Merge pull request #47 from EnigmaCurry/setuid

Adds new multi-stage Dockerfile for lbrycrd and mountable config files.
2019-04-16 19:44:54 -04:00 · 2019-04-16 19:44:54 -04:00 · d82e79100f
commit d82e79100f
parent 1d575c28cf 7b063e217f
3 changed files with 52 additions and 57 deletions
--- a/lbrycrd/Dockerfile
+++ b/lbrycrd/Dockerfile
@ -1,45 +1,30 @@
-## This base image is for running latest lbrycrdd
-# For some reason I may switch this image over to Alpine when I can RCA why it won't start.
-FROM ubuntu:18.04
+FROM ubuntu:18.04 as prep
 LABEL MAINTAINER="leopere [at] nixc [dot] us"
-
-RUN addgroup --gid 1000 lbrycrd && \
-    adduser lbrycrd --uid 1000 --gid 1000 --gecos GECOS --shell /bin/bash --disabled-password --home /data && \
-    apt-get update && \
-    apt-get -y install unzip wget curl && \
+## TODO: Implement version pinning. `apt-get install curl=<version>`
+RUN apt-get update && \
+  apt-get -y install unzip curl build-essential && \
  apt-get autoclean -y && \
  rm -rf /var/lib/apt/lists/*
+WORKDIR /
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+COPY stuff/start.sh start
+COPY stuff/healthcheck.sh healthcheck
+COPY stuff/fix-permissions.c fix-permissions.c
+RUN curl -L -o ./lbrycrd-linux.zip $(curl -s https://api.github.com/repos/lbryio/lbrycrd/releases | grep -F 'lbrycrd-linux.zip' | grep download | head -n 1 | cut -d'"' -f4) && \
+  unzip ./lbrycrd-linux.zip && \
+  gcc fix-permissions.c -o fix-permissions && \
+  chmod +x ./lbrycrdd ./lbrycrd-cli ./lbrycrd-tx ./start ./healthcheck ./fix-permissions

-## TODO: Consider adding debugpaste or variant
-# RUN wget -O /usr/bin/debugpaste https://github.com/nixc-us/debugpaste-it/raw/master/bin/debugpaste_64 && \
-#     chmod +x /usr/bin/debugpaste
-
-RUN wget -O /usr/bin/lbrycrd-linux.zip https://github.com/lbryio/lbrycrd/releases/download/v0.12.2.2/lbrycrd-linux.zip && \
-    cd /usr/bin/ && \
-    unzip lbrycrd-linux.zip && \
-    rm lbrycrd-linux.zip && \
-    chmod +x lbrycrdd lbrycrd-cli lbrycrd-tx
-
-COPY stuff/debugpaste-it.sh /usr/local/bin/debugpaste-it
-COPY stuff/start.sh /usr/local/bin/start
-COPY stuff/docker-entrypoint.sh /usr/local/bin/docker-entrypoint
-COPY stuff/healthcheck.sh /usr/local/bin/healthcheck
-
-# USER lbrycrd
-# RUN mkdir /data
+FROM ubuntu:18.04 as app
+COPY --from=prep /lbrycrdd /lbrycrd-cli /lbrycrd-tx /start /healthcheck /fix-permissions /usr/bin/
+RUN addgroup --gid 1000 lbrycrd && \
+  adduser lbrycrd --uid 1000 --gid 1000 --gecos GECOS --shell /bin/bash --disabled-password --home /data && \
+  chmod a+s /usr/bin/fix-permissions
 VOLUME ["/data"]
 WORKDIR /data
-
 ## TODO: Implement healthcheck.
 # HEALTHCHECK ["healthcheck"]
+EXPOSE 9246 9245

