CI/CD and Dockerfile updates #278
Conversation
Yes ^^! |
Thanks for this. Looks fantastic. I've been trying to figure out how to publish releases via GH Actions because I don't have a Windows box to build on, and CGO makes cross-compiling a no-go.
I'm not sure exactly how this Docker image works. "Scratch image" means there's no OS, right? As I understand it, the proper way to use Docker (normally) is to create a user account in the guest OS to run the application, so it isn't running as root and therefore doesn't inherit the Docker daemon/container's root rights. But with no OS, Shiori would be effectively running as root, and the user would have to configure their Docker daemon to run this image under another user? Which Docker doesn't do by default? |
You would have to set Docker to run with what is called user namespaces. This can be done but it is not default. Alternatively you could run it under something like podman. My suggestion would be to use a very small container such as Alpine, create a user and run it that way. If you look at my previous pull requests you can see an example where I actually created a user and ran as a non-root user.
Thomas J Munn
… On Oct 7, 2020, at 09:50, Dean Jackson ***@***.***> wrote:
docker image does run as root (could be a security issue) this could be easily changed but may also be harder to setup for some
|
Docker image is now running as a user. It is still using the scratch image. Using a scratch image removes vulnerabilities that could be in the OS or preinstalled packages. |
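The pattern described above (static Go binary in a scratch image, running as an unprivileged user created in the build stage) as an added example; this is not the PR's own Dockerfile. It assumes the repository builds with `go build` at its root, that Shiori listens on port 8080 and that `SHIORI_DIR` selects the data directory.

```dockerfile
# Added example, not the project's Dockerfile. Builds a CGO-enabled Go binary
# (Shiori needs CGO for sqlite) as a static, stripped executable and runs it
# from scratch as a non-root user. Assumed: `go build` at repo root, port 8080,
# SHIORI_DIR env var for the data directory.

# ---- build stage ---------------------------------------------------------
FROM golang:1.15-alpine AS builder

# C toolchain for CGO and a static link against musl.
RUN apk add --no-cache build-base git

# Create the unprivileged account here: scratch has no adduser, so the
# /etc/passwd and /etc/group entries are generated now and copied later.
RUN addgroup -g 1000 shiori && \
    adduser -D -H -u 1000 -G shiori -s /sbin/nologin shiori

WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .

# -s -w drop the symbol table and DWARF debug info (smaller image; Go panic
# stack traces still resolve). -extldflags '-static' makes the CGO binary
# self-contained so the final image needs no libc at all.
RUN CGO_ENABLED=1 GOOS=linux go build -trimpath \
    -ldflags="-s -w -extldflags '-static'" -o /out/shiori .

# Writable data directory owned by the runtime UID, prepared in the builder
# because scratch has no mkdir or chown.
RUN mkdir -p /out/data && chown 1000:1000 /out/data

# ---- runtime stage -------------------------------------------------------
FROM scratch

# Only what the process needs: the user database, CA roots for outbound HTTPS
# (Shiori fetches the pages it bookmarks), the binary and its data directory.
COPY --from=builder /etc/passwd /etc/group /etc/
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /out/shiori /usr/local/bin/shiori
COPY --from=builder --chown=1000:1000 /out/data /data

# Drop root before the entrypoint starts; the name resolves via the copied
# passwd file, so a UID:GID pair would work equally well here.
USER shiori:shiori
WORKDIR /data
ENV SHIORI_DIR=/data
EXPOSE 8080
ENTRYPOINT ["/usr/local/bin/shiori"]
CMD ["serve"]
```

Since scratch has no shell to `exec` into, confirm the effective user with `docker inspect -f '{{.Config.User}}' <image>` and, once running, with `docker top <container>` on the host.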
Yeah, that's the solution I'm familiar with. And which is missing from so many Dockerfiles… 😭
I'm more worried about Shiori running as root, tbh. That should be the only service that's actually accessible (and exploitable). And it just makes me twitch… @symgryph Does this look good to you? In your PR, you were compressing the shiori binary? Does that add much? |
Meh. "shiori" and "goshiori" are already taken on Docker Hub. Anyone got any good suggestions? I've created a "deanishe" account, but I'd rather host Shiori under its own namespace. |
If the pull request doesn't get merged in a reasonable amount of time perhaps we should just fork a docker repo. That way we would control the docker file and still be able to use shiori.
Thomas J Munn
… On Oct 9, 2020, at 02:18, Dean Jackson ***@***.***> wrote:
@symgryph Does this look good to you? In your PR, you were compressing the shiori binary? Does that add much?
|
As for compressing the shiori executable, I was just using upx. Basically you get a reduction in image size for a small penalty when you first start up the service as it has to be decompressed.
Thomas J Munn
… On Oct 9, 2020, at 02:30, Dean Jackson ***@***.***> wrote:
|
ohnoshori!
Thomas J Munn
… On Oct 9, 2020, at 02:30, Dean Jackson ***@***.***> wrote:
|
showshiori
ogshioti
Thomas J Munn
… On Oct 9, 2020, at 09:25, Thomas Munn ***@***.***> wrote:
|
Fork docker stuff? I think we're gonna have no choice but to fork at least the docker portions of this. The pull requests never seem to be being processed. Offers to help are refused. Not sure what else to do. I don't wanna abandon shiori but I may not have any choice. |
This is great... @deanishe is this something that can move forward? |
@deanishe Docker account updated to 'deanishe' if you come up with something better I can create a new pr. For now add your docker hub access token to the github actions secret DOCKER_HUB_ACCESS_TOKEN and deanishe to DOCKER_HUB_ACCESS_TOKEN merge the PR and it should be good. |
is this ever going to get merged? i don’t mean to be a meanie, but there seems to be absolutely no progress. |
@symgryph: I have a fork i'm working on validating stability -- lets see how that goes? |
If you need help with your repo I would be happy to help with some of the security work. I do security full-time for both containers etc. I can also help with docker optimization if you wish. What is the repo called? Please provide url or link.
Thomas J Munn
… On Nov 17, 2020, at 19:19, James Cox ***@***.***> wrote:
|
Is there a docker image for testing? |
Can you post your fork? I would like to test out your docker image. |
I should be able to find some time to update this PR. I'll look into slimming it down a little as well. |
That's just wonderful! Thank you for your dedication after all this time :) |
Closed by #365 |
Dockerfile changes
Releases
-extldflags -s -w flags for a smaller binary; this strips DWARF tables used in debuggers and doesn't affect stack traces.
Continuous Integration
A go-shiori account will need to be made on docker hub
A personal access token will need to be created on docker hub
The following github actions secrets will need to be set in github
Examples:
https://github.com/n8225/shiori/actions
https://github.com/n8225/shiori/releases
https://hub.docker.com/r/nrew225/shiori
Related Issues: #263 #260
Closes #254 #267 #238 #273