From f4a778f82c18f7b75f7563392ebd6852ef2e0d61 Mon Sep 17 00:00:00 2001
From: Bond_009
Date: Tue, 22 Oct 2024 15:54:41 +0200
Subject: [PATCH 1/2] Change base of dodona-docker image to busybox

This prevents the submitted Dockerfile from conflicting with any required dynamic libraries (by not having any).

* Decreases image size substatially
* Uses the certificates bundled with kaniko
* Replaces the sudo hack with renaming the root user to runner
---
 dodona-docker.dockerfile | 30 ++++++++++--------------------
 1 file changed, 10 insertions(+), 20 deletions(-)

diff --git a/dodona-docker.dockerfile b/dodona-docker.dockerfile
index 9df9109..4150e0b 100644
--- a/dodona-docker.dockerfile
+++ b/dodona-docker.dockerfile
@@ -1,31 +1,21 @@
-FROM gcr.io/kaniko-project/executor:v1.23.2-slim AS kaniko
+FROM busybox:musl
-FROM hadolint/hadolint:2.12.0-debian
+COPY --from=hadolint/hadolint:2.12.0 /bin/hadolint /bin/hadolint
+COPY --from=ghcr.io/jqlang/jq:1.7.1 /jq /bin/jq
+COPY --from=gcr.io/kaniko-project/executor:v1.23.2-slim /kaniko /kaniko
-RUN apt-get update && \
- apt-get install -y --no-install-recommends \
- ca-certificates=20210119 \
- jq=1.6-2.1 \
- sudo=1.9.5p2-3+deb11u1 && \
- apt-get clean && \
- rm -rf /var/lib/apt/lists/*
+ENV SSL_CERT_DIR=/kaniko/ssl/certs
-COPY --from=kaniko /kaniko/executor /kaniko/executor2
-
-RUN chmod 777 /kaniko && \
- # kaniko requires root permissions to unpack the base image with proper permissions
- echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers && \
- printf '#!/bin/sh\nsudo /kaniko/executor2 "$@"' > /kaniko/executor && \
- chmod +x /kaniko/executor && \
+# kaniko requires root permissions to unpack the base image with proper permissions
+RUN printf 'runner:x:0:0:runner:/home/runner:/bin/sh' > /etc/passwd && \
 # Make sure the students can't find our secret path, which is mounted in
 # /mnt with a secure random name.
- chmod 711 /mnt && \
- # Add the user which will run the student's code and the judge.
- useradd -m runner --groups sudo
+ mkdir /mnt && \
+ chmod 711 /mnt
 # As the runner user
 USER runner
-RUN mkdir /home/runner/workdir
+RUN mkdir -p /home/runner/workdir
 WORKDIR /home/runner/workdir

From 799a7367b572ba655effbf99153b5d70fdb50fff Mon Sep 17 00:00:00 2001
From: Bond_009
Date: Thu, 14 Nov 2024 13:41:34 +0100
Subject: [PATCH 2/2] Add dodona-containerfile-evaluator dep to dodona-docker image

This utility allows the judge to check the usage of the USER and WORKDIR instructions in the Containerfile.
---
 dodona-docker.dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dodona-docker.dockerfile b/dodona-docker.dockerfile
index 4150e0b..1691b36 100644
--- a/dodona-docker.dockerfile
+++ b/dodona-docker.dockerfile
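Review bot: `USER runner` no longer drops privileges: the `printf ... > /etc/passwd` line defines runner as UID 0, so the judge and the student's code run as root, and the `chmod 711 /mnt` below it is not a barrier for a root process (UID 0 bypasses mode bits), even though the two-line comment above it still presents it as hiding the secret path. The previous passwordless-sudo setup was already root-equivalent, so effective privilege is not a regression, but the comment now claims a protection that does not exist; either reword it to say the mode of /mnt is not relied on for secrecy, or keep a genuinely unprivileged user for everything except the kaniko executor. Separately, `FROM busybox:musl` is a floating tag while every `COPY --from` source is version-pinned; pin it as well (`FROM busybox:<version>-musl@sha256:<digest>`) so the base cannot change underneath the judge. The passwd entry is also written without a trailing newline; `printf 'runner:x:0:0:runner:/home/runner:/bin/sh\n' > /etc/passwd` avoids depending on the libc parser tolerating that.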
@@ -1,5 +1,6 @@
 FROM busybox:musl
 
+COPY --from=ghcr.io/bond-009/dodona-containerfile-evaluator:v0.1.0 /bin/dodona-containerfile-evaluator /bin/dodona-containerfile-evaluator
 COPY --from=hadolint/hadolint:2.12.0 /bin/hadolint /bin/hadolint
 COPY --from=ghcr.io/jqlang/jq:1.7.1 /jq /bin/jq
 COPY --from=gcr.io/kaniko-project/executor:v1.23.2-slim /kaniko /kaniko
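Review bot: The added `COPY --from=ghcr.io/bond-009/dodona-containerfile-evaluator:v0.1.0` pulls a binary from a personal GitHub namespace by a mutable tag, and nothing in the build verifies what arrived, so a re-pushed `v0.1.0` would silently change what the judge runs against every submission; pin it by digest (`COPY --from=ghcr.io/bond-009/dodona-containerfile-evaluator:v0.1.0@sha256:<digest> /bin/dodona-containerfile-evaluator /bin/dodona-containerfile-evaluator`). Because the busybox base ships no shared libraries, a build-time smoke run would also catch a dynamically linked build of any copied tool at image build rather than at judge time; for the two binaries whose flags are known that is `RUN hadolint --version && jq --version`, and the evaluator can be added to that line once its own version or help flag is confirmed.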