almet/dangerzone
1
0
Fork 0
mirror of https://github.com/freedomofpress/dangerzone.git synced 2025-04-28 18:02:38 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

WIP: Image works!

Browse source
This commit is contained in:
Alex Pyrgiotis 2024-12-12 22:47:19 +02:00
parent a9e4f5f4fd
commit f72adcf7c3
No known key found for this signature in database
GPG key ID: B6C15EBA0357C9AA
1 changed files with 22 additions and 142 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

164
Dockerfile
View file

@ -9,26 +9,28 @@ RUN \
--mount=type=bind,source=./repro-sources-list.sh,target=/usr/local/bin/repro-sources-list.sh \ --mount=type=bind,source=./repro-sources-list.sh,target=/usr/local/bin/repro-sources-list.sh \
repro-sources-list.sh && \ repro-sources-list.sh && \
apt-get update && \ apt-get update && \
apt-get install -y gcc && \ apt-get install -y --no-install-recommends python3-fitz libreoffice-nogui libreoffice-java-common python3 python3-magic default-jdk-headless fonts-noto-cjk && \
: "Clean up for improving reproducibility (optional)" && \ : "Clean up for improving reproducibility (optional)" && \
rm -rf /var/log/* /var/cache/ldconfig/aux-cache rm -rf /var/log/* /var/cache/ldconfig/aux-cache /var/lib/apt/lists/*
RUN apt-get update \ RUN mkdir -p /opt/dangerzone/dangerzone && \
&& apt-get install -y --no-install-recommends \ touch /opt/dangerzone/dangerzone/__init__.py && \
python3-fitz libreoffice-core-nogui python3 python3-magic default-jdk-headless fonts-noto-cjk \ addgroup --gid 1000 dangerzone && \
&& rm -rf /var/lib/apt/lists/* adduser --uid 1000 --ingroup dangerzone --shell /bin/true --home /home/dangerzone dangerzone
RUN mkdir -p /opt/dangerzone/dangerzone
RUN touch /opt/dangerzone/dangerzone/__init__.py
COPY conversion /opt/dangerzone/dangerzone/conversion COPY conversion /opt/dangerzone/dangerzone/conversion
# Add the unprivileged user. Set the UID/GID of the dangerzone user/group to ###########################################
# 1000, since we will point to it from the OCI config. # gVisor wrapper image
#
# NOTE: A tmpfs will be mounted over /home/dangerzone directory, FROM alpine:latest as gvisor-image
# so nothing within it from the image will be persisted.
RUN addgroup --gid 1000 dangerzone \ RUN GVISOR_URL="https://storage.googleapis.com/gvisor/releases/release/latest/$(uname -m)"; \
&& adduser --uid 1000 --ingroup dangerzone --shell /bin/true --home /home/dangerzone dangerzone wget "${GVISOR_URL}/runsc" "${GVISOR_URL}/runsc.sha512" && \
sha512sum -c runsc.sha512 && \
rm -f runsc.sha512 && \
chmod 555 runsc && \
mv runsc /usr/bin/
########################################### ###########################################
# gVisor wrapper image # gVisor wrapper image
@ -41,25 +43,14 @@ RUN \
--mount=type=bind,source=./repro-sources-list.sh,target=/usr/local/bin/repro-sources-list.sh \ --mount=type=bind,source=./repro-sources-list.sh,target=/usr/local/bin/repro-sources-list.sh \
repro-sources-list.sh && \ repro-sources-list.sh && \
apt-get update && \ apt-get update && \
apt-get install -y gcc && \ apt-get install -y --no-install-recommends python3 && \
: "Clean up for improving reproducibility (optional)" && \ : "Clean up for improving reproducibility (optional)" && \
rm -rf /var/log/* /var/cache/ldconfig/aux-cache rm -rf /var/log/* /var/cache/ldconfig/aux-cache /var/lib/apt/lists/*
RUN addgroup --gid 1000 dangerzone && \
adduser --uid 1000 --ingroup dangerzone --shell /bin/true --home /home/dangerzone dangerzone
RUN apt-get update \ COPY --from=gvisor-image /usr/bin/runsc /usr/bin/runsc
&& apt-get install -y --no-install-recommends python3 wget ca-certificates \
&& rm -rf /var/lib/apt/lists/*
RUN GVISOR_URL="https://storage.googleapis.com/gvisor/releases/release/latest/$(uname -m)"; \
wget "${GVISOR_URL}/runsc" "${GVISOR_URL}/runsc.sha512" && \
sha512sum -c runsc.sha512 && \
rm -f runsc.sha512 && \
chmod 555 runsc && \
mv runsc /usr/bin/
# Add the unprivileged `dangerzone` user.
RUN addgroup --gid 1000 dangerzone \
&& adduser --uid 1000 --ingroup dangerzone --shell /bin/true --home /home/dangerzone dangerzone
