From 0ce7773ca1402d83de4f4d6ea74decfaf6b683ef Mon Sep 17 00:00:00 2001
From: Alex Pyrgiotis
Date: Mon, 13 Jan 2025 18:11:57 +0200
Subject: [PATCH] Render the Dockerfile from a template and some params

Allow updating the Dockerfile from a template and some envs, so that it's easier to bump the dates in it.
---
 BUILD.md | 6 ++++
 Dockerfile | 6 ++--
 Dockerfile.env | 9 ++++++
 Dockerfile.in | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++
 Makefile | 3 ++
 RELEASE.md | 1 +
 6 files changed, 103 insertions(+), 3 deletions(-)
 create mode 100644 Dockerfile.env
 create mode 100644 Dockerfile.in

diff --git a/BUILD.md b/BUILD.md
index bd1b377..7a47da3 100644
--- a/BUILD.md
+++ b/BUILD.md
@@ -515,3 +515,9 @@ poetry run .\install\windows\build-app.bat
 ```
 
 When you're done you will have `dist\Dangerzone.msi`.
+
+## Updating the container image
+
+The Dangezone container image is reproducible. This means that every time we
+build it, the result will be bit-for-bit the same, with some minor exceptions.
+Read more on how you can update it in `docs/developer/reproducibility.md`.
diff --git a/Dockerfile b/Dockerfile
index c5eaf7b..0290668 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,10 +4,10 @@
 
 ARG DEBIAN_IMAGE_DATE=20250113
 
-FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim
+FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim as dangerzone-image
 
-ARG GVISOR_ARCHIVE_DATE=20250113
-ARG DEBIAN_ARCHIVE_DATE=20250120
+ARG GVISOR_ARCHIVE_DATE=20250120
+ARG DEBIAN_ARCHIVE_DATE=20250127
 ARG H2ORESTART_CHECKSUM=7760dc2963332c50d15eee285933ec4b48d6a1de9e0c0f6082946f93090bd132
 ARG H2ORESTART_VERSION=v0.7.0
 
diff --git a/Dockerfile.env b/Dockerfile.env
new file mode 100644
index 0000000..2ab94bd
--- /dev/null
+++ b/Dockerfile.env
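Review bot: The committed `Dockerfile` gains `as dangerzone-image` on its FROM line, but the `Dockerfile.in` template added in the same commit renders that line as `FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim` with no stage name, so the next `make Dockerfile` will silently drop the stage name again and the generated file will no longer match what is checked in. Either add the stage name to the template's FROM line or remove it here, so template and output agree; the dates in `Dockerfile.env` already match this hunk. If it stays, prefer `FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim AS dangerzone-image`, since BuildKit's FromAsCasing check flags an uppercase FROM paired with a lowercase `as`.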
@@ -0,0 +1,9 @@
+# Can be bumped to the latest date in https://hub.docker.com/_/debian/tags?name=bookworm-
+DEBIAN_IMAGE_DATE=20250113
+# Can be bumped to today's date
+DEBIAN_ARCHIVE_DATE=20250127
+# Can be bumped to the latest date in https://github.com/google/gvisor/tags
+GVISOR_ARCHIVE_DATE=20250120
+# Can be bumped to the latest version and checksum from https://github.com/ebandal/H2Orestart/releases
+H2ORESTART_CHECKSUM=7760dc2963332c50d15eee285933ec4b48d6a1de9e0c0f6082946f93090bd132
+H2ORESTART_VERSION=v0.7.0
diff --git a/Dockerfile.in b/Dockerfile.in
new file mode 100644
index 0000000..2824cf1
--- /dev/null
+++ b/Dockerfile.in
@@ -0,0 +1,81 @@
+# NOTE: Updating the packages to their latest versions requires bumping the
+# Dockerfile args below. For more info about this file, read
+# docs/developer/reproducibility.md.
+
+ARG DEBIAN_IMAGE_DATE={{DEBIAN_IMAGE_DATE}}
+
+FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim
+
+ARG GVISOR_ARCHIVE_DATE={{GVISOR_ARCHIVE_DATE}}
+ARG DEBIAN_ARCHIVE_DATE={{DEBIAN_ARCHIVE_DATE}}
+ARG H2ORESTART_CHECKSUM={{H2ORESTART_CHECKSUM}}
+ARG H2ORESTART_VERSION={{H2ORESTART_VERSION}}
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# The following way of installing packages is taken from
+# https://github.com/reproducible-containers/repro-sources-list.sh/blob/master/Dockerfile.debian-12,
+# and adapted to allow installing gVisor from each own repo as well.
+RUN \
+ --mount=type=cache,target=/var/cache/apt,sharing=locked \
+ --mount=type=cache,target=/var/lib/apt,sharing=locked \
+ --mount=type=bind,source=./container_helpers/repro-sources-list.sh,target=/usr/local/bin/repro-sources-list.sh \
+ --mount=type=bind,source=./container_helpers/gvisor.key,target=/tmp/gvisor.key \
+ : "Hacky way to set a date for the Debian snapshot repos" && \
+ touch -d ${DEBIAN_ARCHIVE_DATE} /etc/apt/sources.list.d/debian.sources && \
+ touch -d ${DEBIAN_ARCHIVE_DATE} /etc/apt/sources.list && \
+ repro-sources-list.sh && \
+ : "Setup APT to install gVisor from its separate APT repo" && \
+ apt-get update && \
+ apt-get upgrade -y && \
+ apt-get install -y --no-install-recommends apt-transport-https ca-certificates gnupg && \
+ gpg -o /usr/share/keyrings/gvisor-archive-keyring.gpg --dearmor /tmp/gvisor.key && \
+ echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/gvisor-archive-keyring.gpg] https://storage.googleapis.com/gvisor/releases ${GVISOR_ARCHIVE_DATE} main" > /etc/apt/sources.list.d/gvisor.list && \
+ : "Install the necessary gVisor and Dangerzone dependencies" && \
+ apt-get update && \
+ apt-get install -y --no-install-recommends \
+ python3 python3-fitz libreoffice-nogui libreoffice-java-common \
+ python3 python3-magic default-jre-headless fonts-noto-cjk fonts-dejavu \
+ runsc unzip wget && \
+ : "Clean up for improving reproducibility (optional)" && \
+ rm -rf /var/cache/fontconfig/ && \
+ rm -rf /etc/ssl/certs/java/cacerts && \
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache
+
+# Download H2ORestart from GitHub using a pinned version and hash. Note that
+# it's available in Debian repos, but not in Bookworm yet.
+RUN mkdir /libreoffice_ext && cd libreoffice_ext \
+ && H2ORESTART_FILENAME=h2orestart.oxt \
+ && wget https://github.com/ebandal/H2Orestart/releases/download/$H2ORESTART_VERSION/$H2ORESTART_FILENAME \
+ && echo "$H2ORESTART_CHECKSUM $H2ORESTART_FILENAME" | sha256sum -c \
+ && install -dm777 "/usr/lib/libreoffice/share/extensions/" \
+ && rm /root/.wget-hsts
+
+# Create an unprivileged user both for gVisor and for running Dangerzone.
+RUN addgroup --gid 1000 dangerzone
+RUN adduser --uid 1000 --ingroup dangerzone --shell /bin/true \
+ --disabled-password --home /home/dangerzone dangerzone
+
+# Copy Dangerzone's conversion logic under /opt/dangerzone, and allow Python to
+# import it.
+RUN mkdir -p /opt/dangerzone/dangerzone
+RUN touch /opt/dangerzone/dangerzone/__init__.py
+
+# Copy only the Python code, and not any produced .pyc files.
+COPY conversion/*.py /opt/dangerzone/dangerzone/conversion/
+
+# Let the entrypoint script write the OCI config for the inner container under
+# /config.json.
+RUN touch /config.json
+RUN chown dangerzone:dangerzone /config.json
+
+# Switch to the dangerzone user for the rest of the script.
+USER dangerzone
+
+# Create a directory that will be used by gVisor as the place where it will
+# store the state of its containers.
+RUN mkdir /home/dangerzone/.containers
+
+COPY container_helpers/entrypoint.py /
+
+ENTRYPOINT ["/entrypoint.py"]
diff --git a/Makefile b/Makefile
index a8a714c..17a35d3 100644
--- a/Makefile
+++ b/Makefile
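Review bot: `install -dm777 "/usr/lib/libreoffice/share/extensions/"` in the H2ORestart step leaves LibreOffice's shared extensions directory world-writable in the final image, so a conversion process running as the unprivileged `dangerzone` user (or anything that compromises it) can drop code into a location LibreOffice loads extensions from. If that user genuinely needs to write there at runtime, create the directory after the `adduser` step owned by that user with a normal mode, `install -d -o dangerzone -g dangerzone -m 755 /usr/lib/libreoffice/share/extensions/`; if it only needs to be readable, a root-owned 755 directory is enough. The same step does `cd libreoffice_ext` relative to the implicit working directory right after `mkdir /libreoffice_ext`; `WORKDIR /libreoffice_ext` (or the absolute path in the `cd`) makes the intent explicit and will not break if a WORKDIR is later added above it. `ENV DEBIAN_FRONTEND=noninteractive` also persists into the runtime environment although it is only needed for the apt steps; an inline `DEBIAN_FRONTEND=noninteractive apt-get …` or an `ARG` keeps it build-only.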
@@ -47,6 +47,9 @@ test-large: test-large-init ## Run large test set
 python -m pytest --tb=no tests/test_large_set.py::TestLargeSet -v $(JUNIT_FLAGS) --junitxml=$(TEST_LARGE_RESULTS)
 python $(TEST_LARGE_RESULTS)/report.py $(TEST_LARGE_RESULTS)
 
+Dockerfile: Dockerfile.env Dockerfile.in
+ poetry run jinja2 Dockerfile.in Dockerfile.env > Dockerfile
+
 .PHONY: build-clean
 build-clean:
 doit clean
diff --git a/RELEASE.md b/RELEASE.md
index 75642d2..21f092c 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -15,6 +15,7 @@ Here is a list of tasks that should be done before issuing the release:
 - [ ] Update the "Version" field in `install/linux/dangerzone.spec`
 - [ ] Bump the Debian version by adding a new changelog entry in `debian/changelog`
 - [ ] [Bump the minimum Docker Desktop versions](https://github.com/freedomofpress/dangerzone/blob/main/RELEASE.md#bump-the-minimum-docker-desktop-version) in `isolation_provider/container.py`
+- [ ] Bump the dates in the `Dockerfile`
 - [ ] Update screenshot in `README.md`, if necessary
 - [ ] CHANGELOG.md should be updated to include a list of all major changes since the last release
 - [ ] A draft release should be created. Copy the release notes text from the template at [`docs/templates/release-notes`](https://github.com/freedomofpress/dangerzone/tree/main/docs/templates/)
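Review bot: The new `Dockerfile:` rule redirects straight into the target, so when `poetry run jinja2` fails (no poetry environment, a bad key in `Dockerfile.env`) the shell has already truncated `Dockerfile` to an empty file with a fresh mtime, and the next `make` considers it up to date and builds from nothing. Render to a temporary file and only move it into place on success: `poetry run jinja2 Dockerfile.in Dockerfile.env > $@.tmp && mv $@.tmp $@`. Consider also passing jinja2-cli's `--strict` option so that a variable missing from `Dockerfile.env` fails the render instead of silently producing a line such as `FROM debian:bookworm--slim`.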