From 336b35d513f74b0dea7fb956b69f7335ddc0a691 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone
Date: Mon, 1 May 2017 11:10:48 -0400
Subject: [PATCH 01/10] Here is a stab.
---
 Dockerfile | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)
 create mode 100644 Dockerfile

diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..5246e0e
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,74 @@
+#
+# Attempts are made to follow the guidelines at
+# https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/
+#
+
+FROM library/ubuntu:16.04
+
+# If there are security updates for any of the packages we install,
+# bump the date in this environment variable to invalidate the Docker
+# build cache and force installation of the new packages. Otherwise,
+# Docker's image/layer cache may prevent the security update from
+# being retrieved.
+ENV SECURITY_UPDATES="2017-15-01"
+
+# Tell apt/dpkg/debconf that we're non-interactive so it won't write
+# annoying warnings as it installs the software we ask for. Making
+# this an `ARG` sets it in the environment for the duration of the
+# _build_ only - preventing this from having any effect on a container
+# running this image (which shouldn't really be installing more
+# software but who knows...).
+ARG DEBIAN_FRONTEND=noninteractive
+
+# We'll do an upgrade because the base Ubuntu image isn't guaranteed
+# to include the latest security updates. This is counter to best
+# practice recommendations but security updates are important.
+RUN apt-get --quiet update && \
+ apt-get --quiet install -y unattended-upgrades && \
+ unattended-upgrade --minimal_upgrade_steps && \
+rm -rf /var/lib/apt/lists/*
+
+RUN apt-get --quiet update && apt-get --quiet install -y \
+ python-dev \
+ libffi-dev \
+ openssl \
+ libssl-dev \
+ \
+ python-virtualenv \
+&& rm -rf /var/lib/apt/lists/*
+
+# Create a virtualenv into which to install magicwormhole in to.
+RUN virtualenv /app/env
+
+# Get a newer version of pip.
+RUN /app/env/bin/pip install --upgrade pip
+
+# Create the website account, the user as which the infrastructure
+# server will run.
+ENV WORMHOLE_USER_NAME="wormhole"
+
+# Force the allocated user to uid 1000 because we hard-code 1000
+# below.
+RUN adduser --uid 1000 --disabled-password --gecos "" "${WORMHOLE_USER_NAME}"
+
+# Run the application with this working directory.
+WORKDIR /app/run
+
+# And give it to the user the application will run as.
+RUN chown ${WORMHOLE_USER_NAME} /app/run
+
+# Facilitate network connections to the application.
+EXPOSE 4000
+
+# Put the source somewhere pip will be able to see it.
+ADD . /src
+
+# Get the app we want to run!
+RUN /app/env/bin/pip install /src
+
+# Switch to a non-root user.
+USER 1000
+
+CMD /app/env/bin/wormhole-server start \
+ --rendezvous tcp:4000 \
+ --no-daemon
From dbe815503c2b082d429c4ebad8e763ff49d4993d Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone
Date: Mon, 1 May 2017 11:17:28 -0400
Subject: [PATCH 02/10] maybe this is nice
---
 .dockerignore | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 .dockerignore

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..c89c221
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,10 @@
+.appveyor.yml
+.coveragerc
+docs
+.git
+.gitattributes
+.gitignore
+misc
+snapcraft.yaml
+tox.ini
+.travis.yml
From 6984413a66688674f0a600e607bfecb46b5bbec3 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone
Date: Mon, 1 May 2017 11:20:48 -0400
Subject: [PATCH 03/10] 16.04 apparently lacks this
---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Dockerfile b/Dockerfile
index 5246e0e..0bffba9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -29,6 +29,7 @@ RUN apt-get --quiet update && \
 rm -rf /var/lib/apt/lists/*
 
 RUN apt-get --quiet update && apt-get --quiet install -y \
+ gcc \
 python-dev \
 libffi-dev \
 openssl \
From 55df2ac429708451ff480dc87bbf3dd9cf3f9786 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone
Date: Mon, 1 May 2017 11:41:20 -0400
Subject: [PATCH 04/10] maybe this is a good way to get the build deps
---
 Dockerfile | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 0bffba9..d1709b1 100644
--- a/Dockerfile
+++ b/Dockerfile
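Review bot: `ENV SECURITY_UPDATES="2017-15-01"` is an impossible date (there is no month 15), and because it is an `ENV` rather than an `ARG`, the value the comment describes as a build-cache key is exported into every container started from this image. `ARG SECURITY_UPDATES="<intended date>"` next to `ARG DEBIAN_FRONTEND` still invalidates the cache of the following `RUN` layers whenever it changes, without leaking a build knob at runtime. `ADD . /src` copies a plain local directory, which is what `COPY . /src` is for; `ADD` only earns its keep for tar extraction or remote fetches. The two `apt-get --quiet install -y` calls would also pull in fewer packages with `--no-install-recommends`, and pinning their versions would make the image reproducible.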
@@ -29,15 +29,14 @@ RUN apt-get --quiet update && \
 rm -rf /var/lib/apt/lists/*
 
 RUN apt-get --quiet update && apt-get --quiet install -y \
- gcc \
- python-dev \
- libffi-dev \
- openssl \
- libssl-dev \
- \
 python-virtualenv \
 && rm -rf /var/lib/apt/lists/*
 
+RUN apt-get --quiet update && apt-get --quiet build-dep -y \
+ python-nacl \
+ python-openssl \
+&& rm -rf /var/lib/apt/lists/*
+
 # Create a virtualenv into which to install magicwormhole in to.
 RUN virtualenv /app/env
 
From 8965cd2daa56e442ca0899e2c33f62e740ebbead Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone
Date: Mon, 1 May 2017 13:16:54 -0400
Subject: [PATCH 05/10] We have to do libffi-dev ourselves.
---
 Dockerfile | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index d1709b1..7459bd0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -28,10 +28,15 @@ RUN apt-get --quiet update && \
 unattended-upgrade --minimal_upgrade_steps && \
 rm -rf /var/lib/apt/lists/*
 
+# libffi-dev should probably be a build-dep for python-nacl and python-openssl
+# but isn't for some reason.
 RUN apt-get --quiet update && apt-get --quiet install -y \
+ libffi-dev \
 python-virtualenv \
 && rm -rf /var/lib/apt/lists/*
 
+# magic-wormhole depends on these and pip wants to build them both from
+# source.
 RUN apt-get --quiet update && apt-get --quiet build-dep -y \
 python-nacl \
 python-openssl \
From 94c5d2ce8d0762eec2d1ac54f61af91d008c7374 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone
Date: Tue, 2 May 2017 06:55:26 -0400
Subject: [PATCH 06/10] unclear why python-openssl fails the build but it does

```
Picking 'pyopenssl' as source package instead of 'python-openssl'
[91mE: Unable to find a source package for python-openssl [0m
```
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 7459bd0..b5d42b5 100644
--- a/Dockerfile
+++ b/Dockerfile
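Review bot: `apt-get build-dep -y python-nacl python-openssl` installs the whole build chain of those source packages (compiler, headers, development libraries) into the only stage this Dockerfile has, so all of it stays in the runtime image next to the non-root server; nothing removes it once `pip install /src` (further down, outside this hunk) has built the extensions. The leanest fix with this layout is to do the build-dep install, the `pip install`, and an `apt-get purge --auto-remove` of the same package set in one `RUN`, so the toolchain never lands in a layer; a builder stage that copies `/app/env` into a fresh `ubuntu:16.04` stage does the same more cleanly where the Docker version supports multi-stage builds. The `RUN` would also be easier to review with one package per continuation line, as the `install` block above it already does.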
@@ -38,8 +38,8 @@ RUN apt-get --quiet update && apt-get --quiet install -y \
 # magic-wormhole depends on these and pip wants to build them both from
 # source.
 RUN apt-get --quiet update && apt-get --quiet build-dep -y \
+ pyopenssl \
 python-nacl \
- python-openssl \
 && rm -rf /var/lib/apt/lists/*
 
 # Create a virtualenv into which to install magicwormhole in to.
From fd1bd8f2d7503045b60e54f9aa0c02972d7a115b Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone
Date: Tue, 2 May 2017 08:43:08 -0400
Subject: [PATCH 07/10] Go back to the real package name

This alternate name didn't help.
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index b5d42b5..23a8c9d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -38,7 +38,7 @@ RUN apt-get --quiet update && apt-get --quiet install -y \
 # magic-wormhole depends on these and pip wants to build them both from
 # source.
 RUN apt-get --quiet update && apt-get --quiet build-dep -y \
- pyopenssl \
+ python-openssl \
 python-nacl \
 && rm -rf /var/lib/apt/lists/*
 
From 55f836776be2dee977426716e00ddb9830445f09 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone
Date: Tue, 2 May 2017 08:43:25 -0400
Subject: [PATCH 08/10] Enable deb-src lines.

This fixes the failure to get python-openssl build deps.
---
 Dockerfile | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 23a8c9d..657696d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -35,6 +35,10 @@ RUN apt-get --quiet update && apt-get --quiet install -y \
 python-virtualenv \
 && rm -rf /var/lib/apt/lists/*
 
+# Source repositories seem to be disabled on the Xenial image now. Enable
+# them so we can actually get some build deps.
+RUN sed -i -e 's/^# deb-src/deb-src/' /etc/apt/sources.list
+
 # magic-wormhole depends on these and pip wants to build them both from
 # source.
 RUN apt-get --quiet update && apt-get --quiet build-dep -y \
From 6394df4131772ce2d3d96fc44e09cccdc23022a9 Mon Sep 17 00:00:00 2001
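Review bot: The `sed -i -e 's/^# deb-src/deb-src/' /etc/apt/sources.list` permanently rewrites the image's apt configuration although only the `build-dep` step two instructions later needs source entries, so every later `apt-get update`, including any run inside a container, fetches the source indexes as well. Folding the sed into the build-dep `RUN` and undoing it before the `rm -rf /var/lib/apt/lists/*` in the same layer keeps the runtime image's `sources.list` as shipped: `RUN sed -i -e 's/^# deb-src/deb-src/' /etc/apt/sources.list && apt-get --quiet update && apt-get --quiet build-dep -y python-openssl python-nacl && sed -i -e 's/^deb-src/# deb-src/' /etc/apt/sources.list && rm -rf /var/lib/apt/lists/*`. The pattern `^# deb-src` also matches nothing, silently, if a future base image comments those entries differently; a `grep -q '^deb-src' /etc/apt/sources.list` right after the sed would turn that into an immediate build failure instead of a confusing build-dep error.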
From: Jean-Paul Calderone
Date: Tue, 2 May 2017 09:07:16 -0400
Subject: [PATCH 09/10] Usability improvements
---
 Dockerfile | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 657696d..d93ce63 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -66,8 +66,10 @@ WORKDIR /app/run
 # And give it to the user the application will run as.
 RUN chown ${WORMHOLE_USER_NAME} /app/run
 
-# Facilitate network connections to the application.
+# Facilitate network connections to the application. The rendezvous server
+# listens on 4000 by default. The transit relay server on 4001.
 EXPOSE 4000
+EXPOSE 4001
 
 # Put the source somewhere pip will be able to see it.
 ADD . /src
@@ -78,6 +80,9 @@ RUN /app/env/bin/pip install /src
 # Switch to a non-root user.
 USER 1000
 
-CMD /app/env/bin/wormhole-server start \
- --rendezvous tcp:4000 \
- --no-daemon
+# This makes starting a server succinct.
+ENTRYPOINT ["/app/env/bin/wormhole-server", "start", "--no-daemon"]
+
+# By default, start up a pretty reasonable server. This can easily be
+# overridden by another command which will get added to the entrypoint.
+CMD ["--rendezvous", "tcp:4000", "--transit", "tcp:4001"]
From 44816a3fbdd9d280f4d5efe64eddf580ff9cac10 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone
Date: Tue, 9 May 2017 11:36:53 -0400
Subject: [PATCH 10/10] Some doc improvements
---
 Dockerfile | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index d93ce63..a55371b 100644
--- a/Dockerfile
+++ b/Dockerfile
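Review bot: The default `CMD` in the second hunk also starts the transit relay on 4001, but the comment above it only says the command "can easily be overridden", not what to pass for a rendezvous-only deployment; make it explicit: `# Override CMD to choose the listeners, e.g. pass only --rendezvous tcp:4000 to run without the transit relay.`. Since `ENTRYPOINT` bakes in `start --no-daemon`, any other `wormhole-server` subcommand needs `docker run --entrypoint`, which is worth one more line in that comment. The `EXPOSE` comment in the first hunk describes 4000 and 4001 as defaults while the `CMD` passes both explicitly, so the two comments should agree on where the ports come from. A `HEALTHCHECK` probing the rendezvous port would let an orchestrator notice a wedged server; the virtualenv's Python would do for a cheap probe since the image ships no `curl`.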
@@ -49,15 +49,14 @@ RUN apt-get --quiet update && apt-get --quiet build-dep -y \
 # Create a virtualenv into which to install magicwormhole in to.
 RUN virtualenv /app/env
 
-# Get a newer version of pip.
+# Get a newer version of pip. The version in the virtualenv installed from
+# Ubuntu might not be very recent, depending on when the build happens.
 RUN /app/env/bin/pip install --upgrade pip
 
-# Create the website account, the user as which the infrastructure
-# server will run.
+# Create a less privileged account to actually use to run the server.
 ENV WORMHOLE_USER_NAME="wormhole"
 
-# Force the allocated user to uid 1000 because we hard-code 1000
-# below.
+# Force the allocated user to uid 1000 because we hard-code 1000 below.
 RUN adduser --uid 1000 --disabled-password --gecos "" "${WORMHOLE_USER_NAME}"
 
 # Run the application with this working directory.
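Review bot: The reworded comment on `RUN /app/env/bin/pip install --upgrade pip` documents that the result depends on when the build happens; pinning the upgrade (`RUN /app/env/bin/pip install --upgrade "pip==<pinned version>"`) removes that nondeterminism instead of describing it. The same applies to `pip install /src` further down the file (outside this hunk), which resolves magic-wormhole's dependencies at build time with no lock file: a pinned requirements file, ideally installed with `--require-hashes` before the source, would give an auditable dependency set that is refreshed only when someone bumps it on purpose. The new `# Create a less privileged account to actually use to run the server.` would read more naturally as `# Create the unprivileged account the server will run as.`.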