+	docker build -t $(DOCKER_ORG)/openmina-light:$(GIT_COMMIT) \
+		-f node/testing/docker/Dockerfile.light node/testing/docker/
+
+.PHONY: docker-build-light-focal
+docker-build-light-focal: ## Build light focal Docker image
+	docker build -t $(DOCKER_ORG)/openmina-light-focal:$(GIT_COMMIT) \
+		-f node/testing/docker/Dockerfile.light.focal node/testing/docker/
+
+.PHONY: docker-build-openmina
+docker-build-openmina: ## Build main OpenMina Docker image
+	docker build -t $(DOCKER_ORG)/openmina:$(GIT_COMMIT) .
+
+.PHONY: docker-build-openmina-testing
+docker-build-openmina-testing: ## Build OpenMina testing Docker image
+	docker build -t $(DOCKER_ORG)/openmina-testing:$(GIT_COMMIT) \
+		-f node/testing/docker/Dockerfile.openmina node/testing/docker/
+
+.PHONY: docker-build-producer-dashboard
+docker-build-producer-dashboard: ## Build producer dashboard Docker image
+	docker build -t $(DOCKER_ORG)/openmina-producer-dashboard:$(GIT_COMMIT) \
+		-f docker/producer-dashboard/Dockerfile .
+
+.PHONY: docker-build-test
+docker-build-test: ## Build test Docker image
+	docker build -t $(DOCKER_ORG)/openmina-test:$(GIT_COMMIT) \
+		-f node/testing/docker/Dockerfile.test node/testing/docker/

docker/producer-dashboard/Dockerfile

@@ -4,13 +4,17 @@ WORKDIR /usr/src/openmina-producer-dashboard
 
 COPY ../ .
 
-RUN cd producer-dashboard && SQLX_OFFLINE=true cargo install --path .
+WORKDIR /usr/src/openmina-producer-dashboard/producer-dashboard
+RUN SQLX_OFFLINE=true cargo install --path .
 
 FROM ubuntu:noble AS mina-builder
 
-RUN apt-get update && apt-get install -y openssl ca-certificates
+# hadolint ignore=DL3008
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends openssl ca-certificates
 
 # Build mina from source
+# hadolint ignore=DL3008
 RUN apt-get update && \
   apt-get -y --no-install-recommends install \
     libboost-dev \
@@ -37,16 +41,18 @@ RUN apt-get update && \
     unzip \
     rsync
 
-
-RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \
+    sh -s -- -y
 
 WORKDIR /go
 RUN git clone https://github.com/MinaProtocol/mina.git
 
 ENV DUNE_PROFILE=devnet
 
 WORKDIR /go/mina
-COPY ../docker/producer-dashboard/output_binprot_breadcrumbs.patch .
+COPY ../docker/producer-dashboard/output_binprot_breadcrumbs.patch \
+    .
 RUN git checkout 3.0.1 && \
     git submodule update --init --recursive && \
     git config --local --add submodule.recurse true
@@ -55,34 +61,49 @@ RUN git apply ./output_binprot_breadcrumbs.patch
 
 # RUN make libp2p_helper
 
-RUN curl -s -L https://github.com/ocaml/opam/releases/download/2.1.2/opam-2.1.2-x86_64-linux -o /usr/local/bin/opam && chmod +x /usr/local/bin/opam
+RUN curl -s -L \
+        https://github.com/ocaml/opam/releases/download/2.1.2/opam-2.1.2-x86_64-linux \
+        -o /usr/local/bin/opam && \
+    chmod +x /usr/local/bin/opam
 
+# hadolint ignore=DL3008
 RUN apt-get -y --no-install-recommends install m4 pkg-config
 
-RUN opam init --disable-sandboxing
-RUN opam switch create .
-RUN eval $(opam config env)
-RUN opam switch import -y opam.export
-RUN ./scripts/pin-external-packages.sh
+RUN opam init --disable-sandboxing && \
+    opam switch create . && \
+    eval "$(opam config env)" && \
+    opam switch import -y opam.export && \
+    ./scripts/pin-external-packages.sh
 
-RUN curl -L https://go.dev/dl/go1.19.linux-amd64.tar.gz -o go1.19.tar.gz \
-    && tar -C /usr/local -xzf go1.19.tar.gz \
-    && rm go1.19.tar.gz
+RUN curl -L https://go.dev/dl/go1.19.linux-amd64.tar.gz \
+        -o go1.19.tar.gz && \
+    tar -C /usr/local -xzf go1.19.tar.gz && \
+    rm go1.19.tar.gz
 ENV PATH="/usr/local/go/bin:${PATH}"
 RUN make libp2p_helper
 
 ENV PATH="/root/.cargo/bin:${PATH}"
+# hadolint ignore=DL3008
 RUN apt-get -y --no-install-recommends install zlib1g-dev
-RUN eval $(opam config env) && make build_all_sigs
-# RUN /bin/bash -c "source ~/.cargo/env && eval $(opam config env) && make build_all_sigs"
+RUN eval "$(opam config env)" && make build_all_sigs
+# RUN /bin/bash -c "source ~/.cargo/env && eval $(opam config env) && \
+#     make build_all_sigs"
 
