From eb3b3494214ef4f9b7d5d2df20c06c5e927682ef Mon Sep 17 00:00:00 2001
From: Andrey Arapov
Date: Fri, 28 Dec 2018 21:44:29 +0100
Subject: [PATCH] refactor
---
 Dockerfile | 60 +++++++++++++++-------------------
 EXTRA.md | 11 +++++++++
 LICENSE | 2 +-
 docker-compose.yml | 7 +++---
 launch | 15 +++--------
 sha512sum.txt | 1 +
 6 files changed, 38 insertions(+), 58 deletions(-)
 create mode 100644 EXTRA.md
 create mode 100644 sha512sum.txt
diff --git a/Dockerfile b/Dockerfile
index 99dc806..c64ec3c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,48 +1,26 @@
-FROM ubuntu:bionic
-MAINTAINER Andrey Arapov
+FROM alpine:latest
+# https://dist.torproject.org/torbrowser/8.0.4/tor-browser-linux64-8.0.4_en-US.tar.xz
+RUN wget -O tor.tar.xz https://files.nixaid.com/tor-browser-linux64-8.0.4_en-US.tar.xz && \
+ wget -O tor.tar.xz.asc https://www.torproject.org/dist/torbrowser/8.0.4/tor-browser-linux64-8.0.4_en-US.tar.xz.asc
+COPY sha512sum.txt .
+RUN apk add --update gnupg && \
+ sha512sum -c sha512sum.txt && \
+ gpg --keyserver keyserver.ubuntu.com --recv-keys "EF6E286DDA85EA2A4BA7DE684E2C6E8793298290" && \
+ gpg --verify tor.tar.xz.asc && \
+ unxz tor.tar.xz
-# To avoid problems with Dialog and curses wizards
-ENV DEBIAN_FRONTEND noninteractive
+FROM ubuntu:bionic
-# Keep the image updated and install the dependencies
 RUN apt-get update && \
- apt-get -y upgrade && \
- apt-get -y dist-upgrade && \
- apt-get -fy install && \
- apt-get -y install xz-utils libdbus-glib-1-2 libgtk-3-0 libxt6 \
- libgl1-mesa-glx pulseaudio attr gpg && \
+ DEBIAN_FRONTEND=noninteractive apt-get -y install gosu libdbus-1-3 libx11-xcb1 libx11-6 libxext6 libxrender1 libxt6 libatk1.0-0 libcairo-gobject2 libcairo2 libssl1.0.0 libdbus-glib-1-2 libevent-2.1-6 libfontconfig1 libfreetype6 libgtk-3-0 libgtk2.0-0 libgdk-pixbuf2.0-0 libglib2.0-0 libglib2.0-0 libglib2.0-0 libglib2.0-0 libgtk-3-0 libgtk2.0-0 libpango-1.0-0 libpangocairo-1.0-0 libpangoft2-1.0-0 libssl1.0.0 libxcb-shm0 libxcb1 && \
 rm -rf /var/lib/apt/lists
-# bzip2 libgtk-3-0 libasound2 libpango1.0-0 libv4l-0 libgl1-mesa-glx x264
-
-# Workaround: pulseaudio client library likes to remove /dev/shm/pulse-shm-*
-# files created by the host, causing sound to stop working.
-# To fix this, we either want to disable the shm or mount /dev/shm
-# in read-only mode when starting the container.
-RUN echo "enable-shm = no" >> /etc/pulse/client.conf
-
-
-ENV USER user
-ENV UID 1000
-ENV GROUPS video,audio
-ENV HOME /home/$USER
-RUN useradd -u $UID -m -d $HOME -s /usr/sbin/nologin -G $GROUPS $USER
-
-ENV TORVER 8.0.3
-ENV TORKEY "EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"
-ADD https://www.torproject.org/dist/torbrowser/${TORVER}/tor-browser-linux64-${TORVER}_en-US.tar.xz /tmp/tor.tar.xz
-ADD https://www.torproject.org/dist/torbrowser/${TORVER}/tor-browser-linux64-${TORVER}_en-US.tar.xz.asc /tmp/tor.tar.xz.asc
-
-RUN cd /tmp && \
- gpg --keyserver keyserver.ubuntu.com --recv-keys $TORKEY && \
- gpg --verify tor.tar.xz.asc && \
- tar xf tor.tar.xz -C $HOME && \
- rm -f tor.tar.xz && \
- chown -Rh $USER:$USER $HOME
-
-WORKDIR $HOME
-
-VOLUME [ "/tmp", "$HOME/tor-browser" ]
+COPY --from=0 tor.tar .
+RUN mkdir -p /home/user && \
+ tar -xf tor.tar -C /home/user && \
+ rm -vf tor.tar && \
+ chown -Rh 1000:1000 -- /home/user
 COPY ./launch /launch
-ENTRYPOINT [ "/bin/bash", "/launch" ]
+ENTRYPOINT [ "/bin/sh", "/launch" ]
+LABEL maintainer="Andrey Arapov "
diff --git a/EXTRA.md b/EXTRA.md
new file mode 100644
index 0000000..0b6d5f2
--- /dev/null
+++ b/EXTRA.md
@@ -0,0 +1,11 @@
+## Extra
+
+Mostly notes for myself.
+
+```
+find /opt/ -xdev -type f -execdir sh -c "LD_LIBRARY_PATH=/opt/tor-browser_en-US/Browser/ ldd '{}' | grep 'not found'" \; | awk '{print $1}' | sort | uniq | tr '\n' ',' ; echo
+
+dpkg -S /usr/lib/x86_64-linux-gnu/{libX11-xcb.so.1,libX11.so.6} | cut -f1 -d: | xargs
+
+lsof -Pn -p $(pidof XYZ) 2>/dev/null | grep -w REG | awk '{print $8}' | xargs dpkg -S 2>/dev/null | cut -f1 -d: | sort | uniq | xargs
+```
diff --git a/LICENSE b/LICENSE
index 11239ec..a096314 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2016, Andrey Arapov
+Copyright (c) 2016-2018, Andrey Arapov
 Permission to use, copy, modify, and/or distribute this software for any
 purpose with or without fee is hereby granted, provided that the above
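Review bot: `FROM alpine:latest` in the first (fetch) stage is the only unpinned base in this hunk and makes the download-and-verify layer non-reproducible, while the runtime stage pins `ubuntu:bionic`; pin it the same way and give the stage a name, e.g. `FROM alpine:3.8 AS fetch`, and reference it as `COPY --from=fetch tor.tar .` instead of the positional `--from=0`. The Tor Browser version `8.0.4` is now repeated in the comment and in both `wget` URLs after the old `ENV TORVER` was dropped; an `ARG TORVER=8.0.4` at the top of the fetch stage with `${TORVER}` in the URLs keeps a version bump to a single edit. The `gpg --recv-keys` against keyserver.ubuntu.com makes every build depend on that keyserver being reachable, and `gpg --verify` only reports that some key in the keyring signed the file; committing the release-signing public key next to sha512sum.txt and loading it with `gpg --import`, then checking the signer explicitly (e.g. `gpg --status-fd 1 --verify tor.tar.xz.asc | grep -q 'VALIDSIG EF6E286DDA85EA2A4BA7DE684E2C6E8793298290'`), removes the build-time network dependency and makes the expected signer part of the recipe (the `sha512sum -c` already pins the exact bytes, so the signature mainly adds provenance). Because the tarball is fetched from files.nixaid.com rather than the dist.torproject.org URL quoted in the comment above it, a short comment such as `# mirror of the dist.torproject.org tarball; integrity is enforced by sha512sum.txt and the detached signature below` would tell a reader why the two URLs differ. The apt install line in the runtime stage lists `libglib2.0-0` four times and `libgtk-3-0`, `libgtk2.0-0` and `libssl1.0.0` twice; one package per continued line, sorted, with `--no-install-recommends`, would have made the duplicates visible and keeps the image smaller.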
diff --git a/docker-compose.yml b/docker-compose.yml
index 42ce24b..2a51f2a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,8 +1,9 @@
-version: '2'
+version: '3.7'
 services:
 tor:
- image: andrey01/tor:8.0.3
+ init: true
+ build: .
 network_mode: bridge
 volumes:
 - /tmp/.X11-unix:/tmp/.X11-unix:ro
@@ -13,8 +14,6 @@ services:
 - PULSE_SERVER=unix:$XDG_RUNTIME_DIR/pulse/native
 cap_add:
 - IPC_LOCK # lock memory to prevent sensitive values from being swapped to disk.
- # Turns off anonymous page swapping
- mem_swappiness: 0
 shm_size: 4G
 ports:
 - 127.0.0.1:9150:9150/tcp
diff --git a/launch b/launch
index 2e0aced..4d8f46d 100644
--- a/launch
+++ b/launch
@@ -5,15 +5,6 @@ set -x
 # exec 2>&1
-#
-# Befriend with grsecurity patched Linux kernel
-#
-if [ -r /proc/sys/kernel/grsecurity/tpe_gid ]; then
- groupadd -r -g $(cat /proc/sys/kernel/grsecurity/tpe_gid) grsec-tpe
- usermod -aG grsec-tpe $USER
- setfattr -n user.pax.flags -v "rm" \
- $HOME/tor-browser/Browser/firefox \
- $HOME/tor-browser/Browser/TorBrowser/Tor/tor
-fi
-
-su -s /bin/sh -p $USER -c "cd ./tor-browser_en-US/Browser && ./start-tor-browser"
+id user >/dev/null 2>&1 || useradd -s /usr/sbin/nologin -d /home/user -u ${UID:-1000} -G audio,video user
+gosu user namei -lx /home/user/tor-browser_en-US/Browser/start-tor-browser || chown -Rh user:user -- /home/user/tor-browser_en-US
+gosu user /home/user/tor-browser_en-US/Browser/start-tor-browser $@
diff --git a/sha512sum.txt b/sha512sum.txt
new file mode 100644
index 0000000..616f113
--- /dev/null
+++ b/sha512sum.txt
@@ -0,0 +1 @@
+c72c712de1358f2ef10caed4d95256e6b60fa6a84b88ff8e516fc99a6c09bc99d523e27bea6f2364c23290e15ad74109efeb4382c17b62f913c6596c8853430f tor.tar.xz
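Review bot: Dropping `mem_swappiness: 0` together with its "Turns off anonymous page swapping" comment in the second hunk removes a deliberate hardening knob without leaving any trace of why; as far as I know that key is not accepted by the v3 compose schema, which is presumably the reason, but the intent is now unrecorded and the retained `IPC_LOCK` comment still reads as if swap protection were in place. Add a comment on the `cap_add` block such as `# mem_swappiness is not available in compose v3; keep browser memory off disk via host swap settings or a v2 file` so the next reader knows the protection moved rather than still exists. Replacing the pinned `image: andrey01/tor:8.0.3` with `build: .` in the first hunk also means the running version is whatever the Dockerfile fetches; keeping an `image:` line alongside `build:` lets compose tag the result and keeps the version visible in `docker images`.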
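Review bot: The last added line in the launch hunk passes `$@` unquoted, so any argument containing whitespace is re-split before it reaches start-tor-browser; it should be `"$@"`. The same line should also `exec` so that the browser replaces the wrapper shell and directly receives the signals that `init: true` in docker-compose.yml now forwards: `exec gosu user /home/user/tor-browser_en-US/Browser/start-tor-browser "$@"`. The `gosu user namei -lx …` probe on the line above is an unusual way to ask "can this user reach the launcher"; `gosu user test -x /home/user/tor-browser_en-US/Browser/start-tor-browser` states what is being tested and has an unambiguous exit status. Whether a failed `useradd` (for example a UID collision on `${UID:-1000}`) stops the script depends on a `set -e` above the hunk, which is outside this view; if there is none, the later `gosu` lines fail with a less obvious "unknown user" error instead, which is worth a one-line comment either way.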