From 7f9f6c328dbd3b688fbfbf5b37de99ff41df397b Mon Sep 17 00:00:00 2001
From: "rE-Bo0t.bx1" <54429050+r3bo0tbx1@users.noreply.github.com>
Date: Mon, 1 Dec 2025 01:40:01 +0800
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=8B=20fix(docker):=20enforce=20UID=201?= =?UTF-8?q?00=20for=20tor=20user=20to=20resolve=20permission=20conflicts?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Recent Alpine base images introduce a 'klogd' user at UID 100, which forced the 'tor' package to install as UID 101. This caused "Permission denied" errors for existing data volumes owned by UID 100. This fix:
- Removes the conflicting 'klogd' user
- Manually creates the 'tor' user with fixed UID 100 / GID 101
- Ensures compatibility with existing persistent volumes
---
 Dockerfile | 11 +++--------
 Dockerfile.edge | 9 +++------
 2 files changed, 6 insertions(+), 14 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index a95e388..633fcf3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,21 +4,14 @@
 # ============================================================================
 FROM golang:1.25-alpine AS builder
-# Install git to fetch source
 RUN apk add --no-cache git
-# Build Lyrebird (obfs4) from official Tor Project repo
-# We use -ldflags="-s -w" to strip debug symbols and reduce binary size
-# We go get -u to update dependencies to fix CVEs in crypto/net/etc.
 WORKDIR /go/src/lyrebird
 RUN git clone https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird.git . \
 && go get -u ./... \
 && go mod tidy \
 && CGO_ENABLED=0 go build -ldflags="-s -w" -o /usr/bin/lyrebird ./cmd/lyrebird
-# ============================================================================
-# Final Stage: Tor Guard Relay - Ultra-optimized ~16.8 MB container
-# ============================================================================
 FROM alpine:3.22.2
 ARG BUILD_DATE
@@ -43,6 +36,9 @@ SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 # Note: 'lyrebird' removed from apk add, copying it from builder instead
 RUN set -eux \
+ && deluser klogd || true \
+ && addgroup -g 101 -S tor \
+ && adduser -u 100 -S -D -H -h /var/lib/tor -G tor -s /sbin/nologin tor \
 && apk upgrade --no-cache \
 && apk add --no-cache \
 tor \
@@ -56,7 +52,6 @@ RUN set -eux \
 "${BUILD_VERSION:-unversioned}" "${BUILD_DATE:-unknown}" "${TARGETARCH:-amd64}" > /build-info.txt \
 && rm -rf /var/cache/apk/*
-# Copy compiled Lyrebird from builder stage
 COPY --from=builder /usr/bin/lyrebird /usr/bin/lyrebird
 COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
diff --git a/Dockerfile.edge b/Dockerfile.edge
index fcb06c0..7dc964a 100644
--- a/Dockerfile.edge
+++ b/Dockerfile.edge
@@ -4,13 +4,8 @@
 # ============================================================================
 FROM golang:1.25-alpine AS builder
-# Install git to fetch source
 RUN apk add --no-cache git
-# Build Lyrebird (obfs4) from official Tor Project repo
-# 1. Clone official repo
-# 2. Update dependencies (go get -u) to fix crypto/net CVEs
-# 3. Build with stripped flags (-s -w) for minimal size
 WORKDIR /go/src/lyrebird
 RUN git clone https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird.git . \
 && go get -u ./... \
@@ -48,6 +43,9 @@ SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 # NOTE: 'lyrebird' removed from apk add list (we copy it from builder instead)
 RUN set -eux \
+ && deluser klogd || true \
+ && addgroup -g 101 -S tor \
+ && adduser -u 100 -S -D -H -h /var/lib/tor -G tor -s /sbin/nologin tor \
 && apk upgrade --no-cache \
 && apk add --no-cache \
 tor \
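Review bot: Nothing after `apk add tor` in the `RUN` at `@@ -43,6 +36,9 @@` of Dockerfile asserts that `tor` still ends up as UID 100 / GID 101, so the pinning relies on the package's install script leaving the pre-created account alone (presumably it does; that script is not visible here). Because the existing volumes named in the commit message are matched by numeric owner, a check after the package list such as `&& [ "$(id -u tor):$(id -g tor)" = "100:101" ] \` would fail the build on drift instead of shipping an image that cannot read its data directory. `deluser klogd || true` also hides every failure of the removal, not only "no such user", and it is worth confirming the base image ships no files owned by the old UID 100, since those would now belong to `tor`. A comment such as `# Pin tor to UID 100/GID 101; newer Alpine bases give UID 100 to klogd` would keep the reason in the file rather than only in the commit message. The same three lines are added in the Dockerfile.edge hunk at `@@ -48,6 +43,9 @@`, and the `RUN` continues past the end of both hunks.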
@@ -61,7 +59,6 @@ RUN set -eux \
 "${BUILD_VERSION:-unversioned}" "${BUILD_DATE:-unknown}" "${TARGETARCH:-amd64}" > /build-info.txt \
 && rm -rf /var/cache/apk/*
-# Copy compiled, secure Lyrebird binary from builder stage
 COPY --from=builder /usr/bin/lyrebird /usr/bin/lyrebird
 COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh