From a3ada604962b126b20c86a41e8aac5ca451b8a33 Mon Sep 17 00:00:00 2001
From: "Austin S. Hemmelgarn" <austin@netdata.cloud>
Date: Wed, 9 Dec 2020 07:18:35 -0500
Subject: [PATCH] Added numerous improvements to our Docker image. (#10308)

* Initial cleanup of Docker entrypoint script.

* Add linting for our Docker files.

* Fix warnings reported by hadolint.

* Add support for automatic claiming on startup.

* Optimize Docker image structure.

This shuffles some things around in the Docker image to cut down on the
total number of layers and make the image more caching friendly, which
will cut down on overall time required to both initially pull the image
and time spent pulling updated versions of the image.

It also shrinks the image size by about 2MB.
---
 .github/workflows/review.yml | 21 +++++++++++++++++
 packaging/docker/Dockerfile  | 45 ++++++++++++++++++------------------
 packaging/docker/run.sh      | 14 +++++++----
 3 files changed, 54 insertions(+), 26 deletions(-)

diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml
index 50cabe0a47..ca8f6de130 100644
--- a/.github/workflows/review.yml
+++ b/.github/workflows/review.yml
@@ -5,6 +5,7 @@ on:
   pull_request:
 env:
   run_eslint: 0
+  run_hadolint: 0
   run_shellcheck: 0
   run_yamllint: 0
 jobs:
@@ -29,6 +30,26 @@ jobs:
           reporter: github-pr-check
           eslint_flags: '.'
 
+  hadolint:
+    name: hadolint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Git clone repository
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: Check files
+        run: |
+          if git diff --name-only origin/${{ github.base_ref }} HEAD | grep -Eq '*Dockerfile*' ; then
+            echo 'run_hadolint=1' >> $GITHUB_ENV
+          fi
+      - name: Run hadolint
+        if: env.run_hadolint == 1
+        uses: reviewdog/action-hadolint@v1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          reporter: github-pr-check
+
   shellcheck:
     name: shellcheck
     runs-on: ubuntu-latest
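Review bot: The pattern in `grep -Eq '*Dockerfile*'` in the new Check files step is written like a shell glob but is parsed as an extended regex: the trailing `*` quantifies the `e`, so a path containing just `Dockerfil` matches, and a leading `*` is undefined in POSIX ERE (GNU grep appears to silently drop it, which is the only reason this works). Since the intent is a substring match on the changed paths, `grep -q 'Dockerfile'` expresses exactly that without relying on grep's leniency. While there, quoting the env-file redirect, `echo 'run_hadolint=1' >> "$GITHUB_ENV"`, keeps the step consistent with what the shellcheck job in this same workflow would flag in a script.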
diff --git a/packaging/docker/Dockerfile b/packaging/docker/Dockerfile
index 9d0928b9ca..65171d55eb 100644
--- a/packaging/docker/Dockerfile
+++ b/packaging/docker/Dockerfile
@@ -28,7 +28,7 @@ WORKDIR /opt/netdata.git
 RUN chmod +x netdata-installer.sh && \
    cp -rp /deps/* /usr/local/ && \
    ./netdata-installer.sh --dont-wait --dont-start-it ${EXTRA_INSTALL_OPTS} \
-   $([ "$RELEASE_CHANNEL" = stable ] && echo --stable-channel)
+   "$([ "$RELEASE_CHANNEL" = stable ] && echo --stable-channel)"
 
 # files to one directory
 RUN mkdir -p /app/usr/sbin/ \
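Review bot: Quoting the command substitution on the `./netdata-installer.sh` line changes what the installer receives: when `RELEASE_CHANNEL` is not `stable`, `[ … ] && echo` expands to nothing, and the new double quotes turn that into an explicit empty argument `""` instead of no argument, so the installer's option parser now has to tolerate an empty positional (I can't see from here whether it does). A form that satisfies the linter without producing the empty word is to build the option conditionally in the same shell: `if [ "$RELEASE_CHANNEL" = stable ]; then set -- --stable-channel; fi && \` followed by `./netdata-installer.sh --dont-wait --dont-start-it ${EXTRA_INSTALL_OPTS} "$@"`. The `RUN mkdir -p /app/usr/sbin/` instruction on the last context line continues past this hunk.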
@@ -49,6 +49,7 @@ RUN mkdir -p /app/usr/sbin/ \
     mv /usr/sbin/netdata-claim.sh    /app/usr/sbin/ && \
     mv /usr/sbin/netdatacli    /app/usr/sbin/ && \
     mv packaging/docker/run.sh        /app/usr/sbin/ && \
+    mv packaging/docker/health.sh     /app/usr/sbin/ && \
     cp -rp /deps/* /app/usr/local/ && \
     chmod +x /app/usr/sbin/run.sh
 
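Review bot: `health.sh` is moved into `/app/usr/sbin/` but only `run.sh` gets `chmod +x` on the following line, so the execute bit the `HEALTHCHECK` needs depends entirely on the mode carried over from the build context. If the file is committed as 0755 this works (the previous `COPY` to `/health.sh` relied on the same bit), but making it explicit costs nothing and survives checkouts that drop file modes: `chmod +x /app/usr/sbin/run.sh /app/usr/sbin/health.sh`. The enclosing `RUN mkdir -p /app/usr/sbin/` instruction starts before this hunk.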
@@ -57,12 +58,6 @@ ARG ARCH
 # This image contains preinstalled dependecies
 FROM netdata/base:${ARCH}
 
-# Copy files over
-RUN mkdir -p /opt/src
-COPY --from=builder /app /
-COPY --from=builder /wheels /wheels
-COPY packaging/docker/health.sh /health.sh
-
 # Configure system
 ARG NETDATA_UID=201
 ARG NETDATA_GID=201
@@ -70,17 +65,28 @@ ENV DOCKER_GRP netdata
 ENV DOCKER_USR netdata
 # If DO_NOT_TRACK is set, it will disable anonymous stats collection and reporting
 #ENV DO_NOT_TRACK=1
-RUN \
+
+# Copy files over
+RUN mkdir -p /opt/src /var/log/netdata && \
+    # Link log files to stdout
+    ln -sf /dev/stdout /var/log/netdata/access.log && \
+    ln -sf /dev/stdout /var/log/netdata/debug.log && \
+    ln -sf /dev/stderr /var/log/netdata/error.log && \
     # fping from alpine apk is on a different location. Moving it.
-    mv /usr/sbin/fping /usr/local/bin/fping && \
+    ln -snf /usr/sbin/fping /usr/local/bin/fping && \
     chmod 4755 /usr/local/bin/fping && \
-    mkdir -p /var/log/netdata && \
     # Add netdata user
     addgroup -g ${NETDATA_GID} -S "${DOCKER_GRP}" && \
-    adduser -S -H -s /usr/sbin/nologin -u ${NETDATA_GID} -h /etc/netdata -G "${DOCKER_GRP}" "${DOCKER_USR}" && \
-    # Apply the permissions as described in
-    # https://docs.netdata.cloud/docs/netdata-security/#netdata-directories, but own everything by root group due to https://github.com/netdata/netdata/pull/6543
-    chown -R root:root \
+    adduser -S -H -s /usr/sbin/nologin -u ${NETDATA_GID} -h /etc/netdata -G "${DOCKER_GRP}" "${DOCKER_USR}"
+
+# Long-term this should leverage BuildKit’s mount option.
+COPY --from=builder /wheels /wheels
+COPY --from=builder /app /
+
+# Apply the permissions as described in
+# https://docs.netdata.cloud/docs/netdata-security/#netdata-directories, but own everything by root group due to https://github.com/netdata/netdata/pull/6543
+# hadolint ignore=DL3013
+RUN chown -R root:root \
         /etc/netdata \
         /usr/share/netdata \
         /usr/libexec/netdata && \
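Review bot: The `adduser` line passes `-u ${NETDATA_GID}` as the user id, so the `NETDATA_UID` build arg declared a few lines above is never used and `--build-arg NETDATA_UID=…` silently has no effect; it only works today because both default to 201. It should read `adduser -S -H -s /usr/sbin/nologin -u ${NETDATA_UID} -h /etc/netdata -G "${DOCKER_GRP}" "${DOCKER_USR}"`. Also worth a comment: `chmod 4755` on the new `/usr/local/bin/fping` symlink follows the link, so the setuid bit now lands on the apk-owned `/usr/sbin/fping` itself, e.g. `# chmod follows the symlink: this makes /usr/sbin/fping setuid root`. The `RUN chown -R root:root` instruction on the last lines continues past this hunk.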
@@ -99,17 +105,12 @@ RUN \
     # Group write permissions due to: https://github.com/netdata/netdata/pull/6543
     find /var/lib/netdata /var/cache/netdata -type d -exec chmod 0770 {} \; && \
     find /var/lib/netdata /var/cache/netdata -type f -exec chmod 0660 {} \; && \
-    # Link log files to stdout
-    ln -sf /dev/stdout /var/log/netdata/access.log && \
-    ln -sf /dev/stdout /var/log/netdata/debug.log && \
-    ln -sf /dev/stderr /var/log/netdata/error.log
-
-# Install any Python wheels
-RUN pip install /wheels/*
+    pip --no-cache-dir install /wheels/* && \
+    rm -rf /wheels
 
 ENV NETDATA_LISTENER_PORT 19999
 EXPOSE $NETDATA_LISTENER_PORT
 
 ENTRYPOINT ["/usr/sbin/run.sh"]
 
-HEALTHCHECK --interval=60s --timeout=10s --retries=3 CMD /health.sh
+HEALTHCHECK --interval=60s --timeout=10s --retries=3 CMD /usr/sbin/health.sh
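Review bot: `rm -rf /wheels` at the end of this `RUN` does not shrink the image, because the wheels were added by the separate `COPY --from=builder /wheels /wheels` layer earlier in the stage; the later delete only records a whiteout and the wheel bytes are still pulled with the image. To actually drop them, install straight from the builder stage without a copy layer, e.g. `RUN --mount=type=bind,from=builder,source=/wheels,target=/wheels pip --no-cache-dir install /wheels/*` (needs a `# syntax=docker/dockerfile:1` directive at the top of the file), which is the BuildKit mount the comment above the `COPY` already mentions as the long-term plan. The `DL3013` ignore is reasonable because the wheels are built in-tree, but a one-line comment next to the `pip` call saying `# wheels are built from this repo in the builder stage, so versions are pinned there` would save the next reader from checking.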
diff --git a/packaging/docker/run.sh b/packaging/docker/run.sh
index 726f3849d5..432d199075 100755
--- a/packaging/docker/run.sh
+++ b/packaging/docker/run.sh
@@ -2,16 +2,17 @@
 #
 # Entry point script for netdata
 #
-# Copyright: SPDX-License-Identifier: GPL-3.0-or-later
+# Copyright: 2018 and later Netdata Inc.
+# SPDX-License-Identifier: GPL-3.0-or-later
 #
 # Author  : Pavlos Emm. Katsoulakis <paul@netdata.cloud>
+# Author  : Austin S. Hemmelgarn <austin@netdata.cloud>
 set -e
 
 if [ ! "${DO_NOT_TRACK:-0}" -eq 0 ] || [ -n "$DO_NOT_TRACK" ]; then
   touch /etc/netdata/.opt-out-from-anonymous-statistics
 fi
 
-echo "Netdata entrypoint script starting"
 if [ -n "${PGID}" ]; then
   echo "Creating docker group ${PGID}"
   addgroup -g "${PGID}" "docker" || echo >&2 "Could not add group docker with ID ${PGID}, its already there probably"
@@ -19,6 +20,11 @@ if [ -n "${PGID}" ]; then
   usermod -a -G "${PGID}" "${DOCKER_USR}" || echo >&2 "Could not add netdata user to group docker with ID ${PGID}"
 fi
 
-exec /usr/sbin/netdata -u "${DOCKER_USR}" -D -s /host -p "${NETDATA_LISTENER_PORT}" -W set web "web files group" root -W set web "web files owner" root "$@"
+if [ -n "${NETDATA_CLAIM_URL}" ] && [ -n "${NETDATA_CLAIM_TOKEN}" ] && [ ! -f /var/lib/netdata/claim.d/claimed_id ]; then
+  /usr/sbin/netdata-claim.sh -token "${NETDATA_CLAIM_TOKEN}" \
+                             -url "${NETDATA_CLAIM_URL}" \
+                             ${NETDATA_CLAIM_ROOMS:+-rooms "${NETDATA_CLAIM_ROOMS}"} \
+                             ${NETDATA_CLAIM_PROXY:+-proxy "${NETDATA_CLAIM_PROXY}"}
+fi
 
-echo "Netdata entrypoint script, completed!"
+exec /usr/sbin/netdata -u "${DOCKER_USR}" -D -s /host -p "${NETDATA_LISTENER_PORT}" -W set web "web files group" root -W set web "web files owner" root "$@"
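Review bot: With `set -e` in effect, any non-zero exit from `/usr/sbin/netdata-claim.sh` in the new block (Cloud unreachable at boot, a rejected token) aborts the entrypoint before the final `exec`, so a transient claiming failure leaves the container with no agent running at all rather than an unclaimed one. If claiming is meant to be best-effort, guard it the same way the group setup above does: append `|| echo >&2 "Netdata Cloud claiming failed; starting unclaimed"` to the last line of the command. Separately, the token is passed as a command-line argument, which is readable by every process in the container via `/proc/*/cmdline` for the life of the claim script, and `NETDATA_CLAIM_TOKEN` stays in the environment inherited by `netdata` and all its plugins after the `exec`; an `unset NETDATA_CLAIM_TOKEN` before the `exec` line removes the second exposure. I can't tell from here whether netdata-claim.sh accepts the token other than via `-token`, so the cmdline exposure may be unavoidable without changing that script.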