From 7d7f4ccfc29c6f8982126661da4fbb938e74e17a Mon Sep 17 00:00:00 2001
From: William Petit
Date: Sat, 10 Nov 2018 11:34:16 +0100
Subject: [PATCH] Use dedicated users to run services
---
 .dockerignore | 1 +
 Dockerfile | 17 ++++++++++++-----
 Makefile | 7 +++++--
 docker-entrypoint.sh | 19 +++++++++++--------
 fdroid-update.sh | 13 +++++++++++--
 misc/start.sh | 4 +++-
 supervisor.ini | 11 ++++++-----
 7 files changed, 49 insertions(+), 23 deletions(-)
 create mode 100644 .dockerignore
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..249cda9
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1 @@
+/data
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 3318ade..6450277 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,7 +4,6 @@ ARG HTTP_PROXY=
 ARG HTTPS_PROXY=
 ARG http_proxy=
 ARG https_proxy=
-
 ARG FDROIDSERVER_VERSION=1.0.10
 RUN apk add --no-cache \
@@ -20,6 +19,8 @@ RUN pip3 install --upgrade pip
 RUN pip3 install fdroidserver==${FDROIDSERVER_VERSION}
+RUN apk del build-base
+
 COPY supervisor.ini /etc/supervisor.d/supervisor.ini
 COPY docker-entrypoint.sh /docker-entrypoint.sh
 RUN chmod +x /docker-entrypoint.sh
@@ -29,8 +30,8 @@ WORKDIR /fdroid
 COPY config.py /fdroid/config.py.tmpl
-COPY fdroid-update.sh /fdroid-update.sh
-RUN chmod +x /fdroid-update.sh
+COPY fdroid-update.sh /fdroid/fdroid-update.sh
+RUN chmod +x /fdroid/fdroid-update.sh
 COPY fdroid-icon.png /fdroid/fdroid-icon.png
@@ -38,11 +39,17 @@ VOLUME /fdroid/repo
 VOLUME /fdroid/metadata
 VOLUME /fdroid/keystore
-EXPOSE 22
-EXPOSE 80
+EXPOSE 2222
+EXPOSE 8080
 ENV FDROID_ARCHIVE_OLDER=3
 ENV FDROID_REPO_ICON=fdroid-icon.png
 ENV FDROID_ARCHIVE_ICON=fdroid-icon.png
+RUN sed -i "s/^#HostKey.*$/HostKey \/fdroid\/ssh_host_rsa_key/" /etc/ssh/sshd_config
+RUN sed -i "s/^#Port.*$/Port 2222/" /etc/ssh/sshd_config
+
+RUN addgroup -S fdroid && adduser -D -h /fdroid -s /bin/bash -G fdroid fdroid
+RUN chown -R fdroid: /fdroid
+
 CMD /docker-entrypoint.sh
\ No newline at end of file
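Review bot: `RUN apk del build-base` in its own layer does not make the image smaller, because the compiler files are already baked into the earlier `apk add` layer and stay in the image history; only the new layer's view of the filesystem changes. If the intent is to not ship build tools, install them as a virtual package and remove them in the same RUN as the pip install, e.g. `RUN apk add --no-cache --virtual .build-deps build-base && pip3 install fdroidserver==${FDROIDSERVER_VERSION} && apk del .build-deps`. The `apk add` list this pairs with starts in the previous hunk and is mostly outside my view, so I cannot tell which of its other packages are build-only and belong in the virtual group too.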
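Review bot: The two `sed -i` edits on /etc/ssh/sshd_config are silent no-ops when their pattern is absent, and `^#HostKey.*$` rewrites every commented HostKey example (the stock file usually carries several), leaving duplicate HostKey lines that all name /fdroid/ssh_host_rsa_key. Appending explicit directives is easier to audit and does not depend on what the distribution's default file happens to contain: `RUN printf 'Port 2222\nHostKey /fdroid/ssh_host_rsa_key\n' >> /etc/ssh/sshd_config`. The build-time `RUN chown -R fdroid: /fdroid` is repeated on every start by the entrypoint in the next file, so one of the two is redundant; the runtime one is the one that also covers mounted volumes.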
diff --git a/Makefile b/Makefile
index 96f1be4..9a13a1f 100644
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,5 @@
+SSH_PUBLIC_KEY := $(shell cat ~/.ssh/id_rsa.pub)
+
 build:
 docker build \
 --build-arg "HTTP_PROXY=$(HTTP_PROXY)" \
@@ -9,8 +11,8 @@ build:
 run:
 docker run -it --rm \
- -p 2222:22 \
- -p 8080:80 \
+ -p 2222:2222 \
+ -p 8080:8080 \
 -v "$(PWD)/data/repo:/fdroid/repo" \
 -v "$(PWD)/data/metadata:/fdroid/metadata" \
 -v "$(PWD)/data/keystore:/fdroid/keystore" \
@@ -20,6 +22,7 @@ run:
 -e "FDROID_KEYSTORE_PASS=mykeystorepass" \
 -e "FDROID_KEYSTORE_KEYPASS=mykeystorekeypass" \
 -e "FDROID_KEYSTORE_KEY_ALIAS=fdroidkey" \
+ -e "SSH_PUBLIC_KEY=$(SSH_PUBLIC_KEY)" \
 -e "FDROID_KEYSTORE_DNAME=CN=cadoles.com, OU=ID, O=Cadoles, L=Dijon, S=France, C=FR" \
 fdroid-repository:latest \
 $(DOCKER_CMD)
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index a2d0b3d..4907a1f 100644
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -2,14 +2,15 @@
 set -xeo pipefail
-if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
- echo "Generating SSH key..."
- sed -i "s/^#HostKey.*$/HostKey \/etc\/ssh\/ssh_host_rsa_key/" /etc/ssh/sshd_config
- ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
+if [ ! -f /fdroid/ssh_host_rsa_key ]; then
+ echo "Generating host SSH key..."
+ ssh-keygen -f /fdroid/ssh_host_rsa_key -N '' -t rsa
+ chown fdroid: /fdroid/ssh_host_rsa_key
 fi
-mkdir -p /root/.ssh
-echo "${SSH_RSA_PUBLIC_KEY}" > /root/.ssh/authorized_keys
+mkdir -p /fdroid/.ssh
+echo "${SSH_PUBLIC_KEY}" > /fdroid/.ssh/authorized_keys
+chmod 0600 /fdroid/.ssh/authorized_keys
 if [ ! -f /fdroid/keystore/keystore.jks ]; then
 keytool -genkey -noprompt \
@@ -25,6 +26,8 @@ echo "Updating configuration from environment..."
 envsubst < config.py.tmpl > config.py
 chmod 0600 config.py
-/fdroid-update.sh
+chown -R fdroid: /fdroid
-/usr/bin/supervisord
\ No newline at end of file
+su - fdroid /fdroid/fdroid-update.sh
+
+/usr/bin/supervisord -c /etc/supervisor.d/supervisor.ini
\ No newline at end of file
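Review bot: `SSH_PUBLIC_KEY := $(shell cat ~/.ssh/id_rsa.pub)` is expanded the moment the Makefile is read, so every invocation, including `make build`, runs the `cat` and prints an error (and carries an empty value) whenever the file is missing or the developer's key is not an RSA one. Deferring the expansion and letting the environment override it keeps `build` independent of local key material: `SSH_PUBLIC_KEY ?= $(shell cat ~/.ssh/id_rsa.pub)`. The variable is only consumed by the `-e "SSH_PUBLIC_KEY=$(SSH_PUBLIC_KEY)"` line in the third hunk of this file.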
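Review bot: `echo "${SSH_PUBLIC_KEY}" > /fdroid/.ssh/authorized_keys` writes an empty authorized_keys when the variable is unset, and since this commit renames it from SSH_RSA_PUBLIC_KEY, an existing deployment that still sets the old name loses SSH access with nothing in the log to say why. A guard such as `: "${SSH_PUBLIC_KEY:?SSH_PUBLIC_KEY must be set}"` before the write, or a transitional `SSH_PUBLIC_KEY=${SSH_PUBLIC_KEY:-${SSH_RSA_PUBLIC_KEY:-}}`, would fail loudly instead. On the same lines, `mkdir -p -m 0700 /fdroid/.ssh` gives the directory the conventional mode and `printf '%s\n' "$SSH_PUBLIC_KEY"` avoids echo's option and escape handling on the value. The `chown fdroid:` of the freshly generated host key is made redundant by the recursive chown in the next hunk.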
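Review bot: `chown -R fdroid: /fdroid` on every start hands the sshd host key, authorized_keys, keystore.jks and the password-bearing config.py to the one account that also accepts SSH logins and serves HTTP, so anyone who obtains a shell as fdroid can replace the host key or add keys for themselves. The services need read access to these files, not ownership, so after the recursive chown the secrets can be handed back: `chown root:fdroid /fdroid/ssh_host_rsa_key /fdroid/config.py /fdroid/keystore/keystore.jks` followed by `chmod 0640` on the same three paths. As far as I can tell OpenSSH's too-open-permissions check only rejects private keys owned by the uid running sshd, so a root-owned 0640 host key should still load under the unprivileged sshd, but confirm it by running `sshd -t` as the fdroid user inside the container. The pre-existing `set -x` on line 2 still traces every command here, including the `su` and chown lines, which is worth keeping in mind when these logs go to a shared collector.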
diff --git a/fdroid-update.sh b/fdroid-update.sh
index 034874f..c45cb1b 100644
--- a/fdroid-update.sh
+++ b/fdroid-update.sh
@@ -1,4 +1,13 @@
 #!/bin/bash
-fdroid update -c --rename-apks --clean
-fdroid update --rename-apks --clean
\ No newline at end of file
+set -eo pipefail
+
+EVENT=$1
+DIR=$2
+FILE=$3
+
+if [ -z "$FILE" ] || [[ "$FILE" == *.apk ]]; then
+ fdroid update -c --rename-apks --clean --use-date-from-apk
+ fdroid update --rename-apks --clean --use-date-from-apk
+fi
+
diff --git a/misc/start.sh b/misc/start.sh
index 8dcbb28..431b5ad 100644
--- a/misc/start.sh
+++ b/misc/start.sh
@@ -8,7 +8,8 @@ set +a
 docker run -it -d \
 --restart always \
- -p 80:80 \
+ -p 80:8080 \
+ -p 2222:2222 \
 -v "${PWD}/data/repo:/fdroid/repo" \
 -v "${PWD}/data/metadata:/fdroid/metadata" \
 -v "${PWD}/data/keystore:/fdroid/keystore" \
@@ -19,4 +20,5 @@ docker run -it -d \
 -e "FDROID_KEYSTORE_KEYPASS=${KEYSTORE_KEY_PASS}" \
 -e "FDROID_KEYSTORE_KEY_ALIAS=${KEYSTORE_KEY_ALIAS}" \
 -e "FDROID_KEYSTORE_DNAME=${KEYSTORE_DNAME}" \
+ -e "SSH_PUBLIC_KEY=${SSH_PUBLIC_KEY}" \
 bornholm/fdroid-repository:latest
\ No newline at end of file
diff --git a/supervisor.ini b/supervisor.ini
index a74aaf2..da88832 100644
--- a/supervisor.ini
+++ b/supervisor.ini
@@ -1,10 +1,11 @@
 [supervisord]
 nodaemon=true
+user=root
 [program:sshd]
 command = /usr/sbin/sshd -D
 directory = /fdroid
-user = root
+user = fdroid
 autostart = true
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
@@ -13,9 +14,9 @@ stderr_logfile_maxbytes=0
 [program:fdroid-update]
-command = inotifyd /fdroid-update.sh /fdroid/repo:w
+command = inotifyd /fdroid/fdroid-update.sh /fdroid/repo:w
 directory = /fdroid
-user = root
+user = fdroid
 autostart = true
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
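Review bot: The three positional parameters only make sense given the `inotifyd /fdroid/fdroid-update.sh /fdroid/repo:w` command line in supervisor.ini, and nothing in the script records that contract; `EVENT` and `DIR` are also assigned and never read, which ShellCheck will flag. A header comment would carry the knowledge with the script: `# Invoked by inotifyd as: <script> EVENTS WATCHED_PATH [SUBFILE]; a full repo update runs for *.apk changes or for an event on the watched directory itself.` Dropping the two unused assignments and writing the test once as `[[ -z "$FILE" || "$FILE" == *.apk ]]` instead of mixing `[` and `[[` would tidy the condition. The glob is case-sensitive, so an upload named `Foo.APK` is silently skipped; if that is intended it deserves a comment, otherwise `shopt -s nocasematch` before the test changes it.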
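Review bot: `-p 2222:2222` publishes the container's sshd on every host interface, and this is the `--restart always` production launcher, so the SSH endpoint is reachable from wherever port 2222 is routable rather than only from the host that pushes APKs. If the SSH path is only used from the host or a bastion, binding to loopback, `-p 127.0.0.1:2222:2222`, limits exposure without changing the image. The second hunk of this file, which appends `-e "SSH_PUBLIC_KEY=${SSH_PUBLIC_KEY}"`, has the same empty-value risk as the entrypoint: if the env file sourced above (the `set +a` context) does not define the new variable, the container starts with an empty authorized_keys and no error.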
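Review bot: `user = fdroid` for the sshd program means the daemon cannot change uid, so only the fdroid account can ever log in and password or shadow-based checks are unavailable; that is reasonable for a key-only deploy but should be written down next to the program block, e.g. `; sshd runs unprivileged: only the fdroid account can log in, key auth only`. sshd as that user will also be unable to write its default PidFile under /var/run; in my experience it logs an error and continues, and `PidFile none` in sshd_config (if the installed OpenSSH accepts it) keeps the log clean. With this hunk and the darkhttpd hunk at the end of the file, all three programs share one uid, so the public HTTP listener and any SSH session can read keystore.jks and the passwords in config.py; a separate account for darkhttpd, which only needs read access to /fdroid/repo, would keep the internet-facing process away from the signing material.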
@@ -23,9 +24,9 @@ stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 [program:darkhttpd]
-command = darkhttpd /fdroid/repo
+command = darkhttpd /fdroid/repo --port 8080
 directory = /fdroid
-user = root
+user = fdroid
 autostart = true
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0