pohui_pohui/firmware
1
0
Fork 0
mirror of https://github.com/meshtastic/firmware.git synced 2025-02-08 05:31:25 +00:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity

Fix for Dockerfile-related security defects and rewrite to follow best practices

Browse Source
This commit is contained in:
Dmitry Galenko 2022-11-20 12:57:55 +01:00
parent 48ea54748f
commit 0e04bea39e
1 changed files with 38 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
Dockerfile
View File

@ -1,15 +1,41 @@
FROM debian:bullseye-slim AS builder FROM debian:bullseye-slim AS builder
RUN apt-get update
RUN DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC apt-get -y install wget python3 g++ zip python3-venv git vim ENV DEBIAN_FRONTEND=noninteractive
RUN wget https://raw.githubusercontent.com/platformio/platformio-core-installer/master/get-platformio.py -O get-platformio.py; chmod +x get-platformio.py ENV TZ=Etc/UTC
RUN python3 get-platformio.py
RUN git clone https://github.com/meshtastic/firmware --recurse-submodules # http://bugs.python.org/issue19846
RUN cd firmware # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
RUN chmod +x ./firmware/bin/build-native.sh ENV LANG C.UTF-8
RUN . ~/.platformio/penv/bin/activate; cd firmware; sh ./bin/build-native.sh
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# Install build deps
USER root
RUN apt-get update && \
apt-get -y install wget python3 g++ zip python3-venv git vim ca-certificates
# create a non-priveleged user & group
RUN groupadd -g 1000 mesh && useradd -ml -u 1000 -g 1000 mesh
USER mesh
RUN wget https://raw.githubusercontent.com/platformio/platformio-core-installer/master/get-platformio.py -qO /tmp/get-platformio.py && \
chmod +x /tmp/get-platformio.py && \
python3 /tmp/get-platformio.py && \
git clone https://github.com/meshtastic/firmware --recurse-submodules /tmp/firmware && \
cd /tmp/firmware && \
chmod +x /tmp/firmware/bin/build-native.sh && \
source ~/.platformio/penv/bin/activate && \
./bin/build-native.sh
FROM frolvlad/alpine-glibc FROM frolvlad/alpine-glibc
WORKDIR /root/
COPY --from=builder /firmware/release/meshtasticd_linux_amd64 ./ RUN apk --update add --no-cache g++ shadow && \
RUN apk --update add --no-cache g++ groupadd -g 1000 mesh && useradd -ml -u 1000 -g 1000 mesh
COPY --from=builder /tmp/firmware/release/meshtasticd_linux_amd64 /home/mesh/
USER mesh
WORKDIR /home/mesh
CMD sh -cx "./meshtasticd_linux_amd64 --hwid '$RANDOM'" CMD sh -cx "./meshtasticd_linux_amd64 --hwid '$RANDOM'"
HEALTHCHECK NONE