#
# Attempts are made to follow the guidelines at
# https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/
#

FROM library/ubuntu:16.04

# If there are security updates for any of the packages we install,
# bump the date in this environment variable to invalidate the Docker
# build cache and force installation of the new packages.  Otherwise,
# Docker's image/layer cache may prevent the security update from
# being retrieved.
ENV SECURITY_UPDATES="2017-15-01"

# Tell apt/dpkg/debconf that we're non-interactive so it won't write
# annoying warnings as it installs the software we ask for.  Making
# this an `ARG` sets it in the environment for the duration of the
# _build_ only - preventing this from having any effect on a container
# running this image (which shouldn't really be installing more
# software but who knows...).
ARG DEBIAN_FRONTEND=noninteractive

# We'll do an upgrade because the base Ubuntu image isn't guaranteed
# to include the latest security updates.  This is counter to best
# practice recommendations but security updates are important.
RUN apt-get --quiet update && \
    apt-get --quiet install -y unattended-upgrades && \
    unattended-upgrade --minimal_upgrade_steps && \
rm -rf /var/lib/apt/lists/*

# libffi-dev should probably be a build-dep for python-nacl and python-openssl
# but isn't for some reason.  Also, versioneer depends on the git cli to
# compute the source version.
RUN apt-get --quiet update && apt-get --quiet install -y \
    libffi-dev \
    python-virtualenv \
    git \
&& rm -rf /var/lib/apt/lists/*

# Source repositories seem to be disabled on the Xenial image now.  Enable
# them so we can actually get some build deps.
RUN sed -i -e 's/^# deb-src/deb-src/' /etc/apt/sources.list

# magic-wormhole depends on these and pip wants to build them both from
# source.
RUN apt-get --quiet update && apt-get --quiet build-dep -y \
    python-openssl \
    python-nacl \
&& rm -rf /var/lib/apt/lists/*

# Create a virtualenv into which to install magicwormhole in to.
RUN virtualenv /app/env

# Get a newer version of pip.  The version in the virtualenv installed from
# Ubuntu might not be very recent, depending on when the build happens.
RUN /app/env/bin/pip install --upgrade pip

# Create a less privileged account to actually use to run the server.
ENV WORMHOLE_USER_NAME="wormhole"

# Force the allocated user to uid 1000 because we hard-code 1000 below.
RUN adduser --uid 1000 --disabled-password --gecos "" "${WORMHOLE_USER_NAME}"

# Facilitate network connections to the application.  The rendezvous server
# listens on 4000 by default.  The transit relay server on 4001.
EXPOSE 4000
EXPOSE 4001

# Put the source somewhere pip will be able to see it.
ADD . /magic-wormhole

# Get the app we want to run!
WORKDIR /magic-wormhole
RUN /app/env/bin/pip install .

# Run the application with this working directory.
WORKDIR /app/run

# And give it to the user the application will run as.
RUN chown ${WORMHOLE_USER_NAME} /app/run

# Switch to a non-root user.
USER 1000

# This makes starting a server succinct.
ENTRYPOINT ["/app/env/bin/wormhole-server", "start", "--no-daemon"]

# By default, start up a pretty reasonable server.  This can easily be
# overridden by another command which will get added to the entrypoint.
CMD ["--rendezvous", "tcp:4000", "--transit", "tcp:4001"]