ingv-oe-dev · fpistagna · Oct 20, 2025 · Oct 3, 2025 · Oct 6, 2025 · Oct 6, 2025
diff --git a/.github/workflows/docker-publish.yaml b/.github/workflows/docker-publish.yaml
@@ -1,52 +1,88 @@
-name: Publish Docker Image
+name: Build and Scan Docker Image
 
 on:
   push:
     branches:
-    - master
+      - master
     tags:
-    - 'v*'
+      - 'v*'
+  pull_request:
+    branches:
+      - master
 
 env:
   REGISTRY: ghcr.io
-  IMAGE_NAME: seiscomp-0.5.3
-  IMAGE_TAG: latest
+  IMAGE_NAME: seiscomp
+
+permissions:
+  contents: read
+  packages: write
+  security-events: write   # Needed to publish results in "Security" tab
 
 jobs:
-  build-and-push:
+  build:
+    name: Build & Push Docker Images
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        seiscomp_version: [5.3.0, 6.9.0]  # Build multiple versions in parallel
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push image
+        uses: docker/build-push-action@v6
+        with:
+          context: ./docker/seiscomp/
+          file: ./docker/seiscomp/Dockerfile
+          push: true
+          build-args: |
+            SEISCOMP_VERSION=${{ matrix.seiscomp_version }}
+          tags: |
+            ${{ env.REGISTRY }}/${{ github.repository }}/${{ env.IMAGE_NAME }}:${{ matrix.seiscomp_version }}
+            ${{ env.REGISTRY }}/${{ github.repository }}/${{ env.IMAGE_NAME }}:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  scan:
+    name: Vulnerability Scan (Trivy)
+    needs: build
     runs-on: ubuntu-latest
 
-    permissions:
-      contents: read
-      packages: write
+    if: github.event_name == 'pull_request' || startsWith(github.ref, 'refs/tags/') || github.ref == 'refs/heads/master'
 
     steps:
-    - name: Checkout code
-      uses: actions/checkout@v4
-
-    - name: Login to Docker Registry
-      uses: docker/login-action@v3
-      with:
-        registry: ${{ env.REGISTRY }}
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
-
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
-
-    - name: Determine image tag
-      id: tag
-      run: |
-        if [[ "${GITHUB_REF}" != refs/heads/master ]]; then
-            echo "IMAGE_TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
-        fi
-
-    - name: Build and push image
-      uses: docker/build-push-action@v5
-      with:
-        context: ./docker/seiscomp/
-        file: ./docker/seiscomp/Dockerfile
-        push: true
-        tags: ${{ env.REGISTRY }}/${{ github.repository }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
-        cache-from: type=gha
-        cache-to: type=gha,mode=max
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Scan Docker image with Trivy
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          scan-type: image
+          image-ref: ${{ env.REGISTRY }}/${{ github.repository }}/${{ env.IMAGE_NAME }}:latest
+          format: table
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'HIGH,CRITICAL'
+
+      # --- Scan repository filesystem ---
+      - name: Scan source code filesystem with Trivy
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          scan-type: fs
+          format: table
+          ignore-unfixed: true
+          vuln-type: 'library'
+          severity: 'HIGH,CRITICAL'
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -1,12 +1,17 @@
 # docker-compose.yaml
-version: '3'
-
 services:
+  seiscomp-init-db:
+    extends:
+      file: docker-services.yaml
+      service: seiscomp-init-db
   seiscomp:
     extends:
       file: docker-services.yaml
       service: seiscomp
     volumes:
+      - ${SEISCOMP_LOCALCONF}/global.cfg:/opt/seiscomp/etc/global.cfg
+      - ${SEISCOMP_LOCALCONF}/scmaster.cfg:/opt/seiscomp/etc/scmaster.cfg.orig
+      - ${SEISCOMP_LOCALCONF}/kernel.cfg:/opt/seiscomp/etc/kernel.cfg
       - type: volume
         source: nfs_data
         target: /nfs_data
@@ -17,7 +22,7 @@ services:
       file: docker-services.yaml
       service: db
     volumes:
-      - "db_data:/bitnami/mariadb"
+      - "db_data:/var/lib/mysql"
   frontend:
     extends:
       file: docker-services.yaml

