almet/dangerzone
1
0
Fork 0
mirror of https://github.com/freedomofpress/dangerzone.git synced 2025-04-29 10:12:38 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

Merge pull request #120 from firstlookmedia/podman

Browse source 
Switch back to Podman in Linux
This commit is contained in:
Micah Lee 2021-06-22 13:57:33 -04:00 committed by GitHub
commit 9df7c4095a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 67 additions and 253 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

67
.circleci/config.yml
View file

@ -81,37 +81,6 @@ jobs:
package_cloud push firstlookmedia/code/ubuntu/groovy deb_dist/dangerzone_${VERSION}-1_all.deb
package_cloud push firstlookmedia/code/ubuntu/groovy deb_dist/dangerzone_${VERSION}-1.dsc
build-ubuntu-focal:
docker:
- image: ubuntu:20.04
steps:
- run:
name: Install dependencies
command: |
export DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true
apt-get update
apt-get install -y git ssh ruby-dev rubygems python-all dh-python python3 python3-stdeb python3-pyside2.qtcore python3-pyside2.qtgui python3-pyside2.qtwidgets python3-appdirs python3-click python3-xdg python3-requests python3-colorama
gem install -N rake
gem install -N package_cloud
- checkout
- run:
name: Create the .deb package
command: |
./install/linux/build_deb.py
dpkg -i deb_dist/dangerzone_*-1_all.deb
- run:
name: Deploy to packagecloud.io
# Linux Mint 20 (ulyana) and 20.1 (ulyssa) are based on Ubuntu 20.04 LTS
# https://en.wikipedia.org/wiki/Linux_Mint_version_history
command: |
VERSION=$(cat share/version.txt)
package_cloud push firstlookmedia/code/ubuntu/focal deb_dist/dangerzone_${VERSION}-1_all.deb
package_cloud push firstlookmedia/code/ubuntu/focal deb_dist/dangerzone_${VERSION}-1.dsc
package_cloud push firstlookmedia/code/linuxmint/ulyana deb_dist/dangerzone_${VERSION}-1_all.deb
package_cloud push firstlookmedia/code/linuxmint/ulyana deb_dist/dangerzone_${VERSION}-1.dsc
package_cloud push firstlookmedia/code/linuxmint/ulyssa deb_dist/dangerzone_${VERSION}-1_all.deb
package_cloud push firstlookmedia/code/linuxmint/ulyssa deb_dist/dangerzone_${VERSION}-1.dsc
build-debian-bullseye:
docker:
- image: debian:bullseye
@ -136,30 +105,6 @@ jobs:
package_cloud push firstlookmedia/code/debian/bullseye deb_dist/dangerzone_${VERSION}-1_all.deb
package_cloud push firstlookmedia/code/debian/bullseye deb_dist/dangerzone_${VERSION}-1.dsc
build-debian-buster:
docker:
- image: debian:buster
steps:
- run:
name: Install dependencies
command: |
apt-get update
apt-get install -y git ssh ruby-dev rubygems python-all dh-python python3 python3-stdeb python3-pyside2.qtcore python3-pyside2.qtgui python3-pyside2.qtwidgets python3-appdirs python3-click python3-xdg python3-requests python3-colorama
gem install --no-ri --no-rdoc rake
gem install --no-ri --no-rdoc package_cloud
- checkout
- run:
name: Create the .deb package
command: |
./install/linux/build_deb.py
dpkg -i deb_dist/dangerzone_*-1_all.deb
- run:
name: Deploy to packagecloud.io
command: |
VERSION=$(cat share/version.txt)
package_cloud push firstlookmedia/code/debian/buster deb_dist/dangerzone_${VERSION}-1_all.deb
package_cloud push firstlookmedia/code/debian/buster deb_dist/dangerzone_${VERSION}-1.dsc
build-fedora-34:
docker:
# The package_cloud ruby gem doesn't work properly when installed in fedora 34,
@ -252,24 +197,12 @@ workflows:
only: /^v.*/
branches:
ignore: /.*/
- build-ubuntu-focal:
filters:
tags:
only: /^v.*/
branches:
ignore: /.*/
- build-debian-bullseye:
filters:
tags:
only: /^v.*/
branches:
ignore: /.*/
- build-debian-buster:
filters:
tags:
only: /^v.*/
branches:
ignore: /.*/
- build-fedora-34:
filters:
tags:

12
BUILD.md
View file

@ -5,11 +5,9 @@
Install dependencies:
```sh
sudo apt install -y dh-python python3 python3-stdeb python3-pyside2.qtcore python3-pyside2.qtgui python3-pyside2.qtwidgets python3-appdirs python3-click python3-xdg python3-requests python3-colorama
sudo apt install -y podman dh-python python3 python3-stdeb python3-pyside2.qtcore python3-pyside2.qtgui python3-pyside2.qtwidgets python3-appdirs python3-click python3-xdg python3-requests python3-colorama
```
You also need docker, either by installing the [Docker snap package](https://snapcraft.io/docker), installing the `docker.io` package, or by installing `docker-ce` by following [these instructions for Ubuntu](https://docs.docker.com/install/linux/docker-ce/ubuntu/) or [for Debian](https://docs.docker.com/install/linux/docker-ce/debian/).
