less privileges and other fixes

2018-08-21 21:41:42 +03:00 · 2018-08-21 21:41:42 +03:00 · 4c109106cb
parent 4aeb700019
commit 4c109106cb
5 changed files with 22 additions and 10 deletions
--- a/15
+++ b/15
@ -1,23 +1,26 @@
 FROM ubuntu:bionic
-RUN apt-get update && apt-get install -y firefox
+RUN apt-get update && apt-get install -y firefox \
  curl sudo openvpn transmission \
  && rm -rf /var/lib/apt/lists/*
 RUN export uid=1000 gid=1000 && \
    mkdir -p /home/user && \
    echo "user:x:${uid}:${gid}:User,,,:/home/user:/bin/bash" >> /etc/passwd && \
    echo "user:x:${uid}:" >> /etc/group && \
    chown ${uid}:${gid} -R /home/user
-RUN apt-get install -y openvpn
+# Enable sudo (needed by openvpn, unfortunately)
 RUN apt-get install -y curl sudo
 RUN echo "user ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/user && \
  chmod 0440 /etc/sudoers.d/user
 USER user
-COPY files/user.js /home/user/
+RUN mkdir -p /tmp/user.js.d/
 COPY files/user.js.d/* /tmp/user.js.d/
 RUN cat /tmp/user.js.d/* > /home/user/user.js
 COPY files/start.sh /home/user/
 COPY files/start-openvpn-blocking.sh /home/user/
 ENV HOME /home/user
-CMD /bin/bash /home/user/start.sh
+ENTRYPOINT ["/bin/bash", "/home/user/start.sh"]
--- a/files/start-openvpn-blocking.sh
+++ b/files/start-openvpn-blocking.sh
@ -1,11 +1,11 @@
 #!/bin/bash
-set -eux -o pipefail
+set -e -o pipefail
 CONF="$1"
-sudo openvpn "$CONF" > "$HOME/openvpn.log" &
+sudo openvpn "$CONF" | tee "$HOME/openvpn.log" &
 while [ `tail "$HOME/openvpn.log" | grep "Initialization Sequence Completed" | wc -l` == "0" ];
 do
-  # echo "still not done"
+  echo "... still waiting for OpenVPN to start"
  sleep 2
 done
--- a/files/start.sh
+++ b/files/start.sh
@ -15,6 +15,9 @@ else
  echo "no OpenVPN config"
 fi
 # revoke sudo privileges after OpenVPN start
 sudo rm /etc/sudoers.d/user
 if [ ! -z ${ASSERT_COUNTRY+x} ]; then
  IP_COUNTRY=`curl ifconfig.co/country`
  echo " ---------------------------------------------------------------"
--- a/files/user.js.d/user.js
+++ b/files/user.js.d/user.js
@ -3,3 +3,9 @@
 // Firefox often crashes without this setting
 // https://askubuntu.com/questions/966332/firefox-56-0-64-bit-crashing-tabs-after-upgrade
 user_pref("browser.tabs.remote.autostart", false);
 // disable onboarding: you don't want to see the welcome message every time
 user_pref("browser.onboarding.enabled", false);
 // no tracking protection intro
 user_pref("privacy.trackingprotection.introCount", 100);
--- a/run.sh
+++ b/run.sh
@ -1,7 +1,7 @@
 #!/bin/bash
 set -eux
 docker run -ti --rm -e DISPLAY \
-  --privileged \
+  --cap-add=NET_ADMIN --device /dev/net/tun \
  -v /tmp/.X11-unix:/tmp/.X11-unix \
  -v `pwd`/openvpn:/etc/openvpn \
  -v `pwd`/dbip:/home/user/dbip \