diff --git a/docker-services.yaml b/docker-services.yaml
@@ -1,10 +1,35 @@
 version: '3'
 services:
+  # Init container to setup DB and initial configuration
+  seiscomp-init-db:
+    build:
+      context: ./docker/seiscomp/
+      args:
+        SEISCOMP_VERSION: ${IMAGE_VERSION}
+    image: ${IMAGE_NAME}-${IMAGE_VERSION}:${IMAGE_TAG}
+    container_name: seiscomp-init-db
+    command: ["/home/sysop/init-db.sh"]
+    environment:
+      SEISCOMP_ROOT: "/opt/seiscomp"
+      DB_HOST: "${DB_HOST}"
+      MARIADB_ROOT_PASSWORD: ${MARIADB_ROOT_PASSWORD}
+      SEISCOMP_DB: ${SEISCOMP_DB}
+      SEISCOMP_USER: ${SEISCOMP_USER}
+      SEISCOMP_USER_PWD: ${SEISCOMP_USER_PWD}
+      SEISCOMP_SAMPLES_M: ${SEISCOMP_SAMPLES_M}
+      SEISCOMP_FDSNWS_LOG_PATH: ${SEISCOMP_FDSNWS_LOG_PATH}
+    depends_on:
+      db:
+        condition: service_healthy
+    user: sysop:sysop
+    restart: "no"
   seiscomp:
     build:
       context: ./docker/seiscomp/
+      args:
+        SEISCOMP_VERSION: ${IMAGE_VERSION}
     restart: unless-stopped
-    image: ${IMAGE_NAME}${IMAGE_VERSION}:${IMAGE_TAG}
+    image: ${IMAGE_NAME}-${IMAGE_VERSION}:${IMAGE_TAG}
     container_name: seiscomp
     environment:
       SEISCOMP_ROOT: "/opt/seiscomp"
@@ -19,18 +44,14 @@ services:
     user: sysop:sysop
     tty: true
     healthcheck:
-      test: ["CMD", "wget", "http://localhost:8080", "-O", "/dev/null"]
+      test: ["CMD-SHELL", "/opt/seiscomp/bin/seiscomp status fdsnws | grep 'is running'"]
       start_period: 5s
-      interval: 5s
+      interval: 10s
       timeout: 5s
       retries: 10
     depends_on:
-      db:
-        condition: service_healthy
-    volumes:
-      - ${SEISCOMP_LOCALCONF}/global.cfg:/opt/seiscomp/etc/global.cfg
-      - ${SEISCOMP_LOCALCONF}/scmaster.cfg:/opt/seiscomp/etc/scmaster.cfg.orig
-      - ${SEISCOMP_LOCALCONF}/kernel.cfg:/opt/seiscomp/etc/kernel.cfg
+      seiscomp-init-db:
+        condition: service_completed_successfully
   db:
     image: mariadb:11.8.3
     container_name: db
@@ -39,8 +60,6 @@ services:
     environment:
       MARIADB_ROOT_USER: "root"
       MARIADB_ROOT_PASSWORD: "${MARIADB_ROOT_PASSWORD}"
-    ports:
-      - "3306"
     healthcheck:
       test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
       start_period: 10s
@@ -53,7 +72,7 @@ services:
     restart: unless-stopped
     depends_on:
       seiscomp:
-        condition: service_started
+        condition: service_healthy
     ports:
       - "80:80"
       - "443:443"
diff --git a/docker/seiscomp/Dockerfile b/docker/seiscomp/Dockerfile
@@ -1,34 +1,61 @@
-FROM ubuntu:22.04
-
-LABEL Maintainer="Fabrizio Pistagna <fabrizio.pistagna@ingv.it>, Mario Torrisi <mario.torrisi@ingv.it>"
+# ---- STAGE 1: Builder ----
+FROM ubuntu:22.04 AS builder
 
-RUN apt update
-RUN apt install -y wget sudo dialog nano iputils-ping mysql-client \
-    python3 python3-dev python3-dateutil python3-twisted \
-    dumb-init
-RUN /usr/sbin/ldconfig
+ENV DEBIAN_FRONTEND=noninteractive
 
-RUN adduser sysop
-RUN addgroup admin
-RUN usermod -a -G admin,adm,audio sysop
+# Install only tools required for downloading & extracting SeisComP
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    wget ca-certificates tar \
+ && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /opt
 
