Some code refactoring for the dockerfiles.

lokinet/contrib/lokinet-auth.ini

@@ -1,3 +1,4 @@
+#What is this ip?
 [network]
 auth=lmq
-auth-lmq=tcp://10.0.3.1:5555
+auth-lmq=tcp://10.0.3.1:5555 

lokinet/contrib/lokinet-authserv.service

@@ -1,3 +1,11 @@
+# where is logic.py coming from? 
+# /var/lib/lokinet-exit-provider/logic.py
+# what is the format/options of /data/lokinet-exit-broker.env / what are it's default contents?
+# I assume that it's an authentication server of some kind for the exit node
+# I could be wrong but I believe that this is meant to behave as a separate authenticaton server
+# if it is then when running without systemd, then maybe I'd want to run it in a separate container. 
+
+
 [Unit]
 Description=Lokinet authserv: exit authentication server
 Wants=network.target
@@ -12,4 +20,4 @@ ExecStart=/usr/bin/python3 -m lokinet.auth --cmd /var/lib/lokinet-exit-provider/
 Restart=always
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target

lokinet/contrib/lokinet-exit-broker.service

@@ -1,3 +1,6 @@
+# Need some clarification on what this does.
+
+
 [Unit]
 Description=Lokinet exit broker: exit broker webapp thing
 Wants=nginx.service
@@ -12,4 +15,4 @@ ExecStart=/usr/bin/gunicorn3 exit_broker:app
 Restart=always
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target

lokinet/contrib/lokinet-exit-rc.local.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 
 # wait for lokinet
+# to do what? How can we tell if lokinet has done what it needs to do?
 sleep 10
 
 # flush iptables
@@ -18,6 +19,8 @@ if_range=$(ip addr show $if_name | grep inet\  | sed 's/inet //' | cut -d' ' -f5
 # add ipv4 forward rule
 iptables -t nat -A POSTROUTING -s $if_range -o $exit_if -j MASQUERADE
 
+
+#I'm not sure what the loop below is supposed to do. It only runs once on port 25?
 # drop outbound ports
 for port in 25 ; do
         iptables -A FORWARD -p tcp --dport $port -j REJECT --reject-with tcp-reset -s $if_range

lokinet/contrib/lokinet-exit-sysctl.conf

@@ -1,3 +1,10 @@
+# This file can become redundant when using compose.
+#    sysctls:
+#      - net.ipv4.ip_forward=1
+#      - net.ipv6.conf.all.forwarding=1
+#
+
+
 # ip forwarding allowed
 net.ipv4.ip_forward=1
-net.ipv6.conf.all.forwarding=1
+net.ipv6.conf.all.forwarding=1

lokinet/contrib/lokinet-exit.crontab

@@ -1,3 +1,7 @@
+# This file could become redundant together with the usage of cron; since it's repeating continously - why not use an infinite loop for the address update?
+# 
+# lokinet-kill-scans.sh script seems like a bad idea .. details in the file
+
 # lokinet exit cronjobs
 
 SHELL=/bin/bash

lokinet/contrib/lokinet-exit.ini

@@ -1,3 +1,7 @@
+# This file could also become redundant if we have a script generate run time values based on arguments/env variables/docker secrets
+# I am not sure what other options can be configured. 
+
+
 [network]
 exit=true
 keyfile=/data/exit.private
@@ -6,4 +10,4 @@ paths=8
 
 [router]
 min-connections=18
-max-connections=20
+max-connections=20

lokinet/contrib/lokinet-firewall.crontab

@@ -1,3 +1,11 @@
+# it seems that the purpose of this cronjob is to download/apply a block list through iptables
+# This is problematic for several reasons
+# 1. Some legit IPs could be blocked and would be hard to find 
+# 2. Running it is not optional
+# 3. Rather than run in the 'container', it should run separately inside a privileged container using the host namespace, the reason being 
+# that the container is attached to DOCKER-USER chain instead of INPUT, the rules will be applied only to containers. 
+# any packets coming into the INPUT chain will bypass these rules that now reside under the FORWARD chain.
+
 # lokinet firewall cronjobs
 
