From 24e432d9cb3530df686b2874d00ab031686b9cf0 Mon Sep 17 00:00:00 2001
From: Justin Cormack
Date: Tue, 10 Jan 2017 20:55:25 +0000
Subject: [PATCH] Use riddler to generate config.json

- use jq to fix up the output where there are still issues
- some issues will need fixing up in future too
- can remove fixes later
- still plan to restructure the code around containers to make it easier and clearer

Signed-off-by: Justin Cormack
---
 alpine/base/riddler/Dockerfile | 23 ++++
 alpine/base/riddler/Makefile | 29 ++++
 alpine/base/riddler/riddler.sh | 28 ++++
 alpine/containers/binfmt/.gitignore | 1 +
 alpine/containers/binfmt/Makefile | 13 +-
 alpine/containers/binfmt/config.json | 168 ------------------------
 alpine/containers/riddler.sh | 6 +
 alpine/containers/rng-tools/.gitignore | 1 +
 alpine/containers/rng-tools/Makefile | 13 +-
 alpine/containers/rng-tools/config.json | 158 ----------------------
 10 files changed, 102 insertions(+), 338 deletions(-)
 create mode 100644 alpine/base/riddler/Dockerfile
 create mode 100644 alpine/base/riddler/Makefile
 create mode 100755 alpine/base/riddler/riddler.sh
 delete mode 100644 alpine/containers/binfmt/config.json
 create mode 100755 alpine/containers/riddler.sh
 delete mode 100644 alpine/containers/rng-tools/config.json
diff --git a/alpine/base/riddler/Dockerfile b/alpine/base/riddler/Dockerfile
new file mode 100644
index 000000000..92394a073
--- /dev/null
+++ b/alpine/base/riddler/Dockerfile
@@ -0,0 +1,23 @@
+FROM golang:1.7-alpine
+
+RUN \
+ apk update && apk upgrade && \
+ apk add \
+ docker \
+ gcc \
+ git \
+ jq \
+ linux-headers \
+ musl-dev \
+ && true
+
+COPY Dockerfile /
+COPY riddler.sh /usr/bin/
+
+RUN git clone https://github.com/jessfraz/riddler.git /go/src/github.com/jessfraz/riddler
+
+WORKDIR /go/src/github.com/jessfraz/riddler
+RUN git checkout 23befa0b232877b5b502b828e24161d801bd67f6
+RUN go build -o /usr/bin/riddler .
+
+ENTRYPOINT ["/usr/bin/riddler.sh"]
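Review bot: The `RUN git checkout 23befa0b232877b5b502b828e24161d801bd67f6` line is the only thing that fixes which riddler revision goes into the image, and nothing records why that revision was chosen or what bumping it entails; a comment above it such as `# pin riddler to a reviewed revision; this Dockerfile is part of the image hash computed in Makefile, so changing the commit re-tags the image` would make that explicit. Since the three `RUN` lines for clone, checkout and build each become a layer, folding them into one `RUN git clone … && git checkout … && go build …` is also the more usual style and keeps the intermediate working tree out of separate layers.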
diff --git a/alpine/base/riddler/Makefile b/alpine/base/riddler/Makefile
new file mode 100644
index 000000000..916455efa
--- /dev/null
+++ b/alpine/base/riddler/Makefile
@@ -0,0 +1,29 @@
+.PHONY: tag push
+
+BASE=golang:1.7-alpine
+IMAGE=riddler
+
+default: push
+
+hash: Dockerfile riddler.sh
+ DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
+ tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
+ docker run --entrypoint=/bin/sh --rm $(IMAGE):build -c 'cat /Dockerfile /usr/bin/riddler.sh /lib/apk/db/installed | sha1sum' | sed 's/ .*//' > hash
+
+push: hash
+ docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
+ (docker tag $(IMAGE):build mobylinux/$(IMAGE):latest && \
+ docker push mobylinux/$(IMAGE):$(shell cat hash))
+ docker rmi $(IMAGE):build
+ rm -f hash
+
+tag: hash
+ docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
+ docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
+ docker rmi $(IMAGE):build
+ rm -f hash
+
+clean:
+ rm -f hash
+
+.DELETE_ON_ERROR:
diff --git a/alpine/base/riddler/riddler.sh b/alpine/base/riddler/riddler.sh
new file mode 100755
index 000000000..2c2f32cb5
--- /dev/null
+++ b/alpine/base/riddler/riddler.sh
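Review bot: In the `push` recipe the fallback branch tags the build image as `mobylinux/$(IMAGE):latest` but then pushes `mobylinux/$(IMAGE):$(shell cat hash)`, a tag that was never created, so the first push of a new hash fails at the `docker push` line; the `tag` target below tags with the hash, and `push` should do the same: `(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \`. If publishing `:latest` is also intended, add it as a second tag/push pair rather than substituting it for the hash tag. Separately, `clean` and `default` are not in the `.PHONY` list while `tag push` are; `.PHONY: default tag push clean` keeps a stray file named `clean` from masking the target.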
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -e
+
+# riddler always adds the apparmor options if this is not present
+EXTRA_OPTIONS="--security-opt apparmor=unconfined"
+
+ARGS="$@"
+CONTAINER=$(docker create $EXTRA_OPTIONS $ARGS)
+riddler $CONTAINER > /dev/null
+docker rm $CONTAINER > /dev/null
+
+# unfixed known issues
+# noNewPrivileges is always set by riddler, but that is fine for our use cases
+
+# These fixes should be removed when riddler is fixed
+# process.rlimits, just a constant at present, not useful
+# memory swappiness is too big by default
+# remove user namespaces
+# --read-only sets /dev ro
+# /sysfs ro unless privileged - cannot detect so will do if grant all caps
+#
+cat config.json | \
+ jq 'del(.process.rlimits)' | \
+ jq 'del (.linux.resources.memory.swappiness)' | \
+ jq 'del(.linux.uidMappings) | del(.linux.gidMappings) | .linux.namespaces = (.linux.namespaces|map(select(.type!="user")))' | \
+ jq 'if .root.readonly==true then .mounts = (.mounts|map(if .destination=="/dev" then .options |= .+ ["ro"] else . end)) else . end' | \
+ jq '.mounts = if .process.capabilities | length != 38 then (.mounts|map(if .destination=="/sys" then .options |= .+ ["ro"] else . end)) else . end'
diff --git a/alpine/containers/binfmt/.gitignore b/alpine/containers/binfmt/.gitignore
index 3070ce201..343ba0fed 100644
--- a/alpine/containers/binfmt/.gitignore
+++ b/alpine/containers/binfmt/.gitignore
@@ -1,2 +1,3 @@
 rootfs
+config.json
 qemu-*
diff --git a/alpine/containers/binfmt/Makefile b/alpine/containers/binfmt/Makefile
index 60425b948..0a2556bb2 100644
--- a/alpine/containers/binfmt/Makefile
+++ b/alpine/containers/binfmt/Makefile
@@ -2,7 +2,7 @@
 QEMU_IMAGE=mobylinux/qemu-user-static@sha256:cbeba25809c7c3feebc9e20522145e33d8abe5956674afa52814fc57c6644497
 QEMU_BINARIES=qemu-arm-static qemu-aarch64-static qemu-ppc64le-static
 
-default: rootfs
+default: config.json
 
 $(QEMU_BINARIES):
 docker run --rm --net=none $(QEMU_IMAGE) tar cf - -C /usr/bin $@ | tar xf -
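Review bot: `ARGS="$@"` followed by the unquoted `$ARGS` on the `docker create` line re-splits every caller argument on whitespace, so an argument containing a space (a `-v` mapping with a space in the path, or a quoted command argument) arrives at docker as several words; pass the positional parameters straight through instead, `CONTAINER=$(docker create $EXTRA_OPTIONS "$@")`, and drop `ARGS`. The `jq` pipeline at the end runs without `pipefail`, and `set -e` only sees the exit status of the last `jq`, so a failure in an earlier stage produces an empty but "successful" result that the calling Makefile redirects into config.json and treats as built; combining the five filters into one `jq` program, or checking that the output is non-empty before exiting, closes that gap. The `length != 38` test on `.process.capabilities` hard-codes the size of the full capability set, which depends on the riddler/docker version in use, so a different count silently changes which containers get `/sys` mounted read-only; the comment above it should say so, or the check should compare against the explicit full-capability list rather than a number.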
@@ -11,8 +11,8 @@ EXCLUDE=--exclude .dockerenv --exclude Dockerfile \
 --exclude dev/console --exclude dev/pts --exclude dev/shm \
 --exclude etc/hostname --exclude etc/hosts --exclude etc/mtab --exclude etc/resolv.conf
 
-rootfs: Dockerfile main.go 00_moby.conf $(QEMU_BINARIES)
- mkdir -p $@
+config.json: Dockerfile main.go 00_moby.conf $(QEMU_BINARIES)
+ mkdir -p rootfs
 BUILD=$$( tar cf - $^ | docker build -q - ) && \
 [ -n "$$BUILD" ] && \
 echo "Built $$BUILD" && \
@@ -20,10 +20,11 @@ rootfs: Dockerfile main.go 00_moby.conf $(QEMU_BINARIES)
 [ -n "$$IMAGE" ] && \
 echo "Built $$IMAGE" && \
 CONTAINER=$$( docker create $$IMAGE /dev/null ) && \
- docker export $$CONTAINER | tar -xf - -C $@ $(EXCLUDE) && \
- docker rm $$CONTAINER
+ docker export $$CONTAINER | tar -xf - -C rootfs $(EXCLUDE) && \
+ docker rm $$CONTAINER && \
+ ../riddler.sh --cap-drop all --read-only -v /proc/sys/fs/binfmt_misc:/binfmt_misc $$IMAGE /usr/bin/binfmt -dir /etc/binfmt.d/ -mount /binfmt_misc >$@
 
 clean:
- rm -rf rootfs $(QEMU_BINARIES)
+ rm -rf rootfs config.json $(QEMU_BINARIES)
 
 .DELETE_ON_ERROR:
diff --git a/alpine/containers/binfmt/config.json b/alpine/containers/binfmt/config.json
deleted file mode 100644
index 9e76a5c4c..000000000
--- a/alpine/containers/binfmt/config.json
+++ /dev/null
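Review bot: The `config.json` recipe now produces two outputs — it populates `rootfs` through `tar -xf - -C rootfs` and writes `config.json` through `>$@` — but only `config.json` is a target, and `rootfs` is neither cleared before extraction nor declared, so files dropped from the image linger in an existing `rootfs`, and a deleted `rootfs` next to an up-to-date `config.json` is never rebuilt; `rm -rf rootfs && mkdir -p rootfs` in place of the added `mkdir -p rootfs` fixes the stale-file half, and the identical recipe in alpine/containers/rng-tools/Makefile has the same issue. The recipe spans both hunks here, and the line between them is not shown. The options passed to `../riddler.sh` on the last added line are now the whole confinement policy for this container (all capabilities dropped, read-only root, the binfmt_misc bind mount) while the generated config.json is gitignored, so the policy no longer appears in review; a short comment above that line, e.g. `# confinement: no capabilities, read-only rootfs, /proc/sys/fs/binfmt_misc bind-mounted at /binfmt_misc`, keeps the intent reviewable.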
@@ -1,168 +0,0 @@
-{
- "ociVersion": "1.0.0-rc2-dev",
- "platform": {
- "os": "linux",
- "arch": "amd64"
- },
- "process": {
- "terminal": false,
- "user": {
- "uid": 0,
- "gid": 0
- },
- "args": [
- "/usr/bin/binfmt",
- "-dir",
- "/etc/binfmt.d/",
- "-mount",
- "/binfmt_misc"
- ],
- "env": [
- "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
- ],
- "cwd": "/",
- "capabilities": [],
- "rlimits": [
- {
- "type": "RLIMIT_NOFILE",
- "hard": 1024,
- "soft": 1024
- }
- ],
- "noNewPrivileges": true
- },
- "root": {
- "path": "rootfs",
- "readonly": true
- },
- "hostname": "elegant_albattani",
- "mounts": [
- {
- "destination": "/proc",
- "type": "proc",
- "source": "proc"
- },
- {
- "destination": "/dev",
- "type": "tmpfs",
- "source": "tmpfs",
- "options": [
- "nosuid",
- "strictatime",
- "mode=755",
- "size=65536k"
- ]
- },
- {
- "destination": "/dev/pts",
- "type": "devpts",
- "source": "devpts",
- "options": [
- "nosuid",
- "noexec",
- "newinstance",
- "ptmxmode=0666",
- "mode=0620",
- "gid=5"
- ]
- },
- {
- "destination": "/dev/shm",
- "type": "tmpfs",
- "source": "shm",
- "options": [
- "nosuid",
- "noexec",
- "nodev",
- "mode=1777",
- "size=65536k"
- ]
- },
- {
- "destination": "/dev/mqueue",
- "type": "mqueue",
- "source": "mqueue",
- "options": [
- "nosuid",
- "noexec",
- "nodev"
- ]
- },
- {
- "destination": "/sys",
- "type": "sysfs",
- "source": "sysfs",
- "options": [
- "nosuid",
- "noexec",
- "nodev"
- ]
- },
- {
- "destination": "/sys/fs/cgroup",
- "type": "cgroup",
- "source": "cgroup",
- "options": [
- "nosuid",
- "noexec",
- "nodev",
- "relatime",
- "ro"
- ]
- },
- {
- "destination": "/binfmt_misc",
- "type": "bind",
- "source": "/proc/sys/fs/binfmt_misc",
- "options": [
- "rw",
- "rbind",
- "rprivate"
- ]
- }
- ],
- "hooks": {},
- "linux": {
- "resources": {
- "devices": [
- {
- "allow": false,
- "access": "rwm"
- }
- ]
- },
- "namespaces": [
- {
- "type": "pid"
- },
- {
- "type": "network"
- },
- {
- "type": "ipc"
- },
- {
- "type": 
"uts" - }, - { - "type": "mount" - } - ], - "maskedPaths": [ - "/proc/kcore", - "/proc/latency_stats", - "/proc/timer_list", - "/proc/timer_stats", - "/proc/sched_debug", - "/sys/firmware" - ], - "readonlyPaths": [ - "/proc/asound", - "/proc/bus", - "/proc/fs", - "/proc/irq", - "/proc/sys", - "/proc/sysrq-trigger" - ] - } -} diff --git a/alpine/containers/riddler.sh b/alpine/containers/riddler.sh new file mode 100755 index 000000000..d3404b30a --- /dev/null +++ b/alpine/containers/riddler.sh @@ -0,0 +1,6 @@ +#!/bin/sh + +# tag: 801f33408e43e6a22985aa994ab0bcba41659ec6 +RIDDLER=mobylinux/riddler@sha256:2dda30eb24ac531a9f2164e9592a21538b5841f2ca8459b0c190da46ea7dfafd + +docker run --rm -v /var/run/docker.sock:/var/run/docker.sock $RIDDLER "$@" diff --git a/alpine/containers/rng-tools/.gitignore b/alpine/containers/rng-tools/.gitignore index e84b41adc..9dc1aea6a 100644 --- a/alpine/containers/rng-tools/.gitignore +++ b/alpine/containers/rng-tools/.gitignore @@ -1,2 +1,3 @@ rootfs +config.json tini diff --git a/alpine/containers/rng-tools/Makefile b/alpine/containers/rng-tools/Makefile index aea73c59a..17cfcbaae 100644 --- a/alpine/containers/rng-tools/Makefile +++ b/alpine/containers/rng-tools/Makefile @@ -2,7 +2,7 @@ TINI_IMAGE=mobylinux/tini@sha256:7da8c5b371e0d7d3fb1778e96c0bc634e39ace7bf1e7a73bffbf1f8360127fdb TINI_BINARY=tini -default: rootfs +default: config.json $(TINI_BINARY): Dockerfile docker run --rm --net=none $(TINI_IMAGE) tar cf - -C /bin $@ | tar xf - @@ -11,8 +11,8 @@ EXCLUDE=--exclude .dockerenv --exclude Dockerfile \ --exclude dev/console --exclude dev/pts --exclude dev/shm \ --exclude etc/hostname --exclude etc/hosts --exclude etc/mtab --exclude etc/resolv.conf -rootfs: Dockerfile fix-textrels-on-PIC-x86.patch sha256sums $(TINI_BINARY) - mkdir -p $@ +config.json: Dockerfile fix-textrels-on-PIC-x86.patch sha256sums $(TINI_BINARY) + mkdir -p rootfs BUILD=$$( tar cf - $^ | docker build -q - ) && \ [ -n "$$BUILD" ] && \ echo "Built $$BUILD" && \ 
@@ -20,10 +20,11 @@ rootfs: Dockerfile fix-textrels-on-PIC-x86.patch sha256sums $(TINI_BINARY)
 [ -n "$$IMAGE" ] && \
 echo "Built $$IMAGE" && \
 CONTAINER=$$( docker create $$IMAGE /dev/null ) && \
- docker export $$CONTAINER | tar -xf - -C $@ $(EXCLUDE) && \
- docker rm $$CONTAINER
+ docker export $$CONTAINER | tar -xf - -C rootfs $(EXCLUDE) && \
+ docker rm $$CONTAINER && \
+ ../riddler.sh --cap-drop all --cap-add SYS_ADMIN --read-only $$IMAGE /bin/tini /usr/sbin/rngd -f >$@
 
 clean:
- rm -rf rootfs $(TINI_BINARY)
+ rm -rf rootfs config.json $(TINI_BINARY)
 
 .DELETE_ON_ERROR:
diff --git a/alpine/containers/rng-tools/config.json b/alpine/containers/rng-tools/config.json
deleted file mode 100644
index 208937afa..000000000
--- a/alpine/containers/rng-tools/config.json
+++ /dev/null
@@ -1,158 +0,0 @@
-{
- "ociVersion": "1.0.0-rc2-dev",
- "platform": {
- "os": "linux",
- "arch": "amd64"
- },
- "process": {
- "terminal": false,
- "user": {
- "uid": 0,
- "gid": 0
- },
- "args": [
- "/bin/tini",
- "/usr/sbin/rngd",
- "-f"
- ],
- "env": [
- "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
- ],
- "cwd": "/",
- "capabilities": [
- "CAP_SYS_ADMIN"
- ],
- "rlimits": [
- {
- "type": "RLIMIT_NOFILE",
- "hard": 1024,
- "soft": 1024
- }
- ],
- "noNewPrivileges": true
- },
- "root": {
- "path": "rootfs",
- "readonly": true
- },
- "hostname": "gloomy_saha",
- "mounts": [
- {
- "destination": "/proc",
- "type": "proc",
- "source": "proc"
- },
- {
- "destination": "/dev",
- "type": "tmpfs",
- "source": "tmpfs",
- "options": [
- "nosuid",
- "strictatime",
- "mode=755",
- "size=65536k"
- ]
- },
- {
- "destination": "/dev/pts",
- "type": "devpts",
- "source": "devpts",
- "options": [
- "nosuid",
- "noexec",
- "newinstance",
- "ptmxmode=0666",
- "mode=0620",
- "gid=5"
- ]
- },
- {
- "destination": "/dev/shm",
- "type": "tmpfs",
- "source": "shm",
- "options": [
- "nosuid",
- "noexec",
- "nodev",
- "mode=1777",
- "size=65536k"
- ]
- },
- {
- "destination": "/dev/mqueue",
- "type": "mqueue",
- "source": "mqueue",
- "options": [
- "nosuid",
- "noexec",
- "nodev"
- ]
- },
- {
- "destination": "/sys",
- "type": "sysfs",
- "source": "sysfs",
- "options": [
- "nosuid",
- "noexec",
- "nodev"
- ]
- },
- {
- "destination": "/sys/fs/cgroup",
- "type": "cgroup",
- "source": "cgroup",
- "options": [
- "nosuid",
- "noexec",
- "nodev",
- "relatime",
- "ro"
- ]
- }
- ],
- "hooks": {},
- "linux": {
- "resources": {
- "devices": [
- {
- "allow": false,
- "access": "rwm"
- }
- ]
- },
- "namespaces": [
- {
- "type": "pid"
- },
- {
- "type": "network"
- },
- {
- "type": "ipc"
- },
- {
- "type": "uts"
- },
- {
- "type": "mount"
- }
- ],
- "maskedPaths": [
- "/proc/kcore",
- "/proc/latency_stats",
- "/proc/timer_list",
- "/proc/timer_stats",
- "/proc/sched_debug",
- 
"/sys/firmware" - ], - "readonlyPaths": [ - "/proc/asound", - "/proc/bus", - "/proc/fs", - "/proc/irq", - "/proc/sys", - "/proc/sysrq-trigger" - ] - } -}