README.md: 37 additions & 2 deletions
@@ -155,6 +155,41 @@ $ docker run v0.12.1-bitcore-3 https://github.com/bitpay/bitcoin ../bitcoin/cont
155
155
```
156
156
The Dockerfile is the key piece to audit here. Provided that you trust Docker to give you a legitimate copy of Ubuntu (the value of the FROM key in the Dockerfile), then the next step is making sure you agree with what the Dockerfile is doing.
157
157
158
-
##TODO What if the gitian-builder input script (see config script above) needs sudo access during its build process?
159
-
##TODO Offline builds
158
+
###What if gitian builder or the script located within the gitian config needs root access (sudo)?
159
+
Generally, it is a bad idea to give anyone outside the hypervisor itself root access in the linux container. But, if there is no other way, then you can add a file to /etc/sudoers.d directory. This is done by editing the Dockerfile and performing a rebuild of the docker image.
160
+
161
+
For example, if I need to allow a non-privileged user to cat any file on the system, then I would add 'cat' to the list commands available to the ubuntu user in the Dockerfile.
3. With the line: 'echo 'ubuntu ALL=(root) NOPASSWD:/usr/bin/apt-get,/shared/gitian-builder/target-bin/grab-packages.sh,/bin/cat' > /etc/sudoers.d/ubuntu && \'
166
+
4. Save the file and:
167
+
168
+
```bash
169
+
$ docker build -t builder .
170
+
```
171
+
172
+
##Offline builds
173
+
174
+
It is a good idea to perform your builds while your host operating system and container are off the network (Internet or otherwise). This is one less attack surface to expose. The strategy would be to gather all the required dependencies, remove any ethernet cables and turn off the wifi connection and begin the build process.
175
+
176
+
Step 1: build your docker image:
177
+
```bash
178
+
$ docker build -t builder .
179
+
```
180
+
181
+
Step 2: checkout bitcoin to the root of this project (where the Dockerfile is):
182
+
```bash
183
+
$ git clone https://github.com/bitpay/bitcoin
184
+
```
185
+
186
+
Step 3: disconnect wired and wireless network connections:
187
+
188
+
TODO what to do about gitian needing to run apt-get install for packages in gitian config
189
+
190
+
Step 4: run the container using bitcoin as shared volume:
191
+
```bash
192
+
$ docker run -v `pwd`/bitcoin:/shared/bitcoin builder
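Review bot: the sudoers entry added in this hunk (`echo 'ubuntu ALL=(root) NOPASSWD:/usr/bin/apt-get,/shared/gitian-builder/target-bin/grab-packages.sh,/bin/cat' > /etc/sudoers.d/ubuntu`) grants passwordless root for a script that lives under /shared, and the offline-build steps later in the same hunk mount a host directory under /shared; if the ubuntu user can write to that script, the NOPASSWD restriction is void, because whatever the script contains runs as root. Consider copying grab-packages.sh to a root-owned, non-writable path inside the image and listing that path instead, and validate the file in the same RUN step (`visudo -cf /etc/sudoers.d/ubuntu && chmod 0440 /etc/sudoers.d/ubuntu`) so a malformed entry fails the image build rather than breaking sudo at run time. Smaller points: the headings `###What if gitian builder ...` and `##Offline builds` need a space after the hashes to render as headings on GitHub; the numbered list in that section starts at "3." with no steps 1 and 2; and "Step 3" of the offline build leaves a TODO about gitian needing apt-get over the network, which contradicts the instruction to disconnect before building, so either the package fetch should move into the `docker build -t builder .` step before the network is dropped, or the text should state that the build is not yet fully offline.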