[Galene] Docker image

[Galene] Docker image

[Cell]

I couldn't find any info about a docker image for a docker image of galene. I saw something from Jeroen van Veen. Any news on that?

I have some knowledge I could offer. And if I run galene on my server it will be in a docker image anyway (behind a traefik).

[Galene] Re: Docker image

[Jeroen van Veen]

Hi,

I made a minimal docker image from the compiled version of Galene, but am not sure
of the quality yet. Docker images I made before were always using an interpreted
language(python/node) and a base image. This one is from scratch and is only
10mb, but more difficult to inspect. I'm using dive(https://github.com/wagoodman/dive)
to inspect the image.

I have some questions about its portability and security because it only contains the binary:

* Does the image run properly on other Linux OS? (it's supposed to be statically linked I think?)
* Would the image also run on a different OS (MacOS/Windows)?
* Is there a way to garantuee the safety of a binary, e.g. proof that its built from
a snapshot of the Galene source-tree.

The image itself is at https://hub.docker.com/r/garage44/galene
The Dockerfile is from https://github.com/garage44/galene/blob/master/Dockerfile

The config(data/groups dir) is kinda hard-coded for now. Any feedback is welcome.

Jeroen


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
Op zondag, december 27, 2020 6:03 PM, Cell <galene.org@kn1ght.org> schreef:

> I couldn't find any info about a docker image for a docker image of galene. I saw something from Jeroen van Veen. Any news on that?
>
> I have some knowledge I could offer. And if I run galene on my server it will be in a docker image anyway (behind a traefik).
>
> Galene mailing list -- galene@lists.galene.org
> To unsubscribe send an email to galene-leave@lists.galene.org

[Galene] Re: Docker image

[Antonin Décimo]

Hi!

If your image is using a pre-compiled version of Galène, you’ll lack
portability across distributions and architectures. You should build
Galène and run it inside the Dockerfile. You could even use a layered
Dockerfile so that Galène is build in one image, then copied in the
second image and run from there.

Starting from scratch is a bad idea.

I’d use instead the Golang Docker image. It is well documented:

    https://hub.docker.com/_/golang

A simple workflow would be to have the Dockerfile inside the Galène
repo and use the example Dockerfile:

    FROM golang:1.15

    WORKDIR /go/src/galene
    COPY . .
    
    RUN go get -d -v ./...
    RUN go install -v ./...
    
    CMD ["galene"]

Or you could build a "self-hosting" Dockerfile that download the
package and its dependencies itself (this one is untested, I don't
have the bandwidth right now):

    FROM golang:1.15
    
    WORKDIR /go/src/galene
    COPY data groups static ./
    
    RUN go get -d -v github.com/jech/galene
    RUN go install -v github.com/jech/galene
    
    CMD ["galene"]

The Golang project provides images for Linux, Windows, macOS, and
various architectures that you can use as base images.

Once an image is build, it is *not* portable to other systems or
architectures; but the build script (the Dockerfile) may be portable.
For Windows, nanoserver is the lightest image, windowsservercore is a
bit more featured.

-- Antonin

[Galene] Re: Docker image

[Cell]

[-- Attachment #1: Type: text/plain, Size: 1672 bytes --]

Yep. That's my plan. Work in progress :)

On 28 December 2020 10:21:16 CET, "Antonin Décimo" <antonin.decimo@gmail.com> wrote:
>Hi!
>
>If your image is using a pre-compiled version of Galène, you’ll lack
>portability across distributions and architectures. You should build
>Galène and run it inside the Dockerfile. You could even use a layered
>Dockerfile so that Galène is build in one image, then copied in the
>second image and run from there.
>
>Starting from scratch is a bad idea.
>
>I’d use instead the Golang Docker image. It is well documented:
>
>    https://hub.docker.com/_/golang
>
>A simple workflow would be to have the Dockerfile inside the Galène
>repo and use the example Dockerfile:
>
>    FROM golang:1.15
>
>    WORKDIR /go/src/galene
>    COPY . .
>    
>    RUN go get -d -v ./...
>    RUN go install -v ./...
>    
>    CMD ["galene"]
>
>Or you could build a "self-hosting" Dockerfile that download the
>package and its dependencies itself (this one is untested, I don't
>have the bandwidth right now):
>
>    FROM golang:1.15
>    
>    WORKDIR /go/src/galene
>    COPY data groups static ./
>    
>    RUN go get -d -v github.com/jech/galene
>    RUN go install -v github.com/jech/galene
>    
>    CMD ["galene"]
>
>The Golang project provides images for Linux, Windows, macOS, and
>various architectures that you can use as base images.
>
>Once an image is build, it is *not* portable to other systems or
>architectures; but the build script (the Dockerfile) may be portable.
>For Windows, nanoserver is the lightest image, windowsservercore is a
>bit more featured.
>
>-- Antonin

