Use dedicated users to run services

This commit is contained in:
wpetit 2018-11-10 11:34:16 +01:00
parent 516d4899b4
commit 7d7f4ccfc2
7 changed files with 49 additions and 23 deletions

1
.dockerignore Normal file
View File

@ -0,0 +1 @@
/data

View File

@ -4,7 +4,6 @@ ARG HTTP_PROXY=
ARG HTTPS_PROXY=
ARG http_proxy=
ARG https_proxy=
ARG FDROIDSERVER_VERSION=1.0.10
RUN apk add --no-cache \
@ -20,6 +19,8 @@ RUN pip3 install --upgrade pip
RUN pip3 install fdroidserver==${FDROIDSERVER_VERSION}
RUN apk del build-base
COPY supervisor.ini /etc/supervisor.d/supervisor.ini
COPY docker-entrypoint.sh /docker-entrypoint.sh
RUN chmod +x /docker-entrypoint.sh
@ -29,8 +30,8 @@ WORKDIR /fdroid
COPY config.py /fdroid/config.py.tmpl
COPY fdroid-update.sh /fdroid-update.sh
RUN chmod +x /fdroid-update.sh
COPY fdroid-update.sh /fdroid/fdroid-update.sh
RUN chmod +x /fdroid/fdroid-update.sh
COPY fdroid-icon.png /fdroid/fdroid-icon.png
@ -38,11 +39,17 @@ VOLUME /fdroid/repo
VOLUME /fdroid/metadata
VOLUME /fdroid/keystore
EXPOSE 22
EXPOSE 80
EXPOSE 2222
EXPOSE 8080
ENV FDROID_ARCHIVE_OLDER=3
ENV FDROID_REPO_ICON=fdroid-icon.png
ENV FDROID_ARCHIVE_ICON=fdroid-icon.png
RUN sed -i "s/^#HostKey.*$/HostKey \/fdroid\/ssh_host_rsa_key/" /etc/ssh/sshd_config
RUN sed -i "s/^#Port.*$/Port 2222/" /etc/ssh/sshd_config
RUN addgroup -S fdroid && adduser -D -h /fdroid -s /bin/bash -G fdroid fdroid
RUN chown -R fdroid: /fdroid
CMD /docker-entrypoint.sh

View File

@ -1,3 +1,5 @@
SSH_PUBLIC_KEY := $(shell cat ~/.ssh/id_rsa.pub)
build:
docker build \
--build-arg "HTTP_PROXY=$(HTTP_PROXY)" \
@ -9,8 +11,8 @@ build:
run:
docker run -it --rm \
-p 2222:22 \
-p 8080:80 \
-p 2222:2222 \
-p 8080:8080 \
-v "$(PWD)/data/repo:/fdroid/repo" \
-v "$(PWD)/data/metadata:/fdroid/metadata" \
-v "$(PWD)/data/keystore:/fdroid/keystore" \
@ -20,6 +22,7 @@ run:
-e "FDROID_KEYSTORE_PASS=mykeystorepass" \
-e "FDROID_KEYSTORE_KEYPASS=mykeystorekeypass" \
-e "FDROID_KEYSTORE_KEY_ALIAS=fdroidkey" \
-e "SSH_PUBLIC_KEY=$(SSH_PUBLIC_KEY)" \
-e "FDROID_KEYSTORE_DNAME=CN=cadoles.com, OU=ID, O=Cadoles, L=Dijon, S=France, C=FR" \
fdroid-repository:latest \
$(DOCKER_CMD)

View File

@ -2,14 +2,15 @@
set -xeo pipefail
if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
echo "Generating SSH key..."
sed -i "s/^#HostKey.*$/HostKey \/etc\/ssh\/ssh_host_rsa_key/" /etc/ssh/sshd_config
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
if [ ! -f /fdroid/ssh_host_rsa_key ]; then
echo "Generating host SSH key..."
ssh-keygen -f /fdroid/ssh_host_rsa_key -N '' -t rsa
chown fdroid: /fdroid/ssh_host_rsa_key
fi
mkdir -p /root/.ssh
echo "${SSH_RSA_PUBLIC_KEY}" > /root/.ssh/authorized_keys
mkdir -p /fdroid/.ssh
echo "${SSH_PUBLIC_KEY}" > /fdroid/.ssh/authorized_keys
chmod 0600 /fdroid/.ssh/authorized_keys
if [ ! -f /fdroid/keystore/keystore.jks ]; then
keytool -genkey -noprompt \
@ -25,6 +26,8 @@ echo "Updating configuration from environment..."
envsubst < config.py.tmpl > config.py
chmod 0600 config.py
/fdroid-update.sh
chown -R fdroid: /fdroid
/usr/bin/supervisord
su - fdroid /fdroid/fdroid-update.sh
/usr/bin/supervisord -c /etc/supervisor.d/supervisor.ini

View File

@ -1,4 +1,13 @@
#!/bin/bash
fdroid update -c --rename-apks --clean
fdroid update --rename-apks --clean
set -eo pipefail
EVENT=$1
DIR=$2
FILE=$3
if [ -z "$FILE" ] || [[ "$FILE" == *.apk ]]; then
fdroid update -c --rename-apks --clean --use-date-from-apk
fdroid update --rename-apks --clean --use-date-from-apk
fi

View File

@ -8,7 +8,8 @@ set +a
docker run -it -d \
--restart always \
-p 80:80 \
-p 80:8080 \
-p 2222:2222 \
-v "${PWD}/data/repo:/fdroid/repo" \
-v "${PWD}/data/metadata:/fdroid/metadata" \
-v "${PWD}/data/keystore:/fdroid/keystore" \
@ -19,4 +20,5 @@ docker run -it -d \
-e "FDROID_KEYSTORE_KEYPASS=${KEYSTORE_KEY_PASS}" \
-e "FDROID_KEYSTORE_KEY_ALIAS=${KEYSTORE_KEY_ALIAS}" \
-e "FDROID_KEYSTORE_DNAME=${KEYSTORE_DNAME}" \
-e "SSH_PUBLIC_KEY=${SSH_PUBLIC_KEY}" \
bornholm/fdroid-repository:latest

View File

@ -1,10 +1,11 @@
[supervisord]
nodaemon=true
user=root
[program:sshd]
command = /usr/sbin/sshd -D
directory = /fdroid
user = root
user = fdroid
autostart = true
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
@ -13,9 +14,9 @@ stderr_logfile_maxbytes=0
[program:fdroid-update]
command = inotifyd /fdroid-update.sh /fdroid/repo:w
command = inotifyd /fdroid/fdroid-update.sh /fdroid/repo:w
directory = /fdroid
user = root
user = fdroid
autostart = true
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
@ -23,9 +24,9 @@ stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
[program:darkhttpd]
command = darkhttpd /fdroid/repo
command = darkhttpd /fdroid/repo --port 8080
directory = /fdroid
user = root
user = fdroid
autostart = true
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0