 SHELL=/bin/bash

lokinet/contrib/lokinet-kill-scans.sh

@@ -1,7 +1,12 @@
 #!/bin/bash
 #
 # run every minute with cron
-#
+# If I understand correctly, this script is responsible for blocking IPs that are attempting to DDOS the server with SYN FLOOD type attacks.
+# There are some issues with this script, it would be much better to implement it using fail2ban with an expiry time, ability to whitelist and notify
+# I could be wrong but it could cause an issue if the SYN/ACK packets are coming from IPs masquerading as legit SNs as a way to impact the network?
+# https://serverfault.com/questions/640873/how-to-ban-syn-flood-attacks-using-fail2ban
+# This seems like a more elegant solution
+
 
 for ip  in $( conntrack -p tcp -L | grep SYN_SENT | cut -d'=' -f 2 | cut -d' ' -f 1 | sort | uniq -c | awk '$1 > 1000 { print $2 ; }' ) ; do
         echo "banning $ip"

lokinet/contrib/lokinet-nginx.ini

@@ -1,2 +1,4 @@
+#What is the purpose of this file?
+
 [network]
 keyfile=/data/nginx.private

lokinet/contrib/lokinet-update-exit-address.sh

@@ -1,3 +1,6 @@
+# what is the purpose of the lokinet-addr.txt file?
+# what process uses it?
+
 #!/bin/bash
 print-lokinet-address.sh > /data/lokinet-addr.txt
 chmod 444 /data/lokinet-addr.txt

lokinet/contrib/lokinet-update-firewall.sh

@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# There's definitely a better way to do this.
+
 # get lokinet's address
 if_name=lokitun0
 if_range=$(ip addr show $if_name | grep inet\  | sed 's/inet //' | cut -d' ' -f5)

lokinet/lokinet-base.dockerfile

@@ -1,24 +1,33 @@
-FROM debian:stable AS lokinet-base
+#use argument instead of lsb-release
+ARG DEBIAN_RELEASE=bullseye 
+
+FROM debian:${DEBIAN_RELEASE}-slim AS lokinet-base
 ENV container docker
+
+ENV RELEASE=${DEBIAN_RELEASE:-bullseye}
+#Add oxen public key 
+ADD --chmod=644 --chown=_apt https://deb.oxen.io/pub.gpg /etc/apt/trusted.gpg.d/lokinet.gpg
+
 # set up packages
-RUN /bin/bash -c 'echo "man-db man-db/auto-update boolean false" | debconf-set-selections'
-RUN /bin/bash -c 'apt-get -o=Dpkg::Use-Pty=0 -q update && apt-get -o=Dpkg::Use-Pty=0 -q dist-upgrade -y && apt-get -o=Dpkg::Use-Pty=0 -q install -y --no-install-recommends ca-certificates curl iptables dnsutils lsb-release systemd systemd-sysv cron conntrack iproute2 python3-pip wget'
-RUN /bin/bash -c 'curl -so /etc/apt/trusted.gpg.d/lokinet.gpg https://deb.oxen.io/pub.gpg'
-RUN /bin/bash -c 'echo "deb https://deb.oxen.io $(lsb_release -sc) main" > /etc/apt/sources.list.d/lokinet.list'
-RUN /bin/bash -c 'apt-get -o=Dpkg::Use-Pty=0 -q update && apt-get -o=Dpkg::Use-Pty=0 -q dist-upgrade -y && apt-get -o=Dpkg::Use-Pty=0 -q install -y --no-install-recommends lokinet'
+RUN DEBIAN_FRONTEND=noninteractive \
+    && echo "deb https://deb.oxen.io ${RELEASE} main" > /etc/apt/sources.list.d/lokinet.list \     
+    && echo "man-db man-db/auto-update boolean false" | debconf-set-selections \
+    && apt-get update -y \
+    && apt-get dist-upgrade -y \
+    && apt-get install -y --no-install-recommends ca-certificates iptables dnsutils systemd systemd-sysv cron conntrack iproute2 \
+    && apt-get update -y \    
+    && apt-get install -y --no-install-recommends lokinet \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/* \
+    && mkdir -p /var/lib/lokinet/conf.d \
+    && mkdir /data && chown _lokinet:_loki /data
 
