BRE-924/update-unified-to-alpine (#380)

* switch to alpine

* add su-exec package and update script

* build testing

* add missing dep for app stage

* test entrypoint fix

* troubleshooting hbs nginx

* reset build workflow to latest main

docker-unified/Dockerfile

@@ -2,15 +2,14 @@
 ###############################################
 #                 Build stage                 #
 ###############################################
-FROM --platform=$BUILDPLATFORM debian AS web-setup
+FROM --platform=$BUILDPLATFORM alpine:3.21 AS web-setup
 
 # Add packages
-RUN apt-get update && apt-get install -y \
+RUN apk add --no-cache \
     curl \
     jq \
     unzip \
-    git \
-    && rm -rf /var/lib/apt/lists/*
+    git
 
 WORKDIR /tmp
 
@@ -34,7 +33,7 @@ RUN VERSION=$(cat version.txt) \
 ###############################################
 #                 Build stage                 #
 ###############################################
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0 AS dotnet-build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0-alpine3.21 AS dotnet-build
 
 # Docker buildx supplies the value for this arg
 ARG TARGETPLATFORM
@@ -42,18 +41,17 @@ ARG TARGETPLATFORM
 # Determine proper runtime value for .NET
 # We put the value in a file to be read by later layers.
 RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
-      RID=linux-x64 ; \
+      RID=linux-musl-x64 ; \
     elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
-      RID=linux-arm64 ; \
+      RID=linux-musl-arm64 ; \
     elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
-      RID=linux-arm ; \
+      RID=linux-musl-arm ; \
     fi \
     && echo "RID=$RID" > /tmp/rid.txt
 
 # Add packages
-RUN apt-get update && apt-get install -y \
-    npm \
-    && rm -rf /var/lib/apt/lists/*
+RUN apk add --no-cache \
+    npm
 
 # Copy csproj files as distinct layers
 WORKDIR /source
@@ -172,7 +170,7 @@ RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Scim --no-restore --no-s
 ###############################################
 #                  App stage                  #
 ###############################################
-FROM mcr.microsoft.com/dotnet/aspnet:8.0
+FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine3.21
 ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
 LABEL com.bitwarden.project="unified"
@@ -208,7 +206,7 @@ ENV globalSettings__logDirectoryByProject="false"
 ENV globalSettings__logRollBySizeLimit="1073741824"
 
 # Add packages
-RUN apt-get update && apt-get install -y \
+RUN apk add --no-cache \
     curl \
     jq \
     nginx \
@@ -216,7 +214,9 @@ RUN apt-get update && apt-get install -y \
     supervisor \
     tzdata \
     unzip \
-    && rm -rf /var/lib/apt/lists/*
+    su-exec \
+    icu-libs \
+    gcompat
 
 # Create required directories
 RUN mkdir -p /etc/bitwarden/attachments/send

docker-unified/entrypoint.sh

@@ -1,15 +1,15 @@
-#!/bin/bash
+#!/bin/sh
 
 # Set up user group
 PGID="${PGID:-1000}"
-addgroup --gid $PGID bitwarden
+addgroup -g $PGID bitwarden
 
 # Set up user
 PUID="${PUID:-1000}"
-adduser --no-create-home --shell /bin/bash --disabled-password --uid $PUID --gid $PGID --gecos "" bitwarden
+adduser -D -H -u $PUID -G bitwarden bitwarden
 
 # Translate environment variables for application settings
-VAULT_SERVICE_URI=https://$BW_DOMAIN
+VAULT_SERVICE_URI=https://${BW_DOMAIN:-localhost}
 MYSQL_CONNECTION_STRING="server=$BW_DB_SERVER;port=${BW_DB_PORT:-3306};database=$BW_DB_DATABASE;user=$BW_DB_USERNAME;password=$BW_DB_PASSWORD"
 POSTGRESQL_CONNECTION_STRING="Host=$BW_DB_SERVER;Port=${BW_DB_PORT:-5432};Database=$BW_DB_DATABASE;Username=$BW_DB_USERNAME;Password=$BW_DB_PASSWORD"
 SQLSERVER_CONNECTION_STRING="Server=$BW_DB_SERVER,${BW_DB_PORT:-1433};Database=$BW_DB_DATABASE;User Id=$BW_DB_USERNAME;Password=$BW_DB_PASSWORD;Encrypt=True;TrustServerCertificate=True"
@@ -64,7 +64,10 @@ cp /etc/bitwarden/identity.pfx /app/Identity/identity.pfx
 cp /etc/bitwarden/identity.pfx /app/Sso/identity.pfx
 
 # Generate SSL certificates
-if [ "$BW_ENABLE_SSL" = "true" -a ! -f /etc/bitwarden/${BW_SSL_KEY:-ssl.key} ]; then
+if [ "$BW_ENABLE_SSL" = "true" ] && [ ! -f /etc/bitwarden/${BW_SSL_KEY:-ssl.key} ]; then
+  TMP_OPENSSL_CONF="/tmp/openssl_san.cnf"
+  cat /usr/lib/ssl/openssl.cnf > "$TMP_OPENSSL_CONF"
+  printf "\n[SAN]\nsubjectAltName=DNS:${BW_DOMAIN:-localhost}\nbasicConstraints=CA:true\n" >> "$TMP_OPENSSL_CONF"
   openssl req \
   -x509 \
   -newkey rsa:4096 \
@@ -75,8 +78,9 @@ if [ "$BW_ENABLE_SSL" = "true" -a ! -f /etc/bitwarden/${BW_SSL_KEY:-ssl.key} ];
   -out /etc/bitwarden/${BW_SSL_CERT:-ssl.crt} \
   -reqexts SAN \
   -extensions SAN \
-  -config <(cat /usr/lib/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:${BW_DOMAIN:-localhost}\nbasicConstraints=CA:true")) \
+  -config "$TMP_OPENSSL_CONF" \
   -subj "/C=US/ST=California/L=Santa Barbara/O=Bitwarden Inc./OU=Bitwarden/CN=${BW_DOMAIN:-localhost}"
+  rm "$TMP_OPENSSL_CONF"
 fi
 
 # Launch a loop to rotate nginx logs on a daily basis
@@ -105,4 +109,8 @@ chown -R $PUID:$PGID \
     /var/run/nginx \
     /run
 
-exec setpriv --reuid=$PUID --regid=$PGID --init-groups /usr/bin/supervisord
+if command -v su-exec >/dev/null 2>&1; then
+  exec su-exec $PUID:$PGID /usr/bin/supervisord
+else
+  exec /usr/bin/supervisord
+fi