From 63a9519987b2b9a7f9108a16c3ed22ec7f23aed1 Mon Sep 17 00:00:00 2001
From: tangowithfoxtrot <5676771+tangowithfoxtrot@users.noreply.github.com>
Date: Sun, 4 Feb 2024 03:20:37 +0000
Subject: [PATCH 01/18] minimal docker image from `scratch`

---
 Dockerfile | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 entrypoint.sh | 2 +-
 2 files changed, 72 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index c656f87..ec8fbb9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,8 @@
-FROM --platform=linux/amd64 debian:latest
+# syntax = docker/dockerfile:1.2
+###############################################
+# Build stage #
+###############################################
+FROM --platform=linux/amd64 debian:latest as builder
 ENV DEBIAN_FRONTEND=noninteractive
 
 WORKDIR /usr/local/bin
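Review bot: The new builder stage still starts from the floating `debian:latest` tag, and because the second hunk copies individual shared objects out of this stage into `scratch`, every rebuild silently tracks whatever glibc, OpenSSL, GnuTLS and Kerberos versions that tag resolves to on the day; pin it, e.g. `FROM --platform=linux/amd64 debian:bookworm@sha256:<digest-placeholder> AS builder`. The hard-coded `--platform=linux/amd64` also means the image cannot be built for other architectures, which is fine if intended but deserves a one-line comment. Minor: the stage keyword is conventionally written `AS builder`.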
@@ -7,4 +11,70 @@ COPY entrypoint.sh .
 RUN export VER=$(curl -H "Accept: application/vnd.github+json" https://api.github.com/repos/bitwarden/clients/releases | jq -r 'sort_by(.published_at) | reverse | .[].name | select( index("CLI") )' | sed 's:.*CLI v::' | head -n 1) && \
 curl -LO "https://github.com/bitwarden/clients/releases/download/cli-v{$VER}/bw-linux-{$VER}.zip" \
 && unzip *.zip && chmod +x ./bw
+
+###############################################
+# App stage #
+###############################################
+FROM --platform=linux/amd64 scratch as app
+SHELL ["/bin/bash"]
+
+# binaries
+COPY --from=builder /bin/bash /bin/bash
+COPY --from=builder /usr/bin/curl /usr/bin/curl
+COPY --from=builder /usr/bin/jq /usr/bin/jq
+COPY --from=builder /usr/bin/sleep /usr/bin/sleep
+COPY --from=builder /usr/local/bin/bw /usr/local/bin/bw
+
+# shared libraries
+COPY --from=builder /lib/x86_64-linux-gnu/libtinfo.so.6 /lib/x86_64-linux-gnu/libtinfo.so.6
+COPY --from=builder /lib/x86_64-linux-gnu/libdl.so.2 /lib/x86_64-linux-gnu/libdl.so.2
+COPY --from=builder /lib/x86_64-linux-gnu/libstdc++.so.6 /lib/x86_64-linux-gnu/libstdc++.so.6
+COPY --from=builder /lib/x86_64-linux-gnu/libm.so.6 /lib/x86_64-linux-gnu/libm.so.6
+COPY --from=builder /lib/x86_64-linux-gnu/libgcc_s.so.1 /lib/x86_64-linux-gnu/libgcc_s.so.1
+COPY --from=builder /lib/x86_64-linux-gnu/libpthread.so.0 /lib/x86_64-linux-gnu/libpthread.so.0
+COPY --from=builder /lib/x86_64-linux-gnu/libc.so.6 /lib/x86_64-linux-gnu/libc.so.6
+COPY --from=builder /lib/x86_64-linux-gnu/libselinux.so.1 /lib/x86_64-linux-gnu/libselinux.so.1
+COPY --from=builder /lib/x86_64-linux-gnu/libpcre2-8.so.0 /lib/x86_64-linux-gnu/libpcre2-8.so.0
+COPY --from=builder /lib/x86_64-linux-gnu/libonig.so.5 /lib/x86_64-linux-gnu/libonig.so.5
+COPY --from=builder /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
+COPY --from=builder /lib/x86_64-linux-gnu/libjq.so.1 /lib/x86_64-linux-gnu/libjq.so.1
+
+# curl shared libraries
+COPY --from=builder /lib/x86_64-linux-gnu/libcurl.so.4 /lib/x86_64-linux-gnu/libcurl.so.4
+COPY --from=builder /lib/x86_64-linux-gnu/libz.so.1 /lib/x86_64-linux-gnu/libz.so.1
+COPY --from=builder /lib/x86_64-linux-gnu/libnghttp2.so.14 /lib/x86_64-linux-gnu/libnghttp2.so.14
+COPY --from=builder /lib/x86_64-linux-gnu/libidn2.so.0 /lib/x86_64-linux-gnu/libidn2.so.0
+COPY --from=builder /lib/x86_64-linux-gnu/librtmp.so.1 /lib/x86_64-linux-gnu/librtmp.so.1
+COPY --from=builder /lib/x86_64-linux-gnu/libssh2.so.1 /lib/x86_64-linux-gnu/libssh2.so.1
+COPY --from=builder /lib/x86_64-linux-gnu/libpsl.so.5 /lib/x86_64-linux-gnu/libpsl.so.5
+COPY --from=builder /lib/x86_64-linux-gnu/libssl.so.3 /lib/x86_64-linux-gnu/libssl.so.3
+COPY --from=builder /lib/x86_64-linux-gnu/libcrypto.so.3 /lib/x86_64-linux-gnu/libcrypto.so.3
+COPY --from=builder /lib/x86_64-linux-gnu/libgssapi_krb5.so.2 /lib/x86_64-linux-gnu/libgssapi_krb5.so.2
+COPY --from=builder /lib/x86_64-linux-gnu/libldap-2.5.so.0 /lib/x86_64-linux-gnu/libldap-2.5.so.0
+COPY --from=builder /lib/x86_64-linux-gnu/liblber-2.5.so.0 /lib/x86_64-linux-gnu/liblber-2.5.so.0
+COPY --from=builder /lib/x86_64-linux-gnu/libzstd.so.1 /lib/x86_64-linux-gnu/libzstd.so.1
+COPY --from=builder /lib/x86_64-linux-gnu/libbrotlidec.so.1 /lib/x86_64-linux-gnu/libbrotlidec.so.1
+COPY --from=builder /lib/x86_64-linux-gnu/libunistring.so.2 /lib/x86_64-linux-gnu/libunistring.so.2
+COPY --from=builder /lib/x86_64-linux-gnu/libgnutls.so.30 /lib/x86_64-linux-gnu/libgnutls.so.30
+COPY --from=builder /lib/x86_64-linux-gnu/libhogweed.so.6 /lib/x86_64-linux-gnu/libhogweed.so.6
+COPY --from=builder /lib/x86_64-linux-gnu/libnettle.so.8 /lib/x86_64-linux-gnu/libnettle.so.8
+COPY --from=builder /lib/x86_64-linux-gnu/libgmp.so.10 /lib/x86_64-linux-gnu/libgmp.so.10
+COPY --from=builder /lib/x86_64-linux-gnu/libkrb5.so.3 /lib/x86_64-linux-gnu/libkrb5.so.3
+COPY --from=builder /lib/x86_64-linux-gnu/libk5crypto.so.3 /lib/x86_64-linux-gnu/libk5crypto.so.3
+COPY --from=builder /lib/x86_64-linux-gnu/libcom_err.so.2 /lib/x86_64-linux-gnu/libcom_err.so.2
+COPY --from=builder /lib/x86_64-linux-gnu/libkrb5support.so.0 /lib/x86_64-linux-gnu/libkrb5support.so.0
+COPY --from=builder /lib/x86_64-linux-gnu/libsasl2.so.2 /lib/x86_64-linux-gnu/libsasl2.so.2
+COPY --from=builder /lib/x86_64-linux-gnu/libbrotlicommon.so.1 /lib/x86_64-linux-gnu/libbrotlicommon.so.1
+COPY --from=builder /lib/x86_64-linux-gnu/libp11-kit.so.0 /lib/x86_64-linux-gnu/libp11-kit.so.0
+COPY --from=builder /lib/x86_64-linux-gnu/libtasn1.so.6 /lib/x86_64-linux-gnu/libtasn1.so.6
+COPY --from=builder /lib/x86_64-linux-gnu/libkeyutils.so.1 /lib/x86_64-linux-gnu/libkeyutils.so.1
+COPY --from=builder /lib/x86_64-linux-gnu/libresolv.so.2 /lib/x86_64-linux-gnu/libresolv.so.2
+COPY --from=builder /lib/x86_64-linux-gnu/libffi.so.8 /lib/x86_64-linux-gnu/libffi.so.8
+
+# ca-certificates
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+
+# entrypoint
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+
 ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ]
diff --git a/entrypoint.sh b/entrypoint.sh
index 2908f6d..6e9f5a4 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 
 # to enable interactive CLI usage
 if [[ $# -gt 0 ]]; then

From 3b09ad8ddb2bbd225b06217ac8d6dc19764a1219 Mon Sep 17 00:00:00 2001
From: tangowithfoxtrot <5676771+tangowithfoxtrot@users.noreply.github.com>
Date: Sun, 4 Feb 2024 03:24:36 +0000
Subject: [PATCH 02/18] use new tag for the `scratch` image

---
 .github/workflows/docker-image.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 5370532..16e9615 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
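Review bot: `SHELL ["/bin/bash"]` in the new `scratch` stage is missing the `-c` that `SHELL` requires (`SHELL ["/bin/bash", "-c"]`); as written, any later `RUN` in this stage would hand its command to bash as a script path, and since the stage has no `RUN` and the `ENTRYPOINT` is exec form, the directive currently does nothing and can simply be dropped. The final image also has no `USER`, so `bw serve` runs as root with a copied `bash`, `curl`, `jq` and the full GnuTLS/Kerberos/LDAP library set available to it; if root is required by the `/root/.config/Bitwarden CLI` volume layout the README documents, a comment saying so would help, otherwise add a numeric `USER` and give the CLI a writable config directory. The download `RUN` is only context here and is reviewed on the hunk that edits it (patch 06).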
@@ -25,8 +25,8 @@ jobs:
 run: docker login -u $DOCKER_USER -p $DOCKER_PASSWORD
 - name: docker build
 run: |
- docker build . --file Dockerfile --tag $DOCKER_USER/bw-cli:latest \
- --tag $DOCKER_USER/bw-cli:${{ github.event.inputs.version }} \
- --tag $DOCKER_USER/bw-cli:v${{ github.event.inputs.version }}
+ docker build . --file Dockerfile --tag $DOCKER_USER/bw-cli:latest-scratch \
+ --tag $DOCKER_USER/bw-cli:scratch-${{ github.event.inputs.version }} \
+ --tag $DOCKER_USER/bw-cli:scratch-v${{ github.event.inputs.version }}
 - name: docker push
 run: docker push -a $DOCKER_USER/bw-cli

From deb206798bf11ade7148820823b8a82458e6c31b Mon Sep 17 00:00:00 2001
From: tangowithfoxtrot <5676771+tangowithfoxtrot@users.noreply.github.com>
Date: Sat, 3 Feb 2024 20:22:26 -0800
Subject: [PATCH 03/18] rm unnecessary COPY in build stage

---
 Dockerfile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index ec8fbb9..1b94eb9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,7 +7,6 @@ ENV DEBIAN_FRONTEND=noninteractive
 
 WORKDIR /usr/local/bin
 RUN apt update && apt install -y curl unzip libsecret-1-0 jq
-COPY entrypoint.sh .
 RUN export VER=$(curl -H "Accept: application/vnd.github+json" https://api.github.com/repos/bitwarden/clients/releases | jq -r 'sort_by(.published_at) | reverse | .[].name | select( index("CLI") )' | sed 's:.*CLI v::' | head -n 1) && \
 curl -LO "https://github.com/bitwarden/clients/releases/download/cli-v{$VER}/bw-linux-{$VER}.zip" \
 && unzip *.zip && chmod +x ./bw

From 7e852163231927d142379836e0edc1559b893714 Mon Sep 17 00:00:00 2001
From: tangowithfoxtrot <5676771+tangowithfoxtrot@users.noreply.github.com>
Date: Wed, 3 Apr 2024 04:08:50 -0700
Subject: [PATCH 04/18] fix: unlock broken when no SERVE_PORT provided (#5)

---
 entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/entrypoint.sh b/entrypoint.sh
index 6e9f5a4..8a046b6 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -28,7 +28,7 @@ BW_SERVE_PID=$!
 echo "\`bw serve\` pid: $BW_SERVE_PID"
 
 if [[ "$UNLOCK_VAULT" == "true" ]]; then
- while ! curl -sX POST -H "Content-Type: application/json" -d "{\"password\": \"$VAULT_PASSWORD\"}" "http://localhost:$SERVE_PORT/unlock" >/dev/null; do
+ while ! curl -sX POST -H "Content-Type: application/json" -d "{\"password\": \"$VAULT_PASSWORD\"}" "http://localhost:${SERVE_PORT:-8087}/unlock" >/dev/null; do
 sleep 1
 done
 echo "Vault unlocked!"

From 8b767df065fcfb6abdb3cb602f9d15ad59fdf891 Mon Sep 17 00:00:00 2001
From: tangowithfoxtrot <5676771+tangowithfoxtrot@users.noreply.github.com>
Date: Tue, 7 May 2024 05:02:22 -0700
Subject: [PATCH 05/18] rm libsecret; not used

---
 Dockerfile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 1b94eb9..c44f9e7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,9 @@ FROM --platform=linux/amd64 debian:latest as builder
 ENV DEBIAN_FRONTEND=noninteractive
 
 WORKDIR /usr/local/bin
-RUN apt update && apt install -y curl unzip libsecret-1-0 jq
+
+RUN apt update && apt install -y curl unzip jq
+
 RUN export VER=$(curl -H "Accept: application/vnd.github+json" https://api.github.com/repos/bitwarden/clients/releases | jq -r 'sort_by(.published_at) | reverse | .[].name | select( index("CLI") )' | sed 's:.*CLI v::' | head -n 1) && \
 curl -LO "https://github.com/bitwarden/clients/releases/download/cli-v{$VER}/bw-linux-{$VER}.zip" \
 && unzip *.zip && chmod +x ./bw

From 6408264eb71d0ae7a5df0feb09ca358adc29f8e4 Mon Sep 17 00:00:00 2001
From: tangowithfoxtrot <5676771+tangowithfoxtrot@users.noreply.github.com>
Date: Tue, 7 May 2024 05:04:11 -0700
Subject: [PATCH 06/18] rm unnecessary exports

---
 Dockerfile | 2 +-
 entrypoint.sh | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index c44f9e7..4fe7fa0 100644
--- a/Dockerfile
+++ b/Dockerfile
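Review bot: The rewritten `curl` line still splices `$VAULT_PASSWORD` straight into a JSON string, so a password containing `"` or `\` yields an invalid body and the unlock loop never terminates; it also places the password in the process argument list, where any other process in the container can read it. `jq` is in this image (the Dockerfile copies it), so build the body safely and feed it on stdin: `while ! jq -cn --arg p "$VAULT_PASSWORD" '{password: $p}' | curl -sX POST -H "Content-Type: application/json" -d @- "http://localhost:${SERVE_PORT:-8087}/unlock" >/dev/null; do`. The enclosing `if` block closes outside the hunk.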
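Review bot: The rewritten install line uses `apt` instead of `apt-get` and pulls in recommends, which is slower and noisier than a builder stage needs; prefer `RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates curl jq unzip && rm -rf /var/lib/apt/lists/*`. Naming `ca-certificates` explicitly matters here because the app stage copies `/etc/ssl/certs/ca-certificates.crt` out of this stage and today appears to get it only as a transitive recommend of `curl`, which `--no-install-recommends` would drop. Pinning the package versions would also make the set of shared libraries copied into the app stage reproducible.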
@@ -9,7 +9,7 @@ WORKDIR /usr/local/bin
 
 RUN apt update && apt install -y curl unzip jq
 
-RUN export VER=$(curl -H "Accept: application/vnd.github+json" https://api.github.com/repos/bitwarden/clients/releases | jq -r 'sort_by(.published_at) | reverse | .[].name | select( index("CLI") )' | sed 's:.*CLI v::' | head -n 1) && \
+RUN VER=$(curl -H "Accept: application/vnd.github+json" https://api.github.com/repos/bitwarden/clients/releases | jq -r 'sort_by(.published_at) | reverse | .[].name | select( index("CLI") )' | sed 's:.*CLI v::' | head -n 1) && \
 curl -LO "https://github.com/bitwarden/clients/releases/download/cli-v{$VER}/bw-linux-{$VER}.zip" \
 && unzip *.zip && chmod +x ./bw
 
diff --git a/entrypoint.sh b/entrypoint.sh
index 8a046b6..f3a5fd4 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -10,11 +10,11 @@ STATUS="$(bw status | jq -r '.status')"
 
 if [[ -n "$MFA_CODE" ]]; then
 # shellcheck disable=SC2034
- export MFA_LOGIN="--method 0 --code $MFA_CODE"
+ MFA_LOGIN="--method 0 --code $MFA_CODE"
 fi
 
 if [[ -n "$BW_CLIENTSECRET" ]]; then
- export API_LOGIN="--apikey"
+ API_LOGIN="--apikey"
 fi
 
 if [[ "$STATUS" == "unauthenticated" ]]; then

From 2172b299ff67c52a60b5d769037a3cc7fa8ef9da Mon Sep 17 00:00:00 2001
From: tangowithfoxtrot <5676771+tangowithfoxtrot@users.noreply.github.com>
Date: Tue, 7 May 2024 05:31:56 -0700
Subject: [PATCH 07/18] switch to busybox

---
 Dockerfile | 69 ++++++++++--------------------------------------
 1 file changed, 12 insertions(+), 57 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 4fe7fa0..ba562df 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,7 +4,6 @@
 ###############################################
 FROM --platform=linux/amd64 debian:latest as builder
 ENV DEBIAN_FRONTEND=noninteractive
-
 WORKDIR /usr/local/bin
 
 RUN apt update && apt install -y curl unzip jq
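Review bot: The download driven by the rewritten `VER=` line is still unverified: `curl -LO` without `-f` saves an HTTP error page under the zip name and `unzip` then fails with an unrelated message, and nothing checks the archive against a known hash before `chmod +x ./bw` makes it the image's main binary. At minimum add `-f`, and compare the zip to a pinned digest before unpacking, e.g. `echo "<sha256-placeholder>  bw-linux-${VER}.zip" | sha256sum -c`, or pin `VER` via a build `ARG` instead of taking whichever GitHub release is newest at build time. Note also that `cli-v{$VER}` in the URL works only because curl treats `{…}` as a URL glob and collapses the single alternative; to the shell the braces are literal, and `-g` would break it, so write `${VER}`.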
@@ -13,69 +12,25 @@ RUN VER=$(curl -H "Accept: application/vnd.github+json" https://api.github.com/r
 curl -LO "https://github.com/bitwarden/clients/releases/download/cli-v{$VER}/bw-linux-{$VER}.zip" \
 && unzip *.zip && chmod +x ./bw
 
+RUN mkdir /lib-bw && ldd ./bw | tr -s '[:blank:]' '\n' | grep '^/lib' | xargs -I % cp % /lib-bw
+RUN mkdir /lib64-bw && ldd ./bw | tr -s '[:blank:]' '\n' | grep '^/lib64' | xargs -I % cp % /lib64-bw
+
 ###############################################
 # App stage #
 ###############################################
-FROM --platform=linux/amd64 scratch as app
-SHELL ["/bin/bash"]
-
-# binaries
-COPY --from=builder /bin/bash /bin/bash
-COPY --from=builder /usr/bin/curl /usr/bin/curl
-COPY --from=builder /usr/bin/jq /usr/bin/jq
-COPY --from=builder /usr/bin/sleep /usr/bin/sleep
-COPY --from=builder /usr/local/bin/bw /usr/local/bin/bw
+FROM --platform=linux/amd64 busybox:musl
 
-# shared libraries
-COPY --from=builder /lib/x86_64-linux-gnu/libtinfo.so.6 /lib/x86_64-linux-gnu/libtinfo.so.6
-COPY --from=builder /lib/x86_64-linux-gnu/libdl.so.2 /lib/x86_64-linux-gnu/libdl.so.2
-COPY --from=builder /lib/x86_64-linux-gnu/libstdc++.so.6 /lib/x86_64-linux-gnu/libstdc++.so.6
-COPY --from=builder /lib/x86_64-linux-gnu/libm.so.6 /lib/x86_64-linux-gnu/libm.so.6
-COPY --from=builder /lib/x86_64-linux-gnu/libgcc_s.so.1 /lib/x86_64-linux-gnu/libgcc_s.so.1
-COPY --from=builder /lib/x86_64-linux-gnu/libpthread.so.0 /lib/x86_64-linux-gnu/libpthread.so.0
-COPY --from=builder /lib/x86_64-linux-gnu/libc.so.6 /lib/x86_64-linux-gnu/libc.so.6
-COPY --from=builder /lib/x86_64-linux-gnu/libselinux.so.1 /lib/x86_64-linux-gnu/libselinux.so.1
-COPY --from=builder /lib/x86_64-linux-gnu/libpcre2-8.so.0 /lib/x86_64-linux-gnu/libpcre2-8.so.0
-COPY --from=builder /lib/x86_64-linux-gnu/libonig.so.5 /lib/x86_64-linux-gnu/libonig.so.5
-COPY --from=builder /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
-COPY --from=builder /lib/x86_64-linux-gnu/libjq.so.1 /lib/x86_64-linux-gnu/libjq.so.1
+# copy binaries
+COPY --from=builder /usr/local/bin/bw /usr/bin/bw
 
-# curl shared libraries
-COPY --from=builder /lib/x86_64-linux-gnu/libcurl.so.4 /lib/x86_64-linux-gnu/libcurl.so.4
-COPY --from=builder /lib/x86_64-linux-gnu/libz.so.1 /lib/x86_64-linux-gnu/libz.so.1
-COPY --from=builder /lib/x86_64-linux-gnu/libnghttp2.so.14 /lib/x86_64-linux-gnu/libnghttp2.so.14
-COPY --from=builder /lib/x86_64-linux-gnu/libidn2.so.0 /lib/x86_64-linux-gnu/libidn2.so.0
-COPY --from=builder /lib/x86_64-linux-gnu/librtmp.so.1 /lib/x86_64-linux-gnu/librtmp.so.1
-COPY --from=builder /lib/x86_64-linux-gnu/libssh2.so.1 /lib/x86_64-linux-gnu/libssh2.so.1
-COPY --from=builder /lib/x86_64-linux-gnu/libpsl.so.5 /lib/x86_64-linux-gnu/libpsl.so.5
-COPY --from=builder /lib/x86_64-linux-gnu/libssl.so.3 /lib/x86_64-linux-gnu/libssl.so.3
-COPY --from=builder /lib/x86_64-linux-gnu/libcrypto.so.3 /lib/x86_64-linux-gnu/libcrypto.so.3
-COPY --from=builder /lib/x86_64-linux-gnu/libgssapi_krb5.so.2 /lib/x86_64-linux-gnu/libgssapi_krb5.so.2
-COPY --from=builder /lib/x86_64-linux-gnu/libldap-2.5.so.0 /lib/x86_64-linux-gnu/libldap-2.5.so.0
-COPY --from=builder /lib/x86_64-linux-gnu/liblber-2.5.so.0 /lib/x86_64-linux-gnu/liblber-2.5.so.0
-COPY --from=builder /lib/x86_64-linux-gnu/libzstd.so.1 /lib/x86_64-linux-gnu/libzstd.so.1
-COPY --from=builder /lib/x86_64-linux-gnu/libbrotlidec.so.1 /lib/x86_64-linux-gnu/libbrotlidec.so.1
-COPY --from=builder /lib/x86_64-linux-gnu/libunistring.so.2 /lib/x86_64-linux-gnu/libunistring.so.2
-COPY --from=builder /lib/x86_64-linux-gnu/libgnutls.so.30 /lib/x86_64-linux-gnu/libgnutls.so.30
-COPY --from=builder /lib/x86_64-linux-gnu/libhogweed.so.6 /lib/x86_64-linux-gnu/libhogweed.so.6
-COPY --from=builder /lib/x86_64-linux-gnu/libnettle.so.8 /lib/x86_64-linux-gnu/libnettle.so.8
-COPY --from=builder /lib/x86_64-linux-gnu/libgmp.so.10 /lib/x86_64-linux-gnu/libgmp.so.10
-COPY --from=builder /lib/x86_64-linux-gnu/libkrb5.so.3 /lib/x86_64-linux-gnu/libkrb5.so.3
-COPY --from=builder /lib/x86_64-linux-gnu/libk5crypto.so.3 /lib/x86_64-linux-gnu/libk5crypto.so.3
-COPY --from=builder /lib/x86_64-linux-gnu/libcom_err.so.2 /lib/x86_64-linux-gnu/libcom_err.so.2
-COPY --from=builder /lib/x86_64-linux-gnu/libkrb5support.so.0 /lib/x86_64-linux-gnu/libkrb5support.so.0
-COPY --from=builder /lib/x86_64-linux-gnu/libsasl2.so.2 /lib/x86_64-linux-gnu/libsasl2.so.2
-COPY --from=builder /lib/x86_64-linux-gnu/libbrotlicommon.so.1 /lib/x86_64-linux-gnu/libbrotlicommon.so.1
-COPY --from=builder /lib/x86_64-linux-gnu/libp11-kit.so.0 /lib/x86_64-linux-gnu/libp11-kit.so.0
-COPY --from=builder /lib/x86_64-linux-gnu/libtasn1.so.6 /lib/x86_64-linux-gnu/libtasn1.so.6
-COPY --from=builder /lib/x86_64-linux-gnu/libkeyutils.so.1 /lib/x86_64-linux-gn/libkeyutils.so.1
-COPY --from=builder /lib/x86_64-linux-gnu/libresolv.so.2 /lib/x86_64-linux-gnu/libresolv.so.2
-COPY --from=builder /lib/x86_64-linux-gnu/libffi.so.8 /lib/x86_64-linux-gnu/libffi.so.8
+# copy shared libraries
+COPY --from=builder /lib-bw /lib
+COPY --from=builder /lib64-bw /lib64
 
-# ca-certificates
+# copy ca-certificates
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 
 # entrypoint
-COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+COPY entrypoint.sh /usr/bin/entrypoint.sh
 
-ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ]
+ENTRYPOINT [ "/usr/bin/entrypoint.sh" ]

From e86bd1d86e28c72abbf2d3d386d4c7e4933b2cd3 Mon Sep 17 00:00:00 2001
From: tangowithfoxtrot <5676771+tangowithfoxtrot@users.noreply.github.com>
Date: Tue, 7 May 2024 05:32:28 -0700
Subject: [PATCH 08/18] remove curl and jq dep; fix bugs

---
 entrypoint.sh | 44 +++++++++++++++++++++++++++++---------------
 1 file changed, 29 insertions(+), 15 deletions(-)

diff --git a/entrypoint.sh b/entrypoint.sh
index f3a5fd4..250cd3f 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
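Review bot: The new app stage builds on the floating `busybox:musl` tag and on whatever `ldd ./bw` reports in the builder at build time, so neither the base nor the set of glibc objects that lands in `/lib` is reproducible; pin `busybox:<version>-musl@sha256:<digest-placeholder>` and pin the builder alongside it. On the two `ldd` lines, `grep '^/lib'` already matches `/lib64/ld-linux-x86-64.so.2`, so the first `RUN` also drops the loader into `/lib` and only the second one's `/lib64` copy is what the kernel actually uses, and flattening `/lib/x86_64-linux-gnu/*.so` into `/lib` works because `/lib` is in the glibc loader's default search path, which deserves a comment so nobody "fixes" it later. Running `ldd` on a freshly downloaded, unverified binary is also worth noting, since on glibc `ldd` works by invoking the dynamic loader on the program; verifying the archive hash before this step (see the download `RUN` above the hunk) closes that. The final image still runs as root with no `USER`.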
@@ -1,38 +1,52 @@
-#!/bin/bash
+#!/bin/sh
 
 # to enable interactive CLI usage
-if [[ $# -gt 0 ]]; then
+if [ $# -gt 0 ]; then
 bw "$@"
 exit $?
 fi
 
-STATUS="$(bw status | jq -r '.status')"
+STATUS="$(bw status --pretty | grep 'status' | sed 's/status": "//g' | grep -oE '(\w+)' || echo "Could not get vault status. Exiting..." && exit 1)"
 
-if [[ -n "$MFA_CODE" ]]; then
+if [ -n "$MFA_CODE" ]; then
 # shellcheck disable=SC2034
 MFA_LOGIN="--method 0 --code $MFA_CODE"
 fi
 
-if [[ -n "$BW_CLIENTSECRET" ]]; then
+if [ -n "$BW_CLIENTSECRET" ]; then
 API_LOGIN="--apikey"
 fi
 
-if [[ "$STATUS" == "unauthenticated" ]]; then
+if [ "$STATUS" != "authenticated" ]; then
 bw config server "$SERVER_HOST_URL" && echo
- # shellcheck disable=SC2086
- bw login "$VAULT_EMAIL" "$VAULT_PASSWORD" $API_LOGIN $MFA_LOGIN && echo
+ # shellcheck disable=SC2086,SC2155
+ BW_TMP_SESSION="$(bw login --raw "$VAULT_EMAIL" "$VAULT_PASSWORD" $API_LOGIN $MFA_LOGIN)" && echo
 fi
 
-bw serve --hostname all --port "${SERVE_PORT:-8087}" &
-BW_SERVE_PID=$!
-echo "\`bw serve\` pid: $BW_SERVE_PID"
+if [ "$UNLOCK_VAULT" = "true" ]; then
+ if [ -n "$BW_TMP_SESSION" ]; then
+ export BW_SESSION="$BW_TMP_SESSION"
+ # unset the temp session key
+ unset BW_TMP_SESSION
+ else
+ # shellcheck disable=SC2155
+ export BW_SESSION="$(bw unlock --raw)"
+ fi
+ sleep 1
+
+ if [ "$(bw status --pretty | grep 'status' | sed 's/status": "//g' | grep -oE '(\w+)')" = "unauthenticated" ]; then
+ echo "Could not authenticate with Bitwarden. Exiting..." && exit 1
+ fi
 
-if [[ "$UNLOCK_VAULT" == "true" ]]; then
- while ! curl -sX POST -H "Content-Type: application/json" -d "{\"password\": \"$VAULT_PASSWORD\"}" "http://localhost:${SERVE_PORT:-8087}/unlock" >/dev/null; do
- sleep 1
- done
 echo "Vault unlocked!"
+else
+ # unset the temp session key
+ unset BW_TMP_SESSION
 fi
 
+bw serve --hostname all --port "${SERVE_PORT:-8087}" &
+BW_SERVE_PID=$!
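Review bot: In the new `STATUS=` line the `|| echo "Could not get vault status. Exiting..." && exit 1` sits inside the command substitution, so `exit 1` only ends that subshell (and, because `||` and `&&` bind left to right, it runs even when the pipeline succeeds); the script never stops, and on failure `STATUS` holds the error text and falls through into the login branch. Move the check outside the substitution: `STATUS="$(bw status --pretty | grep 'status' | sed 's/status": "//g' | grep -oE '(\w+)')" || { echo "Could not get vault status. Exiting..." >&2; exit 1; }`. The same parse pipeline is repeated in the later `if [ "$(bw status --pretty ...)" = "unauthenticated" ]` check and would be clearer as a small function; `grep -oE '(\w+)'` also relies on busybox's regex engine accepting `\w`, which POSIX ERE does not guarantee, so confirm it on the target image. The `bw login` call still passes `$VAULT_PASSWORD` as an argument; `--passwordenv VAULT_PASSWORD` keeps it out of the process list.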
+echo "\`bw serve\` pid: $BW_SERVE_PID"
+
 echo "Server can be reached at: http://localhost:${SERVE_PORT:-8087}/status"
 sleep infinity

From 1bcfc42e7b5f331f9bce6cb01db130f3e2671fd6 Mon Sep 17 00:00:00 2001
From: tangowithfoxtrot <5676771+tangowithfoxtrot@users.noreply.github.com>
Date: Tue, 7 May 2024 05:34:35 -0700
Subject: [PATCH 09/18] suggest busybox image as the default

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 4751abb..2483e75 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@ services:
 container_name: bw_api
 hostname: bw_api
 platform: linux/amd64
- image: tangowithfoxtrot/bw-cli:${TAG:-latest}
+ image: tangowithfoxtrot/bw-cli:${TAG:-busybox-lastest}
 # environment: # uncomment if you're passing $VAULT_PASSWORD as a secret to unlock the vault
 # UNLOCK_VAULT: true
 volumes:

From cfafb8cde52761627e30b7cfc5bd941ff95c45c5 Mon Sep 17 00:00:00 2001
From: tangowithfoxtrot <5676771+tangowithfoxtrot@users.noreply.github.com>
Date: Tue, 7 May 2024 05:34:51 -0700
Subject: [PATCH 10/18] format

---
 README.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 2483e75..98f8e3f 100644
--- a/README.md
+++ b/README.md
@@ -1,18 +1,21 @@
 # bw-docker
+
 The latest Bitwarden CLI in a Docker container.
 
 ## Instructions
+
 ### Interactive CLI
+
 Run `docker build -t bw-cli:latest .`
 
 Then, `docker run -v $HOME/.config/Bitwarden\ CLI/:/root/.config/Bitwarden\ CLI/ -it bw-cli:latest login`
 
 ### Serve API
+
 Create a local [Vault Management API](https://bitwarden.com/help/vault-management-api/) instance:
 
 `docker-compose.yml`
 ```yaml
-version: "3.3"
 services:
 bw_api:
 container_name: bw_api

From 234bac297f5b8ccbc912c36b399c7ea578f0feaf Mon Sep 17 00:00:00 2001
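Review bot: The new default tag in the README's compose snippet is spelled `busybox-lastest`, which is not a tag the workflow publishes (it pushes `busybox-latest` from patch 11 onward) and differs from the `busybox-latest` default the compose file itself switches to in patch 18, so anyone copying the snippet gets a pull failure; change it to `image: tangowithfoxtrot/bw-cli:${TAG:-busybox-latest}`.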
From: tangowithfoxtrot <5676771+tangowithfoxtrot@users.noreply.github.com>
Date: Tue, 7 May 2024 05:35:14 -0700
Subject: [PATCH 11/18] update image tag

---
 .github/workflows/docker-image.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 16e9615..6cb441d 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -25,8 +25,9 @@ jobs:
 run: docker login -u $DOCKER_USER -p $DOCKER_PASSWORD
 - name: docker build
 run: |
- docker build . --file Dockerfile --tag $DOCKER_USER/bw-cli:latest-scratch \
- --tag $DOCKER_USER/bw-cli:scratch-${{ github.event.inputs.version }} \
- --tag $DOCKER_USER/bw-cli:scratch-v${{ github.event.inputs.version }}
+ docker build . --file Dockerfile --tag $DOCKER_USER/bw-cli:latest-busybox \
+ --tag $DOCKER_USER/bw-cli:busybox-latest \
+ --tag $DOCKER_USER/bw-cli:busybox-${{ github.event.inputs.version }} \
+ --tag $DOCKER_USER/bw-cli:busybox-v${{ github.event.inputs.version }}
 - name: docker push
 run: docker push -a $DOCKER_USER/bw-cli

From 49cfd829c2b7f0c0f72daca9787f7bf9160f1aaf Mon Sep 17 00:00:00 2001
From: tangowithfoxtrot <5676771+tangowithfoxtrot@users.noreply.github.com>
Date: Sat, 18 May 2024 14:23:08 -0700
Subject: [PATCH 12/18] add attestation

---
 .github/workflows/docker-image.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 6cb441d..4d06cb5 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -25,9 +25,10 @@ jobs:
 run: docker login -u $DOCKER_USER -p $DOCKER_PASSWORD
 - name: docker build
 run: |
- docker build . --file Dockerfile --tag $DOCKER_USER/bw-cli:latest-busybox \
- --tag $DOCKER_USER/bw-cli:busybox-latest \
- --tag $DOCKER_USER/bw-cli:busybox-${{ github.event.inputs.version }} \
- --tag $DOCKER_USER/bw-cli:busybox-v${{ github.event.inputs.version }}
+ docker build . --file Dockerfile --tag $DOCKER_USER/bw-cli:latest-busybox \|
+ --provenance=mode=max \
+ --tag $DOCKER_USER/bw-cli:busybox-latest \
+ --tag $DOCKER_USER/bw-cli:busybox-${{ github.event.inputs.version }} \
+ --tag $DOCKER_USER/bw-cli:busybox-v${{ github.event.inputs.version }}
 - name: docker push
 run: docker push -a $DOCKER_USER/bw-cli

From fc2f9dbe4f4280bdd257870d22e0b6c912145395 Mon Sep 17 00:00:00 2001
From: tangowithfoxtrot <5676771+tangowithfoxtrot@users.noreply.github.com>
Date: Sat, 18 May 2024 15:10:46 -0700
Subject: [PATCH 13/18] add sbom attestation

Signed-off-by: tangowithfoxtrot <5676771+tangowithfoxtrot@users.noreply.github.com>
---
 .github/workflows/docker-image.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 4d06cb5..bbe5431 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -27,6 +27,7 @@ jobs:
 run: |
 docker build . --file Dockerfile --tag $DOCKER_USER/bw-cli:latest-busybox \|
 --provenance=mode=max \
+ --sbom=true \
 --tag $DOCKER_USER/bw-cli:busybox-latest \
 --tag $DOCKER_USER/bw-cli:busybox-${{ github.event.inputs.version }} \
 --tag $DOCKER_USER/bw-cli:busybox-v${{ github.event.inputs.version }}

From 4b95161a47db0e0def1d59795ecf5cc970775dbb Mon Sep 17 00:00:00 2001
From: tangowithfoxtrot <5676771+tangowithfoxtrot@users.noreply.github.com>
Date: Sat, 25 May 2024 09:41:28 -0700
Subject: [PATCH 14/18] ignore local-only override files

---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
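Review bot: The rewritten first `docker build` line ends in `\|` rather than `\`, so the backslash escapes the pipe character instead of the newline: `docker build` receives a literal `|` as an extra positional argument and the following `--provenance=mode=max \` line starts a new command, which fails the step under the workflow's default `bash -e` shell. The same line is carried as context by the `--sbom=true` hunk in patch 13, so both builds are broken as committed; change it to `docker build . --file Dockerfile --tag $DOCKER_USER/bw-cli:latest-busybox \`. Separately, `--provenance` and `--sbom` are BuildKit/buildx options, so if the runner's `docker build` is the legacy builder they will be rejected and a buildx setup step (or `docker buildx build`) is needed; the earlier steps are outside this hunk so I cannot confirm which applies.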
diff --git a/.gitignore b/.gitignore
index 03bd412..90f5182 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 *.env
+*.override.*

From 2d4c453d3572e943ac51ded6cb6926b2d1ae5b98 Mon Sep 17 00:00:00 2001
From: tangowithfoxtrot <5676771+tangowithfoxtrot@users.noreply.github.com>
Date: Sat, 25 May 2024 11:16:20 -0700
Subject: [PATCH 15/18] fix: vault not unlocking

---
 entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/entrypoint.sh b/entrypoint.sh
index 250cd3f..2354397 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -30,7 +30,7 @@ if [ "$UNLOCK_VAULT" = "true" ]; then
 unset BW_TMP_SESSION
 else
 # shellcheck disable=SC2155
- export BW_SESSION="$(bw unlock --raw)"
+ export BW_SESSION="$(bw unlock --raw "$VAULT_PASSWORD")"
 fi
 sleep 1
 

From 7743f6cfb1041af75cbe2898910f9b19589eab1a Mon Sep 17 00:00:00 2001
From: tangowithfoxtrot <5676771+tangowithfoxtrot@users.noreply.github.com>
Date: Sat, 25 May 2024 11:16:53 -0700
Subject: [PATCH 16/18] remove curl healthcheck

---
 README.md | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/README.md b/README.md
index 98f8e3f..a5a01b5 100644
--- a/README.md
+++ b/README.md
@@ -29,10 +29,4 @@ services:
 # - "$HOME/Library/Application Support/Bitwarden CLI:/root/.config/Bitwarden CLI" # macOS
 ports:
 - "127.0.0.1:${SERVE_PORT:-8087}:${SERVE_PORT:-8087}"
- healthcheck:
- test: curl -f http://localhost:${SERVE_PORT:-8087}/status || exit 1
- interval: 5s
- timeout: 2s
- retries: 3
- start_period: 5s
 ```

From 72a8438c422482fd2cab736e40c42f20a132ba9a Mon Sep 17 00:00:00 2001
From: tangowithfoxtrot <5676771+tangowithfoxtrot@users.noreply.github.com>
Date: Sat, 25 May 2024 11:19:30 -0700
Subject: [PATCH 17/18] rm deprecated version

---
 docker-compose.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index c3d9924..d3fb9dd 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,4 +1,3 @@
-version: "3.3"
 services:
 bw_api:
 container_name: bw_api
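Review bot: The fix passes `$VAULT_PASSWORD` to `bw unlock` as a command-line argument, so for the duration of the call the master password is visible in the container's process list; the CLI can read it from the environment instead, `export BW_SESSION="$(bw unlock --raw --passwordenv VAULT_PASSWORD)"`, which keeps the existing variable contract with the compose file, and the `bw login` call earlier in the script would benefit from the same flag. The kept `# shellcheck disable=SC2155` still hides a real gap: if `bw unlock` fails, `export` returns 0 and `BW_SESSION` is exported empty, and the `bw status` check that follows only rejects `unauthenticated`, not a vault that is still locked, so the script prints "Vault unlocked!" anyway; add `[ -n "$BW_SESSION" ] || { echo "Unlock failed" >&2; exit 1; }` after the `fi`. The enclosing `if` block starts and ends outside the hunk.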
From 2923831b7a95b224965c1c8d5e28812dc8c07768 Mon Sep 17 00:00:00 2001
From: tangowithfoxtrot <5676771+tangowithfoxtrot@users.noreply.github.com>
Date: Sat, 25 May 2024 11:20:30 -0700
Subject: [PATCH 18/18] update compose file

---
 docker-compose.yml | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index d3fb9dd..487cfc5 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,7 +3,7 @@ services:
 container_name: bw_api
 hostname: bw_api
 platform: linux/amd64
- image: tangowithfoxtrot/bw-cli:${TAG:-latest}
+ image: tangowithfoxtrot/bw-cli:${TAG:-busybox-latest}
 # build:
 # context: .
 # dockerfile: Dockerfile
@@ -16,9 +16,3 @@ services:
 # - "$HOME/Library/Application Support/Bitwarden CLI:/root/.config/Bitwarden CLI" # macOS
 ports:
 - "127.0.0.1:${SERVE_PORT:-8087}:${SERVE_PORT:-8087}"
- healthcheck:
- test: curl -f http://localhost:${SERVE_PORT:-8087}/status || exit 1
- interval: 5s
- timeout: 2s
- retries: 3
- start_period: 5s
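Review bot: Dropping the compose `healthcheck` in the second hunk (presumably because `curl` left the image in patch 07) leaves the service with no liveness signal, so a wedged `bw serve` keeps reporting as healthy; busybox ships `wget`, so the check can stay as `test: wget -qO- http://localhost:${SERVE_PORT:-8087}/status || exit 1` with the same interval, timeout and retries. The README snippet had the same block removed in patch 16 and should be kept in step with whatever is decided here. The new default image tag `busybox-latest` at least matches what the workflow pushes, but a version-tag default would make `docker compose pull` reproducible.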