[Fuego] [PATCH 6/9] Cleanup proxy

Tim.Bird at sony.com Tim.Bird at sony.com
Tue Jan 30 21:48:50 UTC 2018


OK - I had to modify this because I skipped patch 5/9, but
I applied it.

I'm not running this from behind a proxy, so I'll have to find someone to test this.
 -- Tim


> -----Original Message-----
> From: fuego-bounces at lists.linuxfoundation.org [mailto:fuego-
> bounces at lists.linuxfoundation.org] On Behalf Of Guilherme Campos
> Camargo
> Sent: Friday, January 26, 2018 9:36 AM
> To: fuego at lists.linuxfoundation.org
> Subject: [Fuego] [PATCH 6/9] Cleanup proxy
> 
> Prior to this patch, http_proxy was being set and saved during build
> time according to the http_proxy values of the host.
> 
> This approach has at least two shortcomings, that are explained below:
> 
> 1. Any other user that wanted to use a prebuilt image in their host
> would be unable to do so, because the proxy configuration is matching
> the host of the builder and not the host of the user.
> 
> 2. A user of the image would be able to read the proxy configuration
> that had been set during build from `/etc/default/jenkins` or the
> apt-get config file. The proxy config may easily contain sensitive
> information such as the proxy user/password that were set on the host that
> built the image.
> 
> In order to avoid the problems pointed out above, we chose to:
> 
> 1. Remove the ARG/ENV instantiations of http_proxy from the Dockerfile
> and use only the builtin docker ARG http_proxy. This will prevent the
> proxy variable from being available in a running container and in the image
> history.
> 
> 2. Instead of using the apt-get global config file, we're just passing
> http_proxy as a local environment variable to the RUN instruction in
> which apt-get is being executed.
> 
> 3. Jenkins /etc/default/jenkins JAVA_ARGS (that contain the proxy
> information) is now being updated by a script that's sourced by
> /etc/default/jenkins itself. This means that, whenever `service jenkins`
> is called, that script will run and append the proxy configurations to
> the JAVA_ARGS at runtime, not replacing the JAVA_ARGS that are stored in
> the file.
> 
> 4. http_proxy variables are being passed as arguments to `docker create`
> as well. By doing that, we make sure that the entrypoint will be running
> with the http_proxy values of the user.
> 
> Signed-off-by: Guilherme Campos Camargo <guicc at profusion.mobi>
> ---
>  Dockerfile                                            | 19 ++-----------------
>  frontend-install/setup/jenkins/set-java-args-proxy.sh |  7 +++++++
>  frontend-install/setup/jenkins/setup.sh               | 15 ++++-----------
>  fuego-host-scripts/docker-build-image.sh              |  4 +++-
>  fuego-host-scripts/docker-create-container.sh         |  2 ++
>  .../docker-create-usb-privileged-container.sh         |  2 ++
>  6 files changed, 20 insertions(+), 29 deletions(-)
>  create mode 100755 frontend-install/setup/jenkins/set-java-args-proxy.sh
> 
> diff --git a/Dockerfile b/Dockerfile
> index 493414e..c39454d 100644
> --- a/Dockerfile
> +++ b/Dockerfile
> @@ -6,14 +6,6 @@
>  FROM debian:jessie
>  MAINTAINER tim.bird at sony.com
> 
> -#
> ==========================================================
> ====================
> -# Proxy variables
> -#
> ==========================================================
> ====================
> -
> -ARG HTTP_PROXY
> -ENV http_proxy ${HTTP_PROXY}
> -ENV https_proxy ${HTTP_PROXY}
> -
>  #
> ==========================================================
> ====================
>  # Prepare basic image
>  #
> ==========================================================
> ====================
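Review bot: With the `ARG HTTP_PROXY` / `ENV http_proxy` block removed, nothing in the Dockerfile says any more that the build honours a proxy. A short comment near `FROM` stating that the build relies on Docker's predefined `http_proxy`/`https_proxy` build args, and that they should not be redeclared with `ARG` or `ENV`, would keep someone from re-adding the lines that put the proxy value back into the image.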
> @@ -21,10 +13,7 @@ ENV https_proxy ${HTTP_PROXY}
>  WORKDIR /
>  COPY frontend-install/apt/sources/fuego-debian-jessie.list \
>          /etc/apt/sources.list.d/fuego-debian-jessie.list
> -RUN if [ -n "$HTTP_PROXY" ]; then \
> -        echo 'Acquire::http::proxy "'$HTTP_PROXY'";' >
> /etc/apt/apt.conf.d/80proxy; \
> -    fi && \
> -    DEBIAN_FRONTEND=noninteractive apt-get update && \
> +RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
>      apt-get -yV install \
>          apt-utils \
>          at \
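Review bot: The commit message says http_proxy is passed as a local environment variable to the RUN instruction that runs apt-get, but the added `RUN DEBIAN_FRONTEND=noninteractive apt-get update && \` line sets nothing proxy-related; apt-get sees the proxy only because Docker exports the predefined build arg into RUN. Either reword the message or add a comment here saying so. Also, as written, `DEBIAN_FRONTEND=noninteractive` applies only to `apt-get update`, not to the `apt-get -yV install` that follows.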
> @@ -84,11 +73,7 @@ RUN if [ -n "$HTTP_PROXY" ]; then \
>          xmlstarlet && \
>      rm -rf /var/lib/apt/lists/*
> 
> -RUN echo dash dash/sh boolean false | debconf-set-selections ;
> DEBIAN_FRONTEND=noninteractive dpkg-reconfigure dash && \
> -    if [ -n "$HTTP_PROXY" ]; then \
> -        echo "use_proxy = on" >> /etc/wgetrc; \
> -        echo -e "http_proxy=$HTTP_PROXY\nhttps_proxy=$HTTP_PROXY" >>
> /etc/environment; \
> -    fi
> +RUN echo dash dash/sh boolean false | debconf-set-selections ;
> DEBIAN_FRONTEND=noninteractive dpkg-reconfigure dash
> 
>  RUN pip install \
>          filelock \
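Review bot: Dropping the `/etc/environment` write from this RUN means the proxy is no longer visible to sessions that do not inherit the container's environment; PAM-based sessions such as `su -` or cron jobs read `/etc/environment`, not the variables given to `docker create`. If any tooling in the container runs that way and needs network access, it will silently stop using the proxy, so this is worth a check or a note in the documentation.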
> diff --git a/frontend-install/setup/jenkins/set-java-args-proxy.sh
> b/frontend-install/setup/jenkins/set-java-args-proxy.sh
> new file mode 100755
> index 0000000..9b04f40
> --- /dev/null
> +++ b/frontend-install/setup/jenkins/set-java-args-proxy.sh
> @@ -0,0 +1,7 @@
> +#!/bin/bash
> +
> +if [ -n "${http_proxy}" ]; then
> +	PROXYSERVER=$(echo $http_proxy | sed -E 's/^http://' | sed -E
> 's/\///g' | sed -E 's/(.*):(.*)/\1/');
> +	PROXYPORT=$(echo $http_proxy | sed -E 's/^http://' | sed -E
> 's/\///g' | sed -E 's/(.*):(.*)/\2/');
> +	JAVA_ARGS="$JAVA_ARGS -Dhttp.proxyHost=${PROXYSERVER} -
> Dhttp.proxyPort=${PROXYPORT} -Dhttps.proxyHost=${PROXYSERVER} -
> Dhttps.proxyPort=${PROXYPORT}";
> +fi
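Review bot: The PROXYSERVER/PROXYPORT sed pipeline deletes every slash and then splits on the last colon, so it only works for the plain `http://host:port` form. With the `user:password@host:port` form that the commit message mentions, PROXYSERVER becomes `user:password@host` and the credentials end up in JAVA_ARGS, that is, on the Jenkins command line; with no port, the last sed does not match and both variables receive the whole string; an `https://` URL is not stripped by `s/^http://`. Suggest stripping the scheme and any `userinfo@` part first, omitting the port properties when no port is given, and quoting `"$http_proxy"`. The `https.*` properties are also derived from http_proxy, even though https_proxy is passed to the container separately.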
> diff --git a/frontend-install/setup/jenkins/setup.sh b/frontend-
> install/setup/jenkins/setup.sh
> index 11ad371..b95fa91 100755
> --- a/frontend-install/setup/jenkins/setup.sh
> +++ b/frontend-install/setup/jenkins/setup.sh
> @@ -2,17 +2,10 @@
> 
>  set -e
> 
> -cp config.xml jenkins.model.JenkinsLocationConfiguration.xml
> ${JENKINS_HOME}
> +cp config.xml jenkins.model.JenkinsLocationConfiguration.xml
> "${JENKINS_HOME}"
> 
> -source /etc/default/jenkins
> -JENKINS_ARGS="$JENKINS_ARGS --prefix=/fuego"
> -sed -i -e "s#JENKINS_ARGS.*#JENKINS_ARGS\=\"${JENKINS_ARGS}\"#g"
> /etc/default/jenkins
> +echo 'JENKINS_ARGS="${JENKINS_ARGS} --prefix=/fuego"' >>
> /etc/default/jenkins
> +echo 'JAVA_ARGS="${JAVA_ARGS} -
> Djenkins.install.runSetupWizard=false"' >> /etc/default/jenkins
> 
> -JAVA_ARGS="$JAVA_ARGS -Djenkins.install.runSetupWizard=false"
> -if [ -n "$HTTP_PROXY" ]; then
> -	PROXYSERVER=$(echo $http_proxy | sed -E 's/^http://' | sed -E
> 's/\///g' | sed -E 's/(.*):(.*)/\1/');
> -	PROXYPORT=$(echo $http_proxy | sed -E 's/^http://' | sed -E
> 's/\///g' | sed -E 's/(.*):(.*)/\2/');
> -	JAVA_ARGS="$JAVA_ARGS -Dhttp.proxyHost=${PROXYSERVER} -
> Dhttp.proxyPort=${PROXYPORT} -Dhttps.proxyHost=${PROXYSERVER} -
> Dhttps.proxyPort=${PROXYPORT}";
> -fi
> -sed -i -e "s#^JAVA_ARGS.*#JAVA_ARGS\=\"${JAVA_ARGS}\"#g"
> /etc/default/jenkins
> +echo "source /setup/jenkins/set-java-args-proxy.sh" >>
> /etc/default/jenkins
> 
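Review bot: The appended `source /setup/jenkins/set-java-args-proxy.sh` line only helps if http_proxy is set in the environment in which /etc/default/jenkins is read. Debian's `service` wrapper starts init scripts with a cleaned environment (`env -i` plus LANG, PATH, TERM), so when Jenkins is started through `service jenkins` the variable given with `docker create -e` may not be there and the `-n "${http_proxy}"` test would be false. Please verify this behind a proxy before relying on it. The path is also hard-coded; a `[ -r ... ]` check before sourcing would keep the defaults file usable if /setup is not present in the image.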
> diff --git a/fuego-host-scripts/docker-build-image.sh b/fuego-host-
> scripts/docker-build-image.sh
> index 6550a98..d276ee0 100755
> --- a/fuego-host-scripts/docker-build-image.sh
> +++ b/fuego-host-scripts/docker-build-image.sh
> @@ -2,4 +2,6 @@
>  # $1 - name for the docker image (default: fuego)
>  DOCKERIMAGE=${1:-fuego}
> 
> -sudo docker build -t ${DOCKERIMAGE} --build-arg
> HTTP_PROXY=$http_proxy .
> +sudo docker build -t ${DOCKERIMAGE} \
> +    --build-arg http_proxy=${http_proxy} \
> +    --build-arg https_proxy=${https_proxy} .
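Review bot: `--build-arg https_proxy=${https_proxy}` has no fallback, while the two docker-create scripts in this patch use `${https_proxy:-$http_proxy}` and the old Dockerfile set https_proxy from HTTP_PROXY. A host that only exports http_proxy therefore loses the HTTPS proxy during the build. Use the same `:-$http_proxy` default here, and quote both expansions.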
> diff --git a/fuego-host-scripts/docker-create-container.sh b/fuego-host-
> scripts/docker-create-container.sh
> index 20f4b59..9e3d61a 100755
> --- a/fuego-host-scripts/docker-create-container.sh
> +++ b/fuego-host-scripts/docker-create-container.sh
> @@ -22,5 +22,7 @@ sudo docker create -it --name ${DOCKERCONTAINER} \
>      -v $DIR/../fuego-rw:/fuego-rw \
>      -v $DIR/../fuego-ro:/fuego-ro:ro \
>      -v $DIR/../../fuego-core:/fuego-core:ro \
> +    -e http_proxy=${http_proxy} \
> +    -e https_proxy=${https_proxy:-$http_proxy} \
>      --net="host" ${DOCKERIMAGE} || \
>      echo "Could not create fuego-container. See error messages."
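Review bot: The two added `-e` lines pass http_proxy and https_proxy but not no_proxy, and the container is created with `--net="host"`. Any client inside the container that honours http_proxy will then send requests for local addresses to the proxy as well. Consider also passing the host's no_proxy with a third `-e`, and quote the expansions.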
> diff --git a/fuego-host-scripts/docker-create-usb-privileged-container.sh
> b/fuego-host-scripts/docker-create-usb-privileged-container.sh
> index b3a55c4..2431214 100755
> --- a/fuego-host-scripts/docker-create-usb-privileged-container.sh
> +++ b/fuego-host-scripts/docker-create-usb-privileged-container.sh
> @@ -28,5 +28,7 @@ sudo docker create -it --name ${DOCKERCONTAINER} \
>      -v $DIR/../fuego-rw:/fuego-rw \
>      -v $DIR/../fuego-ro:/fuego-ro:ro \
>      -v $DIR/../../fuego-core:/fuego-core:ro \
> +    -e http_proxy=${http_proxy} \
> +    -e https_proxy=${https_proxy:-$http_proxy} \
>      --net="host" ${DOCKERIMAGE} || \
>      echo "Could not create fuego-container. See error messages."
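Review bot: When the host has no proxy set, `-e http_proxy=${http_proxy}` still defines an empty http_proxy inside the container; add the two `-e` flags only when the variables are non-empty. These lines are also a copy of the ones in docker-create-container.sh, and since the value is fixed at `docker create` time, a comment saying the container must be recreated when the host proxy changes would help.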
> --
> 2.15.1
> 