5 Commits 032a435e8d ... 4e848f6c54

Author SHA1 Message Date
  Fabian Peter Hammerle 4e848f6c54 added image labels org.opencontainers.image.revision, .source & .title 3 years ago
  Fabian Peter Hammerle 470654bd86 docker-compose: read-only root filesystem 3 years ago
  Fabian Peter Hammerle a3d2b183ea repeat removal of setuid & setgid bits after install of ipfs 3 years ago
  Fabian Peter Hammerle 67788b31da docker-compose: drop capabilities 3 years ago
  Fabian Peter Hammerle a41f58f3cb docker-compose: use custom container name "ipfs" instead of auto-generated "[PROJECT_NAME]_ipfs_1" 3 years ago
4 changed files with 38 additions and 6 deletions
  1. 10 0
      CHANGELOG.md
  2. 10 2
      Dockerfile
  3. 16 4
      docker-compose.yml
  4. 2 0
      entrypoint.sh

+ 10 - 0
CHANGELOG.md

@@ -5,6 +5,16 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Added
+- image labels:
+  - `org.opencontainers.image.revision` (git commit hash via build arg)
+  - `org.opencontainers.image.source` (repo url)
+  - `org.opencontainers.image.title`
+
+### Changed
+- docker-compose: use custom container name "ipfs" instead of auto-generated "\[PROJECT_NAME\]\_ipfs\_1"
+- docker-compose: read-only root filesystem
+- docker-compose: drop capabilities
 
 ## [0.2.2] - 2020-09-24
 ### Fixed

+ 10 - 2
Dockerfile

@@ -1,7 +1,7 @@
 # on alpine with libc6-compat=1.1.24-r9:
 # > Error relocating /usr/local/bin/ipfs: __fprintf_chk: symbol not found
 # > Error relocating /usr/local/bin/ipfs: __vfprintf_chk: symbol not found
-FROM debian:buster-slim
+FROM debian:10.8-slim
 
 ARG JQ_PACKAGE_VERSION=1.5+dfsg-2+b1
 ARG TINI_PACKAGE_VERSION=0.18.0-1
@@ -30,7 +30,9 @@ RUN apt-get update \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists \
     && mv /tmp/go-ipfs/ipfs /usr/local/bin \
-    && rm -r /tmp/go-ipfs
+    && rm -r /tmp/go-ipfs \
+    && find / -xdev -type f -perm /u+s -exec chmod --changes u-s {} \; \
+    && find / -xdev -type f -perm /g+s -exec chmod --changes g-s {} \;
 
 ENV IPFS_CONFIG_PATH="${IPFS_PATH}/config" \
     IPFS_INIT_PROFILE=server \
@@ -49,3 +51,9 @@ EXPOSE 5001/tcp
 # http gateway
 EXPOSE 8080/tcp
 CMD ["ipfs", "daemon"]
+
+# https://github.com/opencontainers/image-spec/blob/v1.0.1/annotations.md
+ARG REVISION=
+LABEL org.opencontainers.image.title="go-ipfs" \
+    org.opencontainers.image.source="https://github.com/fphammerle/docker-ipfs" \
+    org.opencontainers.image.revision="$REVISION"
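Review bot: `FROM debian:10.8-slim` in the first hunk pins a tag, not content; the registry can re-publish that tag (Debian does so for point-release security rebuilds), so two builds from the same Dockerfile can still differ. If reproducibility is the goal, pin the digest alongside the tag, `FROM debian:10.8-slim@sha256:<DIGEST_PLACEHOLDER>`, and refresh both together. In the third hunk, `ARG REVISION=` defaults to an empty string, so an image built without `--build-arg REVISION=...` silently carries an empty `org.opencontainers.image.revision` label rather than failing; a comment such as `# pass --build-arg REVISION=$(git rev-parse HEAD); left empty, the revision label is "" and the image cannot be traced to a commit` would make the contract explicit. The setuid/setgid `find` lines in the second hunk belong to a `RUN` whose start lies outside the hunk.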

+ 16 - 4
docker-compose.yml

@@ -1,4 +1,4 @@
-version: '2'
+version: '2.3'
 
 volumes:
   ipfs_repo:
@@ -6,13 +6,25 @@ volumes:
 services:
   ipfs:
     build: .
-    image: fphammerle/ipfs
+    image: docker.io/fphammerle/ipfs
+    container_name: ipfs
+    read_only: true
     volumes:
-    - ipfs_repo:/ipfs-repo:rw
+    - type: volume
+      source: ipfs_repo
+      target: /ipfs-repo
+      read_only: no
+    - type: tmpfs
+      target: /tmp # entrypoint.sh
+      tmpfs:
+        # nosuid,nodev,noexec added by default
+        mode: '1777'
+        size: 16k # default config has approx 5kB
     ports:
     - '4001:4001'
     - '127.0.0.1:5001:5001'
-    security_opt: ['no-new-privileges']
+    cap_drop: [ALL]
+    security_opt: [no-new-privileges]
     restart: unless-stopped
 
 # https://docs.docker.com/compose/compose-file/compose-file-v2/
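Review bot: `read_only: no` on the volume entry in the second hunk spells a boolean with a YAML 1.1 truthy word; docker-compose's PyYAML-based loader reads it as false, but YAML 1.2 parsers and yamllint's `truthy` rule treat it as the string "no", so write `read_only: false`, matching the lowercase `read_only: true` set on the service a few lines above. The inline comment in `target: /tmp # entrypoint.sh` has a single space before `#`; the usual convention is two. The `tmpfs.mode` key and the unit-suffixed `size: 16k` on the same entry are worth checking against the compose 2.3 schema with `docker-compose config`, since I cannot confirm from the file alone that both are accepted in that version.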

+ 2 - 0
entrypoint.sh

@@ -1,6 +1,8 @@
 #!/bin/sh
 set -eu
 
+# "sponge" also writes to /tmp
+# https://salsa.debian.org/nsc/moreutils/-/blob/debian/0.62-1/sponge.c#L262
 ipfs_config_jq_edit() {
     tmp=$(mktemp)
     (set -x; jq "$@" < "$IPFS_CONFIG_PATH" > "$tmp")
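Review bot: The new comment above `ipfs_config_jq_edit` names only `sponge` as a writer to /tmp, but the `tmp=$(mktemp)` on the function's first line is the other one, and nothing here says why /tmp matters. Suggest widening it to `# mktemp (below) and "sponge" write to /tmp; docker-compose.yml mounts the root filesystem read-only and provides a tmpfs at /tmp for this` and keeping the salsa link beneath it. The body of ipfs_config_jq_edit continues past the end of the hunk.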