busybox

[yoshuawuyts]

I was wondering how much sense it would make to have an official nodesource™ busybox™ secure container system™. It would be pretty rad if Nodesource supplied some kind of hyper-minimal node-only environment. No cpp, no bash, just node.

The reason I'm asking this is because I read that the Google uses busybox to run single golang binaries, and as a result didn't have to worry about shellshock. Using minimalistic containers apparently reduces your attack surface. Also with you guys building noda we could actually have single node binaries someday.

Do you think this be possible / doable / actually useful ? Thanks!

[retrohacker]

Hey @yoshuawuyts! I'm going to do some research into node&busybox before committing to this, but I like the idea!

[yoshuawuyts]

@wblankenship Thanks! That's all I can ask for. Really glad you like the idea!

[retrohacker]

So I've been looking into running node in busybox. I have gotten to the point of having a compiled excutable loaded into the box, but we are missing some shared libraries:

• libdl.so.2
• librt.so.1
• libstdc++.so.6
• libm.so.6
• libc.so.6

Screenshot of current state.

If/when we get the libraries into busybox, we will still need to put node through a series of stress tests to make sure it is stable in this environment.

[yoshuawuyts]

So cool!! Let me know if I can assist in anything concrete, I'd be happy to! :smile:

[retrohacker]

Sure thing! Will keep you posted.

Do you have any experience loading shared libraries into busybox?

[yoshuawuyts]

@wblankenship Thanks! Haha, to be fair I have no experience with loading shared libs. Is there maybe another part where I can assist? You mentioned stress testing earlier, what did you have in mind for that?

[retrohacker]

No worries! The stress tests will probably be running the new testing script for distributions repo. It currently has a few bugs to be worked out, could always take a look :smile:

https://github.com/nodesource/distributions/issues/25

This recommendation came from the referenced pull request. If you have a better approach, feel free to recommend it. Could also look at some of the tests being run for the io.js project.

[retrohacker]

Current status: libraries are being linked, but there is something weird with the libstdc++ library I'm linking against. Will have to shave that yak on a future date though, calling it a night.

[yoshuawuyts]

Nice progress! I'd like to take a shot at implementing the tests for busybox. Can I find the wip branch anywhere?

[retrohacker]

Awesomesauce, here is the current shell script I was working on: https://github.com/nodesource/distributions/blob/hardcore/test/hardcore

According to othiym we should:

1. clone npm
2. make install, which will install the devDependencies and build the docs
3. npm run-script test-all, which will run both the legacy tests (which pretty heavily exercise npm all on their own) and the tap tests
4. npm -g install yo generator-angular && mkdir angular-test-app && cd angular-test-app
5. yo angular, filling out the prompts

"If it can install and build an entire Angular-scaffolded app, it's probably good to go."

[retrohacker]

Current status: Even after getting the libraries into the container, I couldn't get them to load into memory. So it looks like we have to go the static route. I was able to get node v0.10.33 to compile as a static binary by manually implementing this pull request: https://github.com/joyent/node/pull/8274

node is now in the container and running. Going to work on moving everything around to the proper locations then will submit this as a pull request.

[retrohacker]

for reference

[retrohacker]

Just opened the https://github.com/nodesource/docker-node/tree/busybox branch.

Currently npm is having some problems connecting to the network, not sure what is going on. Also, the image size is now at 18.85MB.

[skozin]

@wblankenship, have you checked this repo: https://github.com/hwestphal/docker-nodebox?

The resulting image is quite tiny and uses official node and npm binaries, which are fully functional in that environment. Also, it comes with useful tools like opkg package manager (inherited from progrium/busybox base image), bash, git and curl.

It is really easy to modify that Dockerfile to suit one's needs. For example, this is Node v0.11.14 with NPM v2.0.0 and without bash/git (27 MB total):

FROM progrium/busybox
MAINTAINER Your Name <your.name@gmail.com>

RUN \
  opkg-install curl libstdcpp && \
  rm -f /lib/libpthread.so.0 && \
  ln -s /lib/libpthread-2.18.so /lib/libpthread.so.0 && \
  curl -s http://nodejs.org/dist/v0.11.14/node-v0.11.14-linux-x64.tar.gz | gunzip | tar -xf - -C /

ENV PATH /node-v0.11.14-linux-x64/bin:$PATH

BTW, yo angular fails with EACCESS because Yeoman uses root-check to gowngrade the permissions of its process and loses access to the filesystem.

[retrohacker]

@skozin

< :heart: >

I love his use of opkg to install these dependencies. All of my problems with static linking are fixed in one fell swoop here.

Thanks for the tip on yo angular, you rock sir!

</ :heart: >

[ciekawy]

@skozin actually changing from /lib64/libpthread-0.9.33.2.so to /lib64/libpthread-2.18.so breaks git executable. Actually it looks like some inconsistency in busybox openwrt repository since bothe libpthread packages are available there and after being installed one overrides another.

[skozin]

@ciekawy, that was one of the reasons I ended up packaging it using Alpine Linux. It has some issues too, but really very few compared to progrium/busybox.

@wblankenship, glad it helped =)

[ciekawy]

Unfortunately on Alpine Linux it is impossible to build phantomjs which is another must have for me

W dniu czwartek, 2 kwietnia 2015 Семён notifications@github.com napisał(a):

@ciekawy https://github.com/ciekawy, that was one of the reasons I ended up packaging it using Alpine Linux https://github.com/ficusio/docker-nodejs. It has some issues too, but really few compared to busybox.

— Reply to this email directly or view it on GitHub https://github.com/nodesource/docker-node-legacy/issues/14#issuecomment-88683577 .