mirror of
https://github.com/freedomofpress/dangerzone.git
synced 2025-04-29 18:22:37 +02:00
189 lines
6.6 KiB
Docker
189 lines
6.6 KiB
Docker
###########################################
|
|
# Build PyMuPDF
|
|
|
|
FROM debian:bookworm-20230904-slim as dangerzone-image
|
|
ENV DEBIAN_FRONTEND=noninteractive
|
|
RUN \
|
|
--mount=type=cache,target=/var/cache/apt,sharing=locked \
|
|
--mount=type=cache,target=/var/lib/apt,sharing=locked \
|
|
--mount=type=bind,source=./repro-sources-list.sh,target=/usr/local/bin/repro-sources-list.sh \
|
|
repro-sources-list.sh && \
|
|
apt-get update && \
|
|
apt-get install -y gcc && \
|
|
: "Clean up for improving reproducibility (optional)" && \
|
|
rm -rf /var/log/* /var/cache/ldconfig/aux-cache
|
|
|
|
RUN apt-get update \
|
|
&& apt-get install -y --no-install-recommends \
|
|
python3-fitz libreoffice-core-nogui python3 python3-magic default-jdk-headless fonts-noto-cjk \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
RUN mkdir -p /opt/dangerzone/dangerzone
|
|
RUN touch /opt/dangerzone/dangerzone/__init__.py
|
|
COPY conversion /opt/dangerzone/dangerzone/conversion
|
|
|
|
# Add the unprivileged user. Set the UID/GID of the dangerzone user/group to
|
|
# 1000, since we will point to it from the OCI config.
|
|
#
|
|
# NOTE: A tmpfs will be mounted over /home/dangerzone directory,
|
|
# so nothing within it from the image will be persisted.
|
|
RUN addgroup --gid 1000 dangerzone \
|
|
&& adduser --uid 1000 --ingroup dangerzone --shell /bin/true --home /home/dangerzone dangerzone
|
|
|
|
###########################################
|
|
# gVisor wrapper image
|
|
|
|
FROM debian:bookworm-20230904-slim
|
|
ENV DEBIAN_FRONTEND=noninteractive
|
|
RUN \
|
|
--mount=type=cache,target=/var/cache/apt,sharing=locked \
|
|
--mount=type=cache,target=/var/lib/apt,sharing=locked \
|
|
--mount=type=bind,source=./repro-sources-list.sh,target=/usr/local/bin/repro-sources-list.sh \
|
|
repro-sources-list.sh && \
|
|
apt-get update && \
|
|
apt-get install -y gcc && \
|
|
: "Clean up for improving reproducibility (optional)" && \
|
|
rm -rf /var/log/* /var/cache/ldconfig/aux-cache
|
|
|
|
|
|
RUN apt-get update \
|
|
&& apt-get install -y --no-install-recommends python3 wget ca-certificates \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
RUN GVISOR_URL="https://storage.googleapis.com/gvisor/releases/release/latest/$(uname -m)"; \
|
|
wget "${GVISOR_URL}/runsc" "${GVISOR_URL}/runsc.sha512" && \
|
|
sha512sum -c runsc.sha512 && \
|
|
rm -f runsc.sha512 && \
|
|
chmod 555 runsc && \
|
|
mv runsc /usr/bin/
|
|
|
|
# Add the unprivileged `dangerzone` user.
|
|
RUN addgroup --gid 1000 dangerzone \
|
|
&& adduser --uid 1000 --ingroup dangerzone --shell /bin/true --home /home/dangerzone dangerzone
|
|
|
|
# Switch to the dangerzone user for the rest of the script.
|
|
USER dangerzone
|
|
|
|
# Copy the Dangerzone image, as created by the previous steps, into the home
|
|
# directory of the `dangerzone` user.
|
|
RUN mkdir /home/dangerzone/dangerzone-image
|
|
COPY --from=dangerzone-image / /home/dangerzone/dangerzone-image/rootfs
|
|
|
|
# Create a directory that will be used by gVisor as the place where it will
|
|
# store the state of its containers.
|
|
RUN mkdir /home/dangerzone/.containers
|
|
|
|
COPY gvisor_wrapper/entrypoint.py /
|
|
|
|
ENTRYPOINT ["/entrypoint.py"]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
