krd/angie-conv-image
1
0
Fork 0
Code Activity

initial commit

Browse Source
This commit is contained in:
Konstantin Demin
2025-06-05 11:01:19 +03:00
commit 48f13f97a3
297 changed files with 7136 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

365
Dockerfile.base Normal file
View File

@@ -0,0 +1,365 @@
# FROM docker.io/debian:bookworm-slim as base-upstream
ARG PYTHONTAG=3.12.11-slim-bookworm
FROM docker.io/python:${PYTHONTAG} AS base-upstream
FROM base-upstream AS base-intermediate
SHELL [ "/bin/sh", "-ec" ]
COPY /scripts/* /usr/local/sbin/
COPY /scripts-extra/* /usr/local/sbin/
## PATH: remove /sbin and /bin (/usr is merged for Debian 12 and newer)
ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
TMPDIR=/tmp \
LANG=C.UTF-8 \
LC_ALL=C.UTF-8 \
TERM=linux \
TZ=Etc/UTC \
MALLOC_ARENA_MAX=2 \
PYTHONUNBUFFERED=1 \
PYTHONDONTWRITEBYTECODE=1
COPY /apt/prefs.backports /etc/apt/preferences.d/backports
COPY /apt/sources.debian /etc/apt/sources.list.d/debian.sources
## prevent services from auto-starting, part 1
RUN s='/usr/sbin/policy-rc.d' ; b='/usr/bin/policy-rc.d' ; \
rm -f "$s" "$b" ; \
echo '#!/bin/sh' > "$b" ; \
echo 'exit 101' >> "$b" ; \
chmod 0755 "$b" ; \
ln -s "$b" "$s"
RUN divert_true() { divert-rm.sh "$1" ; ln -sv /bin/true "$1" ; } ; \
## prevent services from auto-starting, part 2
divert_true /sbin/start-stop-daemon ; \
## always report that we're in chroot
divert_true /usr/bin/ischroot ; \
## hide systemd helpers
divert_true /usr/bin/deb-systemd-helper ; \
divert_true /usr/bin/deb-systemd-invoke
RUN apt-env.sh apt-get update ; \
apt-remove.sh \
ca-certificates \
e2fsprogs \
; \
apt-env.sh apt-get upgrade -y ; \
apt-install.sh \
apt-utils \
brotli \
cron \
curl \
gettext-base \
jdupes \
jq \
libcap2-bin \
libjemalloc2 \
logrotate \
netbase \
netcat-openbsd \
openssl \
procps \
psmisc \
tzdata \
zstd \
; \
apt-clean.sh ; \
## remove broken symlinks
find /etc/ -xdev -follow -type l -ls -delete
## perl-base: hardlink->symlink
RUN set +e ; \
d=/usr/bin ; \
ls -li "$d/perl" ; \
find "$d/" -xdev -samefile "$d/perl" 2>/dev/null \
| grep -Fxv -e "$d/perl" \
| while read -r p ; do \
[ -n "$p" ] || continue ; \
[ -e "$p" ] || continue ; \
ls -li "$p" ; \
rm -fv "$p" ; \
ln -fsv perl "$p" ; \
ls -li "$p" ; \
echo ; \
done
## remove unwanted binaries
RUN set -f ; \
for i in \
addgroup \
addpart \
adduser \
apt-ftparchive \
agetty \
badblocks \
blkdiscard \
blkid \
blkzone \
blockdev \
bsd-write \
chage \
chcpu \
chfn \
chgpasswd \
chmem \
chpasswd \
chsh \
cpgr \
cppw \
crontab \
ctrlaltdel \
debugfs \
delgroup \
delpart \
deluser \
dmesg \
dumpe2fs \
e2freefrag \
e2fsck \
e2image \
e2label \
e2mmpstatus \
e2scrub \
'e2scrub*' \
e2undo \
e4crypt \
e4defrag \
expiry \
faillock \
fdformat \
fincore \
findfs \
fsck \
'fsck.*' \
fsfreeze \
fstrim \
getty \
gpasswd \
groupadd \
groupdel \
groupmems \
groupmod \
grpck \
grpconv \
grpunconv \
hwclock \
isosize \
last \
lastb \
ldattach \
losetup \
lsblk \
lsirq \
lslogins \
mcookie \
mesg \
mke2fs \
mkfs \
'mkfs.*' \
mkhomedir_helper \
mklost+found \
mkswap \
mount \
newgrp \
newusers \
pam-auth-update \
pam_getenv \
pam_namespace_helper \
pam_timestamp_check \
partx \
passwd \
pivot_root \
pwck \
pwconv \
pwhistory_helper \
pwunconv \
raw \
readprofile \
resize2fs \
resizepart \
rtcwake \
sg \
shadowconfig \
su \
sulogin \
swaplabel \
swapoff \
swapon \
switch_root \
tune2fs \
umount \
unix_chkpwd \
unix_update \
update-passwd \
useradd \
userdel \
usermod \
utmpdump \
vigr \
vipw \
wall \
wdctl \
wipefs \
write \
'write.*' \
zramctl \
; do \
## try dpkg-divert first
for d in /usr/sbin /usr/bin ; do \
find "$d/" ! -type d -wholename "$d/$i" ; \
done \
| while read -r p ; do \
[ -n "$p" ] || continue ; \
[ -e "$p" ] || continue ; \
dpkg-search.sh "$p" || continue ; \
done \
| sed -E '/^diversion by/d' \
| sort -uV \
| while read -r pkg path ; do \
[ -n "${pkg}" ] || continue ; \
[ -e "${path}" ] || continue ; \
divert-rm.sh "${path}" ; \
