Merge pull request #2736 from RedisInsight/feature/RI-5036/optimize-docker-image

RI-5036: Remove mdns, avahi, gnome-keyring; use alpine image instead …

Author: Artem

.circleci/config.yml

@@ -462,6 +462,8 @@ jobs:
                 command: |
                   cd tests/e2e && export TEST_FILES=$(circleci tests glob "tests/web/**/*.e2e.ts" | circleci tests split --split-by=timings) && cd ../..
                   TEST_BIG_DB_DUMP=$TEST_BIG_DB_DUMP \
+                  RI_SERVER_TLS_CERT="$RI_SERVER_TLS_CERT" \
+                  RI_SERVER_TLS_KEY="$RI_SERVER_TLS_KEY" \
                   docker-compose \
                   -f tests/e2e/rte.docker-compose.yml \
                   -f tests/e2e/docker.web.docker-compose.yml \
@@ -476,6 +478,8 @@ jobs:
                 command: |
                   cd tests/e2e && export TEST_FILES=$(circleci tests glob "tests/web/**/*.e2e.ts" | circleci tests split --split-by=timings) && cd ../..
                   TEST_BIG_DB_DUMP=$TEST_BIG_DB_DUMP \
+                  RI_SERVER_TLS_CERT="$RI_SERVER_TLS_CERT" \
+                  RI_SERVER_TLS_KEY="$RI_SERVER_TLS_KEY" \
                   docker-compose \
                   -f tests/e2e/rte.docker-compose.yml \
                   -f tests/e2e/local.web.docker-compose.yml \
@@ -618,11 +622,11 @@ jobs:
             export RI_CLOUD_CAPI_URL=$RI_CLOUD_CAPI_URL_STAGE
 
             if [ << parameters.env >> == 'stage' ]; then
-              UPGRADES_LINK=$UPGRADES_LINK_STAGE SEGMENT_WRITE_KEY=$SEGMENT_WRITE_KEY_STAGE yarn package:stage --linux << parameters.target >>
+              RI_UPGRADES_LINK=$RI_UPGRADES_LINK_STAGE RI_SEGMENT_WRITE_KEY=$RI_SEGMENT_WRITE_KEY_STAGE yarn package:stage --linux << parameters.target >>
               exit 0;
             fi
 
-            UPGRADES_LINK='' SEGMENT_WRITE_KEY='' yarn package:stage --linux << parameters.target >>
+            RI_UPGRADES_LINK='' RI_SEGMENT_WRITE_KEY='' yarn package:stage --linux << parameters.target >>
       - when:
           condition:
             equal: [ true, << parameters.redisstack >> ]
@@ -710,12 +714,12 @@ jobs:
             export RI_CLOUD_IDP_GH_ID=$RI_CLOUD_IDP_GH_ID_STAGE
             export RI_CLOUD_API_URL=$RI_CLOUD_API_URL_STAGE
             export RI_CLOUD_CAPI_URL=$RI_CLOUD_CAPI_URL_STAGE
-            export UPGRADES_LINK=''
-            export SEGMENT_WRITE_KEY=''
+            export RI_UPGRADES_LINK=''
+            export RI_SEGMENT_WRITE_KEY=''
 
             if [ << parameters.env >> == 'stage' ]; then
-              export UPGRADES_LINK=$UPGRADES_LINK_STAGE
-              export SEGMENT_WRITE_KEY=$SEGMENT_WRITE_KEY_STAGE
+              export RI_UPGRADES_LINK=$RI_UPGRADES_LINK_STAGE
+              export RI_SEGMENT_WRITE_KEY=$RI_SEGMENT_WRITE_KEY_STAGE
             fi
 