-RUN /usr/bin/wget https://www.seiscomp.de/downloader/seiscomp-5.3.0-ubuntu22.04-x86_64.tar.gz
-RUN /usr/bin/wget https://www.seiscomp.de/downloader/seiscomp-maps.tar.gz
-RUN /usr/bin/wget https://www.seiscomp.de/downloader/seiscomp-5.3.0-doc.tar.gz
+# Download and extract SeisComP (specific version for reproducibility)
+ARG SEISCOMP_VERSION=5.3.0
+RUN wget -q https://www.seiscomp.de/downloader/seiscomp-${SEISCOMP_VERSION}-ubuntu22.04-x86_64.tar.gz \
+ && wget -q https://www.seiscomp.de/downloader/seiscomp-maps.tar.gz \
+ && wget -q https://www.seiscomp.de/downloader/seiscomp-${SEISCOMP_VERSION}-doc.tar.gz \
+ && tar xzf seiscomp-${SEISCOMP_VERSION}-ubuntu22.04-x86_64.tar.gz \
+ && tar xzf seiscomp-maps.tar.gz \
+ && tar xzf seiscomp-${SEISCOMP_VERSION}-doc.tar.gz \
+ && rm seiscomp-*.tar.gz
+
+# ---- STAGE 2: Runtime ----
+FROM ubuntu:22.04
+ARG SEISCOMP_VERSION=5.3.0
+LABEL maintainer="Fabrizio Pistagna <fabrizio.pistagna@ingv.it>, Mario Torrisi <mario.torrisi@ingv.it>"
+LABEL org.opencontainers.image.description="Docker image for SeisComP (version ${SEISCOMP_VERSION}) - an open-source software for seismological data acquisition, processing, distribution, and interactive analysis."
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Install runtime dependencies (Python 3.10 + libraries required by SeisComP)
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    iputils-ping mysql-client \
+    python3 python3-dateutil python3-twisted python3-numpy \
+    libpython3.10 libxml2 \
+    libboost-filesystem1.74.0 libboost-iostreams1.74.0 \
+    libboost-thread1.74.0 libboost-program-options1.74.0 \
+    libboost-regex1.74.0 libboost-system1.74.0 \
+    libmysqlclient21 libmariadb3 libpq5 \
+    dumb-init \
+ && rm -rf /var/lib/apt/lists/*
+
+# Create non-root user and group with static IDs for consistency
+RUN groupadd --gid 1001 sysop \
+ && useradd --uid 1001 --gid 1001 -ms /bin/bash sysop \
+ && usermod -a -G adm,audio sysop
 
-RUN tar xzf seiscomp-5.3.0-ubuntu22.04-x86_64.tar.gz
-RUN tar xzf seiscomp-maps.tar.gz
-RUN tar xzf seiscomp-5.3.0-doc.tar.gz
-RUN rm seiscomp-*
-RUN chown -R sysop:admin /opt/seiscomp
+WORKDIR /opt
 
-RUN echo 'sysop ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
+# Copy SeisComP files from builder stage and set ownership in one step
+COPY --from=builder --chown=sysop:admin /opt/seiscomp /opt/seiscomp
 
+# Switch to non-root user
 USER sysop
-WORKDIR /opt
-RUN yes | ./seiscomp/bin/seiscomp install-deps base
-COPY ./conf/init.sh /init.sh
+
+# Copy initialization scripts and ensure they have executable permissions
+COPY --chown=sysop:admin --chmod=755 scripts/init-db.sh /home/sysop/init-db.sh
+COPY --chown=sysop:admin --chmod=755 scripts/start-seiscomp.sh /home/sysop/start-seiscomp.sh
+
+# Use dumb-init as entrypoint and define a default command
 ENTRYPOINT ["/usr/bin/dumb-init", "--"]
-CMD ["bash", "-c", "/init.sh && exec tail -f /opt/seiscomp/var/log/*.log"]
+CMD ["/home/sysop/start-seiscomp.sh"]
diff --git a/docker/seiscomp/conf/docker-entrypoint.sh b/docker/seiscomp/conf/docker-entrypoint.sh
diff --git a/docker/seiscomp/conf/init.sh b/docker/seiscomp/conf/init.sh