[-- Attachment #2: Type: text/html, Size: 2016 bytes --]

[Galene] Re: Docker image

[Juliusz Chroboczek]

>     RUN go get -d -v github.com/jech/galene

Please use a tag or a git hash.

[Galene] Re: Docker image

[Cell]

> Please use a tag or a git hash.

Do you know any best practices? What could be the LABEL name?

December 28, 2020 11:30 AM, "Juliusz Chroboczek" <jch@irif.fr> wrote:

>> RUN go get -d -v github.com/jech/galene
> 
> Please use a tag or a git hash.
> 
> _______________________________________________
> Galene mailing list -- galene@lists.galene.org
> To unsubscribe send an email to galene-leave@lists.galene.org

[Galene] Re: Docker image

[Jeroen van Veen]

Hi Antonin,

Thanks for the detailed description! I'll give it a try with
the golang base-image instead.

cheers,

Jeroen


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
Op maandag, december 28, 2020 10:21 AM, Antonin Décimo <antonin.decimo@gmail.com> schreef:

> Hi!
>
> If your image is using a pre-compiled version of Galène, you’ll lack
> portability across distributions and architectures. You should build
> Galène and run it inside the Dockerfile. You could even use a layered
> Dockerfile so that Galène is build in one image, then copied in the
> second image and run from there.
>
> Starting from scratch is a bad idea.
>
> I’d use instead the Golang Docker image. It is well documented:
>
> https://hub.docker.com/_/golang
>
> A simple workflow would be to have the Dockerfile inside the Galène
> repo and use the example Dockerfile:
>
> FROM golang:1.15
>
> WORKDIR /go/src/galene
> COPY . .
>
> RUN go get -d -v ./...
> RUN go install -v ./...
>
> CMD ["galene"]
>
> Or you could build a "self-hosting" Dockerfile that download the
> package and its dependencies itself (this one is untested, I don't
> have the bandwidth right now):
>
> FROM golang:1.15
>
> WORKDIR /go/src/galene
> COPY data groups static ./
>
> RUN go get -d -v github.com/jech/galene
> RUN go install -v github.com/jech/galene
>
> CMD ["galene"]
>
> The Golang project provides images for Linux, Windows, macOS, and
> various architectures that you can use as base images.
>
> Once an image is build, it is not portable to other systems or
> architectures; but the build script (the Dockerfile) may be portable.
> For Windows, nanoserver is the lightest image, windowsservercore is a
> bit more featured.
>
> -- Antonin
>
> Galene mailing list -- galene@lists.galene.org
> To unsubscribe send an email to galene-leave@lists.galene.org

[Galene] Re: Docker image

[Jeroen van Veen]

I've updated the image with the Dockerfile additions you suggested.
The groups and config are mounted using docker-compose. The image is at:

https://github.com/garage44/pyrite/blob/main/docker/galene/Dockerfile
https://hub.docker.com/r/garage44/galene

Locally it works fine, but Galene gives a warning (TURN: no public addresses),
which suggests I still lack some config.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
Op maandag, december 28, 2020 7:08 PM, Jeroen van Veen <jvanveen@protonmail.com> schreef:

