From 9efd37de442820ea7554bc00b55d35df2df890d4 Mon Sep 17 00:00:00 2001 From: Kushal Das Date: Wed, 30 Sep 2020 21:47:35 +0530 Subject: [PATCH] Adds dev-focal to run SecureDrop on Focal container `make dev-focal` will start a Focal container with SecureDrop running. Also updates the gpg2 --import command to import into the pubring.gpg keyring file explictly. Related Ansible change is tracked via https://github.com/freedomofpress/securedrop/issues/5499 --- Makefile | 13 ++++ securedrop/bin/dev-deps | 2 +- securedrop/bin/dev-shell | 2 +- .../dockerfiles/focal/python3/Dockerfile | 74 +++++++++++++++++++ 4 files changed, 89 insertions(+), 2 deletions(-) create mode 100644 securedrop/dockerfiles/focal/python3/Dockerfile diff --git a/Makefile b/Makefile index fc62269c916..a604b8453f5 100644 --- a/Makefile +++ b/Makefile @@ -176,6 +176,13 @@ dev: ## Run the development server in a Docker container. @OFFSET_PORTS='false' DOCKER_BUILD_VERBOSE='true' $(DEVSHELL) $(SDBIN)/run @echo +.PHONY: dev-focal +dev-focal: ## Run the development server in a Docker container. + @echo "███ Starting development server..." + @OFFSET_PORTS='false' DOCKER_BUILD_VERBOSE='true' BASE_OS='focal' $(DEVSHELL) $(SDBIN)/run + @echo + + .PHONY: staging staging: ## Create a local staging environment in virtual machines (Xenial) @echo "███ Creating staging environment on Ubuntu Xenial..." @@ -225,6 +232,12 @@ test: ## Run the test suite in a Docker container. @$(DEVSHELL) $(SDBIN)/run-test -v $${TESTFILES:-tests} @echo +.PHONY: test-focal +test-focal: ## Run the test suite in a Docker container. + @echo "███ Running SecureDrop application tests..." + @BASE_OS='focal' $(DEVSHELL) $(SDBIN)/run-test -v $${TESTFILES:-tests} + @echo + .PHONY: docker-vnc docker-vnc: ## Open a VNC connection to a running Docker instance. @echo "███ Opening VNC connection to dev container..." diff --git a/securedrop/bin/dev-deps b/securedrop/bin/dev-deps index 465433f8114..d67a0f6bbb9 100755 --- a/securedrop/bin/dev-deps +++ b/securedrop/bin/dev-deps @@ -88,7 +88,7 @@ function reset_demo() { ./manage.py reset - gpg2 --homedir /var/lib/securedrop/keys --import /var/lib/securedrop/keys/test_journalist_key.pub + gpg2 --homedir /var/lib/securedrop/keys --no-default-keyring --keyring /var/lib/securedrop/keys/pubring.gpg --import /var/lib/securedrop/keys/test_journalist_key.pub ./create-dev-data.py } diff --git a/securedrop/bin/dev-shell b/securedrop/bin/dev-shell index ef424bc0116..67f923e9971 100755 --- a/securedrop/bin/dev-shell +++ b/securedrop/bin/dev-shell @@ -9,7 +9,7 @@ set -eu export PATH="/opt/venvs/securedrop-app-code/bin:$PATH" TOPLEVEL=$(git rev-parse --show-toplevel) -BASE_OS=xenial +BASE_OS="${BASE_OS:-xenial}" ## Get an integer offset for exposed ports, to support multiple containers get_port_offset() { diff --git a/securedrop/dockerfiles/focal/python3/Dockerfile b/securedrop/dockerfiles/focal/python3/Dockerfile new file mode 100644 index 00000000000..3f12d271bd5 --- /dev/null +++ b/securedrop/dockerfiles/focal/python3/Dockerfile @@ -0,0 +1,74 @@ +# ubuntu 16.04 image from 2019-03-12 +FROM ubuntu@sha256:2e70e9c81838224b5311970dbf7ed16802fbfe19e7a70b3cbfa3d7522aa285b4 +ARG USER_NAME +ENV USER_NAME ${USER_NAME:-root} +ARG USER_ID +ENV USER_ID ${USER_ID:-0} + +# If running grsecurity kernel on the host, Memprotect must be disabled on mono-sgen in the container +RUN apt-get update && apt-get install -y paxctl && \ + { apt-get install -y libgtk2.0 || echo 'libgtk2.0 was not installed'; } && \ + paxctl -cm /usr/bin/mono-sgen && dpkg-reconfigure mono-runtime-sgen && \ + apt-get install -y apache2-dev coreutils devscripts vim \ + python3-pip python3-all python3-venv virtualenv libpython3.8-dev libssl-dev \ + gnupg2 ruby redis-server git xvfb haveged curl wget \ + gettext paxctl x11vnc enchant libffi-dev sqlite3 gettext sudo \ + libasound2 libdbus-glib-1-2 libgtk2.0-0 libfontconfig1 libxrender1 \ + libcairo-gobject2 libgtk-3-0 libstartup-notification0 tor + +RUN gem install sass -v 3.4.23 + +# Current versions of the test browser software. Tor Browser is based +# on a specific version of Firefox, noted in Help > About Tor Browser. +# Ideally we'll keep those in sync. +ENV FF_VERSION 68.12.0esr +ENV GECKODRIVER_VERSION v0.27.0 +ENV TBB_VERSION 9.5.4 + +# Import Tor release signing key +ENV TOR_RELEASE_KEY_FINGERPRINT "EF6E286DDA85EA2A4BA7DE684E2C6E8793298290" +RUN curl -s https://openpgpkey.torproject.org/.well-known/openpgpkey/torproject.org/hu/kounek7zrdx745qydx6p59t9mqjpuhdf | gpg2 --import - + +# Install Tor Browser +RUN wget https://www.torproject.org/dist/torbrowser/${TBB_VERSION}/tor-browser-linux64-${TBB_VERSION}_en-US.tar.xz && \ + wget https://www.torproject.org/dist/torbrowser/${TBB_VERSION}/tor-browser-linux64-${TBB_VERSION}_en-US.tar.xz.asc && \ + gpg2 --verify tor-browser-linux64-${TBB_VERSION}_en-US.tar.xz.asc 2>&1 | grep "Primary key fingerprint:" | sed -e 's/Primary key fingerprint: //' -e 's/ //g' | tail -1 | grep -qE "${TOR_RELEASE_KEY_FINGERPRINT}" && \ + tar -xvJf tor-browser-linux64-${TBB_VERSION}_en-US.tar.xz && \ + mkdir -p /root/.local/tbb && mv tor-browser_en-US /root/.local/tbb &&\ + paxctl -cm /root/.local/tbb/tor-browser_en-US/Browser/firefox.real && \ + paxctl -cm /root/.local/tbb/tor-browser_en-US/Browser/libnspr4.so && \ + paxctl -cm /root/.local/tbb/tor-browser_en-US/Browser/plugin-container + +# Import Mozilla release signing key +ENV MOZILLA_RELEASE_KEY_FINGERPRINT "14F26682D0916CDD81E37B6D61B7B526D98F0353" +RUN curl -s https://archive.mozilla.org/pub/firefox/releases/${FF_VERSION}/KEY | gpg2 --import - + +# Install the version of Firefox on which Tor Browser is based +RUN curl -LO https://archive.mozilla.org/pub/firefox/releases/${FF_VERSION}/linux-x86_64/en-US/firefox-${FF_VERSION}.tar.bz2 && \ + curl -LO https://archive.mozilla.org/pub/firefox/releases/${FF_VERSION}/linux-x86_64/en-US/firefox-${FF_VERSION}.tar.bz2.asc && \ + gpg2 --verify firefox-${FF_VERSION}.tar.bz2.asc 2>&1 | grep "Primary key fingerprint:" | sed -e 's/Primary key fingerprint: //' -e 's/ //g' | tail -1 | grep -qE "${MOZILLA_RELEASE_KEY_FINGERPRINT}" && \ + tar xjf firefox-*.tar.bz2 && \ + mv firefox /usr/bin && \ + paxctl -cm /usr/bin/firefox/firefox + +# Install geckodriver +RUN wget https://github.com/mozilla/geckodriver/releases/download/${GECKODRIVER_VERSION}/geckodriver-${GECKODRIVER_VERSION}-linux64.tar.gz && \ + wget https://github.com/mozilla/geckodriver/releases/download/${GECKODRIVER_VERSION}/geckodriver-${GECKODRIVER_VERSION}-linux64.tar.gz.asc && \ + gpg2 --verify geckodriver-${GECKODRIVER_VERSION}-linux64.tar.gz.asc && \ + tar -zxvf geckodriver*tar.gz && chmod +x geckodriver && mv geckodriver /bin && \ + paxctl -cm /bin/geckodriver + +COPY requirements requirements +RUN python3 -m venv /opt/venvs/securedrop-app-code && \ + /opt/venvs/securedrop-app-code/bin/pip3 install --no-deps --require-hashes -r requirements/python3/docker-requirements.txt && \ + /opt/venvs/securedrop-app-code/bin/pip3 install --no-deps --require-hashes -r requirements/python3/securedrop-app-code-requirements.txt && \ + /opt/venvs/securedrop-app-code/bin/pip3 install --no-deps --require-hashes -r requirements/python3/test-requirements.txt + +RUN if test $USER_NAME != root ; then useradd --no-create-home --home-dir /tmp --uid $USER_ID $USER_NAME && echo "$USER_NAME ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers ; fi && \ + cp -r /root/.local /tmp/ && chmod +x /tmp/.local/tbb/tor-browser_en-US/Browser/firefox && chmod -R 777 /tmp/.local && \ + chown -R $USER_NAME.$USER_NAME /tmp/.local/ && \ + chown -R $USER_NAME.$USER_NAME /opt/venvs/securedrop-app-code/ + +STOPSIGNAL SIGKILL + +EXPOSE 8080 8081 5909