This repository was archived by the owner on Apr 1, 2019. It is now read-only.
Conversation
Author
|
ypid
added a commit
to ypid/docker-tor
that referenced
this pull request
Mar 29, 2015
…od#8. * Debian is the recommended base image for Docker. * Changed volume of tor home dir to the default one /var/lib/tor. Note that when I do `docker rm … && docker run …` docker will not use the previously used volume but instead create a new container resulting in new private keys being generated. I use `docker run -v /srv/tor:/var/lib/tor` for persistent storage. * apt automatically checks packages with GPG. Related to patrickod#8. * One could also run tor inside the Docker container as debian-tor user. But note that the UID of debian-tor might be mapped to a different user outside of the container resulting in read+write access for this user to the private key.
This was referenced Mar 29, 2015
Owner
|
Sorry about the delayed response here. I accidentally unsubscribed from my own repositories. I had a look at #9 and I think it does a good job of a) verifying the package being installed and b) cutting down the resulting image. It weight in at 268MB when I took it for a spin locally. I'm inclined to close this in favour of #9, but would love feedback if I'm missing anything RE: package verification. I'm not hugely familiar with how Debian deals with this. Thanks for the PR! Sorry for the delayed response 😨 |
patrickod
added a commit
that referenced
this pull request
May 2, 2015
Updated to tor 0.2.5.11 from deb package and switched to Debian jessie. Closes #8.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Check the tor tarball with appropriate signing keys to ensure authenticity of the download.
The reason for the /tmp/gpg directory is to silo off keys we're not sure about, since we download with the (still) insecure
gpg --recv-keys <short-key-id>- see https://evil32.com/. Even though this has been patched in latest versions of GPG, the packages in Ubuntu have yet to catch up.With
--export <fingerprint>, we can be sure we're selecting by the entire key, which is imported to the keyring we actually verify with. If the verify fails,docker buildwill halt.I also have the slim version of this, which is to run all the download and build steps in a single
Dockerfilecommand, available at https://github.com/Hainish/docker-tor/tree/slim. This may be desirable for those downloading the docker image based on filesize. It also may be undesirable for those building manually, if some intermediate step fails they can't easily re-run. For this reason I haven't included it in this PR.