magic-wormhole/Dockerfile

#
# Attempts are made to follow the guidelines at
# https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/
#

FROM library/ubuntu:16.04

# If there are security updates for any of the packages we install,
# bump the date in this environment variable to invalidate the Docker
# build cache and force installation of the new packages.  Otherwise,
# Docker's image/layer cache may prevent the security update from
# being retrieved.
ENV SECURITY_UPDATES="2017-15-01"

# Tell apt/dpkg/debconf that we're non-interactive so it won't write
# annoying warnings as it installs the software we ask for.  Making
# this an `ARG` sets it in the environment for the duration of the
# _build_ only - preventing this from having any effect on a container
# running this image (which shouldn't really be installing more
# software but who knows...).
ARG DEBIAN_FRONTEND=noninteractive

# We'll do an upgrade because the base Ubuntu image isn't guaranteed
# to include the latest security updates.  This is counter to best
# practice recommendations but security updates are important.
RUN apt-get --quiet update && \
    apt-get --quiet install -y unattended-upgrades && \
    unattended-upgrade --minimal_upgrade_steps && \
rm -rf /var/lib/apt/lists/*

# libffi-dev should probably be a build-dep for python-nacl and python-openssl
# but isn't for some reason.
RUN apt-get --quiet update && apt-get --quiet install -y \
    libffi-dev \
    python-virtualenv \
&& rm -rf /var/lib/apt/lists/*

# Source repositories seem to be disabled on the Xenial image now.  Enable
# them so we can actually get some build deps.
RUN sed -i -e 's/^# deb-src/deb-src/' /etc/apt/sources.list

# magic-wormhole depends on these and pip wants to build them both from
# source.
RUN apt-get --quiet update && apt-get --quiet build-dep -y \
    python-openssl \
    python-nacl \
&& rm -rf /var/lib/apt/lists/*

# Create a virtualenv into which to install magicwormhole in to.
RUN virtualenv /app/env

# Get a newer version of pip.
RUN /app/env/bin/pip install --upgrade pip

# Create the website account, the user as which the infrastructure
# server will run.
ENV WORMHOLE_USER_NAME="wormhole"

# Force the allocated user to uid 1000 because we hard-code 1000
# below.
RUN adduser --uid 1000 --disabled-password --gecos "" "${WORMHOLE_USER_NAME}"

# Run the application with this working directory.
WORKDIR /app/run

# And give it to the user the application will run as.
RUN chown ${WORMHOLE_USER_NAME} /app/run

# Facilitate network connections to the application.  The rendezvous server
# listens on 4000 by default.  The transit relay server on 4001.
EXPOSE 4000
EXPOSE 4001

# Put the source somewhere pip will be able to see it.
ADD . /src

# Get the app we want to run!
RUN /app/env/bin/pip install /src

# Switch to a non-root user.
USER 1000

# This makes starting a server succinct.
ENTRYPOINT ["/app/env/bin/wormhole-server", "start", "--no-daemon"]

# By default, start up a pretty reasonable server.  This can easily be
# overridden by another command which will get added to the entrypoint.
CMD ["--rendezvous", "tcp:4000", "--transit", "tcp:4001"]
Here is a stab. 2017-05-01 15:10:48 +00:00			`#`
			`# Attempts are made to follow the guidelines at`
			`# https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/`
			`#`

			`FROM library/ubuntu:16.04`

			`# If there are security updates for any of the packages we install,`
			`# bump the date in this environment variable to invalidate the Docker`
			`# build cache and force installation of the new packages. Otherwise,`
			`# Docker's image/layer cache may prevent the security update from`
			`# being retrieved.`
			`ENV SECURITY_UPDATES="2017-15-01"`

			`# Tell apt/dpkg/debconf that we're non-interactive so it won't write`
			`# annoying warnings as it installs the software we ask for. Making`
			# this an `ARG` sets it in the environment for the duration of the
			`# _build_ only - preventing this from having any effect on a container`
			`# running this image (which shouldn't really be installing more`
			`# software but who knows...).`
			`ARG DEBIAN_FRONTEND=noninteractive`

