fix: remove unreference COPY in Dockerfile

update Actions

.github/workflows/image-publish-dev.yaml

@@ -0,0 +1,50 @@
+#
+name: Create and publish a Docker image
+
+# Configures this workflow to run every time a change is pushed to the branch called `release`.
+on:
+  push:
+    branches:
+      - master
+  workflow_dispatch:
+
+# Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds.
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+# There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu.
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
+    permissions:
+      contents: read
+      packages: write
+      # 
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Get commit tag
+        id: repository
+        run: echo "tag=$(git describe --tags HEAD)" > $GITHUB_ENV
+        
+      # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
+      # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.
+      # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: |
+            ghcr.io/minoplhy/docker-ripe-atlas:dev

.github/workflows/image-publish.yaml

@@ -27,7 +27,7 @@ jobs:
         uses: actions/checkout@v4
       # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
       - name: Log in to the Container registry
-        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -35,14 +35,14 @@ jobs:
       # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels.
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
       # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
       # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.
       # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
       - name: Build and push Docker image
-        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: true

Dockerfile

@@ -1,18 +1,19 @@
 ## builder
-FROM debian:12 as builder
+FROM alpine:3.21 as builder
 LABEL image="ripe-atlas-builder"
-ARG DEBIAN_FRONTEND=noninteractive
 ARG GIT_URL=https://github.com/RIPE-NCC/ripe-atlas-software-probe.git
 
-WORKDIR /tmp
+WORKDIR /
 
-RUN apt-get update -y && \
+RUN apk update && \
-        apt-get install -y git build-essential debhelper libssl-dev autotools-dev psmisc net-tools
+		apk upgrade && \
+        apk add git alpine-sdk openssl-dev autoconf automake libtool linux-headers musl-dev psmisc net-tools
 RUN git clone --recursive "$GIT_URL" /tmp/ripe-atlas-software-probe
 
 WORKDIR /tmp/ripe-atlas-software-probe
-# version 5100
+# version 5110
-RUN git checkout 5100
+RUN git checkout 5110
+
 RUN autoreconf -iv
 RUN ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=/usr/lib64 --runstatedir=/run --with-user=ripe-atlas --with-group=ripe-atlas --with-measurement-user=ripe-atlas --disable-systemd --enable-chown --enable-setcap-install
 RUN make
@@ -24,21 +25,20 @@ LABEL image="ripe-atlas-artifacts"
 COPY --from=builder /tmp/ripe-atlas-software-probe /
 
 ## the actual image
-FROM debian:12
+FROM alpine:3.21
-LABEL maintainer="dockerhub@public.swineson.me"
+LABEL maintainer="c@3qx.nl"
 LABEL image="ripe-atlas"
 
 COPY --from=builder /tmp/ripe-atlas-software-probe /tmp/ripe-atlas-software-probe
 
 ARG ATLAS_UID=101
-ARG ATLAS_MEAS_UID=102
+ARG ATLAS_GID=656
-ARG ATLAS_GID=999
 RUN ln -s /bin/true /bin/systemctl \
 	&& adduser --system --uid $ATLAS_UID ripe-atlas \
-	&& groupadd --force --system --gid $ATLAS_GID ripe-atlas \
+	&& addgroup --system --gid $ATLAS_GID ripe-atlas \
-	&& apt-get update -y \
+	&& apk update \
-	&& apt-get install -y libcap2-bin iproute2 openssh-client procps net-tools tini debhelper libssl-dev autotools-dev psmisc opensysusers
+	&& apk upgrade \
-
+	&& apk add libcap iproute2 openssh-client procps net-tools tini openssl-dev autoconf automake psmisc alpine-sdk libtool linux-headers bash setpriv
 WORKDIR /tmp/ripe-atlas-software-probe
 RUN make install
 
@@ -46,11 +46,8 @@ RUN make install
 
 COPY entrypoint.sh /usr/local/bin
 RUN chmod +x /usr/local/bin/* \
-	&& rm -rf /var/lib/apt/lists/* \
 	&& rm -rf /tmp/ripe-atlas-software-probe \
-	&& mkdir -p /opt/ripe-atlas \
+	&& apk del autoconf automake psmisc alpine-sdk libtool linux-headers
-	&& chown -R ripe-atlas:ripe-atlas /opt/ripe-atlas \
-	&& chmod 777 /opt/ripe-atlas
 
 WORKDIR /
 VOLUME [ "/etc/ripe-atlas", "/run/ripe-atlas/status", "/var/spool/ripe-atlas" ]

README.md

@@ -79,6 +79,21 @@ Note that building this container image requires [BuildKit](https://docs.docker.
 
