Unverified Commit 36208ce4 authored by Oliver's avatar Oliver

docker: Add initial docker configuration


This commit adds a Dockerfile, allowing us to create docker containers
to offer official docker container images.

Signed-off-by: default avatarOlliver Schinagl <oliver@schinagl.nl>
parent b4c55f3a
.git/
changes/
# SPDX-License-Identifier: BSD-3-Clause
#
# Copyright (C) 2021 Olliver Schinagl <oliver@schinagl.nl>
# hadolint ignore=DL3007 latest is the latest stable for alpine
FROM index.docker.io/library/alpine:latest AS builder
LABEL maintainer="Olliver Schinagl <oliver@schinagl.nl>"
WORKDIR /src
COPY . /src/
# hadolint ignore=DL3008 We want the latest stable versions
RUN apk add --no-cache \
autoconf \
automake \
binutils \
ca-certificates \
gcc \
libc-dev \
libcap-dev \
libcap-static \
libevent-dev \
libevent-static \
libseccomp-dev \
libseccomp-static \
make \
openssl-dev \
openssl-libs-static \
pkgconf \
xz-dev \
zlib-dev \
zlib-static \
zstd-dev \
zstd-static \
&& \
./autogen.sh && \
./configure \
--disable-asciidoc \
--disable-html-manual \
--disable-manpage \
--disable-systemd \
--enable-lzma \
--enable-static-tor \
--enable-zstd \
--localstatedir='/var' \
--prefix='/usr' \
--sysconfdir='/etc' \
--with-libevent-dir='/usr/lib' \
--with-openssl-dir='/usr/lib' \
--with-tor-group='tor' \
--with-tor-user='tor' \
--with-zlib-dir='/lib' \
&& \
make -j$(($(nproc) - 1)) && \
make test && \
make DESTDIR='/tor' install && \
sed \
-e 's|^\#\(%include /etc/torrc.d/\*\.conf\).*|\1|' \
-e 's|^\#\(ControlPort\).*|\1 0.0.0.0:9051|' \
-e 's|^\#\(CookieAuthentication\).*|\1 1|' \
-e 's|^\#\(DataDirectory\).*|\1 /var/lib/tor|' \
-e 's|^\#\(SOCKSPort\) 9050.*|\1 0.0.0.0:9050|' \
'/tor/etc/tor/torrc.sample' > '/tor/etc/tor/torrc' && \
printf "\n# Enable HTTP tunnel proxy\nHTTPTunnelPort 0.0.0.0:9080\n" >> '/tor/etc/tor/torrc'
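Review bot: `make -j$(($(nproc) - 1))` evaluates to `-j0` on a single-CPU builder, which GNU make rejects as a job count, so the image does not build there; use `-j"$(nproc)"` or clamp the value to at least 1. Two smaller points in the same stage: `COPY . /src/` comes before `apk add`, so every source change invalidates the cached package layer (move the COPY below the `apk add` or split the RUN); and the `sed` rewrite only works if `torrc.sample` still carries the exact commented lines it matches (`#SOCKSPort 9050`, `#ControlPort`), so a silent no-match would ship a torrc that still listens on loopback only. Consider failing the build on that, e.g. `grep -q '^SOCKSPort 0.0.0.0:9050' '/tor/etc/tor/torrc'` at the end of the RUN.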
FROM index.docker.io/library/alpine:latest
EXPOSE 9050
EXPOSE 9051
EXPOSE 9080
COPY --from=builder '/tor' '/'
RUN apk add --no-cache \
tini \
&& \
addgroup -S 'tor' && \
adduser -D -G 'tor' -h '/var/lib/tor' -s '/sbin/nologin' -S 'tor' && \
chmod 0700 '/var/lib/tor' && \
install -d -g 'tor' -m 0770 -o 'tor' '/etc/torrc.d' && \
install -d -g 'tor' -m 0770 -o 'tor' '/var/lib/tor/cookies' && \
install -d -g 'tor' -m 0775 -o 'tor' '/var/log/tor' && \
chown 'tor:tor' -R '/etc/tor'
COPY "./dockerfiles/torcheck.sh" "/usr/local/bin/"
COPY "./dockerfiles/docker-entrypoint.sh" "/init"
USER tor
HEALTHCHECK CMD "torcheck.sh"
ENTRYPOINT [ "/init" ]
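Review bot: the configuration is writable by the account tor runs as: `chown 'tor:tor' -R '/etc/tor'` hands `/etc/tor/torrc` to the `tor` user, and `/etc/torrc.d` is created `tor:tor` with mode 0770 while `torrc` does `%include /etc/torrc.d/*.conf`, so a compromised tor process (the image runs `USER tor`) can rewrite its own configuration, for instance to drop `CookieAuthentication` on the control port, and have it take effect at the next restart. Own these paths `root:tor` with 0750 for the directories and 0640 for `torrc`; tor only needs to read them, and `/var/lib/tor` plus `/var/log/tor` are the only paths it needs to write. Also, `/var/lib/tor/cookies` is created but nothing references it: `torrc` sets no `CookieAuthFile`, so the cookie is written to the default `/var/lib/tor/control_auth_cookie`, which is the path `torcheck.sh` reads. Either drop the directory or add `CookieAuthFile /var/lib/tor/cookies/control_auth_cookie` and update the health check to match.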
# Tor in Docker
Tor can berun within a Docker container. This provides isolation from other
processes by running it in a containerized environment. If new or unfamiliar
with Docker, container or cgroups see [docker.com](https://www.docker.com).
## The official images on Docker Hub
Official docker images can be found
[on Docker Hub](https://hub.docker.com/r/torproject/tor).
## Building the Tor image
While it is recommended to pull the image from our
[Docker Hub registry](https://hub.docker.com/r/torproject/tor), some may want
to build the image locally instead. All that is needed is:
```console
docker build --tag 'tor:TICKET-123' .
```
in the current directory. This will build the Tor image and tag it with the
name 'tor:TICKET-123'. Any name can generally be used and it is this name
that needs to be referred to later when running the image.
## Running Tor
To run `tor` in a Docker container, first, an image either has to be build
or pulled frm a Docker registry.
### Running Tor using the official Tor images from Docker Hub
To pull the "latest" image from Docker Hub, run:
```console
docker pull tor/tor:latest
```
> _Tip_: Subsitute `latest` with a different version as needed.
To pull _and run_ the official Tor images from the Docker Hub registry,
try the following command:
```console
docker run \
--interactive \
--name 'tor_container-01' \
--rm \
--tty \
tor/tor:latest
```
The above creates an interactive container with the current TTY connected to
it. This is optional but useful when getting started as it allows one to
directly see the output and `ctrl-c` to close the container and thus `tor`.
The `--rm` parameter ensures that the contianer is cleaned up after it exists
and the `--name` parameter names the container, so that it can be referenced
through other (Docker) commands, as several containers of the same image can
be started without conflicts.
> _Note_: Pulling is not always required. `docker run` will pull the image
> if it cannot be found locally and `docker run --pull always` will always
> pull beforehand to ensure the most up-to-date container is being used.
> _Tip_: It is common to see `-it` instead of `--interactive --tty`.
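Review bot: the image name is inconsistent: the Docker Hub link above points at `torproject/tor`, but `docker pull tor/tor:latest` and every `docker run` example use `tor/tor:latest`, which a reader will copy and which does not match the linked repository; pick one name and use it throughout. Spelling in this region: "Tor can berun" should be "be run", "has to be build or pulled frm" should be "built ... from", "Subsitute" should be "Substitute", and "the contianer is cleaned up after it exists" should be "container ... exits".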
### Running tor using a locally built image
The locally built container can easily be run as before:
```console
docker run \
--interactive \
--name 'tor_container-01' \
--rm \
--tty \
tor:TICKET-123
```
## Exposing ports
By default docker will not make the ports accessible to the host.
In other words, tor's warning, about using fully accessible interfaces is
irrelevant when running tor in a container. To make ports available outside
of the container, docker needs to
[publish](https://docs.docker.com/engine/reference/commandline/run/#publish-or-expose-port--p---expose)
them.
The ports available by the default image configuration are:
- SOCKSPort: 9050
- ControlPort: 9051
- HTTPTunnelPort: 9080
Thus to run the container while exposing the `SOCKSPort` to the host and the
`ControlPort` to the localhost only:
```console
docker run \
--interactive \
--name 'tor_container-01' \
--publish 9050:9050 \
--publish 127.0.0.1:9051:9051 \
--rm \
--tty \
tor/tor:latest
```
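Review bot: `--publish 9050:9050` binds the SOCKS port on every host interface, so the statement above that tor's warning about fully accessible interfaces is "irrelevant" in a container only holds for ports that are never published; once published without an address, an unauthenticated SOCKS proxy is reachable from the host's network. The example already shows the safer form for the control port (`--publish 127.0.0.1:9051:9051`); use `--publish 127.0.0.1:9050:9050` for the SOCKS port as well unless remote access is intended, and say in the text that the host address in `--publish` is what limits exposure.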
## Advanced configuration
The container by default has only a very minimal configuration, allowing to
use tor as a proxy only. When wanting to do more advanced things, two options
can be used. Passing various commandline arguments:
```console
docker run \
--interactive \
--name 'tor_container-01' \
--rm \
--tty \
tor/tor:latest --list-torrc-options
```
Additionally configuration files can be added via
[docker volume mounts](https://docs.docker.com/engine/reference/commandline/run/#mount-volume--v---read-only)
and can be mounted on `/etc/torrc.d` which is sourced by the default
configuration file `/etc/tor/torrc`.
```console
docker run \
--interactive \
--name 'tor_container-01' \
--rm \
--tty \
--volume '<path-to-configs>:/etc/torrc.d/'
tor/tor:latest
```
Even the default configuration can be volume mounted by either mount `/etc/tor`
with a valid configuration file or mounting a configuration file anywhere
and then using the `-f <path-to-config>` flag in the `docker run` command.
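Review bot: the `--volume` line in the last example has no trailing `\`, so the shell runs `docker run ... --volume '<path-to-configs>:/etc/torrc.d/'` on its own and then tries to execute `tor/tor:latest` as a separate command; add the backslash. Two points worth stating here as well: the default `torrc` only includes `/etc/torrc.d/*.conf`, so mounted files need a `.conf` suffix to be read at all; and because the container runs as the `tor` user, a bind-mounted directory or file must be readable by that uid, since the `tor:tor` ownership set in the image does not apply to mounts.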
#!/sbin/tini /bin/sh
# SPDX-License-Identifier: GPL-2.0-or-later
#
# Copyright (C) 2021 Olliver Schinagl <oliver@schinagl.nl>
#
# A beginning user should be able to docker run image bash (or sh) without
# needing to learn about --entrypoint
# https://github.com/docker-library/official-images#consistency
set -eu
# run command if it is not starting with a "-" and is an executable in PATH
if [ "${#}" -gt 0 ] && \
[ "${1#-}" = "${1}" ] && \
command -v "${1}" > '/dev/null' 2>&1; then
exec "${@}"
else
exec '/usr/bin/tor' "${@}"
fi
exit 0
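Review bot: the trailing `exit 0` is unreachable, since both branches of the `if` end in `exec`; drop it. Also, `command -v "${1}"` succeeds for shell builtins and functions as well as for executables, so `docker run image cd` passes the test and then fails inside `exec` with a confusing error; if only real programs should be dispatched this way, require the result of `command -v` to be an absolute path before calling `exec "${@}"`.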
#!/bin/sh
set -eu
if [ "$(printf "AUTHENTICATE $(hexdump -e '32/1 "%02x"' '/var/lib/tor/control_auth_cookie')\n" | \
nc localhost 9051 | \
tr -d '\r')" != '250 OK' ]; then
echo "ERROR: Unable to contact server"
exit 1
fi
echo "Tor is up"
exit 0
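Review bot: a successful `AUTHENTICATE` only proves that the control port is listening and the cookie is readable; it says nothing about whether tor has bootstrapped, so `Tor is up` (and a healthy container) is reported while the SOCKS proxy may still be unable to build circuits. Follow the `AUTHENTICATE` with `GETINFO status/bootstrap-phase` and require `PROGRESS=100` in the reply before exiting 0. Two robustness points: `nc localhost 9051` may resolve `localhost` to `::1` depending on the resolver, while `ControlPort 0.0.0.0:9051` is IPv4-only, so connect to `127.0.0.1` explicitly; and the single message `Unable to contact server` is printed both when the connection fails and when tor answers with an authentication error, so echo the actual reply to make the health log useful.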