
Some code refactoring for the dockerfiles. #14

Open. Wants to merge 11 commits into base: main.

Conversation

beardstack

Improving the docker builds by removing bloat, removing extra RUN commands, unnecessary apps, passing chmod arguments to COPY/ADD directives directly instead of extra RUN 'chmod' commands and cleaning up repos resulting in a base image of 200MB image vs 274MB.
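The layering changes the description lists (one install layer instead of several RUN commands, package lists cleaned out of the image, the file mode passed to COPY instead of a separate chmod RUN) are easiest to see side by side. The following Dockerfile is an added illustration, not part of this PR or the project's own Dockerfiles; the base image, the package names (curl, vim, procps, ca-certificates) and the file entrypoint.sh are assumed for the example, and the 755 mode is the one discussed in the review below.

```dockerfile
# syntax=docker/dockerfile:1

# --- "before" stage: the layering pattern this PR refactors away (constructed example) ---
# Each RUN and COPY becomes its own layer: the apt package lists stay in the image,
# the tools are installed whether or not the service needs them, and the chmod runs
# in a separate layer that stores a second copy of entrypoint.sh.
FROM debian:bookworm-slim AS before
RUN apt-get update
RUN apt-get install -y curl vim procps
COPY entrypoint.sh /entrypoint.sh
RUN chmod 755 /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]

# --- "lean" stage: one install layer, no package-list residue, mode set at copy time ---
FROM debian:bookworm-slim AS lean
# A single RUN keeps update/install/cleanup in one layer, so the removed lists
# never reach the final image; --no-install-recommends skips optional packages.
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates curl \
 && rm -rf /var/lib/apt/lists/*
# COPY --chmod (BuildKit, enabled by the syntax directive on line 1) stores the
# file once with the intended mode instead of adding a chmod layer.
COPY --chmod=755 entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
```

Build each stage with `docker build --target before -t app:before .` and `docker build --target lean -t app:lean .`, then compare the two with `docker image ls` and `docker history`; the history of the lean stage shows the install and cleanup as one layer and no separate chmod layer. Whether packages such as vim and procps count as "unnecessary apps" depends on what the service actually needs at runtime, which is the judgement the PR makes per image.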

These ones are privileged

Co-authored-by: Jason Rhinelander <jason@imaginary.ca>
@jagerman (Member)

jagerman commented Nov 4, 2022

Mostly minor things left as comments; the cleanup/refactoring here looks good to me overall. Thanks for your efforts, @beardstack !

@beardstack (Author)

You're welcome. I'd like to help more on the docker side of things as I build my own systems. For now I'm trying to make it work with user namespaces but I'm having some trouble. I don't really like how the images are pancaked with a bunch of tools. It's best practice to separate apps in different containers and run containers separately (nginx, iptables, fail2ban, cron).

majestrate and others added 2 commits November 4, 2022 16:05
Co-authored-by: Jason Rhinelander <jason@imaginary.ca>
Co-authored-by: Jason Rhinelander <jason@imaginary.ca>
@majestrate (Contributor)

> You're welcome. I'd like to help more on the docker side of things as I build my own systems. For now I'm trying to make it work with user namespaces but I'm having some trouble. I don't really like how the images are pancaked with a bunch of tools. It's best practice to separate apps in different containers and run containers separately (nginx, iptables, fail2ban, cron).

iptables and fail2ban will break down given how lokinet would work in a docker setup. in general, i do not know what docker does with networking that allows fail2ban and iptables to continue working as intended but it likely would conflict with lokinet. this is a continual issue with docker, the way they do networking is blackbox from the perspective of layer 3 (it is "easier" for end users i hear but it has made my life harder)

@beardstack (Author)

> You're welcome. I'd like to help more on the docker side of things as I build my own systems. For now I'm trying to make it work with user namespaces but I'm having some trouble. I don't really like how the images are pancaked with a bunch of tools. It's best practice to separate apps in different containers and run containers separately (nginx, iptables, fail2ban, cron).

> iptables and fail2ban will break down given how lokinet would work in a docker setup. in general, i do not know what docker does with networking that allows fail2ban and iptables to continue working as intended but it likely would conflict with lokinet. this is a continual issue with docker, the way they do networking is blackbox from the perspective of layer 3 (it is "easier" for end users i hear but it has made my life harder)

It definitely does make things a bit "stranger" and more complicated until it's set up and working. I run my fail2ban containers externally from my services, for instance typically by volume sharing/mounting log files. Benefits would really depend on the use case but generally it would allow tighter and more granular security for the containers. In a way, since I run multiple services on a single host, it also simplifies management a fair bit.

```yaml
version: '3.2'
services:
  # fail2ban watching sshd logs; reads the host's /var/log read-only and
  # inserts bans into the host INPUT chain (host networking, host user namespace)
  fail2ban-ssh:
    cap_add:
    - NET_ADMIN
    - NET_RAW
    container_name: fail2ban_ssh
    environment:
      APP_SVC_NAME: fail2ban_ssh
      F2B_ACTION: '%(action_mwl)s'
      F2B_DB_PURGE_AGE: 3d
      F2B_DEST_EMAIL: ******
      F2B_IPTABLES_CHAIN: INPUT
      F2B_LOG_LEVEL: INFO
      F2B_LOG_TARGET: STDOUT
      F2B_MAX_RETRY: '4'
      F2B_SENDER: ******
      SSMTP_HOST: ***
      SSMTP_HOSTNAME: *****
      SSMTP_PASSWORD: *****
      SSMTP_PORT: '587'
      SSMTP_TLS: "YES"
      SSMTP_USER: *****
      TZ: America/Toronto
    image: crazymax/fail2ban:latest
    labels:
      com.centurylinklabs.watchtower.monitor-only: "true"
    network_mode: host
    restart: unless-stopped
    userns_mode: host
    volumes:
    - /docker-config-mount/sites/localhost/fail2ban/config/sshd:/data:rw
    - /var/log:/var/log:ro
    - /etc/localtime:/etc/localtime:ro
    - /usr/share/zoneinfo:/usr/share/zoneinfo:ro

  # fail2ban watching traefik logs; bans go into DOCKER-USER, the chain Docker
  # evaluates before its own forwarding rules for traffic to containers
  fail2ban-traefik:
    cap_add:
    - NET_ADMIN
    - NET_RAW
    container_name: fail2ban_traefik
    environment:
      APP_SVC_NAME: fail2ban_traefik
      F2B_ACTION: '%(action_mwl)s'
      F2B_DB_PURGE_AGE: 3d
      F2B_DEST_EMAIL: *****
      F2B_IPTABLES_CHAIN: DOCKER-USER
      F2B_LOG_LEVEL: INFO
      F2B_LOG_TARGET: STDOUT
      F2B_MAX_RETRY: '4'
      F2B_SENDER: *****
      SSMTP_HOST: *****
      SSMTP_HOSTNAME: *****
      SSMTP_PASSWORD: *****
      SSMTP_PORT: '587'
      SSMTP_TLS: "YES"
      SSMTP_USER: *****
      TZ: America/Toronto
    image: crazymax/fail2ban:latest
    labels:
      com.centurylinklabs.watchtower.monitor-only: "true"
    network_mode: host
    restart: unless-stopped
    userns_mode: host
    volumes:
    - /var/log:/var/log:ro
    - /docker-config-mount/sites/localhost/fail2ban/config/traefik:/data:rw
    - /etc/localtime:/etc/localtime:ro
    - /usr/share/zoneinfo:/usr/share/zoneinfo:ro
```

@beardstack (Author) left a comment

No harm in using 755

@@ -1,3 +1,4 @@
#What is this ip?
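Review bot: the one line this hunk adds, `#What is this ip?`, commits an open question into the file as a comment rather than recording it somewhere it can be resolved; leave it out of the change and open a separate issue for the question, so the item is tracked and closed once answered and the file only carries comments that explain what the code does.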
Contributor

please make separate issues for each of these questions instead of in a git commit on a PR so they are tracked and we can close them as they get addressed.

Author

Sounds good! I figured out a number of things on my own but I'm not sure how to close the PR - Please do if you can.
