4 issues in Dockerfile (--no-install-recommends not used, RUN not combined, running as root, no commit for tor lib) #166

Open
emanuelb opened this issue Jul 17, 2021 · 1 comment

@emanuelb

  1. Add --no-install-recommends for apt-get install commands:

Adding --no-install-recommends to apt-get install commands will probably/may reduce the number of packages installed (the package list may then need to be extended with some required dependencies that are part of the recommended list, for example the ca-certificates package).

apt-get install -y software-properties-common locales && \

apt-get install -y openjdk-8-jdk wget git unzip dos2unix

  2. Combine RUN commands

phoenix/Dockerfile

Lines 77 to 82 in 67e5a97

# make sure we don't read properties the host environment
RUN rm -f /home/ubuntu/phoenix/local.properties
# make sure we use unix EOL files
RUN find /home/ubuntu/phoenix -type f -print0 | xargs -0 dos2unix --
# make gradle wrapper executable
RUN chmod +x /home/ubuntu/phoenix/gradlew

phoenix/Dockerfile

Lines 55 to 63 in 67e5a97

# fetch and unpack the android sdk
RUN mkdir /usr/local/android-sdk && \
cd /usr/local/android-sdk && \
wget -q ${ANDROID_SDK_URL} && \
unzip ${ANDROID_SDK_FILENAME} && \
rm ${ANDROID_SDK_FILENAME}
# install sdk packages
RUN echo y | $ANDROID_HOME/tools/bin/sdkmanager "build-tools;${ANDROID_BUILD_TOOLS_VERSION}" "cmake;${CMAKE_VERSION}" "ndk;${ANDROID_NDK_VERSION}" "patcher;v4" "platforms;${ANDROID_API_LEVELS}"

Each RUN command creates a layer; it's better to use fewer RUN commands instead, such as:

RUN set -ex; \
         command1; \
         command2;

  3. Check out a specific commit of Tor_Onion_Proxy_Library

RUN git clone https://github.com/ACINQ/Tor_Onion_Proxy_Library && \

Doesn't use git checkout to check out a commit/tag, thus it will always use the latest commit, which is not reproducible.

  4. Running as root in container

Currently every command is run as root in the container; it's better to run what's possible as a regular user instead.
Use the USER directive to change to a user created with the useradd -ms /bin/bash appuser (ubuntu) or adduser -D appuser (alpine) commands.
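
The four suggestions from the issue above, combined into one Dockerfile fragment. This is an added example, not part of the original issue and not the project's Dockerfile; the base image tag, the /home/appuser paths, the TOR_LIB_COMMIT build argument and the build context (a Phoenix checkout) are assumptions.

```dockerfile
# Added example. Assumed: base image tag, appuser home paths, TOR_LIB_COMMIT,
# and that the build context is a checkout of the phoenix repository.
FROM ubuntu:20.04

# Commit to build against. No default on purpose; supply the reviewed value:
#   docker build --build-arg TOR_LIB_COMMIT=<full-40-character-commit-sha> .
ARG TOR_LIB_COMMIT

# --no-install-recommends plus a single RUN: one layer, and only the named
# packages and their hard dependencies. ca-certificates is listed explicitly
# because it is otherwise only pulled in as a recommended package, and wget
# and git need it for HTTPS.
RUN set -ex; \
    apt-get update; \
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        ca-certificates software-properties-common locales \
        openjdk-8-jdk wget git unzip dos2unix

# Running as a regular user: create the account as root, then drop to it.
# Every RUN, CMD and ENTRYPOINT after USER executes as appuser.
RUN useradd -ms /bin/bash appuser
USER appuser
WORKDIR /home/appuser

# Pinned checkout: the build stops if no commit was supplied or if HEAD does
# not end up on exactly that commit, so an image never silently tracks the
# latest upstream commit.
RUN set -ex; \
    test -n "${TOR_LIB_COMMIT}"; \
    git clone https://github.com/ACINQ/Tor_Onion_Proxy_Library; \
    cd Tor_Onion_Proxy_Library; \
    git checkout --detach "${TOR_LIB_COMMIT}"; \
    test "$(git rev-parse HEAD)" = "${TOR_LIB_COMMIT}"

# The three single-command RUN steps quoted in the issue, as one layer.
# --chown makes the files writable by appuser without a root step.
COPY --chown=appuser:appuser . /home/appuser/phoenix
RUN set -ex; \
    rm -f /home/appuser/phoenix/local.properties; \
    find /home/appuser/phoenix -type f -print0 | xargs -0 dos2unix --; \
    chmod +x /home/appuser/phoenix/gradlew
```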

@t-bast
Member

t-bast commented Jul 19, 2021

We've been working on migrating Phoenix to a completely new stack based on Kotlin multi-platform:

Any work on deterministic builds will be done over there.