Run from source tree:
```sh
@ -27,11 +25,9 @@ Create a .deb:
Install dependencies:
```sh
sudo dnf install -y rpm-build python3 python3-setuptools python3-pyside2 python3-appdirs python3-click python3-pyxdg python3-requests python3-colorama
sudo dnf install -y rpm-build podman python3 python3-setuptools python3-pyside2 python3-appdirs python3-click python3-pyxdg python3-requests python3-colorama
```
You also need docker, either by installing the `docker` package, or by installing `docker-ce` by following [these instructions](https://docs.docker.com/install/linux/docker-ce/fedora/).
Run from source tree:
```sh
@ -46,6 +42,8 @@ Create a .rpm:
## macOS
Install [Docker Desktop](https://www.docker.com/products/docker-desktop).
Install python@3.9 from Homebrew:
```
@ -87,6 +85,8 @@ The output is in the `dist` folder.
## Windows
Install [Docker Desktop](https://www.docker.com/products/docker-desktop).
These instructions include adding folders to the path in Windows. To do this, go to Start and type "advanced system settings", and open "View advanced system settings" in the Control Panel. Click Environment Variables. Under "System variables" double-click on Path. From there you can add and remove folders that are available in the PATH.
Download Python 3.9.0, 32-bit (x86) from https://www.python.org/downloads/release/python-390/. I downloaded python-3.9.0.exe. When installing it, make sure to check the "Add Python 3.9 to PATH" checkbox on the first page of the installer.

4
dangerzone/cli.py
View file

@ -9,7 +9,7 @@ from .common import Common
def print_header(s):
click.echo("")
click.echo(Style.BRIGHT + Fore.LIGHTWHITE_EX + s)
click.echo(Style.BRIGHT + s)
def exec_container(global_common, args):
@ -22,7 +22,7 @@ def exec_container(global_common, args):
# Hack to add colors to the command executing
if line.startswith(b"> "):
print(
Fore.YELLOW + "> " + Fore.LIGHTCYAN_EX + line.decode()[2:],
Style.DIM + "> " + Style.NORMAL + Fore.CYAN + line.decode()[2:],
end="",
)
else:

31
dangerzone/common.py
View file

@ -2,6 +2,7 @@ import os
import stat
import platform
import tempfile
import appdirs
class Common(object):
@ -11,26 +12,16 @@ class Common(object):
def __init__(self):
# Temporary directory to store pixel data and safe PDFs
if platform.system() == "Windows":
self.pixel_dir = tempfile.TemporaryDirectory(prefix="dangerzone-pixel-")
self.safe_dir = tempfile.TemporaryDirectory(prefix="dangerzone-safe-")
elif platform.system() == "Darwin":
# In macOS, temp dirs must be in /tmp (or a few other paths) for Docker to mount them
self.pixel_dir = tempfile.TemporaryDirectory(
prefix="/tmp/dangerzone-pixel-"
)
self.safe_dir = tempfile.TemporaryDirectory(prefix="/tmp/dangerzone-safe-")
else:
# In Linux, temp dirs must be in the homedir for the snap package version of Docker to mount them
cache_dir = os.path.expanduser("~/.cache/dangerzone")
os.makedirs(cache_dir, exist_ok=True)
self.pixel_dir = tempfile.TemporaryDirectory(
prefix=os.path.join(cache_dir, "pixel-")
)
self.safe_dir = tempfile.TemporaryDirectory(
prefix=os.path.join(cache_dir, "safe-")
)
cache_dir = appdirs.user_cache_dir("dangerzone")
os.makedirs(cache_dir, exist_ok=True)
self.pixel_dir = tempfile.TemporaryDirectory(
prefix=os.path.join(cache_dir, "pixel-")
)
self.safe_dir = tempfile.TemporaryDirectory(
prefix=os.path.join(cache_dir, "safe-")
)
try:
# Make the folders world-readable to ensure that the container has permission
# to access it even if it's owned by root or someone else
permissions = (