             # handle manual builds
@@ -792,9 +796,9 @@ jobs:
             export RI_CLOUD_CAPI_URL=$RI_CLOUD_CAPI_URL_STAGE
 
             if [ << parameters.env >> == 'stage' ]; then
-              UPGRADES_LINK=$UPGRADES_LINK_STAGE SEGMENT_WRITE_KEY=$SEGMENT_WRITE_KEY_STAGE yarn package:stage --win << parameters.target >>
+              RI_UPGRADES_LINK=$RI_UPGRADES_LINK_STAGE RI_SEGMENT_WRITE_KEY=$RI_SEGMENT_WRITE_KEY_STAGE yarn package:stage --win << parameters.target >>
             else
-              UPGRADES_LINK='' SEGMENT_WRITE_KEY='' yarn package:stage --win << parameters.target >>
+              RI_UPGRADES_LINK='' RI_SEGMENT_WRITE_KEY='' yarn package:stage --win << parameters.target >>
             fi
 
             rm -rf release/win-unpacked
@@ -860,20 +864,18 @@ jobs:
       - run:
           name: Build Docker image (API + UI)
           command: |
-            TELEMETRY=$SEGMENT_WRITE_KEY_DEV
+            TELEMETRY=$RI_SEGMENT_WRITE_KEY_DEV
 
             if [ << parameters.env >> == 'production' ]; then
-              TELEMETRY=$SEGMENT_WRITE_KEY
+              TELEMETRY=$RI_SEGMENT_WRITE_KEY
             fi
 
             if [ << parameters.env >> == 'staging' ]; then
-              TELEMETRY=$SEGMENT_WRITE_KEY_STAGE
+              TELEMETRY=$RI_SEGMENT_WRITE_KEY_STAGE
             fi
 
             docker build --build-arg NODE_ENV=<< parameters.env >> \
-            --build-arg SERVER_TLS_CERT="$SERVER_TLS_CERT" \
-            --build-arg SERVER_TLS_KEY="$SERVER_TLS_KEY" \
-            --build-arg SEGMENT_WRITE_KEY="$TELEMETRY" \
+            --build-arg RI_SEGMENT_WRITE_KEY="$TELEMETRY" \
             -t riv2:latest .
 
             mkdir -p docker-release
@@ -1154,6 +1156,9 @@ workflows:
             - Setup sign certificates (stage)
       - linux:
           name: Build app - Linux (stage)
+          env: stage
+          redisstack: false
+          target: AppImage
           requires:
             - Setup build (stage)
       - docker:

.circleci/e2e/test.app-image.sh

@@ -17,5 +17,5 @@ docker-compose -f tests/e2e/rte.docker-compose.yml up --force-recreate -d -V
 # run tests
 COMMON_URL=$(tail -n 1 apppath)/resources/app.asar/dist/renderer/index.html \
 ELECTRON_PATH=$(tail -n 1 apppath)/redisinsight \
-SOCKETS_CORS=true \
+RI_SOCKETS_CORS=true \
 yarn --cwd tests/e2e dotenv -e .desktop.env yarn --cwd tests/e2e test:desktop:ci

.circleci/e2e/test.exe.cmd

@@ -6,7 +6,7 @@ set OSS_STANDALONE_HOST=%E2E_CLOUD_DATABASE_HOST%
 set OSS_STANDALONE_PORT=%E2E_CLOUD_DATABASE_PORT%
 set OSS_STANDALONE_USERNAME=%E2E_CLOUD_DATABASE_USERNAME%
 set OSS_STANDALONE_PASSWORD=%E2E_CLOUD_DATABASE_PASSWORD%
-set SOCKETS_CORS=true
+set RI_SOCKETS_CORS=true
 
 call yarn --cwd tests/e2e install
 

.circleci/redisstack/app-image.repack.sh

@@ -4,7 +4,7 @@ set -e
 ARCH=${ARCH:-x86_64}
 WORKING_DIRECTORY=$(pwd)
 SOURCE_APP=${SOURCE_APP:-"RedisInsight-linux-$ARCH.AppImage"}
-APP_FOLDER_NAME="RedisInsight-linux"
+RI_APP_FOLDER_NAME="RedisInsight-linux"
 TAR_NAME="RedisInsight-app-linux.$ARCH.tar.gz"
 TMP_FOLDER="/tmp/RedisInsight-app-$ARCH"
 
@@ -17,9 +17,9 @@ cp "./release/$SOURCE_APP" "$TMP_FOLDER"
 cd "$TMP_FOLDER" || exit 1
 