> Hi Antonin,
>
> Thanks for the detailed description! I'll give it a try with
> the golang base-image instead.
>
> cheers,
>
> Jeroen
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> Op maandag, december 28, 2020 10:21 AM, Antonin Décimo antonin.decimo@gmail.com schreef:
>
> > Hi!
> > If your image is using a pre-compiled version of Galène, you’ll lack
> > portability across distributions and architectures. You should build
> > Galène and run it inside the Dockerfile. You could even use a layered
> > Dockerfile so that Galène is build in one image, then copied in the
> > second image and run from there.
> > Starting from scratch is a bad idea.
> > I’d use instead the Golang Docker image. It is well documented:
> > https://hub.docker.com/_/golang
> > A simple workflow would be to have the Dockerfile inside the Galène
> > repo and use the example Dockerfile:
> > FROM golang:1.15
> > WORKDIR /go/src/galene
> > COPY . .
> > RUN go get -d -v ./...
> > RUN go install -v ./...
> > CMD ["galene"]
> > Or you could build a "self-hosting" Dockerfile that download the
> > package and its dependencies itself (this one is untested, I don't
> > have the bandwidth right now):
> > FROM golang:1.15
> > WORKDIR /go/src/galene
> > COPY data groups static ./
> > RUN go get -d -v github.com/jech/galene
> > RUN go install -v github.com/jech/galene
> > CMD ["galene"]
> > The Golang project provides images for Linux, Windows, macOS, and
> > various architectures that you can use as base images.
> > Once an image is build, it is not portable to other systems or
> > architectures; but the build script (the Dockerfile) may be portable.
> > For Windows, nanoserver is the lightest image, windowsservercore is a
> > bit more featured.
> > -- Antonin
> > Galene mailing list -- galene@lists.galene.org
> > To unsubscribe send an email to galene-leave@lists.galene.org

[Galene] Re: Docker image

[Juliusz Chroboczek]

> Locally it works fine, but Galene gives a warning (TURN: no public addresses),
> which suggests I still lack some config.

This means that Galène is being run behind NAT, and has disabled the
built-in TURN server.  Galène will still work, but connectivity might be
erratic.

To fix the issue, you need to find the public address of the image and
pass it to Galène using the "-turn" command-line option.  I'm not sure if
docker provides a way to do this from the container, but you could
probably ask galene.org for your address:

  turnutils_stunclient -p 1194 galene.org

I'm half-tempted to have Galène do it automatically.  Toke, can you see
any reason why it's a bad idea?

-- Juliusz

[Galene] Fw: Re: Re: Docker image

[Jeroen van Veen]

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
Op woensdag, januari 27, 2021 9:36 AM, Jeroen van Veen <jvanveen@protonmail.com> schreef:

> Thank you for the help. Adding coturn to the image would be a possibility.
> Would it be a good alternative to have a commandline option in galene that
> does the same trick as turnutils_stunclient?
>
> -- Jeroen
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> Op dinsdag, januari 26, 2021 8:55 PM, Juliusz Chroboczek jch@irif.fr schreef:
>
> > > Locally it works fine, but Galene gives a warning (TURN: no public addresses),
> >
> > > which suggests I still lack some config.
> >
> > This means that Galène is being run behind NAT, and has disabled the
> > built-in TURN server. Galène will still work, but connectivity might be
> > erratic.
> > To fix the issue, you need to find the public address of the image and
> > pass it to Galène using the "-turn" command-line option. I'm not sure if
> > docker provides a way to do this from the container, but you could
> > probably ask galene.org for your address:
> > turnutils_stunclient -p 1194 galene.org
> > I'm half-tempted to have Galène do it automatically. Toke, can you see
> > any reason why it's a bad idea?
> > -- Juliusz
> > Galene mailing list -- galene@lists.galene.org
> > To unsubscribe send an email to galene-leave@lists.galene.org

[Galene] Re: Docker image

[Juliusz Chroboczek]

> Locally it works fine, but Galene gives a warning (TURN: no public addresses),
> which suggests I still lack some config.

Jeroen, what network mode are you using in your container?  You should
probably be using "host", not the default "bridge".

[Galene] Re: Docker image

[Jeroen van Veen]

Its using bridge. I would rather use host, but that wouldn't work on MacOS/Windows hosts.
I could make the network mode configurable, but I figured that it has to support bridge
mode anyway, or it would be limited to Linux hosts.


