-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathDockerfile-alpine
More file actions
74 lines (58 loc) · 2.79 KB
/
Dockerfile-alpine
File metadata and controls
74 lines (58 loc) · 2.79 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
# Do not use if you care about security (read comments)!
FROM alpine:latest
LABEL maintainer "publicarray"
LABEL description "chrony is a versatile implementation of the Network Time Protocol (NTP)"
ENV REVISION 0
ENV CHRONY_BUILD_DEPS make tar gcc musl-dev libcap-dev libseccomp-dev libedit-dev tzdata
# test with glibc ?
# ENV CHRONY_BUILD_DEPS make tar gcc libc-dev libcap-dev libseccomp-dev libedit-dev tzdata
RUN apk add --no-cache $CHRONY_BUILD_DEPS
# https://chrony.tuxfamily.org/news.html
ENV CHRONY_VERSION 3.5
ENV CHRONY_DOWNLOAD_URL "https://download.tuxfamily.org/chrony/chrony-${CHRONY_VERSION}.tar.gz"
ENV CHRONY_SHA256 4e02795b1260a4ec51e6ace84149036305cc9fc340e65edb9f8452aa611339b5
ENV TZDATA_VERSION 2018e
RUN set -x && \
mkdir -p /tmp && \
cd /tmp && \
wget -O chrony.tar.gz $CHRONY_DOWNLOAD_URL && \
echo "${CHRONY_SHA256} *chrony.tar.gz" | sha256sum -c - && \
tar xzf chrony.tar.gz && \
rm -f chrony.tar.gz && \
cd chrony-${CHRONY_VERSION} && \
./configure --enable-scfilter --with-user _chrony \
setenv CFLAGS "-O2 -flto -fPIE -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -Wformat -Werror=format-security" \
setenv LDFLAGS "-Wl,-z,now -Wl,-z,relro" && \
make && \
make quickcheck && \
make install
# update tzdata (doesn't work yet)
# RUN set -x && \
# wget -O tzdata.tar.gz "http://www.iana.org/time-zones/repository/releases/tzdata${TZDATA_VERSION}.tar.gz" && \
# tar xvf tzdata.tar.gz && \
# ls -l && \
# zic -y ./yearistype -d /usr/share/zoneinfo/right -L leapseconds etcetera systemv factory
#------------------------------------------------------------------------------#
FROM alpine:latest
ENV CHRONY_RUN_DEPS libcap libseccomp libedit tzdata
RUN apk add --no-cache $CHRONY_RUN_DEPS && mkdir -p /usr/share/zoneinfo/right
COPY --from=0 /usr/local/sbin/chronyd /usr/local/sbin/chronyd
COPY --from=0 /usr/local/bin/chronyc /usr/local/bin/chronyc
# COPY --from=0 /usr/share/zoneinfo/right/UTC /usr/share/zoneinfo/right/UTC
RUN set -x && \
addgroup -S _chrony && \
adduser -S -D -H -s /sbin/nologin -G _chrony -g _chrony _chrony && \
mkdir -p /var/lib/chrony && \
chown -R _chrony:_chrony /var/lib/chrony
# wget ftp://ftp.nist.gov/pub/time/leap-seconds.list -O /usr/share/zoneinfo/leap-seconds.list && \
# zic -L /usr/share/zoneinfo/leap-seconds.list
COPY chrony.conf /etc/chrony.conf
EXPOSE 123/udp
RUN chronyd --version
HEALTHCHECK --interval=60s --timeout=5s CMD chronyc tracking > /dev/null
ENTRYPOINT ["/usr/local/sbin/chronyd"]
CMD ["-d", "-F", "0"]
## libseccomp restrictions don't work, also no leap-seconds
# CMD ["-d", "-F", "1", "-s"]
## changing nice (process priority) is not permitted even with --cap-add SYS_NICE, same with locking process into RAM
# CMD ["-d", "-F", "1", "-s", "-m", "-P" "1"]