#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Image for use on Mac boxes to get a gpg agent socket available
# within transient release building containers.
#
# build like:
#
# docker build --build-arg "UID=$UID" --build-arg "RM_USER=$USER" \
# --tag org.apache.hbase/gpg-agent-proxy mac-sshd-gpg-agent
#
# run like:
#
# docker run --rm -p 62222:22 \
# --mount "type=bind,src=${HOME}/.ssh/id_rsa.pub,dst=/home/${USER}/.ssh/authorized_keys,readonly" \
# --mount "type=volume,src=gpgagent,dst=/home/${USER}/.gnupg/" \
# org.apache.hbase/gpg-agent-proxy:latest
#
# test like:
#
# ssh -p 62222 -R "/home/${USER}/.gnupg/S.gpg-agent:$(gpgconf --list-dir agent-extra-socket)" \
# -i "${HOME}/.ssh/id_rsa" -N -n localhost
#
# launch a docker container to do work that shares the mount for the gpg agent
# expressly does not need to be this same image, but needs to have defined the same user
#
# docker run --rm -it \
# --mount "type=volume,src=gpgagent,dst=/home/${USER}/.gnupg/" \
# --mount "type=bind,src=${HOME}/projects/hbase-releases/KEYS,dst=/home/${USER}/KEYS,readonly" \
# --entrypoint /bin/bash --user "${USER}" --workdir "/home/${USER}/" \
# org.apache.hbase/gpg-agent-proxy:latest
#
#
# Make sure to import the public keys
#
# gpg --no-autostart --import < ${HOME}/KEYS
# Optional?
# gpg --no-autostart --edit-key ${YOUR_KEY}
# trust
# 5
# y
# quit
#
# echo "foo" > foo
# gpg --no-autostart --armor --detach --sign foo
# gpg --no-autostart --verify foo.asc
#
# For more info see
# * gpg forwarding over ssh: https://wiki.gnupg.org/AgentForwarding
# * example docker for sshd: https://github.com/hotblac/nginx-ssh
# * why we have to bother with this: https://github.com/docker/for-mac/issues/483
#
# If the docker image changes then the host key used by sshd will change and you will get a
# nastygram when launching ssh about host identification changing. This is expected; you should
# remove the previous host key from your known_hosts.
#
# Tested with
# * Docker Desktop 2.2.0.5
# * gpg 2.2.20
# * pinentry-mac 0.9.4
# * yubikey 5
#
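FROM ubuntu:18.04
# This is all in a single "RUN" command so that if anything changes, "apt update" is run to fetch
# the most current package versions (instead of potentially using old versions cached by docker).
#
# We only need gnupg2 here if we want the ability to test out the gpg-agent forwarding by sshing
# into the container rather than launching a new docker container.
#
# The package versions are pinned for reproducibility. Ubuntu drops superseded security updates
# from the archive, so a failure on this step usually means the pins need bumping, not that the
# network is broken.
#
# StreamLocalBindUnlink lets a reconnecting ssh client replace a stale forwarded agent socket
# (the S.gpg-agent path in the "test like" instructions above) instead of failing to bind.
# PasswordAuthentication is disabled explicitly: the only intended way in is the bind-mounted
# authorized_keys file, and the ssh user created below never gets a password anyway.
RUN DEBIAN_FRONTEND=noninteractive apt-get -qq -y update \
 && DEBIAN_FRONTEND=noninteractive apt-get -qq -y install --no-install-recommends \
    gnupg2=2.2.4-1ubuntu1.3 \
    openssh-server=1:7.6p1-4ubuntu0.3 \
 && mkdir /run/sshd \
 && echo "StreamLocalBindUnlink yes" >> /etc/ssh/sshd_config \
 && echo "PasswordAuthentication no" >> /etc/ssh/sshd_config \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*
# Documentation only; the host port mapping is chosen at "docker run" time (see "run like" above).
EXPOSE 22
# Set up our ssh user. Both build args are required (see "build like" above); the UID must match
# the host user so the bind-mounted authorized_keys and the shared gpgagent volume are readable.
# Fail the build with a clear message instead of letting useradd choke on an empty --uid or name.
ARG UID
ARG RM_USER
RUN : "${UID:?build with --build-arg UID=<numeric uid of the host user>}" \
 && : "${RM_USER:?build with --build-arg RM_USER=<host user name>}" \
 && groupadd sshgroup \
 && useradd --create-home --shell /bin/bash --groups sshgroup --uid "$UID" "$RM_USER" \
 && mkdir "/home/$RM_USER/.ssh" "/home/$RM_USER/.gnupg" \
 && chown -R "$RM_USER:sshgroup" "/home/$RM_USER/" \
 && chmod -R 700 "/home/$RM_USER/"
# When we run we run sshd in the foreground (-D). -e sends its log to stderr, since there is no
# syslog in this container, so auth failures and socket-forwarding errors show up in "docker logs".
# sshd has to stay root to accept logins as the ssh user, hence no USER directive here.
ENTRYPOINT ["/usr/sbin/sshd", "-D", "-e"]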