tuxmain/rust-rpxy
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: docker non-root uid and gid

Browse source
This commit is contained in:
Jun Kurihara 2023-06-17 13:45:38 +09:00
commit fa03e7d5e7
No known key found for this signature in database
GPG key ID: 48ADFD173ED22B03
11 changed files with 184 additions and 157 deletions
Download patch file Download diff file Expand all files Collapse all files

6
.github/workflows/docker_build_push.yml vendored
View file

@ -38,7 +38,7 @@ jobs:
push: true
tags: |
${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }}:latest
file: ./docker/amd64/Dockerfile
file: ./docker/Dockerfile.amd64
- name: Release build and push x86_64-slim
if: ${{ env.BRANCH == 'main' }}
@ -48,7 +48,7 @@ jobs:
push: true
tags: |
${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }}:slim, ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }}:latest-slim
file: ./docker/amd64-slim/Dockerfile
file: ./docker/Dockerfile.amd64-slim
- name: Nightly build and push x86_64
if: ${{ env.BRANCH == 'develop' }}
@ -58,4 +58,4 @@ jobs:
push: true
tags: |
${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }}:nightly
file: ./docker/amd64/Dockerfile
file: ./docker/Dockerfile.amd64

1
.gitignore vendored
View file

@ -1,5 +1,6 @@
.vscode
.private
docker/log
# Generated by Cargo

1
CHANGELOG.md
View file

@ -6,6 +6,7 @@
- Update `h3` with `quinn-0.10` or higher.
- Implement the session persistance function for load balancing using sticky cookie (initial implementation). Enabled in `default-features`.
- Update `Dockerfile`s to change UID and GID to non-root users. Now they can be set as you like by specifying through env vars.
## 0.2.0

2
Cargo.toml
View file

@ -73,7 +73,7 @@ chrono = { version = "0.4.26", default-features = false, features = [
"clock",
], optional = true }
base64 = { version = "0.21.2", optional = true }
sha2 = { version = "0.10.6", default-features = false, optional = true }
sha2 = { version = "0.10.7", default-features = false, optional = true }
[target.'cfg(not(target_env = "msvc"))'.dependencies]

23
docker/amd64/Dockerfile → docker/Dockerfile.amd64
View file

@ -30,26 +30,27 @@ RUN apt-get update && apt-get install -qy --no-install-recommends $BUILD_DEPS &&
FROM base AS runner
ENV TAG_NAME=amd64
ENV RUNTIME_DEPS logrotate ca-certificates
ENV RUNTIME_DEPS logrotate ca-certificates gosu
RUN apt-get update && \
apt-get install -qy --no-install-recommends $RUNTIME_DEPS && \
apt-get -qy clean && \
apt-get -qy autoremove && \
rm -fr /tmp/* /var/tmp/* /var/cache/apt/* /var/lib/apt/lists/* /var/log/apt/* /var/log/*.log && \
mkdir -p /opt/rpxy/sbin &&\
mkdir -p /var/log/rpxy && \
touch /var/log/rpxy/rpxy.log
find / -type d -path /proc -prune -o -type f -perm /u+s -ignore_readdir_race -exec chmod u-s {} \; && \
find / -type d -path /proc -prune -o -type f -perm /g+s -ignore_readdir_race -exec chmod g-s {} \; && \
mkdir -p /rpxy/bin &&\
mkdir -p /rpxy/log
COPY --from=builder /tmp/target/release/rpxy /opt/rpxy/sbin/rpxy
COPY ./docker/${TAG_NAME}/run.sh /
COPY ./docker/entrypoint.sh /
COPY --from=builder /tmp/target/release/rpxy /rpxy/bin/rpxy
COPY ./docker/run.sh /rpxy
COPY ./docker/entrypoint.sh /rpxy
RUN chmod 755 /run.sh && \
chmod 755 /entrypoint.sh
RUN chmod +x /rpxy/run.sh && \
chmod +x /rpxy/entrypoint.sh
EXPOSE 80 443
CMD ["/entrypoint.sh"]
CMD ["/usr/bin/bash" "/rpxy/entrypoint.sh"]
ENTRYPOINT ["/entrypoint.sh"]
ENTRYPOINT ["/usr/bin/bash", "/rpxy/entrypoint.sh"]

