
move tor data directory to mount point /var/lib/tor to be able to make container's root fs read-only

https://github.com/fphammerle/docker-tor-obfs4-bridge/commit/8d6514c2bda98488876f67116aa4c306a9dc28c2
Fabian Peter Hammerle 3 years ago
parent
commit
345840bda8
6 changed files with 45 additions and 10 deletions
  1. 9 0
      CHANGELOG.md
  2. 3 3
      Dockerfile
  3. 3 0
      README.md
  4. 12 5
      ansible-playbook.yml
  5. 15 2
      docker-compose.yml
  6. 3 0
      torrc.template

+ 9 - 0
CHANGELOG.md

@@ -5,6 +5,15 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Added
+- create mount point at `/var/lib/tor`
+  to be able to make container's root filesystem read-only
+
+### Changed
+- moved tor's data directory from `/home/onion/.tor` to `/var/lib/tor`
+- run `tor` as user `tor` instead of `onion`
+- docker-compose & ansible-playbook: read-only root filesystem
+
 ### Fixed
 - docker-compose & ansible-playbook: drop capabilities
 

+ 3 - 3
Dockerfile

@@ -5,9 +5,9 @@ ARG TOR_PACKAGE_VERSION=0.4.3.5-r0
 RUN apk add --no-cache \
         netcat-openbsd=$NETCAT_PACKAGE_VERSION \
         tor=$TOR_PACKAGE_VERSION \
-    && adduser -S onion \
     && mkdir -m u=rwx,g=,o= /onion-service \
-    && chown onion /onion-service
+    && chown tor /onion-service
+VOLUME /var/lib/tor
 VOLUME /onion-service
 
 #RUN apk add --no-cache \
@@ -23,7 +23,7 @@ ENV VIRTUAL_PORT 80
 ENV TARGET 1.2.3.4:8080
 ENTRYPOINT ["/entrypoint.sh"]
 
-USER onion
+USER tor
 CMD ["tor", "-f", "/tmp/torrc"]
 
 HEALTHCHECK CMD \
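Review bot: `VOLUME /var/lib/tor` is added without any step creating `/var/lib/tor` with `tor` ownership, while the `adduser`/`chown` lines in the same hunk are what previously prepared the data location; if the `tor` apk package does not itself ship that directory owned by user `tor` (not visible here), the named volume is initialised root-owned and, with the root filesystem now read-only, tor cannot create its DataDirectory at start. A defensive line before the VOLUME, `&& install -d -m 0700 -o tor /var/lib/tor \`, removes the dependency on packaging and also satisfies tor's own check that its DataDirectory is not group/world accessible. The `USER tor` line in the second hunk likewise relies on the package having created that account now that `adduser -S onion` is gone; a short comment on the RUN line naming that assumption would help the next maintainer. The RUN instruction starts outside the hunk.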

+ 3 - 0
README.md

@@ -31,6 +31,9 @@ $ sudo docker create --name onion_service \
 $ sudo docker start onion_service
 ```
 
+optionally add `--read-only --tmpfs /tmp:rw,size=4k`
+to make the container's root filesystem read only
+
 ## retrieve hostname
 
 ```sh

+ 12 - 5
ansible-playbook.yml

@@ -1,16 +1,23 @@
 - hosts: [some-host]
   become: true
   tasks:
-  - docker_volume:
-      name: onion_service_key
   - docker_container:
       name: onion_service
-      # 0.2-tor0.3.3.7-amd64
-      image: fphammerle/onion-service@sha256:51b5ee67fea1587421fd3dd982cc58f7554b68fe051d316d6d120e560675d2b8
+      # TODO replace with fingerprint
+      image: fphammerle/onion-service:2.0.0-tor0.4.3.5-amd64
       env:
         VIRTUAL_PORT: 80
         TARGET: 1.2.3.4:8080
-      volumes: ['onion_service_key:/onion-service']
+      volumes:
+      - onion_service_data:/var/lib/tor
+      - onion_service_key:/onion-service
+      mounts:
+      - type: tmpfs
+        target: /tmp # torrc
+        # nosuid,nodev,noexec added by default
+        tmpfs_mode: '1777'
+        tmpfs_size: 4k
+      read_only: yes
       cap_drop: [ALL]
       security_opts: [no-new-privileges]
       memory: 128M
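Review bot: The new `image:` line replaces a digest-pinned reference with a mutable tag, so the deployed image can no longer be checked against a known content hash; the `# TODO replace with fingerprint` comment acknowledges this but the hunk ships it. Once the 2.0.0 image is published, pin it as `image: fphammerle/onion-service@sha256:<DIGEST_OF_2.0.0_TAG>` (placeholder) and keep the tag in the comment for readability. Separately, `read_only: yes` should be written `read_only: true` — `yes` is a YAML 1.1 truthy value that yamllint flags and that YAML 1.2 parsers read as a string; the same applies to `read_only: yes` in docker-compose.yml in this commit.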

+ 15 - 2
docker-compose.yml

@@ -1,6 +1,7 @@
-version: '2.2'
+version: '2.3'
 
 volumes:
+  data:
   key:
 
 services:
@@ -8,7 +9,19 @@ services:
     build: .
     image: fphammerle/onion-service
     volumes:
-    - key:/onion-service:rw
+    - type: volume
+      source: data
+      target: /var/lib/tor
+    - type: volume
+      source: key
+      target: /onion-service
+    - type: tmpfs
+      target: /tmp # torrc
+      tmpfs:
+        # nosuid,nodev,noexec added by default
+        mode: '1777'
+        size: 4k
+    read_only: yes
     environment:
       VIRTUAL_PORT: 80
       TARGET: 1.2.3.4:8080
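Review bot: The inline comment `target: /tmp # torrc` has only one space before `#` (yamllint expects two) and does not say why `/tmp` needs a writable tmpfs on an otherwise read-only root; the Dockerfile in this commit runs `tor -f /tmp/torrc`, so the config is read from there. Suggest `target: /tmp  # /tmp/torrc is read by CMD (tor -f /tmp/torrc); presumably written by the entrypoint at start` — the "written by the entrypoint" part is inferred from the template file and should be confirmed. The `size: 4k` limit is shared with the README's `--tmpfs /tmp:rw,size=4k`; a comment noting that the rendered torrc must stay under that size would keep the two in step.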

+ 3 - 0
torrc.template

@@ -1,5 +1,8 @@
 Log notice stdout
 
+# default: ~/.tor
+DataDirectory /var/lib/tor
+
 # https://gitweb.torproject.org/torspec.git/tree/control-spec.txt
 ControlPort localhost:9051