Fossil

Diff

Differences From Artifact [96c24bcefa]:

To Artifact [31fc42c4e8]:


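--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -57,47 +57,45 @@
 ## ---------------------------------------------------------------------
 ## STAGE 2: Pare that back to the bare essentials.
 ## ---------------------------------------------------------------------
 
 FROM scratch AS os
 WORKDIR /jail
 ARG UID=499
-ENV PATH "/bin:/usr/bin:/jail/bin"
+ENV PATH "/bin:/jail/bin"
 
 ### Lay BusyBox down as the first base layer. Coupled with the host's
 ### kernel, this is the "OS" used to RUN the subsequent setup script.
 COPY --from=builder /tmp/bbx/busybox /bin/
 RUN [ "/bin/busybox", "--install", "/bin" ]
 
 ### Set up that base OS for our specific use without tying it to
 ### anything likely to change often.  So long as the user leaves
 ### UID alone, this layer will be durable.
 RUN set -x                                                             \
     && echo "root:x:0:0:Admin:/:/false"                 > /etc/passwd  \
     && echo "root:x:0:root"                             > /etc/group   \
     && echo "fossil:x:${UID}:${UID}:User:/jail:/false" >> /etc/passwd  \
     && echo "fossil:x:${UID}:fossil"                   >> /etc/group   \
     && install -d -m 700 -o fossil -g fossil log museum                \
     && install -d -m 755 -o fossil -g fossil dev                       \
-    && install -d -m 755 -o root -g root /usr/bin                      \
-    && install -d -m 400 -o root -g root /run                          \
     && install -d -m 1777 -o root -g root /tmp                         \
     && mknod -m 666 dev/null    c 1 3                                  \
     && mknod -m 444 dev/urandom c 1 9
 
 ### Do Fossil-specific things atop those base layers; this will change
 ### as often as the Fossil build-from-source layer above.
 COPY --from=builder /tmp/fossil bin/
 RUN set -x                                                             \
-    && ln -s /jail/bin/fossil /usr/bin/f                               \
-    && echo -e '#!/bin/sh\nfossil sha1sum "$@"' > /usr/bin/sha1sum     \
-    && echo -e '#!/bin/sh\nfossil sha3sum "$@"' > /usr/bin/sha3sum     \
+    && ln -s /jail/bin/fossil /bin/f                                   \
+    && echo -e '#!/bin/sh\nfossil sha1sum "$@"' > /bin/sha1sum         \
+    && echo -e '#!/bin/sh\nfossil sha3sum "$@"' > /bin/sha3sum         \
     && echo -e '#!/bin/sh\nfossil sqlite3 --no-repository "$@"' >      \
-       /usr/bin/sqlite3                                                \
-    && chmod +x /usr/bin/sha?sum /usr/bin/sqlite3
+       /bin/sqlite3                                                    \
+    && chmod +x /bin/sha?sum /bin/sqlite3
 
 
 ## ---------------------------------------------------------------------
 ## STAGE 3: Run!
 ## ---------------------------------------------------------------------
 
 EXPOSE 8080/tcp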
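Review bot: The wrapper scripts in the second `RUN` are now written into `/bin`, the same directory that `busybox --install /bin` populated earlier, so `> /bin/sha1sum` and `> /bin/sha3sum` can collide with BusyBox applets of the same name, which the old `/usr/bin` targets could not. Without `-s`, `--install` creates hard links, so a redirect onto an existing applet name would open the shared BusyBox inode for writing rather than create a new file; whether the BusyBox built in the `builder` stage enables those applets is not visible in this hunk, so treat this as something to confirm. Unlinking first makes the step independent of the applet set: add `&& rm -f /bin/sha1sum /bin/sha3sum /bin/sqlite3 \` ahead of the `echo -e` lines. If the BusyBox configuration deliberately omits them, a comment above the `RUN` such as `### /bin is shared with BusyBox; its config must not provide sha1sum, sha3sum or sqlite3.` would record that dependency. Separately, `ENV PATH "/bin:/jail/bin"` uses the legacy space-separated form; `ENV PATH="/bin:/jail/bin"` is the current spelling.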