-## Exposing daemon port and RPC port
-EXPOSE 9245 9246
-
-## TODO: Decide what's important for lbrycrd and possibly add an entrypoint.
-## Maybe catch things that might match things that can be easily executed in the
-## lbrycrd cli and if nothing is entered just default to the containers shell.
-## For now this is a placeholder that executes /bin/bash on `docker exec`
-# ENTRYPOINT ["docker-entrypoint"]
-
+USER lbrycrd
 CMD ["start"]
--- a/lbrycrd/stuff/fix-permissions.c
+++ b/lbrycrd/stuff/fix-permissions.c
@ -0,0 +1,9 @@
+#include <unistd.h>
+int main() {
+  // This program needs to run with setuid == root
+  // This needs to be in a compiled language because you cannot setuid bash scripts
+  setuid(0);
+  execle("/bin/bash", "bash", "-c",
+         "/bin/chown -R lbrycrd:lbrycrd /data && /bin/chmod -R 755 /data/",
+         (char*) NULL, (char*) NULL);
+}
--- a/lbrycrd/stuff/start.sh
+++ b/lbrycrd/stuff/start.sh
@ -6,35 +6,36 @@
 # ## not specified it will only create an index for transactions that are related to the wallet or have unspent outputs.
 # ## This is specific to chainquery.

-## Ensure perms are correct prior to running main binary
-mkdir -p /data/.lbrycrd
-chown -R lbrycrd:lbrycrd /data
-chmod -R 755 /data/
-
-## TODO: Consider a config directory for future magic.
-# chown -R 1000:1000 /etc/lbrycrd
-# chmod -R 755 /etc/lbrycrd
-rm -f /var/run/lbrycrd.pid
-
-
+# The config file does not exist in the container image. It must be mounted, or
+# if not, a default config is generated using environment variables.
+CONFIG_PATH=/etc/lbry/lbrycrd.conf
+if [ -f "$CONFIG_PATH" ]
+then
+    echo "Using the config file that was mounted into the container."
+else
+    echo "Creating a fresh config file from environment variables."
    ## Set config params
-## TODO: Make this more automagic in the future.
-echo "rpcuser=$RPC_USER" > /data/.lbrycrd/lbrycrd.conf
-echo "rpcpassword=$RPC_PASSWORD" >> /data/.lbrycrd/lbrycrd.conf
-echo "rpcallowip=$RPC_ALLOW_IP" >> /data/.lbrycrd/lbrycrd.conf
-echo "rpcport=9245" >> /data/.lbrycrd/lbrycrd.conf
-echo "rpcbind=0.0.0.0" >> /data/.lbrycrd/lbrycrd.conf
-#echo "bind=0.0.0.0" >> /data/.lbrycrd/lbrycrd.conf
+    mkdir -p `dirname $CONFIG_PATH`
+    echo "rpcuser=$RPC_USER" > $CONFIG_PATH
+    echo "rpcpassword=$RPC_PASSWORD" >> $CONFIG_PATH
+    echo "rpcallowip=$RPC_ALLOW_IP" >> $CONFIG_PATH
+    echo "rpcport=9245" >> $CONFIG_PATH
+    echo "rpcbind=0.0.0.0" >> $CONFIG_PATH
+    #echo "bind=0.0.0.0" >> $CONFIG_PATH
+fi
+
+## Ensure perms are correct prior to running main binary
+/usr/bin/fix-permissions

 ## Control this invocation through envvar.
 case $RUN_MODE in
  default )
-    su -c "lbrycrdd -server -conf=/data/.lbrycrd/lbrycrd.conf -printtoconsole" lbrycrd
+    lbrycrdd -server -conf=$CONFIG_PATH -printtoconsole
    ;;
  reindex )
-    su -c "lbrycrdd -server -txindex -reindex -conf=/data/.lbrycrd/lbrycrd.conf -printtoconsole" lbrycrd
+    lbrycrdd -server -txindex -reindex -conf=$CONFIG_PATH -printtoconsole
    ;;
  chainquery )
-    su -c "lbrycrdd -server -txindex -conf=/data/.lbrycrd/lbrycrd.conf -printtoconsole" lbrycrd
+    lbrycrdd -server -txindex -conf=$CONFIG_PATH -printtoconsole
    ;;
 esac