From eb94d04c79334a459faba233253f2eed546394e6 Mon Sep 17 00:00:00 2001 From: FL42 <46161216+fl42@users.noreply.github.com> Date: Sun, 22 Nov 2020 14:16:06 +0100 Subject: [PATCH 01/10] fix: run api as signal-api user, fix permissions on startup --- Dockerfile | 6 +++++- entrypoint.sh | 10 ++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) create mode 100755 entrypoint.sh diff --git a/Dockerfile b/Dockerfile index 31b777f..e6ebcfb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -41,8 +41,12 @@ RUN cd /tmp/signal-cli-rest-api-src && swag init && go build # Start a fresh container for release container FROM adoptopenjdk:11-jre-hotspot +RUN groupadd -g 1000 signal-api \ + && useradd -M -d /home -s /bin/bash -u 1000 -g 1000 signal-api + COPY --from=buildcontainer /tmp/signal-cli-rest-api-src/signal-cli-rest-api /usr/bin/signal-cli-rest-api COPY --from=buildcontainer /tmp/signal-cli /opt/signal-cli +COPY entrypoint.sh /entrypoint.sh RUN ln -s /opt/signal-cli/bin/signal-cli /usr/bin/signal-cli RUN mkdir -p /signal-cli-config/ @@ -50,4 +54,4 @@ RUN mkdir -p /home/.local/share/signal-cli EXPOSE 8080 -ENTRYPOINT ["signal-cli-rest-api"] +ENTRYPOINT ["/entrypoint.sh"] diff --git a/entrypoint.sh b/entrypoint.sh new file mode 100755 index 0000000..cc6b4da --- /dev/null +++ b/entrypoint.sh @@ -0,0 +1,10 @@ +#!/bin/sh + +set -x +set -e + +# Fix permissions to ensure backward compatibility +chown 1000:1000 -R /home/.local/share/signal-cli + +# Start API +exec su -s /bin/sh -c "exec signal-cli-rest-api" signal-api From 486f47995fe2200a319cb8ccf5ba8cfa30703936 Mon Sep 17 00:00:00 2001 From: FL42 <46161216+fl42@users.noreply.github.com> Date: Fri, 27 Nov 2020 22:29:45 +0100 Subject: [PATCH 02/10] refactor: use one RUN statement --- Dockerfile | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index e6ebcfb..549fa9f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -41,16 +41,15 @@ RUN cd /tmp/signal-cli-rest-api-src && swag init && go build # Start a fresh container for release container FROM adoptopenjdk:11-jre-hotspot -RUN groupadd -g 1000 signal-api \ - && useradd -M -d /home -s /bin/bash -u 1000 -g 1000 signal-api - COPY --from=buildcontainer /tmp/signal-cli-rest-api-src/signal-cli-rest-api /usr/bin/signal-cli-rest-api COPY --from=buildcontainer /tmp/signal-cli /opt/signal-cli COPY entrypoint.sh /entrypoint.sh -RUN ln -s /opt/signal-cli/bin/signal-cli /usr/bin/signal-cli -RUN mkdir -p /signal-cli-config/ -RUN mkdir -p /home/.local/share/signal-cli +RUN groupadd -g 1000 signal-api \ + && useradd -M -d /home -s /bin/bash -u 1000 -g 1000 signal-api \ + && ln -s /opt/signal-cli/bin/signal-cli /usr/bin/signal-cli \ + && mkdir -p /signal-cli-config/ \ + && mkdir -p /home/.local/share/signal-cli EXPOSE 8080 From 48448cdca1da1e9f11b3c0333aecaf414f94c141 Mon Sep 17 00:00:00 2001 From: FL42 <46161216+fl42@users.noreply.github.com> Date: Fri, 27 Nov 2020 22:29:59 +0100 Subject: [PATCH 03/10] feat: show warning when exec in container --- entrypoint.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index cc6b4da..a596994 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -6,5 +6,11 @@ set -e # Fix permissions to ensure backward compatibility chown 1000:1000 -R /home/.local/share/signal-cli -# Start API +# Show warning on docker exec +cat <> /root/.bashrc +echo "WARNING: signal-cli-rest-api runs as signal-api (not as root!)" +echo "Run 'su signal-api' before using signal-cli!" +EOF + +# Start API as signal-api user exec su -s /bin/sh -c "exec signal-cli-rest-api" signal-api From 8d3e11941e714e3010f8bfbe7a6574959d738341 Mon Sep 17 00:00:00 2001 From: FL42 <46161216+fl42@users.noreply.github.com> Date: