Fossil SCM
Added explicit instructions for patching the Dockerfile for the nojail/podman method and for mapping a single Fossil repo into the container rather than a directory. Also included my best current advice on using WAL mode in these contexts.
Commit
87a23d2a7ca12b8218d82afa27b5a1b63edea55a8429dfc610bcf3ec13ace013
Parent
5adf6c40d9478e6…
1 file changed
+21
-4
| --- www/containers.md | ||
| +++ www/containers.md | ||
| @@ -447,13 +447,10 @@ | ||
| 447 | 447 | [DNT]: ./server/debian/nginx.md |
| 448 | 448 | |
| 449 | 449 | |
| 450 | 450 | ### <a id="podman"></a>Podman |
| 451 | 451 | |
| 452 | -The biggest downside of that method is that you don’t have all of the | |
| 453 | -user-land tools for managing the containers. | |
| 454 | - | |
| 455 | 452 | A lighter-weight alternative to Docker Engine that doesn’t give up so |
| 456 | 453 | much of its administrator affordances is [Podman], initially created by |
| 457 | 454 | Red Hat and thus popular on that family of OSes, although it will run on |
| 458 | 455 | any flavor of Linux. On Ubuntu 22.04, it’s about a quarter the size of |
| 459 | 456 | Docker Engine. It can even be made to run [on macOS via Homebrew][pmmac] |
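Review bot: dropping the two lines "The biggest downside of that method is that you don't have all of the user-land tools for managing the containers" leaves the following sentence, "doesn't give up so much of its administrator affordances", with no explicit statement of which affordances the preceding method gives up; consider restating that downside (lack of user-land container-management tools) in the section on the preceding method so the Podman comparison still has an antecedent.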
| @@ -485,11 +482,31 @@ | ||
| 485 | 482 | 2. Anything that depends on the `/jail` directory and the fact that it |
| 486 | 483 | becomes the file system’s root once the Fossil server is up and running. |
| 487 | 484 | |
| 488 | 485 | [The changes to fix this](/file/containers/Dockerfile-nojail.patch) |
| 489 | 486 | aren’t complicated. Simply apply that patch to our stock `Dockerfile` |
| 490 | -and rebuild. | |
| 487 | +and rebuild: | |
| 488 | + | |
| 489 | +``` | |
| 490 | + $ patch -p0 < containers/Dockerfile-nojail.patch | |
| 491 | + $ make reconfig # re-generate Dockerfile from the changed .in file | |
| 492 | + $ docker build -t fossil:nojail . | |
| 493 | + $ docker create \ | |
| 494 | + --name fossil-nojail \ | |
| 495 | + --publish 9999:8080 \ | |
| 496 | + --volume ~/museum/my-project.fossil:/museum/repo.fossil \ | |
| 497 | + fossil:nojail | |
| 498 | +``` | |
| 499 | + | |
| 500 | +This shows a new trick: mapping a single file into the container, rather | |
| 501 | +than mapping a whole directory. That’s only suitable if you aren’t using | |
| 502 | +WAL mode on that repository, or you aren’t going to use that repository | |
| 503 | +outside the container. It isn’t yet clear to me if WAL can work safely | |
| 504 | +across the container boundary, so for now, I advise that you either do | |
| 505 | +not use WAL mode with these containers, or that you clone the repository | |
| 506 | +locally for use outside the container and rely on Fossil’s autosync | |
| 507 | +feature to keep the two copies synchronized. | |
| 491 | 508 | |
| 492 | 509 | Do realize that by doing this, if an attacker ever managed to get shell |
| 493 | 510 | access on your container, they’d have a BusyBox installation to play |
| 494 | 511 | around in. That shouldn’t be enough to let them break out of the |
| 495 | 512 | container entirely, but they’ll have powerful tools like `wget`, and |
| 496 | 513 |
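Review bot: the WAL caveat in the new paragraph can be made concrete rather than tentative: `--volume ~/museum/my-project.fossil:/museum/repo.fossil` bind-mounts only the database file, while SQLite in WAL mode keeps its `repo.fossil-wal` and `repo.fossil-shm` sidecars in the same directory as the database, so inside the container they are created in the container's own `/museum` and a host-side Fossil opening `~/museum/my-project.fossil` never sees them (and creates its own), which is exactly why WAL across this boundary is unsafe and why the "do not use WAL mode, or clone and autosync" advice is the right one. Two smaller points in the same hunk: the prose says "apply that patch to our stock `Dockerfile`" while the command comment says `make reconfig` regenerates `Dockerfile` from the changed `.in` file, so the text should name the `.in` file as what the patch touches; and the listing stops at `docker create`, so either append `$ docker start fossil-nojail` or say that the container still has to be started.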