 ./"$SOURCE_APP" --appimage-extract
-mv squashfs-root "$APP_FOLDER_NAME"
+mv squashfs-root "$RI_APP_FOLDER_NAME"
 
-tar -czvf "$TAR_NAME" "$APP_FOLDER_NAME"
+tar -czvf "$TAR_NAME" "$RI_APP_FOLDER_NAME"
 
 cp "$TAR_NAME" "$WORKING_DIRECTORY/release/redisstack/"
 cd "$WORKING_DIRECTORY" || exit 1

.circleci/redisstack/dmg.repack.sh

@@ -4,8 +4,8 @@ set -e
 ARCH=${ARCH:-x64}
 WORKING_DIRECTORY=$(pwd)
 TAR_NAME="RedisInsight-app-darwin.$ARCH.tar.gz"
-APP_FOLDER_NAME="RedisInsight.app"
-TMP_FOLDER="/tmp/$APP_FOLDER_NAME"
+RI_APP_FOLDER_NAME="RedisInsight.app"
+TMP_FOLDER="/tmp/$RI_APP_FOLDER_NAME"
 
 rm -rf "$TMP_FOLDER"
 
@@ -15,7 +15,7 @@ mkdir -p "$TMP_FOLDER"
 hdiutil attach "./release/RedisInsight-mac-$ARCH.dmg"
 cp -a /Volumes/RedisInsight*/RedisInsight.app "/tmp"
 cd "/tmp" || exit 1
-tar -czvf "$TAR_NAME" "$APP_FOLDER_NAME"
+tar -czvf "$TAR_NAME" "$RI_APP_FOLDER_NAME"
 cp "$TAR_NAME" "$WORKING_DIRECTORY/release/redisstack/"
 cd "$WORKING_DIRECTORY" || exit 1
 hdiutil unmount /Volumes/RedisInsight*/

DOCKER_README.md

@@ -0,0 +1,26 @@
+# Docker
+
+Included in this repository is a Dockerfile that can be used to deploy a hosted instance of Redis Insight.
+
+# Usage
+
+To build and run the image locally with Docker buildx, simply
+
+```
+$ docker buildx build -t redis-insight:latest
+$ docker run -d -p5000:5000 redis-insight:latest
+```
+
+These commands will build the image and then start the container. Redis Insight can then be accessed on localhost port 5000, `http://localhost:5000`.
+
+# Configuration
+
+Redis Insight supports several configuration values that can be supplied via container environment variables. The following may be provided:
+
+| Variable | Purpose | Default | Additional Info                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
+| ---------|---------|-----------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| RI_APP_PORT | The port the app listens on | 5000 | See [Express Documentation](https://expressjs.com/en/api.html#app.listen)                                                                                                                                                                                                                                                                                                                                                                                                                                      |
+| RI_APP_HOST | The host the app listens on | 0.0.0.0 | See [Express Documentation](https://expressjs.com/en/api.html#app.listen)                                                                                                                                                                                                                                                                                                                                                                                                                                      |
+| RI_SERVER_TLS_KEY | Private key for HTTPS | | Private key in [PEM format](https://www.ssl.com/guide/pem-der-crt-and-cer-x-509-encodings-and-conversions/#ftoc-heading-3). May be a path to a file or a string in PEM format.                                                                                                                                                                                                                                                                                                                                 |
+| RI_SERVER_TLS_CERT | Certificate for supplied private key | | Public certificate in [PEM format](https://www.ssl.com/guide/pem-der-crt-and-cer-x-509-encodings-and-conversions/#ftoc-heading-3)                                                                                                                                                                                                                                                                                                                                                                              |
+| RI_ENCRYPTION_KEY | Key to encrypt data with | | Redisinsight stores some data such as connection details locally (using [sqlite3](https://github.com/TryGhost/node-sqlite3)). It might be usefull to store sensitive data such as passwords, or private keys encrypted. For this case RedisInsight supports encryption with provided key.<br />Note: The Key must be the same for the same RedisInsight instance to be able to decrypt exising data. If for some reason the key was changed, you will have to enter the credentials again to connect to the Redis database. |