 FROM ubuntu:noble
 
-RUN apt-get update && apt-get install -y libpq5 libjemalloc2
-
-COPY --from=app-builder /usr/local/cargo/bin/openmina-producer-dashboard /usr/local/bin/openmina-producer-dashboard
-COPY --from=mina-builder /go/mina/src/app/libp2p_helper/result/bin/libp2p_helper /usr/local/bin/coda-libp2p_helper
-COPY --from=mina-builder /go/mina/_build/default/src/app/cli/src/mina_testnet_signatures.exe /usr/local/bin/mina
+# hadolint ignore=DL3008
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends libpq5 libjemalloc2 && \
+    rm -rf /var/lib/apt/lists/*
+
+COPY --from=app-builder /usr/local/cargo/bin/openmina-producer-dashboard \
+    /usr/local/bin/openmina-producer-dashboard
+COPY --from=mina-builder \
+    /go/mina/src/app/libp2p_helper/result/bin/libp2p_helper \
+    /usr/local/bin/coda-libp2p_helper
+COPY --from=mina-builder \
+    /go/mina/_build/default/src/app/cli/src/mina_testnet_signatures.exe \
+    /usr/local/bin/mina
 
 # TODO: replace
 ENTRYPOINT [ "openmina-producer-dashboard" ]

frontend/Dockerfile

@@ -1,23 +1,27 @@
 FROM node:18 AS BUILD_IMAGE
-# Doesn't matter what we put here - it get's overwritten by the docker build command
+# Doesn't matter what we put here - it get's overwritten by the docker \
+# build command
 ARG BUILD_CONFIGURATION=production
 WORKDIR /app
 COPY . .
-RUN npm install
-RUN node_modules/.bin/ng build --configuration ${BUILD_CONFIGURATION}
-RUN npm prune --production
-
-RUN echo "---------- USING APACHE ----------"
+RUN npm install && \
+    node_modules/.bin/ng build --configuration \
+        ${BUILD_CONFIGURATION} && \
+    npm prune --production && \
+    echo "---------- USING APACHE ----------"
 
 
 FROM httpd:2.4
 
+# hadolint ignore=DL3008
 RUN apt-get update && \
-    apt-get install -y curl && \
+    apt-get install -y --no-install-recommends curl && \
     rm -rf /var/lib/apt/lists/*
 
-COPY --from=BUILD_IMAGE /app/dist/frontend/browser /usr/local/apache2/htdocs/
-COPY --from=BUILD_IMAGE /app/httpd.conf /usr/local/apache2/conf/httpd.conf
+COPY --from=BUILD_IMAGE /app/dist/frontend/browser \
+    /usr/local/apache2/htdocs/
+COPY --from=BUILD_IMAGE /app/httpd.conf \
+    /usr/local/apache2/conf/httpd.conf
 
 COPY docker/startup.sh /usr/local/bin/startup.sh
 RUN chmod +x /usr/local/bin/startup.sh

node/testing/docker/Dockerfile.debugger

@@ -5,4 +5,7 @@ FROM minaprotocol/mina-daemon:2.0.0rampup4-14047c5-focal-berkeley
 
 COPY --from=debugger /usr/bin/bpf-recorder /usr/bin/bpf-recorder
 
-RUN apt-get update && apt-get -y install libelf-dev
+# hadolint ignore=DL3008
+RUN apt-get update && \
+    apt-get -y install --no-install-recommends libelf-dev && \
+    rm -rf /var/lib/apt/lists/*

node/testing/docker/Dockerfile.light

@@ -1,7 +1,8 @@
 FROM golang:1.18.10-buster AS builder
 
+# hadolint ignore=DL3008
 RUN apt-get update && \
-  apt-get -y install \
+  apt-get -y install --no-install-recommends \
     apt-transport-https \
     ca-certificates \
     pkg-config \
@@ -35,7 +36,9 @@ RUN apt-get update && \
     rsync \
     liblmdb-dev
 
-RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \
+    sh -s -- -y
 
 WORKDIR /go
 RUN git clone https://github.com/MinaProtocol/mina.git
@@ -49,23 +52,31 @@ RUN git checkout -b 2.0.0rampup4 2.0.0rampup4 && \
 
 RUN make libp2p_helper
 
-RUN curl -s -L https://github.com/ocaml/opam/releases/download/2.1.2/opam-2.1.2-x86_64-linux -o /usr/local/bin/opam && chmod +x /usr/local/bin/opam
+RUN curl -s -L \
+        https://github.com/ocaml/opam/releases/download/2.1.2/opam-2.1.2-x86_64-linux \
+        -o /usr/local/bin/opam && \
+    chmod +x /usr/local/bin/opam
 
 RUN opam init --disable-sandboxing \
   && opam switch create . \
-  && eval $(opam config env) \
+  && eval "$(opam config env)" \
   && opam switch import -y opam.export \
   && ./scripts/pin-external-packages.sh
 
 COPY patch patch
 
 RUN git apply patch
 
-RUN rm /bin/sh && ln -s /bin/bash /bin/sh
+SHELL ["/bin/bash", "-c"]
 
-RUN source ~/.cargo/env && eval $(opam config env) && make build_all_sigs
+RUN source ~/.cargo/env && eval "$(opam config env)" && \
+    make build_all_sigs
 
 FROM minaprotocol/mina-daemon:2.0.0rampup4-14047c5-buster-berkeley
 
-COPY --from=builder /go/mina/src/app/libp2p_helper/result/bin/libp2p_helper /usr/local/bin/coda-libp2p_helper
-COPY --from=builder /go/mina/_build/default/src/app/cli/src/mina_testnet_signatures.exe /usr/local/bin/mina
+COPY --from=builder \
+    /go/mina/src/app/libp2p_helper/result/bin/libp2p_helper \
+    /usr/local/bin/coda-libp2p_helper
+COPY --from=builder \
+    /go/mina/_build/default/src/app/cli/src/mina_testnet_signatures.exe \
+    /usr/local/bin/mina