Updated the "nojail" patch for our Dockerfile to track the recent changes: the rename back from Dockerfile.in to Dockerfile and the layer refactoring. It does essentially the same thing as before.
Commit
19abf0ac13b6a280702c14f8fecae2817a88a4aab4878f75c2483074f00920f9
Parent
9d12e9644015936…
2 files changed
+31
-22
-1
+31
-22
| --- containers/Dockerfile-nojail.patch | ||
| +++ containers/Dockerfile-nojail.patch | ||
| @@ -1,43 +1,52 @@ | ||
| 1 | -Index: Dockerfile.in | |
| 1 | +Index: Dockerfile | |
| 2 | 2 | ================================================================== |
| ---- Dockerfile.in | ||
| 3 | -+++ Dockerfile.in | |
| 4 | -@@ -27,37 +27,35 @@ | |
| 5 | - && if apk add upx ; then upx -9 fossil bbx/busybox ; fi | |
| 6 | - | |
| 7 | - # STAGE 2: Pare that back to the bare essentials. | |
| 3 | +--- Dockerfile | |
| ++++ Dockerfile | ||
| 4 | +@@ -61,13 +61,13 @@ | |
| 5 | + ## --------------------------------------------------------------------- | |
| 6 | + ## STAGE 2: Pare that back to the bare essentials. | |
| 7 | + ## --------------------------------------------------------------------- | |
| 8 | 8 | |
| 9 | 9 | FROM scratch |
| 10 | 10 | -WORKDIR /jail |
| 11 | 11 | +WORKDIR / |
| 12 | 12 | ARG UID=499 |
| 13 | 13 | -ENV PATH "/bin:/jail/bin" |
| 14 | 14 | +ENV PATH "/bin" |
| 15 | - COPY --from=builder /tmp/fossil bin/ | |
| 15 | + | |
| 16 | + ### Lay BusyBox down as the first base layer. Coupled with the host's | |
| 17 | + ### kernel, this is the "OS." | |
| 16 | 18 | COPY --from=builder /tmp/bbx/busybox /bin/ |
| 17 | 19 | RUN [ "/bin/busybox", "--install", "/bin" ] |
| 20 | +@@ -78,20 +78,17 @@ | |
| 18 | 21 | RUN set -x \ |
| 19 | -- && mkdir -m 700 dev museum \ | |
| 20 | -- && mknod -m 600 dev/null c 1 3 \ | |
| 21 | -- && mknod -m 600 dev/urandom c 1 9 \ | |
| 22 | -+ && mkdir -m 700 museum \ | |
| 23 | 22 | && echo 'root:x:0:0:SysAdmin:/:/bin/nologin' > /etc/passwd \ |
| 24 | 23 | && echo 'root:x:0:root' > /etc/group \ |
| 25 | - && addgroup -g ${UID} fossil \ | |
| 26 | - && adduser -h `pwd` -g 'Fossil User' -G fossil -u ${UID} -S fossil \ | |
| 24 | + && addgroup -S -g ${UID} fossil \ | |
| 25 | + && adduser -S -h `pwd` -g 'Fossil User' -G fossil -u ${UID} fossil \ | |
| 26 | +- && install -d -m 700 -o fossil -g fossil log museum \ | |
| 27 | +- && install -d -m 755 -o fossil -g fossil dev \ | |
| 28 | +- && mknod -m 666 dev/null c 1 3 \ | |
| 29 | +- && mknod -m 444 dev/urandom c 1 9 | |
| 30 | ++ && install -d -m 700 -o fossil -g fossil log museum | |
| 31 | + | |
| 32 | + ### Do Fossil-specific things atop those base layers; this will change | |
| 33 | + ### as often as the Fossil build-from-source layer above. | |
| 34 | + COPY --from=builder /tmp/fossil bin/ | |
| 35 | + RUN set -x \ | |
| 36 | +- && ln -s /jail/bin/fossil /bin/f \ | |
| 37 | ++ && ln -s /bin/fossil /bin/f \ | |
| 27 | 38 | && echo -e '#!/bin/sh\nfossil sha1sum "$@"' > /bin/sha1sum \ |
| 28 | 39 | && echo -e '#!/bin/sh\nfossil sha3sum "$@"' > /bin/sha3sum \ |
| 29 | - && echo -e '#!/bin/sh\nfossil sqlite3 --no-repository "$@"' > /bin/sqlite3 \ | |
| 30 | -- && ln -s /jail/bin/fossil /bin/f \ | |
| 31 | -+ && ln -s /bin/fossil /bin/f \ | |
| 32 | - && chmod +x /bin/sha?sum /bin/sqlite3 \ | |
| 33 | -- && chown fossil:fossil . museum | |
| 34 | -+ && chown fossil:fossil museum | |
| 35 | - | |
| 36 | - # Now we can run the stripped-down environment in a chroot jail, while | |
| 37 | - # leaving open the option to debug it live via the Busybox shell. | |
| 40 | + && echo -e '#!/bin/sh\nfossil sqlite3 --no-repository "$@"' > \ | |
| 41 | + /bin/sqlite3 \ | |
| 42 | + && chmod +x /bin/sha?sum /bin/sqlite3 | |
| 43 | +@@ -100,12 +97,12 @@ | |
| 44 | + ## --------------------------------------------------------------------- | |
| 45 | + ## STAGE 3: Run! | |
| 46 | + ## --------------------------------------------------------------------- | |
| 38 | 47 | |
| 39 | 48 | EXPOSE 8080/tcp |
| 40 | 49 | +USER fossil |
| 41 | 50 | CMD [ \ |
| 42 | 51 | "bin/fossil", "server", \ |
| 43 | 52 |
| --- containers/Dockerfile-nojail.patch | |
| +++ containers/Dockerfile-nojail.patch | |
| @@ -1,43 +1,52 @@ | |
| 1 | Index: Dockerfile.in |
| 2 | ================================================================== |
| ---- Dockerfile.in | |
| 3 | +++ Dockerfile.in |
| 4 | @@ -27,37 +27,35 @@ |
| 5 | && if apk add upx ; then upx -9 fossil bbx/busybox ; fi |
| 6 | |
| 7 | # STAGE 2: Pare that back to the bare essentials. |
| ++++ Dockerfile | |
| 8 | |
| 9 | FROM scratch |
| 10 | -WORKDIR /jail |
| 11 | +WORKDIR / |
| 12 | ARG UID=499 |
| 13 | -ENV PATH "/bin:/jail/bin" |
| 14 | +ENV PATH "/bin" |
| 15 | COPY --from=builder /tmp/fossil bin/ |
| 16 | COPY --from=builder /tmp/bbx/busybox /bin/ |
| 17 | RUN [ "/bin/busybox", "--install", "/bin" ] |
| 18 | RUN set -x \ |
| 19 | - && mkdir -m 700 dev museum \ |
| 20 | - && mknod -m 600 dev/null c 1 3 \ |
| 21 | - && mknod -m 600 dev/urandom c 1 9 \ |
| 22 | + && mkdir -m 700 museum \ |
| 23 | && echo 'root:x:0:0:SysAdmin:/:/bin/nologin' > /etc/passwd \ |
| 24 | && echo 'root:x:0:root' > /etc/group \ |
| 25 | && addgroup -g ${UID} fossil \ |
| 26 | && adduser -h `pwd` -g 'Fossil User' -G fossil -u ${UID} -S fossil \ |
| 27 | && echo -e '#!/bin/sh\nfossil sha1sum "$@"' > /bin/sha1sum \ |
| 28 | && echo -e '#!/bin/sh\nfossil sha3sum "$@"' > /bin/sha3sum \ |
| 29 | && echo -e '#!/bin/sh\nfossil sqlite3 --no-repository "$@"' > /bin/sqlite3 \ |
| 30 | - && ln -s /jail/bin/fossil /bin/f \ |
| 31 | + && ln -s /bin/fossil /bin/f \ |
| 32 | && chmod +x /bin/sha?sum /bin/sqlite3 \ |
| 33 | - && chown fossil:fossil . museum |
| 34 | + && chown fossil:fossil museum |
| 35 | |
| 36 | # Now we can run the stripped-down environment in a chroot jail, while |
| 37 | # leaving open the option to debug it live via the Busybox shell. |
| 38 | |
| 39 | EXPOSE 8080/tcp |
| 40 | +USER fossil |
| 41 | CMD [ \ |
| 42 | "bin/fossil", "server", \ |
| 43 |
| --- containers/Dockerfile-nojail.patch | |
| +++ containers/Dockerfile-nojail.patch | |
| @@ -1,43 +1,52 @@ | |
| 1 | Index: Dockerfile |
| 2 | ================================================================== |
| ---- Dockerfile.in | |
| 3 | --- Dockerfile |
| ++++ Dockerfile | |
| 4 | @@ -61,13 +61,13 @@ |
| 5 | ## --------------------------------------------------------------------- |
| 6 | ## STAGE 2: Pare that back to the bare essentials. |
| 7 | ## --------------------------------------------------------------------- |
| 8 | |
| 9 | FROM scratch |
| 10 | -WORKDIR /jail |
| 11 | +WORKDIR / |
| 12 | ARG UID=499 |
| 13 | -ENV PATH "/bin:/jail/bin" |
| 14 | +ENV PATH "/bin" |
| 15 | |
| 16 | ### Lay BusyBox down as the first base layer. Coupled with the host's |
| 17 | ### kernel, this is the "OS." |
| 18 | COPY --from=builder /tmp/bbx/busybox /bin/ |
| 19 | RUN [ "/bin/busybox", "--install", "/bin" ] |
| 20 | @@ -78,20 +78,17 @@ |
| 21 | RUN set -x \ |
| 22 | && echo 'root:x:0:0:SysAdmin:/:/bin/nologin' > /etc/passwd \ |
| 23 | && echo 'root:x:0:root' > /etc/group \ |
| 24 | && addgroup -S -g ${UID} fossil \ |
| 25 | && adduser -S -h `pwd` -g 'Fossil User' -G fossil -u ${UID} fossil \ |
| 26 | - && install -d -m 700 -o fossil -g fossil log museum \ |
| 27 | - && install -d -m 755 -o fossil -g fossil dev \ |
| 28 | - && mknod -m 666 dev/null c 1 3 \ |
| 29 | - && mknod -m 444 dev/urandom c 1 9 |
| 30 | + && install -d -m 700 -o fossil -g fossil log museum |
| 31 | |
| 32 | ### Do Fossil-specific things atop those base layers; this will change |
| 33 | ### as often as the Fossil build-from-source layer above. |
| 34 | COPY --from=builder /tmp/fossil bin/ |
| 35 | RUN set -x \ |
| 36 | - && ln -s /jail/bin/fossil /bin/f \ |
| 37 | + && ln -s /bin/fossil /bin/f \ |
| 38 | && echo -e '#!/bin/sh\nfossil sha1sum "$@"' > /bin/sha1sum \ |
| 39 | && echo -e '#!/bin/sh\nfossil sha3sum "$@"' > /bin/sha3sum \ |
| 40 | && echo -e '#!/bin/sh\nfossil sqlite3 --no-repository "$@"' > \ |
| 41 | /bin/sqlite3 \ |
| 42 | && chmod +x /bin/sha?sum /bin/sqlite3 |
| 43 | @@ -100,12 +97,12 @@ |
| 44 | ## --------------------------------------------------------------------- |
| 45 | ## STAGE 3: Run! |
| 46 | ## --------------------------------------------------------------------- |
| 47 | |
| 48 | EXPOSE 8080/tcp |
| 49 | +USER fossil |
| 50 | CMD [ \ |
| 51 | "bin/fossil", "server", \ |
| 52 |
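Review bot: The nojail patch keeps `&& adduser -S -h \`pwd\` -g 'Fossil User' -G fossil -u ${UID} fossil \` as unchanged context (patch line 25) while changing `WORKDIR /jail` to `WORKDIR /` (patch lines 10–11), so the unprivileged fossil user's home directory is now the image root instead of the jail directory; that is presumably root-owned and not writable by the user, which looks intended since the jail-root `chown fossil:fossil .` from the previous version of the patch is gone, but it deserves an explicit statement. The patch also deletes the `install -d -m 755 -o fossil -g fossil dev` line and both `mknod` lines (patch lines 26–29), so the unjailed image relies on the container runtime to provide `/dev/null` and `/dev/urandom`; since patch(1) ignores text ahead of the `Index:` line, a short rationale there — that the device nodes only existed for the chroot, and that the added `USER fossil` now performs the privilege drop the jail used to — would spare the next maintainer re-deriving it. The third hunk (`@@ -100,12 +97,12 @@`) is cut off at the end of this section, so its line counts cannot be checked here.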
-1
| --- www/containers.md | ||
| +++ www/containers.md | ||
| @@ -800,11 +800,10 @@ | ||
| 800 | 800 | aren’t complicated. Simply apply that patch to our stock `Dockerfile` |
| 801 | 801 | and rebuild: |
| 802 | 802 | |
| 803 | 803 | ``` |
| 804 | 804 | $ patch -p0 < containers/Dockerfile-nojail.patch |
| 805 | - $ make reconfig # re-generate Dockerfile from the changed .in file | |
| 806 | 805 | $ docker build -t fossil:nojail . |
| 807 | 806 | $ docker create \ |
| 808 | 807 | --name fossil-nojail \ |
| 809 | 808 | --publish 127.0.0.1:9999:8080 \ |
| 810 | 809 | --volume ~/museum:/museum \ |
| 811 | 810 |
| --- www/containers.md | |
| +++ www/containers.md | |
| @@ -800,11 +800,10 @@ | |
| 800 | aren’t complicated. Simply apply that patch to our stock `Dockerfile` |
| 801 | and rebuild: |
| 802 | |
| 803 | ``` |
| 804 | $ patch -p0 < containers/Dockerfile-nojail.patch |
| 805 | $ make reconfig # re-generate Dockerfile from the changed .in file |
| 806 | $ docker build -t fossil:nojail . |
| 807 | $ docker create \ |
| 808 | --name fossil-nojail \ |
| 809 | --publish 127.0.0.1:9999:8080 \ |
| 810 | --volume ~/museum:/museum \ |
| 811 |
| --- www/containers.md | |
| +++ www/containers.md | |
| @@ -800,11 +800,10 @@ | |
| 800 | aren’t complicated. Simply apply that patch to our stock `Dockerfile` |
| 801 | and rebuild: |
| 802 | |
| 803 | ``` |
| 804 | $ patch -p0 < containers/Dockerfile-nojail.patch |
| 805 | $ docker build -t fossil:nojail . |
| 806 | $ docker create \ |
| 807 | --name fossil-nojail \ |
| 808 | --publish 127.0.0.1:9999:8080 \ |
| 809 | --volume ~/museum:/museum \ |
| 810 |