-# make config dir for lokinet
-RUN /bin/bash -c 'mkdir -p /var/lib/lokinet/conf.d'
-# set up private data dir for lokinet
-RUN /bin/bash -c 'mkdir /data && chown _lokinet:_loki /data'
 
 # print lokinet util
-COPY contrib/print-lokinet-address.sh /usr/local/bin/print-lokinet-address.sh
-RUN /bin/bash -c 'chmod 700 /usr/local/bin/print-lokinet-address.sh'
+COPY --chmod=755 contrib/print-lokinet-address.sh /usr/local/bin/print-lokinet-address.sh
 
 # dns
-COPY contrib/lokinet.resolveconf.txt /etc/resolv.conf
-RUN /bin/bash -c 'chmod 644 /etc/resolv.conf'
+COPY --chmod=644 contrib/lokinet.resolveconf.txt /etc/resolv.conf
 
 STOPSIGNAL SIGRTMIN+3
 ENTRYPOINT ["/sbin/init", "verbose", "systemd.unified_cgroup_hierarchy=0", "systemd.legacy_systemd_cgroup_controller=0"]

lokinet/lokinet-exit-custom.dockerfile

@@ -1,3 +1,3 @@
 FROM registry.oxen.rocks/lokinet-exit:latest
 
-RUN /bin/bash -c 'ln -s /var/lib/lokinet/conf.d/custom.ini /data/custom.ini'
+RUN ln -s /var/lib/lokinet/conf.d/custom.ini /data/custom.ini

lokinet/lokinet-exit.dockerfile

@@ -5,17 +5,11 @@ COPY contrib/lokinet-exit.ini /var/lib/lokinet/conf.d/exit.ini
 
 # set up system configs
 COPY contrib/lokinet-exit-sysctl.conf /etc/sysctl.d/00-lokinet-exit.conf
-COPY contrib/lokinet-exit-rc.local.sh /etc/rc.local
-RUN /bin/bash -c 'chmod 700 /etc/rc.local'
-
-COPY contrib/print-lokinet-address.sh /usr/local/bin/print-lokinet-address.sh
-RUN /bin/bash -c 'chmod 700 /usr/local/bin/print-lokinet-address.sh'
+COPY --chmod=700 contrib/lokinet-exit-rc.local.sh /etc/rc.local
 
 # setup cron jobs
-COPY contrib/lokinet-kill-scans.sh /usr/local/bin/lokinet-kill-scans.sh
-RUN /bin/bash -c 'chmod 700 /usr/local/bin/lokinet-kill-scans.sh'
-COPY contrib/lokinet-update-exit-address.sh /usr/local/bin/lokinet-update-exit-address.sh
-RUN /bin/bash -c 'chmod 700 /usr/local/bin/lokinet-update-exit-address.sh'
+COPY --chmod=700 contrib/lokinet-kill-scans.sh /usr/local/sbin/lokinet-kill-scans.sh
+COPY --chmod=700 contrib/lokinet-update-exit-address.sh /usr/local/sbin/lokinet-update-exit-address.sh
+
+COPY --chmod=644 contrib/lokinet-exit.crontab /etc/cron.d/lokinet-exit
 
-COPY contrib/lokinet-exit.crontab /etc/cron.d/lokinet-exit
-RUN /bin/bash -c 'chmod 644 /etc/cron.d/lokinet-exit'

lokinet/lokinet-nginx.dockerfile

@@ -1,6 +1,9 @@
 FROM registry.oxen.rocks/lokinet-base:latest
 
-RUN /bin/bash -c 'apt-get -o=Dpkg::Use-Pty=0 -q update && apt-get -o=Dpkg::Use-Pty=0 -q dist-upgrade -y && apt-get -o=Dpkg::Use-Pty=0 -q install -y --no-install-recommends nginx'
+RUN DEBIAN_FRONTEND=noninteractive \
+    && apt-get update -y \
+    && apt-get dist-upgrade -y \
+    && apt-get install -y --no-install-recommends nginx
 
 # set up configs for lokinet nginx
 COPY contrib/lokinet-nginx.ini /var/lib/lokinet/conf.d/nginx.ini