 If you are on older versions: Docker does not enable IPv6 by default. If you want IPv6 support, some level of setup and a basic understanding of IPv6 is required. Swarm mode & some Kubernetes implementation supports IPv6 too with extra configuration.
 
+### IPv6 on Alpine Linux host
+
+At the time of writing, `docker` package on Alpine Linux has problem connecting to outside of container on IPv6, this is caused by somehow docker package Alpine Linux doesn't set NAT routing on ip6tables, this could be fixed by
+
+1. Add the following ip6tables rule directly:
+	```shell
+	ip6tables -t nat -A POSTROUTING -s <Docker IPv6 subnet>/64 -o <Internet Interface> -j MASQUERADE
+	```
+2. if you're using AWALL add following in `private/`:
+	```json
+	"snat": [ 
+		{ "src": ["<Docker IPv6 subnet>/64"], "out": "<Internet Interface>", "family" : "inet6" }
+	],
+	```
+
 #### Using native address assignment
 
 If you happened to have a block of static IPv6 addresses routed to your host, you can directly assign one of the addresses to the container. Edit `/etc/docker/daemon.json` and add native IPv6 address blocks, then restart the Docker daemon. An example:

docker-compose-ipv6.yaml

@@ -0,0 +1,41 @@
+services:
+  ripe-atlas:
+    image: ghcr.io/minoplhy/docker-ripe-atlas:latest
+    restart: always
+    environment:
+      RXTXRPT: "yes"
+    volumes:
+      - "./etc:/etc/ripe-atlas"
+      - "./run:/run/ripe-atlas/status"
+      - ./spool:/var/spool/ripe-atlas
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETUID
+      - SETGID
+      - DAC_OVERRIDE
+      - NET_RAW
+    networks:
+      - atlas-network
+    mem_limit: "64000000000"
+    mem_reservation: 64m
+    labels:
+      - "traefik.enable=false"
+      - "com.centurylinklabs.watchtower.enable=true"
+    logging:
+      driver: json-file
+      options:
+         max-size: 10m
+    # network_mode: "host" # if possible, avoid double NAT
+    # security_opt:
+    #   - seccomp:unconfined
+networks:
+  atlas-network:
+    driver: bridge
+    enable_ipv6: true
+    ipam:
+       config:
+         - subnet: 2001:db8:1:2::/64
+    driver_opts:
+      com.docker.network.bridge.name: atlas-network

entrypoint.sh

@@ -7,10 +7,7 @@ if ! sleep 0 >/dev/null 2>&1; then
 fi
 
 export ATLAS_UID="${ATLAS_UID:-101}"
-export ATLAS_GID="${ATLAS_GID:-999}"
+export ATLAS_GID="${ATLAS_GID:-656}"
-
-usermod -u $ATLAS_UID ripe-atlas
-groupmod -g $ATLAS_GID ripe-atlas
 
 # create essential files and fix permission
 mkdir -p /var/spool/ripe-atlas
@@ -21,10 +18,16 @@ mkdir -p /run/ripe-atlas/status
 chown -R ripe-atlas:ripe-atlas /run/ripe-atlas/status || true
 mkdir -p /etc/ripe-atlas
 chown -R ripe-atlas:ripe-atlas /etc/ripe-atlas || true
+
+mkdir -p /var/spool/ripe-atlas/crons/7
+chown -R ripe-atlas:ripe-atlas /var/spool/ripe-atlas/crons/7 || true
+touch /run/ripe-atlas/pids/perd-7.pid.vol
+chown -R ripe-atlas:ripe-atlas /run/ripe-atlas/pids || true
+
 #mkdir -p /var/atlas-probe/state
 #chown -R ripe-atlas:ripe-atlas /var/atlas-probe/state || true
 
 # (init) set atlas mode to prod
 echo "prod" > /etc/ripe-atlas/mode || true
 
-exec setpriv --reuid=$ATLAS_UID --regid=$ATLAS_GID --init-groups "$@"
+exec setpriv --reuid $ATLAS_UID --regid $ATLAS_GID --init-groups "$@"