Merge pull request #47 from EnigmaCurry/setuid

Adds new multi-stage Dockerfile for lbrycrd and mountable config files.
Leopere 2019-04-16 19:44:54 -04:00 committed by GitHub
commit d82e79100f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 52 additions and 57 deletions


@ -1,45 +1,30 @@
## This base image is for running latest lbrycrdd FROM ubuntu:18.04 as prep
# For some reason I may switch this image over to Alpine when I can RCA why it won't start.
FROM ubuntu:18.04
LABEL MAINTAINER="leopere [at] nixc [dot] us" LABEL MAINTAINER="leopere [at] nixc [dot] us"
## TODO: Implement version pinning. `apt-get install curl=<version>`
RUN addgroup --gid 1000 lbrycrd && \ RUN apt-get update && \
adduser lbrycrd --uid 1000 --gid 1000 --gecos GECOS --shell /bin/bash --disabled-password --home /data && \ apt-get -y install unzip curl build-essential && \
apt-get update && \
apt-get -y install unzip wget curl && \
apt-get autoclean -y && \ apt-get autoclean -y && \
rm -rf /var/lib/apt/lists/* rm -rf /var/lib/apt/lists/*
WORKDIR /
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
COPY stuff/start.sh start
COPY stuff/healthcheck.sh healthcheck
COPY stuff/fix-permissions.c fix-permissions.c
RUN curl -L -o ./lbrycrd-linux.zip $(curl -s https://api.github.com/repos/lbryio/lbrycrd/releases | grep -F 'lbrycrd-linux.zip' | grep download | head -n 1 | cut -d'"' -f4) && \
unzip ./lbrycrd-linux.zip && \
gcc fix-permissions.c -o fix-permissions && \
chmod +x ./lbrycrdd ./lbrycrd-cli ./lbrycrd-tx ./start ./healthcheck ./fix-permissions
## TODO: Consider adding debugpaste or variant FROM ubuntu:18.04 as app
# RUN wget -O /usr/bin/debugpaste https://github.com/nixc-us/debugpaste-it/raw/master/bin/debugpaste_64 && \ COPY --from=prep /lbrycrdd /lbrycrd-cli /lbrycrd-tx /start /healthcheck /fix-permissions /usr/bin/
# chmod +x /usr/bin/debugpaste RUN addgroup --gid 1000 lbrycrd && \
adduser lbrycrd --uid 1000 --gid 1000 --gecos GECOS --shell /bin/bash --disabled-password --home /data && \
RUN wget -O /usr/bin/lbrycrd-linux.zip https://github.com/lbryio/lbrycrd/releases/download/v0.12.2.2/lbrycrd-linux.zip && \ chmod a+s /usr/bin/fix-permissions
cd /usr/bin/ && \
unzip lbrycrd-linux.zip && \
rm lbrycrd-linux.zip && \
chmod +x lbrycrdd lbrycrd-cli lbrycrd-tx
COPY stuff/debugpaste-it.sh /usr/local/bin/debugpaste-it
COPY stuff/start.sh /usr/local/bin/start
COPY stuff/docker-entrypoint.sh /usr/local/bin/docker-entrypoint
COPY stuff/healthcheck.sh /usr/local/bin/healthcheck
# USER lbrycrd
# RUN mkdir /data
VOLUME ["/data"] VOLUME ["/data"]
WORKDIR /data WORKDIR /data
## TODO: Implement healthcheck. ## TODO: Implement healthcheck.
# HEALTHCHECK ["healthcheck"] # HEALTHCHECK ["healthcheck"]
EXPOSE 9246 9245
## Exposing daemon port and RPC port USER lbrycrd
EXPOSE 9245 9246
## TODO: Decide what's important for lbrycrd and possibly add an entrypoint.
## Maybe catch things that might match things that can be easily executed in the
## lbrycrd cli and if nothing is entered just default to the containers shell.
## For now this is a placeholder that executes /bin/bash on `docker exec`
# ENTRYPOINT ["docker-entrypoint"]
CMD ["start"] CMD ["start"]
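Review bot: The `RUN curl -L -o ./lbrycrd-linux.zip $(curl -s https://api.github.com/repos/lbryio/lbrycrd/releases | ...)` step in the prep stage installs whichever release asset the GitHub API lists first and never verifies it. Two builds of the same Dockerfile can therefore ship different binaries, and nothing beyond TLS authenticates what lands in `/usr/bin`. What appears to be the replaced side fetched a fixed `v0.12.2.2` URL. I would keep a pinned tag (`ARG LBRYCRD_VERSION=<release-tag>`) and check the archive before unzipping with `echo "<expected-sha256>  lbrycrd-linux.zip" | sha256sum -c -`. In the app stage, `chmod a+s /usr/bin/fix-permissions` sets the setgid bit as well as setuid; `chmod u+s` is enough for a helper that only calls `setuid(0)`.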


@ -0,0 +1,9 @@
#include <unistd.h>
int main() {
// This program needs to run with setuid == root
// This needs to be in a compiled language because you cannot setuid bash scripts
setuid(0);
execle("/bin/bash", "bash", "-c",
"/bin/chown -R lbrycrd:lbrycrd /data && /bin/chmod -R 755 /data/",
(char*) NULL, (char*) NULL);
}
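Review bot: Neither `setuid(0)` nor `execle(...)` is checked, so if the setuid bit is missing or bash cannot be executed, `main` falls off the end and (in C99 or later) returns 0, and start.sh carries on as if permissions had been fixed. I would write `if (setuid(0) != 0) { perror("setuid"); return 1; }` and, after the `execle` call, `perror("execle"); return 1;`, with `<stdio.h>` included. The last argument passes a null `envp` pointer rather than an empty array; Linux treats that as an empty environment, which is the right outcome for a setuid-root helper, but `static char *const envp[] = { NULL };` states it explicitly and portably. Because this binary runs a root shell for any user in the container, a comment saying that the command string must stay a constant and must never take arguments or environment from the caller would help later maintainers.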


@ -6,35 +6,36 @@
# ## not specified it will only create an index for transactions that are related to the wallet or have unspent outputs. # ## not specified it will only create an index for transactions that are related to the wallet or have unspent outputs.
# ## This is specific to chainquery. # ## This is specific to chainquery.
## Ensure perms are correct prior to running main binary # The config file does not exist in the container image. It must be mounted, or
mkdir -p /data/.lbrycrd # if not, a default config is generated using environment variables.
chown -R lbrycrd:lbrycrd /data CONFIG_PATH=/etc/lbry/lbrycrd.conf
chmod -R 755 /data/ if [ -f "$CONFIG_PATH" ]
then
## TODO: Consider a config directory for future magic. echo "Using the config file that was mounted into the container."
# chown -R 1000:1000 /etc/lbrycrd else
# chmod -R 755 /etc/lbrycrd echo "Creating a fresh config file from environment variables."
rm -f /var/run/lbrycrd.pid
## Set config params ## Set config params
## TODO: Make this more automagic in the future. mkdir -p `dirname $CONFIG_PATH`
echo "rpcuser=$RPC_USER" > /data/.lbrycrd/lbrycrd.conf echo "rpcuser=$RPC_USER" > $CONFIG_PATH
echo "rpcpassword=$RPC_PASSWORD" >> /data/.lbrycrd/lbrycrd.conf echo "rpcpassword=$RPC_PASSWORD" >> $CONFIG_PATH
echo "rpcallowip=$RPC_ALLOW_IP" >> /data/.lbrycrd/lbrycrd.conf echo "rpcallowip=$RPC_ALLOW_IP" >> $CONFIG_PATH
echo "rpcport=9245" >> /data/.lbrycrd/lbrycrd.conf echo "rpcport=9245" >> $CONFIG_PATH
echo "rpcbind=0.0.0.0" >> /data/.lbrycrd/lbrycrd.conf echo "rpcbind=0.0.0.0" >> $CONFIG_PATH
#echo "bind=0.0.0.0" >> /data/.lbrycrd/lbrycrd.conf #echo "bind=0.0.0.0" >> $CONFIG_PATH
fi
## Ensure perms are correct prior to running main binary
/usr/bin/fix-permissions
## Control this invocation through envvar. ## Control this invocation through envvar.
case $RUN_MODE in case $RUN_MODE in
default ) default )
su -c "lbrycrdd -server -conf=/data/.lbrycrd/lbrycrd.conf -printtoconsole" lbrycrd lbrycrdd -server -conf=$CONFIG_PATH -printtoconsole
;; ;;
reindex ) reindex )
su -c "lbrycrdd -server -txindex -reindex -conf=/data/.lbrycrd/lbrycrd.conf -printtoconsole" lbrycrd lbrycrdd -server -txindex -reindex -conf=$CONFIG_PATH -printtoconsole
;; ;;
chainquery ) chainquery )
su -c "lbrycrdd -server -txindex -conf=/data/.lbrycrd/lbrycrd.conf -printtoconsole" lbrycrd lbrycrdd -server -txindex -conf=$CONFIG_PATH -printtoconsole
;; ;;
esac esac
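Review bot: The generated-config branch writes `rpcuser=$RPC_USER` and `rpcpassword=$RPC_PASSWORD` without checking that either variable is set, next to `rpcbind=0.0.0.0`, and creates the file under the default umask. I would add `: "${RPC_USER:?RPC_USER is required}" "${RPC_PASSWORD:?RPC_PASSWORD is required}"` and `umask 077` before the first `echo`, and quote `"$CONFIG_PATH"` throughout (`mkdir -p "$(dirname "$CONFIG_PATH")"`). The Dockerfile in this commit now ends with `USER lbrycrd` and nothing visible creates `/etc/lbry`, so the `mkdir -p` here probably fails for the unprivileged user. Unless the part of the script above this hunk sets `-e`, lbrycrdd would then start with a missing config file; this is worth confirming with a run that mounts no config.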