Update dockerfile and actions (#732)

* Update dockerfile and actions

* Add docker.yml

* Update mix.exs

* use v2

* add permissions

* use snake case

* kebab case

* Add needed permissions to dev and prod workflows

* default to instance role

.github/workflows/dev-green.yml

@@ -1,35 +1,38 @@
-name: Deploy to Dev-green
+name: Deploy to Dev Green
 
 on:
   workflow_dispatch:
+  push:
+    branches: [main]
 
 jobs:
-  Build:
-    runs-on: windows-2019
+  deploy:
+    name: Deploy
+    runs-on: ubuntu-latest
     permissions:
       id-token: write
-      contents: read
+      contents: read    
+    environment: dev-green-linux
+    concurrency: dev-green-linux
+    env:
+      ECS_CLUSTER: linux-staging
+      ECS_SERVICE: realtime-signs-dev-green
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - uses: mbta/actions/build-push-ecr@v2
         id: build-push
         with:
           role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
           docker-repo: ${{ secrets.DOCKER_REPO }}
-  deploy:
-    name: Deploy
-    needs: build
-    uses: mbta/workflows/.github/workflows/deploy-on-prem.yml@v2
-    with:
-      app-name: realtime-signs
-      environment: dev-green
-      on-prem-cluster: hsctd-dev-managers
-      splunk-index: realtime-signs-dev-green
-      task-cpu: .5
-      task-memory: 2048M
-      task-port: 8080
-    secrets:
-      aws-role-arn: ${{ secrets.AWS_ROLE_ARN }}
-      docker-repo: ${{ secrets.DOCKER_REPO }}
-      slack-webhook: ${{ secrets.SLACK_WEBHOOK }}
+      - uses: mbta/actions/deploy-ecs@v2
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          ecs-cluster: ${{ env.ECS_CLUSTER }}
+          ecs-service: ${{ env.ECS_SERVICE }}
+          docker-tag: ${{ steps.build-push.outputs.docker-tag }}
+          launch-type: EXTERNAL
+      - uses: mbta/actions/notify-slack-deploy@v1
+        if: ${{ !cancelled() }}
+        with:
+          webhook-url: ${{ secrets.SLACK_WEBHOOK }}
+          job-status: ${{ job.status }}

.github/workflows/dev.yml

@@ -6,32 +6,33 @@ on:
     branches: [main]
 
 jobs:
-  Build:
-    runs-on: windows-2019
+  deploy:
+    name: Deploy
+    runs-on: ubuntu-latest
     permissions:
       id-token: write
-      contents: read
+      contents: read  
+    environment: dev-linux
+    concurrency: dev-linux
+    env:
+      ECS_CLUSTER: linux-staging
+      ECS_SERVICE: realtime-signs-dev
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - uses: mbta/actions/build-push-ecr@v2
         id: build-push
         with:
           role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
           docker-repo: ${{ secrets.DOCKER_REPO }}
-  deploy:
-    name: Deploy
-    needs: build
-    uses: mbta/workflows/.github/workflows/deploy-on-prem.yml@v2
-    with:
-      app-name: realtime-signs
-      environment: dev
-      on-prem-cluster: hsctd-dev-managers
-      splunk-index: realtime-signs-dev
-      task-cpu: .5
-      task-memory: 2048M
-      task-port: 80
-    secrets:
-      aws-role-arn: ${{ secrets.AWS_ROLE_ARN }}
-      docker-repo: ${{ secrets.DOCKER_REPO }}
-      slack-webhook: ${{ secrets.SLACK_WEBHOOK }}
+      - uses: mbta/actions/deploy-ecs@v2
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          ecs-cluster: ${{ env.ECS_CLUSTER }}
+          ecs-service: ${{ env.ECS_SERVICE }}
+          docker-tag: ${{ steps.build-push.outputs.docker-tag }}
+          launch-type: EXTERNAL
+      - uses: mbta/actions/notify-slack-deploy@v1
+        if: ${{ !cancelled() }}
+        with:
+          webhook-url: ${{ secrets.SLACK_WEBHOOK }}
+          job-status: ${{ job.status }}

.github/workflows/docker.yml

@@ -0,0 +1,18 @@
+name: Build container
+
+on:
+  push:
+    branches-ignore:
+      - master
+
+concurrency:
+  group: docker-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  linux:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - run: docker build .

.github/workflows/prod.yml

@@ -6,16 +6,32 @@ on:
 jobs:
   deploy:
     name: Deploy
-    uses: mbta/workflows/.github/workflows/deploy-on-prem.yml@v2
-    with:
-      app-name: realtime-signs
-      environment: prod
-      on-prem-cluster: hsctd-prod-managers
-      splunk-index: realtime-signs-prod
-      task-cpu: .5
-      task-memory: 2048M
-      task-port: 80
-    secrets:
-      aws-role-arn: ${{ secrets.AWS_ROLE_ARN }}
-      docker-repo: ${{ secrets.DOCKER_REPO }}
-      slack-webhook: ${{ secrets.SLACK_WEBHOOK }}
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read  
+    environment: prod-linux
+    concurrency: prod-linux
+    env:
+      ECS_CLUSTER: linux-prod
+      ECS_SERVICE: realtime-signs-prod
+
+    steps:
+      - uses: actions/checkout@v3
+      - uses: mbta/actions/build-push-ecr@v2
+        id: build-push
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          docker-repo: ${{ secrets.DOCKER_REPO }}
+      - uses: mbta/actions/deploy-ecs@v2
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          ecs-cluster: ${{ env.ECS_CLUSTER }}
+          ecs-service: ${{ env.ECS_SERVICE }}
+          docker-tag: ${{ steps.build-push.outputs.docker-tag }}
+          launch-type: EXTERNAL
+      - uses: mbta/actions/notify-slack-deploy@v1
+        if: ${{ !cancelled() }}
+        with:
+          webhook-url: ${{ secrets.SLACK_WEBHOOK }}
+          job-status: ${{ job.status }}

