childflow 0.4.0

A per-command-tree network sandbox for Linux
# Throwaway stage for the proxycheck helper: only the resulting binary is
# copied into the dev image, the Go toolchain never is.
FROM golang:1.25-bookworm AS proxycheck-builder

WORKDIR /src
# Just go.mod and a single source file are copied (no go.sum), so the
# module presumably depends on the standard library only -- any third-party
# import would need go.sum here as well.
COPY docker/dev/proxycheck/go.mod docker/dev/proxycheck/main.go ./
# No cgo -> fully static binary; -trimpath and -s -w drop build paths and
# symbol/debug tables from the artifact.
ENV CGO_ENABLED=0
RUN go build -trimpath -ldflags="-s -w" -o /out/proxycheck .

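# vhs (terminal recorder) is compiled in its own stage; only the binary is
# copied into the dev image.
FROM golang:1.25-bookworm AS vhs-builder

# Module version to install. The default keeps the previous behaviour of
# tracking the newest published version, which is not reproducible: two
# builds on different days can yield different binaries. Pin a tagged
# release (--build-arg VHS_VERSION=vX.Y.Z) for deterministic images.
# Note this only controls drift: `go install` verifies the module against
# the Go checksum database by default, so download integrity is covered
# either way.
ARG VHS_VERSION=latest

RUN go install "github.com/charmbracelet/vhs@${VHS_VERSION}"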

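# ttyd is consumed as a prebuilt GitHub release binary; fetch it in a
# throwaway stage so curl/ca-certificates do not end up in the dev image.
FROM debian:trixie-slim AS ttyd-fetch

ARG TTYD_VERSION=1.7.7
# Expected SHA-256 of the asset for the target architecture. When set, the
# download is verified and the build fails on mismatch. When empty, the
# build proceeds with only TLS protecting the download and prints a warning
# -- compute the digest once from a trusted copy and commit it (or pass
# --build-arg TTYD_SHA256=...) to close that gap.
ARG TTYD_SHA256=""
ARG TARGETARCH

RUN apt-get update \
    && apt-get install -y --no-install-recommends ca-certificates curl \
    && rm -rf /var/lib/apt/lists/*

# Map Docker's TARGETARCH onto the upstream asset names. "arm" covers every
# 32-bit ARM variant (TARGETVARIANT v6/v7 alike); only the hard-float
# (armhf) build is fetched, matching the original selection -- confirm that
# is what an armv6 host should get.
# The binary is staged under /tmp and installed only after the (optional)
# digest check passes.
RUN set -e; \
    case "${TARGETARCH:-}" in \
        "arm64") asset="ttyd.aarch64" ;; \
        "amd64") asset="ttyd.x86_64" ;; \
        "386") asset="ttyd.i686" ;; \
        "arm") asset="ttyd.armhf" ;; \
        *) echo "unsupported TARGETARCH for ttyd: ${TARGETARCH:-}" >&2; exit 1 ;; \
    esac; \
    curl --proto '=https' --tlsv1.2 -fsSL \
        "https://github.com/tsl0922/ttyd/releases/download/${TTYD_VERSION}/${asset}" \
        -o /tmp/ttyd; \
    if [ -n "${TTYD_SHA256}" ]; then \
        echo "${TTYD_SHA256}  /tmp/ttyd" | sha256sum -c -; \
    else \
        echo "WARNING: TTYD_SHA256 not set; ttyd ${TTYD_VERSION} (${asset}) was downloaded without integrity verification" >&2; \
    fi; \
    install -m 0755 /tmp/ttyd /usr/local/bin/ttyd; \
    rm -f /tmp/ttyd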

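# Dev image. `rust:1` is a floating major tag: every rebuild picks up the
# newest 1.x toolchain, so the image is not reproducible across time. Pin a
# minor (rust:1.NN-trixie) or a digest if that matters for this repo.
FROM rust:1-trixie

RUN rustup component add clippy

# Network and namespace tooling the sandbox is exercised with. Installing
# iptables/tcpdump/ping does not grant the privileges they need at runtime:
# iptables requires CAP_NET_ADMIN and raw sockets CAP_NET_RAW in the
# container's bounding set, and `sudo` inside the container cannot add
# capabilities the runtime did not hand it. Start the container with the
# matching --cap-add flags (or equivalent) when those tools are needed.
# Package list is kept sorted; the leading clean only discards whatever
# apt state the base image shipped with before refreshing the index.
RUN apt-get clean \
    && rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/* \
    && apt-get update \
    && apt-get install -y --no-install-recommends \
        busybox-static \
        chromium \
        ffmpeg \
        iproute2 \
        iptables \
        iputils-ping \
        libcap2-bin \
        pkg-config \
        sudo \
        tcpdump \
        traceroute \
        uidmap \
    && setcap cap_net_raw=ep /usr/bin/ping \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*
# The file capability on ping lets the non-root user below ping without
# sudo; it only takes effect when CAP_NET_RAW is in the container's
# bounding set (Docker's default set includes it).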

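# Unprivileged dev user with a fixed UID/GID (1000), which on Linux hosts
# commonly matches the first desktop user so bind-mounted sources keep
# sane ownership. The subuid/subgid ranges (65536 ids starting at 100000)
# give the user a mapping for newuidmap/newgidmap from the uidmap package,
# i.e. unprivileged user namespaces.
# NOTE: the NOPASSWD:ALL rule means `USER childflow` later is a convenience
# default, not a privilege boundary -- anything running as childflow can
# become root inside the container. Fine for a throwaway dev image; do not
# reuse this stage as a runtime image.
# The drop-in is syntax-checked with visudo so a malformed file cannot
# silently disable sudo for the whole image.
RUN groupadd --gid 1000 childflow \
    && useradd --uid 1000 --gid 1000 --create-home --shell /bin/bash childflow \
    && usermod -aG sudo childflow \
    && printf 'childflow:100000:65536\n' >> /etc/subuid \
    && printf 'childflow:100000:65536\n' >> /etc/subgid \
    && printf 'childflow ALL=(ALL) NOPASSWD:ALL\n' >/etc/sudoers.d/childflow \
    && chmod 0440 /etc/sudoers.d/childflow \
    && visudo -c -f /etc/sudoers.d/childflow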

# Pull the prebuilt helpers out of their build stages; nothing else from
# those stages (toolchains, curl) reaches this image.
COPY --from=proxycheck-builder /out/proxycheck /usr/local/bin/proxycheck
COPY --from=vhs-builder /go/bin/vhs /usr/local/bin/vhs
COPY --from=ttyd-fetch /usr/local/bin/ttyd /usr/local/bin/ttyd

WORKDIR /workspaces/childflow

# Cargo output goes under /tmp rather than the workspace, and freshly built
# binaries are placed at the very front of PATH (debug ahead of release),
# so a local build shadows any installed copy. CHROME_PATH is presumably
# read by vhs to locate the distro chromium -- confirm against its docs.
# ${PATH} here expands to the base image's PATH, exactly as the separate
# ENV instruction did.
ENV CARGO_TARGET_DIR=/tmp/childflow-target \
    PATH=/tmp/childflow-target/debug:/tmp/childflow-target/release:/usr/local/cargo/bin:${PATH} \
    CHROME_PATH=/usr/bin/chromium

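# Login shells (ssh, `su -`, IDE attach flows) rebuild PATH from
# /etc/profile, so the ENV values are re-exported from profile.d. The PATH
# edit is guarded: .profile and .bashrc both source this file, and a login
# shell -> .profile -> .bashrc chain (or nested shells) would otherwise keep
# prepending the same three directories.
# /tmp/childflow-target is pre-created owned by the dev user. Its parent
# /tmp is world-writable, and whoever creates the directory first controls
# binaries that sit at the very front of every user's PATH. This does not
# help if the runtime mounts a fresh tmpfs over /tmp, and it cannot stop
# code already running as childflow from planting binaries there -- that
# exposure is inherent to putting build output ahead of the system dirs.
RUN printf '%s\n' \
    'export CARGO_TARGET_DIR=/tmp/childflow-target' \
    'case ":$PATH:" in' \
    '    *":/tmp/childflow-target/debug:"*) ;;' \
    '    *) export PATH=/tmp/childflow-target/debug:/tmp/childflow-target/release:/usr/local/cargo/bin:$PATH ;;' \
    'esac' \
    >/etc/profile.d/childflow-path.sh \
    && chmod 0644 /etc/profile.d/childflow-path.sh \
    && printf '\nsource /etc/profile.d/childflow-path.sh\n' >> /home/childflow/.bashrc \
    && printf '\nsource /etc/profile.d/childflow-path.sh\n' >> /home/childflow/.profile \
    && chown childflow:childflow /home/childflow/.bashrc /home/childflow/.profile \
    && install -d -o childflow -g childflow -m 0755 /tmp/childflow-target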

# Drop to the dev user for interactive use. With the NOPASSWD sudo rule
# granted earlier this is a convenience default, not a sandbox boundary.
USER childflow

# Interactive shell by default. Exec form: bash is PID 1 and receives
# docker stop's signal directly rather than through /bin/sh -c.
CMD ["bash"]