third-party-mirrors/sslh
1
0
Fork 0
mirror of https://github.com/yrutschle/sslh.git synced 2025-04-12 23:27:15 +03:00
Code Issues Packages Projects Releases Wiki Activity

container: Cleanup some style issues

Browse Source 
Commit 5635dc5142aa ("Enable --transparent mode for docker") made a
little bit of a mess of the Dockerfile and container-entrypoint.sh.

A few issues are, but not limited to; trailing whitespaces, incorrect
indentation, removed final newline, component sortability just to name a
few.

This MR fixes that and cleans up those files again.

One thing not touched was the enable/disablement of `set +e` to exit the
script on error. It is nicer/cleaner to solve this in a different way,
but that adds to much complexity.

While here, make the container architecture and alpine version
configurable, allowing us to build multi-arch images from the CI in the
future.

Signed-off-by: Olliver Schinagl <oliver@schinagl.nl>
This commit is contained in:
Olliver Schinagl 2023-08-08 09:01:51 +02:00
parent 4cbff962db
commit 00beb9595d
No known key found for this signature in database
GPG Key ID: 96E1A3A6C9044763
2 changed files with 70 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
Dockerfile
View File

@ -1,23 +1,38 @@
FROM alpine:latest as build ARG ALPINE_VERSION="latest"
ARG TARGET_ARCH="library"
FROM docker.io/${TARGET_ARCH}/alpine:${ALPINE_VERSION} AS build
WORKDIR /sslh WORKDIR /sslh
RUN apk add gcc libconfig-dev make musl-dev pcre2-dev perl RUN apk add --no-cache \
'gcc' \
'libconfig-dev' \
'make' \
'musl-dev' \
'pcre2-dev' \
'perl' \
;
COPY . /sslh COPY . /sslh
RUN make sslh-select && strip sslh-select RUN make sslh-select && strip sslh-select
FROM alpine:latest FROM docker.io/${TARGET_ARCH}/alpine:${ALPINE_VERSION}
RUN apk --no-cache add libconfig pcre2 iptables ip6tables libcap
RUN adduser sslh --shell /bin/sh --disabled-password
COPY --from=build "/sslh/sslh-select" "/usr/local/bin/sslh" COPY --from=build "/sslh/sslh-select" "/usr/local/bin/sslh"
RUN setcap cap_net_bind_service,cap_net_raw+ep /usr/local/bin/sslh RUN apk add --no-cache \
'libconfig' \
'pcre2' \
'iptables' \
'ip6tables' \
'libcap' \
&& \
adduser -s '/bin/sh' -S -D sslh && \
setcap cap_net_bind_service,cap_net_raw+ep /usr/local/bin/sslh
COPY "./container-entrypoint.sh" "/init" COPY "./container-entrypoint.sh" "/init"
ENTRYPOINT [ "/init" ] ENTRYPOINT [ "/init" ]
# required for updating iptables # required for updating iptables
USER root:root USER root:root

95
container-entrypoint.sh
View File

@ -1,5 +1,4 @@
#!/bin/sh #!/bin/sh
# SPDX-License-Identifier: GPL2-or-later # SPDX-License-Identifier: GPL2-or-later
# #
# Copyright (C) 2023 Olliver Schinagl <oliver@schinagl.nl> # Copyright (C) 2023 Olliver Schinagl <oliver@schinagl.nl>
@ -20,73 +19,71 @@ if [ "${#}" -le 0 ] || \
entrypoint='true' entrypoint='true'
fi fi
############################################################################ unconfigure_iptables() {
set +e # Don't exit
unconfigure_iptables() { echo "Received SIG TERM/INT/KILL. Removing iptables / routing changes"
set +e # Don't exit
echo "Received SIG TERM/INT/KILL. Removing iptables / routing changes" iptables -t raw -D PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP
iptables -t mangle -D POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP
iptables -t raw -D PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP iptables -t nat -D OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
iptables -t mangle -D POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP iptables -t mangle -D OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
iptables -t nat -D OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f ip rule del fwmark 0x1 lookup 100
iptables -t mangle -D OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f ip route del local 0.0.0.0/0 dev lo table 100
ip rule del fwmark 0x1 lookup 100
ip route del local 0.0.0.0/0 dev lo table 100
ip6tables -t raw -D PREROUTING ! -i lo -d ::1/128 -j DROP & > /dev/null #silence ipv6 errors ip6tables -t raw -D PREROUTING ! -i lo -d ::1/128 -j DROP & > '/dev/null' # silence ipv6 errors
ip6tables -t mangle -D POSTROUTING ! -o lo -s ::1/128 -j DROP & > /dev/null ip6tables -t mangle -D POSTROUTING ! -o lo -s ::1/128 -j DROP & > '/dev/null'
ip6tables -t nat -D OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f & > /dev/null ip6tables -t nat -D OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f & > '/dev/null'
ip6tables -t mangle -D OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f & > /dev/null ip6tables -t mangle -D OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f & > /dev/null
ip -6 rule del fwmark 0x1 lookup 100 & > /dev/null ip -6 rule del fwmark 0x1 lookup 100 & > '/dev/null'
ip -6 route del local ::/0 dev lo table 100 & > /dev/null ip -6 route del local ::/0 dev lo table 100 & > '/dev/null'
set -e set -e
} }
configure_iptables() { configure_iptables() {
set +e # Don't exit if rule exist or ipv6 not enabled set +e # Don't exit if rule exist or ipv6 not enabled
echo "Configuring iptables and routing..." echo 'Configuring iptables and routing...'
iptables -t raw -A PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP iptables -t raw -A PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP
iptables -t mangle -A POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP iptables -t mangle -A POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP
iptables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f iptables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
iptables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f iptables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
ip rule add fwmark 0x1 lookup 100 ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100 ip route add local 0.0.0.0/0 dev lo table 100
ip6tables -t raw -A PREROUTING ! -i lo -d ::1/128 -j DROP & > /dev/null #silence ipv6 errors ip6tables -t raw -A PREROUTING ! -i lo -d ::1/128 -j DROP & > '/dev/null' # silence ipv6 errors
ip6tables -t mangle -A POSTROUTING ! -o lo -s ::1/128 -j DROP & > /dev/null ip6tables -t mangle -A POSTROUTING ! -o lo -s ::1/128 -j DROP & > '/dev/null'
ip6tables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f & > /dev/null ip6tables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f & > '/dev/null'
ip6tables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f & > /dev/null ip6tables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f & > '/dev/null'
ip -6 rule add fwmark 0x1 lookup 100 & > /dev/null ip -6 rule add fwmark 0x1 lookup 100 & > '/dev/null'
ip -6 route add local ::/0 dev lo table 100 & > /dev/null ip -6 route add local ::/0 dev lo table 100 & > '/dev/null'
set -e set -e
} }
for i in "$@" ; do for _args in "${@}" ; do
if [ "${i}" = "--transparent" ] ; then if [ "${_args:-}" = '--transparent' ] ; then
echo "--transparent is set" echo '--transparent flag is set'
configure_iptables configure_iptables
trap unconfigure_iptables TERM INT KILL trap unconfigure_iptables TERM INT KILL
break break
fi fi
done done
#run command as sslh user # Drop privileges and run as sslh user
command="${entrypoint:+${bin}} ${@}" sslh_cmd="${entrypoint:+${bin}} ${@}"
echo "executing with user 'sslh': $command" echo "Executing with user 'sslh': ${sslh_cmd}"
exec su - sslh -c "$command" & exec su - sslh -c "${sslh_cmd}" &
wait $! wait "${!}"
exit 0 exit 0