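#
# Attempts are made to follow the guidelines at
# https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/
#
# NOTE(review): Xenial (16.04) is past its standard-support window, so the
# unattended-upgrade step below may no longer receive fixes from the default
# archive. A currently supported LTS tag (ideally digest-pinned) is the real
# remedy; kept as-is here because the python-virtualenv / build-dep recipe
# below is Xenial-specific.
FROM library/ubuntu:16.04
# If there are security updates for any of the packages we install,
# bump the value in this environment variable to invalidate the Docker
# build cache and force installation of the new packages. Otherwise,
# Docker's image/layer cache may prevent the security update from
# being retrieved. Only a *change* of the value matters; nothing parses it
# as a date (and this particular value is not a valid calendar date).
ENV SECURITY_UPDATES="2017-15-01"
# Tell apt/dpkg/debconf that we're non-interactive so it won't write
# annoying warnings as it installs the software we ask for. Making
# this an `ARG` sets it in the environment for the duration of the
# _build_ only - preventing this from having any effect on a container
# running this image (which shouldn't really be installing more
# software but who knows...).
ARG DEBIAN_FRONTEND=noninteractive
# We'll do an upgrade because the base Ubuntu image isn't guaranteed
# to include the latest security updates. This is counter to best
# practice recommendations but security updates are important.
# `update` and `install` share one layer so a cached, stale package index
# is never paired with a fresh install; the lists are removed in the same
# layer because deleting them later would not shrink the image.
RUN apt-get --quiet update && \
apt-get --quiet install -y unattended-upgrades && \
unattended-upgrade --minimal_upgrade_steps && \
rm -rf /var/lib/apt/lists/*
# libffi-dev should probably be a build-dep for python-nacl and python-openssl
# but isn't for some reason. Also, versioneer depends on the git cli to
# compute the source version.
RUN apt-get --quiet update && apt-get --quiet install -y \
libffi-dev \
python-virtualenv \
git \
&& rm -rf /var/lib/apt/lists/*
# Source repositories seem to be disabled on the Xenial image now. Enable
# them so we can actually get some build deps.
RUN sed -i -e 's/^# deb-src/deb-src/' /etc/apt/sources.list
# magic-wormhole depends on these and pip wants to build them both from
# source.
RUN apt-get --quiet update && apt-get --quiet build-dep -y \
python-openssl \
python-nacl \
&& rm -rf /var/lib/apt/lists/*
# Create a virtualenv into which to install magicwormhole in to.
RUN virtualenv /app/env
# Get a newer version of pip. The version in the virtualenv installed from
# Ubuntu might not be very recent, depending on when the build happens.
# --no-cache-dir keeps pip's download cache out of the image layer.
RUN /app/env/bin/pip install --no-cache-dir --upgrade pip
# Create a less privileged account to actually use to run the server.
ENV WORMHOLE_USER_NAME="wormhole"
# Force the allocated user to uid 1000 because we hard-code 1000 below
# (numeric uid in USER lets runtimes verify the container is non-root).
RUN adduser --uid 1000 --disabled-password --gecos "" "${WORMHOLE_USER_NAME}"
# Facilitate network connections to the application. The rendezvous server
# listens on 4000 by default. The transit relay server on 4001.
# EXPOSE is documentation only; both ports are unprivileged, so binding
# works for the non-root user set below.
EXPOSE 4000
EXPOSE 4001
# Put the source somewhere pip will be able to see it.
# COPY rather than ADD: this is a plain local directory, so ADD's extra
# behaviours (archive extraction, remote URLs) are neither needed nor wanted.
# The whole context is copied, so anything excluded via .dockerignore never
# reaches the image - except `.git`, which versioneer needs (see above).
COPY . /magic-wormhole
# Get the app we want to run!
WORKDIR /magic-wormhole
RUN /app/env/bin/pip install --no-cache-dir .
# Run the application with this working directory.
WORKDIR /app/run
# And give it to the user the application will run as.
RUN chown ${WORMHOLE_USER_NAME} /app/run
# Switch to a non-root user.
USER 1000
# This makes starting a server succinct. Exec form: the server is PID 1 and
# receives SIGTERM from `docker stop` directly.
ENTRYPOINT ["/app/env/bin/wormhole-server", "start", "--no-daemon"]
# By default, start up a pretty reasonable server. This can easily be
# overridden by another command which will get added to the entrypoint.
CMD ["--rendezvous", "tcp:4000", "--transit", "tcp:4001"]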