Move build configuration to separate compose file

This will:

- remove confusing warnings during deploy suggesting to build images,
which is not supported by us
- prevent accidental building of images during deployment

docker/build.env

@@ -1,7 +1,7 @@
 # special environment file to be used for building, includes all compose files so all images are build
 
 # include all compose files
-COMPOSE_FILE=docker/docker-compose.yml:docker/docker-compose-development.yml:docker/docker-compose-integration-tests.yml:docker/docker-compose-test.yml:docker/docker-compose-tools.yml:docker/docker-compose-test-runner-develop.yml:docker/docker-compose-integration-tests.yml
+COMPOSE_FILE=docker/docker-compose.yml:docker/docker-compose-build.yml:docker/docker-compose-development.yml:docker/docker-compose-integration-tests.yml:docker/docker-compose-test.yml:docker/docker-compose-tools.yml:docker/docker-compose-test-runner-develop.yml:docker/docker-compose-integration-tests.yml
 COMPOSE_PROFILES=connectiontest,cron,routinator,batch,build
 
 # don't expose HTTP(S) and DNS ports to the outside, this also causes issues due to being privileged ports

docker/docker-compose-build.yml

@@ -0,0 +1,105 @@
+services:
+  webserver:
+    build:
+      context: ..
+      dockerfile: docker/webserver.Dockerfile
+
+  app:
+    build:
+      context: ..
+      dockerfile: docker/Dockerfile
+      target: app
+
+  db-migrate:
+    build:
+      context: ..
+      dockerfile: docker/Dockerfile
+      target: app
+
+  worker: &worker
+    build:
+      context: ..
+      dockerfile: docker/Dockerfile
+      target: app
+
+  worker-nassl:
+    <<: *worker
+
+  worker-slow:
+    <<: *worker
+
+  beat:
+    build:
+      context: ..
+      dockerfile: docker/Dockerfile
+      target: app
+
+  unbound:
+    build:
+      context: ..
+      dockerfile: docker/Dockerfile
+      target: unbound
+
+  resolver-permissive:
+    build:
+      context: ..
+      dockerfile: docker/Dockerfile
+      target: unbound
+
+  resolver-validating:
+    build:
+      context: ..
+      dockerfile: docker/Dockerfile
+      target: unbound
+
+  cron:
+    build:
+      context: ..
+      dockerfile: docker/util.Dockerfile
+
+  cron-docker:
+    build:
+      context: ..
+      dockerfile: docker/util.Dockerfile
+
+  grafana:
+    build:
+      context: ..
+      dockerfile: docker/grafana.Dockerfile
+
+  test:
+    build:
+      context: ..
+      dockerfile: docker/Dockerfile
+      target: linttest
+      args:
+        RELEASE: 0.0.0-dev0
+
+  test-runner:
+    build:
+      context: ..
+      dockerfile: docker/test-runner.Dockerfile
+
+  test-runner-development-environment:
+    build:
+      context: ..
+      dockerfile: docker/test-runner.Dockerfile
+
+  test-runner-live:
+    build:
+      context: ..
+      dockerfile: docker/test-runner.Dockerfile
+
+  tools:
+    build:
+      context: ..
+      dockerfile: docker/Dockerfile
+      target: linttest
+      args:
+        RELEASE: 0.0.0-dev0
+
+  mock-resolver:
+    build:
+      context: ..
+      dockerfile: docker/Dockerfile
+      target: unbound

docker/docker-compose-integration-tests.yml

@@ -27,9 +27,6 @@ services:
   # test runner for integration tests in isolated environment
   test-runner:
     image: ${DOCKER_IMAGE_TEST_RUNNER:-${DOCKER_REGISTRY:-ghcr.io/internetstandards}/test-runner:$RELEASE}
-    build:
-      context: ..
-      dockerfile: docker/test-runner.Dockerfile
     # don't run anything, just make this container available to run tests in on demand
     command: python3 -m pytest -v integration_tests/integration/
     networks:
@@ -140,10 +137,6 @@ services:
   # internal resolver for the browser running the integration tests, makes sure test target hostname are resolved
   mock-resolver:
     image: ${DOCKER_IMAGE_UNBOUND:-${DOCKER_REGISTRY:-ghcr.io/internetstandards}/unbound:$RELEASE}
-    build:
-      context: ..
-      dockerfile: docker/Dockerfile
-      target: unbound
 
     entrypoint: /opt/unbound/sbin/unbound
     command: ["-d", "-c", "/opt/unbound/etc/unbound/mock.conf"]

docker/docker-compose-test-runner-develop.yml

@@ -2,9 +2,6 @@ services:
   # test runner intended to run live tests against targets on public internet
   test-runner-development-environment:
     image: ${DOCKER_IMAGE_TEST_RUNNER:-${DOCKER_REGISTRY:-ghcr.io/internetstandards}/test-runner:$RELEASE}
-    build:
-      context: ..
-      dockerfile: docker/test-runner.Dockerfile
     environment:
       - APP_URLS
       - BATCH_API_AUTH

docker/docker-compose-test-runner-live.yml

@@ -2,9 +2,6 @@ services:
   # test runner intended to run live tests against targets on public internet
   test-runner-live:
     image: ${DOCKER_IMAGE_TEST_RUNNER:-${DOCKER_REGISTRY:-ghcr.io/internetstandards}/test-runner:$RELEASE}
-    build:
-      context: ..
-      dockerfile: docker/test-runner.Dockerfile
     # don't run anything, just make this container available to run tests in on demand
     command: python3 -m pytest -v integration-tests/live/
     environment:

