From 07d1004e09a1c31cc5c65b84177f14fda95cfd8e Mon Sep 17 00:00:00 2001 From: Thibault Godouet Date: Sun, 25 Jul 2021 17:42:10 +0100 Subject: [PATCH 1/6] run as non-root in docker --- README.md | 6 +++--- build/Dockerfile | 7 +++++++ build/entrypoint.sh | 5 +++++ 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 853a82d..389e6b7 100644 --- a/README.md +++ b/README.md @@ -38,7 +38,7 @@ tag | description To initialize and add account to the bridge, run the following command. ``` -docker run --rm -it -v protonmail:/root shenxn/protonmail-bridge init +docker run --rm -it -v protonmail:/home/protonmail shenxn/protonmail-bridge init ``` Wait for the bridge to startup, use `login` command and follow the instructions to add your account into the bridge. Then use `info` to see the configuration information (username and password). After that, use `exit` to exit the bridge. You may need `CTRL+C` to exit the docker entirely. @@ -48,7 +48,7 @@ Wait for the bridge to startup, use `login` command and follow the instructions To run the container, use the following command. ``` -docker run -d --name=protonmail-bridge -v protonmail:/root -p 1025:25/tcp -p 1143:143/tcp --restart=unless-stopped shenxn/protonmail-bridge +docker run -d --name=protonmail-bridge -v protonmail:/home/protonmail -p 1025:25/tcp -p 1143:143/tcp --restart=unless-stopped shenxn/protonmail-bridge ``` ## Kubernetes 
@@ -62,7 +62,7 @@ If you don't want to use Helm, you can also reference to the guide ([#6](https:/ Please be aware that running the command above will expose your bridge to the network. Remember to use firewall if you are going to run this in an untrusted network or on a machine that has public IP address. You can also use the following command to publish the port to only localhost, which is the same behavior as the official bridge package. ``` -docker run -d --name=protonmail-bridge -v protonmail:/root -p 127.0.0.1:1025:25/tcp -p 127.0.0.1:1143:143/tcp --restart=unless-stopped shenxn/protonmail-bridge +docker run -d --name=protonmail-bridge -v protonmail:/home/protonmail -p 127.0.0.1:1025:25/tcp -p 127.0.0.1:1143:143/tcp --restart=unless-stopped shenxn/protonmail-bridge ``` Besides, you can publish only port 25 (SMTP) if you don't need to receive any email (e.g. as a email notification service). diff --git a/build/Dockerfile b/build/Dockerfile index ae1c6f7..439e831 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -25,4 +25,11 @@ COPY gpgparams entrypoint.sh /protonmail/ # Copy protonmail COPY --from=build /build/proton-bridge/proton-bridge /protonmail/ +# Add a user 'protonmail' with UID 8535 +RUN useradd -u 8535 -d /home/protonmail protonmail \ + && mkdir -p /home/protonmail \ + && chown protonmail: /home/protonmail +# change to non-privileged user for extra security +USER protonmail + ENTRYPOINT ["bash", "/protonmail/entrypoint.sh"] diff --git a/build/entrypoint.sh b/build/entrypoint.sh index 1cebda6..c04cb4a 100644 --- a/build/entrypoint.sh +++ b/build/entrypoint.sh @@ -2,6 +2,11 @@ set -ex +id +# Go to current user's homedir +cd +echo $PWD + # Initialize if [[ $1 == init ]]; then From bc9f9b00ce8a8d947ce5e5947d9c8843d642a298 Mon Sep 17 00:00:00 2001 From: Thibault Godouet Date: Sat, 3 Dec 2022 16:40:32 +0000 Subject: [PATCH 2/6] Run as non-root for higher security It is best security practice to run the process in docker as non-root. 
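Review bot: `USER protonmail` names the account instead of its UID, so a runtime that enforces non-root from image metadata (Kubernetes `runAsNonRoot`, relevant given the README's Kubernetes section) cannot verify it. Since the UID is already fixed at 8535, `USER 8535` would let that check pass. The README still maps host ports to container ports 25 and 143, and a non-root process can bind those only where the runtime lowers `net.ipv4.ip_unprivileged_port_start` (recent Docker Engine releases do so by default) or grants `NET_BIND_SERVICE`. It is worth documenting that requirement or moving the in-container listeners above 1024. Volumes populated under `/root` by earlier images presumably hold root-owned files that UID 8535 cannot write, so an upgrade note would help; the stage's `FROM` and `EXPOSE` lines are outside this hunk.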
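Review bot: The bare `cd` relies on `$HOME` pointing at the mounted data directory, which holds only while the container runs as the image's `protonmail` user. If the UID is overridden at run time (`docker run --user`, or a Kubernetes `runAsUser`) and has no passwd entry, `HOME` is typically `/`, and the script carries on there without a clear error. A guard right after `cd`, such as `[ -w "$PWD" ] || { echo "home directory '$PWD' is not writable" >&2; exit 1; }`, would fail early with a useful message. `echo $PWD` should also quote the expansion, `echo "$PWD"`. The rest of the script, including the `init` branch, lies outside this hunk.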
From a6c2c9735c55c592fbe3145b320afb0343a00f30 Mon Sep 17 00:00:00 2001 From: Thibault Godouet Date: Tue, 20 Dec 2022 14:54:48 +0000 Subject: [PATCH 3/6] Docker build from ubuntu:jammy to fix glibc error. --- build/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/Dockerfile b/build/Dockerfile index 65dbe93..94807d2 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -9,7 +9,7 @@ WORKDIR /build/ COPY build.sh VERSION /build/ RUN bash build.sh -FROM ubuntu:focal +FROM ubuntu:jammy LABEL maintainer="Xiaonan Shen " EXPOSE 25/tcp From c875aa8ccc65e156f0a0b0ba2f096f565a79c99e Mon Sep 17 00:00:00 2001 From: Thibault Godouet Date: Tue, 20 Dec 2022 16:09:14 +0000 Subject: [PATCH 4/6] Sync from origin. (#3) * Bump build version to 3.0.5 * Bump build version to 3.0.6 * Bump build version to 3.0.7 Co-authored-by: GitHub Actions --- build/VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/VERSION b/build/VERSION index b38ebbf..3a8b971 100644 --- a/build/VERSION +++ b/build/VERSION @@ -1 +1 @@ -3.0.4 \ No newline at end of file +3.0.7 \ No newline at end of file From fa08ca00ca6a491257730a0e19e7bdc115e05f51 Mon Sep 17 00:00:00 2001 From: Thibault Godouet Date: Tue, 20 Dec 2022 16:15:45 +0000 Subject: [PATCH 5/6] Improved user info message in entrypoint.sh. --- build/entrypoint.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/build/entrypoint.sh b/build/entrypoint.sh index 5c20212..1ab0172 100644 --- a/build/entrypoint.sh +++ b/build/entrypoint.sh @@ -2,10 +2,9 @@ set -ex -id # Go to current user's homedir cd -echo $PWD +echo "Running as user '$USER' (UID '$UID') in '$PWD'" # Initialize if [[ $1 == init ]]; then From 69f65ed4092c26f96dbd4e02134c0031b1d19f7d Mon Sep 17 00:00:00 2001 
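Review bot: `$USER` in the new message is likely to expand to an empty string, because Docker does not export `USER` for the account selected by the image's `USER` instruction and bash itself only provides `UID`. The line would then print `Running as user ''`, losing what the removed `id` call reported. Taking the name from `id`, e.g. `echo "Running as user '$(id -un)' (UID '$(id -u)') in '$PWD'"`, keeps the message accurate whatever the environment contains. The remainder of the script is outside this hunk.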
From: Thibault Godouet Date: Sat, 3 Feb 2024 14:13:08 +0000 Subject: [PATCH 6/6] Merge from upstream (#4) * Bump build version to 3.0.10 * Bump build version to 3.0.12 * Bump build version to 3.0.14 * Bump build version to 3.0.15 * Bump build version to 3.0.16 * Bump deb version to 3.0.17-1 * Bump build version to 3.0.18 * Bump deb version to 3.0.19-1 * Bump build version to 3.0.19 * Bump deb version to 3.0.20-1 * Bump build version to 3.0.20 * Update Ubuntu tag for deb to fix GLIBC dependency (#80) GLIBC dependency issue highlighted in https://github.com/shenxn/protonmail-bridge-docker/issues/79 is caused by v3 of the bridge not supporting bionic. This PR simply updates the "deb" version to match the "build" version which is already on ubuntu:jammy. * Bump deb version to 3.0.21-1 * Bump build version to 3.0.21 * Bump build version to 3.1.0 * Bump build version to 3.1.1 * Bump deb version to 3.1.2-1 * Bump build version to 3.1.2 * Add a docker compose file (#70) It's quite the norm to include a docker-compose file, generally in the README or the root for people to copy and modify. For example as https://github.com/wfg/docker-openvpn-client has done so. If there are [Environmental variables](https://github.com/wfg/docker-openvpn-client#environment-variables), they should also be documented - in this case there isn't. 
* Bump deb version to 3.1.3-1 * Bump build version to 3.1.3 * Bump build version to 3.2.0 * Bump deb version to 3.2.0-1 * Bump build version to 3.3.0 * Bump deb version to 3.3.0-1 * Bump build version to 3.3.1 * Bump deb version to 3.3.2-1 * Bump build version to 3.3.2 * Bump build version to 3.4.0 * Bump build version to 3.4.1 * Bump build version to 3.4.2 * Bump build version to 3.5.0 * Bump deb version to 3.4.2-1 * Bump build version to 3.5.1 * Bump deb version to 3.5.1-1 * Bump deb version to 3.4.2-1 * Bump build version to 3.5.2 * Bump deb version to 3.5.3-1 * Bump build version to 3.5.3 * Bump build version to 3.6.0 * Bump deb version to 3.5.4-1 * Bump build version to 3.6.1 * Bump deb version to 3.6.1-2 * Bump build version to 3.7.0 * Bump build version to 3.7.1 * Bump deb version to 3.7.1-1 * Bump build version to 3.8.0 * Bump build version to 3.8.1 * Bump deb version to 3.8.1-1 * Bump build version to 3.9.0 * Bump deb version to 3.8.2-1 --------- Co-authored-by: GitHub Actions Co-authored-by: Aziz Hasanain Co-authored-by: Daniel Nathan Gray --- build/VERSION | 2 +- deb/Dockerfile | 2 +- deb/VERSION | 2 +- docker-compose.yml | 18 ++++++++++++++++++ 4 files changed, 21 insertions(+), 3 deletions(-) create mode 100644 docker-compose.yml diff --git a/build/VERSION b/build/VERSION index 489200c..b72ad01 100644 --- a/build/VERSION +++ b/build/VERSION @@ -1 +1 @@ -3.0.9 \ No newline at end of file +3.9.0 \ No newline at end of file diff --git a/deb/Dockerfile b/deb/Dockerfile index d225daf..8aa8bc7 100644 --- a/deb/Dockerfile +++ b/deb/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:bionic +FROM ubuntu:jammy LABEL maintainer="Xiaonan Shen " EXPOSE 25/tcp diff --git a/deb/VERSION b/deb/VERSION index a472920..cb5cc1b 100644 --- a/deb/VERSION +++ b/deb/VERSION @@ -1 +1 @@ -2.3.0-1 \ No newline at end of file +3.8.2-1 \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..cdea9b5 --- /dev/null 
+++ b/docker-compose.yml @@ -0,0 +1,18 @@ +version: '2.1' + +services: + protonmail-bridge: + image: shenxn/protonmail-bridge + # build: + # context: ./build + # dockerfile: Dockerfile + container_name: pm_bridge + ports: + - 1025:25/tcp + - 1143:143/tcp + restart: unless-stopped + stdin_open: true + tty: true +volumes: + protonmail: + name: protonmail
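Review bot: The `ports:` entries `1025:25/tcp` and `1143:143/tcp` publish SMTP and IMAP on every host interface, which is the exposure the README in this series warns about. A safer default for a file people copy verbatim is `- 127.0.0.1:1025:25/tcp` and `- 127.0.0.1:1143:143/tcp`, with a comment on how to widen it deliberately. The top-level `protonmail` volume is declared but the service has no `volumes:` entry mounting it, so as written the bridge's account state presumably does not persist when the container is re-created. A service-level mount such as `- protonmail:/home/protonmail` (or whichever home directory the referenced image actually uses) appears to be missing.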