From 416e43e7bb14674c944b18ca87c7a79310dbd173 Mon Sep 17 00:00:00 2001 From: Kevin Froman Date: Tue, 15 Dec 2020 19:54:33 -0600 Subject: [PATCH 1/5] correct yt link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5eea66c5..86d265b3 100644 --- a/README.md +++ b/README.md @@ -70,7 +70,7 @@ Not yet usable: ## Watch the talk from BSidesPDX 2019 - + improving anonymous networking talk link From b1ef248ee924a4627a97ef5a8e4cdb3b528719d7 Mon Sep 17 00:00:00 2001 From: Duncan X Simpson Date: Mon, 14 Dec 2020 23:20:27 -0700 Subject: [PATCH 2/5] Docker improvements - Modify onionr.sh to parse env and supply args to run-onionr-node.py - Run onionr by default rather than bash - Run as unprivileged user by default instead of root - Use /app for all code - Specify python 3.7 (3.8 fails to build cffi) - Use apt-get rather than apt (apt's CLI is not stable) - Slight reformatting and consolidation --- Dockerfile | 34 ++++++++++++++++++---------------- onionr.sh | 21 +++++++++++++++++++-- 2 files changed, 37 insertions(+), 18 deletions(-) diff --git a/Dockerfile b/Dockerfile index 546152db..c8e93527 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,28 +1,30 @@ -FROM python +FROM python:3.7 -#Base settings -ENV HOME /root +USER root + +RUN mkdir /app +WORKDIR /app + +ENV PORT=8080 +EXPOSE 8080 #Install needed packages -RUN apt update && apt install -y tor locales +RUN apt-get update && apt-get install -y tor locales RUN sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \ locale-gen -ENV LANG en_US.UTF-8 -ENV LANGUAGE en_US:en -ENV LC_ALL en_US.UTF-8 +ENV LANG=en_US.UTF-8 LANGUAGE=en_US:en LC_ALL=en_US.UTF-8 -WORKDIR /srv/ -ADD ./requirements.txt /srv/requirements.txt +ADD ./requirements.txt /app/requirements.txt RUN pip3 install --require-hashes -r requirements.txt -WORKDIR /root/ #Add Onionr source -COPY . /root/ -VOLUME /root/data/ +COPY . /app/ -#Set upstart command -CMD bash +VOLUME /app/data/ -#Expose ports -EXPOSE 8080 +#Default to running as nonprivileged user +RUN chmod g=u -R /app +USER 1000 + +CMD ["bash", "./onionr.sh"] diff --git a/onionr.sh b/onionr.sh index 0b7d898c..ea925a52 100755 --- a/onionr.sh +++ b/onionr.sh @@ -2,5 +2,22 @@ ORIG_ONIONR_RUN_DIR=`pwd` export ORIG_ONIONR_RUN_DIR cd "$(dirname "$0")" -cd src -./__init__.py "$@" \ No newline at end of file + +[[ -n "$USE_TOR" ]] || USE_TOR=1 +[[ -n "$PORT" ]] || PORT=8080 +[[ -n "$KEEP_LOG" ]] || KEEP_LOG=0 +[[ -n "$STORE_PLAINTEXT" ]] || STORE_PLAINTEXT=1 + +PRIVKEY_OPT="" +[[ -f "privkey.key" ]] && PRIVKEY_OPT="--private-key privkey.key" + +python run-onionr-node.py \ + --open-ui 0 \ + --onboarding 0 \ + --bind-address 0.0.0.0 \ + --port $PORT \ + --use-tor $USE_TOR \ + --keep-log-on-exit $KEEP_LOG \ + --store-plaintext $STORE_PLAINTEXT \ + $PRIVKEY_OPT \ + "$@" From 2bd58945daa244ebceb6a04acd1a572ea7a9f9f3 Mon Sep 17 00:00:00 2001 
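Review bot: `RUN chmod g=u -R /app` makes the whole copied source tree group-writable just before `USER 1000`, so the unprivileged process can rewrite the code it executes; only the state directory needs to be writable, and the change should also come before the `VOLUME /app/data/` line because Docker documents that changes made to a declared volume path by later build steps are discarded (as written, `/app/data/` in the image may keep its root-only permissions). Suggested: move `VOLUME /app/data/` below `RUN chmod g=u -R /app/data` and leave the rest of `/app` read-only for the run user. `USER 1000` with no group makes the process run with the root group, which is what the `g=u` idiom relies on — worth a comment such as `# uid 1000 has no passwd entry; runs with gid 0, hence g=u above` so it is not "fixed" later. Two smaller points: `ADD ./requirements.txt` should be `COPY` (ADD also fetches URLs and unpacks archives), and the `apt-get install -y tor locales` layer would normally end with `&& rm -rf /var/lib/apt/lists/*`. The same hunk is repeated verbatim in PATCH 5/5.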
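Review bot: The launcher hard-codes `--bind-address 0.0.0.0` while the `--bind-address` option added to `run-onionr-node.py` later in this series is documented with "Be very careful with non-loopback"; inside a container that is what port publishing needs, but the same script under `--network host` puts the private API, whose only visible gate is the `client.webpassword` token, on every host interface. Make it overridable like the other settings and say why the default is what it is: `[[ -n "$BIND_ADDRESS" ]] || BIND_ADDRESS=0.0.0.0  # container default; publish the port or use loopback` and `--bind-address "$BIND_ADDRESS" \`. `$PORT`, `$USE_TOR`, `$KEEP_LOG` and `$STORE_PLAINTEXT` are expanded unquoted although only `$PRIVKEY_OPT` relies on word splitting; quote the four scalars. `[[ -n "$USE_TOR" ]] || USE_TOR=1` is the long form of `: "${USE_TOR:=1}"`. Note that PATCH 4/5 removes this whole block again.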
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Thu, 10 Dec 2020 14:04:14 +0000 Subject: [PATCH 3/5] Bump watchdog from 0.10.4 to 1.0.1 Bumps [watchdog](https://github.com/gorakhargosh/watchdog) from 0.10.4 to 1.0.1. - [Release notes](https://github.com/gorakhargosh/watchdog/releases) - [Changelog](https://github.com/gorakhargosh/watchdog/blob/master/changelog.rst) - [Commits](https://github.com/gorakhargosh/watchdog/compare/v0.10.4...v1.0.1) Signed-off-by: dependabot-preview[bot] --- requirements.in | 2 +- requirements.txt | 7 ++----- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/requirements.in b/requirements.in index c23dec08..ea5f0c18 100644 --- a/requirements.in +++ b/requirements.in @@ -12,5 +12,5 @@ toomanyobjs==1.1.0 niceware==0.2.1 psutil==5.7.3 filenuke==0.0.0 -watchdog==0.10.4 +watchdog==1.0.1 ujson==4.0.1 diff --git a/requirements.txt b/requirements.txt index ffedc92c..759f221a 100644 --- a/requirements.txt +++ b/requirements.txt @@ -141,9 +141,6 @@ niceware==0.2.1 \ --hash=sha256:0f8b192f2a1e800e068474f6e208be9c7e2857664b33a96f4045340de4e5c69c \ --hash=sha256:cf2dc0e1567d36d067c61b32fed0f1b9c4534ed511f9eeead4ba548d03b5c9eb \ # via -r requirements.in -pathtools==0.1.2 \ - --hash=sha256:7c35c5421a39bb82e58018febd90e3b6e5db34c5443aaaf742b3f33d4655f1c0 \ - # via watchdog psutil==5.7.3 \ --hash=sha256:01bc82813fbc3ea304914581954979e637bcc7084e59ac904d870d6eb8bb2bc7 \ --hash=sha256:1cd6a0c9fb35ece2ccf2d1dd733c1e165b342604c67454fd56a4c12e0a106787 \ 
@@ -232,8 +229,8 @@ urllib3==1.25.11 \ --hash=sha256:8d7eaa5a82a1cac232164990f04874c594c9453ec55eef02eab885aa02fc17a2 \ --hash=sha256:f5321fbe4bf3fefa0efd0bfe7fb14e90909eb62a48ccda331726b4319897dd5e \ # via -r requirements.in, requests -watchdog==0.10.4 \ - --hash=sha256:e38bffc89b15bafe2a131f0e1c74924cf07dcec020c2e0a26cccd208831fcd43 \ +watchdog==1.0.1 \ + --hash=sha256:78ea5d78f2cf8e4d6343ab2cbed93bb47b7a85b1c2f90a1dea365226bbab68ac \ # via -r requirements.in werkzeug==0.15.5 \ --hash=sha256:87ae4e5b5366da2347eb3116c0e6c681a0e939a33b2805e2c0cbd282664932c4 \ From ae359de56252f64b3e0d2868910fbe5791e5a5cc Mon Sep 17 00:00:00 2001 From: Kevin Froman Date: Tue, 15 Dec 2020 21:59:36 -0600 Subject: [PATCH 4/5] Added custom port and bind address args --- onionr.sh | 21 ++------------------- run-onionr-node.py | 13 +++++++++++++ src/apiservers/private/__init__.py | 11 +++++++++-- static-data/default_config.json | 1 + tests/test_default_config_json.py | 1 + 5 files changed, 26 insertions(+), 21 deletions(-) diff --git a/onionr.sh b/onionr.sh index ea925a52..0b7d898c 100755 --- a/onionr.sh +++ b/onionr.sh @@ -2,22 +2,5 @@ ORIG_ONIONR_RUN_DIR=`pwd` export ORIG_ONIONR_RUN_DIR cd "$(dirname "$0")" - -[[ -n "$USE_TOR" ]] || USE_TOR=1 -[[ -n "$PORT" ]] || PORT=8080 -[[ -n "$KEEP_LOG" ]] || KEEP_LOG=0 -[[ -n "$STORE_PLAINTEXT" ]] || STORE_PLAINTEXT=1 - -PRIVKEY_OPT="" -[[ -f "privkey.key" ]] && PRIVKEY_OPT="--private-key privkey.key" - -python run-onionr-node.py \ - --open-ui 0 \ - --onboarding 0 \ - --bind-address 0.0.0.0 \ - --port $PORT \ - --use-tor $USE_TOR \ - --keep-log-on-exit $KEEP_LOG \ - --store-plaintext $STORE_PLAINTEXT \ - $PRIVKEY_OPT \ - "$@" +cd src +./__init__.py "$@" \ No newline at end of file diff --git a/run-onionr-node.py b/run-onionr-node.py index 2c8f3431..15fd581e 100755 --- a/run-onionr-node.py +++ b/run-onionr-node.py 
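Review bot: Restoring `cd src` / `./__init__.py "$@"` drops the `run-onionr-node.py` invocation that PATCH 2/5 introduced, and PATCH 5/5 keeps the Dockerfile from that patch, so `ENV PORT=8080`, `EXPOSE 8080` and `CMD ["bash", "./onionr.sh"]` no longer feed `--port` or `--bind-address` to anything; unless the default entry point binds a non-loopback address on its own, which nothing in this series shows, the image starts a node that is not reachable on the exposed port. Either keep an env-driven launcher for the container (a separate entrypoint script that the Dockerfile's `CMD` calls) or remove `ENV PORT`/`EXPOSE` so the image does not advertise a port it does not serve. The file also loses its trailing newline again (`\ No newline at end of file`).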
@@ -55,6 +55,12 @@ def show_info(p: Process): parser = argparse.ArgumentParser() +parser.add_argument( + "--bind-address", help="Address to bind to. Be very careful with non-loopback", + type=str, default="") +parser.add_argument( + "--port", help="Port to bind to, must be available and possible", + type=int, default=0) parser.add_argument( "--use-bootstrap-file", help="Use bootstrap node list file", type=int, default=1) @@ -129,6 +135,13 @@ config['general']['dev_mode'] = False config['general']['store_plaintext_blocks'] = True config['general']['use_bootstrap_list'] = True config['transports']['tor'] = True +config['general']['bind_port'] = 0 # client api server port +config['general']['bind_address'] = '' # client api server address + +if args.bind_address: + config['general']['bind_address'] = args.bind_address +if args.port: + config['client']['client']['port'] = args.port if not args.use_bootstrap_file: config['general']['use_bootstrap_list'] = False diff --git a/src/apiservers/private/__init__.py b/src/apiservers/private/__init__.py index 3bc0df3a..657c30b7 100644 --- a/src/apiservers/private/__init__.py +++ b/src/apiservers/private/__init__.py @@ -50,13 +50,20 @@ class PrivateAPI: self.startTime = epoch.get_epoch() app = flask.Flask(__name__) + + bind_port = int(config.get('client.client.port', 59496)) self.bindPort = bind_port self.clientToken = config.get('client.webpassword') - self.host = httpapi.apiutils.setbindip.set_bind_IP( - private_API_host_file) + if config.get('general.bind_address'): + with open(private_API_host_file, 'w') as bindFile: + bindFile.write(config.get('general.bind_address')) + self.host = config.get('general.bind_address') + else: + self.host = httpapi.apiutils.setbindip.set_bind_IP( + private_API_host_file) logger.info('Running api on %s:%s' % (self.host, self.bindPort)) self.httpServer = '' diff --git a/static-data/default_config.json b/static-data/default_config.json index 2a788eb3..dcad2e50 100755 
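Review bot: `--port` is `type=int` with no range check, so `-1` or `70000` passes argparse and is copied into `config['client']['client']['port']` later in the file, where it only fails when the server binds; a fast failure after the `parse_args` call (outside this hunk) is two lines: `if not 0 <= args.port <= 65535:` / `    parser.error("--port must be between 0 and 65535 (0 = keep configured port)")`. `--bind-address` is likewise accepted as any string; parsing it with `ipaddress.ip_address` from the standard library would reject hostnames and typos before they reach the bind. The help text "must be available and possible" is unclear — `"Port to bind to (1-65535); 0 keeps the configured port"` says what the code does. The same hunk appears again in PATCH 5/5.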
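Review bot: `config['general']['bind_port'] = 0` is written here but nothing in this series reads `general.bind_port`: `--port` goes to `config['client']['client']['port']`, which is what `PrivateAPI` reads via `config.get('client.client.port', 59496)`, and unlike `bind_address` the key is not added to `static-data/default_config.json` or its test, so it is a dead key with a comment that suggests otherwise. Drop the line, or if a separate key is intended, route it the same way as `bind_address`. `if args.port:` treats 0 as "not given", which matches `default=0` but deserves a comment, e.g. `# 0 (the default) keeps the port already in the config`. The `if not args.use_bootstrap_file:` block continues past the hunk. PATCH 5/5 repeats this hunk unchanged.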
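Review bot: `config.get('general.bind_address')` is evaluated three times in the new branch; read it once, `bind_address = config.get('general.bind_address')`, then `if bind_address:` and use the local for both the file write and `self.host`. The branch also overwrites `private_API_host_file` with the bare configured address, bypassing whatever `set_bind_IP` does in the loopback case (its code is not in the series); if other components parse that file, confirm this is the format they expect. Because a non-loopback value exposes the token-gated private API beyond the host (the CLI help in this series warns about exactly that), a log line in the override branch, e.g. `logger.info('general.bind_address is set; private API will listen on %s' % self.host)`, lets an operator see from the logs that the override, not the default, was applied. The enclosing method (`PrivateAPI.__init__`, judging by the `self.` assignments) starts and ends outside the hunk; the same hunk is repeated in PATCH 5/5.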
--- a/static-data/default_config.json +++ b/static-data/default_config.json @@ -8,6 +8,7 @@ "general": { "allow_public_api_dns_rebinding": false, "announce_node": true, + "bind_address": "", "dev_mode": false, "display_header": true, "ephemeral_tunnels": false, diff --git a/tests/test_default_config_json.py b/tests/test_default_config_json.py index b50db4b2..2678b13c 100644 --- a/tests/test_default_config_json.py +++ b/tests/test_default_config_json.py @@ -24,6 +24,7 @@ class OnionrConfig(unittest.TestCase): self.assertEqual(conf['allocations']['disk'], 1073741824) self.assertEqual(conf['allocations']['disk'], 1073741824) self.assertEqual(conf['general']['announce_node'], True) + self.assertEqual(conf['general']['bind_address'], '') self.assertEqual(conf['general']['dev_mode'], False) self.assertEqual(conf['general']['display_header'], True) self.assertEqual(conf['general']['ephemeral_tunnels'], False) From c44d6624ff7df9813f1574c305d9828124a0d609 Mon Sep 17 00:00:00 2001 From: Kevin Froman Date: Tue, 15 Dec 2020 19:54:33 -0600 Subject: [PATCH 5/5] correct yt link Docker improvements - Run onionr by default rather than bash - Run as unprivileged user by default instead of root - Use /app for all code - Specify python 3.7 (3.8 fails to build cffi) - Use apt-get rather than apt (apt's CLI is not stable) - Slight reformatting and consolidation Added custom port and bind address args --- Dockerfile | 34 ++++++++++++++++-------------- README.md | 2 +- run-onionr-node.py | 13 ++++++++++++ src/apiservers/private/__init__.py | 11 ++++++++-- static-data/default_config.json | 1 + tests/test_default_config_json.py | 1 + 6 files changed, 43 insertions(+), 19 deletions(-) diff --git a/Dockerfile b/Dockerfile index 546152db..c8e93527 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,28 +1,30 @@ -FROM python +FROM python:3.7 -#Base settings -ENV HOME /root +USER root + +RUN mkdir /app +WORKDIR /app + +ENV PORT=8080 +EXPOSE 8080 #Install needed packages -RUN apt update && apt install -y tor locales +RUN apt-get update && apt-get install -y tor locales RUN sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \ locale-gen -ENV LANG en_US.UTF-8 -ENV LANGUAGE en_US:en -ENV LC_ALL en_US.UTF-8 +ENV LANG=en_US.UTF-8 LANGUAGE=en_US:en LC_ALL=en_US.UTF-8 -WORKDIR /srv/ -ADD ./requirements.txt /srv/requirements.txt +ADD ./requirements.txt /app/requirements.txt RUN pip3 install --require-hashes -r requirements.txt -WORKDIR /root/ #Add Onionr source -COPY . /root/ -VOLUME /root/data/ +COPY . /app/ -#Set upstart command -CMD bash +VOLUME /app/data/ -#Expose ports -EXPOSE 8080 +#Default to running as nonprivileged user +RUN chmod g=u -R /app +USER 1000 + +CMD ["bash", "./onionr.sh"] diff --git a/README.md b/README.md index 5eea66c5..86d265b3 100644 --- a/README.md +++ b/README.md @@ -70,7 +70,7 @@ Not yet usable: ## Watch the talk from BSidesPDX 2019 - + improving anonymous networking talk link diff --git a/run-onionr-node.py b/run-onionr-node.py index 2c8f3431..15fd581e 100755 --- a/run-onionr-node.py +++ b/run-onionr-node.py @@ -55,6 +55,12 @@ def show_info(p: Process): parser = argparse.ArgumentParser() +parser.add_argument( + "--bind-address", help="Address to bind to. Be very careful with non-loopback", + type=str, default="") +parser.add_argument( + "--port", help="Port to bind to, must be available and possible", + type=int, default=0) parser.add_argument( "--use-bootstrap-file", help="Use bootstrap node list file", type=int, default=1) 
@@ -129,6 +135,13 @@ config['general']['dev_mode'] = False config['general']['store_plaintext_blocks'] = True config['general']['use_bootstrap_list'] = True config['transports']['tor'] = True +config['general']['bind_port'] = 0 # client api server port +config['general']['bind_address'] = '' # client api server address + +if args.bind_address: + config['general']['bind_address'] = args.bind_address +if args.port: + config['client']['client']['port'] = args.port if not args.use_bootstrap_file: config['general']['use_bootstrap_list'] = False diff --git a/src/apiservers/private/__init__.py b/src/apiservers/private/__init__.py index 3bc0df3a..657c30b7 100644 --- a/src/apiservers/private/__init__.py +++ b/src/apiservers/private/__init__.py @@ -50,13 +50,20 @@ class PrivateAPI: self.startTime = epoch.get_epoch() app = flask.Flask(__name__) + + bind_port = int(config.get('client.client.port', 59496)) self.bindPort = bind_port self.clientToken = config.get('client.webpassword') - self.host = httpapi.apiutils.setbindip.set_bind_IP( - private_API_host_file) + if config.get('general.bind_address'): + with open(private_API_host_file, 'w') as bindFile: + bindFile.write(config.get('general.bind_address')) + self.host = config.get('general.bind_address') + else: + self.host = httpapi.apiutils.setbindip.set_bind_IP( + private_API_host_file) logger.info('Running api on %s:%s' % (self.host, self.bindPort)) self.httpServer = '' diff --git a/static-data/default_config.json b/static-data/default_config.json index 2a788eb3..dcad2e50 100755 --- a/static-data/default_config.json +++ b/static-data/default_config.json @@ -8,6 +8,7 @@ "general": { "allow_public_api_dns_rebinding": false, "announce_node": true, + "bind_address": "", "dev_mode": false, "display_header": true, "ephemeral_tunnels": false, diff --git a/tests/test_default_config_json.py b/tests/test_default_config_json.py index b50db4b2..2678b13c 100644 --- a/tests/test_default_config_json.py 
+++ b/tests/test_default_config_json.py @@ -24,6 +24,7 @@ class OnionrConfig(unittest.TestCase): self.assertEqual(conf['allocations']['disk'], 1073741824) self.assertEqual(conf['allocations']['disk'], 1073741824) self.assertEqual(conf['general']['announce_node'], True) + self.assertEqual(conf['general']['bind_address'], '') self.assertEqual(conf['general']['dev_mode'], False) self.assertEqual(conf['general']['display_header'], True) self.assertEqual(conf['general']['ephemeral_tunnels'], False)