hbase/dev-support/create-release/mac-sshd-gpg-agent/Dockerfile

#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Image for use on Mac boxes to get a gpg agent socket available
# within transient release building ocntainers.
#
# build like:
#
# docker build --build-arg "UID=$UID" --build-arg "RM_USER=$USER" \
#     --tag org.apache.hbase/gpg-agent-proxy mac-sshd-gpg-agent
#
# run like:
#
# docker run --rm -p 62222:22 \
#     --mount "type=bind,src=${HOME}/.ssh/id_rsa.pub,dst=/home/${USER}/.ssh/authorized_keys,readonly" \
#     --mount "type=volume,src=gpgagent,dst=/home/${USER}/.gnupg/" \
#     org.apache.hbase/gpg-agent-proxy:latest
#
# test like:
#
# ssh -p 62222 -R "/home/${USER}/.gnupg/S.gpg-agent:$(gpgconf --list-dir agent-extra-socket)" \
#     -i "${HOME}/.ssh/id_rsa" -N -n localhost
#
# launch a docker container to do work that shares the mount for the gpg agent
# expressly does not need to be this same image, but needs to have defined the same user
#
# docker run --rm -it \
#     --mount "type=volume,src=gpgagent,dst=/home/${USER}/.gnupg/" \
#     --mount "type=bind,src=${HOME}/projects/hbase-releases/KEYS,dst=/home/${USER}/KEYS,readonly" \
#     --entrypoint /bin/bash --user "${USER}" --workdir "/home/${USER}/" \
#     org.apache.hbase/gpg-agent-proxy:latest
#
#
# Make sure to import the public keys
#
# gpg --no-autostart --import < ${HOME}/KEYS
# Optional?
# gpg --no-autostart --edit-key ${YOUR_KEY}
# trust
# 5
# y
# quit
#
# echo "foo" > foo
# gpg --no-autostart --armor --detach --sign foo
# gpg --no-autostart --verify foo.asc
#
# For more info see
# * gpg forwarding over ssh: https://wiki.gnupg.org/AgentForwarding
# * example docker for sshd: https://github.com/hotblac/nginx-ssh
# * why we have to bother with this: https://github.com/docker/for-mac/issues/483
#
# If the docker image changes then the host key used by sshd will change and you will get a
# nastygram when launching ssh about host identification changing. This is expected. you should
# remove the previous host key.
#
# Tested with
# * Docker Desktop 2.2.0.5
# * gpg 2.2.20
# * pinentry-mac 0.9.4
# * yubikey 5
#
FROM ubuntu:18.04

# This is all in a single "RUN" command so that if anything changes, "apt update" is run to fetch
# the most current package versions (instead of potentially using old versions cached by docker).
#
# We only need gnupg2 here if we want the ability to test out the gpg-agent forwarding by sshing
# into the container rather than launching a new docker container.
RUN DEBIAN_FRONTEND=noninteractive apt-get -qq -y update \
  && DEBIAN_FRONTEND=noninteractive apt-get -qq -y install --no-install-recommends \
    openssh-server=1:7.6p1-* \
    gnupg2=2.2.4-* \
  && mkdir /run/sshd \
  && echo "StreamLocalBindUnlink yes" >> /etc/ssh/sshd_config \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*
EXPOSE 22
# Set up our ssh user
ARG UID
ARG RM_USER
RUN groupadd sshgroup && \
    useradd --create-home --shell /bin/bash --groups sshgroup --uid $UID $RM_USER && \
    mkdir /home/$RM_USER/.ssh /home/$RM_USER/.gnupg && \
    chown -R $RM_USER:sshgroup /home/$RM_USER/ && \
    chmod -R 700 /home/$RM_USER/
# When we run we run sshd
ENTRYPOINT ["/usr/sbin/sshd", "-D"]