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
Op dinsdag, januari 26, 2021 10:01 PM, Juliusz Chroboczek <jch@irif.fr> schreef:

> > Locally it works fine, but Galene gives a warning (TURN: no public addresses),
>
> > which suggests I still lack some config.
>
> Jeroen, what network mode are you using in your container? You should
> probably be using "host", not the default "bridge".
>
> Galene mailing list -- galene@lists.galene.org
> To unsubscribe send an email to galene-leave@lists.galene.org

[Galene] Re: Docker image

[Cell]

[-- Attachment #1: Type: text/plain, Size: 1747 bytes --]

Ok thx  I forked your repo this morning and will try to open a PR this afternoon.

On 28 December 2020 09:36:28 CET, Jeroen van Veen <jvanveen@protonmail.com> wrote:
>Hi,
>
>I made a minimal docker image from the compiled version of Galene, but
>am not sure
>of the quality yet. Docker images I made before were always using an
>interpreted
>language(python/node) and a base image. This one is from scratch and is
>only
>10mb, but more difficult to inspect. I'm using
>dive(https://github.com/wagoodman/dive)
>to inspect the image.
>
>I have some questions about its portability and security because it
>only contains the binary:
>
>* Does the image run properly on other Linux OS? (it's supposed to be
>statically linked I think?)
>* Would the image also run on a different OS (MacOS/Windows)?
>* Is there a way to garantuee the safety of a binary, e.g. proof that
>its built from
>a snapshot of the Galene source-tree.
>
>The image itself is at https://hub.docker.com/r/garage44/galene
>The Dockerfile is from
>https://github.com/garage44/galene/blob/master/Dockerfile
>
>The config(data/groups dir) is kinda hard-coded for now. Any feedback
>is welcome.
>
>Jeroen
>
>
>‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>Op zondag, december 27, 2020 6:03 PM, Cell <galene.org@kn1ght.org>
>schreef:
>
>> I couldn't find any info about a docker image for a docker image of
>galene. I saw something from Jeroen van Veen. Any news on that?
>>
>> I have some knowledge I could offer. And if I run galene on my server
>it will be in a docker image anyway (behind a traefik).
>>
>> Galene mailing list -- galene@lists.galene.org
>> To unsubscribe send an email to galene-leave@lists.galene.org

[-- Attachment #2: Type: text/html, Size: 2318 bytes --]

[Galene] Re: Docker image

[Juliusz Chroboczek]

> * Does the image run properly on other Linux OS? (it's supposed to be
>   statically linked I think?)

Yes, if you compile with "CGO_ENABLED=0".

> * Would the image also run on a different OS (MacOS/Windows)?

No.  You'll need to cross-compile, e.g.

  GOARCH=amd64 GOOS=windows CGO_ENABLED=0 go build ...

> * Is there a way to garantuee the safety of a binary, e.g. proof that
>   its built from a snapshot of the Galene source-tree.

  https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf

-- Juliusz

[Galene] Re: Docker image

[Cell]

Ok thx I forked your repo this morning and will try to open a PR this afternoon.

(sorry for sending again my response but my phone sent it from a wrong email address)

December 28, 2020 9:36 AM, "Jeroen van Veen" <jvanveen@protonmail.com> wrote:

> Hi,
> 
> I made a minimal docker image from the compiled version of Galene, but am not sure
> of the quality yet. Docker images I made before were always using an interpreted
> language(python/node) and a base image. This one is from scratch and is only
> 10mb, but more difficult to inspect. I'm using dive(https://github.com/wagoodman/dive)
> to inspect the image.
> 
> I have some questions about its portability and security because it only contains the binary:
> 
> * Does the image run properly on other Linux OS? (it's supposed to be statically linked I think?)
> * Would the image also run on a different OS (MacOS/Windows)?
> * Is there a way to garantuee the safety of a binary, e.g. proof that its built from
> a snapshot of the Galene source-tree.
> 
> The image itself is at https://hub.docker.com/r/garage44/galene
> The Dockerfile is from https://github.com/garage44/galene/blob/master/Dockerfile
> 
> The config(data/groups dir) is kinda hard-coded for now. Any feedback is welcome.
> 
> Jeroen
> 
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> Op zondag, december 27, 2020 6:03 PM, Cell <galene.org@kn1ght.org> schreef:
> 
>> I couldn't find any info about a docker image for a docker image of galene. I saw something from
>> Jeroen van Veen. Any news on that?
>> 
>> I have some knowledge I could offer. And if I run galene on my server it will be in a docker image
>> anyway (behind a traefik).
>> 
>> Galene mailing list -- galene@lists.galene.org
>> To unsubscribe send an email to galene-leave@lists.galene.org
> 
> _______________________________________________
> Galene mailing list -- galene@lists.galene.org
> To unsubscribe send an email to galene-leave@lists.galene.org

