Improved Dockerfile and run script (#1579)

The Dockerfile has also been rebuilt to use an unprivileged user instead
of root.

The run script adds more options and changes how the
configuration is overwritten, which may help in situations where the
configuration is not owned by the unprivileged user.
1602-webhook
quelsan 2019-10-07 05:18:06 +02:00 committed by Jordan Wright
parent c3e90183c8
commit 3227437f52
2 changed files with 47 additions and 26 deletions


@ -1,30 +1,43 @@
# setup build image # Minify client side assets (JavaScript)
FROM golang:1.11 AS build FROM node:latest AS build-js
# build Gophish binary RUN npm install gulp gulp-cli -g
WORKDIR /build/gophish
WORKDIR /build
COPY . . COPY . .
RUN go get -d -v ./... RUN npm install --only=dev
RUN go build RUN gulp
# setup run image # Build Golang binary
FROM golang:1.11 AS build-golang
WORKDIR /go/src/github.com/gophish/gophish
COPY . .
RUN go get -v && go build -v
# Runtime container
FROM debian:stable-slim FROM debian:stable-slim
RUN useradd -m -d /opt/gophish -s /bin/bash app
RUN apt-get update && \ RUN apt-get update && \
apt-get install --no-install-recommends -y \ apt-get install --no-install-recommends -y jq && \
jq && \ apt-get clean && \
apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
# copy Gophish assets from the build image WORKDIR /opt/gophish
WORKDIR /gophish COPY --from=build-golang /go/src/github.com/gophish/gophish/ ./
COPY --from=build /build/gophish/ /gophish/ COPY --from=build-js /build/static/js/dist/ ./static/js/dist/
RUN chmod +x gophish COPY --from=build-js /build/static/css/dist/ ./static/css/dist/
COPY --from=build-golang /go/src/github.com/gophish/gophish/config.json ./
RUN chown app. config.json
# expose the admin port to the host USER app
RUN sed -i 's/127.0.0.1/0.0.0.0/g' config.json RUN sed -i 's/127.0.0.1/0.0.0.0/g' config.json
RUN touch config.json.tmp
# expose default ports EXPOSE 3333 8080 8443
EXPOSE 80 443 3333
CMD ["./docker/run.sh"] CMD ["./docker/run.sh"]
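Review bot: The new `build-js` stage uses `FROM node:latest` and runs `npm install gulp gulp-cli -g` without versions, so the minified assets copied into the runtime image depend on whatever the registry and npm serve on the day of the build. Pin the base to a specific tag, ideally with a digest, e.g. `FROM node:<pinned-version> AS build-js`, and pin the gulp packages the same way; if the repository carries a lockfile, `npm ci` is preferable to `npm install --only=dev`. Separately, `COPY --from=build-golang /go/src/github.com/gophish/gophish/ ./` carries the whole build context into the runtime stage. Unless a `.dockerignore` (not visible on this page) trims it, anything in the checkout, such as a local database or key material, would end up in the image.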


@ -5,25 +5,25 @@ if [ -n "${ADMIN_LISTEN_URL+set}" ] ; then
jq -r \ jq -r \
--arg ADMIN_LISTEN_URL "${ADMIN_LISTEN_URL}" \ --arg ADMIN_LISTEN_URL "${ADMIN_LISTEN_URL}" \
'.admin_server.listen_url = $ADMIN_LISTEN_URL' config.json > config.json.tmp && \ '.admin_server.listen_url = $ADMIN_LISTEN_URL' config.json > config.json.tmp && \
mv config.json.tmp config.json cat config.json.tmp > config.json
fi fi
if [ -n "${ADMIN_USE_TLS+set}" ] ; then if [ -n "${ADMIN_USE_TLS+set}" ] ; then
jq -r \ jq -r \
--argjson ADMIN_USE_TLS "${ADMIN_USE_TLS}" \ --argjson ADMIN_USE_TLS "${ADMIN_USE_TLS}" \
'.admin_server.use_tls = $ADMIN_USE_TLS' config.json > config.json.tmp && \ '.admin_server.use_tls = $ADMIN_USE_TLS' config.json > config.json.tmp && \
mv config.json.tmp config.json cat config.json.tmp > config.json
fi fi
if [ -n "${ADMIN_CERT_PATH+set}" ] ; then if [ -n "${ADMIN_CERT_PATH+set}" ] ; then
jq -r \ jq -r \
--arg ADMIN_CERT_PATH "${ADMIN_CERT_PATH}" \ --arg ADMIN_CERT_PATH "${ADMIN_CERT_PATH}" \
'.admin_server.cert_path = $ADMIN_CERT_PATH' config.json > config.json.tmp && \ '.admin_server.cert_path = $ADMIN_CERT_PATH' config.json > config.json.tmp && \
mv config.json.tmp config.json cat config.json.tmp > config.json
fi fi
if [ -n "${ADMIN_KEY_PATH+set}" ] ; then if [ -n "${ADMIN_KEY_PATH+set}" ] ; then
jq -r \ jq -r \
--arg ADMIN_KEY_PATH "${ADMIN_KEY_PATH}" \ --arg ADMIN_KEY_PATH "${ADMIN_KEY_PATH}" \
'.admin_server.key_path = $ADMIN_KEY_PATH' config.json > config.json.tmp && \ '.admin_server.key_path = $ADMIN_KEY_PATH' config.json > config.json.tmp && \
mv config.json.tmp config.json cat config.json.tmp > config.json
fi fi
# set config for phish_server # set config for phish_server
@ -31,25 +31,25 @@ if [ -n "${PHISH_LISTEN_URL+set}" ] ; then
jq -r \ jq -r \
--arg PHISH_LISTEN_URL "${PHISH_LISTEN_URL}" \ --arg PHISH_LISTEN_URL "${PHISH_LISTEN_URL}" \
'.phish_server.listen_url = $PHISH_LISTEN_URL' config.json > config.json.tmp && \ '.phish_server.listen_url = $PHISH_LISTEN_URL' config.json > config.json.tmp && \
mv config.json.tmp config.json cat config.json.tmp > config.json
fi fi
if [ -n "${PHISH_USE_TLS+set}" ] ; then if [ -n "${PHISH_USE_TLS+set}" ] ; then
jq -r \ jq -r \
--argjson PHISH_USE_TLS "${PHISH_USE_TLS}" \ --argjson PHISH_USE_TLS "${PHISH_USE_TLS}" \
'.phish_server.use_tls = $PHISH_USE_TLS' config.json > config.json.tmp && \ '.phish_server.use_tls = $PHISH_USE_TLS' config.json > config.json.tmp && \
mv config.json.tmp config.json cat config.json.tmp > config.json
fi fi
if [ -n "${PHISH_CERT_PATH+set}" ] ; then if [ -n "${PHISH_CERT_PATH+set}" ] ; then
jq -r \ jq -r \
--arg PHISH_CERT_PATH "${PHISH_CERT_PATH}" \ --arg PHISH_CERT_PATH "${PHISH_CERT_PATH}" \
'.phish_server.cert_path = $PHISH_CERT_PATH' config.json > config.json.tmp && \ '.phish_server.cert_path = $PHISH_CERT_PATH' config.json > config.json.tmp && \
mv config.json.tmp config.json cat config.json.tmp > config.json
fi fi
if [ -n "${PHISH_KEY_PATH+set}" ] ; then if [ -n "${PHISH_KEY_PATH+set}" ] ; then
jq -r \ jq -r \
--arg PHISH_KEY_PATH "${PHISH_KEY_PATH}" \ --arg PHISH_KEY_PATH "${PHISH_KEY_PATH}" \
'.phish_server.key_path = $PHISH_KEY_PATH' config.json > config.json.tmp && \ '.phish_server.key_path = $PHISH_KEY_PATH' config.json > config.json.tmp && \
mv config.json.tmp config.json cat config.json.tmp > config.json
fi fi
# set contact_address # set contact_address
@ -57,9 +57,17 @@ if [ -n "${CONTACT_ADDRESS+set}" ] ; then
jq -r \ jq -r \
--arg CONTACT_ADDRESS "${CONTACT_ADDRESS}" \ --arg CONTACT_ADDRESS "${CONTACT_ADDRESS}" \
'.contact_address = $CONTACT_ADDRESS' config.json > config.json.tmp && \ '.contact_address = $CONTACT_ADDRESS' config.json > config.json.tmp && \
mv config.json.tmp config.json cat config.json.tmp > config.json
fi fi
if [ -n "${DB_FILE_PATH+set}" ] ; then
jq -r \
--arg DB_FILE_PATH "${DB_FILE_PATH}" \
'.db_path = $DB_FILE_PATH' config.json > config.json.tmp && \
cat config.json.tmp > config.json
fi
echo "Runtime configuration: "
cat config.json cat config.json
# start gophish # start gophish
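Review bot: The added `echo "Runtime configuration: "` followed by `cat config.json` writes the full configuration to the container log on every start, and the new `DB_FILE_PATH` block lets the operator put an arbitrary value into `.db_path`. If that field ever holds a connection string with credentials (an assumption; only a file path use is visible here), the secret would reach whatever collects the logs. Printing a redacted view such as `jq 'del(.db_path)' config.json` avoids that. Switching from `mv` to `cat config.json.tmp > config.json` also leaves a second copy of the config in `config.json.tmp`; a closing `: > config.json.tmp` would empty it without needing directory write access. The start command itself lies beyond the last hunk, so whether it runs after a failed `jq` cannot be checked from here.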