diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..c89c221 --- /dev/null +++ b/.dockerignore @@ -0,0 +1,10 @@ +.appveyor.yml +.coveragerc +docs +.git +.gitattributes +.gitignore +misc +snapcraft.yaml +tox.ini +.travis.yml diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..a55371b --- /dev/null +++ b/Dockerfile @@ -0,0 +1,87 @@ +# +# Attempts are made to follow the guidelines at +# https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/ +# + +FROM library/ubuntu:16.04 + +# If there are security updates for any of the packages we install, +# bump the date in this environment variable to invalidate the Docker +# build cache and force installation of the new packages. Otherwise, +# Docker's image/layer cache may prevent the security update from +# being retrieved. +ENV SECURITY_UPDATES="2017-15-01" + +# Tell apt/dpkg/debconf that we're non-interactive so it won't write +# annoying warnings as it installs the software we ask for. Making +# this an `ARG` sets it in the environment for the duration of the +# _build_ only - preventing this from having any effect on a container +# running this image (which shouldn't really be installing more +# software but who knows...). +ARG DEBIAN_FRONTEND=noninteractive + +# We'll do an upgrade because the base Ubuntu image isn't guaranteed +# to include the latest security updates. This is counter to best +# practice recommendations but security updates are important. +RUN apt-get --quiet update && \ + apt-get --quiet install -y unattended-upgrades && \ + unattended-upgrade --minimal_upgrade_steps && \ +rm -rf /var/lib/apt/lists/* + +# libffi-dev should probably be a build-dep for python-nacl and python-openssl +# but isn't for some reason. +RUN apt-get --quiet update && apt-get --quiet install -y \ + libffi-dev \ + python-virtualenv \ +&& rm -rf /var/lib/apt/lists/* + +# Source repositories seem to be disabled on the Xenial image now. Enable +# them so we can actually get some build deps. +RUN sed -i -e 's/^# deb-src/deb-src/' /etc/apt/sources.list + +# magic-wormhole depends on these and pip wants to build them both from +# source. +RUN apt-get --quiet update && apt-get --quiet build-dep -y \ + python-openssl \ + python-nacl \ +&& rm -rf /var/lib/apt/lists/* + +# Create a virtualenv into which to install magicwormhole in to. +RUN virtualenv /app/env + +# Get a newer version of pip. The version in the virtualenv installed from +# Ubuntu might not be very recent, depending on when the build happens. +RUN /app/env/bin/pip install --upgrade pip + +# Create a less privileged account to actually use to run the server. +ENV WORMHOLE_USER_NAME="wormhole" + +# Force the allocated user to uid 1000 because we hard-code 1000 below. +RUN adduser --uid 1000 --disabled-password --gecos "" "${WORMHOLE_USER_NAME}" + +# Run the application with this working directory. +WORKDIR /app/run + +# And give it to the user the application will run as. +RUN chown ${WORMHOLE_USER_NAME} /app/run + +# Facilitate network connections to the application. The rendezvous server +# listens on 4000 by default. The transit relay server on 4001. +EXPOSE 4000 +EXPOSE 4001 + +# Put the source somewhere pip will be able to see it. +ADD . /src + +# Get the app we want to run! +RUN /app/env/bin/pip install /src + +# Switch to a non-root user. +USER 1000 + +# This makes starting a server succinct. +ENTRYPOINT ["/app/env/bin/wormhole-server", "start", "--no-daemon"] + +# By default, start up a pretty reasonable server. This can easily be +# overridden by another command which will get added to the entrypoint. +CMD ["--rendezvous", "tcp:4000", "--transit", "tcp:4001"]