Dockerfile

@@ -1,88 +1,79 @@
-FROM node:18.15.0-alpine as front
-RUN apk update
-RUN apk add --no-cache --virtual .gyp \
+# this dockerfile has two stages, a build stage and the executable stage.
+# the build stage is responsible for building the frontend, the backend,
+# and the frontend's static assets. ideally, we could build the frontend and backend
+# independently and in parallel in different stages, but there is a dependency
+# on the backend to build those assets. until we fix that, this approach is
+# the best way to minimize the number of node_module restores and build steps
+# while still keeping the final image small.
+
+FROM node:18.18-alpine as build
+
+# update apk repository and install build dependencies
+RUN apk update && apk add --no-cache --virtual .gyp \
         python3 \
         make \
         g++
+
+# set workdir
 WORKDIR /usr/src/app
+
+# restore node_modules for front-end
 COPY package.json yarn.lock babel.config.cjs tsconfig.json ./
 RUN SKIP_POSTINSTALL=1 yarn install
+
+# prepare backend by copying scripts/configs and installing node modules
+# this is required to build the static assets
 COPY configs ./configs
 COPY scripts ./scripts
 COPY redisinsight ./redisinsight
-RUN yarn --cwd redisinsight/api
-ARG SERVER_TLS_CERT
-ARG SERVER_TLS_KEY
-ARG SEGMENT_WRITE_KEY
-ENV SERVER_TLS_CERT=${SERVER_TLS_CERT}
-ENV SERVER_TLS_KEY=${SERVER_TLS_KEY}
-ENV SEGMENT_WRITE_KEY=${SEGMENT_WRITE_KEY}
+RUN yarn --cwd redisinsight/api install
+
+# build the frontend, static assets, and backend api
 RUN yarn build:web
 RUN yarn build:statics
+RUN yarn build:api
 
-FROM node:18.15.0-alpine as back
-WORKDIR /usr/src/app
-COPY redisinsight/api/package.json redisinsight/api/yarn.lock ./
-RUN yarn install
-COPY redisinsight/api ./
-COPY --from=front /usr/src/app/redisinsight/api/static ./static
-COPY --from=front /usr/src/app/redisinsight/api/defaults ./defaults
-RUN yarn run build:prod
-
-FROM node:18.15.0-slim
-# Set up mDNS functionality, to play well with Redis Enterprise
-# clusters on the network.
-RUN set -ex \
- && DEPS="avahi-daemon libnss-mdns" \
- && apt-get update && apt-get install -y --no-install-recommends $DEPS \
- # Disable nss-mdns's two-label limit heuristic so that host names
- # with multiple labels can be resolved.
- # E.g. redis-12000.rediscluster.local, which has 3 labels.
- # (https://github.com/lathiat/nss-mdns#etcmdnsallow)
- && echo '*' > /etc/mdns.allow \
- # Configure NSSwitch to use the mdns4 plugin so mdns.allow is respected
- && sed -i "s/hosts:.*/hosts:          files mdns4 dns/g" /etc/nsswitch.conf \
- # We run a `avahi-daemon` without `dbus` so that we can start it as a
- # non-root user. `dbus` requires root permissions to start. And
- # anyway, there's a way to run `avahi-daemon` without `dbus` so why
- # shouldn't we use it.  https://linux.die.net/man/5/avahi-daemon.conf
- && printf "[server]\nenable-dbus=no\n" >> /etc/avahi/avahi-daemon.conf \
- && chmod 777 /etc/avahi/avahi-daemon.conf \
- # We create the directory because when the first time `avahi-daemon`
- # is run, the directory doesn't exist and the `avahi-daemon` must have
- # permissions to create the directory under `/var`.
- && mkdir -p /var/run/avahi-daemon \
- # Change the permissions of the directories avahi will use.
- && chown avahi:avahi /var/run/avahi-daemon \
- && chmod 777 /var/run/avahi-daemon
-
-RUN apt-get install net-tools
-RUN apt-get install -y dbus-x11 gnome-keyring libsecret-1-0
-RUN dbus-uuidgen > /var/lib/dbus/machine-id
+# install backend _again_ to build native modules and remove dev dependencies,
+# then run autoclean to remove additional unnecessary files
+RUN yarn --cwd ./redisinsight/api install --production
+COPY ./redisinsight/api/.yarnclean.prod ./redisinsight/api/.yarnclean
+RUN yarn --cwd ./redisinsight/api autoclean --force
+
+FROM node:18.18-alpine
 