done ; \
## remove if still exists
for d in /usr/sbin /usr/bin ; do \
find "$d/" ! -type d -wholename "$d/$i" ; \
done \
| while read -r p ; do \
[ -n "$p" ] || continue ; \
[ -e "$p" ] || continue ; \
rm -fv "$p" ; \
done ; \
done ; \
## remove broken symlinks
find /bin/ /sbin/ -xdev -follow -type l -ls -delete
## remove excessive privileges from binaries: setuid/setgid
RUN find / -xdev -type f -perm /7000 \
| sort -V \
| while read -r p ; do \
[ -n "$p" ] || continue ; \
## clear setuid/setgid bit
m=$(env stat -c '0%a' "$p") ; \
m=$(printf '0%o\n' $((m & 00777)) ) ; \
## try to lookup in dpkg database
n=$(set +e ; dpkg-search.sh "$p" | sed -E '/^diversion by/d' | cut -d ' ' -f2-) ; \
if [ "$p" = "$n" ] ; then \
o=$(env stat -c '%U' "$n") ; \
g=$(env stat -c '%G' "$n") ; \
dpkg-statoverride --force --update --add "$o" "$g" "$m" "$n" ; \
else \
env printf 'unable to find in dpkg database: %q\n' "$n" ; \
chmod "$m" "$p" ; \
fi ; \
ls -l "$p" ; \
done
## remove excessive privileges from binaries: setcap
RUN find / -xdev -type f -executable -exec getcap {} + \
| sort -V \
| while read -r path caps ; do \
[ -n "${path}" ] || continue ; \
getcap -v "${path}" ; \
setcap -r "${path}" "${caps}" 2>/dev/null || : ; \
getcap -v "${path}" ; \
done
## "docker.io/python"-specific cleanup
RUN env -C /root rm -f .bash_history .python_history .wget-hsts
## ---
FROM base-intermediate AS certs
SHELL [ "/bin/sh", "-ec" ]
## "2025.04.26"
ENV CERTIFI_COMMIT=275c9eb55733a464589c15fb4566fddd4598e5b2
# ARG CERTIFI_BASE_URI='https://raw.githubusercontent.com/certifi/python-certifi'
ARG CERTIFI_BASE_URI='https://github.com/certifi/python-certifi/raw'
ARG CERTIFI_URI="${CERTIFI_BASE_URI}/${CERTIFI_COMMIT}/certifi/cacert.pem"
# hadolint ignore=DL3020
ADD "${CERTIFI_URI}" /tmp/certifi.crt
RUN apt-install.sh ca-certificates ; \
apt-clean.sh ; \
ca_file='/etc/ssl/certs/ca-certificates.crt' ; \
ls -l "${ca_file}" ; \
## process certifi
certifi-extras.sh /tmp/certifi.crt ; \
openssl-cert-auto-pem.sh "${ca_file}" "${ca_file}.new" "${ca_file}.fp" ; \
mv -f "${ca_file}.new" "${ca_file}" ; \
chmod 0444 "${ca_file}" "${ca_file}.fp" ; \
ls -l "${ca_file}" "${ca_file}.fp"
## ---
FROM base-intermediate AS apt-gpg
SHELL [ "/bin/sh", "-ec" ]
COPY --from=certs /etc/ssl/certs/ca-certificates.* /etc/ssl/certs/
ADD https://angie.software/keys/angie-signing.gpg /tmp/angie.gpg.bin
COPY /apt/sources.angie /etc/apt/angie.sources
RUN pkg='gnupg' ; \
apt-install.sh ${pkg} ; \
## process Angie GPG keyring / APT sources
gpg-export.sh /tmp/angie.gpg.bin /etc/apt/keyrings/angie.gpg.asc ; \
rm -f /tmp/angie.gpg.bin ; \
env -C /etc/apt mv angie.sources sources.list.d/ ; \
## verify sources!
apt-env.sh apt-get update ; \
apt-remove.sh ${pkg} ; \
apt-clean.sh
## ---
FROM base-intermediate AS base
SHELL [ "/bin/sh", "-ec" ]
COPY /Dockerfile.base /usr/local/share/
COPY --from=certs /etc/ssl/certs/ca-certificates.* /etc/ssl/certs/
COPY --from=apt-gpg /etc/apt/keyrings/ /etc/apt/keyrings/
RUN python-rm-cache.sh /usr/local
RUN pip-env.sh pip list --format freeze \
| grep -F '==' | mawk -F= '{print $1}' \
| xargs -r pip-env.sh pip install -U ; \
python-rm-cache.sh /usr/local
RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
rm -rfv \
/usr/local/bin/idle* \
/usr/local/bin/pydoc* \
"${libpython}/ensurepip/_bundled" \
"${libpython}/idlelib" \
"${libpython}/pydoc.py" \
"${libpython}/pydoc_data" \
"${libpython}/tkinter" \
"${libpython}/turtle.py" \
"${libpython}/turtledemo" \
; \
find "${PYTHON_SITE_PACKAGES}/" -iname '*.exe' -ls -delete
## adjust pip/certifi
RUN certifi_pem="${PYTHON_SITE_PACKAGES}/pip/_vendor/certifi/cacert.pem" ; \
[ -d "${certifi_pem%/*}" ] || exit 0 ; \
rm -f "${certifi_pem}" ; \
ln -sv /etc/ssl/certs/ca-certificates.crt "${certifi_pem}"
RUN apt-clean.sh
RUN find /usr/local/sbin/ ! -type d -ls -delete ; \
find /run/ -mindepth 1 -ls -delete || : ; \
install -d -m 01777 /run/lock ; \
jdupes -1LSpr /usr/
ENTRYPOINT [ ]
CMD [ "bash" ]