[Galene] Re: Docker image

[Cell]

Here is a first draft: https://github.com/Cellophan/galene/blob/master/Dockerfile

>> * Is there a way to garantuee the safety of a binary, e.g. proof that its built from
>> a snapshot of the Galene source-tree.

The binary is compiled inside during the image creation process thus it should add some trust about the version of the binary.

If you need more, I would add the git hash of the commit used to build as a label to the image. This would need to be provided to docker, I've done it with a Makefile if needed (an other project I have).


>> * Does the image run properly on other Linux OS? (it's supposed to be statically linked I think?)

I can't test for now as I don't know how galene works. I'll work on that.

>> * Would the image also run on a different OS (MacOS/Windows)?

I work on linux so I can't test for real this image works on Mac nor Windows but linux containers should be able to run on the three systems perhaps with a less performance compared to system dedicated images but I think it's good for a first step. 

>> The config(data/groups dir) is kinda hard-coded for now. Any feedback is welcome.

Is galene taking default values by itself? If yes, then I would consider that no default file should be provided. If not, then I think the spirit of the binary should be respected and none should be provided. So I'm against :)

To help to bootstrap projects faster, I would try to convince the author to add an example of the defaults to its repo. Then we add a `docker-compose,yml` to show a way to start the image with the defaults.


What do you think?


December 28, 2020 11:11 AM, "Cell" <galene.org@kn1ght.org> wrote:

> Ok thx I forked your repo this morning and will try to open a PR this afternoon.
> 
> (sorry for sending again my response but my phone sent it from a wrong email address)
> 
> December 28, 2020 9:36 AM, "Jeroen van Veen" <jvanveen@protonmail.com> wrote:
> 
>> Hi,
>> 
>> I made a minimal docker image from the compiled version of Galene, but am not sure
>> of the quality yet. Docker images I made before were always using an interpreted
>> language(python/node) and a base image. This one is from scratch and is only
>> 10mb, but more difficult to inspect. I'm using dive(https://github.com/wagoodman/dive)
>> to inspect the image.
>> 
>> I have some questions about its portability and security because it only contains the binary:
>> 
>> * Does the image run properly on other Linux OS? (it's supposed to be statically linked I think?)
>> * Would the image also run on a different OS (MacOS/Windows)?
>> * Is there a way to garantuee the safety of a binary, e.g. proof that its built from
>> a snapshot of the Galene source-tree.
>> 
>> The image itself is at https://hub.docker.com/r/garage44/galene
>> The Dockerfile is from https://github.com/garage44/galene/blob/master/Dockerfile
>> 
>> The config(data/groups dir) is kinda hard-coded for now. Any feedback is welcome.
>> 
>> Jeroen
>> 
>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>> Op zondag, december 27, 2020 6:03 PM, Cell <galene.org@kn1ght.org> schreef:
>> 
>>> I couldn't find any info about a docker image for a docker image of galene. I saw something from
>>> Jeroen van Veen. Any news on that?
>>> 
>>> I have some knowledge I could offer. And if I run galene on my server it will be in a docker image
>>> anyway (behind a traefik).
>>> 
>>> Galene mailing list -- galene@lists.galene.org
>>> To unsubscribe send an email to galene-leave@lists.galene.org
>> 
>> _______________________________________________
>> Galene mailing list -- galene@lists.galene.org
>> To unsubscribe send an email to galene-leave@lists.galene.org
> 
> _______________________________________________
> Galene mailing list -- galene@lists.galene.org
> To unsubscribe send an email to galene-leave@lists.galene.org