From 4816bbd3f49ca4e0a053fc7c1e2b4029a475ac2b Mon Sep 17 00:00:00 2001
From: Brian Aydemir
Date: Sun, 28 Dec 2025 19:10:28 +0000
Subject: [PATCH 1/3] Add additional CAs to the trust store when containers start up
---
 images/dev-container-entrypoint.sh | 20 ++++++++++++++++----
 images/entrypoint.sh | 12 +++++++++++-
 2 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/images/dev-container-entrypoint.sh b/images/dev-container-entrypoint.sh
index 5f9c96417..8b0c14170 100755
--- a/images/dev-container-entrypoint.sh
+++ b/images/dev-container-entrypoint.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 # ***************************************************************
 #
-# Copyright (C) 2024, Pelican Project, Morgridge Institute for Research
+# Copyright (C) 2025, Pelican Project, Morgridge Institute for Research
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you
 # may not use this file except in compliance with the License. You may
@@ -17,10 +17,22 @@
 #
 # ***************************************************************
-# Run pre-commit install
-pre-commit install
+# Add additional CAs and certificates to the trust store.
+if [ -d /certs ]; then
+ shopt -s nullglob
+ for ca_cert in /certs/*.crt; do
+ cp "${ca_cert}" /etc/pki/ca-trust/source/anchors/
+ done
+ update-ca-trust extract
+ shopt -u nullglob
+fi
+
+# Install the pre-commit hook.
+if [ -d ./.git ]; then
+ pre-commit install
+fi
-# Default to bash but if a command is passed, run it
+# Default to bash but if a command is passed, run it.
 if [ $# -eq 0 ]; then
 exec /bin/bash
 else
diff --git a/images/entrypoint.sh b/images/entrypoint.sh
index 7251ddf62..aa065bf56 100755
--- a/images/entrypoint.sh
+++ b/images/entrypoint.sh
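Review bot: The trust-store block added to images/dev-container-entrypoint.sh (the same lines are added to images/entrypoint.sh in this patch) promotes every `/certs/*.crt` to a system-wide trust anchor without recording which files were added and without checking that `cp` or `update-ca-trust extract` succeeded. Whoever controls the `/certs` mount decides which CAs the container's TLS clients accept, so a line such as `echo "Adding trust anchor: ${ca_cert}" >&2` inside the loop would leave an audit trail in the container log. No `set -e` is visible in either hunk, so a failed copy (for example on a read-only root filesystem or when not running as root) would presumably leave the process running with the original trust store; `cp "${ca_cert}" /etc/pki/ca-trust/source/anchors/ || exit 1` makes that failure explicit. Both scripts continue outside the hunks shown.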
@@ -2,7 +2,7 @@
 # ***************************************************************
 #
-# Copyright (C) 2024, Pelican Project, Morgridge Institute for Research
+# Copyright (C) 2025, Pelican Project, Morgridge Institute for Research
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you
 # may not use this file except in compliance with the License. You may
@@ -20,6 +20,16 @@
 # Usage: entrypoint.sh [osdf|pelican] [daemon name] [args...]
+# Add additional CAs and certificates to the trust store.
+if [ -d /certs ]; then
+ shopt -s nullglob
+ for ca_cert in /certs/*.crt; do
+ cp "${ca_cert}" /etc/pki/ca-trust/source/anchors/
+ done
+ update-ca-trust extract
+ shopt -u nullglob
+fi
+
 # Set up OA4MP only if this is an origin.
 if [ "$2" == "origin" ]; then
 ####
From a0bda085fae2fa3ecf02ad7c2ac7e24912e6fd99 Mon Sep 17 00:00:00 2001
From: Brian Aydemir
Date: Sun, 28 Dec 2025 19:12:21 +0000
Subject: [PATCH 2/3] Install additional packages into the dev container image
'graphviz' is necessary for some of `go tool pprof`'s visualizations. 'psmisc' includes `killall`, which is useful for cleaning up after accidental mass-invocations of some command, such as the file transfer plugin.
---
 images/Dockerfile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/images/Dockerfile b/images/Dockerfile
index 7900ff6b7..3bd9760bc 100644
--- a/images/Dockerfile
+++ b/images/Dockerfile
@@ -709,10 +709,12 @@ RUN --mount=type=cache,id=dnf-${TARGETPLATFORM},target=/var/cache/dnf,sharing=lo
 gdb \
 gcc-c++ \
 git \
+ graphviz \
 jq \
 make \
 nano \
 procps \
+ psmisc \
 python3-pip \
 systemd \
 valgrind \
From 615d4296a091ce04a9add9ba447f69c86d2e76d0 Mon Sep 17 00:00:00 2001
From: Brian Aydemir
Date: Sun, 28 Dec 2025 19:15:47 +0000
Subject: [PATCH 3/3] Minor optimizations to facilitate repeated container image builds
---
 images/Dockerfile | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/images/Dockerfile b/images/Dockerfile
index 3bd9760bc..4d6aa6472 100644
--- a/images/Dockerfile
+++ b/images/Dockerfile
@@ -155,9 +155,9 @@ RUN --mount=type=cache,id=go-cache,target=/root/.cache/go-build,sharing=shared \
 set -eux
 if ${IS_NONRELEASE_BUILD}; then
- goreleaser build --clean --single-target --snapshot
+ goreleaser build --id pelican-server --clean --single-target --snapshot
 else
- goreleaser build --clean --single-target
+ goreleaser build --id pelican-server --clean --single-target
 fi
 # NOTE (brianaydemir): GoReleaser creates a dist directory whose path
@@ -208,7 +208,7 @@ RUN --mount=type=cache,id=dnf-${TARGETPLATFORM},target=/var/cache/dnf,sharing=lo
 printf '%s\n' "metadata_expire=1800" >> /etc/dnf/dnf.conf
- dnf install -y tini 'dnf-command(versionlock)'
+ dnf install -y tini 'dnf-command(versionlock)' python3-pip
 mkdir -p /etc/pelican/config.d
 mkdir -p /usr/share/pelican/config.d
@@ -531,13 +531,14 @@ ENV JAVA_HOME="/usr/lib/jvm/jre" \
 #################################################################
 # Pelican Director
 #################################################################
-FROM pelican-software-base AS director
+FROM pelican-software-base AS director-base
+RUN python3 -m pip install --no-cache-dir geoip2
+
+FROM director-base AS director
 ARG TARGETOS TARGETARCH
 COPY --from=pelican-build /pelican-build/dist/${TARGETOS}_${TARGETARCH}/pelican-server_${TARGETOS}_${TARGETARCH}/pelican-server /usr/local/sbin/pelican-server
 COPY images/entrypoint.sh /entrypoint.sh
 COPY scripts/geoquery.py /usr/local/sbin/geoquery
-RUN dnf install -y python3-pip \
- && python3 -m pip install geoip2
 ENTRYPOINT ["/entrypoint.sh", "pelican-server", "director"]
 CMD ["serve"]
@@ -573,7 +574,7 @@ CMD ["serve"]
 FROM origin AS osdf-origin
 ARG TARGETPLATFORM
-RUN --mount=type=cache,id=dnf-${TARGETPLATFORM},target=/var/cache/dnf,sharing=locked <
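Review bot: Adding `python3-pip` to the `dnf install -y tini 'dnf-command(versionlock)'` line in the -208 hunk puts a package installer into what appears to be the shared base stage, so every image derived from it would carry pip at run time; the removed `RUN dnf install -y python3-pip` in the -531 hunk shows it was previously added in the director stage itself. If only the director needs it, installing pip in the new `director-base` stage keeps the caching benefit without widening the other images. The enclosing RUN starts and ends outside the hunk, so the stage is inferred from the later `FROM pelican-software-base AS director-base` line rather than seen directly.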
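Review bot: The new `RUN python3 -m pip install --no-cache-dir geoip2` in `director-base` (the -531 hunk) installs whatever geoip2 release and transitive dependencies the package index serves at build time, so two builds of the same commit can ship different code in the director image. Pinning the version, `RUN python3 -m pip install --no-cache-dir 'geoip2==<PINNED_VERSION>'` (placeholder; the page names no version), or installing from a requirements file with `--require-hashes`, makes the layer reproducible and reviewable. Because this layer now sits ahead of the COPY steps and is cached across rebuilds, an unpinned install also stays at whichever version was first cached until the cache is invalidated, which makes the shipped version harder to reason about.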