Fossil SCM
Removed all the "BBXVER" stuff in the containers doc now that we aren't fetching the BusyBox sources and building a custom version to install outside the jail.
Commit: b14165549cf1abf5221dec8349f7f41c97f1a15cd201a6fe96cf3efd4ef1773e
Parent: 2516fca74d93ddf…
1 file changed, +14 -34
| --- www/containers.md | ||
| +++ www/containers.md | ||
| @@ -397,15 +397,17 @@ | ||
| 397 | 397 | [terminating TLS with a front-end proxy](./ssl.wiki#server). You’re |
| 398 | 398 | more likely to say something like “`-p localhost:12345:8080`” and then |
| 399 | 399 | configure the reverse proxy to translate external HTTPS calls into |
| 400 | 400 | HTTP directed at this internal port 12345.) |
| 401 | 401 | |
| 402 | -* **`NET_RAW`**: Fossil itself doesn’t use raw sockets, and our build | |
| 403 | - process leaves out all the BusyBox utilities that require them. | |
| 404 | - Although that set includes common tools like `ping`, we foresee no | |
| 405 | - compelling reason to use that or any of these other elided utilities | |
| 406 | - — `ether-wake`, `netstat`, `traceroute`, and `udhcp` — inside the | |
| 402 | +* **`NET_RAW`**: Fossil itself doesn’t use raw sockets, and while | |
| 403 | + you could [swap out the run layer](#run) for something more | |
| 404 | + functional that *does* make use of raw sockets, there’s little call | |
| 405 | + for it. The best reason I can come up with is to be able to run | |
| 406 | + utilities like `ping` and `traceroute`, but since we aren’t doing | |
| 407 | + anything clever with the networking configuration, there’s no | |
| 408 | + particularly compelling reason to run these from inside the | |
| 407 | 409 | container. If you need to ping something, do it on the host. |
| 408 | 410 | |
| 409 | 411 | If we did not take this hard-line stance, an attacker that broke |
| 410 | 412 | into the container and gained root privileges might use raw sockets |
| 411 | 413 | to do a wide array of bad things to any network the container is |
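Review bot: the rewritten bullet at new lines 402-409 drops the part of the old rationale that did not depend on policy, namely that the image shipped no binary able to use raw sockets, and replaces it with "there's little call for it" while simultaneously pointing the reader at a swappable run layer that "*does* make use of raw sockets". Since the "hard-line stance" paragraph at 411-413 still argues from the capability being absent, the bullet should say plainly that `NET_RAW` is dropped at run time regardless of what the run layer happens to contain, so a reader who does swap layers does not conclude the capability comes back with the tools. Minor style point in the same span: "The best reason I can come up with" sits in a paragraph that otherwise says "we" ("we aren't doing anything clever", "If we did not take this hard-line stance"); "the best reason we can come up with" matches the rest of the document.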
| @@ -468,44 +470,22 @@ | ||
| 468 | 470 | |
| 469 | 471 | ## 5. <a id="args"></a>Container Build Arguments |
| 470 | 472 | |
| 471 | 473 | ### <a id="pkg-vers"></a> 5.1 Package Versions |
| 472 | 474 | |
| 473 | -You can override the default versions of Fossil and BusyBox that get | |
| 474 | -fetched in the build step. To get the latest-and-greatest of everything, | |
| 475 | -you could say: | |
| 476 | - | |
| 477 | -``` | |
| 478 | - $ docker build -t fossil \ | |
| 479 | - --build-arg FSLVER=trunk \ | |
| 480 | - --build-arg BBXVER=master . | |
| 481 | -``` | |
| 482 | - | |
| 483 | -(But don’t, for reasons we will get to.) | |
| 484 | - | |
| 485 | -Because the BusyBox configuration file we ship was created with and | |
| 486 | -tested against a specific stable release, that’s the version we pull by | |
| 487 | -default. It does try to merge the defaults for any new configuration | |
| 488 | -settings into the stock set, but since it’s possible this will fail, we | |
| 489 | -don’t blindly update the BusyBox version merely because a new release | |
| 490 | -came out. Someone needs to get around to vetting it against our stock | |
| 491 | -configuration first. | |
| 492 | - | |
| 493 | -As for Fossil, it defaults to fetching the same version as the checkout | |
| 494 | -you’re running the build command from, based on checkin ID. You could | |
| 495 | -use this to get a release build, for instance: | |
| 496 | - | |
| 497 | -``` | |
| 498 | - $ docker build -t fossil \ | |
| 499 | - --build-arg FSLVER=version-2.20 . | |
| 475 | +The default version of Fossil fetched in the build is the version in the | |
| 476 | +checkout directory at the time you run it. You could override it to get | |
| 477 | +a release build like so: | |
| 478 | + | |
| 479 | +``` | |
| 480 | + $ docker build -t fossil --build-arg FSLVER=version-2.20 . | |
| 500 | 481 | ``` |
| 501 | 482 | |
| 502 | 483 | Or equivalently, using Fossil’s `Makefile` convenience target: |
| 503 | 484 | |
| 504 | 485 | ``` |
| 505 | - $ make container-image \ | |
| 506 | - DBFLAGS='--build-arg FSLVER=version-2.20' | |
| 486 | + $ make container-image DBFLAGS='--build-arg FSLVER=version-2.20' | |
| 507 | 487 | ``` |
| 508 | 488 | |
| 509 | 489 | While you could instead use the generic |
| 510 | 490 | “`release`” tag here, it’s better to use a specific version number |
| 511 | 491 | since Docker caches downloaded files and tries to |
| 512 | 492 |
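Review bot: the new paragraph at lines 475-477 loses "based on checkin ID" from the description of the default `FSLVER`, which was the detail telling the reader that a default build is pinned to the exact commit of the working checkout rather than to a branch or tag name that can move; the caching argument at 489-491 only makes sense if that pinning is stated. Suggest "The default version of Fossil fetched in the build is the one checked out in the directory at the time you run it, identified by its checkin ID." Also, since the `--build-arg BBXVER=master` example and the BusyBox pinning paragraph are removed here, it is worth confirming that the Dockerfile itself no longer declares a `BBXVER` build argument, and a one-line note that the argument has gone away would help anyone who copied the old example into a script.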