From b650917f3278ff4486f7e9e7b3cd63d6bad4ffc9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Bjug=C3=A5rd?= <287697+abjugard@users.noreply.github.com> Date: Tue, 17 Jan 2023 12:28:11 +0100 Subject: [PATCH 1/4] Install libcap and run `setcap cap_net_bind_service=+ep` on caddy binary Mitigates #104 --- 2.6/alpine/Dockerfile | 6 +++++- Dockerfile.tmpl | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/2.6/alpine/Dockerfile b/2.6/alpine/Dockerfile index d79b7df..c291b8e 100644 --- a/2.6/alpine/Dockerfile +++ b/2.6/alpine/Dockerfile @@ -1,6 +1,9 @@ FROM alpine:3.16 -RUN apk add --no-cache ca-certificates mailcap +RUN apk add --no-cache \ + ca-certificates \ + libcap \ + mailcap RUN set -eux; \ mkdir -p \ @@ -30,6 +33,7 @@ RUN set -eux; \ echo "$checksum /tmp/caddy.tar.gz" | sha512sum -c; \ tar x -z -f /tmp/caddy.tar.gz -C /usr/bin caddy; \ rm -f /tmp/caddy.tar.gz; \ + setcap cap_net_bind_service=+ep /usr/bin/caddy; \ chmod +x /usr/bin/caddy; \ caddy version diff --git a/Dockerfile.tmpl b/Dockerfile.tmpl index 31fee04..777b39a 100644 --- a/Dockerfile.tmpl +++ b/Dockerfile.tmpl @@ -1,6 +1,9 @@ {{ .base | strings.TrimSpace }} -RUN apk add --no-cache ca-certificates mailcap +RUN apk add --no-cache \ + ca-certificates \ + libcap \ + mailcap RUN set -eux; \ mkdir -p \ @@ -30,6 +33,7 @@ RUN set -eux; \ echo "$checksum /tmp/caddy.tar.gz" | sha512sum -c; \ tar x -z -f /tmp/caddy.tar.gz -C /usr/bin caddy; \ rm -f /tmp/caddy.tar.gz; \ + setcap cap_net_bind_service=+ep /usr/bin/caddy; \ chmod +x /usr/bin/caddy; \ caddy version From 65f410241365ddbc023b54eedae15ec39c52e28b Mon Sep 17 00:00:00 2001 
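Review bot: `libcap` is added permanently to the runtime image in the first hunk, yet it is only needed for the single `setcap` call in the second hunk, so the `setcap`/`getcap` tooling ships in every Caddy container for no runtime benefit. Since removal in a later layer would not shrink the image, the cleaner form is to install and remove it inside the RUN that uses it: `apk add --no-cache --virtual .setcap-deps libcap; \` before the `setcap` line and `apk del .setcap-deps; \` after it. The matching hunk in Dockerfile.tmpl has the same shape and would take the same change.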
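Review bot: The new `setcap cap_net_bind_service=+ep /usr/bin/caddy` line changes nothing for the default invocation, because neither Dockerfile adds a `USER` and root in the container already holds this capability; it only matters when operators start the image with a non-root `--user`, and a comment should say so, e.g. `# allow binding :80/:443 when the container is run as a non-root user`. Two operational caveats are worth recording next to it: because the effective bit is set, a runtime that removes CAP_NET_BIND_SERVICE from the bounding set can make `execve` of the binary fail with EPERM rather than merely lose the capability, and the capability lives in the `security.capability` xattr, which a later `chown` on the file silently clears. `chmod +x` on the following line does not clear it, so the current order is safe. Dockerfile.tmpl carries the identical hunk.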
From: =?UTF-8?q?Adrian=20Bjug=C3=A5rd?= <287697+abjugard@users.noreply.github.com> Date: Tue, 17 Jan 2023 13:30:13 +0100 Subject: [PATCH 2/4] Install `libcap` in builder image to make it easier for users building their own images to do it securely Mitigates #104 --- 2.6/builder/Dockerfile | 5 +++-- Dockerfile.builder.tmpl | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/2.6/builder/Dockerfile b/2.6/builder/Dockerfile index 7c7c9ef..0bd0ac0 100644 --- a/2.6/builder/Dockerfile +++ b/2.6/builder/Dockerfile @@ -1,8 +1,9 @@ FROM golang:1.19-alpine RUN apk add --no-cache \ - git \ - ca-certificates + ca-certificates \ + git \ + libcap ENV XCADDY_VERSION v0.3.1 # Configures xcaddy to build with this version of Caddy diff --git a/Dockerfile.builder.tmpl b/Dockerfile.builder.tmpl index 9e94b1e..3a0c1e1 100644 --- a/Dockerfile.builder.tmpl +++ b/Dockerfile.builder.tmpl @@ -1,8 +1,9 @@ {{ .base | strings.TrimSpace }} RUN apk add --no-cache \ - git \ - ca-certificates + ca-certificates \ + git \ + libcap ENV XCADDY_VERSION v{{ .xcaddy_config.version }} # Configures xcaddy to build with this version of Caddy From 01473b704b08cc461246ba1344987ea9a50118b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Bjug=C3=A5rd?= <287697+abjugard@users.noreply.github.com> Date: Tue, 7 Feb 2023 09:03:13 +0100 Subject: [PATCH 3/4] Update xcaddy to version v0.3.2 to support setcap for production builds --- 2.6/builder/Dockerfile | 16 ++++++++-------- 2.6/windows-builder/1809/Dockerfile | 6 +++--- 2.6/windows-builder/ltsc2022/Dockerfile | 6 +++--- stackbrew-config.yaml | 16 ++++++++-------- 4 files changed, 22 insertions(+), 22 deletions(-) diff --git a/2.6/builder/Dockerfile b/2.6/builder/Dockerfile index 0bd0ac0..1f11750 100644 --- a/2.6/builder/Dockerfile +++ b/2.6/builder/Dockerfile 
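Review bot: The reason the builder image now needs `libcap` exists only in the commit message; the Dockerfile gives no hint why a build stage would want it, and the re-sorted package list makes the addition easy to drop in a future cleanup. A one-line comment above the `apk add` keeps the intent with the code, e.g. `# libcap provides setcap, so builds can grant cap_net_bind_service to the resulting caddy binary`. Dockerfile.builder.tmpl has the same hunk and should get the same comment.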
@@ -5,7 +5,7 @@ RUN apk add --no-cache \ git \ libcap -ENV XCADDY_VERSION v0.3.1 +ENV XCADDY_VERSION v0.3.2 # Configures xcaddy to build with this version of Caddy ENV CADDY_VERSION v2.6.2 # Configures xcaddy to not clean up post-build (unnecessary in a container) 
@@ -14,15 +14,15 @@ ENV XCADDY_SKIP_CLEANUP 1 RUN set -eux; \ apkArch="$(apk --print-arch)"; \ case "$apkArch" in \ - x86_64) binArch='amd64'; checksum='bffe075ac254111ead0238c330a33c7f39f9cc5f7d2b4b3fce48256d79c3f5fb94aec23d816c9ea0e21cd51bda058c05336cfa2849a0d25d821c9280962f9a53' ;; \ - armhf) binArch='armv6'; checksum='6e988c78881bf6463d92e2194a815a243b0b1bb185ff37f321bd74694d55c6ae6490403e99b165fa3548d37340230ef486cba7ff3801d53607d8df4c036baf4c' ;; \ - armv7) binArch='armv7'; checksum='ace94e101d1d1fa368b644043dce5e46a634dd85ecf2a8fcec367281420af48c7609cf451f2930d07fce6238e68dd9848e48aef203dd5c6b4f64c2a67e3010d3' ;; \ - aarch64) binArch='arm64'; checksum='97f3d83124846a22080dd1136d066141c0972a31abc4d54aefd9e7c7a4ad0b3deeede5df4e24b190291235c337c06c340bcdc29e302c253a667494c6825d2a0c' ;; \ - ppc64el|ppc64le) binArch='ppc64le'; checksum='ae8d994dbd1870efb54fcfa7d10b541a01afee482102a5fa0b5852848d88775a54056ecacd96192116cb205bead6a6e3165192a0d1b91f4fc5ef73c9368bc5d0' ;; \ - s390x) binArch='s390x'; checksum='a7ed957d3b9cda7345ae4444302d53c12cf648ec7c354de93c92fbd7a10d104d90cc2b3b41ff357969baaeadb6dab5c074f735bcc41520b7ba35dada87a4ac8f' ;; \ + x86_64) binArch='amd64'; checksum='2538d080f065cf1c5a41c9c14dd6acd55783e004c7ea3fdd6e1bc07c4d846a85b78d5de1111391fda71d48cad9d542a0741593e5b25ea9826faaee74577d8a98' ;; \ + armhf) binArch='armv6'; checksum='5bd99dfc28d867253275c2a6753425a1e8445385449cd5414c8bb14fdf7b513f468c69e0ae8ba431cf4b5e2b5f77666dda2a6811fbe8a1718cae377387319b36' ;; \ + armv7) binArch='armv7'; checksum='e8ea697bcbe029c81ce183b5ec44d095d8919f62a7170a0697dd7531d5a87c980b9aac1442638bf4dee1e60abe0ad698dfa56bed222fe9329ff274f5973f12fe' ;; \ + aarch64) binArch='arm64'; checksum='afbf26528c4238a7d6eaa375c1367d213f7d3359e97193b996a896b89fb852531d33581b8cef6432bd866d1488f5f98ed43a198732c45d5b9d008eb9316d36ab' ;; \ + ppc64el|ppc64le) binArch='ppc64le'; 
checksum='519e8d7575507e49ddd7d58d168c6223802b94a8954284956db4b72133bf3027de03f9bfc0dc578373ebcb49d668a140fcd54d90888c17cdbbef6ab182a8b511' ;; \ + s390x) binArch='s390x'; checksum='b95078a4231acd54bd56c70d110709c9e290089200855c9448259621c983fa5ecfa925a1e6ab59459750bc6abb936422433543b6079fa547dea4dc08d5daabf9' ;; \ *) echo >&2 "error: unsupported architecture ($apkArch)"; exit 1 ;;\ esac; \ - wget -O /tmp/xcaddy.tar.gz "https://github.com/caddyserver/xcaddy/releases/download/v0.3.1/xcaddy_0.3.1_linux_${binArch}.tar.gz"; \ + wget -O /tmp/xcaddy.tar.gz "https://github.com/caddyserver/xcaddy/releases/download/v0.3.2/xcaddy_0.3.2_linux_${binArch}.tar.gz"; \ echo "$checksum /tmp/xcaddy.tar.gz" | sha512sum -c; \ tar x -z -f /tmp/xcaddy.tar.gz -C /usr/bin xcaddy; \ rm -f /tmp/xcaddy.tar.gz; \ diff --git a/2.6/windows-builder/1809/Dockerfile b/2.6/windows-builder/1809/Dockerfile index 3623407..1aeec2d 100644 --- a/2.6/windows-builder/1809/Dockerfile +++ b/2.6/windows-builder/1809/Dockerfile @@ -2,7 +2,7 @@ FROM golang:1.19-windowsservercore-1809 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] -ENV XCADDY_VERSION v0.3.1 +ENV XCADDY_VERSION v0.3.2 # Configures xcaddy to build with this version of Caddy ENV CADDY_VERSION v2.6.2 # Configures xcaddy to not clean up post-build (unnecessary in a container) 
@@ -11,9 +11,9 @@ ENV XCADDY_SKIP_CLEANUP 1 # Apparently Windows Server 2016 disables TLS 1.2 by default - this enables it so we can talk to GitHub RUN [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; \ Invoke-WebRequest \ - -Uri "https://github.com/caddyserver/xcaddy/releases/download/v0.3.1/xcaddy_0.3.1_windows_amd64.zip" \ + -Uri "https://github.com/caddyserver/xcaddy/releases/download/v0.3.2/xcaddy_0.3.2_windows_amd64.zip" \ -OutFile "/xcaddy.zip"; \ - if (!(Get-FileHash -Path /xcaddy.zip -Algorithm SHA512).Hash.ToLower().Equals('f20e6ae1f20b65098ed7d1638a7ba96bd8da8dc8e7b6f771d32f33216abfd20606b821c6780d49ed866629764613deaff9adf3c7a26c35ec9413979b5e1087a6')) { exit 1; }; \ + if (!(Get-FileHash -Path /xcaddy.zip -Algorithm SHA512).Hash.ToLower().Equals('8de1cb65e555e8d7f1124d384904cd53a37d1914106af6ec1cef92f1975bd66b5a1f0e066c2c6b68c85d67de54d52f170f539dff117ce97f4166d8e984a728ba')) { exit 1; }; \ Expand-Archive -Path "/xcaddy.zip" -DestinationPath "/" -Force; \ Remove-Item "/xcaddy.zip" -Force diff --git a/2.6/windows-builder/ltsc2022/Dockerfile b/2.6/windows-builder/ltsc2022/Dockerfile index 703b8be..a086ec5 100644 --- a/2.6/windows-builder/ltsc2022/Dockerfile +++ b/2.6/windows-builder/ltsc2022/Dockerfile @@ -2,7 +2,7 @@ FROM golang:1.19-windowsservercore-ltsc2022 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] -ENV XCADDY_VERSION v0.3.1 +ENV XCADDY_VERSION v0.3.2 # Configures xcaddy to build with this version of Caddy ENV CADDY_VERSION v2.6.2 # Configures xcaddy to not clean up post-build (unnecessary in a container) 
@@ -11,9 +11,9 @@ ENV XCADDY_SKIP_CLEANUP 1 # Apparently Windows Server 2016 disables TLS 1.2 by default - this enables it so we can talk to GitHub RUN [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; \ Invoke-WebRequest \ - -Uri "https://github.com/caddyserver/xcaddy/releases/download/v0.3.1/xcaddy_0.3.1_windows_amd64.zip" \ + -Uri "https://github.com/caddyserver/xcaddy/releases/download/v0.3.2/xcaddy_0.3.2_windows_amd64.zip" \ -OutFile "/xcaddy.zip"; \ - if (!(Get-FileHash -Path /xcaddy.zip -Algorithm SHA512).Hash.ToLower().Equals('f20e6ae1f20b65098ed7d1638a7ba96bd8da8dc8e7b6f771d32f33216abfd20606b821c6780d49ed866629764613deaff9adf3c7a26c35ec9413979b5e1087a6')) { exit 1; }; \ + if (!(Get-FileHash -Path /xcaddy.zip -Algorithm SHA512).Hash.ToLower().Equals('8de1cb65e555e8d7f1124d384904cd53a37d1914106af6ec1cef92f1975bd66b5a1f0e066c2c6b68c85d67de54d52f170f539dff117ce97f4166d8e984a728ba')) { exit 1; }; \ Expand-Archive -Path "/xcaddy.zip" -DestinationPath "/" -Force; \ Remove-Item "/xcaddy.zip" -Force diff --git a/stackbrew-config.yaml b/stackbrew-config.yaml index ea8cdb3..9c1ac5c 100644 --- a/stackbrew-config.yaml +++ b/stackbrew-config.yaml 
@@ -12,15 +12,15 @@ versions: s390x: 2c8f9b6b28194dcc14db98c0657f6a47f35dbfa6c0a45fc485b488ada7c5b77abb4f880d3763dac1699d1007ba8e0f622a075fc7f394a0f3898fb90883c00407 windows_amd64: 1454eb2de857fa091a00e62199bb5ea7840210a90a9b04f626f0cf3688cdf69ea736b497e3b8ac0f1b40bb9aba416bfa9e4eb9c33be166665ee0ce02a26cfd98 xcaddy_config: - version: '0.3.1' + version: '0.3.2' checksums: - amd64: bffe075ac254111ead0238c330a33c7f39f9cc5f7d2b4b3fce48256d79c3f5fb94aec23d816c9ea0e21cd51bda058c05336cfa2849a0d25d821c9280962f9a53 - arm32v6: 6e988c78881bf6463d92e2194a815a243b0b1bb185ff37f321bd74694d55c6ae6490403e99b165fa3548d37340230ef486cba7ff3801d53607d8df4c036baf4c - arm32v7: ace94e101d1d1fa368b644043dce5e46a634dd85ecf2a8fcec367281420af48c7609cf451f2930d07fce6238e68dd9848e48aef203dd5c6b4f64c2a67e3010d3 - arm64v8: 97f3d83124846a22080dd1136d066141c0972a31abc4d54aefd9e7c7a4ad0b3deeede5df4e24b190291235c337c06c340bcdc29e302c253a667494c6825d2a0c - ppc64le: ae8d994dbd1870efb54fcfa7d10b541a01afee482102a5fa0b5852848d88775a54056ecacd96192116cb205bead6a6e3165192a0d1b91f4fc5ef73c9368bc5d0 - s390x: a7ed957d3b9cda7345ae4444302d53c12cf648ec7c354de93c92fbd7a10d104d90cc2b3b41ff357969baaeadb6dab5c074f735bcc41520b7ba35dada87a4ac8f - windows_amd64: f20e6ae1f20b65098ed7d1638a7ba96bd8da8dc8e7b6f771d32f33216abfd20606b821c6780d49ed866629764613deaff9adf3c7a26c35ec9413979b5e1087a6 + amd64: 2538d080f065cf1c5a41c9c14dd6acd55783e004c7ea3fdd6e1bc07c4d846a85b78d5de1111391fda71d48cad9d542a0741593e5b25ea9826faaee74577d8a98 + arm32v6: 5bd99dfc28d867253275c2a6753425a1e8445385449cd5414c8bb14fdf7b513f468c69e0ae8ba431cf4b5e2b5f77666dda2a6811fbe8a1718cae377387319b36 + arm32v7: e8ea697bcbe029c81ce183b5ec44d095d8919f62a7170a0697dd7531d5a87c980b9aac1442638bf4dee1e60abe0ad698dfa56bed222fe9329ff274f5973f12fe + arm64v8: afbf26528c4238a7d6eaa375c1367d213f7d3359e97193b996a896b89fb852531d33581b8cef6432bd866d1488f5f98ed43a198732c45d5b9d008eb9316d36ab + ppc64le: 
519e8d7575507e49ddd7d58d168c6223802b94a8954284956db4b72133bf3027de03f9bfc0dc578373ebcb49d668a140fcd54d90888c17cdbbef6ab182a8b511 + s390x: b95078a4231acd54bd56c70d110709c9e290089200855c9448259621c983fa5ecfa925a1e6ab59459750bc6abb936422433543b6079fa547dea4dc08d5daabf9 + windows_amd64: 8de1cb65e555e8d7f1124d384904cd53a37d1914106af6ec1cef92f1975bd66b5a1f0e066c2c6b68c85d67de54d52f170f539dff117ce97f4166d8e984a728ba # configuration for the stackbrew.tmpl template variants: - dir: alpine From a5a1dac8292a81994e7f44683eaeffd8658b505c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Bjug=C3=A5rd?= <287697+abjugard@users.noreply.github.com> Date: Tue, 7 Feb 2023 09:04:11 +0100 Subject: [PATCH 4/4] Use XCADDY_SETCAP environment variable to set cap_net_bind_service on output caddy binary when building --- 2.6/builder/Dockerfile | 2 ++ Dockerfile.builder.tmpl | 2 ++ 2 files changed, 4 insertions(+) diff --git a/2.6/builder/Dockerfile b/2.6/builder/Dockerfile index 1f11750..46c3024 100644 --- a/2.6/builder/Dockerfile +++ b/2.6/builder/Dockerfile @@ -10,6 +10,8 @@ ENV XCADDY_VERSION v0.3.2 ENV CADDY_VERSION v2.6.2 # Configures xcaddy to not clean up post-build (unnecessary in a container) ENV XCADDY_SKIP_CLEANUP 1 +# Sets capabilities for output caddy binary to be able to bind to privileged ports +ENV XCADDY_SETCAP 1 RUN set -eux; \ apkArch="$(apk --print-arch)"; \ diff --git a/Dockerfile.builder.tmpl b/Dockerfile.builder.tmpl index 3a0c1e1..c403252 100644 --- a/Dockerfile.builder.tmpl +++ b/Dockerfile.builder.tmpl @@ -10,6 +10,8 @@ ENV XCADDY_VERSION v{{ .xcaddy_config.version }} ENV CADDY_VERSION v{{ .config.caddy_version }} # Configures xcaddy to not clean up post-build (unnecessary in a container) ENV XCADDY_SKIP_CLEANUP 1 +# Sets capabilities for output caddy binary to be able to bind to privileged ports +ENV XCADDY_SETCAP 1 RUN set -eux; \ apkArch="$(apk --print-arch)"; \
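Review bot: The comment above `ENV XCADDY_SETCAP 1` should state when the capability actually has an effect and what it depends on — it only changes behaviour for images that run the built binary as a non-root user, and it relies on `setcap` from the `libcap` package being present in this stage, e.g. `# Grants cap_net_bind_service to the output caddy binary so it can bind ports <1024 when run as non-root (requires setcap from libcap)`. If the xcaddy release pinned here applies the capability by shelling out through `sudo setcap` — worth confirming against that release — the alpine builder installs no `sudo`, so a test build in this image should verify the step succeeds when running as root. Dockerfile.builder.tmpl carries the same hunk.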