A container is best served with the least amount of privileges. This
also ensures we don't have to drop anything later.
This does require running the container with elevated capabilities.
Note, that if for whatever reason, 'root' access within the container is
needed, this can easily be accomplished by running the container with
`docker run --user root:root sslh` for example.
Signed-off-by: Olliver Schinagl <oliver@schinagl.nl>
As per docker guidelines [0] a container should always really have a
consistent entrypoint, without having to override it or do special
tricks.
The behavior should be _identical_ as before, but will no longer trigger
errors because sslh doesn't understand certain parameters (/bin/sh
for example being common). Further more, allows a proper entrypoint for
a CI to work easily with the container as well. Allowing for scenario's
such as `apk add git && sslh --foreground` in your sslh image for example.
E.g. `docker run sslh --help` works though with the default
`--foreground` a bit weirdly, as does `docker run sslh
/bin/sh` or `docker run sslh ls`.
[0]: https://github.com/docker-library/official-images#consistency
Signed-off-by: Olliver Schinagl <oliver@schinagl.nl>
It is weird that when invoking sslh, that it daemonizess in foreground by
default. This should always be a user choice, and if not, it should be a
program default.
Signed-off-by: Olliver Schinagl <oliver@schinagl.nl>
Container builds that are parallelized must be 'merged' again
afterwards. Because that makes the pipeline far more complex for a quick
compile job, we might as well just run in sequentially.
Signed-off-by: Olliver Schinagl <oliver@schinagl.nl>
Docker is most efficient if you can 'order' the layers from
least-changing to most changing to improve on cache hits.
While here, change ADD to COPY as add is really intended to download
external packages, as well as installing sslh into a proper location.
Signed-off-by: Olliver Schinagl <oliver@schinagl.nl>
The current sslh container works fine, but needs to be created manually
and locally by the user. Instead, let the pipeline do the dirty work and
push it to this repo's own registry.
Signed-off-by: Olliver Schinagl <oliver@schinagl.nl>
==1391== Conditional jump or move depends on uninitialised value(s)
==1391== at 0x10E92F: watchers_add_read (sslh-select.c:67)
==1391== by 0x10E92F: watchers_init (sslh-select.c:59)
==1391== by 0x10E92F: main_loop (sslh-select.c:134)
==1391== by 0x10DB6D: main (sslh-main.c:285)
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