Fri, 27 Nov 2020 22:32:53 +0100 Subject: [PATCH 04/10] fix: propagate args --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index a596994..fbae9e3 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -13,4 +13,4 @@ echo "Run 'su signal-api' before using signal-cli!" EOF # Start API as signal-api user -exec su -s /bin/sh -c "exec signal-cli-rest-api" signal-api +exec su -s /bin/sh -c "exec signal-cli-rest-api $@" signal-api From cce3f4772267e8de1b83f0779c4ed3a07deb4f3f Mon Sep 17 00:00:00 2001 From: FL42 <46161216+fl42@users.noreply.github.com> Date: Fri, 27 Nov 2020 23:31:48 +0100 Subject: [PATCH 05/10] refactor: use setpriv instead of su --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index fbae9e3..1439eb8 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -13,4 +13,4 @@ echo "Run 'su signal-api' before using signal-cli!" EOF # Start API as signal-api user -exec su -s /bin/sh -c "exec signal-cli-rest-api $@" signal-api +exec setpriv --reuid=1000 --regid=1000 --init-groups --inh-caps=-all signal-cli-rest-api $@ From 5ef870fa0ce5a753b920fce96a93f5c846bb7be0 Mon Sep 17 00:00:00 2001 From: Bernhard B Date: Fri, 25 Dec 2020 11:05:09 +0100 Subject: [PATCH 06/10] Revert "Merge commit 'refs/pull/41/head' of https://github.com/bbernhard/signal-cli-rest-api" This reverts commit 21764cefa4561cd96c1e148509e66aba5af458d6, reversing changes made to 5c33d818179551634cb86751835506c57988d557. --- Dockerfile | 11 ++++------- entrypoint.sh | 16 ---------------- 2 files changed, 4 insertions(+), 23 deletions(-) delete mode 100755 entrypoint.sh diff --git a/Dockerfile b/Dockerfile index 196ca55..9940fae 100644 --- a/Dockerfile +++ b/Dockerfile @@ -43,14 +43,11 @@ FROM adoptopenjdk:11-jdk-hotspot-bionic COPY --from=buildcontainer /tmp/signal-cli-rest-api-src/signal-cli-rest-api /usr/bin/signal-cli-rest-api COPY --from=buildcontainer /tmp/signal-cli /opt/signal-cli -COPY entrypoint.sh /entrypoint.sh -RUN groupadd -g 1000 signal-api \ - && useradd -M -d /home -s /bin/bash -u 1000 -g 1000 signal-api \ - && ln -s /opt/signal-cli/bin/signal-cli /usr/bin/signal-cli \ - && mkdir -p /signal-cli-config/ \ - && mkdir -p /home/.local/share/signal-cli +RUN ln -s /opt/signal-cli/bin/signal-cli /usr/bin/signal-cli +RUN mkdir -p /signal-cli-config/ +RUN mkdir -p /home/.local/share/signal-cli EXPOSE 8080 -ENTRYPOINT ["/entrypoint.sh"] +ENTRYPOINT ["signal-cli-rest-api"] diff --git a/entrypoint.sh b/entrypoint.sh deleted file mode 100755 index 1439eb8..0000000 --- a/entrypoint.sh +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/sh - -set -x -set -e - -# Fix permissions to ensure backward compatibility -chown 1000:1000 -R /home/.local/share/signal-cli - -# Show warning on docker exec -cat <> /root/.bashrc -echo "WARNING: signal-cli-rest-api runs as signal-api (not as root!)" -echo "Run 'su signal-api' before using signal-cli!" -EOF - -# Start API as signal-api user -exec setpriv --reuid=1000 --regid=1000 --init-groups --inh-caps=-all signal-cli-rest-api $@ From 37c91b9fa507a33c2096b0b0944040072f11e3d7 Mon Sep 17 00:00:00 2001 From: Bernhard B Date: Fri, 25 Dec 2020 12:38:50 +0100 Subject: [PATCH 07/10] temporarily revert to signal-cli 0.6.12 version * with signal-cli version 0.7 groups v2 were introduced, which require some bigger changes in the Dockerfile (zkgroup support) --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 9940fae..345001b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ FROM golang:1.13-buster AS buildcontainer -ARG SIGNAL_CLI_VERSION=0.7.0 +ARG SIGNAL_CLI_VERSION=0.6.12 ARG SWAG_VERSION=1.6.7 ENV GIN_MODE=release From ce6107f6d70eacc23ebb2b360552fedb66236d6d