refactor

4 years ago · eb3b349421
parent cb8de888f7
commit eb3b349421
6 changed files with 38 additions and 58 deletions
--- a/60
+++ b/60
@ -1,48 +1,26 @@
-FROM ubuntu:bionic
-MAINTAINER Andrey Arapov <andrey.arapov@nixaid.com>
+FROM alpine:latest
+# https://dist.torproject.org/torbrowser/8.0.4/tor-browser-linux64-8.0.4_en-US.tar.xz
+RUN wget -O tor.tar.xz https://files.nixaid.com/tor-browser-linux64-8.0.4_en-US.tar.xz && \
+    wget -O tor.tar.xz.asc https://www.torproject.org/dist/torbrowser/8.0.4/tor-browser-linux64-8.0.4_en-US.tar.xz.asc
+COPY sha512sum.txt .
+RUN apk add --update gnupg && \
+    sha512sum -c sha512sum.txt && \
+    gpg --keyserver keyserver.ubuntu.com --recv-keys "EF6E286DDA85EA2A4BA7DE684E2C6E8793298290" && \
+    gpg --verify tor.tar.xz.asc && \
+    unxz tor.tar.xz

-# To avoid problems with Dialog and curses wizards
-ENV DEBIAN_FRONTEND noninteractive
+FROM ubuntu:bionic

-# Keep the image updated and install the dependencies
 RUN apt-get update && \
-    apt-get -y upgrade && \
-    apt-get -y dist-upgrade && \
-    apt-get -fy install && \
-    apt-get -y install xz-utils libdbus-glib-1-2 libgtk-3-0 libxt6 \
-                       libgl1-mesa-glx pulseaudio attr gpg && \
+  DEBIAN_FRONTEND=noninteractive apt-get -y install gosu libdbus-1-3 libx11-xcb1 libx11-6 libxext6 libxrender1 libxt6 libatk1.0-0 libcairo-gobject2 libcairo2 libssl1.0.0 libdbus-glib-1-2 libevent-2.1-6 libfontconfig1 libfreetype6 libgtk-3-0 libgtk2.0-0 libgdk-pixbuf2.0-0 libglib2.0-0 libglib2.0-0 libglib2.0-0 libglib2.0-0 libgtk-3-0 libgtk2.0-0 libpango-1.0-0 libpangocairo-1.0-0 libpangoft2-1.0-0 libssl1.0.0 libxcb-shm0 libxcb1 && \
    rm -rf /var/lib/apt/lists

-# bzip2 libgtk-3-0 libasound2 libpango1.0-0 libv4l-0 libgl1-mesa-glx x264
-
-# Workaround: pulseaudio client library likes to remove /dev/shm/pulse-shm-*
-#             files created by the host, causing sound to stop working.
-#             To fix this, we either want to disable the shm or mount /dev/shm
-#             in read-only mode when starting the container.
-RUN echo "enable-shm = no" >> /etc/pulse/client.conf
-
-
-ENV USER user
-ENV UID 1000
-ENV GROUPS video,audio
-ENV HOME /home/$USER
-RUN useradd -u $UID -m -d $HOME -s /usr/sbin/nologin -G $GROUPS $USER
-
-ENV TORVER 8.0.3
-ENV TORKEY "EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"
-ADD https://www.torproject.org/dist/torbrowser/${TORVER}/tor-browser-linux64-${TORVER}_en-US.tar.xz /tmp/tor.tar.xz
-ADD https://www.torproject.org/dist/torbrowser/${TORVER}/tor-browser-linux64-${TORVER}_en-US.tar.xz.asc /tmp/tor.tar.xz.asc
-
-RUN cd /tmp && \
-    gpg --keyserver keyserver.ubuntu.com --recv-keys $TORKEY && \
-    gpg --verify tor.tar.xz.asc && \
-    tar xf tor.tar.xz -C $HOME && \
-    rm -f tor.tar.xz && \
-    chown -Rh $USER:$USER $HOME
-
-WORKDIR $HOME
-
-VOLUME [ "/tmp", "$HOME/tor-browser" ]
+COPY --from=0 tor.tar .
+RUN mkdir -p /home/user && \
+    tar -xf tor.tar -C /home/user && \
+    rm -vf tor.tar && \
+    chown -Rh 1000:1000 -- /home/user

