Revert "Shrink uptermd Docker image by 5 MB, 20% (#225)"

owenthereal / upterm

Instant Terminal Sharing

https://upterm.dev

Apache License 2.0

809 stars 53 forks source link

Revert "Shrink uptermd Docker image by 5 MB, 20% (#225)" #228

Closed owenthereal closed 5 months ago

owenthereal commented 5 months ago

This reverts commit bb763d6cdd9e5b1da00ffe794c71b3dfe0422828.

@bcspragu I have to revert https://github.com/owenthereal/upterm/pull/225 because the production community server shares the same image and needs sh to compute fly.io node address at boot time: https://github.com/owenthereal/upterm/blob/2e48f7341cf51a291bb626ddfc70ae56da0b49d0/fly.toml#L11-L12. I think we might have to stick with the Alpine image or if you have a suggestion that a smaller image that has a shell in it.

bcspragu commented 5 months ago

Ah, apologies for breaking things! As for adding a shell to SCRATCH, I think that defeats most of the purpose (and some of the size benefits) of it. Some alternatives, from what I think are best to worst:

Add FLY_* "auto-detection" directly to uptermd. If FLY_ALLOC_ID and FLY_APP_NAME are set, use those variables
- Can optionally hide this behind a --autodetect-fly flag to make it opt-in
- I'm suggesting this because it looks like the only usage of sh here is variable substitution (and some string munging)
- Am also happy to do this work
Make a separate Docker image for Fly that includes a shell
- Makes sense if there's other sh usage in the Fly setup
Copy the shell over from the builder step
- This probably won't actually work, with dynamic libs and whatnot, and probably isn't a good approach.

Not having a shell is also a useful security invariant for some modalities of compromise, gives an attacker less of a toolkit for introspecting things.

owenthereal commented 5 months ago

I think the FLY_* shouldn't be built into uptermd because it's designed to be cloud agnostic. Making a separate Docker image for Fly is the way to go if we want to have a minimum image for self-hosting while keeping a shell for the fly.io deployment.

bcspragu commented 5 months ago

One more idea because I think even Fly users would benefit from the lack of shell: A small, auxiliary flycfg binary that does the "env lookup to uptermd flag" conversion. That way, Fly still has a separate, Fly-specific image, uptermd has no Fly-specific flags, and both images benefit from lack of shell for size + security

owenthereal commented 1 month ago

A small, auxiliary flycfg binary that does the "env lookup to uptermd flag" conversion. That way, Fly still has a separate, Fly-specific image, uptermd has no Fly-specific flags, and both images benefit from lack of shell for size + security

Thanks for the feedback. I created a binary uptermd-fly for this purpose and use Docker's build target for Fly's deployment: https://github.com/owenthereal/upterm/pull/261