Mon Sep 17 00:00:00 2001 From: Bernhard B Date: Fri, 25 Dec 2020 12:52:52 +0100 Subject: [PATCH 08/10] Revert "Revert "Merge commit 'refs/pull/41/head' of https://github.com/bbernhard/signal-cli-rest-api"" This reverts commit 5ef870fa0ce5a753b920fce96a93f5c846bb7be0. --- Dockerfile | 11 +++++++---- entrypoint.sh | 16 ++++++++++++++++ 2 files changed, 23 insertions(+), 4 deletions(-) create mode 100755 entrypoint.sh diff --git a/Dockerfile b/Dockerfile index 345001b..2c3c989 100644 --- a/Dockerfile +++ b/Dockerfile @@ -43,11 +43,14 @@ FROM adoptopenjdk:11-jdk-hotspot-bionic COPY --from=buildcontainer /tmp/signal-cli-rest-api-src/signal-cli-rest-api /usr/bin/signal-cli-rest-api COPY --from=buildcontainer /tmp/signal-cli /opt/signal-cli +COPY entrypoint.sh /entrypoint.sh -RUN ln -s /opt/signal-cli/bin/signal-cli /usr/bin/signal-cli -RUN mkdir -p /signal-cli-config/ -RUN mkdir -p /home/.local/share/signal-cli +RUN groupadd -g 1000 signal-api \ + && useradd -M -d /home -s /bin/bash -u 1000 -g 1000 signal-api \ + && ln -s /opt/signal-cli/bin/signal-cli /usr/bin/signal-cli \ + && mkdir -p /signal-cli-config/ \ + && mkdir -p /home/.local/share/signal-cli EXPOSE 8080 -ENTRYPOINT ["signal-cli-rest-api"] +ENTRYPOINT ["/entrypoint.sh"] diff --git a/entrypoint.sh b/entrypoint.sh new file mode 100755 index 0000000..1439eb8 --- /dev/null +++ b/entrypoint.sh @@ -0,0 +1,16 @@ +#!/bin/sh + +set -x +set -e + +# Fix permissions to ensure backward compatibility +chown 1000:1000 -R /home/.local/share/signal-cli + +# Show warning on docker exec +cat <> /root/.bashrc +echo "WARNING: signal-cli-rest-api runs as signal-api (not as root!)" +echo "Run 'su signal-api' before using signal-cli!" +EOF + +# Start API as signal-api user +exec setpriv --reuid=1000 --regid=1000 --init-groups --inh-caps=-all signal-cli-rest-api $@ From dc3d15eadc1e238021ef05224671534da982e9a4 Mon Sep 17 00:00:00 2001 From: Bernhard B Date: Fri, 25 Dec 2020 12:58:32 +0100 Subject: [PATCH 09/10] add missing setpriv to Dockerfile --- Dockerfile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Dockerfile b/Dockerfile index 2c3c989..26eefd8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -41,6 +41,10 @@ RUN cd /tmp/signal-cli-rest-api-src && swag init && go build # Start a fresh container for release container FROM adoptopenjdk:11-jdk-hotspot-bionic +RUN apt-get update \ + && apt-get install -y --no-install-recommends setpriv \ + && rm -rf /var/lib/apt/lists/* + COPY --from=buildcontainer /tmp/signal-cli-rest-api-src/signal-cli-rest-api /usr/bin/signal-cli-rest-api COPY --from=buildcontainer /tmp/signal-cli /opt/signal-cli COPY entrypoint.sh /entrypoint.sh From 313e87c102562445288e94f8ce1355fb1a828c0d Mon Sep 17 00:00:00 2001 From: Bernhard B Date: Fri, 25 Dec 2020 17:04:52 +0100 Subject: [PATCH 10/10] add --no-log-init flag when creating a user with useradd * there seems to be a bug in the Go archiver which could lead to disk exhaustion under certain circumstances. This flag will be added to be on the safe side. see https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user for details. --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 26eefd8..6a9f5f6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -50,7 +50,7 @@ COPY --from=buildcontainer /tmp/signal-cli /opt/signal-cli COPY entrypoint.sh /entrypoint.sh RUN groupadd -g 1000 signal-api \ - && useradd -M -d /home -s /bin/bash -u 1000 -g 1000 signal-api \ + && useradd --no-log-init -M -d /home -s /bin/bash -u 1000 -g 1000 signal-api \ && ln -s /opt/signal-cli/bin/signal-cli /usr/bin/signal-cli \ && mkdir -p /signal-cli-config/ \ && mkdir -p /home/.local/share/signal-cli