build: use build secrets in Dockerfile

Signed-off-by: Viet Nguyen Duc <[email protected]>

Author: VietND96

Base/Dockerfile

@@ -14,7 +14,6 @@ ARG CS_VERSION=2.1.10
 #Arguments to define the user running Selenium
 ARG SEL_USER=seluser
 ARG SEL_GROUP=${SEL_USER}
-ARG SEL_PASSWD=secret
 ARG HOME=/home/${SEL_USER}
 ARG UID=1200
 ARG GID=1201
@@ -39,7 +38,8 @@ ENV DEBIAN_FRONTEND=noninteractive \
 # Miscellaneous packages
 # Includes minimal runtime used for executing non GUI Java programs
 #========================
-RUN  if [ "$(dpkg --print-architecture)" = "amd64" ]; then \
+RUN --mount=type=secret,id=SEL_PASSWD \
+  if [ "$(dpkg --print-architecture)" = "amd64" ]; then \
       echo "deb http://archive.ubuntu.com/ubuntu noble main universe\n" > /etc/apt/sources.list \
       && echo "deb http://archive.ubuntu.com/ubuntu noble-updates main universe\n" >> /etc/apt/sources.list \
       && echo "deb http://security.ubuntu.com/ubuntu noble-security main universe\n" >> /etc/apt/sources.list ; \
@@ -86,7 +86,7 @@ RUN  if [ "$(dpkg --print-architecture)" = "amd64" ]; then \
          --uid ${SEL_UID} \
   && usermod -a -G sudo ${SEL_USER} \
   && echo 'ALL ALL = (ALL) NOPASSWD: ALL' >> /etc/sudoers \
-  && echo "${SEL_USER}:${SEL_PASSWD}" | chpasswd \
+  && echo "${SEL_USER}:$(cat /run/secrets/SEL_PASSWD)" | chpasswd \
 #==========
 # Selenium & relaxing permissions for OpenShift and other non-sudo environments
 #==========
@@ -99,7 +99,6 @@ RUN  if [ "$(dpkg --print-architecture)" = "amd64" ]; then \
   && chmod -R 775 /opt/selenium /var/run/supervisor /var/log/supervisor /etc/passwd ${HOME} \
   && wget --no-verbose https://github.com/${AUTHORS}/selenium/releases/download/${RELEASE}/selenium-server-${VERSION}.jar \
     -O /opt/selenium/selenium-server.jar \
-  && echo "${SEL_PASSWD}" > /opt/selenium/initialPasswd \
   && chgrp -R 0 /opt/selenium ${HOME} /opt/selenium/assets /var/run/supervisor /var/log/supervisor \
   && chmod -R g=u /opt/selenium ${HOME} /opt/selenium/assets /var/run/supervisor /var/log/supervisor \
   && setfacl -Rm u:${SEL_USER}:rwx /opt /opt/selenium ${HOME} /opt/selenium/assets /var/run/supervisor /var/log/supervisor \

Makefile

@@ -22,6 +22,7 @@ FFMPEG_TAG_VERSION := $(or $(FFMPEG_TAG_VERSION),$(FFMPEG_TAG_VERSION),ffmpeg-7.
 FFMPEG_BASED_NAME := $(or $(FFMPEG_BASED_NAME),$(FFMPEG_BASED_NAME),linuxserver)
 FFMPEG_BASED_TAG := $(or $(FFMPEG_BASED_TAG),$(FFMPEG_BASED_TAG),7.0.1)
 PLATFORMS := $(or $(PLATFORMS),$(shell echo $$PLATFORMS),linux/amd64)
+SEL_PASSWD := $(or $(SEL_PASSWD),$(SEL_PASSWD),secret)
 
 all: hub \
 	distributor \
@@ -75,7 +76,8 @@ gen_certs:
 	./Base/certs/gen-cert-helper.sh -d ./Base/certs
 
 base: prepare_resources gen_certs
-	cd ./Base && docker buildx build --platform $(PLATFORMS) $(BUILD_ARGS) --build-arg VERSION=$(BASE_VERSION) --build-arg RELEASE=$(BASE_RELEASE) --build-arg AUTHORS=$(AUTHORS) --sbom=true --attest type=provenance,mode=max -t $(NAME)/base:$(TAG_VERSION) .
+	cd ./Base && SEL_PASSWD=$(SEL_PASSWD) docker buildx build --platform $(PLATFORMS) $(BUILD_ARGS) --build-arg VERSION=$(BASE_VERSION) --build-arg RELEASE=$(BASE_RELEASE) --build-arg AUTHORS=$(AUTHORS) \
+	--secret id=SEL_PASSWD --sbom=true --attest type=provenance,mode=max -t $(NAME)/base:$(TAG_VERSION) .
 
 base_nightly:
 	BASE_VERSION=$(BASE_VERSION_NIGHTLY) BASE_RELEASE=$(BASE_RELEASE_NIGHTLY) make base
@@ -99,7 +101,7 @@ event_bus: base
 	cd ./EventBus && docker buildx build --platform $(PLATFORMS) $(BUILD_ARGS) $(FROM_IMAGE_ARGS) -t $(NAME)/event-bus:$(TAG_VERSION) .
 
 node_base: base
-	cd ./NodeBase && docker buildx build --platform $(PLATFORMS) $(BUILD_ARGS) $(FROM_IMAGE_ARGS) -t $(NAME)/node-base:$(TAG_VERSION) .
+	cd ./NodeBase && SEL_PASSWD=$(SEL_PASSWD) docker buildx build --platform $(PLATFORMS) $(BUILD_ARGS) $(FROM_IMAGE_ARGS) --secret id=SEL_PASSWD -t $(NAME)/node-base:$(TAG_VERSION) .
 