############################################
|
|
## Build PyMuPDF
|
|
|
|
#FROM alpine:latest as pymupdf-build
|
|
#ARG ARCH
|
|
#ARG REQUIREMENTS_TXT
|
|
|
|
## Install PyMuPDF via hash-checked requirements file
|
|
#COPY ${REQUIREMENTS_TXT} /tmp/requirements.txt
|
|
|
|
## PyMuPDF provides non-arm musl wheels only.
|
|
## Only install build-dependencies if we are actually building the wheel
|
|
#RUN case "$ARCH" in \
|
|
# "arm64") \
|
|
# # This is required for copying later, but is created only in the pre-built wheels
|
|
# mkdir -p /usr/lib/python3.12/site-packages/PyMuPDF.libs/ \
|
|
# && apk --no-cache add linux-headers g++ linux-headers gcc make python3-dev py3-pip clang-dev ;; \
|
|
# *) \
|
|
# apk --no-cache add py3-pip ;; \
|
|
# esac
|
|
#RUN pip install -vv --break-system-packages --require-hashes -r /tmp/requirements.txt
|
|
|
|
|
|
############################################
|
|
## Download H2ORestart
|
|
#FROM alpine:latest as h2orestart-dl
|
|
#ARG H2ORESTART_CHECKSUM=d09bc5c93fe2483a7e4a57985d2a8d0e4efae2efb04375fe4b59a68afd7241e2
|
|
#RUN mkdir /libreoffice_ext && cd libreoffice_ext \
|
|
# && H2ORESTART_FILENAME=h2orestart.oxt \
|
|
# && H2ORESTART_VERSION="v0.6.6" \
|
|
# && wget https://github.com/ebandal/H2Orestart/releases/download/$H2ORESTART_VERSION/$H2ORESTART_FILENAME \
|
|
# && echo "$H2ORESTART_CHECKSUM $H2ORESTART_FILENAME" | sha256sum -c \
|
|
# && install -dm777 "/usr/lib/libreoffice/share/extensions/"
|
|
|
|
|
|
############################################
|
|
## Dangerzone image
|
|
|
|
#FROM alpine:latest AS dangerzone-image
|
|
|
|
## Install dependencies
|
|
#RUN apk --no-cache -U upgrade && \
|
|
# apk --no-cache add \
|
|
# libreoffice \
|
|
# openjdk8 \
|
|
# python3 \
|
|
# py3-magic \
|
|
# font-noto-cjk
|
|
|
|
#COPY --from=pymupdf-build /usr/lib/python3.12/site-packages/fitz/ /usr/lib/python3.12/site-packages/fitz
|
|
#COPY --from=pymupdf-build /usr/lib/python3.12/site-packages/pymupdf/ /usr/lib/python3.12/site-packages/pymupdf
|
|
#COPY --from=pymupdf-build /usr/lib/python3.12/site-packages/PyMuPDF.libs/ /usr/lib/python3.12/site-packages/PyMuPDF.libs
|
|
#COPY --from=h2orestart-dl /libreoffice_ext/ /libreoffice_ext
|
|
|
|
#RUN install -dm777 "/usr/lib/libreoffice/share/extensions/"
|
|
|
|
#RUN mkdir -p /opt/dangerzone/dangerzone
|
|
#RUN touch /opt/dangerzone/dangerzone/__init__.py
|
|
#COPY conversion /opt/dangerzone/dangerzone/conversion
|
|
|
|
## Add the unprivileged user. Set the UID/GID of the dangerzone user/group to
|
|
## 1000, since we will point to it from the OCI config.
|
|
##
|
|
## NOTE: A tmpfs will be mounted over /home/dangerzone directory,
|
|
## so nothing within it from the image will be persisted.
|
|
#RUN addgroup -g 1000 dangerzone && \
|
|
# adduser -u 1000 -s /bin/true -G dangerzone -h /home/dangerzone -D dangerzone
|
|
|
|
############################################
|
|
## gVisor wrapper image
|
|
|
|
#FROM alpine:latest
|
|
|
|
#RUN apk --no-cache -U upgrade && \
|
|
# apk --no-cache add python3
|
|
|
|
#RUN GVISOR_URL="https://storage.googleapis.com/gvisor/releases/release/latest/$(uname -m)"; \
|
|
# wget "${GVISOR_URL}/runsc" "${GVISOR_URL}/runsc.sha512" && \
|
|
# sha512sum -c runsc.sha512 && \
|
|
# rm -f runsc.sha512 && \
|
|
# chmod 555 runsc && \
|
|
# mv runsc /usr/bin/
|
|
|
|
## Add the unprivileged `dangerzone` user.
|
|
#RUN addgroup dangerzone && \
|
|
# adduser -s /bin/true -G dangerzone -h /home/dangerzone -D dangerzone
|
|
|
|
## Switch to the dangerzone user for the rest of the script.
|
|
#USER dangerzone
|
|
|
|
## Copy the Dangerzone image, as created by the previous steps, into the home
|
|
## directory of the `dangerzone` user.
|
|
#RUN mkdir /home/dangerzone/dangerzone-image
|
|
#COPY --from=dangerzone-image / /home/dangerzone/dangerzone-image/rootfs
|
|
|
|
## Create a directory that will be used by gVisor as the place where it will
|
|
## store the state of its containers.
|
|
#RUN mkdir /home/dangerzone/.containers
|
|
|
|
#COPY gvisor_wrapper/entrypoint.py /
|
|
|
|
#ENTRYPOINT ["/entrypoint.py"]
|