
Improve Dockerfile security #278

Open
rrrnld opened this issue Nov 19, 2021 · 2 comments
Labels
enhancement New feature or request

Comments

@rrrnld

rrrnld commented Nov 19, 2021

I have made some improvements to the project's Dockerfile locally, but I don't know how they would translate into the docker-compose-based setup because I don't use it. This is my Dockerfile:

# SPDX-FileCopyrightText: 2021 The NGI Pointer Secure-Scuttlebutt Team of 2020/2021
#
# SPDX-License-Identifier: Unlicense

# Build stage: the compiler toolchain and sqlite headers live only here.
FROM golang:1.16-alpine AS build

RUN apk add --no-cache \
      build-base \
      git \
      sqlite \
      sqlite-dev

# WORKDIR creates /app if it does not exist, so no separate mkdir is needed.
WORKDIR /app
COPY . /app

RUN cd /app/cmd/server && go build && \
    cd /app/cmd/insert-user && go build

# Runtime stage: plain alpine without the Go toolchain.
FROM alpine:3.14

# Note: this copies the whole /app tree (sources included), not only the binaries.
COPY --from=build /app /app
WORKDIR /app

EXPOSE 8008
EXPOSE 3000

# Directory the server reads its secrets from.
ENV REPO=/app/.ssb-go-room-secrets
RUN mkdir /app/.ssb-go-room-secrets

# Unprivileged user that owns the app tree; the process no longer runs as root.
RUN adduser -D -h /app roomie && \
    chown -R roomie /app && \
    chmod +x ./start.sh

USER roomie

CMD ./start.sh

I'm using multi-stage builds so the container running the app only contains a bare minimum alpine install and the go-ssb-room binaries. I also changed the container's user so it doesn't run root, which is recommended best practice.

I am happy to create a pull request if somebody tells me how I'd deal with the different locations of .ssb-go-room-secrets in the different setups. Maybe pass the $REPO environment var in docker-compose.yml?

rrrnld changed the title from "Improve genreal security" to "Improve Dockerfile security" on Nov 19, 2021
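As an added example (not the project's Dockerfile and not the one posted above), this is how the same two ideas, a multi-stage build and a non-root user, look when the runtime stage receives only the compiled binaries and start.sh rather than the whole /app source tree, and when the secrets directory is kept outside the code tree with a fixed uid so a bind mount can be chown'ed predictably on the host. It assumes the two commands build with cgo (hence the static link flags), that start.sh invokes server and insert-user by bare name so placing them on PATH works, and that the server reads its secrets path from REPO; the uid 1000, the /ssb-go-room-secrets path and the /usr/local/bin location are choices made here, not taken from the project.

```dockerfile
# Added example, not the project's Dockerfile.
# Assumptions (see lead-in): cgo build, start.sh calls the binaries by name,
# server honours $REPO. uid 1000 and the paths below are choices made here.

FROM golang:1.16-alpine AS build

RUN apk add --no-cache build-base git sqlite-dev

WORKDIR /src
COPY . .

# Fully static binaries, so the runtime image needs neither libc nor libsqlite3.
RUN CGO_ENABLED=1 go build -ldflags='-linkmode external -extldflags "-static"' \
        -o /out/server ./cmd/server && \
    CGO_ENABLED=1 go build -ldflags='-linkmode external -extldflags "-static"' \
        -o /out/insert-user ./cmd/insert-user

FROM alpine:3.14

# Fixed uid/gid: what operators must chown a bind-mounted secrets dir to.
RUN addgroup -g 1000 roomie && \
    adduser -D -u 1000 -G roomie -h /home/roomie roomie

# Only the runtime artifacts are copied; root-owned and read-only for roomie,
# so a compromised server process cannot rewrite its own code.
COPY --from=build --chown=root:root /out/server /out/insert-user /usr/local/bin/
COPY --from=build --chown=root:root /src/start.sh /app/start.sh
RUN chmod 0755 /usr/local/bin/server /usr/local/bin/insert-user /app/start.sh

# Secrets live outside the code tree and are readable only by roomie.
ENV REPO=/ssb-go-room-secrets
RUN mkdir -m 0700 /ssb-go-room-secrets && chown roomie:roomie /ssb-go-room-secrets
VOLUME ["/ssb-go-room-secrets"]

EXPOSE 8008 3000
WORKDIR /app
USER roomie

# Exec form: start.sh is PID 1 and receives SIGTERM directly from docker stop.
ENTRYPOINT ["/app/start.sh"]
```

Two checks are worth running after building this: `docker run --rm --entrypoint id <image>` should report uid 1000, and `docker run --rm --entrypoint ls <image> -ld /ssb-go-room-secrets` should show mode 0700 owned by roomie. When the directory is bind-mounted from the host, as docker-compose does, the host's ownership wins over what the image set, so an operator upgrading from a root-based image has to `chown -R 1000:1000` that host directory once before starting the new container.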
@decentral1se
Member

LGTM @heyarne! I'm not a dev on this project but I'd like to see this turn into a PR 🙏

> I am happy to create a pull request if somebody tells me how I'd deal with the different locations of .ssb-go-room-secrets in the different setups. Maybe pass the $REPO environment var in docker-compose.yml?

Would it be possible to retain the original location and instead just chown it? So then the home of the new user is /app/ but they also have permissions on /.ssb-go-room-secrets. This gives better backwards compat for people doing an upgrade.

I think the change you're suggesting is the following. This seems fine but people might forget to update their configs.

Maybe that is OK if there is a big warning on the release notes + docs on the migration away from the root user.

diff --git a/docker-compose.yml b/docker-compose.yml
index f8b07fe..bfee332 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -11,5 +11,7 @@ services:
     ports:
       -  "3000:3000" # Proxypass this port through NGINX or Apache as your HTTP landing & dashboard page
       - "0.0.0.0:8008:8008" # This is the port SSB clients connect to
+    environment:
+      REPO=/app
     volumes:
       - ./ssb-go-room-secrets:/ssb-go-room-secrets
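Review bot: the added `environment:` block is not valid Compose YAML as written: under a mapping key, the bare scalar `REPO=/app` has no value, so it needs either the mapping form `REPO: /app` or the list form `- REPO=/app`. The value also disagrees with the rest of the thread: the Dockerfile above sets REPO to `/app/.ssb-go-room-secrets`, this hunk sets it to `/app`, and the unchanged volume line two lines below mounts the host directory at `/ssb-go-room-secrets`; whichever path the server expects, all three should agree, otherwise the secrets are written to the image filesystem and lost when the container is recreated. Finally, once the container runs as the non-root user, the bind-mounted `./ssb-go-room-secrets` keeps its host ownership, so the release note suggested above should tell upgraders to chown that directory to the new user's uid before starting the new image.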

@decentral1se
Member

decentral1se commented Mar 26, 2022

FYI some folks are using env_file also: #281 (comment)

@decentral1se decentral1se added the enhancement New feature or request label Nov 9, 2022