Docker distribution

Some inspiration can be gained from freedombox docker-script (archive).

Fixes:

  • Dependencies -> See #1879 (closed).
  • Configuration -> It would be best if freedombox would parse environment variables for the whole setup process (username, password, optional domain name, list of services, ?).
  • LDAP (slapd) configuration
    • dpkg-reconfigure for slapd requires more privileges (--privileged as workaround) (see slapd mailing list)
      -> Find out minimum set of capabilities/seccomp.
      Linked to the following error:

      debconf: DbDriver "_ENV_stack": unable to save changes to: slapd/domain
      Use of uninitialized value $item in hash element at
      /usr/share/perl5/Debconf/DbDriver/File.pm line 85, <__ANONIO__> chunk 1.

      -> as a workaround run debconf before installing the package.

  • Allow restarting services via /usr/sbin/policy-rc.d. Resolves the following error:

    invoke-rc.d: policy-rc.d denied execution of start.

  • Systemd requires STOPSIGNAL, CMD, tmpfs and cgroups mounts
  • Firewalld requires CAP_NET_ADMIN -> Alternative is to disable firewall completely. How?
  • Persistent configuration/data -> see #1885
    -> Which folders contain configuration/user data? What about storing all user data in /srv/freedombox and configuring services accordingly?
  • List of ports to set up port forwarding in the manual.
  • Setting domain fails (requirement for Let's Encrypt).

    Error setting domain name: ('domainname-change', '', 'sed: cannot rename /etc/sed1OWefi: Device or resource busy\n')

This is my Dockerfile:

FROM debian:buster

ENV container docker

# FIX dpkg-reconfigure for slapd not working without docker run --privileged
# https://lists.openldap.org/hyperkitty/list/openldap-technical@openldap.org/thread/CSSLP6CCZNRWXCEHMR4UX3D3J2D26Z2H/
RUN echo slapd slapd/domain string thisbox | debconf-set-selections && \
    apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
      ldap-utils slapd && \
    apt-get clean && rm -rf /var/lib/apt/lists/*

# FIX dependency problems for stable version in buster repository
# https://salsa.debian.org/freedombox-team/freedombox/-/merge_requests/1833
RUN echo 'deb http://deb.debian.org/debian buster-backports main' > /etc/apt/sources.list.d/backports.list
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -t buster-backports install -y --no-install-recommends \
      freedombox python3-systemd ssl-cert && \
    apt-get clean && rm -rf /var/lib/apt/lists/*

# Setting first setup secret
# TODO use environment variables to set up
RUN echo "Tdpfc5y1gXLgiPWI" > /var/lib/plinth/firstboot-wizard-secret
# FIX disable slapd dpkg-reconfigure on first setup
#  TODO provide proper patch file to replace "action_utils.dpkg_reconfigure('slapd', {'domain': 'thisbox'})" in "subcommand_first_setup()"
RUN sed -i '108s/.*/    pass/' /usr/share/plinth/actions/users

# FIX allow restarting services (docker image debian:buster forbids this by default)
# https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1491091.html
RUN bash -c "install -m755 <(printf '#!/bin/sh\nexit 0') /usr/sbin/policy-rc.d"

STOPSIGNAL SIGRTMIN+3

CMD [ "/sbin/init" ]

Run a container with:

docker run \
  --name freedombox \
  --rm -d \
  --tmpfs /run --tmpfs /run/lock --tmpfs /tmp -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
  --cap-add=NET_ADMIN \
  freedombox
Edited by Dark Dragon
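
The Dockerfile's TODO about taking the first-setup secret from an environment variable could be handled by an entrypoint script like the one below, which writes the secret at container start instead of storing it in an image layer. This is an added example, not part of the original issue or of FreedomBox; the variable name FREEDOMBOX_FIRSTBOOT_SECRET, the length and alphabet policy, and the plinth:plinth file owner are assumptions.

```shell
#!/bin/sh
# Added example: provision the first-boot secret when the container starts.
# FREEDOMBOX_FIRSTBOOT_SECRET is a hypothetical variable name chosen for this example.

SECRET_FILE=/var/lib/plinth/firstboot-wizard-secret  # path used in the Dockerfile above

# write_firstboot_secret [FILE] [OWNER]
#   variable set                -> validate it and (over)write FILE
#   variable unset, FILE exists -> keep FILE (for example from a persistent volume)
#   variable unset, no FILE     -> generate 16 random alphanumeric characters
write_firstboot_secret() {
    file=${1:-$SECRET_FILE}
    owner=${2:-}
    secret=${FREEDOMBOX_FIRSTBOOT_SECRET:-}
    if [ -z "$secret" ]; then
        [ -e "$file" ] && return 0
        secret=$(head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 16)
    fi
    # Policy of this example: at least 16 alphanumeric characters.
    case $secret in
        *[!A-Za-z0-9]*) echo "first-boot secret must be alphanumeric" >&2; return 1 ;;
    esac
    if [ "${#secret}" -lt 16 ]; then
        echo "first-boot secret must be at least 16 characters" >&2
        return 1
    fi
    # Create the temporary file with mode 0600, then rename it into place.
    ( umask 077 && printf '%s\n' "$secret" > "$file.tmp" ) || return 1
    [ -z "$owner" ] || chown "$owner" "$file.tmp" || return 1
    mv -f "$file.tmp" "$file"
}

# Entrypoint mode: with ENTRYPOINT set to this script and CMD [ "/sbin/init" ],
# the arguments are the init command line.
if [ "$#" -gt 0 ]; then
    # Assumption: the service reads the file as user plinth.
    write_firstboot_secret "$SECRET_FILE" plinth:plinth || exit 1
    unset FREEDOMBOX_FIRSTBOOT_SECRET   # keep it out of the environment init passes on
    exec "$@"
fi
```

Values passed with `docker run -e` stay visible in `docker inspect`; leaving the variable unset and reading the generated secret from the file avoids that. The image build must also leave no secret file behind, otherwise every container started without the variable shares it.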