23
docker/amd64-slim/Dockerfile → docker/Dockerfile.amd64-slim
View file

@ -20,26 +20,27 @@ LABEL maintainer="Jun Kurihara"
ENV TAG_NAME=amd64-slim
ENV TARGET_DIR=x86_64-unknown-linux-musl
ENV RUNTIME_DEPS logrotate ca-certificates
ENV RUNTIME_DEPS logrotate ca-certificates su-exec
RUN apk add --no-cache ${RUNTIME_DEPS} && \
update-ca-certificates && \
mkdir -p /opt/rpxy/sbin &&\
mkdir -p /var/log/rpxy && \
touch /var/log/rpxy/rpxy.log
find / -type d -path /proc -prune -o -type f -perm /u+s -exec chmod u-s {} \; && \
find / -type d -path /proc -prune -o -type f -perm /g+s -exec chmod g-s {} \; && \
mkdir -p /rpxy/bin &&\
mkdir -p /rpxy/log
COPY --from=builder /tmp/target/${TARGET_DIR}/release/rpxy /opt/rpxy/sbin/rpxy
COPY ./docker/${TAG_NAME}/run.sh /
COPY ./docker/entrypoint.sh /
COPY --from=builder /tmp/target/${TARGET_DIR}/release/rpxy /rpxy/bin/rpxy
COPY ./docker/run.sh /rpxy
COPY ./docker/entrypoint.sh /rpxy
RUN chmod 755 /run.sh && \
chmod 755 /entrypoint.sh
RUN chmod +x /rpxy/run.sh && \
chmod +x /rpxy/entrypoint.sh
ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
ENV SSL_CERT_DIR=/etc/ssl/certs
EXPOSE 80 443
CMD ["/entrypoint.sh"]
CMD ["/rpxy/entrypoint.sh"]
ENTRYPOINT ["/entrypoint.sh"]
ENTRYPOINT ["/rpxy/entrypoint.sh"]

60
docker/amd64-slim/run.sh
View file

@ -1,60 +0,0 @@
#!/usr/bin/env sh
LOG_FILE=/var/log/rpxy/rpxy.log
CONFIG_FILE=/etc/rpxy.toml
LOG_SIZE=10M
LOG_NUM=10
# logrotate
if [ $LOGROTATE_NUM ]; then
LOG_NUM=${LOGROTATE_NUM}
fi
if [ $LOGROTATE_SIZE ]; then
LOG_SIZE=${LOGROTATE_SIZE}
fi
cat > /etc/logrotate.conf << EOF
# see "man logrotate" for details
# rotate log files weekly
weekly
# use the adm group by default, since this is the owning group
# of /var/log/syslog.
su root adm
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
#dateext
# uncomment this if you want your log files compressed
#compress
# packages drop log rotation information into this directory
include /etc/logrotate.d
# system-specific logs may be also be configured here.
EOF
cat > /etc/logrotate.d/rpxy.conf << EOF
${LOG_FILE} {
dateext
daily
missingok
rotate ${LOG_NUM}
notifempty
compress
delaycompress
dateformat -%Y-%m-%d-%s
size ${LOG_SIZE}
copytruncate
}
EOF
cp -f /etc/periodic/daily/logrotate /etc/periodic/15min
crond restart
# debug level logging
if [ -z $LOG_LEVEL ]; then
LOG_LEVEL=info
fi
echo "rpxy: Logging with level ${LOG_LEVEL}"
RUST_LOG=${LOG_LEVEL} /opt/rpxy/sbin/rpxy --config ${CONFIG_FILE}

