bump firefox and java; refactor

This commit is contained in:
Andy 2016-08-22 19:55:14 +02:00
parent db5fdd3c43
commit 7ebbed7882
Signed by: arno
GPG Key ID: 368DDA2E9A471EAC
3 changed files with 32 additions and 27 deletions


@ -8,7 +8,7 @@ ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update && \ RUN apt-get update && \
apt-get -y upgrade && \ apt-get -y upgrade && \
apt-get -fy install && \ apt-get -fy install && \
apt-get -y install bzip2 libgtk2.0-0 libgtk-3-0 libdbus-glib-1-2 libxt6 paxctl \ apt-get -y install bzip2 libgtk2.0-0 libgtk-3-0 libdbus-glib-1-2 libxt6 attr \
pulseaudio libgl1-mesa-glx x264 \ pulseaudio libgl1-mesa-glx x264 \
libpango1.0-0 libv4l-0 \ libpango1.0-0 libv4l-0 \
fonts-dejavu-core fonts-freefont-ttf fonts-guru-extra \ fonts-dejavu-core fonts-freefont-ttf fonts-guru-extra \
@ -37,30 +37,13 @@ RUN echo "enable-shm = no" >> /etc/pulse/client.conf
# Mozilla Firefox # Mozilla Firefox
# Deps: bzip2 libgtk-3-0 libdbus-glib-1-2 libxt6 # Deps: bzip2 libgtk-3-0 libdbus-glib-1-2 libxt6
ENV FIREFOX_VER 47.0.1 ENV FIREFOX_VER 48.0.1
ADD https://download-installer.cdn.mozilla.net/pub/firefox/releases/$FIREFOX_VER/linux-x86_64/en-US/firefox-$FIREFOX_VER.tar.bz2 /tmp/firefox.tar.bz2 ADD https://download-installer.cdn.mozilla.net/pub/firefox/releases/$FIREFOX_VER/linux-x86_64/en-US/firefox-$FIREFOX_VER.tar.bz2 /tmp/firefox.tar.bz2
RUN cd /tmp && \ RUN cd /tmp && \
mkdir /opt/mozilla && \ mkdir /opt/mozilla && \
tar xf firefox.tar.bz2 -C /opt/mozilla/ && \ tar xf firefox.tar.bz2 -C /opt/mozilla/ && \
rm -f firefox.tar.bz2 rm -f firefox.tar.bz2 && \
chown -Rh root:root /opt/mozilla
# Make Mozilla Firefox grsec friendly
# more info: https://en.wikibooks.org/wiki/Grsecurity/Application-specific_Settings#Firefox_.28or_Iceweasel_in_Debian.29
#
# To build the Docker image, I currently had to disable the following grsec protections:
# # grep -E "chroot_deny_chmod|chroot_deny_mknod|chroot_caps" /etc/sysctl.d/grsec.conf
# kernel.grsecurity.chroot_deny_chmod = 0
# kernel.grsecurity.chroot_deny_mknod = 0
# kernel.grsecurity.chroot_caps = 0 (relates to a systemd package)
#
# (runtime only, since xattrs are not preserved in Docker's final image)
# m: Disable MPROTECT // grsec: denied RWX mmap of <anonymous mapping>
# RUN setfattr -n user.pax.flags -v "m" /opt/mozilla/firefox/firefox
#
# (permanent change, by converting the binary headers PT_GNU_STACK into PT_PAX_FLAGS)
# m: Disable MPROTECT // grsec: denied RWX mmap of <anonymous mapping>
RUN paxctl -c -v -m /opt/mozilla/firefox/firefox
# Google Hangouts # Google Hangouts
# Deps: libasound2 libgtk2.0-0 libpango1.0-0 libv4l-0 # Deps: libasound2 libgtk2.0-0 libpango1.0-0 libv4l-0
@ -73,9 +56,9 @@ RUN cd /tmp && \
# https://java.com/en/download/manual.jsp # https://java.com/en/download/manual.jsp
# https://www.java.com/verify # https://www.java.com/verify
ENV JAVA_VER 8 ENV JAVA_VER 8
ENV JAVA_JRE_UVER 91 ENV JAVA_JRE_UVER 101
ENV JAVA_JRE_FVER 1.8.0_91 ENV JAVA_JRE_FVER 1.8.0_101
ENV JAVA_BUNDLE_ID 207765 ENV JAVA_BUNDLE_ID 211989
ENV JAVA_FONTS "/usr/share/fonts/truetype" ENV JAVA_FONTS "/usr/share/fonts/truetype"
ENV _JAVA_OPTIONS "-Dawt.useSystemAAFontSettings=on \ ENV _JAVA_OPTIONS "-Dawt.useSystemAAFontSettings=on \
-Dswing.aatext=true \ -Dswing.aatext=true \
@ -92,6 +75,7 @@ ADD http://javadl.sun.com/webapps/download/AutoDL?BundleId=$JAVA_BUNDLE_ID /tmp/
RUN mkdir -p /opt/java/64 && \ RUN mkdir -p /opt/java/64 && \
tar xf /tmp/jre.tar.gz -C /opt/java/64/ && \ tar xf /tmp/jre.tar.gz -C /opt/java/64/ && \
rm -f /tmp/jre.tar.gz && \ rm -f /tmp/jre.tar.gz && \
chown -Rh root:root /opt/java/64/ && \
cd /opt/java/64/ && \ cd /opt/java/64/ && \
ln -sv jre${JAVA_JRE_FVER} jre && \ ln -sv jre${JAVA_JRE_FVER} jre && \
ln -sv /opt/java/64/jre/lib/amd64/libnpjp2.so /usr/lib/mozilla/plugins/ && \ ln -sv /opt/java/64/jre/lib/amd64/libnpjp2.so /usr/lib/mozilla/plugins/ && \
@ -107,10 +91,10 @@ ENV GROUPS video,audio
ENV HOME /home/$USER ENV HOME /home/$USER
RUN useradd -u $UID -m -d $HOME -s /usr/sbin/nologin -G $GROUPS $USER RUN useradd -u $UID -m -d $HOME -s /usr/sbin/nologin -G $GROUPS $USER
USER $USER
WORKDIR $HOME WORKDIR $HOME
# Java JRE requires /tmp directory to be writable # Java JRE requires /tmp directory to be writable
VOLUME [ "/tmp" ] VOLUME [ "/tmp" ]
ENTRYPOINT [ "/opt/mozilla/firefox/firefox" ] COPY ./launch /launch
ENTRYPOINT [ "/bin/bash", "/launch" ]
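Review bot: Dropping `USER $USER` means the container now starts as root, and the only privilege drop left is the `su` at the end of /launch, which nothing in the Dockerfile records; anyone who overrides the entrypoint or runs `docker exec` into the container lands in a root shell by default. I would state that intent above `COPY ./launch /launch`: `# Starts as root on purpose: /launch applies the PaX xattrs (not preserved in image layers) and the grsec TPE group at container start, then drops to the unprivileged user via su`. The same comment should say that on a host without the grsec sysctl those steps are skipped and root is held only until the su call, so a reader knows why the hardening of `USER` was traded away. The ENTRYPOINT itself is correctly in exec form; if the script is made executable, `ENTRYPOINT [ "/launch" ]` would keep the interpreter choice in its shebang rather than here.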


@ -7,7 +7,6 @@ services:
firefox: firefox:
# docker build -t andrey01/firefox . # docker build -t andrey01/firefox .
image: andrey01/firefox image: andrey01/firefox
read_only: true
network_mode: bridge network_mode: bridge
devices: devices:
- /dev/dri - /dev/dri

launch Normal file

@ -0,0 +1,22 @@
#!/bin/bash
#
# Make errors visible upon `docker logs -f steam` command
#
exec 2>&1
#
# Befriend with grsecurity patched Linux kernel
#
if [ -r /proc/sys/kernel/grsecurity/tpe_gid ]; then
groupadd -r -g $(cat /proc/sys/kernel/grsecurity/tpe_gid) grsec-tpe
usermod -aG grsec-tpe $USER
setfattr -n user.pax.flags -v "m" \
/opt/mozilla/firefox/firefox \
/opt/mozilla/firefox/plugin-container \
/opt/java/64/jre/bin/java \
/opt/java/64/jre/lib/amd64/libnpjp2.so
# /lib/x86_64-linux-gnu/ld-2.23.so
fi
su -s /bin/sh -p user -c "/opt/mozilla/firefox/firefox $@"
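Review bot: The final `su` line expands `$@` inside the double-quoted `-c` string, so the container's arguments are joined into one string and re-parsed by /bin/sh — an argument containing spaces, globs or `;` is split or executed instead of reaching Firefox intact — and the target account is the literal `user` while the grsec branch above uses `$USER`. Pass the arguments as positional parameters of the invoked shell instead, e.g. `exec su -s /bin/sh -p "$USER" -c 'exec "$0" "$@"' /opt/mozilla/firefox/firefox "$@"` (both shadow and util-linux su hand trailing arguments to the shell this way; confirm on the base image), where the leading `exec` also stops the bash wrapper from holding PID 1 and swallowing the SIGTERM from `docker stop`. Note that `groupadd`, `usermod` and `setfattr` run as root and write to /etc/group and to the binaries' xattrs on every start, which presumably is why `read_only: true` was dropped from docker-compose.yml; that trade-off deserves a comment at the top of the `if` block, e.g. `# Requires a writable rootfs: modifies /etc/group and file xattrs at container start`. The `docker logs -f steam` comment at the top looks copied from another image and should read `firefox`.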