Posted to dev@guacamole.apache.org by GitBox <gi...@apache.org> on 2020/06/25 15:52:55 UTC

[GitHub] [guacamole-server] IT-Experte opened a new pull request #292: GUACAMOLE-1110: Size and security improvements for Docker images

IT-Experte opened a new pull request #292:
URL: https://github.com/apache/guacamole-server/pull/292


   Docker image size will be reduced by installing only package dependencies (without recommendations). The guacd process runs as a non-privileged user and will be checked by netcat.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [guacamole-server] benrubson commented on pull request #292: GUACAMOLE-1110: Size and security improvements for Docker images

Posted by GitBox <gi...@apache.org>.
benrubson commented on pull request #292:
URL: https://github.com/apache/guacamole-server/pull/292#issuecomment-739503033


   Please see https://github.com/apache/guacamole-server/pull/314 which completes this, creating a proper group for the `guacd` service user. Thx 👍





[GitHub] [guacamole-server] IT-Experte commented on a change in pull request #292: GUACAMOLE-1110: Size and security improvements for Docker images

Posted by GitBox <gi...@apache.org>.
IT-Experte commented on a change in pull request #292:
URL: https://github.com/apache/guacamole-server/pull/292#discussion_r447120625



##########
File path: Dockerfile
##########
@@ -100,15 +101,21 @@ ARG RUNTIME_DEPENDENCIES="            \
 COPY --from=builder ${PREFIX_DIR} ${PREFIX_DIR}
 
 # Bring runtime environment up to date and install runtime dependencies
-RUN apt-get update                                          && \
-    apt-get install -y $RUNTIME_DEPENDENCIES                && \
-    apt-get install -y $(cat "${PREFIX_DIR}"/DEPENDENCIES)  && \
+RUN apt-get update                                                                  && \
+    apt-get install -y --no-install-recommends $RUNTIME_DEPENDENCIES                && \
+    apt-get install -y --no-install-recommends $(cat "${PREFIX_DIR}"/DEPENDENCIES)  && \
     rm -rf /var/lib/apt/lists/*
 
 # Link FreeRDP plugins into proper path
 RUN ${PREFIX_DIR}/bin/link-freerdp-plugins.sh \
         ${PREFIX_DIR}/lib/freerdp2/libguac*.so
 
+# Checks the operating status every 5 minutes with a timeout of 5 seconds
+HEALTHCHECK --interval=5m --timeout=5s CMD nc -z 127.0.0.1 4822 || exit 1
+
+# Run with user nobody
+USER nobody
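Review bot: `USER nobody` at the end of the hunk runs guacd as an account whose home directory on Debian is `/nonexistent`, and FreeRDP checks at initialization that the current user's home is writable (the warning quoted in this thread), so RDP sessions can fail under that account. Suggest creating a dedicated service user with a writable home before the `USER` line, e.g. `RUN useradd --system --create-home --home-dir /home/guacd guacd` followed by `USER guacd`, which is what the later revision of this PR reports doing. Also, the new `HEALTHCHECK` depends on `nc` being present in the runtime image, but the hunk does not show netcat being added to `RUNTIME_DEPENDENCIES`; please confirm the package (netcat-openbsd, per the size discussion) is in that list, since a missing `nc` makes every probe fail and marks the container unhealthy.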

Review comment:
       I tested Debian 10 (stable) with (libfreerdp2.0.0~git20190204) and Debian 11 (testing) with (libfreerdp2.1.1 dfsg1-1 b1).
   
   Guacd 1.2 and libfreerdp2.0 are working well. Guacd prints a warning message, but file transfer and clipboard are working. Guacd 1.2 and libfreerdp2.1.1 are not working.
   
   Should I change the user "Nobody" to a new user "guacd" with a writable home directory?
   
   ----
   WARNING:	FreeRDP initialization may fail: Writability of the current user's home directory ("/nonexistent") could not be determined: No such file or directory







[GitHub] [guacamole-server] mike-jumper merged pull request #292: GUACAMOLE-1110: Size and security improvements for Docker images

Posted by GitBox <gi...@apache.org>.
mike-jumper merged pull request #292:
URL: https://github.com/apache/guacamole-server/pull/292


   





[GitHub] [guacamole-server] IT-Experte commented on a change in pull request #292: GUACAMOLE-1110: Size and security improvements for Docker images

Posted by GitBox <gi...@apache.org>.
IT-Experte commented on a change in pull request #292:
URL: https://github.com/apache/guacamole-server/pull/292#discussion_r446032160



##########
File path: Dockerfile
##########
@@ -100,15 +101,21 @@ ARG RUNTIME_DEPENDENCIES="            \
 COPY --from=builder ${PREFIX_DIR} ${PREFIX_DIR}
 
 # Bring runtime environment up to date and install runtime dependencies
-RUN apt-get update                                          && \
-    apt-get install -y $RUNTIME_DEPENDENCIES                && \
-    apt-get install -y $(cat "${PREFIX_DIR}"/DEPENDENCIES)  && \
+RUN apt-get update                                                                  && \
+    apt-get install -y --no-install-recommends $RUNTIME_DEPENDENCIES                && \
+    apt-get install -y --no-install-recommends $(cat "${PREFIX_DIR}"/DEPENDENCIES)  && \
     rm -rf /var/lib/apt/lists/*
 
 # Link FreeRDP plugins into proper path
 RUN ${PREFIX_DIR}/bin/link-freerdp-plugins.sh \
         ${PREFIX_DIR}/lib/freerdp2/libguac*.so
 
+# Checks the operating status every 5 minutes with a timeout of 5 seconds
+HEALTHCHECK --interval=5m --timeout=5s CMD nc -z 127.0.0.1 4822 || exit 1

Review comment:
       Yes, it works too, but you have to install the package iproute2 for the program ss. This package needs 4204 kB of additional disk space. The package netcat-openbsd only consumes 114 kB.







Re: [GitHub] [guacamole-server] IT-Experte opened a new pull request #292: GUACAMOLE-1110: Size and security improvements for Docker images

Posted by Priyanka Chaturvedi <pr...@deeplogictech.com>.
Please unsubscribe me from the mailing list.

On Thu, Jun 25, 2020 at 9:22 PM GitBox <gi...@apache.org> wrote:

>
> IT-Experte opened a new pull request #292:
> URL: https://github.com/apache/guacamole-server/pull/292
>
>
>    Docker image size will be reduced by installing only package dependencies
> (without recommendations). The guacd process runs as a non-privileged user
> and will be checked by netcat.

-- 
Thanks
Priyanka Chaturvedi

[GitHub] [guacamole-server] necouchman commented on a change in pull request #292: GUACAMOLE-1110: Size and security improvements for Docker images

Posted by GitBox <gi...@apache.org>.
necouchman commented on a change in pull request #292:
URL: https://github.com/apache/guacamole-server/pull/292#discussion_r446368401



##########
File path: Dockerfile
##########
@@ -100,15 +101,21 @@ ARG RUNTIME_DEPENDENCIES="            \
 COPY --from=builder ${PREFIX_DIR} ${PREFIX_DIR}
 
 # Bring runtime environment up to date and install runtime dependencies
-RUN apt-get update                                          && \
-    apt-get install -y $RUNTIME_DEPENDENCIES                && \
-    apt-get install -y $(cat "${PREFIX_DIR}"/DEPENDENCIES)  && \
+RUN apt-get update                                                                  && \
+    apt-get install -y --no-install-recommends $RUNTIME_DEPENDENCIES                && \
+    apt-get install -y --no-install-recommends $(cat "${PREFIX_DIR}"/DEPENDENCIES)  && \
     rm -rf /var/lib/apt/lists/*
 
 # Link FreeRDP plugins into proper path
 RUN ${PREFIX_DIR}/bin/link-freerdp-plugins.sh \
         ${PREFIX_DIR}/lib/freerdp2/libguac*.so
 
+# Checks the operating status every 5 minutes with a timeout of 5 seconds
+HEALTHCHECK --interval=5m --timeout=5s CMD nc -z 127.0.0.1 4822 || exit 1
+
+# Run with user nobody
+USER nobody

Review comment:
       The current Guacamole image uses a FreeRDP 2.x build, so it's really just a matter of verifying that the `nobody` account within the Docker image has a writable home directory, and that FreeRDP connections work as expected after this change.  If you've verified that both of those are the case, then that's fine - just want to be sure.







[GitHub] [guacamole-server] IT-Experte commented on a change in pull request #292: GUACAMOLE-1110: Size and security improvements for Docker images

Posted by GitBox <gi...@apache.org>.
IT-Experte commented on a change in pull request #292:
URL: https://github.com/apache/guacamole-server/pull/292#discussion_r447593441



##########
File path: Dockerfile
##########
@@ -100,15 +101,21 @@ ARG RUNTIME_DEPENDENCIES="            \
 COPY --from=builder ${PREFIX_DIR} ${PREFIX_DIR}
 
 # Bring runtime environment up to date and install runtime dependencies
-RUN apt-get update                                          && \
-    apt-get install -y $RUNTIME_DEPENDENCIES                && \
-    apt-get install -y $(cat "${PREFIX_DIR}"/DEPENDENCIES)  && \
+RUN apt-get update                                                                  && \
+    apt-get install -y --no-install-recommends $RUNTIME_DEPENDENCIES                && \
+    apt-get install -y --no-install-recommends $(cat "${PREFIX_DIR}"/DEPENDENCIES)  && \
     rm -rf /var/lib/apt/lists/*
 
 # Link FreeRDP plugins into proper path
 RUN ${PREFIX_DIR}/bin/link-freerdp-plugins.sh \
         ${PREFIX_DIR}/lib/freerdp2/libguac*.so
 
+# Checks the operating status every 5 minutes with a timeout of 5 seconds
+HEALTHCHECK --interval=5m --timeout=5s CMD nc -z 127.0.0.1 4822 || exit 1
+
+# Run with user nobody
+USER nobody

Review comment:
       At the time of image creation, a new user is created to run the process. File Transfer works without any warning into logs (in both directions).







[GitHub] [guacamole-server] IT-Experte commented on a change in pull request #292: GUACAMOLE-1110: Size and security improvements for Docker images

Posted by GitBox <gi...@apache.org>.
IT-Experte commented on a change in pull request #292:
URL: https://github.com/apache/guacamole-server/pull/292#discussion_r446033805



##########
File path: Dockerfile
##########
@@ -100,15 +101,21 @@ ARG RUNTIME_DEPENDENCIES="            \
 COPY --from=builder ${PREFIX_DIR} ${PREFIX_DIR}
 
 # Bring runtime environment up to date and install runtime dependencies
-RUN apt-get update                                          && \
-    apt-get install -y $RUNTIME_DEPENDENCIES                && \
-    apt-get install -y $(cat "${PREFIX_DIR}"/DEPENDENCIES)  && \
+RUN apt-get update                                                                  && \
+    apt-get install -y --no-install-recommends $RUNTIME_DEPENDENCIES                && \
+    apt-get install -y --no-install-recommends $(cat "${PREFIX_DIR}"/DEPENDENCIES)  && \
     rm -rf /var/lib/apt/lists/*
 
 # Link FreeRDP plugins into proper path
 RUN ${PREFIX_DIR}/bin/link-freerdp-plugins.sh \
         ${PREFIX_DIR}/lib/freerdp2/libguac*.so
 
+# Checks the operating status every 5 minutes with a timeout of 5 seconds
+HEALTHCHECK --interval=5m --timeout=5s CMD nc -z 127.0.0.1 4822 || exit 1
+
+# Run with user nobody
+USER nobody

Review comment:
       I will check this out and switch to the Debian branch testing, which includes FreeRDP 2.0. (ARG DEBIAN_VERSION=testing)







[GitHub] [guacamole-server] mike-jumper commented on a change in pull request #292: GUACAMOLE-1110: Size and security improvements for Docker images

Posted by GitBox <gi...@apache.org>.
mike-jumper commented on a change in pull request #292:
URL: https://github.com/apache/guacamole-server/pull/292#discussion_r447171293



##########
File path: Dockerfile
##########
@@ -100,15 +101,21 @@ ARG RUNTIME_DEPENDENCIES="            \
 COPY --from=builder ${PREFIX_DIR} ${PREFIX_DIR}
 
 # Bring runtime environment up to date and install runtime dependencies
-RUN apt-get update                                          && \
-    apt-get install -y $RUNTIME_DEPENDENCIES                && \
-    apt-get install -y $(cat "${PREFIX_DIR}"/DEPENDENCIES)  && \
+RUN apt-get update                                                                  && \
+    apt-get install -y --no-install-recommends $RUNTIME_DEPENDENCIES                && \
+    apt-get install -y --no-install-recommends $(cat "${PREFIX_DIR}"/DEPENDENCIES)  && \
     rm -rf /var/lib/apt/lists/*
 
 # Link FreeRDP plugins into proper path
 RUN ${PREFIX_DIR}/bin/link-freerdp-plugins.sh \
         ${PREFIX_DIR}/lib/freerdp2/libguac*.so
 
+# Checks the operating status every 5 minutes with a timeout of 5 seconds
+HEALTHCHECK --interval=5m --timeout=5s CMD nc -z 127.0.0.1 4822 || exit 1
+
+# Run with user nobody
+USER nobody

Review comment:
       > Should I change the user "Nobody" to a new user "guacd" with a writable home directory?
   
   Yes. That warning is important and things will likely unexpectedly fail. This shouldn't be the default behavior of the image.







[GitHub] [guacamole-server] necouchman commented on a change in pull request #292: GUACAMOLE-1110: Size and security improvements for Docker images

Posted by GitBox <gi...@apache.org>.
necouchman commented on a change in pull request #292:
URL: https://github.com/apache/guacamole-server/pull/292#discussion_r445781293



##########
File path: Dockerfile
##########
@@ -100,15 +101,21 @@ ARG RUNTIME_DEPENDENCIES="            \
 COPY --from=builder ${PREFIX_DIR} ${PREFIX_DIR}
 
 # Bring runtime environment up to date and install runtime dependencies
-RUN apt-get update                                          && \
-    apt-get install -y $RUNTIME_DEPENDENCIES                && \
-    apt-get install -y $(cat "${PREFIX_DIR}"/DEPENDENCIES)  && \
+RUN apt-get update                                                                  && \
+    apt-get install -y --no-install-recommends $RUNTIME_DEPENDENCIES                && \
+    apt-get install -y --no-install-recommends $(cat "${PREFIX_DIR}"/DEPENDENCIES)  && \
     rm -rf /var/lib/apt/lists/*
 
 # Link FreeRDP plugins into proper path
 RUN ${PREFIX_DIR}/bin/link-freerdp-plugins.sh \
         ${PREFIX_DIR}/lib/freerdp2/libguac*.so
 
+# Checks the operating status every 5 minutes with a timeout of 5 seconds
+HEALTHCHECK --interval=5m --timeout=5s CMD nc -z 127.0.0.1 4822 || exit 1

Review comment:
       My Docker knowledge is fairly limited, so forgive me if this is an ignorant question, but is this a generally acceptable method for doing healthchecks?  Is there some advantage to this kind of healthcheck over something like:
   ```
   ss -tnlp|grep -q 4822 || exit 1
   ```
   ?

##########
File path: Dockerfile
##########
@@ -100,15 +101,21 @@ ARG RUNTIME_DEPENDENCIES="            \
 COPY --from=builder ${PREFIX_DIR} ${PREFIX_DIR}
 
 # Bring runtime environment up to date and install runtime dependencies
-RUN apt-get update                                          && \
-    apt-get install -y $RUNTIME_DEPENDENCIES                && \
-    apt-get install -y $(cat "${PREFIX_DIR}"/DEPENDENCIES)  && \
+RUN apt-get update                                                                  && \
+    apt-get install -y --no-install-recommends $RUNTIME_DEPENDENCIES                && \
+    apt-get install -y --no-install-recommends $(cat "${PREFIX_DIR}"/DEPENDENCIES)  && \
     rm -rf /var/lib/apt/lists/*
 
 # Link FreeRDP plugins into proper path
 RUN ${PREFIX_DIR}/bin/link-freerdp-plugins.sh \
         ${PREFIX_DIR}/lib/freerdp2/libguac*.so
 
+# Checks the operating status every 5 minutes with a timeout of 5 seconds
+HEALTHCHECK --interval=5m --timeout=5s CMD nc -z 127.0.0.1 4822 || exit 1
+
+# Run with user nobody
+USER nobody

Review comment:
       I'm curious if this will work with FreeRDP 2.x in this particular Docker environment, particularly given the issues we've seen with FreeRDP requiring a writable home directory for the user (including the user running guacd)?






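A deeper health check than the `nc -z` port probe debated above, which also covers the writable-home requirement behind the FreeRDP warning elsewhere in this thread, as an added example that is not code from PR #292 or the guacamole-server project. It assumes POSIX sh, netcat-openbsd (for `nc -w`), guacd on 127.0.0.1:4822, that Docker runs the HEALTHCHECK as the image's USER, and a hypothetical `GUACD_HEALTHCHECK_RUN` switch that triggers the probe.

```shell
#!/bin/sh
# Added example (not from PR #292 or guacamole-server): a guacd HEALTHCHECK
# script that (1) verifies the home directory of the user guacd runs as is
# writable, the condition FreeRDP warns about, and (2) sends the first
# Guacamole protocol handshake instruction ("select") and requires guacd to
# answer with an "args" instruction, so the daemon is known to be serving,
# not merely listening.
# Assumed: POSIX sh, netcat-openbsd, guacd on 127.0.0.1:4822, and the
# hypothetical GUACD_HEALTHCHECK_RUN=1 switch that runs the probe.

GUACD_HOST="${GUACD_HOST:-127.0.0.1}"
GUACD_PORT="${GUACD_PORT:-4822}"

# True if $1 is an existing, writable directory (what FreeRDP needs from HOME).
home_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Encode a Guacamole instruction: elements are "<length>.<value>", joined by
# ",", terminated by ";".   guac_instr select vnc  ->  6.select,3.vnc;
guac_instr() {
    out=""
    for e in "$@"; do
        out="${out}${out:+,}${#e}.${e}"
    done
    printf '%s;' "$out"
}

# Print the opcode (first element) of a Guacamole instruction, or return 1 if
# the text does not start with "<len>.<opcode>" whose length field matches.
guac_opcode() {
    len="${1%%.*}"
    case "$len" in ''|0|*[!0-9]*) return 1 ;; esac
    op=$(printf '%s' "${1#*.}" | cut -c1-"$len")
    [ "${#op}" -eq "$len" ] || return 1
    printf '%s' "$op"
}

# Full check: writable HOME, then a "select" handshake answered by "args".
# nc -w 3 closes the idle connection after guacd's reply; keep the Docker
# HEALTHCHECK --timeout above that value.
guacd_healthy() {
    home_writable "${HOME:-/nonexistent}" || return 1
    reply=$(guac_instr select vnc | nc -w 3 "$GUACD_HOST" "$GUACD_PORT" 2>/dev/null)
    [ "$(guac_opcode "$reply")" = "args" ]
}

# As a Docker HEALTHCHECK CMD: exit 0 = healthy, 1 = unhealthy.
if [ "${GUACD_HEALTHCHECK_RUN:-0}" = 1 ]; then
    guacd_healthy || exit 1
fi
```

Each probe opens and abandons one handshake, so guacd logs a short-lived connection every interval; at the 5-minute interval in the PR that is negligible.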

[GitHub] [guacamole-server] IT-Experte commented on a change in pull request #292: GUACAMOLE-1110: Size and security improvements for Docker images

Posted by GitBox <gi...@apache.org>.
IT-Experte commented on a change in pull request #292:
URL: https://github.com/apache/guacamole-server/pull/292#discussion_r446033805



##########
File path: Dockerfile
##########
@@ -100,15 +101,21 @@ ARG RUNTIME_DEPENDENCIES="            \
 COPY --from=builder ${PREFIX_DIR} ${PREFIX_DIR}
 
 # Bring runtime environment up to date and install runtime dependencies
-RUN apt-get update                                          && \
-    apt-get install -y $RUNTIME_DEPENDENCIES                && \
-    apt-get install -y $(cat "${PREFIX_DIR}"/DEPENDENCIES)  && \
+RUN apt-get update                                                                  && \
+    apt-get install -y --no-install-recommends $RUNTIME_DEPENDENCIES                && \
+    apt-get install -y --no-install-recommends $(cat "${PREFIX_DIR}"/DEPENDENCIES)  && \
     rm -rf /var/lib/apt/lists/*
 
 # Link FreeRDP plugins into proper path
 RUN ${PREFIX_DIR}/bin/link-freerdp-plugins.sh \
         ${PREFIX_DIR}/lib/freerdp2/libguac*.so
 
+# Checks the operating status every 5 minutes with a timeout of 5 seconds
+HEALTHCHECK --interval=5m --timeout=5s CMD nc -z 127.0.0.1 4822 || exit 1
+
+# Run with user nobody
+USER nobody

Review comment:
       I will check this out and switch to the Debian branch testing, which includes FreeRDP 2.1.1. (ARG DEBIAN_VERSION=testing)







[GitHub] [guacamole-server] necouchman commented on a change in pull request #292: GUACAMOLE-1110: Size and security improvements for Docker images

Posted by GitBox <gi...@apache.org>.
necouchman commented on a change in pull request #292:
URL: https://github.com/apache/guacamole-server/pull/292#discussion_r446367713



##########
File path: Dockerfile
##########
@@ -100,15 +101,21 @@ ARG RUNTIME_DEPENDENCIES="            \
 COPY --from=builder ${PREFIX_DIR} ${PREFIX_DIR}
 
 # Bring runtime environment up to date and install runtime dependencies
-RUN apt-get update                                          && \
-    apt-get install -y $RUNTIME_DEPENDENCIES                && \
-    apt-get install -y $(cat "${PREFIX_DIR}"/DEPENDENCIES)  && \
+RUN apt-get update                                                                  && \
+    apt-get install -y --no-install-recommends $RUNTIME_DEPENDENCIES                && \
+    apt-get install -y --no-install-recommends $(cat "${PREFIX_DIR}"/DEPENDENCIES)  && \
     rm -rf /var/lib/apt/lists/*
 
 # Link FreeRDP plugins into proper path
 RUN ${PREFIX_DIR}/bin/link-freerdp-plugins.sh \
         ${PREFIX_DIR}/lib/freerdp2/libguac*.so
 
+# Checks the operating status every 5 minutes with a timeout of 5 seconds
+HEALTHCHECK --interval=5m --timeout=5s CMD nc -z 127.0.0.1 4822 || exit 1

Review comment:
       Okay, fair enough.