 COPY ./launch /launch
-ENTRYPOINT [ "/bin/bash", "/launch" ]
+ENTRYPOINT [ "/bin/sh", "/launch" ]
+LABEL maintainer="Andrey Arapov <andrey.arapov@nixaid.com>"
--- a/EXTRA.md
+++ b/EXTRA.md
@ -0,0 +1,11 @@
+## Extra
+
+Mostly notes for myself.
+
+```
+find /opt/ -xdev -type f -execdir sh -c "LD_LIBRARY_PATH=/opt/tor-browser_en-US/Browser/ ldd '{}' | grep 'not found'" \; | awk '{print $1}' | sort | uniq | tr '\n' ',' ; echo
+
+dpkg -S /usr/lib/x86_64-linux-gnu/{libX11-xcb.so.1,libX11.so.6} | cut -f1 -d: | xargs
+
+lsof -Pn -p $(pidof XYZ) 2>/dev/null | grep -w REG | awk '{print $8}' | xargs dpkg -S 2>/dev/null | cut -f1 -d: | sort | uniq | xargs
+```
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-Copyright (c) 2016, Andrey Arapov
+Copyright (c) 2016-2018, Andrey Arapov

 Permission to use, copy, modify, and/or distribute this software for any
 purpose with or without fee is hereby granted, provided that the above
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,8 +1,9 @@
-version: '2'
+version: '3.7'

 services:
  tor:
-    image: andrey01/tor:8.0.3
+    init: true
+    build: .
    network_mode: bridge
    volumes:
      - /tmp/.X11-unix:/tmp/.X11-unix:ro
@ -13,8 +14,6 @@ services:
      - PULSE_SERVER=unix:$XDG_RUNTIME_DIR/pulse/native
    cap_add:
      - IPC_LOCK # lock memory to prevent sensitive values from being swapped to disk.
-    # Turns off anonymous page swapping
-    mem_swappiness: 0
    shm_size: 4G
    ports:
      - 127.0.0.1:9150:9150/tcp
--- a/15
+++ b/15
@ -5,15 +5,6 @@ set -x
 #
 exec 2>&1

-#
-# Befriend with grsecurity patched Linux kernel
-#
-if [ -r /proc/sys/kernel/grsecurity/tpe_gid ]; then
-  groupadd -r -g $(cat /proc/sys/kernel/grsecurity/tpe_gid) grsec-tpe
-  usermod -aG grsec-tpe $USER
-  setfattr -n user.pax.flags -v "rm" \
-        $HOME/tor-browser/Browser/firefox \
-        $HOME/tor-browser/Browser/TorBrowser/Tor/tor
-fi
-
-su -s /bin/sh -p $USER -c "cd ./tor-browser_en-US/Browser && ./start-tor-browser"
+id user >/dev/null 2>&1 || useradd -s /usr/sbin/nologin -d /home/user -u ${UID:-1000} -G audio,video user
+gosu user namei -lx /home/user/tor-browser_en-US/Browser/start-tor-browser || chown -Rh user:user -- /home/user/tor-browser_en-US
+gosu user /home/user/tor-browser_en-US/Browser/start-tor-browser $@
--- a/sha512sum.txt
+++ b/sha512sum.txt
@ -0,0 +1 @@
+c72c712de1358f2ef10caed4d95256e6b60fa6a84b88ff8e516fc99a6c09bc99d523e27bea6f2364c23290e15ad74109efeb4382c17b62f913c6596c8853430f  tor.tar.xz
				`@ -0,0 +1 @@`
				`c72c712de1358f2ef10caed4d95256e6b60fa6a84b88ff8e516fc99a6c09bc99d523e27bea6f2364c23290e15ad74109efeb4382c17b62f913c6596c8853430f tor.tar.xz`