+# runtime args and environment variables
 ARG NODE_ENV=production
-ARG SERVER_TLS_CERT
-ARG SERVER_TLS_KEY
-ARG SEGMENT_WRITE_KEY
-ENV SERVER_TLS_CERT=${SERVER_TLS_CERT}
-ENV SERVER_TLS_KEY=${SERVER_TLS_KEY}
-ENV SEGMENT_WRITE_KEY=${SEGMENT_WRITE_KEY}
+ARG RI_SEGMENT_WRITE_KEY
+ENV RI_SEGMENT_WRITE_KEY=${RI_SEGMENT_WRITE_KEY}
 ENV NODE_ENV=${NODE_ENV}
-ENV SERVER_STATIC_CONTENT=true
-ENV BUILD_TYPE='DOCKER_ON_PREMISE'
+ENV RI_SERVE_STATICS=true
+ENV RI_BUILD_TYPE='DOCKER_ON_PREMISE'
+ENV RI_APP_FOLDER_ABSOLUTE_PATH='/data'
+
+# this resolves CVE-2023-5363
+# TODO: remove this line once we update to base image that doesn't have this vulnerability
+RUN apk update && apk upgrade --no-cache libcrypto3 libssl3
+
+# set workdir
 WORKDIR /usr/src/app
-COPY --from=back /usr/src/app/dist ./redisinsight/api/dist
-COPY --from=front /usr/src/app/redisinsight/ui/dist ./redisinsight/ui/dist
 
-# Build BE prod dependencies here to build native modules
-COPY redisinsight/api/package.json redisinsight/api/yarn.lock ./redisinsight/api/
-RUN yarn --cwd ./redisinsight/api install --production
-COPY redisinsight/api/.yarnclean.prod ./redisinsight/api/.yarnclean
-RUN yarn --cwd ./redisinsight/api autoclean --force
+# copy artifacts built in previous stage to this one
+COPY --from=build --chown=node:node /usr/src/app/redisinsight/api/dist ./redisinsight/api/dist
+COPY --from=build --chown=node:node /usr/src/app/redisinsight/api/node_modules ./redisinsight/api/node_modules
+COPY --from=build --chown=node:node /usr/src/app/redisinsight/ui/dist ./redisinsight/ui/dist
 
-COPY ./docker-entry.sh ./
+# folder to store local database, plugins, logs and all other files
+RUN mkdir -p /data && chown -R node:node /data
+
+# copy the docker entry point script and make it executable
+COPY --chown=node:node ./docker-entry.sh ./
 RUN chmod +x docker-entry.sh
 
+# since RI is hard-code to port 5000, expose it from the container
 EXPOSE 5000
 
+# don't run the node process as root
+USER node
+
+# serve the application 🚀
 ENTRYPOINT ["./docker-entry.sh", "node", "redisinsight/api/dist/src/main"]

api.Dockerfile

@@ -26,7 +26,7 @@ RUN dbus-uuidgen > /var/lib/dbus/machine-id
 
 ARG NODE_ENV=production
 ENV NODE_ENV=${NODE_ENV}
-ENV BUILD_TYPE='DOCKER_ON_PREMISE'
+ENV RI_BUILD_TYPE='DOCKER_ON_PREMISE'
 
