mirror of
https://github.com/ipfs/kubo.git
synced 2026-02-21 18:37:45 +08:00
5b2e305fef
As of now,
$ docker pull ipfs/go-ipfs
Using default tag: latest
latest: Pulling from ipfs/go-ipfs
Digest: sha256:31cc5713ef3e3e81bf868cbb56c19de2d15d661743d8b6077804dee26e929ac5
Status: Image is up to date for ipfs/go-ipfs:latest
ipfs daemon will start as root user:
$ docker run --rm --entrypoint=/bin/sh ipfs/go-ipfs -c whoami
root
but later on will drop priviledges:
$ docker logs ipfs/go-ipfs |head -n 1
Changing user to ipfs
With this change applied, ipfs daemon starts as ipfs user right from
the begining:
$ docker run --rm --entrypoint=/bin/sh ipfs/go-ipfs -c whoami
ipfs
License: MIT
Signed-off-by: Mykola Nikishov <mn@mn.com.ua>
87 lines
2.9 KiB
Docker
87 lines
2.9 KiB
Docker
FROM golang:1.11-stretch
|
|
MAINTAINER Lars Gierth <lgierth@ipfs.io>
|
|
|
|
# There is a copy of this Dockerfile called Dockerfile.fast,
|
|
# which is optimized for build time, instead of image size.
|
|
#
|
|
# Please keep these two Dockerfiles in sync.
|
|
|
|
ENV GX_IPFS ""
|
|
ENV SRC_DIR /go/src/github.com/ipfs/go-ipfs
|
|
|
|
COPY . $SRC_DIR
|
|
|
|
# Build the thing.
|
|
# Also: fix getting HEAD commit hash via git rev-parse.
|
|
# Also: allow using a custom IPFS API endpoint.
|
|
RUN cd $SRC_DIR \
|
|
&& mkdir .git/objects \
|
|
&& ([ -z "$GX_IPFS" ] || echo $GX_IPFS > /root/.ipfs/api) \
|
|
&& make build
|
|
|
|
# Get su-exec, a very minimal tool for dropping privileges,
|
|
# and tini, a very minimal init daemon for containers
|
|
ENV SUEXEC_VERSION v0.2
|
|
ENV TINI_VERSION v0.16.1
|
|
RUN set -x \
|
|
&& cd /tmp \
|
|
&& git clone https://github.com/ncopa/su-exec.git \
|
|
&& cd su-exec \
|
|
&& git checkout -q $SUEXEC_VERSION \
|
|
&& make \
|
|
&& cd /tmp \
|
|
&& wget -q -O tini https://github.com/krallin/tini/releases/download/$TINI_VERSION/tini \
|
|
&& chmod +x tini
|
|
|
|
# Get the TLS CA certificates, they're not provided by busybox.
|
|
RUN apt-get update && apt-get install -y ca-certificates
|
|
|
|
# Now comes the actual target image, which aims to be as small as possible.
|
|
FROM busybox:1-glibc
|
|
MAINTAINER Lars Gierth <lgierth@ipfs.io>
|
|
|
|
# Get the ipfs binary, entrypoint script, and TLS CAs from the build container.
|
|
ENV SRC_DIR /go/src/github.com/ipfs/go-ipfs
|
|
COPY --from=0 $SRC_DIR/cmd/ipfs/ipfs /usr/local/bin/ipfs
|
|
COPY --from=0 $SRC_DIR/bin/container_daemon /usr/local/bin/start_ipfs
|
|
COPY --from=0 /tmp/su-exec/su-exec /sbin/su-exec
|
|
COPY --from=0 /tmp/tini /sbin/tini
|
|
COPY --from=0 /etc/ssl/certs /etc/ssl/certs
|
|
|
|
# This shared lib (part of glibc) doesn't seem to be included with busybox.
|
|
COPY --from=0 /lib/x86_64-linux-gnu/libdl-2.24.so /lib/libdl.so.2
|
|
|
|
# Swarm TCP; should be exposed to the public
|
|
EXPOSE 4001
|
|
# Daemon API; must not be exposed publicly but to client services under you control
|
|
EXPOSE 5001
|
|
# Web Gateway; can be exposed publicly with a proxy, e.g. as https://ipfs.example.org
|
|
EXPOSE 8080
|
|
# Swarm Websockets; must be exposed publicly when the node is listening using the websocket transport (/ipX/.../tcp/8081/ws).
|
|
EXPOSE 8081
|
|
|
|
# Create the fs-repo directory
|
|
ENV IPFS_PATH /data/ipfs
|
|
RUN mkdir -p $IPFS_PATH \
|
|
&& adduser -D -h $IPFS_PATH -u 1000 -G users ipfs \
|
|
&& chown ipfs:users $IPFS_PATH
|
|
|
|
# Switch to a non-privileged user
|
|
USER ipfs
|
|
|
|
# Expose the fs-repo as a volume.
|
|
# start_ipfs initializes an fs-repo if none is mounted.
|
|
# Important this happens after the USER directive so permission are correct.
|
|
VOLUME $IPFS_PATH
|
|
|
|
# The default logging level
|
|
ENV IPFS_LOGGING ""
|
|
|
|
# This just makes sure that:
|
|
# 1. There's an fs-repo, and initializes one if there isn't.
|
|
# 2. The API and Gateway are accessible from outside the container.
|
|
ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/start_ipfs"]
|
|
|
|
# Execute the daemon subcommand by default
|
|
CMD ["daemon", "--migrate=true"]
|