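#
# Attempts are made to follow the guidelines at
# https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/
#
FROM library/ubuntu:16.04

# If there are security updates for any of the packages we install,
# bump the value in this environment variable to invalidate the Docker
# build cache and force installation of the new packages. Otherwise,
# Docker's image/layer cache may prevent the security update from
# being retrieved. The value is only a cache-busting token compared
# byte-for-byte by the layer cache; nothing parses it as a date.
ENV SECURITY_UPDATES="2017-15-01"

# Tell apt/dpkg/debconf that we're non-interactive so it won't write
# annoying warnings as it installs the software we ask for. Making
# this an `ARG` sets it in the environment for the duration of the
# _build_ only - preventing this from having any effect on a container
# running this image (which shouldn't really be installing more
# software but who knows...).
ARG DEBIAN_FRONTEND=noninteractive

# We'll do an upgrade because the base Ubuntu image isn't guaranteed
# to include the latest security updates. This is counter to best
# practice recommendations but security updates are important.
# `update` and the installs share one layer so a cached package index
# can never be paired with a fresh install list.
RUN apt-get --quiet update && \
    apt-get --quiet install -y unattended-upgrades && \
    unattended-upgrade --minimal_upgrade_steps && \
    rm -rf /var/lib/apt/lists/*

# libffi-dev should probably be a build-dep for python-nacl and python-openssl
# but isn't for some reason.
RUN apt-get --quiet update && apt-get --quiet install -y \
        libffi-dev \
        python-virtualenv \
    && rm -rf /var/lib/apt/lists/*

# Source repositories seem to be disabled on the Xenial image now. Enable
# them so we can actually get some build deps.
RUN sed -i -e 's/^# deb-src/deb-src/' /etc/apt/sources.list

# magic-wormhole depends on these and pip wants to build them both from
# source.
RUN apt-get --quiet update && apt-get --quiet build-dep -y \
        python-nacl \
        python-openssl \
    && rm -rf /var/lib/apt/lists/*

# Create a virtualenv into which magic-wormhole will be installed.
RUN virtualenv /app/env

# Get a newer version of pip.
RUN /app/env/bin/pip install --upgrade pip

# Create the account as which the infrastructure server will run.
ENV WORMHOLE_USER_NAME="wormhole"

# Force the allocated user to uid 1000 because we hard-code 1000
# in the USER instruction below.
RUN adduser --uid 1000 --disabled-password --gecos "" "${WORMHOLE_USER_NAME}"

# Run the application with this working directory.
WORKDIR /app/run

# And give it to the user the application will run as.
RUN chown ${WORMHOLE_USER_NAME} /app/run

# Facilitate network connections to the application. EXPOSE only
# documents the port; it must still be published at `docker run`.
EXPOSE 4000

# Put the source somewhere pip will be able to see it. COPY, not ADD:
# the source is a plain local directory, so none of ADD's extra
# behaviour (URL fetching, tar auto-extraction) is wanted.
COPY . /src

# Get the app we want to run!
RUN /app/env/bin/pip install /src

# Switch to a non-root user. Everything above that needed root
# (package installs, adduser, chown) has already run.
USER 1000

# Exec form so wormhole-server is PID 1 and receives SIGTERM from
# `docker stop` directly, instead of running as a child of an
# intermediate `/bin/sh -c` that does not forward the signal.
CMD ["/app/env/bin/wormhole-server", "start", \
     "--rendezvous", "tcp:4000", \
     "--no-daemon"]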