@ -44,6 +35,8 @@ class Common(object):
)
os.chmod(self.pixel_dir.name, permissions)
os.chmod(self.safe_dir.name, permissions)
except:
pass
# Name of input and out files
self.document_filename = None

61
dangerzone/container.py
View file

@ -4,13 +4,21 @@ import subprocess
import sys
import pipes
import shutil
import os
# What is the container runtime for this platform?
if platform.system() == "Darwin":
container_runtime = "/usr/local/bin/docker"
container_tech = "docker"
container_runtime = shutil.which("docker")
elif platform.system() == "Windows":
container_tech = "docker"
container_runtime = shutil.which("docker.exe")
elif platform.system() == "Linux":
container_tech = "podman"
container_runtime = shutil.which("podman")
else:
print("Unknown operating system, defaulting to Docker")
container_tech = "docker"
container_runtime = shutil.which("docker")
# Define startupinfo for subprocesses
@ -28,6 +36,17 @@ def exec_container(args):
print("> " + args_str)
sys.stdout.flush()
# In Tails, tell the container runtime to download over Tor
if (
platform.system() == "Linux"
and os.getlogin() == "amnesia"
and os.getuid() == 1000
):
env = os.environ.copy()
env["HTTP_PROXY"] = "socks5://127.0.0.1:9050"
else:
env = None
with subprocess.Popen(
args,
stdin=None,
@ -36,6 +55,7 @@ def exec_container(args):
bufsize=1,
universal_newlines=True,
startupinfo=startupinfo,
env=env,
) as p:
p.communicate()
return p.returncode
@ -51,7 +71,7 @@ def container_main():
@container_main.command()
@click.option("--container-name", default="flmcode/dangerzone")
@click.option("--container-name", default="docker.io/flmcode/dangerzone")
def ls(container_name):
"""docker image ls [container_name]"""
sys.exit(exec_container(["image", "ls", container_name]))
@ -60,37 +80,36 @@ def ls(container_name):
@container_main.command()
def pull():
"""docker pull flmcode/dangerzone"""
sys.exit(exec_container(["pull", "flmcode/dangerzone"]))
sys.exit(exec_container(["pull", "docker.io/flmcode/dangerzone"]))
@container_main.command()
@click.option("--document-filename", required=True)
@click.option("--pixel-dir", required=True)
@click.option("--container-name", default="flmcode/dangerzone")
@click.option("--container-name", default="docker.io/flmcode/dangerzone")
def documenttopixels(document_filename, pixel_dir, container_name):
"""docker run --network none -v [document_filename]:/tmp/input_file -v [pixel_dir]:/dangerzone [container_name] document-to-pixels"""
sys.exit(
exec_container(
[
"run",
"--network",
"none",
"--security-opt=no-new-privileges:true",
"-v",
f"{document_filename}:/tmp/input_file",
"-v",
f"{pixel_dir}:/dangerzone",
container_name,
"document-to-pixels",
]
)
)
args = ["run", "--network", "none"]
# docker uses --security-opt, podman doesn't
if container_tech == "docker":
args += ["--security-opt=no-new-privileges:true"]
args += [
"-v",
f"{document_filename}:/tmp/input_file",
"-v",
f"{pixel_dir}:/dangerzone",
container_name,
"document-to-pixels",
]
sys.exit(exec_container(args))
@container_main.command()
@click.option("--pixel-dir", required=True)
@click.option("--safe-dir", required=True)
@click.option("--container-name", default="flmcode/dangerzone")
@click.option("--container-name", default="docker.io/flmcode/dangerzone")
@click.option("--ocr", required=True)
@click.option("--ocr-lang", required=True)
def pixelstopdf(pixel_dir, safe_dir, container_name, ocr, ocr_lang):

15
dangerzone/global_common.py
View file

@ -384,7 +384,7 @@ class GlobalCommon(object):
if self.custom_container:
return self.custom_container
else:
return "flmcode/dangerzone"
return "docker.io/flmcode/dangerzone"
def get_resource_path(self, filename):
if getattr(sys, "dangerzone_dev", False):
@ -439,18 +439,11 @@ class GlobalCommon(object):
return "/usr/bin/dangerzone-container"
def exec_dangerzone_container(self, args):
# Prefix the args with the retainer runtime, and in the case linux when the user isn't in the docker group, pkexec
if platform.system() == "Linux":
if self.settings.get("linux_prefers_typing_password"):
args = ["/usr/bin/pkexec", self.dz_container_path] + args
else:
args = [self.dz_container_path] + args
else:
args = [self.dz_container_path] + args
args = [self.dz_container_path] + args
args_str = " ".join(pipes.quote(s) for s in args)
print(Style.DIM + "> " + Style.NORMAL + Fore.CYAN + args_str)
# Execute dangerzone-container
args_str = " ".join(pipes.quote(s) for s in args)
print(Fore.YELLOW + "> " + Fore.CYAN + args_str)
return subprocess.Popen(
args,
startupinfo=self.get_subprocess_startupinfo(),

12
dangerzone/gui/__init__.py
View file

@ -71,18 +71,6 @@ def gui_main(custom_container, filename):
# Allow Ctrl-C to smoothly quit the program instead of throwing an exception
signal.signal(signal.SIGINT, signal.SIG_DFL)
# If we're using Linux and docker, see if we need to add the user to the docker group or if the user prefers typing their password
if platform.system() == "Linux":
if not gui_common.ensure_docker_group_preference():
return
try:
if not gui_common.ensure_docker_service_is_started():
click.echo("Failed to start docker service")
return
except AuthorizationFailed:
click.echo("Authorization failed")
return
# See if we need to install Docker...
if (platform.system() == "Darwin" or platform.system() == "Windows") and (
not is_docker_installed() or not is_docker_ready(global_common)

89
dangerzone/gui/common.py
View file

@ -142,95 +142,6 @@ class GuiCommon(object):
return pdf_viewers
def ensure_docker_group_preference(self):
# If the user prefers typing their password
if self.global_common.settings.get("linux_prefers_typing_password") == True:
return True
# Get the docker group
try:
groupinfo = grp.getgrnam("docker")
except:
# Ignore if group is not found
return True
# See if the user is in the group
username = getpass.getuser()
if username not in groupinfo.gr_mem:
# User is not in the docker group, ask if they prefer typing their password
message = "<b>Dangerzone requires Docker</b><br><br>In order to use Docker, your user must be in the 'docker' group or you'll need to type your password each time you run dangerzone.<br><br><b>Adding your user to the 'docker' group is more convenient but less secure</b>, and will require just typing your password once. Which do you prefer?"
return_code = Alert(
self,
self.global_common,
message,
ok_text="I'll type my password each time",
extra_button_text="Add my user to the 'docker' group",
).launch()
if return_code == QtWidgets.QDialog.Accepted:
# Prefers typing password
self.global_common.settings.set("linux_prefers_typing_password", True)
self.global_common.settings.save()
return True
elif return_code == 2:
# Prefers being in the docker group
self.global_common.settings.set("linux_prefers_typing_password", False)
self.global_common.settings.save()
# Add user to the docker group
p = subprocess.run(
[
"/usr/bin/pkexec",
"/usr/sbin/usermod",
"-a",
"-G",
"docker",
username,
]
)
if p.returncode == 0:
message = "Great! Now you must log out of your computer and log back in, and then you can use Dangerzone."