# Switch to the dangerzone user for the rest of the script. # Switch to the dangerzone user for the rest of the script.
USER dangerzone USER dangerzone
@ -76,114 +67,3 @@ RUN mkdir /home/dangerzone/.containers
COPY gvisor_wrapper/entrypoint.py / COPY gvisor_wrapper/entrypoint.py /
ENTRYPOINT ["/entrypoint.py"] ENTRYPOINT ["/entrypoint.py"]
############################################
## Build PyMuPDF
#FROM alpine:latest as pymupdf-build
#ARG ARCH
#ARG REQUIREMENTS_TXT
## Install PyMuPDF via hash-checked requirements file
#COPY ${REQUIREMENTS_TXT} /tmp/requirements.txt
## PyMuPDF provides non-arm musl wheels only.
## Only install build-dependencies if we are actually building the wheel
#RUN case "$ARCH" in \
# "arm64") \
# # This is required for copying later, but is created only in the pre-built wheels
# mkdir -p /usr/lib/python3.12/site-packages/PyMuPDF.libs/ \
# && apk --no-cache add linux-headers g++ linux-headers gcc make python3-dev py3-pip clang-dev ;; \
# *) \
# apk --no-cache add py3-pip ;; \
# esac
#RUN pip install -vv --break-system-packages --require-hashes -r /tmp/requirements.txt
############################################
## Download H2ORestart
#FROM alpine:latest as h2orestart-dl
#ARG H2ORESTART_CHECKSUM=d09bc5c93fe2483a7e4a57985d2a8d0e4efae2efb04375fe4b59a68afd7241e2
#RUN mkdir /libreoffice_ext && cd libreoffice_ext \
# && H2ORESTART_FILENAME=h2orestart.oxt \
# && H2ORESTART_VERSION="v0.6.6" \
# && wget https://github.com/ebandal/H2Orestart/releases/download/$H2ORESTART_VERSION/$H2ORESTART_FILENAME \
# && echo "$H2ORESTART_CHECKSUM $H2ORESTART_FILENAME" | sha256sum -c \
# && install -dm777 "/usr/lib/libreoffice/share/extensions/"
############################################
## Dangerzone image
#FROM alpine:latest AS dangerzone-image
## Install dependencies
#RUN apk --no-cache -U upgrade && \
# apk --no-cache add \
# libreoffice \
# openjdk8 \
# python3 \
# py3-magic \
# font-noto-cjk
#COPY --from=pymupdf-build /usr/lib/python3.12/site-packages/fitz/ /usr/lib/python3.12/site-packages/fitz
#COPY --from=pymupdf-build /usr/lib/python3.12/site-packages/pymupdf/ /usr/lib/python3.12/site-packages/pymupdf
#COPY --from=pymupdf-build /usr/lib/python3.12/site-packages/PyMuPDF.libs/ /usr/lib/python3.12/site-packages/PyMuPDF.libs
#COPY --from=h2orestart-dl /libreoffice_ext/ /libreoffice_ext
#RUN install -dm777 "/usr/lib/libreoffice/share/extensions/"
#RUN mkdir -p /opt/dangerzone/dangerzone
#RUN touch /opt/dangerzone/dangerzone/__init__.py
#COPY conversion /opt/dangerzone/dangerzone/conversion
## Add the unprivileged user. Set the UID/GID of the dangerzone user/group to
## 1000, since we will point to it from the OCI config.
##
## NOTE: A tmpfs will be mounted over /home/dangerzone directory,
## so nothing within it from the image will be persisted.
#RUN addgroup -g 1000 dangerzone && \
# adduser -u 1000 -s /bin/true -G dangerzone -h /home/dangerzone -D dangerzone
############################################
## gVisor wrapper image
#FROM alpine:latest
#RUN apk --no-cache -U upgrade && \
# apk --no-cache add python3
#RUN GVISOR_URL="https://storage.googleapis.com/gvisor/releases/release/latest/$(uname -m)"; \
# wget "${GVISOR_URL}/runsc" "${GVISOR_URL}/runsc.sha512" && \
# sha512sum -c runsc.sha512 && \
# rm -f runsc.sha512 && \
# chmod 555 runsc && \
# mv runsc /usr/bin/
## Add the unprivileged `dangerzone` user.
#RUN addgroup dangerzone && \
# adduser -s /bin/true -G dangerzone -h /home/dangerzone -D dangerzone
## Switch to the dangerzone user for the rest of the script.
#USER dangerzone
## Copy the Dangerzone image, as created by the previous steps, into the home
## directory of the `dangerzone` user.
#RUN mkdir /home/dangerzone/dangerzone-image
#COPY --from=dangerzone-image / /home/dangerzone/dangerzone-image/rootfs
## Create a directory that will be used by gVisor as the place where it will
## store the state of its containers.
#RUN mkdir /home/dangerzone/.containers
#COPY gvisor_wrapper/entrypoint.py /
#ENTRYPOINT ["/entrypoint.py"]