 WORKDIR /usr/src/app
 

configs/webpack.config.main.prod.ts

@@ -55,19 +55,18 @@ export default merge(baseConfig, {
       NODE_ENV: 'production',
       DEBUG_PROD: false,
       START_MINIMIZED: false,
-      APP_ENV: 'electron',
-      SERVER_TLS: true,
-      SERVER_TLS_CERT: process.env.SERVER_TLS_CERT || '',
-      SERVER_TLS_KEY: process.env.SERVER_TLS_KEY || '',
-      APP_FOLDER_NAME: process.env.APP_FOLDER_NAME || '',
-      UPGRADES_LINK: process.env.UPGRADES_LINK || '',
-      RI_HOSTNAME: '127.0.0.1',
-      BUILD_TYPE: 'ELECTRON',
-      APP_VERSION: version,
-      AWS_BUCKET_NAME: 'AWS_BUCKET_NAME' in process.env ? process.env.AWS_BUCKET_NAME : '',
-      SEGMENT_WRITE_KEY: 'SEGMENT_WRITE_KEY' in process.env ? process.env.SEGMENT_WRITE_KEY : 'SOURCE_WRITE_KEY',
-      CONNECTIONS_TIMEOUT_DEFAULT: 'CONNECTIONS_TIMEOUT_DEFAULT' in process.env
-        ? process.env.CONNECTIONS_TIMEOUT_DEFAULT
+      RI_APP_TYPE: 'electron',
+      RI_SERVER_TLS_CERT: process.env.RI_SERVER_TLS_CERT || '',
+      RI_SERVER_TLS_KEY: process.env.RI_SERVER_TLS_KEY || '',
+      RI_SERVE_STATICS: false,
+      RI_APP_FOLDER_NAME: process.env.RI_APP_FOLDER_NAME || '',
+      RI_UPGRADES_LINK: process.env.RI_UPGRADES_LINK || '',
+      RI_APP_HOST: '127.0.0.1',
+      RI_BUILD_TYPE: 'ELECTRON',
+      RI_APP_VERSION: version,
+      RI_SEGMENT_WRITE_KEY: 'RI_SEGMENT_WRITE_KEY' in process.env ? process.env.RI_SEGMENT_WRITE_KEY : 'SOURCE_WRITE_KEY',
+      RI_CONNECTIONS_TIMEOUT_DEFAULT: 'RI_CONNECTIONS_TIMEOUT_DEFAULT' in process.env
+        ? process.env.RI_CONNECTIONS_TIMEOUT_DEFAULT
         : toString(30 * 1000), // 30 sec
       // cloud auth
       RI_CLOUD_IDP_AUTHORIZE_URL: 'RI_CLOUD_IDP_AUTHORIZE_URL' in process.env ? process.env.RI_CLOUD_IDP_AUTHORIZE_URL: '',

configs/webpack.config.main.stage.ts

@@ -1,10 +1,8 @@
 import webpack from 'webpack';
 import { merge } from 'webpack-merge';
-import { toString } from 'lodash';
 import { BundleAnalyzerPlugin } from 'webpack-bundle-analyzer';
 import mainProdConfig from './webpack.config.main.prod';
 import DeleteSourceMaps from '../scripts/DeleteSourceMaps';
-import { version } from '../redisinsight/package.json';
 
 DeleteSourceMaps();
 
@@ -18,22 +16,6 @@ export default merge(mainProdConfig, {
 
     new webpack.EnvironmentPlugin({
       NODE_ENV: 'staging',
-      DEBUG_PROD: false,
-      START_MINIMIZED: false,
-      APP_ENV: 'electron',
-      SERVER_TLS: true,
-      SERVER_TLS_CERT: process.env.SERVER_TLS_CERT || '',
-      SERVER_TLS_KEY: process.env.SERVER_TLS_KEY || '',
-      APP_FOLDER_NAME: process.env.APP_FOLDER_NAME || '',
-      UPGRADES_LINK: process.env.UPGRADES_LINK || '',
-      RI_HOSTNAME: '127.0.0.1',
-      BUILD_TYPE: 'ELECTRON',
-      APP_VERSION: version,
-      AWS_BUCKET_NAME: 'AWS_BUCKET_NAME' in process.env ? process.env.AWS_BUCKET_NAME : '',
-      SEGMENT_WRITE_KEY: 'SEGMENT_WRITE_KEY' in process.env ? process.env.SEGMENT_WRITE_KEY : 'SOURCE_WRITE_KEY',
-      CONNECTIONS_TIMEOUT_DEFAULT: 'CONNECTIONS_TIMEOUT_DEFAULT' in process.env
-        ? process.env.CONNECTIONS_TIMEOUT_DEFAULT
-        : toString(30 * 1000), // 30 sec
     }),
   ],
 });