61
docker/amd64/run.sh
View file

@ -1,61 +0,0 @@
#!/usr/bin/env sh
LOG_FILE=/var/log/rpxy/rpxy.log
CONFIG_FILE=/etc/rpxy.toml
LOG_SIZE=10M
LOG_NUM=10
# logrotate
if [ $LOGROTATE_NUM ]; then
LOG_NUM=${LOGROTATE_NUM}
fi
if [ $LOGROTATE_SIZE ]; then
LOG_SIZE=${LOGROTATE_SIZE}
fi
cat > /etc/logrotate.conf << EOF
# see "man logrotate" for details
# rotate log files weekly
weekly
# use the adm group by default, since this is the owning group
# of /var/log/syslog.
su root adm
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
#dateext
# uncomment this if you want your log files compressed
#compress
# packages drop log rotation information into this directory
include /etc/logrotate.d
# system-specific logs may be also be configured here.
EOF
cat > /etc/logrotate.d/rpxy << EOF
${LOG_FILE} {
dateext
daily
missingok
rotate ${LOG_NUM}
notifempty
compress
delaycompress
dateformat -%Y-%m-%d-%s
size ${LOG_SIZE}
copytruncate
}
EOF
cp -p /etc/cron.daily/logrotate /etc/cron.hourly/
service cron start
# debug level logging
if [ -z $LOG_LEVEL ]; then
LOG_LEVEL=info
fi
echo "rpxy: Logging with level ${LOG_LEVEL}"
RUST_LOG=${LOG_LEVEL} /opt/rpxy/sbin/rpxy --config ${CONFIG_FILE}

9
docker/docker-compose.yml
View file

@ -3,19 +3,24 @@ services:
rpxy-rp:
image: jqtype/rpxy
container_name: rpxy
init: true
restart: unless-stopped
ports:
- 127.0.0.1:8080:8080
- 127.0.0.1:8443:8443
build:
context: ../
dockerfile: ./docker/amd64/Dockerfile
dockerfile: ./docker/Dockerfile.amd64
environment:
- LOG_LEVEL=debug
- LOG_TO_FILE=false
- LOG_TO_FILE=true
- HOST_USER=jun
- HOST_UID=501
- HOST_GID=501
tty: false
privileged: true
volumes:
- ./log:/rpxy/log
- ../example-certs/server.crt:/certs/server.crt:ro
- ../example-certs/server.key:/certs/server.key:ro
- ../config-example.toml:/etc/rpxy.toml:ro

