[Fuego] [PATCH 6/9] Cleanup proxy

Guilherme Campos Camargo guicc at profusion.mobi
Fri Jan 26 17:35:42 UTC 2018


Prior to this patch, http_proxy was being set and saved during build
time according to the http_proxy values of the host.

This approach has at least two shortcomings, which are explained below:

1. Any other user that wanted to use a prebuilt image on their host
would be unable to do so, because the proxy configuration matches
the host of the builder and not the host of the user.

2. A user of the image would be able to read the proxy configuration
that had been set during build from `/etc/default/jenkins` or the
apt-get config file. The proxy config may easily contain sensitive
information, such as the proxy user/password that were set on the host that
built the image.

In order to avoid the problems pointed out above, we chose to:

1. Remove the ARG/ENV instantiations of http_proxy from the Dockerfile
and use only the builtin docker ARG http_proxy. This will prevent the
proxy variable from being available in a running container and in the image
history.

2. Instead of using the apt-get global config file, we're just passing
http_proxy as a local environment variable to the RUN instruction in
which apt-get is being executed.

3. Jenkins' /etc/default/jenkins JAVA_ARGS (which contain the proxy
information) are now updated by a script that is sourced by
/etc/default/jenkins itself. This means that, whenever `service jenkins`
is called, that script will run and append the proxy configuration to
the JAVA_ARGS at runtime, without replacing the JAVA_ARGS that are stored in
the file.

4. http_proxy variables are also passed as arguments to `docker create`.
By doing that, we make sure that the entrypoint will be running
with the http_proxy values of the user.

Signed-off-by: Guilherme Campos Camargo <guicc at profusion.mobi>
---
 Dockerfile                                            | 19 ++-----------------
 frontend-install/setup/jenkins/set-java-args-proxy.sh |  7 +++++++
 frontend-install/setup/jenkins/setup.sh               | 15 ++++-----------
 fuego-host-scripts/docker-build-image.sh              |  4 +++-
 fuego-host-scripts/docker-create-container.sh         |  2 ++
 .../docker-create-usb-privileged-container.sh         |  2 ++
 6 files changed, 20 insertions(+), 29 deletions(-)
 create mode 100755 frontend-install/setup/jenkins/set-java-args-proxy.sh

diff --git a/Dockerfile b/Dockerfile
index 493414e..c39454d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,14 +6,6 @@
 FROM debian:jessie
 MAINTAINER tim.bird at sony.com
 
-# ==============================================================================
-# Proxy variables
-# ==============================================================================
-
-ARG HTTP_PROXY
-ENV http_proxy ${HTTP_PROXY}
-ENV https_proxy ${HTTP_PROXY}
-
 # ==============================================================================
 # Prepare basic image
 # ==============================================================================
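Review bot: Nothing in the Dockerfile now records that proxies are expected to arrive through Docker's predefined `http_proxy`/`https_proxy` build args, so deleting the ARG/ENV block leaves the later RUN steps (apt-get, pip) silently dependent on what `docker build --build-arg` supplies. Keep a one-line comment where the block was, stating that no `ARG`/`ENV http_proxy` must be re-added: an `ENV http_proxy` would put the host's proxy value, credentials included, back into the image layers and `docker history` that this patch is scrubbing. Also note that the removed block derived `https_proxy` from `HTTP_PROXY`; with predefined build args the two are independent, so a caller that passes only `http_proxy` now builds with no https proxy at all.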
@@ -21,10 +13,7 @@ ENV https_proxy ${HTTP_PROXY}
 WORKDIR /
 COPY frontend-install/apt/sources/fuego-debian-jessie.list \
         /etc/apt/sources.list.d/fuego-debian-jessie.list
-RUN if [ -n "$HTTP_PROXY" ]; then \
-        echo 'Acquire::http::proxy "'$HTTP_PROXY'";' > /etc/apt/apt.conf.d/80proxy; \
-    fi && \
-    DEBIAN_FRONTEND=noninteractive apt-get update && \
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
     apt-get -yV install \
         apt-utils \
         at \
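Review bot: Item 2 of the commit message says `http_proxy` is passed "as a local environment variable to the RUN instruction", but the new RUN line has no explicit `http_proxy=... apt-get update`; it relies on Docker placing the predefined build arg into the RUN environment, and apt-get reads the lowercase `http_proxy`/`https_proxy` names, so this only works when the build script passes `--build-arg http_proxy=` rather than the `HTTP_PROXY=` spelling the old script used and the deleted `80proxy` block consumed. Put a comment above the RUN saying where the proxy comes from, and mention that an `https://` entry in fuego-debian-jessie.list additionally needs `https_proxy` in the same environment.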
@@ -84,11 +73,7 @@ RUN if [ -n "$HTTP_PROXY" ]; then \
         xmlstarlet && \
     rm -rf /var/lib/apt/lists/*
 
-RUN echo dash dash/sh boolean false | debconf-set-selections ; DEBIAN_FRONTEND=noninteractive dpkg-reconfigure dash && \
-    if [ -n "$HTTP_PROXY" ]; then \
-        echo "use_proxy = on" >> /etc/wgetrc; \
-        echo -e "http_proxy=$HTTP_PROXY\nhttps_proxy=$HTTP_PROXY" >> /etc/environment; \
-    fi
+RUN echo dash dash/sh boolean false | debconf-set-selections ; DEBIAN_FRONTEND=noninteractive dpkg-reconfigure dash
 
 RUN pip install \
         filelock \
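Review bot: The deleted `/etc/environment` write is the one that actually exposed the builder's proxy credentials, since that file is world-readable and is sourced into every login session; the `/etc/wgetrc` line was harmless by comparison because wget honours `http_proxy` from the environment anyway. Worth stating in the commit message, and worth guarding against regression with a final build-time check such as `! grep -q proxy /etc/environment /etc/wgetrc /etc/apt/apt.conf.d/*` so that a future edit cannot reintroduce a stored proxy value into the image.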
diff --git a/frontend-install/setup/jenkins/set-java-args-proxy.sh b/frontend-install/setup/jenkins/set-java-args-proxy.sh
new file mode 100755
index 0000000..9b04f40
--- /dev/null
+++ b/frontend-install/setup/jenkins/set-java-args-proxy.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if [ -n "${http_proxy}" ]; then
+	PROXYSERVER=$(echo $http_proxy | sed -E 's/^http://' | sed -E 's/\///g' | sed -E 's/(.*):(.*)/\1/');
+	PROXYPORT=$(echo $http_proxy | sed -E 's/^http://' | sed -E 's/\///g' | sed -E 's/(.*):(.*)/\2/');
+	JAVA_ARGS="$JAVA_ARGS -Dhttp.proxyHost=${PROXYSERVER} -Dhttp.proxyPort=${PROXYPORT} -Dhttps.proxyHost=${PROXYSERVER} -Dhttps.proxyPort=${PROXYPORT}";
+fi
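Review bot: The two sed pipelines mishandle the common shapes of `http_proxy` and produce wrong Java properties without any error: with `http://user:pass@proxy:3128` the `(.*):(.*)` split puts `user:pass@proxy` into `-Dhttp.proxyHost`; with no port (`http://proxy`) nothing matches, so `PROXYSERVER` and `PROXYPORT` both become `proxy`; and an `https://` value is not stripped by `s/^http://` at all. Split with parameter expansion instead, e.g. `hp=${http_proxy#*://}; hp=${hp%%/*}; hp=${hp##*@}; PROXYSERVER=${hp%:*}; PROXYPORT=${hp##*:}`, warn when an `@` is present (Java's `proxyHost`/`proxyPort` properties carry no credentials, so they are dropped), and quote `"$http_proxy"` in the echo. The `https.*` properties are also derived from `http_proxy` even though the create scripts now pass `https_proxy` separately; derive them from `${https_proxy:-$http_proxy}`. On the positive side, the guard now tests `${http_proxy}`, the variable the pipelines actually read, where the block removed from setup.sh tested `$HTTP_PROXY`.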
diff --git a/frontend-install/setup/jenkins/setup.sh b/frontend-install/setup/jenkins/setup.sh
index 11ad371..b95fa91 100755
--- a/frontend-install/setup/jenkins/setup.sh
+++ b/frontend-install/setup/jenkins/setup.sh
@@ -2,17 +2,10 @@
 
 set -e
 
-cp config.xml jenkins.model.JenkinsLocationConfiguration.xml ${JENKINS_HOME}
+cp config.xml jenkins.model.JenkinsLocationConfiguration.xml "${JENKINS_HOME}"
 
-source /etc/default/jenkins
-JENKINS_ARGS="$JENKINS_ARGS --prefix=/fuego"
-sed -i -e "s#JENKINS_ARGS.*#JENKINS_ARGS\=\"${JENKINS_ARGS}\"#g" /etc/default/jenkins
+echo 'JENKINS_ARGS="${JENKINS_ARGS} --prefix=/fuego"' >> /etc/default/jenkins
+echo 'JAVA_ARGS="${JAVA_ARGS} -Djenkins.install.runSetupWizard=false"' >> /etc/default/jenkins
 
-JAVA_ARGS="$JAVA_ARGS -Djenkins.install.runSetupWizard=false"
-if [ -n "$HTTP_PROXY" ]; then
-	PROXYSERVER=$(echo $http_proxy | sed -E 's/^http://' | sed -E 's/\///g' | sed -E 's/(.*):(.*)/\1/');
-	PROXYPORT=$(echo $http_proxy | sed -E 's/^http://' | sed -E 's/\///g' | sed -E 's/(.*):(.*)/\2/');
-	JAVA_ARGS="$JAVA_ARGS -Dhttp.proxyHost=${PROXYSERVER} -Dhttp.proxyPort=${PROXYPORT} -Dhttps.proxyHost=${PROXYSERVER} -Dhttps.proxyPort=${PROXYPORT}";
-fi
-sed -i -e "s#^JAVA_ARGS.*#JAVA_ARGS\=\"${JAVA_ARGS}\"#g" /etc/default/jenkins
+echo "source /setup/jenkins/set-java-args-proxy.sh" >> /etc/default/jenkins
 
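Review bot: The three `echo ... >> /etc/default/jenkins` lines are not idempotent: the old `sed -i` rewrote the `JENKINS_ARGS`/`JAVA_ARGS` line in place, whereas every re-run of setup.sh now appends another `--prefix=/fuego`, another `-Djenkins.install.runSetupWizard=false` and another `source` line; guard each append with a `grep -q` on the line. On the `source` line itself: `source` is a bash keyword and only works in `/etc/default/jenkins` because the Dockerfile switches `/bin/sh` to bash with `dpkg-reconfigure dash`, so use `.` to keep the file valid under a POSIX sh; and `/setup/jenkins/set-java-args-proxy.sh` is an absolute in-image path while the patch adds the file under `frontend-install/setup/jenkins/`, with nothing in the hunks showing what copies it there, so the commit message should say how that path is populated. Finally, the commit message relies on the script running "whenever `service jenkins` is called", but on Debian `service` runs init scripts with a scrubbed environment (roughly `env -i LANG=... PATH=... TERM=...`), so the `http_proxy` exported by `docker create -e` is not visible there and the `-n` test in set-java-args-proxy.sh is false. Either invoke `/etc/init.d/jenkins` directly from the entrypoint, or have the entrypoint write the proxy values to a root-only file that the sourced script reads.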
diff --git a/fuego-host-scripts/docker-build-image.sh b/fuego-host-scripts/docker-build-image.sh
index 6550a98..d276ee0 100755
--- a/fuego-host-scripts/docker-build-image.sh
+++ b/fuego-host-scripts/docker-build-image.sh
@@ -2,4 +2,6 @@
 # $1 - name for the docker image (default: fuego)
 DOCKERIMAGE=${1:-fuego}
 
-sudo docker build -t ${DOCKERIMAGE} --build-arg HTTP_PROXY=$http_proxy .
+sudo docker build -t ${DOCKERIMAGE} \
+    --build-arg http_proxy=${http_proxy} \
+    --build-arg https_proxy=${https_proxy} .
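Review bot: Unlike the two `docker create` scripts, this passes `https_proxy` without the `${https_proxy:-$http_proxy}` fallback, so a host that exports only `http_proxy` (the pre-patch assumption, where the Dockerfile set both variables from `HTTP_PROXY`) builds an image whose RUN steps have no https proxy and any https apt source or pip index simply fails. Use the same fallback here and quote both expansions (`--build-arg http_proxy="${http_proxy}"`) so a value containing spaces or shell metacharacters cannot split the argument. Since the `HTTP_PROXY=$http_proxy` spelling is dropped, the script header comment should also say that only the lowercase host variables are read.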
diff --git a/fuego-host-scripts/docker-create-container.sh b/fuego-host-scripts/docker-create-container.sh
index 20f4b59..9e3d61a 100755
--- a/fuego-host-scripts/docker-create-container.sh
+++ b/fuego-host-scripts/docker-create-container.sh
@@ -22,5 +22,7 @@ sudo docker create -it --name ${DOCKERCONTAINER} \
     -v $DIR/../fuego-rw:/fuego-rw \
     -v $DIR/../fuego-ro:/fuego-ro:ro \
     -v $DIR/../../fuego-core:/fuego-core:ro \
+    -e http_proxy=${http_proxy} \
+    -e https_proxy=${https_proxy:-$http_proxy} \
     --net="host" ${DOCKERIMAGE} || \
     echo "Could not create fuego-container. See error messages."
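Review bot: `-e http_proxy=${http_proxy}` stores the host's proxy value, credentials included, in the container configuration, where it persists across restarts and is readable with `docker inspect` by anyone who can reach the Docker socket (these scripts already run as `sudo docker`). That is a narrower exposure than the image layers the commit message is removing it from, but it is still a stored copy of the proxy user/password and deserves a sentence in the commit message. Prefer `-e http_proxy` with no value, which makes the Docker CLI copy the variable from the caller's environment only when it is set, so an unset host variable does not become an empty `http_proxy=` inside the container; and quote the `${https_proxy:-$http_proxy}` expansion.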
diff --git a/fuego-host-scripts/docker-create-usb-privileged-container.sh b/fuego-host-scripts/docker-create-usb-privileged-container.sh
index b3a55c4..2431214 100755
--- a/fuego-host-scripts/docker-create-usb-privileged-container.sh
+++ b/fuego-host-scripts/docker-create-usb-privileged-container.sh
@@ -28,5 +28,7 @@ sudo docker create -it --name ${DOCKERCONTAINER} \
     -v $DIR/../fuego-rw:/fuego-rw \
     -v $DIR/../fuego-ro:/fuego-ro:ro \
     -v $DIR/../../fuego-core:/fuego-core:ro \
+    -e http_proxy=${http_proxy} \
+    -e https_proxy=${https_proxy:-$http_proxy} \
     --net="host" ${DOCKERIMAGE} || \
     echo "Could not create fuego-container. See error messages."
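Review bot: Identical to the block added to docker-create-container.sh, which already duplicates the volume and `--net="host"` options of this script; move the shared `docker create` arguments into a sourced helper so the proxy handling and its `${https_proxy:-$http_proxy}` fallback cannot drift between the plain and the USB-privileged variant. The same `docker inspect` exposure of proxy credentials applies to this container.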
-- 
2.15.1
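The host/port split that set-java-args-proxy.sh performs with sed, written as an added example in POSIX sh; this is not code from the Fuego patch or project. It handles the `http_proxy` shapes a host may export (with or without scheme, with `user:password@`, with or without a port, with a trailing slash), refuses to smuggle credentials into Java's `proxyHost` property, and derives the https properties from a separate `https_proxy` with the same fallback the create scripts use. Proxy names and ports are made up for illustration; bracketed IPv6 literals are out of scope.

```shell
#!/bin/sh
# Added example, not from the Fuego patch: parse http_proxy/https_proxy URLs
# into the pieces Jenkins' -Dhttp.proxyHost/-Dhttp.proxyPort properties need.
# Pure parameter expansion, so it runs under dash as well as bash.
# Proxy names and ports used here are made up for illustration.
# Limitation: bracketed IPv6 literals such as [::1]:3128 are not handled.

# _authority URL -> prints "host[:port]" with scheme, path and user:pass@ removed
_authority() {
    a=${1#*://}        # drop "http://" or "https://" if present
    a=${a%%/*}         # drop anything from the first "/" (path, trailing slash)
    a=${a##*@}         # drop "user:password@" if present
    printf '%s\n' "$a"
}

# proxy_host URL -> host name without the port
proxy_host() {
    a=$(_authority "$1")
    printf '%s\n' "${a%:*}"
}

# proxy_port URL -> explicit port, else 443 for https:// and 80 otherwise
proxy_port() {
    a=$(_authority "$1")
    case $a in
        *:*) printf '%s\n' "${a##*:}" ;;
        *)   case $1 in https://*) echo 443 ;; *) echo 80 ;; esac ;;
    esac
}

# proxy_has_credentials URL -> exit status 0 if the URL embeds user:password@
proxy_has_credentials() {
    a=${1#*://}
    a=${a%%/*}
    case $a in *@*) return 0 ;; *) return 1 ;; esac
}

# java_proxy_args HTTP_URL [HTTPS_URL] -> the -D flags to append to JAVA_ARGS.
# HTTPS_URL defaults to HTTP_URL, mirroring ${https_proxy:-$http_proxy}.
# Prints nothing when HTTP_URL is empty, so JAVA_ARGS is left untouched.
java_proxy_args() {
    [ -n "$1" ] || return 0
    https=${2:-$1}
    for u in "$1" "$https"; do
        if proxy_has_credentials "$u"; then
            # Java's proxyHost/proxyPort properties carry no credentials; warn
            # (naming only the host, never the secret) instead of putting
            # "user:pass@host" into proxyHost as a naive split would.
            echo "warning: credentials for proxy $(proxy_host "$u") are not passed to Java" >&2
        fi
    done
    printf '%s %s %s %s\n' \
        "-Dhttp.proxyHost=$(proxy_host "$1")"      "-Dhttp.proxyPort=$(proxy_port "$1")" \
        "-Dhttps.proxyHost=$(proxy_host "$https")" "-Dhttps.proxyPort=$(proxy_port "$https")"
}

# Demo: sh proxyargs.sh --demo   (reads http_proxy/https_proxy from the environment)
if [ "${1:-}" = "--demo" ]; then
    JAVA_ARGS="${JAVA_ARGS:-} $(java_proxy_args "${http_proxy:-}" "${https_proxy:-}")"
    echo "JAVA_ARGS=$JAVA_ARGS"
fi
```

Sourcing this from `/etc/default/jenkins` and appending `$(java_proxy_args "$http_proxy" "$https_proxy")` to `JAVA_ARGS` gives the same four properties the patch's script builds, but a missing port no longer yields `-Dhttp.proxyPort=proxy`, and a proxy password never reaches the Java command line or the log.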


