From cf15da1ed5e319bcc8dac18cb9f76166ac0a50fa Mon Sep 17 00:00:00 2001 From: Thomas Kriechbaumer Date: Sat, 15 Sep 2018 12:00:20 +0000 Subject: add docker security warning --- docker/Dockerfile | 41 -------------------------------- docker/DockerfileARMv7 | 45 ----------------------------------- docker/README.md | 38 ------------------------------ docker/docker-entrypoint.sh | 13 ---------- release/cibuild.py | 4 ++-- release/docker/Dockerfile | 41 ++++++++++++++++++++++++++++++++ release/docker/DockerfileARMv7 | 45 +++++++++++++++++++++++++++++++++++ release/docker/README.md | 47 +++++++++++++++++++++++++++++++++++++ release/docker/docker-entrypoint.sh | 13 ++++++++++ 9 files changed, 148 insertions(+), 139 deletions(-) delete mode 100644 docker/Dockerfile delete mode 100644 docker/DockerfileARMv7 delete mode 100644 docker/README.md delete mode 100755 docker/docker-entrypoint.sh create mode 100644 release/docker/Dockerfile create mode 100644 release/docker/DockerfileARMv7 create mode 100644 release/docker/README.md create mode 100755 release/docker/docker-entrypoint.sh diff --git a/docker/Dockerfile b/docker/Dockerfile deleted file mode 100644 index bbe88c9d..00000000 --- a/docker/Dockerfile +++ /dev/null 
@@ -1,41 +0,0 @@
-FROM alpine:3.7
-
-ENV LANG=en_US.UTF-8
-
-ARG WHEEL_MITMPROXY
-ARG WHEEL_BASENAME_MITMPROXY
-
-COPY $WHEEL_MITMPROXY /home/mitmproxy/
-
-# Add our user first to make sure the ID get assigned consistently,
-# regardless of whatever dependencies get added.
-RUN addgroup -S mitmproxy && adduser -S -G mitmproxy mitmproxy \
- && apk add --no-cache \
- su-exec \
- git \
- g++ \
- libffi \
- libffi-dev \
- libstdc++ \
- openssl \
- openssl-dev \
- python3 \
- python3-dev \
- && python3 -m ensurepip \
- && LDFLAGS=-L/lib pip3 install -U /home/mitmproxy/${WHEEL_BASENAME_MITMPROXY} \
- && apk del --purge \
- git \
- g++ \
- libffi-dev \
- openssl-dev \
- python3-dev \
- && rm -rf ~/.cache/pip /home/mitmproxy/${WHEEL_BASENAME_MITMPROXY}
-
-VOLUME /home/mitmproxy/.mitmproxy
-
-COPY docker/docker-entrypoint.sh /usr/local/bin/
-ENTRYPOINT ["docker-entrypoint.sh"]
-
-EXPOSE 8080 8081
-
-CMD ["mitmproxy"]
diff --git a/docker/DockerfileARMv7 b/docker/DockerfileARMv7
deleted file mode 100644
index 2988b5e4..00000000
--- a/docker/DockerfileARMv7
+++ /dev/null
@@ -1,45 +0,0 @@
-FROM resin/raspberrypi3-alpine:3.7
-
-ENV LANG=en_US.UTF-8
-
-ARG WHEEL_MITMPROXY
-ARG WHEEL_BASENAME_MITMPROXY
-
-COPY $WHEEL_MITMPROXY /home/mitmproxy/
-
-RUN [ "cross-build-start" ]
-
-# Add our user first to make sure the ID get assigned consistently,
-# regardless of whatever dependencies get added.
-RUN addgroup -S mitmproxy && adduser -S -G mitmproxy mitmproxy \
- && apk add --no-cache \
- su-exec \
- git \
- g++ \
- libffi \
- libffi-dev \
- libstdc++ \
- openssl \
- openssl-dev \
- python3 \
- python3-dev \
- && python3 -m ensurepip \
- && LDFLAGS=-L/lib pip3 install -U /home/mitmproxy/${WHEEL_BASENAME_MITMPROXY} \
- && apk del --purge \
- git \
- g++ \
- libffi-dev \
- openssl-dev \
- python3-dev \
- && rm -rf ~/.cache/pip /home/mitmproxy/${WHEEL_BASENAME_MITMPROXY}
-
-RUN [ "cross-build-end" ]
-
-VOLUME /home/mitmproxy/.mitmproxy
-
-COPY docker/docker-entrypoint.sh /usr/local/bin/
-ENTRYPOINT ["docker-entrypoint.sh"]
-
-EXPOSE 8080 8081
-
-CMD ["mitmproxy"]
diff --git a/docker/README.md b/docker/README.md
deleted file mode 100644
index 6693de45..00000000
--- a/docker/README.md
+++ /dev/null
@@ -1,38 +0,0 @@
-# mitmproxy
-
-Containerized version of [mitmproxy](https://mitmproxy.org/), an interactive SSL-capable intercepting HTTP proxy.
-
-# Usage
-
-```sh
-$ docker run --rm -it [-v ~/.mitmproxy:/home/mitmproxy/.mitmproxy] -p 8080:8080 mitmproxy/mitmproxy
-```
-The *volume mount* is optional: It's to store the generated CA certificates.
-
-Once started, mitmproxy listens as a HTTP proxy on `localhost:8080`:
-```sh
-$ http_proxy=http://localhost:8080/ curl http://example.com/
-$ https_proxy=http://localhost:8080/ curl -k https://example.com/
-```
-
-You can also start `mitmdump` by just adding that to the end of the command-line:
-```sh
-$ docker run --rm -it -p 8080:8080 mitmproxy/mitmproxy mitmdump
-```
-
-For `mitmweb`, you also need to expose port 8081:
-```sh
-# this makes :8081 accessible to the local machine only
-$ docker run --rm -it -p 8080:8080 -p 127.0.0.1:8081:8081 mitmproxy/mitmproxy mitmweb --web-iface 0.0.0.0
-```
-
-You can also pass options directly via the CLI:
-```sh
-$ docker run --rm -it -p 8080:8080 mitmproxy/mitmproxy mitmdump --set ssl_insecure=true
-```
-
-For further details, please consult the mitmproxy [documentation](http://docs.mitmproxy.org/en/stable/).
-
-# Tags
-
-The available release tags can be seen [here](https://hub.docker.com/r/mitmproxy/mitmproxy/tags/).
diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh
deleted file mode 100755
index a4abe4ce..00000000
--- a/docker/docker-entrypoint.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/sh
-set -e
-
-MITMPROXY_PATH="/home/mitmproxy/.mitmproxy"
-
-if [[ "$1" = "mitmdump" || "$1" = "mitmproxy" || "$1" = "mitmweb" ]]; then
- mkdir -p "$MITMPROXY_PATH"
- chown -R mitmproxy:mitmproxy "$MITMPROXY_PATH"
-
- su-exec mitmproxy "$@"
-else
- exec "$@"
-fi
diff --git a/release/cibuild.py b/release/cibuild.py
index 6264c72b..ba17ced2 100755
--- a/release/cibuild.py
+++ b/release/cibuild.py
@@ -312,7 +312,7 @@ def build_docker_image(be: BuildEnviron, whl: str): # pragma: no cover "--tag", be.docker_tag, "--build-arg", "WHEEL_MITMPROXY={}".format(whl), "--build-arg", "WHEEL_BASENAME_MITMPROXY={}".format(os.path.basename(whl)), - "--file", "docker/Dockerfile", + "--file", "release/docker/Dockerfile", "." ]) subprocess.check_call([ @@ -321,7 +321,7 @@ def build_docker_image(be: BuildEnviron, whl: str): # pragma: no cover "--tag", be.docker_tag + "-ARMv7", "--build-arg", "WHEEL_MITMPROXY={}".format(whl), "--build-arg", "WHEEL_BASENAME_MITMPROXY={}".format(os.path.basename(whl)), - "--file", "docker/DockerfileARMv7", + "--file", "release/docker/DockerfileARMv7", "." ]) diff --git a/release/docker/Dockerfile b/release/docker/Dockerfile new file mode 100644 index 00000000..7c9a2421 --- /dev/null +++ b/release/docker/Dockerfile @@ -0,0 +1,41 @@ +FROM alpine:3.8 + +ENV LANG=en_US.UTF-8 + +ARG WHEEL_MITMPROXY +ARG WHEEL_BASENAME_MITMPROXY + +COPY $WHEEL_MITMPROXY /home/mitmproxy/ + +# Add our user first to make sure the ID get assigned consistently, +# regardless of whatever dependencies get added. +RUN addgroup -S mitmproxy && adduser -S -G mitmproxy mitmproxy \ + && apk add --no-cache \ + su-exec \ + git \ + g++ \ + libffi \ + libffi-dev \ + libstdc++ \ + openssl \ + openssl-dev \ + python3 \ + python3-dev \ + && python3 -m ensurepip \ + && LDFLAGS=-L/lib pip3 install -U /home/mitmproxy/${WHEEL_BASENAME_MITMPROXY} \ + && apk del --purge \ + git \ + g++ \ + libffi-dev \ + openssl-dev \ + python3-dev \ + && rm -rf ~/.cache/pip /home/mitmproxy/${WHEEL_BASENAME_MITMPROXY} + +VOLUME /home/mitmproxy/.mitmproxy + +COPY release/docker/docker-entrypoint.sh /usr/local/bin/ +ENTRYPOINT ["docker-entrypoint.sh"] + +EXPOSE 8080 8081 + +CMD ["mitmproxy"] diff --git a/release/docker/DockerfileARMv7 b/release/docker/DockerfileARMv7 new file mode 100644 index 00000000..6e04b7ad --- /dev/null +++ b/release/docker/DockerfileARMv7 
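Review bot: Neither release/docker/Dockerfile nor release/docker/DockerfileARMv7 sets a `USER`, so the image config runs as root and the privilege drop depends entirely on docker-entrypoint.sh, which switches to the mitmproxy user only when the first argument is `mitmdump`, `mitmproxy` or `mitmweb`; any other command is exec'd as root. That looks deliberate (the entrypoint has to chown the volume before dropping privileges), but it should be written down next to the `ENTRYPOINT` line, e.g. `# No USER on purpose: docker-entrypoint.sh starts as root to chown the volume, then drops to the mitmproxy user via su-exec.` Since the new README states that release images are never rebuilt, it would also help to pin the base by digest, `FROM alpine:3.8@sha256:<digest-of-the-release-base>`, rather than by the floating `3.8` tag, so that a given release tag can be traced to one exact base.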
@@ -0,0 +1,45 @@
+FROM resin/raspberrypi3-alpine:3.7
+
+ENV LANG=en_US.UTF-8
+
+ARG WHEEL_MITMPROXY
+ARG WHEEL_BASENAME_MITMPROXY
+
+COPY $WHEEL_MITMPROXY /home/mitmproxy/
+
+RUN [ "cross-build-start" ]
+
+# Add our user first to make sure the ID get assigned consistently,
+# regardless of whatever dependencies get added.
+RUN addgroup -S mitmproxy && adduser -S -G mitmproxy mitmproxy \
+ && apk add --no-cache \
+ su-exec \
+ git \
+ g++ \
+ libffi \
+ libffi-dev \
+ libstdc++ \
+ openssl \
+ openssl-dev \
+ python3 \
+ python3-dev \
+ && python3 -m ensurepip \
+ && LDFLAGS=-L/lib pip3 install -U /home/mitmproxy/${WHEEL_BASENAME_MITMPROXY} \
+ && apk del --purge \
+ git \
+ g++ \
+ libffi-dev \
+ openssl-dev \
+ python3-dev \
+ && rm -rf ~/.cache/pip /home/mitmproxy/${WHEEL_BASENAME_MITMPROXY}
+
+RUN [ "cross-build-end" ]
+
+VOLUME /home/mitmproxy/.mitmproxy
+
+COPY release/docker/docker-entrypoint.sh /usr/local/bin/
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+EXPOSE 8080 8081
+
+CMD ["mitmproxy"]
diff --git a/release/docker/README.md b/release/docker/README.md
new file mode 100644
index 00000000..e7c9ab59
--- /dev/null
+++ b/release/docker/README.md
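Review bot: The ARMv7 image stays on `resin/raspberrypi3-alpine:3.7` while release/docker/Dockerfile moves from `alpine:3.7` to `alpine:3.8` in this same commit, so the two published variants of one release are built from different Alpine releases. If a 3.8 tag of the resin base exists (not visible from here), bump the `FROM` line to match; otherwise add a comment above it such as `# Base still on Alpine 3.7: update together with release/docker/Dockerfile once a newer tag is available.` The base bump is also not mentioned in the commit message, which only describes the security warning.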
@@ -0,0 +1,47 @@
+# mitmproxy
+
+Containerized version of [mitmproxy](https://mitmproxy.org/), an interactive SSL-capable intercepting HTTP proxy.
+
+# Usage
+
+```sh
+$ docker run --rm -it [-v ~/.mitmproxy:/home/mitmproxy/.mitmproxy] -p 8080:8080 mitmproxy/mitmproxy
+```
+The *volume mount* is optional: It's to store the generated CA certificates.
+
+Once started, mitmproxy listens as a HTTP proxy on `localhost:8080`:
+```sh
+$ http_proxy=http://localhost:8080/ curl http://example.com/
+$ https_proxy=http://localhost:8080/ curl -k https://example.com/
+```
+
+You can also start `mitmdump` by just adding that to the end of the command-line:
+```sh
+$ docker run --rm -it -p 8080:8080 mitmproxy/mitmproxy mitmdump
+```
+
+For `mitmweb`, you also need to expose port 8081:
+```sh
+# this makes :8081 accessible to the local machine only
+$ docker run --rm -it -p 8080:8080 -p 127.0.0.1:8081:8081 mitmproxy/mitmproxy mitmweb --web-iface 0.0.0.0
+```
+
+You can also pass options directly via the CLI:
+```sh
+$ docker run --rm -it -p 8080:8080 mitmproxy/mitmproxy mitmdump --set ssl_insecure=true
+```
+
+For further details, please consult the mitmproxy [documentation](http://docs.mitmproxy.org/en/stable/).
+
+# Tags
+
+The available release tags can be seen [here](https://hub.docker.com/r/mitmproxy/mitmproxy/tags/).
+
+* `master` always tracks the git-master branch and represents the unstable development tree.
+* `latest` always points to the same image as the most recent stable release, including bugfix releases (e.g., `4.0.0` and `4.0.1`).
+* `X.Y.Z` tags contain the mitmproxy release with this version number.
+ - All packages, dependencies, and the base image that were available at the time of the mitmproxy release.
+ - We DO NOT update these images! Use at your own risk!
+ - These images MIGHT BE affected by potential security issues!
+ - Security issues that were made public AFTER the release MIGHT affect these images!
+* `*-ARMv7` are images built for Raspbian / Raspberry Pi
diff --git a/release/docker/docker-entrypoint.sh b/release/docker/docker-entrypoint.sh
new file mode 100755
index 00000000..a4abe4ce
--- /dev/null
+++ b/release/docker/docker-entrypoint.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+MITMPROXY_PATH="/home/mitmproxy/.mitmproxy"
+
+if [[ "$1" = "mitmdump" || "$1" = "mitmproxy" || "$1" = "mitmweb" ]]; then
+ mkdir -p "$MITMPROXY_PATH"
+ chown -R mitmproxy:mitmproxy "$MITMPROXY_PATH"
+
+ su-exec mitmproxy "$@"
+else
+ exec "$@"
+fi
-- cgit v1.2.3
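Review bot: The privileged branch calls `su-exec mitmproxy "$@"` without `exec`, so the `/bin/sh` wrapper stays as PID 1 and the proxy runs as its child; the SIGTERM from `docker stop` is delivered to the shell rather than to mitmproxy, whereas the else branch already uses `exec "$@"`. Change the line to `exec su-exec mitmproxy "$@"`. The `[[ … ]]` test is also not POSIX under the `#!/bin/sh` shebang and works only as long as the image's shell accepts it; a `case "$1" in mitmdump|mitmproxy|mitmweb)` dispatch would be portable. The file is carried over unchanged from docker/docker-entrypoint.sh, so both points predate this commit.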