bump firefox and java; refactor
parent
db5fdd3c43
commit
7ebbed7882
36
Dockerfile
36
Dockerfile
@ -8,7 +8,7 @@ ENV DEBIAN_FRONTEND noninteractive
|
||||
RUN apt-get update && \
|
||||
apt-get -y upgrade && \
|
||||
apt-get -fy install && \
|
||||
apt-get -y install bzip2 libgtk2.0-0 libgtk-3-0 libdbus-glib-1-2 libxt6 paxctl \
|
||||
apt-get -y install bzip2 libgtk2.0-0 libgtk-3-0 libdbus-glib-1-2 libxt6 attr \
|
||||
pulseaudio libgl1-mesa-glx x264 \
|
||||
libpango1.0-0 libv4l-0 \
|
||||
fonts-dejavu-core fonts-freefont-ttf fonts-guru-extra \
|
||||
@ -37,30 +37,13 @@ RUN echo "enable-shm = no" >> /etc/pulse/client.conf
|
||||
|
||||
# Mozilla Firefox
|
||||
# Deps: bzip2 libgtk-3-0 libdbus-glib-1-2 libxt6
|
||||
ENV FIREFOX_VER 47.0.1
|
||||
ENV FIREFOX_VER 48.0.1
|
||||
ADD https://download-installer.cdn.mozilla.net/pub/firefox/releases/$FIREFOX_VER/linux-x86_64/en-US/firefox-$FIREFOX_VER.tar.bz2 /tmp/firefox.tar.bz2
|
||||
RUN cd /tmp && \
|
||||
mkdir /opt/mozilla && \
|
||||
tar xf firefox.tar.bz2 -C /opt/mozilla/ && \
|
||||
rm -f firefox.tar.bz2
|
||||
|
||||
# Make Mozilla Firefox grsec friendly
|
||||
# more info: https://en.wikibooks.org/wiki/Grsecurity/Application-specific_Settings#Firefox_.28or_Iceweasel_in_Debian.29
|
||||
#
|
||||
# To build the Docker image, I currently had to disable the following grsec protections:
|
||||
# # grep -E "chroot_deny_chmod|chroot_deny_mknod|chroot_caps" /etc/sysctl.d/grsec.conf
|
||||
# kernel.grsecurity.chroot_deny_chmod = 0
|
||||
# kernel.grsecurity.chroot_deny_mknod = 0
|
||||
# kernel.grsecurity.chroot_caps = 0 (relates to a systemd package)
|
||||
#
|
||||
# (runtime only, since xattrs are not preserved in Docker's final image)
|
||||
# m: Disable MPROTECT // grsec: denied RWX mmap of <anonymous mapping>
|
||||
# RUN setfattr -n user.pax.flags -v "m" /opt/mozilla/firefox/firefox
|
||||
#
|
||||
# (permanent change, by converting the binary headers PT_GNU_STACK into PT_PAX_FLAGS)
|
||||
# m: Disable MPROTECT // grsec: denied RWX mmap of <anonymous mapping>
|
||||
RUN paxctl -c -v -m /opt/mozilla/firefox/firefox
|
||||
|
||||
rm -f firefox.tar.bz2 && \
|
||||
chown -Rh root:root /opt/mozilla
|
||||
|
||||
# Google Hangouts
|
||||
# Deps: libasound2 libgtk2.0-0 libpango1.0-0 libv4l-0
|
||||
@ -73,9 +56,9 @@ RUN cd /tmp && \
|
||||
# https://java.com/en/download/manual.jsp
|
||||
# https://www.java.com/verify
|
||||
ENV JAVA_VER 8
|
||||
ENV JAVA_JRE_UVER 91
|
||||
ENV JAVA_JRE_FVER 1.8.0_91
|
||||
ENV JAVA_BUNDLE_ID 207765
|
||||
ENV JAVA_JRE_UVER 101
|
||||
ENV JAVA_JRE_FVER 1.8.0_101
|
||||
ENV JAVA_BUNDLE_ID 211989
|
||||
ENV JAVA_FONTS "/usr/share/fonts/truetype"
|
||||
ENV _JAVA_OPTIONS "-Dawt.useSystemAAFontSettings=on \
|
||||
-Dswing.aatext=true \
|
||||
@ -92,6 +75,7 @@ ADD http://javadl.sun.com/webapps/download/AutoDL?BundleId=$JAVA_BUNDLE_ID /tmp/
|
||||
RUN mkdir -p /opt/java/64 && \
|
||||
tar xf /tmp/jre.tar.gz -C /opt/java/64/ && \
|
||||
rm -f /tmp/jre.tar.gz && \
|
||||
chown -Rh root:root /opt/java/64/ && \
|
||||
cd /opt/java/64/ && \
|
||||
ln -sv jre${JAVA_JRE_FVER} jre && \
|
||||
ln -sv /opt/java/64/jre/lib/amd64/libnpjp2.so /usr/lib/mozilla/plugins/ && \
|
||||
@ -107,10 +91,10 @@ ENV GROUPS video,audio
|
||||
ENV HOME /home/$USER
|
||||
RUN useradd -u $UID -m -d $HOME -s /usr/sbin/nologin -G $GROUPS $USER
|
||||
|
||||
USER $USER
|
||||
WORKDIR $HOME
|
||||
|
||||
# Java JRE requires /tmp directory to be writable
|
||||
VOLUME [ "/tmp" ]
|
||||
|
||||
ENTRYPOINT [ "/opt/mozilla/firefox/firefox" ]
|
||||
COPY ./launch /launch
|
||||
ENTRYPOINT [ "/bin/bash", "/launch" ]
|
||||
|
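Review bot: The Firefox and JRE bumps change what is downloaded, but neither archive is checked against a known digest before it is unpacked as root: the `ADD https://download-installer.cdn.mozilla.net/...` line carries no checksum, and the JRE `ADD` visible in the hunk header still fetches over plain `http://javadl.sun.com/...`. Pin the expected hash next to each version variable, for example `ADD --checksum=sha256:<firefox-tarball-sha256> <same URL> /tmp/firefox.tar.bz2` on a BuildKit builder, or `echo "<firefox-tarball-sha256>  /tmp/firefox.tar.bz2" | sha256sum -c - && \` as the first command of the following `RUN`. Separately, the last hunk appears to drop `USER $USER` in favour of an entrypoint that starts as root; the +/- markers are lost in this rendering, so that is inferred from the hunk line counts. If so, a comment above `ENTRYPOINT [ "/bin/bash", "/launch" ]` stating that `/launch` is now responsible for dropping privileges would make the trust boundary explicit.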
@ -7,7 +7,6 @@ services:
|
||||
firefox:
|
||||
# docker build -t andrey01/firefox .
|
||||
image: andrey01/firefox
|
||||
read_only: true
|
||||
network_mode: bridge
|
||||
devices:
|
||||
- /dev/dri
|
||||
|
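Review bot: One of the seven lines shown here is removed (the hunk header goes from 7 lines to 6), and it appears to be `read_only: true`, although the rendering has lost the markers and the file header for this hunk. If so, the container's root filesystem becomes writable in the same commit that makes the entrypoint start as root, which is a real loss of hardening for a browser container. A comment on the service such as `# read_only removed: /launch edits /etc/group and sets xattrs under /opt at start-up` would record why the protection was dropped and what would need to change to restore it.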
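--- /dev/null
+++ b/launch
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+#
+# Make errors visible upon `docker logs -f steam` command
+#
+exec 2>&1
+
+#
+# Befriend with grsecurity patched Linux kernel
+#
+if [ -r /proc/sys/kernel/grsecurity/tpe_gid ]; then
+groupadd -r -g $(cat /proc/sys/kernel/grsecurity/tpe_gid) grsec-tpe
+usermod -aG grsec-tpe $USER
+setfattr -n user.pax.flags -v "m" \
+/opt/mozilla/firefox/firefox \
+/opt/mozilla/firefox/plugin-container \
+/opt/java/64/jre/bin/java \
+/opt/java/64/jre/lib/amd64/libnpjp2.so
+# /lib/x86_64-linux-gnu/ld-2.23.so
+fi
+
+su -s /bin/sh -p user -c "/opt/mozilla/firefox/firefox $@"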
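Review bot: The final `su ... -c "/opt/mozilla/firefox/firefox $@"` line interpolates the container arguments into a command string that a second shell re-parses, so an argument containing spaces or shell metacharacters (a URL with `&` or `;`, for instance) is split or interpreted as shell syntax instead of reaching Firefox intact, and with more than one argument the extra words land on `su` itself. Pass them as positional parameters instead, along the lines of `exec su -s /bin/sh -p "$USER" -c 'exec /opt/mozilla/firefox/firefox "$@"' -- sh "$@"` (check how the image's `su` forwards trailing arguments). That also replaces the hard-coded `user` with the `$USER` that `usermod` uses a few lines earlier, and `exec` keeps bash from lingering as PID 1 between the runtime and the browser. Two smaller points: `groupadd` will fail on a restarted container because the group already exists, and the header comment still mentions `docker logs -f steam`.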