diff --git a/Dockerfile b/Dockerfile
index b210764e327..7104e28b63d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,11 +1,5 @@
-FROM golang:1.14.4-buster
-LABEL maintainer="Steven Allen "
-
-# Install deps
-RUN apt-get update && apt-get install -y \
- libssl-dev \
- ca-certificates \
- fuse
+FROM golang:1.12.9-buster
+MAINTAINER Steven Allen
 ENV SRC_DIR /go-ipfs
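Review bot: `FROM golang:1.12.9-buster` moves the builder to an older Go line than the `1.14.4` on the removed side, and to my knowledge Go 1.12 no longer receives upstream security releases, so the binary built here would miss any standard-library fixes shipped since. If the older toolchain is required, say why in a comment and pin the image by digest as well as tag, e.g. `FROM golang:1.12.9-buster@sha256:<digest>`, so the build input cannot change underneath the tag. `MAINTAINER` is deprecated in favour of the `LABEL maintainer="…"` form the removed side used.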
@@ -16,38 +10,35 @@ RUN cd $SRC_DIR \
 COPY . $SRC_DIR
-# Preload an in-tree but disabled-by-default plugin by adding it to the IPFS_PLUGINS variable
-# e.g. docker build --build-arg IPFS_PLUGINS="foo bar baz"
-ARG IPFS_PLUGINS
-
 # Build the thing.
 # Also: fix getting HEAD commit hash via git rev-parse.
 RUN cd $SRC_DIR \
 && mkdir .git/objects \
- && make build GOTAGS=openssl IPFS_PLUGINS=$IPFS_PLUGINS
+ && make build
 # Get su-exec, a very minimal tool for dropping privileges,
 # and tini, a very minimal init daemon for containers
 ENV SUEXEC_VERSION v0.2
-ENV TINI_VERSION v0.19.0
-RUN set -eux; \
- dpkgArch="$(dpkg --print-architecture)"; \
- case "${dpkgArch##*-}" in \
- "amd64" | "armhf" | "arm64") tiniArch="tini-$dpkgArch" ;;\
- *) echo >&2 "unsupported architecture: ${dpkgArch}"; exit 1 ;; \
- esac; \
- cd /tmp \
+ENV TINI_VERSION v0.16.1
+RUN set -x \
+ && cd /tmp \
 && git clone https://github.com/ncopa/su-exec.git \
 && cd su-exec \
 && git checkout -q $SUEXEC_VERSION \
 && make \
 && cd /tmp \
- && wget -q -O tini https://github.com/krallin/tini/releases/download/$TINI_VERSION/$tiniArch \
+ && wget -q -O tini https://github.com/krallin/tini/releases/download/$TINI_VERSION/tini \
 && chmod +x tini
+# Get the TLS CA certificates, they're not provided by busybox.
+RUN apt-get update && apt-get install -y ca-certificates
+
+# Install FUSE
+RUN apt-get update && apt-get install -y fuse
+
 # Now comes the actual target image, which aims to be as small as possible.
-FROM busybox:1.31.1-glibc
-LABEL maintainer="Steven Allen "
+FROM busybox:1.31.0-glibc
+MAINTAINER Steven Allen
 # Get the ipfs binary, entrypoint script, and TLS CAs from the build container.
 ENV SRC_DIR /go-ipfs
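Review bot: The `wget -q -O tini …/$TINI_VERSION/tini` step is followed directly by `chmod +x tini`, so whatever the release URL serves at build time is accepted as the init binary without any integrity check. Record the expected digest in the Dockerfile and verify it before use, e.g. `&& echo "<TINI_SHA256>  tini" | sha256sum -c - \` between the two lines, with the value taken from a release you have verified. The su-exec build has the same weakness in a milder form: `git checkout -q $SUEXEC_VERSION` resolves a tag, which upstream can move, whereas a full commit hash cannot. With the `dpkgArch` case removed, the unsuffixed `tini` asset is fetched on every architecture; if that asset is amd64-only, as I believe it is, non-amd64 builds would silently ship an init that cannot run.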
@@ -61,20 +52,11 @@ COPY --from=0 /etc/ssl/certs /etc/ssl/certs
 # Add suid bit on fusermount so it will run properly
 RUN chmod 4755 /usr/local/bin/fusermount
-# Fix permissions on start_ipfs (ignore the build machine's permissions)
-RUN chmod 0755 /usr/local/bin/start_ipfs
-
 # This shared lib (part of glibc) doesn't seem to be included with busybox.
-COPY --from=0 /lib/*-linux-gnu*/libdl.so.2 /lib/
-
-# Copy over SSL libraries.
-COPY --from=0 /usr/lib/*-linux-gnu*/libssl.so* /usr/lib/
-COPY --from=0 /usr/lib/*-linux-gnu*/libcrypto.so* /usr/lib/
+COPY --from=0 /lib/x86_64-linux-gnu/libdl-2.24.so /lib/libdl.so.2
 # Swarm TCP; should be exposed to the public
 EXPOSE 4001
-# Swarm UDP; should be exposed to the public
-EXPOSE 4001/udp
 # Daemon API; must not be exposed publicly but to client services under you control
 EXPOSE 5001
 # Web Gateway; can be exposed publicly with a proxy, e.g. as https://ipfs.example.org
@@ -94,7 +76,7 @@ RUN mkdir /ipfs /ipns \
 # Expose the fs-repo as a volume.
 # start_ipfs initializes an fs-repo if none is mounted.
-# Important this happens after the USER directive so permissions are correct.
+# Important this happens after the USER directive so permission are correct.
 VOLUME $IPFS_PATH
 # The default logging level
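Review bot: `COPY --from=0 /lib/x86_64-linux-gnu/libdl-2.24.so /lib/libdl.so.2` hard-codes both the architecture and the glibc point release, while stage 0 in this diff is `golang:1.12.9-buster`. Debian buster ships glibc 2.28 as far as I know, so this source path probably does not exist and the build would stop here. Copying by soname avoids both assumptions: `COPY --from=0 /lib/*-linux-gnu*/libdl.so.2 /lib/`. Separately, with `RUN chmod 0755 /usr/local/bin/start_ipfs` gone, the entrypoint script (its COPY is outside this hunk) keeps whatever mode it had on the build machine, which can leave it group- or world-writable inside the image. Keep an explicit mode, either that `RUN chmod` or `COPY --chmod=0755` where BuildKit is available.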