Merge PR149: add Docker build script for a rendezvous server.

.dockerignore

@@ -0,0 +1,10 @@
+.appveyor.yml
+.coveragerc
+docs
+.git
+.gitattributes
+.gitignore
+misc
+snapcraft.yaml
+tox.ini
+.travis.yml

Dockerfile

@@ -0,0 +1,87 @@
+#
+# Attempts are made to follow the guidelines at
+# https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/
+#
+
+FROM library/ubuntu:16.04
+
+# If there are security updates for any of the packages we install,
+# bump the date in this environment variable to invalidate the Docker
+# build cache and force installation of the new packages.  Otherwise,
+# Docker's image/layer cache may prevent the security update from
+# being retrieved.
+ENV SECURITY_UPDATES="2017-15-01"
+
+# Tell apt/dpkg/debconf that we're non-interactive so it won't write
+# annoying warnings as it installs the software we ask for.  Making
+# this an `ARG` sets it in the environment for the duration of the
+# _build_ only - preventing this from having any effect on a container
+# running this image (which shouldn't really be installing more
+# software but who knows...).
+ARG DEBIAN_FRONTEND=noninteractive
+
+# We'll do an upgrade because the base Ubuntu image isn't guaranteed
+# to include the latest security updates.  This is counter to best
+# practice recommendations but security updates are important.
+RUN apt-get --quiet update && \
+    apt-get --quiet install -y unattended-upgrades && \
+    unattended-upgrade --minimal_upgrade_steps && \
+rm -rf /var/lib/apt/lists/*
+
+# libffi-dev should probably be a build-dep for python-nacl and python-openssl
+# but isn't for some reason.
+RUN apt-get --quiet update && apt-get --quiet install -y \
+    libffi-dev \
+    python-virtualenv \
+&& rm -rf /var/lib/apt/lists/*
+
+# Source repositories seem to be disabled on the Xenial image now.  Enable
+# them so we can actually get some build deps.
+RUN sed -i -e 's/^# deb-src/deb-src/' /etc/apt/sources.list
+
+# magic-wormhole depends on these and pip wants to build them both from
+# source.
+RUN apt-get --quiet update && apt-get --quiet build-dep -y \
+    python-openssl \
+    python-nacl \
+&& rm -rf /var/lib/apt/lists/*
+
+# Create a virtualenv into which to install magicwormhole in to.
+RUN virtualenv /app/env
+
+# Get a newer version of pip.  The version in the virtualenv installed from
+# Ubuntu might not be very recent, depending on when the build happens.
+RUN /app/env/bin/pip install --upgrade pip
+
+# Create a less privileged account to actually use to run the server.
+ENV WORMHOLE_USER_NAME="wormhole"
+
+# Force the allocated user to uid 1000 because we hard-code 1000 below.
+RUN adduser --uid 1000 --disabled-password --gecos "" "${WORMHOLE_USER_NAME}"
+
+# Run the application with this working directory.
+WORKDIR /app/run
+
+# And give it to the user the application will run as.
+RUN chown ${WORMHOLE_USER_NAME} /app/run
+
+# Facilitate network connections to the application.  The rendezvous server
+# listens on 4000 by default.  The transit relay server on 4001.
+EXPOSE 4000
+EXPOSE 4001
+
+# Put the source somewhere pip will be able to see it.
+ADD . /src
+
+# Get the app we want to run!
+RUN /app/env/bin/pip install /src
+
+# Switch to a non-root user.
+USER 1000
+
+# This makes starting a server succinct.
+ENTRYPOINT ["/app/env/bin/wormhole-server", "start", "--no-daemon"]
+
+# By default, start up a pretty reasonable server.  This can easily be
+# overridden by another command which will get added to the entrypoint.
+CMD ["--rendezvous", "tcp:4000", "--transit", "tcp:4001"]