Alert(self, self.global_common, message).launch()
else:
message = "Failed to add your user to the 'docker' group, quitting."
Alert(self, self.global_common, message).launch()
return False
else:
# Cancel
return False
return True
def ensure_docker_service_is_started(self):
if not is_docker_ready(self.global_common):
message = "<b>Dangerzone requires Docker</b><br><br>Docker should be installed, but it looks like it's not running in the background.<br><br>Click Ok to try starting the docker service. You will have to type your login password."
if (
Alert(self, self.global_common, message).launch()
== QtWidgets.QDialog.Accepted
):
p = subprocess.run(
[
"/usr/bin/pkexec",
self.global_common.get_resource_path(
"enable_docker_service.sh"
),
]
)
if p.returncode == 0:
# Make sure docker is now ready
if is_docker_ready(self.global_common):
return True
else:
message = "Restarting docker appeared to work, but the service still isn't responding, quitting."
Alert(self, self.global_common, message).launch()
else:
message = "Failed to start the docker service, quitting."
Alert(self, self.global_common, message).launch()
return False
return True
class Alert(QtWidgets.QDialog):
def __init__(

2
dangerzone/gui/tasks.py
View file

@ -21,7 +21,7 @@ class TaskBase(QtCore.QThread):
if line.startswith(b"> "):
print(
Fore.YELLOW + "> " + Fore.LIGHTCYAN_EX + line.decode()[2:],
Style.DIM + "> " + Style.NORMAL + Fore.CYAN + line.decode()[2:],
end="",
)
else:

2
install/linux/build_rpm.py
View file

@ -29,7 +29,7 @@ def main():
print("* Building RPM package")
subprocess.run(
"python3 setup.py bdist_rpm --requires='python3-pyside2,python3-appdirs,python3-click,python3-pyxdg,python3-requests,python3-colorama,(docker or docker-ce)'",
"python3 setup.py bdist_rpm --requires='podman,python3-pyside2,python3-appdirs,python3-click,python3-pyxdg,python3-requests,python3-colorama'",
shell=True,
cwd=root,
check=True,

16
install/linux/media.firstlook.dangerzone-container.policy
View file

@ -1,16 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
<action id="org.freedesktop.policykit.pkexec.dangerzone">
<description>Run Dangerzone Container</description>
<message>Dangerzone needs you to authenticate to run containers</message>
<defaults>
<allow_any>auth_admin_keep</allow_any>
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/dangerzone-container</annotate>
</action>
</policyconfig>

4
setup.py
View file

@ -34,10 +34,6 @@ setuptools.setup(
["install/linux/media.firstlook.dangerzone.png"],
),
("share/dangerzone", file_list("share")),
(
"share/polkit-1/actions",
["install/linux/media.firstlook.dangerzone-container.policy"],
),
],
classifiers=[
"Programming Language :: Python",

3
share/enable_docker_service.sh
View file

@ -1,3 +0,0 @@
#!/bin/sh
/bin/systemctl restart docker.service
/bin/systemctl enable docker.service

2
stdeb.cfg
View file

@ -1,6 +1,6 @@
[DEFAULT]
Package3: dangerzone
Depends3: python3, python3-pyside2.qtcore, python3-pyside2.qtgui, python3-pyside2.qtwidgets, python3-appdirs, python3-click, python3-xdg, python3-requests, python3-colorama
Depends3: podman, python3, python3-pyside2.qtcore, python3-pyside2.qtgui, python3-pyside2.qtwidgets, python3-appdirs, python3-click, python3-xdg, python3-requests, python3-colorama
Build-Depends: dh-python, python3, python3-all
Suite: bionic
X-Python3-Version: >= 3.6