go-ssb-room
Improve Dockerfile security
I have made some improvements to the project's Dockerfile locally, but I don't know how they would translate into the docker-compose-based setup because I don't use it. This is my Dockerfile:
# SPDX-FileCopyrightText: 2021 The NGI Pointer Secure-Scuttlebutt Team of 2020/2021
#
# SPDX-License-Identifier: Unlicense

# Build stage: needs the Go toolchain, git and the sqlite headers to compile.
FROM golang:1.16-alpine as build
RUN apk add --no-cache \
    build-base \
    git \
    sqlite \
    sqlite-dev
RUN mkdir /app
WORKDIR /app
COPY . /app
RUN cd /app/cmd/server && go build && \
    cd /app/cmd/insert-user && go build

# Runtime stage: plain alpine plus the build output, no toolchain.
FROM alpine:3.14
COPY --from=build /app /app
WORKDIR /app
EXPOSE 8008
EXPOSE 3000
# Directory the server keeps its keys and secrets in.
ENV REPO /app/.ssb-go-room-secrets
RUN mkdir /app/.ssb-go-room-secrets
# Unprivileged user owns /app so the process does not run as root.
RUN adduser -D -h /app roomie && \
    chown -R roomie /app && \
    chmod +x ./start.sh
USER roomie
CMD ./start.sh
I'm using multi-stage builds so the container running the app only contains a bare minimum alpine install and the go-ssb-room binaries. I also changed the container's user so it doesn't run as root, which is recommended best practice.
I am happy to create a pull request if somebody tells me how I'd deal with the different locations of .ssb-go-room-secrets in the different setups. Maybe pass the $REPO environment var in docker-compose.yml?
LGTM @heyarne! I'm not a dev on this project but I'd like to see this turn into a PR :pray:
I am happy to create a pull request if somebody tells me how I'd deal with the different locations of .ssb-go-room-secrets in the different setups. Maybe pass the $REPO environment var in docker-compose.yml?
Would it be possible to retain the original location and instead just chown it? So then the home of the new user is /app/ but they also have permissions on /.ssb-go-room-secrets. This gives better backwards compat for people doing an upgrade.
I think the change you're suggesting is the following. This seems fine, but people might forget to update their configs. Maybe that is OK if there is a big warning in the release notes + docs on the migration away from the root user.
diff --git a/docker-compose.yml b/docker-compose.yml
index f8b07fe..bfee332 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -11,5 +11,7 @@ services:
ports:
- "3000:3000" # Proxypass this port through NGINX or Apache as your HTTP landing & dashboard page
- "0.0.0.0:8008:8008" # This is the port SSB clients connect to
+ environment:
+ REPO=/app
volumes:
- ./ssb-go-room-secrets:/ssb-go-room-secrets
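Review bot: `REPO=/app` under `environment:` is a bare scalar, which is neither compose's list form (`- REPO=/app`) nor its mapping form (`REPO: /app`), so the file will fail compose's schema validation; use one of those two forms. The value also does not line up with the volume two lines below, which mounts the host secrets directory at `/ssb-go-room-secrets`: if REPO is the directory the server keeps its secrets in (the Dockerfile posted in this thread sets it to exactly that), pointing it at `/app` means the secrets are written to the container's writable layer instead of the mounted volume and are lost when the container is recreated. Either set REPO to the mount target or change the mount target to match it.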
FYI some folks are using env_file also: https://github.com/ssb-ngi-pointer/go-ssb-room/issues/281#issuecomment-1050662979
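Putting the thread's suggestions together (multi-stage build, an unprivileged user, and the secrets directory kept at its original path and chowned rather than moved), as an added example that is not the project's Dockerfile and not the one posted above. The repository layout, the assumption that start.sh runs the binaries from cmd/server/server and cmd/insert-user/insert-user and reads the secrets directory from $REPO, the secrets path /ssb-go-room-secrets (taken from the compose volume in the thread) and the fixed uid 1000 are all assumptions:

```dockerfile
# Added example for this thread, not go-ssb-room's own Dockerfile. Assumes the
# layout the thread's Dockerfile builds from (cmd/server, cmd/insert-user and
# start.sh under the repo root), that start.sh runs the binaries from
# cmd/server/server and cmd/insert-user/insert-user, and that it reads the
# secrets directory from $REPO.
FROM golang:1.16-alpine AS build
RUN apk add --no-cache build-base git sqlite sqlite-dev
WORKDIR /app
# Fetch modules before copying the tree so source edits do not bust the cache.
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Strip symbol tables and debug info; cgo stays on for the sqlite driver.
RUN cd cmd/server && go build -trimpath -ldflags='-s -w' && \
    cd ../insert-user && go build -trimpath -ldflags='-s -w'

FROM alpine:3.14
# Copy only the two binaries and the launcher, not the source tree or git history.
COPY --from=build /app/cmd/server/server /app/cmd/server/server
COPY --from=build /app/cmd/insert-user/insert-user /app/cmd/insert-user/insert-user
COPY --from=build /app/start.sh /app/start.sh
# Secrets stay at the path existing deployments already mount (assumed from the
# compose volume in the thread), so volumes keep working; only the owner changes.
ENV REPO=/ssb-go-room-secrets
# Fixed uid (assumed) so operators can chown the bind-mounted host directory to a known id.
RUN adduser -D -u 1000 -h /app roomie && \
    mkdir -p "$REPO" && \
    chown -R roomie:roomie /app "$REPO" && \
    chmod 700 "$REPO" && \
    chmod 755 /app/start.sh
EXPOSE 8008 3000
USER roomie
WORKDIR /app
CMD ["/app/start.sh"]
```

With REPO left at the mounted path the compose file needs no environment override; the existing `./ssb-go-room-secrets:/ssb-go-room-secrets` volume keeps working. The one migration step for existing deployments is ownership of the bind-mounted host directory, which was written by root until now: run `chown -R 1000:1000 ./ssb-go-room-secrets` on the host before starting the new image, otherwise the unprivileged process cannot read its own keys. `docker run --rm <image> id -u` printing 1000 is a quick check that the image really drops root.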