Build separate image for publisher

Dockerfile

@@ -1,19 +1,20 @@
+# MARK: base
 FROM ubuntu:jammy-20240911.1@sha256:3d1556a8a18cf5307b121e0a98e93f1ddf1f3f8e092f1fddfd941254785b95d7 as base
 
+# MARK: courier
 # This stage is used to keep the cache valid across different systems (even when the file permissions change).
 # Use this stage as a courier to copy files from the build context to the image.
 # Derived from:
 # https://github.com/devcontainers/cli/issues/153#issuecomment-1278293424
 FROM base AS courier
 
-COPY --chmod=444 requirements.txt /
-COPY src /app
-COPY rootfs /rootfs
+COPY server /server
 
-RUN find /app /rootfs -type f -exec chmod ugo+r-w {} \; \
-    && find /app /rootfs -type d -exec chmod ugo+rx-w {} \;
+RUN find /server -type f -exec chmod ugo+r-w {} \; \
+    && find /server -type d -exec chmod ugo+rx-w {} \;
 
-FROM base
+# MARK: cvmfs_base
+FROM base AS cvmfs_base
 
 ARG DEBIAN_FRONTEND=noninteractive
 
@@ -37,6 +38,12 @@ RUN apt-get update && apt-get install -y \
     cvmfs-server \
     && rm -rf /var/lib/apt/lists/* 
 
+# MARK: publisher
+FROM cvmfs_base AS publisher
+
+# MARK: server
+FROM cvmfs_base AS server
+
 # Install cvmfs-gateway for the notification system: https://cvmfs.readthedocs.io/en/stable/cpt-notification-system.html
 # This is installed separately because it requires a hack to work around the missing
 # systemctl.
@@ -47,8 +54,6 @@ echo "This is a dummy systemctl so that cvmfs-gateway can be installed. Performi
 ' > /usr/bin/systemctl \
     && chmod +x /usr/bin/systemctl \
     && apt-get update && apt-get install -y --no-install-recommends \
-    cvmfs \
-    cvmfs-server \
     cvmfs-gateway \
     && rm -rf /var/lib/apt/lists/* \
     && rm /usr/bin/systemctl
@@ -60,10 +65,10 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 
 ENV PIP_BREAK_SYSTEM_PACKAGES=1
 
-COPY --from=courier /requirements.txt /tmp/
+COPY --from=courier /server/requirements.txt /tmp/
 RUN python3 -m pip install -r /tmp/requirements.txt && rm /tmp/requirements.txt
 
-COPY --from=courier /app /app
-COPY --from=courier /rootfs /
+COPY --from=courier /server/src /app
+COPY --from=courier /server/rootfs /
 
 WORKDIR /app

README.md

@@ -59,7 +59,7 @@ docker exec -it cvmfs tail -f /var/log/cvmfs.log
 The [publisher](https://cvmfs.readthedocs.io/en/stable/cpt-repository-gateway.html#publisher-configuration) can be used to publish new data to the CVMFS server.
 
 ```bash
-docker run -it --rm --cap-add SYS_ADMIN --device /dev/fuse -v $(pwd)/tmp/cvmfs-keys:/tmp/imported-keys:ro --tmpfs /var/spool/cvmfs cvmfs-ephemeral-cvmfs-server
+docker-compose run cvmfs-publisher
 ```
 
 The arguments `--tmpfs /var/spool/cvmfs` is used to avoid the following error. Bind mounting this also works.
@@ -71,7 +71,16 @@ cvmfs_server mkfs -w http://thor-slurm1.cluster.watonomous.ca:8080/cvmfs/cvmfs-s
     -k /tmp/imported-keys/ -o $(whoami) cvmfs-server.example.local
 ```
 
-Then perform `cvmfs_server transaction` like normal.
+Then perform `cvmfs_server transaction` like normal:
+
+```bash
+cvmfs_server transaction
+echo "Hello, World! $(date)" > /cvmfs/cvmfs-server.example.local/hello-$(date +%s).txt
+cvmfs_server publish
+
+# optional: notify clients
+cvmfs_swissknife notify -p -u http://thor-slurm1.cluster.watonomous.ca:4929/api/v1 -r http://thor-slurm1.cluster.watonomous.ca:8080/cvmfs/cvmfs-server.example.local
+```
 
 
 ### Notifications

docker-compose.yml

@@ -2,13 +2,14 @@ services:
   cvmfs-server:
     build:
       context: .
+      target: server
 
     ports:
       - "8080:80"
       - "4929:4929"
 
     volumes:
-      - ./src:/app
+      - ./server/src:/app
       # Persist the keys so that the client doesn't need to be reconfigured
       - ./tmp/cvmfs-keys:/etc/cvmfs/keys/
 
@@ -26,3 +27,21 @@ services:
       - apparmor:unconfined
     devices:
       - /dev/fuse
+
+  cvmfs-publisher:
+    build:
+      context: .
+      target: publisher
+
+    volumes:
+      - ./tmp/cvmfs-keys:/tmp/imported-keys:ro
+
+    tmpfs:
+      - /var/spool/cvmfs
+
+    cap_add:
+      - SYS_ADMIN
+    security_opt:
+      - apparmor:unconfined
+    devices:
+      - /dev/fuse