Dockerfile

@@ -1,51 +1,52 @@
 ARG ELIXIR_VERSION=1.14.0
 ARG ERLANG_VERSION=25.0.4
-ARG WINDOWS_VERSION=1809
+ARG ALPINE_VERSION=3.18.0
 # See also: ERTS_VERSION in the from image below
 
-ARG BUILD_IMAGE=mbtatools/windows-elixir:$ELIXIR_VERSION-erlang-$ERLANG_VERSION-windows-$WINDOWS_VERSION
-ARG FROM_IMAGE=mcr.microsoft.com/windows/servercore:$WINDOWS_VERSION
-
-FROM $BUILD_IMAGE as build
+FROM hexpm/elixir:${ELIXIR_VERSION}-erlang-${ERLANG_VERSION}-alpine-${ALPINE_VERSION} as build
 
 ENV MIX_ENV=prod
 
-# log which version of Windows we're using
-RUN ver
+RUN mkdir /realtime_signs
 
-RUN mkdir C:\realtime_signs
+WORKDIR /realtime_signs
 
-WORKDIR C:\\realtime_signs
+RUN apk add --no-cache git
+RUN mix local.hex --force && mix local.rebar --force
 
 COPY mix.exs mix.lock ./
 RUN mix deps.get
 
-COPY config/config.exs config\\config.exs
-COPY config/prod.exs config\\prod.exs
+COPY config/config.exs config/config.exs
+COPY config/prod.exs config/prod.exs
 
 RUN mix deps.compile
 
 COPY lib lib
 COPY priv priv
 
-COPY config/runtime.exs config\\runtime.exs
-RUN mix release
+COPY config/runtime.exs config/runtime.exs
+RUN mix release linux
+
+# The one the elixir image was built with
+FROM alpine:${ALPINE_VERSION}
+
+RUN apk add --no-cache libssl1.1 dumb-init libstdc++ libgcc ncurses-libs && \
+    mkdir /work /realtime_signs && \
+    adduser -D realtime_signs && chown realtime_signs /work
 
-FROM $FROM_IMAGE
-ARG ERTS_VERSION=13.0.4
+COPY --from=build /realtime_signs/_build/prod/rel/linux /realtime_signs
 
-USER ContainerAdministrator
-COPY --from=build C:\\Erlang\\vcredist_x64.exe vcredist_x64.exe
-RUN .\vcredist_x64.exe /install /quiet /norestart \
-    && del vcredist_x64.exe
+RUN chown realtime_signs /realtime_signs/lib/tzdata-*/priv /realtime_signs/lib/tzdata*/priv/*
 
-COPY --from=build C:\\realtime_signs\\_build\\prod\\rel\\realtime_signs C:\\realtime_signs
+# Set exposed ports
+ENV MIX_ENV=prod TERM=xterm LANG=C.UTF-8 \
+    ERL_CRASH_DUMP_SECONDS=0 RELEASE_TMP=/work
 
-WORKDIR C:\\realtime_signs
+USER realtime_signs
+WORKDIR /work
 
-# Ensure Erlang can run
-RUN dir && \
-    erts-%ERTS_VERSION%\bin\erl -noshell -noinput +V
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 
-EXPOSE 80
-CMD ["C:\\realtime_signs\\bin\\realtime_signs.bat", "start"]
+HEALTHCHECK CMD ["/realtime_signs/bin/linux", "rpc", "1 + 1"]
+CMD ["/realtime_signs/bin/linux", "start"]

config/prod.exs

@@ -19,8 +19,9 @@ config :realtime_signs,
   restart_fn: &System.restart/0
 
 config :ex_aws,
-  access_key_id: [{:system, "AWS_ACCESS_KEY_ID"}, {:awscli, "default", 30}],
+  access_key_id: [{:system, "AWS_ACCESS_KEY_ID"}, {:awscli, "default", 30}, :instance_role],
   secret_access_key: [
     {:system, "AWS_SECRET_ACCESS_KEY"},
-    {:awscli, "default", 30}
+    {:awscli, "default", 30},
+    :instance_role
   ]

mix.exs

@@ -18,9 +18,8 @@ defmodule RealtimeSigns.Mixfile do
         ignore_warnings: ".dialyzer.ignore-warnings"
       ],
       releases: [
-        realtime_signs: [
-          include_executables_for: [:windows],
-          applications: [runtime_tools: :permanent]
+        linux: [
+          include_executables_for: [:unix]
         ]
       ]
     ]