			`# We'll do an upgrade because the base Ubuntu image isn't guaranteed`
			`# to include the latest security updates. This is counter to best`
			`# practice recommendations but security updates are important.`
			`RUN apt-get --quiet update && \`
			`apt-get --quiet install -y unattended-upgrades && \`
			`unattended-upgrade --minimal_upgrade_steps && \`
			`rm -rf /var/lib/apt/lists/*`

We have to do libffi-dev ourselves. 2017-05-01 17:16:54 +00:00			`# libffi-dev should probably be a build-dep for python-nacl and python-openssl`
			`# but isn't for some reason.`
Here is a stab. 2017-05-01 15:10:48 +00:00			`RUN apt-get --quiet update && apt-get --quiet install -y \`
We have to do libffi-dev ourselves. 2017-05-01 17:16:54 +00:00			`libffi-dev \`
Here is a stab. 2017-05-01 15:10:48 +00:00			`python-virtualenv \`
			`&& rm -rf /var/lib/apt/lists/*`

Enable deb-src lines. This fixes the failure to get python-openssl build deps. 2017-05-02 12:43:25 +00:00			`# Source repositories seem to be disabled on the Xenial image now. Enable`
			`# them so we can actually get some build deps.`
			`RUN sed -i -e 's/^# deb-src/deb-src/' /etc/apt/sources.list`

We have to do libffi-dev ourselves. 2017-05-01 17:16:54 +00:00			`# magic-wormhole depends on these and pip wants to build them both from`
			`# source.`
maybe this is a good way to get the build deps 2017-05-01 15:41:20 +00:00			`RUN apt-get --quiet update && apt-get --quiet build-dep -y \`
Go back to the real package name This alternate name didn't help. 2017-05-02 12:43:08 +00:00			`python-openssl \`
maybe this is a good way to get the build deps 2017-05-01 15:41:20 +00:00			`python-nacl \`
			`&& rm -rf /var/lib/apt/lists/*`

Here is a stab. 2017-05-01 15:10:48 +00:00			`# Create a virtualenv into which to install magicwormhole in to.`
			`RUN virtualenv /app/env`

			`# Get a newer version of pip.`
			`RUN /app/env/bin/pip install --upgrade pip`

			`# Create the website account, the user as which the infrastructure`
			`# server will run.`
			`ENV WORMHOLE_USER_NAME="wormhole"`

			`# Force the allocated user to uid 1000 because we hard-code 1000`
			`# below.`
			`RUN adduser --uid 1000 --disabled-password --gecos "" "${WORMHOLE_USER_NAME}"`

			`# Run the application with this working directory.`
			`WORKDIR /app/run`

			`# And give it to the user the application will run as.`
			`RUN chown ${WORMHOLE_USER_NAME} /app/run`

Usability improvements 2017-05-02 13:07:16 +00:00			`# Facilitate network connections to the application. The rendezvous server`
			`# listens on 4000 by default. The transit relay server on 4001.`
Here is a stab. 2017-05-01 15:10:48 +00:00			`EXPOSE 4000`
Usability improvements 2017-05-02 13:07:16 +00:00			`EXPOSE 4001`
Here is a stab. 2017-05-01 15:10:48 +00:00
			`# Put the source somewhere pip will be able to see it.`
			`ADD . /src`

			`# Get the app we want to run!`
			`RUN /app/env/bin/pip install /src`

			`# Switch to a non-root user.`
			`USER 1000`

Usability improvements 2017-05-02 13:07:16 +00:00			`# This makes starting a server succinct.`
			`ENTRYPOINT ["/app/env/bin/wormhole-server", "start", "--no-daemon"]`

			`# By default, start up a pretty reasonable server. This can easily be`
			`# overridden by another command which will get added to the entrypoint.`
			`CMD ["--rendezvous", "tcp:4000", "--transit", "tcp:4001"]`