docker/docker-compose-test.yml

@@ -2,12 +2,6 @@ services:
   # environment for checks, linting and unit tests
   test:
     image: ${DOCKER_IMAGE_LINTTEST:-${DOCKER_REGISTRY:-ghcr.io/internetstandards}/linttest:$RELEASE}
-    build:
-      context: ..
-      dockerfile: docker/Dockerfile
-      target: linttest
-      args:
-        RELEASE: 0.0.0-dev0
 
     networks:
       - internal

docker/docker-compose-tools.yml

@@ -1,12 +1,6 @@
 services:
   tools:
     image: ${DOCKER_IMAGE_LINTTEST:-${DOCKER_REGISTRY:-ghcr.io/internetstandards}/linttest:${RELEASE:-latest}}
-    build:
-      context: ..
-      dockerfile: docker/Dockerfile
-      target: linttest
-      args:
-        RELEASE: 0.0.0-dev0
 
     volumes:
       - ../:/source/

docker/docker-compose.yml

@@ -6,9 +6,6 @@
 services:
   webserver:
     image: ${DOCKER_IMAGE_WEBSERVER:-${DOCKER_REGISTRY:-ghcr.io/internetstandards}/webserver:${RELEASE}}
-    build:
-      context: ..
-      dockerfile: docker/webserver.Dockerfile
     restart: unless-stopped
     logging:
       driver: $LOGGING_DRIVER
@@ -70,10 +67,6 @@ services:
 
   app:
     image: ${DOCKER_IMAGE_APP:-${DOCKER_REGISTRY:-ghcr.io/internetstandards}/internet.nl:${RELEASE}}
-    build:
-      context: ..
-      dockerfile: docker/Dockerfile
-      target: app
     restart: unless-stopped
     logging:
       driver: $LOGGING_DRIVER
@@ -180,10 +173,6 @@ services:
 
   db-migrate:
     image: ${DOCKER_IMAGE_APP:-${DOCKER_REGISTRY:-ghcr.io/internetstandards}/internet.nl:${RELEASE}}
-    build:
-      context: ..
-      dockerfile: docker/Dockerfile
-      target: app
     networks:
       - internal
     command: migrate
@@ -218,10 +207,6 @@ services:
 
   worker: &worker
     image: ${DOCKER_IMAGE_APP:-${DOCKER_REGISTRY:-ghcr.io/internetstandards}/internet.nl:${RELEASE}}
-    build:
-      context: ..
-      dockerfile: docker/Dockerfile
-      target: app
     deploy:
       replicas: $WORKER_REPLICAS
     restart: unless-stopped
@@ -357,10 +342,6 @@ services:
 
   beat:
     image: ${DOCKER_IMAGE_APP:-${DOCKER_REGISTRY:-ghcr.io/internetstandards}/internet.nl:${RELEASE}}
-    build:
-      context: ..
-      dockerfile: docker/Dockerfile
-      target: app
     restart: unless-stopped
     logging:
       driver: $LOGGING_DRIVER
@@ -550,10 +531,6 @@ services:
   # unbound DNS server used for connection test
   unbound:
     image: ${DOCKER_IMAGE_UNBOUND:-${DOCKER_REGISTRY:-ghcr.io/internetstandards}/unbound:${RELEASE}}
-    build:
-      context: ..
-      dockerfile: docker/Dockerfile
-      target: unbound
     depends_on:
       redis:
         condition: service_healthy
@@ -599,10 +576,6 @@ services:
   # unbound resolver used for all DNS queries by app, worker, etc that needs to ignore DNSSEC errors and pass them on to the client
   resolver-permissive:
     image: ${DOCKER_IMAGE_UNBOUND:-${DOCKER_REGISTRY:-ghcr.io/internetstandards}/unbound:${RELEASE}}
-    build:
-      context: ..
-      dockerfile: docker/Dockerfile
-      target: unbound
 
     entrypoint: /entrypoint-resolver.sh
     command: ["resolver-permissive.conf"]
@@ -635,10 +608,6 @@ services:
   # unbound resolver used for ldns-dane that require DNSSEC validation
   resolver-validating:
     image: ${DOCKER_IMAGE_UNBOUND:-${DOCKER_REGISTRY:-ghcr.io/internetstandards}/unbound:${RELEASE}}
-    build:
-      context: ..
-      dockerfile: docker/Dockerfile
-      target: unbound
 
     entrypoint: /entrypoint-resolver.sh
     command: ["resolver-validating.conf"]
@@ -670,9 +639,6 @@ services:
 
   cron:
     image: ${DOCKER_IMAGE_UTIL:-${DOCKER_REGISTRY:-ghcr.io/internetstandards}/util:${RELEASE}}
-    build:
-      context: ..
-      dockerfile: docker/util.Dockerfile
     command: crond -f -d7
     environment:
       - HOSTERS_HOF_URL
@@ -728,9 +694,6 @@ services:
   # cron daemon with access to Docker socket but no networking
   cron-docker:
     image: ${DOCKER_IMAGE_UTIL:-${DOCKER_REGISTRY:-ghcr.io/internetstandards}/util:${RELEASE}}
-    build:
-      context: ..
-      dockerfile: docker/util.Dockerfile
     command: crond -f -d7 -c /etc/crontabs-docker
     environment:
       - AUTO_UPDATE_TO
@@ -755,9 +718,6 @@ services:
 
   grafana:
     image: ${DOCKER_IMAGE_GRAFANA:-${DOCKER_REGISTRY:-ghcr.io/internetstandards}/grafana:${RELEASE}}
-    build:
-      context: ..
-      dockerfile: docker/grafana.Dockerfile
 
     environment:
       - GF_AUTH_ANONYMOUS_ENABLED=true