 chrome: node_base
 	case "$(PLATFORMS)" in \
@@ -200,7 +202,7 @@ standalone_edge_beta: edge_beta
 	cd ./Standalone && docker buildx build --platform $(PLATFORMS) $(BUILD_ARGS) --build-arg NAMESPACE=$(NAME) --build-arg VERSION=beta --build-arg BASE=node-edge -t $(NAME)/standalone-edge:beta .
 
 video:
-	cd ./Video && docker buildx build --platform $(PLATFORMS) $(BUILD_ARGS) --build-arg NAMESPACE=$(FFMPEG_BASED_NAME) --build-arg BASED_TAG=$(FFMPEG_BASED_TAG) -t $(NAME)/video:$(FFMPEG_TAG_VERSION)-$(BUILD_DATE) .
+	cd ./Video && SEL_PASSWD=$(SEL_PASSWD) docker buildx build --platform $(PLATFORMS) $(BUILD_ARGS) --build-arg NAMESPACE=$(FFMPEG_BASED_NAME) --build-arg BASED_TAG=$(FFMPEG_BASED_TAG) --secret id=SEL_PASSWD --sbom=true --attest type=provenance,mode=max -t $(NAME)/video:$(FFMPEG_TAG_VERSION)-$(BUILD_DATE) .
 
 count_image_layers:
 	docker history $(NAME)/base:$(TAG_VERSION) -q | wc -l

NodeBase/Dockerfile

@@ -67,7 +67,8 @@ ENV LANG_WHICH=${LANG_WHICH} \
     # Following line fixes https://github.com/SeleniumHQ/docker-selenium/issues/87
     DBUS_SESSION_BUS_ADDRESS=/dev/null
 
-RUN apt-get update -qqy \
+RUN --mount=type=secret,id=SEL_PASSWD \
+  apt-get update -qqy \
   && apt-get -qqy --no-install-recommends install \
 #==============
 # Xvfb
@@ -130,7 +131,7 @@ RUN apt-get update -qqy \
 # Generating the VNC password using initial password in Base image
 # Changing ownership to ${SEL_USER}, so the service can be started
 #==============================
-  && x11vnc -storepasswd $(cat /opt/selenium/initialPasswd) ${HOME}/.vnc/passwd \
+  && x11vnc -storepasswd $(cat /run/secrets/SEL_PASSWD) ${HOME}/.vnc/passwd \
   && chown -R "${SEL_USER}:${SEL_GROUP}" ${HOME}/.vnc \
   && chmod -R 775 ${HOME} /tmp/.X11-unix \
   && chgrp -R 0 ${HOME} /tmp/.X11-unix \

Video/Dockerfile

@@ -7,7 +7,6 @@ ARG RCLONE_VERSION=current
 #Arguments to define the user running the container
 ARG SEL_USER=seluser
 ARG SEL_GROUP=${SEL_USER}
-ARG SEL_PASSWD=secret
 ARG HOME=/home/${SEL_USER}
 ARG UID=1200
 ARG GID=1201
@@ -34,7 +33,7 @@ ENV DEBIAN_FRONTEND=noninteractive \
 RUN apt-get -qqy update \
   && apt-get upgrade -yq \
   && apt-get -qqy --no-install-recommends install \
-    supervisor x11-xserver-utils x11-utils libxcb1-dev curl jq python3-pip tzdata acl unzip python3-psutil \
+    supervisor x11-xserver-utils x11-utils libxcb1-dev curl jq python3-pip tzdata acl unzip python3-psutil python3-setuptools \
   && rm -rf /var/lib/apt/lists/* /var/cache/apt/*
 
 #===================
@@ -57,7 +56,8 @@ ENV SEL_USER=${SEL_USER} \
 #========================================
 # Add normal user and group with passwordless sudo
 #========================================
-RUN groupadd ${SEL_GROUP} \
+RUN --mount=type=secret,id=SEL_PASSWD \
+  groupadd ${SEL_GROUP} \
          --gid ${SEL_GID} \
   && useradd ${SEL_USER} \
          --create-home \
@@ -66,7 +66,7 @@ RUN groupadd ${SEL_GROUP} \
          --uid ${SEL_UID} \
   && usermod -a -G sudo ${SEL_USER} \
   && echo 'ALL ALL = (ALL) NOPASSWD: ALL' >> /etc/sudoers \
-  && echo "${SEL_USER}:${SEL_PASSWD}" | chpasswd
+  && echo "${SEL_USER}:$(cat /run/secrets/SEL_PASSWD)" | chpasswd
 
 #======================================
 # Add Supervisor configuration files
@@ -83,9 +83,8 @@ RUN curl -fLo /tmp/rclone.zip https://downloads.rclone.org/rclone-${RCLONE_VERSI
   && rm -rf /tmp/rclone-*
 COPY --chown="${SEL_UID}:${SEL_GID}" upload.sh upload.conf /opt/bin/
 ENV SE_VIDEO_UPLOAD_ENABLED=false \
-    SE_UPLOAD_DESTINATION_PREFIX="" \
     SE_VIDEO_INTERNAL_UPLOAD=false \
-    UPLOAD_OPTS="-P"
+    SE_UPLOAD_DESTINATION_PREFIX=""
 
 RUN  mkdir -p /var/run/supervisor /var/log/supervisor ${VIDEO_FOLDER} \
   && chown -R ${SEL_USER}:${SEL_GROUP} /var/run/supervisor /var/log/supervisor ${VIDEO_FOLDER} ${HOME} \