From cc25df768e13064a1e32ea0dc828be2e5e7db33d Mon Sep 17 00:00:00 2001 From: Steven Allen Date: Wed, 15 Jan 2020 17:01:47 -0800 Subject: [PATCH 1/4] feat(docker): bump the go version --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index af24b921c..ef13174b6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.13.4-buster +FROM golang:1.13.6-buster LABEL maintainer="Steven Allen " ENV SRC_DIR /go-ipfs From 8ed357d053dfea21abb6b25db8a03ee4c5ef1d16 Mon Sep 17 00:00:00 2001 From: Steven Allen Date: Wed, 15 Jan 2020 17:02:07 -0800 Subject: [PATCH 2/4] feat(docker): bump the tini version --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index ef13174b6..355429f28 100644 --- a/Dockerfile +++ b/Dockerfile @@ -19,7 +19,7 @@ RUN cd $SRC_DIR \ # Get su-exec, a very minimal tool for dropping privileges, # and tini, a very minimal init daemon for containers ENV SUEXEC_VERSION v0.2 -ENV TINI_VERSION v0.16.1 +ENV TINI_VERSION v0.18.0 RUN set -x \ && cd /tmp \ && git clone https://github.com/ncopa/su-exec.git \ From ee9b46891b6e14c36e69368df54e1e03b37b3b4b Mon Sep 17 00:00:00 2001 From: Steven Allen Date: Wed, 15 Jan 2020 17:02:23 -0800 Subject: [PATCH 3/4] feat(docker): build with openssl by default --- Dockerfile | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 355429f28..e819c3f93 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,12 @@ FROM golang:1.13.6-buster LABEL maintainer="Steven Allen " +# Install deps +RUN apt-get update && apt-get install -y \ + libssl-dev \ + ca-certificates \ + fuse + ENV SRC_DIR /go-ipfs # Download packages first so they can be cached. 
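Review bot: In the new `# Install deps` step (patch 3/4, first hunk), `libssl-dev` is installed unpinned in a layer that comes before the source is copied in, so the layer cache will keep reusing whichever OpenSSL build was resolved first until the base image changes. That matters more here than it did for the old ca-certificates and fuse steps, because a later hunk in the same patch copies `libssl.so*` and `libcrypto.so*` from this stage into the final image, so a stale cached layer ships a stale OpenSSL. The step also gives no hint that it is coupled to `GOFLAGS=-tags=openssl` in the build hunk and to those COPY lines. I would add a comment such as `# libssl-dev is required by GOFLAGS=-tags=openssl; its runtime libs are copied into the final image, so rebuild with --pull --no-cache to pick up OpenSSL fixes`.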
@@ -14,7 +20,7 @@ COPY . $SRC_DIR # Also: fix getting HEAD commit hash via git rev-parse. RUN cd $SRC_DIR \ && mkdir .git/objects \ - && make build + && make build GOFLAGS=-tags=openssl # Get su-exec, a very minimal tool for dropping privileges, # and tini, a very minimal init daemon for containers @@ -30,12 +36,6 @@ RUN set -x \ && wget -q -O tini https://github.com/krallin/tini/releases/download/$TINI_VERSION/tini \ && chmod +x tini -# Get the TLS CA certificates, they're not provided by busybox. -RUN apt-get update && apt-get install -y ca-certificates - -# Install FUSE -RUN apt-get update && apt-get install -y fuse - # Now comes the actual target image, which aims to be as small as possible. FROM busybox:1.31.0-glibc LABEL maintainer="Steven Allen " @@ -55,6 +55,10 @@ RUN chmod 4755 /usr/local/bin/fusermount # This shared lib (part of glibc) doesn't seem to be included with busybox. COPY --from=0 /lib/x86_64-linux-gnu/libdl.so.2 /lib/libdl.so.2 +# Copy over SSL libraries. +COPY --from=0 /usr/lib/x86_64-linux-gnu/libssl.so* /usr/lib/ +COPY --from=0 /usr/lib/x86_64-linux-gnu/libcrypto.so* /usr/lib/ + # Swarm TCP; should be exposed to the public EXPOSE 4001 # Daemon API; must not be exposed publicly but to client services under you control From c2fd41c998a0c8772484ac97865efa9b9a577a09 Mon Sep 17 00:00:00 2001 From: Steven Allen Date: Wed, 15 Jan 2020 17:14:57 -0800 Subject: [PATCH 4/4] fix(docker): fix the start_ipfs permissions Otherwise, we inherit the permissions from the host machine. These depend on the host machine's umask. --- Dockerfile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Dockerfile b/Dockerfile index e819c3f93..941c34912 100644 --- a/Dockerfile +++ b/Dockerfile 
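Review bot: The two new `COPY --from=0 ... libssl.so*` and `libcrypto.so*` lines (hunk `@@ -55,6 +55,10 @@`) put OpenSSL into the busybox image without any package metadata, so scanners that rely on the dpkg database will likely not report it and nothing in the final image records which version shipped. The glob presumably also matches the unversioned `libssl.so` and `libcrypto.so` development links that libssl-dev installs, which the runtime does not need; matching only the versioned names, e.g. `libssl.so.*` and `libcrypto.so.*`, would leave them out. The hard-coded `x86_64-linux-gnu` path follows the existing libdl line but ties the image to amd64. A comment such as `# OpenSSL runtime libs come from the build stage's Debian packages; rebuild the image to pick up security updates` would make the patching path explicit.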
@@ -52,6 +52,9 @@ COPY --from=0 /etc/ssl/certs /etc/ssl/certs # Add suid bit on fusermount so it will run properly RUN chmod 4755 /usr/local/bin/fusermount +# Fix permissions on start_ipfs (ignore the build machine's permissions) +RUN chmod 0755 /usr/local/bin/start_ipfs + # This shared lib (part of glibc) doesn't seem to be included with busybox. COPY --from=0 /lib/x86_64-linux-gnu/libdl.so.2 /lib/libdl.so.2
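Review bot: The added `RUN chmod 0755 /usr/local/bin/start_ipfs` creates a separate layer with a second copy of the script just to change its mode. It could be folded into the suid step just above it as `RUN chmod 4755 /usr/local/bin/fusermount && chmod 0755 /usr/local/bin/start_ipfs`. Alternatively the mode could be set where the file is copied, with `COPY --chmod=0755` on BuildKit; that COPY line is outside this hunk. The new comment could also say why the mode matters: start_ipfs is presumably the container's start script, so group- or world-writable bits inherited from a permissive host umask would leave it modifiable by non-root users inside the container.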