141
docker/entrypoint.sh
View file

@ -1,14 +1,143 @@
#!/usr/bin/env sh
LOG_FILE=/var/log/rpxy/rpxy.log
LOG_DIR=/rpxy/log
LOG_FILE=${LOG_DIR}/rpxy.log
LOG_SIZE=10M
LOG_NUM=10
if [ -z ${LOG_TO_FILE} ]; then
LOG_TO_FILE=false
LOGGING=${LOG_TO_FILE:-false}
USER=${HOST_USER:-rpxy}
USER_ID=${HOST_UID:-900}
GROUP_ID=${HOST_GID:-900}
#######################################
# Setup logrotate
function setup_logrotate () {
if [ $LOGROTATE_NUM ]; then
LOG_NUM=${LOGROTATE_NUM}
fi
if [ $LOGROTATE_SIZE ]; then
LOG_SIZE=${LOGROTATE_SIZE}
fi
if "${LOG_TO_FILE}"; then
cat > /etc/logrotate.conf << EOF
# see "man logrotate" for details
# rotate log files weekly
weekly
# use the adm group by default, since this is the owning group
# of /var/log/syslog.
# su root adm
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
#dateext
# uncomment this if you want your log files compressed
#compress
# packages drop log rotation information into this directory
include /etc/logrotate.d
# system-specific logs may be also be configured here.
EOF
cat > /etc/logrotate.d/rpxy.conf << EOF
${LOG_FILE} {
dateext
daily
missingok
rotate ${LOG_NUM}
notifempty
compress
delaycompress
dateformat -%Y-%m-%d-%s
size ${LOG_SIZE}
copytruncate
su ${USER} ${USER}
}
EOF
}
#######################################
function setup_ubuntu () {
# Check the existence of the user, if not exist, create it.
if [ ! $(id ${USER}) ]; then
echo "rpxy: Create user ${USER} with ${USER_ID}:${GROUP_ID}"
groupadd -g ${GROUP_ID} ${USER}
useradd -u ${USER_ID} -g ${GROUP_ID} ${USER}
fi
# for crontab when logging
if "${LOGGING}"; then
# Set up logrotate
setup_logrotate
# Setup cron
mkdir -p /etc/cron.15min/
cp -p /etc/cron.daily/logrotate /etc/cron.15min/
echo "*/15 * * * * root cd / && run-parts --report /etc/cron.15min" >> /etc/crontab
# cp -p /etc/cron.daily/logrotate /etc/cron.hourly/
service cron start
fi
}
#######################################
function setup_alpine () {
# Check the existence of the user, if not exist, create it.
if [ ! $(id ${USER}) ]; then
echo "rpxy: Create user ${USER} with ${USER_ID}:${GROUP_ID}"
addgroup -g ${GROUP_ID} ${USER}
adduser -H -D -u ${USER_ID} -G ${USER} ${USER}
fi
# for crontab when logging
if "${LOGGING}"; then
# Set up logrotate
setup_logrotate
# Setup cron
cp -f /etc/periodic/daily/logrotate /etc/periodic/15min
crond -b -l 8
fi
}
#######################################
if [ $(whoami) != "root" -o $(id -u) -ne 0 -a $(id -g) -ne 0 ]; then
echo "Do not execute 'docker run' or 'docker-compose up' with a specific user through '-u'."
echo "If you want to run 'rpxy' with a specific user, use HOST_USER, HOST_UID and HOST_GID environment variables."
exit 1
fi
# Check gosu or su-exec, determine linux distribution, and set up user
if [ $(command -v gosu) ]; then
# Ubuntu Linux
alias gosu='gosu'
setup_ubuntu
LINUX="Ubuntu"
elif [ $(command -v su-exec) ]; then
# Alpine Linux
alias gosu='su-exec'
setup_alpine
LINUX="Alpine"
else
echo "Unknown distribution!"
exit 1
fi
# Check the given user and its uid:gid
if [ $(id -u ${USER}) -ne ${USER_ID} -a $(id -g ${USER}) -ne ${GROUP_ID} ]; then
echo "${USER} exists or was previously created. However, its uid and gid are inconsistent. Please recreate your container."
exit 1
fi
# Change permission according to the given user
chown -R ${USER_ID}:${USER_ID} /rpxy
# Run rpxy
echo "rpxy: Start with user: ${USER} (${USER_ID}:${USER_ID})"
if "${LOGGING}"; then
echo "rpxy: Start with writing log file"
/run.sh 2>&1 | tee $LOG_FILE
gosu ${USER} sh -c "/rpxy/run.sh 2>&1 | tee ${LOG_FILE}"
else
echo "rpxy: Start without writing log file"
/run.sh 2>&1
gosu ${USER} sh -c "/rpxy/run.sh 2>&1"
fi

10
docker/run.sh Normal file
View file

@ -0,0 +1,10 @@
#!/usr/bin/env sh
CONFIG_FILE=/etc/rpxy.toml
# debug level logging
if [ -z $LOG_LEVEL ]; then
LOG_LEVEL=info
fi
echo "rpxy: Logging with level ${LOG_LEVEL}"
RUST_LOG=${LOG_LEVEL} /rpxy/bin/rpxy --config ${CONFIG_FILE}