From a94d409f2b712fde25b4d0fc0d45cb15c802e325 Mon Sep 17 00:00:00 2001 From: "rE-Bo0t.bx1" <54429050+r3bo0tbx1@users.noreply.github.com> Date: Mon, 17 Nov 2025 22:38:30 +0800 Subject: [PATCH] =?UTF-8?q?feat(v1.1.2):=20Alpine=20edge=20variant,=20dual?= =?UTF-8?q?=20CI,=20GHCR=20edge=20builds=20=E2=9C=A8=F0=9F=9A=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Add Dockerfile.edge ๐Ÿš๐Ÿ”ง - Add stable and edge CI matrix ๐Ÿ”๐Ÿ“ฆ - GHCR edge-only deployment ๐ŸŸฃ๐Ÿ“ค - SBOMs for both variants ๐Ÿ“œ๐Ÿ” - Tests, screenshots, logo ๐Ÿงช๐Ÿ–ผ๏ธ - Update docs and PR template ๐Ÿ“ - Remove dependabot.yml ๐Ÿ—‘๏ธ --- .dockerignore | 1 + .github/workflows/release.yml | 182 ++++++++++++++++++++++--------- CHANGELOG.md | 60 +++++++++- Dockerfile.edge | 86 +++++++++++++++ README.md | 73 ++++++++++++- docs/DEPLOYMENT.md | 2 +- scripts/utilities/quick-start.sh | 4 +- 7 files changed, 343 insertions(+), 65 deletions(-) create mode 100644 Dockerfile.edge diff --git a/.dockerignore b/.dockerignore index 2f7005e..487cdda 100644 --- a/.dockerignore +++ b/.dockerignore @@ -43,6 +43,7 @@ __pycache__/ # Keep only files needed for building and running the image !Dockerfile +!Dockerfile.edge !tools/ !docker-entrypoint.sh !healthcheck.sh diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7bf9baa..1ea318b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -88,7 +88,7 @@ jobs: echo " ๐Ÿ”‘ SHA: ${{ steps.version.outputs.short_sha }}" build-and-push: - name: ๐Ÿ—๏ธ Multi-Arch Build and Push + name: ๐Ÿ—๏ธ Multi-Arch Build and Push (${{ matrix.variant.name }}) runs-on: ubuntu-latest needs: determine-version permissions: 
@@ -97,6 +97,22 @@ jobs: if: | github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' + strategy: + fail-fast: false + matrix: + variant: + - name: stable + dockerfile: Dockerfile + suffix: "" + is_latest: "true" + base: "Alpine 3.22.2" + push_dockerhub: "true" + - name: edge + dockerfile: Dockerfile.edge + suffix: "-edge" + is_latest: "false" + base: "Alpine edge" + push_dockerhub: "false" steps: - name: ๐Ÿ“ฅ Checkout Repository @@ -144,7 +160,7 @@ jobs: sudo apt-get update -qq && sudo apt-get install -y dos2unix echo "๐Ÿ“„ Processing main scripts..." - for script in docker-entrypoint.sh healthcheck.sh Dockerfile; do + for script in docker-entrypoint.sh healthcheck.sh Dockerfile Dockerfile.edge; do if [ -f "$script" ]; then dos2unix "$script" 2>/dev/null || true echo " โœ… Normalized: $script" @@ -169,6 +185,7 @@ jobs: echo "๐ŸŽ‰ Normalization complete" - name: ๐Ÿณ Login to Docker Hub + if: matrix.variant.push_dockerhub == 'true' uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} 
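Review bot: `base: "Alpine 3.22.2"` in the new matrix is free text that only feeds the image description label (see the labels hunk further down) and can silently drift from the real `FROM` pin in `Dockerfile`, which is not part of this diff, so published metadata may misreport the base on the next Alpine bump; either derive it from a single `ARG ALPINE_VERSION` used by both `FROM` and the label, or at least add `# keep in sync with FROM in Dockerfile` next to it. The `if: matrix.variant.push_dockerhub == 'true'` gate on the login step is the right way to keep the edge leg from ever receiving the Docker Hub credentials. Since this hunk already touches that credential-handling step, pinning `docker/login-action@v3` to a full commit SHA would close the remaining tag-mutability gap for the one action that sees registry secrets.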
@@ -194,51 +211,86 @@ jobs: run: | VERSION="${{ needs.determine-version.outputs.version }}" BUILD_TYPE="${{ needs.determine-version.outputs.build_type }}" - SHORT_SHA="${{ needs.determine-version.outputs.short_sha }}" + VARIANT_NAME="${{ matrix.variant.name }}" + SUFFIX="${{ matrix.variant.suffix }}" + IS_LATEST="${{ matrix.variant.is_latest }}" + PUSH_DOCKERHUB="${{ matrix.variant.push_dockerhub }}" + + echo "๐Ÿท๏ธ Generating tags for variant: ${VARIANT_NAME}" + echo " Version: ${VERSION}${SUFFIX}" + echo " Build Type: ${BUILD_TYPE}" + echo " Is Latest: ${IS_LATEST}" + echo " Push to Docker Hub: ${PUSH_DOCKERHUB}" + echo "" TAGS=() + # Always add GHCR versioned tag + TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:${VERSION}${SUFFIX}") + if [ "$BUILD_TYPE" = "release" ]; then - # New release: Update both :latest and version tags - TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:latest") - TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:${VERSION}") - TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:latest") - TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:${VERSION}") + # New release: Add special tags + if [ "$IS_LATEST" = "true" ]; then + # Stable variant gets :latest and :stable + TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:latest") + TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:stable") + else + # Edge variant gets :edge only + TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:edge") + fi + + # Add Docker Hub tags only for stable variant + if [ "$PUSH_DOCKERHUB" = "true" ]; then + TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:${VERSION}") + TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:latest") + TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:stable") + fi elif [ "$BUILD_TYPE" = "weekly" ]; then - # Weekly rebuild: Update version tag with fresh packages, keep :latest pointing to last release - TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:${VERSION}") - TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME 
}}:${VERSION}") - TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:latest") - TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:latest") - elif [ "$BUILD_TYPE" = "validated" ]; then - TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:${VERSION}-validated") - TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:${VERSION}-validated") + # Weekly rebuild: Update version tag with fresh packages + if [ "$IS_LATEST" = "true" ]; then + TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:latest") + TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:stable") + else + TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:edge") + fi + + if [ "$PUSH_DOCKERHUB" = "true" ]; then + TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:${VERSION}") + TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:latest") + TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:stable") + fi else - # Manual builds: version tag only - TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:${VERSION}") - TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:${VERSION}") + # Manual/validated builds: version tag only + if [ "$PUSH_DOCKERHUB" = "true" ]; then + TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:${VERSION}${SUFFIX}") + fi fi TAGS_STR=$(IFS=','; echo "${TAGS[*]}") echo "tags=${TAGS_STR}" >> "$GITHUB_OUTPUT" + echo "๐Ÿ“‹ Generated tags:" + for tag in "${TAGS[@]}"; do + echo " - ${tag}" + done + - name: ๐Ÿš€ Build and Push Multi-Arch Image uses: docker/build-push-action@v6 with: context: . 
- file: ./Dockerfile + file: ./${{ matrix.variant.dockerfile }} platforms: linux/amd64,linux/arm64 push: true tags: ${{ steps.tags.outputs.tags }} build-args: | BUILD_DATE=${{ needs.determine-version.outputs.build_date }} BUILD_VERSION=${{ needs.determine-version.outputs.version }} - cache-from: type=gha - cache-to: type=gha,mode=max + cache-from: type=gha,scope=${{ matrix.variant.name }} + cache-to: type=gha,mode=max,scope=${{ matrix.variant.name }} labels: | - org.opencontainers.image.title=Tor Guard Relay - org.opencontainers.image.description=Hardened Tor Guard Relay - org.opencontainers.image.version=${{ needs.determine-version.outputs.version }} + org.opencontainers.image.title=Tor Guard Relay (${{ matrix.variant.name }}) + org.opencontainers.image.description=Hardened Tor Guard Relay (${{ matrix.variant.base }}) + org.opencontainers.image.version=${{ needs.determine-version.outputs.version }}${{ matrix.variant.suffix }} org.opencontainers.image.created=${{ needs.determine-version.outputs.build_date }} org.opencontainers.image.revision=${{ github.sha }} org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }} 
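Review bot: The unconditional `TAGS+=(".../${{ env.GHCR_IMAGE_NAME }}:${VERSION}${SUFFIX}")` at the top combined with the new `else` branch means a `validated` build now overwrites the `:${VERSION}` tag on GHCR (and on Docker Hub for stable), where the removed code pushed to a distinct `:${VERSION}-validated` tag; with the weekly branch also rewriting it, `:1.1.2` is moved by release, weekly and validated builds alike, so operators who pin a version tag still get silently changed content. If the `-validated` distinction was intentional, keep it with `TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:${VERSION}-validated${SUFFIX}")`, and in any case give the build step an `id: build` and surface `${{ steps.build.outputs.digest }}` so the release can be pinned immutably. The matrix strings expanded into this `run:` block are repo-controlled constants, so the `${{ }}` interpolation inside shell is not an injection vector here. The step that owns this `run:` block starts before the hunk.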
@@ -257,52 +309,55 @@ jobs: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin VERSION="${{ needs.determine-version.outputs.version }}" - IMAGE="${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:${VERSION}" + SUFFIX="${{ matrix.variant.suffix }}" + VARIANT="${{ matrix.variant.name }}" + IMAGE="${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:${VERSION}${SUFFIX}" - echo "๐Ÿ“ฆ Generating SBOM for image: ${IMAGE}" + echo "๐Ÿ“ฆ Generating SBOM for ${VARIANT} variant" + echo " Image: ${IMAGE}" echo "" # Generate CycloneDX JSON echo "๐Ÿ“„ Generating CycloneDX JSON format..." - syft "${IMAGE}" -o cyclonedx-json > "sbom-cyclonedx-v${VERSION}.json" - echo " โœ… sbom-cyclonedx-v${VERSION}.json" + syft "${IMAGE}" -o cyclonedx-json > "sbom-${VARIANT}-cyclonedx-v${VERSION}.json" + echo " โœ… sbom-${VARIANT}-cyclonedx-v${VERSION}.json" # Generate CycloneDX XML echo "๐Ÿ“„ Generating CycloneDX XML format..." - syft "${IMAGE}" -o cyclonedx-xml > "sbom-cyclonedx-v${VERSION}.xml" - echo " โœ… sbom-cyclonedx-v${VERSION}.xml" + syft "${IMAGE}" -o cyclonedx-xml > "sbom-${VARIANT}-cyclonedx-v${VERSION}.xml" + echo " โœ… sbom-${VARIANT}-cyclonedx-v${VERSION}.xml" # Generate SPDX JSON echo "๐Ÿ“„ Generating SPDX JSON format..." - syft "${IMAGE}" -o spdx-json > "sbom-spdx-v${VERSION}.json" - echo " โœ… sbom-spdx-v${VERSION}.json" + syft "${IMAGE}" -o spdx-json > "sbom-${VARIANT}-spdx-v${VERSION}.json" + echo " โœ… sbom-${VARIANT}-spdx-v${VERSION}.json" # Generate SPDX tag-value echo "๐Ÿ“„ Generating SPDX tag-value format..." - syft "${IMAGE}" -o spdx-tag-value > "sbom-spdx-v${VERSION}.spdx" - echo " โœ… sbom-spdx-v${VERSION}.spdx" + syft "${IMAGE}" -o spdx-tag-value > "sbom-${VARIANT}-spdx-v${VERSION}.spdx" + echo " โœ… sbom-${VARIANT}-spdx-v${VERSION}.spdx" # Generate human-readable table echo "๐Ÿ“„ Generating human-readable table..." 
- syft "${IMAGE}" -o table > "sbom-table-v${VERSION}.txt" - echo " โœ… sbom-table-v${VERSION}.txt" + syft "${IMAGE}" -o table > "sbom-${VARIANT}-table-v${VERSION}.txt" + echo " โœ… sbom-${VARIANT}-table-v${VERSION}.txt" echo "" - echo "โœ… SBOM generation complete" + echo "โœ… SBOM generation complete for ${VARIANT} variant" echo "" echo "๐Ÿ“Š Package Statistics:" - jq '.components | length' "sbom-cyclonedx-v${VERSION}.json" | xargs echo " Total packages:" + jq '.components | length' "sbom-${VARIANT}-cyclonedx-v${VERSION}.json" | xargs echo " Total packages:" - name: ๐Ÿ“ค Upload SBOM Artifacts if: needs.determine-version.outputs.is_release == 'true' uses: actions/upload-artifact@v4 with: - name: sbom-v${{ needs.determine-version.outputs.version }} + name: sbom-${{ matrix.variant.name }}-v${{ needs.determine-version.outputs.version }} path: | - sbom-*.json - sbom-*.xml - sbom-*.spdx - sbom-*.txt + sbom-${{ matrix.variant.name }}-*.json + sbom-${{ matrix.variant.name }}-*.xml + sbom-${{ matrix.variant.name }}-*.spdx + sbom-${{ matrix.variant.name }}-*.txt retention-days: 90 release-notes: 
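Review bot: `IMAGE="${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:${VERSION}${SUFFIX}"` resolves the just-pushed image through a mutable tag, so the SBOM attached to the release describes whatever that tag points to when syft pulls it rather than provably the manifest this job built, and for a multi-arch tag syft will, to my understanding, inventory only one platform while the release ships amd64 and arm64. Give the build step an `id: build` and scan by digest, `IMAGE="${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}@${{ steps.build.outputs.digest }}"`, and either add a `--platform linux/arm64` pass or state the covered platform in the release notes. The unchanged `curl -sSfL .../syft/main/install.sh | sh` line above this hunk is itself unpinned; installing a fixed syft version with a checksum would keep the SBOM tool out of the supply-chain blast radius. The step's `run:` block begins before the hunk.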
@@ -385,23 +440,42 @@ jobs: echo "" >> release_notes.md echo "### ๐Ÿณ Docker Images" >> release_notes.md echo "" >> release_notes.md + echo "**Stable Variant (Recommended for Production)**" >> release_notes.md + echo "" >> release_notes.md + echo "- Base: Alpine 3.22.2" >> release_notes.md + echo "- Proven stability with weekly security updates" >> release_notes.md + echo "" >> release_notes.md echo "\`\`\`bash" >> release_notes.md echo "# From GitHub Container Registry (GHCR)" >> release_notes.md echo "docker pull ${GHCR_IMAGE}:${VERSION}" >> release_notes.md + echo "docker pull ${GHCR_IMAGE}:latest" >> release_notes.md echo "" >> release_notes.md echo "# From Docker Hub" >> release_notes.md echo "docker pull ${DOCKERHUB_IMAGE}:${VERSION}" >> release_notes.md + echo "docker pull ${DOCKERHUB_IMAGE}:latest" >> release_notes.md + echo "\`\`\`" >> release_notes.md + echo "" >> release_notes.md + echo "**Edge Variant (Testing Only)**" >> release_notes.md + echo "" >> release_notes.md + echo "- Base: Alpine edge (bleeding edge)" >> release_notes.md + echo "- โš ๏ธ **NOT recommended for production** - faster updates, less stable" >> release_notes.md + echo "- Available on GHCR only" >> release_notes.md + echo "" >> release_notes.md + echo "\`\`\`bash" >> release_notes.md + echo "# From GitHub Container Registry (GHCR)" >> release_notes.md + echo "docker pull ${GHCR_IMAGE}:${VERSION}-edge" >> release_notes.md + echo "docker pull ${GHCR_IMAGE}:edge" >> release_notes.md echo "\`\`\`" >> release_notes.md echo "" >> release_notes.md echo "### ๐Ÿ“‹ Software Bill of Materials (SBOM)" >> release_notes.md echo "" >> release_notes.md - echo "This release includes comprehensive SBOM files for supply chain security:" >> release_notes.md + echo "This release includes comprehensive SBOM files for **both variants** for supply chain security:" >> release_notes.md echo "" >> release_notes.md - echo "- **CycloneDX**: JSON and XML formats" >> release_notes.md - echo "- **SPDX**: JSON and 
tag-value formats" >> release_notes.md - echo "- **Human-readable**: Table format" >> release_notes.md + echo "- **CycloneDX**: JSON and XML formats (stable + edge)" >> release_notes.md + echo "- **SPDX**: JSON and tag-value formats (stable + edge)" >> release_notes.md + echo "- **Human-readable**: Table format (stable + edge)" >> release_notes.md echo "" >> release_notes.md - echo "Download SBOM files from the release assets below." >> release_notes.md + echo "Download SBOM files from the release assets below (prefixed with \`stable-\` or \`edge-\`)." >> release_notes.md echo "" >> release_notes.md echo "---" >> release_notes.md echo "" >> release_notes.md @@ -410,10 +484,16 @@ jobs: echo "" echo "โœ… Release notes generation complete" - - name: ๐Ÿ“ฆ Download SBOM Artifacts + - name: ๐Ÿ“ฆ Download SBOM Artifacts (Stable) uses: actions/download-artifact@v4 with: - name: sbom-v${{ needs.determine-version.outputs.version }} + name: sbom-stable-v${{ needs.determine-version.outputs.version }} + path: ./sbom + + - name: ๐Ÿ“ฆ Download SBOM Artifacts (Edge) + uses: actions/download-artifact@v4 + with: + name: sbom-edge-v${{ needs.determine-version.outputs.version }} path: ./sbom - name: ๐Ÿท๏ธ Create GitHub Release diff --git a/CHANGELOG.md b/CHANGELOG.md index b31267e..4771dc3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
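Review bot: The new sentence tells readers the SBOM assets are "prefixed with `stable-` or `edge-`", but the generation step names them `sbom-stable-…` / `sbom-edge-…`, so the instruction does not match the files; change it to `(named \`sbom-stable-*\` or \`sbom-edge-*\`)`. `Base: Alpine 3.22.2` is hard-coded here a second time, separately from the matrix `base:` value, leaving two places to forget on the next Alpine bump. The notes also list only mutable tags (`:latest`, `:${VERSION}`, `:edge`) that the weekly rebuild moves; printing the pushed manifest digest alongside them would give operators something immutable to pin. The `run:` block that writes `release_notes.md` starts before this hunk.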
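Review bot: The new `Download SBOM Artifacts (Edge)` step has no `continue-on-error`, so a missing edge artifact (edge SBOM generation failed or the edge leg did not run) fails this job and blocks publishing the stable release that the edge variant is explicitly not meant to gate. Whether that can actually happen depends on this job's `needs`/`if`, which are outside the hunk, but `continue-on-error: true` on the edge download keeps "testing only" from becoming a release blocker. Both downloads share `path: ./sbom`, which is collision-free only because the variant name is embedded in every file name; a one-line comment saying so would spare the next reader the check.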
@@ -16,6 +16,55 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 --- +## [1.1.2] - 2025-11-17 + +Add Alpine edge variant with dual-track build strategy ๐Ÿ—๏ธโœ… - ๐ŸŸข/โš ๏ธ + +### โœจ Features + +- Add Dockerfile.edge for bleeding-edge Alpine builds +- Implement dual-track CI/CD strategy (stable + edge variants) +- Configure GHCR-only deployment for edge variant (prevents production use) +- Add separate SBOM generation for both variants +- Skip Docker Hub login for edge builds to optimize workflow + +### ๐Ÿ“š Documentation + +- Enhance comprehensive testing scripts documentation + - Document quick-test.sh for ENV compatibility validation + - Add test-build-v1.1.2.sh for local registry testing + - Document security-validation-tests.sh usage +- Add project screenshots (bootstrapping, bridge-line, relay-status, Cosmos dashboard) +- Add project logo (src/logo.png) +- Update FAQ.md with edge variant information +- Refine PR template with security considerations +- Update workflows documentation for dual-track strategy + +### ๐Ÿ” CI/CD Improvements + +- Extend release.yml with matrix strategy for stable/edge builds +- Add variant-specific tagging (:edge, :1.1.2-edge) +- Remove dependabot.yml (manual dependency management preferred) +- Enhance validate.yml with Trivy SARIF upload + +### ๐Ÿ—๏ธ Build Variants + +๐ŸŸข Stable (Production): +- Base: Alpine 3.22.2 +- Tags: :latest, :stable, :1.1.2 +- Registries: Docker Hub + GHCR +- Recommended for production relays + +โš ๏ธ Edge (Testing): +- Base: Alpine edge (bleeding edge) +- Tags: :edge, :1.1.2-edge +- Registries: GHCR only +- Latest Tor/obfs4 packages, NOT recommended for production + +BREAKING CHANGES: None + +--- + ## [1.1.1] - 2025-11-14 ### ๐Ÿš€ Major Release: Ultra-Optimized Build + Security Hardening + Configuration Enhancement 
@@ -323,7 +372,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## ๐Ÿ“Š Release Information * **๐ŸŽ‰ First Release:** v1.0.0 (November 1, 2025) -* **๐Ÿ“ฆ Current Stable:** v1.1.1 (November 13, 2025) +* **๐Ÿ“ฆ Current Stable:** v1.1.2 (November 17, 2025) * **๐Ÿ”— Latest Release:** [GitHub Releases](https://github.com/r3bo0tbx1/tor-guard-relay/releases/latest) * **๐Ÿณ Docker Images:** @@ -336,15 +385,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 | Version | Status | Support Level | | --------- | --------------------- | ------------------------------------------- | -| **1.1.1** | ๐ŸŸข ๐Ÿ›ก๏ธ **Active** | Full support (current stable) | -| **1.1.0** | ๐ŸŸก ๐Ÿ”ง **Maintenance** | Security + critical fixes only | -| **1.0.9** | ๐ŸŸ  โš ๏ธ **Legacy** | Security patches only โ€“ upgrade recommended | -| **1.0.8** | ๐Ÿ”ด โŒ **EOL** | No support โ€“ upgrade immediately | +| **1.1.2** | ๐ŸŸข ๐Ÿ›ก๏ธ **Active** | Full support (current stable) | +| **1.1.1** | ๐ŸŸก ๐Ÿ”ง **Maintenance** | Security + critical fixes only | +| **1.0.8** | ๐ŸŸ  โš ๏ธ **Legacy** | Security patches only โ€“ upgrade recommended | +| **1.0.9** | ๐Ÿ”ด โŒ **EOL** | No support โ€“ upgrade immediately | --- ## ๐Ÿ”— Release Links +[1.1.2]: https://github.com/r3bo0tbx1/tor-guard-relay/releases/tag/v1.1.2 [1.1.1]: https://github.com/r3bo0tbx1/tor-guard-relay/releases/tag/v1.1.1 [1.1.0]: https://github.com/r3bo0tbx1/tor-guard-relay/releases/tag/v1.1.0 [1.0.9]: https://github.com/r3bo0tbx1/tor-guard-relay/releases/tag/v1.0.9 diff --git a/Dockerfile.edge b/Dockerfile.edge new file mode 100644 index 0000000..b1e5c82 --- /dev/null +++ b/Dockerfile.edge 
@@ -0,0 +1,86 @@
+# syntax=docker/dockerfile:1.20
+# ============================================================================
+# Tor Guard Relay - EDGE variant (Alpine edge - bleeding edge)
+# Base: Alpine edge | Multi-arch: amd64, arm64
+# โš ๏ธ WARNING: Uses Alpine edge - faster updates, less stable
+# โš ๏ธ NOT RECOMMENDED for production relays - use for testing only
+# ============================================================================
+
+FROM alpine:edge
+
+ARG BUILD_DATE
+ARG BUILD_VERSION
+ARG TARGETARCH
+
+LABEL maintainer="rE-Bo0t.bx1 " \
+ org.opencontainers.image.title="Tor Guard Relay (Edge)" \
+ org.opencontainers.image.description="๐Ÿง… Alpine Edge Tor Relay (TESTING ONLY - Bleeding Edge Updates)" \
+ org.opencontainers.image.version="${BUILD_VERSION}-edge" \
+ org.opencontainers.image.created="${BUILD_DATE}" \
+ org.opencontainers.image.source="https://github.com/r3bo0tbx1/tor-guard-relay" \
+ org.opencontainers.image.documentation="https://github.com/r3bo0tbx1/tor-guard-relay#readme" \
+ org.opencontainers.image.licenses="MIT" \
+ org.opencontainers.image.vendor="r3bo0tbx1" \
+ org.opencontainers.image.authors="rE-Bo0t.bx1 " \
+ org.opencontainers.image.url="https://github.com/r3bo0tbx1/tor-guard-relay" \
+ org.opencontainers.image.base.name="docker.io/library/alpine:edge" \
+ org.opencontainers.image.revision="${TARGETARCH}"
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+RUN set -eux \
+ && apk add --no-cache \
+ tor \
+ tini \
+ lyrebird \
+ && mkdir -p /var/lib/tor /var/log/tor /run/tor /etc/tor \
+ && chown -R tor:tor /var/lib/tor /var/log/tor /run/tor /etc/tor \
+ && chmod 700 /var/lib/tor \
+ && chmod 755 /var/log/tor /run/tor /etc/tor \
+ && rm -f /etc/tor/torrc \
+ && printf "Version: %s-edge\nBuild Date: %s\nArchitecture: %s\nBase: Alpine edge (bleeding edge)\n" \
+ "${BUILD_VERSION:-unversioned}" "${BUILD_DATE:-unknown}" "${TARGETARCH:-amd64}" > /build-info.txt \
+ && rm -rf /var/cache/apk/*
+
+COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+COPY healthcheck.sh /usr/local/bin/healthcheck.sh
+COPY tools/status /usr/local/bin/status
+COPY tools/health /usr/local/bin/health
+COPY tools/fingerprint /usr/local/bin/fingerprint
+COPY tools/bridge-line /usr/local/bin/bridge-line
+
+RUN set -eux \
+ && chmod +x /usr/local/bin/docker-entrypoint.sh \
+ /usr/local/bin/healthcheck.sh \
+ /usr/local/bin/status \
+ /usr/local/bin/health \
+ /usr/local/bin/fingerprint \
+ /usr/local/bin/bridge-line \
+ && echo "๐Ÿงฉ Registered diagnostic tools:" \
+ && ls -lh /usr/local/bin/status /usr/local/bin/health /usr/local/bin/fingerprint /usr/local/bin/bridge-line
+
+ENV TOR_DATA_DIR=/var/lib/tor \
+ TOR_LOG_DIR=/var/log/tor \
+ TOR_CONFIG=/etc/tor/torrc \
+ TOR_RELAY_MODE=guard \
+ TOR_NICKNAME="" \
+ TOR_CONTACT_INFO="" \
+ TOR_ORPORT=9001 \
+ TOR_DIRPORT=9030 \
+ TOR_OBFS4_PORT=9002 \
+ TOR_BANDWIDTH_RATE="" \
+ TOR_BANDWIDTH_BURST="" \
+ TOR_EXIT_POLICY="" \
+ PATH="/usr/local/bin:$PATH"
+
+RUN rm -rf /usr/share/man /tmp/* /var/tmp/* /root/.cache/*
+
+USER tor
+
+EXPOSE 9001 9030 9002
+
+HEALTHCHECK --interval=10m --timeout=15s --start-period=30s --retries=3 \
+ CMD /usr/local/bin/healthcheck.sh
+
+ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/docker-entrypoint.sh"]
+CMD ["tor", "-f", "/etc/tor/torrc"]
diff --git a/README.md b/README.md
index a591d0a..e914ccc 100644
--- a/README.md
+++ b/README.md
@@ -140,6 +140,65 @@ docker logs -f tor-relay
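Review bot: `chown -R tor:tor ... /etc/tor` together with `chmod 755 /etc/tor`, `USER tor` and `CMD ["tor", "-f", "/etc/tor/torrc"]` leaves the relay's configuration directory writable by the unprivileged process that runs tor, so a compromised tor process could rewrite `/etc/tor/torrc` (exit policy, ports, contact info) and have the change survive a restart. This is presumably required because the entrypoint regenerates torrc at runtime (the `rm -f /etc/tor/torrc` hints at that); if so, consider writing the generated file under `/run/tor` or the data volume, pointing `TOR_CONFIG` and `CMD` there, and keeping `/etc/tor` root-owned and read-only. Separately, `org.opencontainers.image.revision="${TARGETARCH}"` misuses the revision label, which is meant to carry the VCS commit; the workflow already sets it to `${{ github.sha }}` and will override this value, so either feed it from an `ARG VCS_REF` or drop it from the Dockerfile.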
+
โ– ๐ŸŽฏ Choosing a Variant
+ +We offer **two build variants** to match your risk tolerance and requirements: + +### Stable Variant (Recommended) + +**Base:** Alpine 3.22.2 | **Recommended for:** Production relays + +- โœ… Battle-tested Alpine stable release +- โœ… Weekly automated rebuilds with latest security patches +- โœ… Proven stability for long-running relays +- โœ… Available on both **Docker Hub** and **GHCR** + +```bash +# Pull from Docker Hub (easiest) +docker pull r3bo0tbx1/onion-relay:latest +docker pull r3bo0tbx1/onion-relay:1.1.2 + +# Pull from GHCR +docker pull ghcr.io/r3bo0tbx1/onion-relay:latest +docker pull ghcr.io/r3bo0tbx1/onion-relay:stable +``` + +### Edge Variant (Testing Only) + +**Base:** Alpine edge | **Recommended for:** Testing, security research + +- โšก Bleeding-edge Alpine packages (faster security updates) +- โšก Latest Tor and obfs4 versions as soon as available +- โš ๏ธ **NOT recommended for production** - less stable, potential breaking changes +- โš ๏ธ Available **only on GHCR** (not Docker Hub) + +```bash +# Pull from GHCR only +docker pull ghcr.io/r3bo0tbx1/onion-relay:edge +docker pull ghcr.io/r3bo0tbx1/onion-relay:1.1.2-edge +``` + +**When to use edge:** +- ๐Ÿ”ฌ Testing new Tor features before stable release +- ๐Ÿ›ก๏ธ Security research requiring latest packages +- ๐Ÿงช Non-production test environments +- ๐Ÿš€ Early adopters willing to accept potential breakage + +**Stability comparison:** + +| Feature | Stable | Edge | +|---------|--------|------| +| Production ready | โœ… Yes | โŒ No | +| Breaking changes | โŒ Rare | โš ๏ธ Possible | +| Security updates | Weekly | Weekly (newer packages) | +| Package versions | Proven | Bleeding edge | +| Docker Hub | โœ… Yes | โŒ No | +| GHCR | โœ… Yes | โœ… Yes | + +> ๐Ÿ’ก **Our recommendation:** Use **stable** for production relays, **edge** only for testing or when you specifically need the latest package versions. + +
+
โ– ๐Ÿ—๏ธ Deployment Methods
Choose the method that fits your workflow. @@ -166,7 +225,7 @@ See [Deployment Guide](docs/DEPLOYMENT.md) for complete instructions.
โ– ๐Ÿ”ง Diagnostic Tools
-Version 1.1.1 includes four busybox-only tools. +Version >=v1.1.1 includes four busybox-only tools. | Tool | Purpose | Usage | |------|---------|--------| @@ -202,7 +261,7 @@ Example JSON:
โ– ๐Ÿ“Š Monitoring and Observability
-**v1.1.1 uses external monitoring** for minimal image size and maximum security. +**>=v1.1.1 uses external monitoring** for minimal image size and maximum security. ### JSON Health API @@ -289,7 +348,7 @@ STATUS=$(echo "$HEALTH" | jq -r '.status')
โ– ๐Ÿ“š Documentation
-**v1.1.1 includes comprehensive documentation** organized by topic: +**>=v1.1.1 includes comprehensive documentation** organized by topic: ### Getting Started - **[FAQ](docs/FAQ.md)** - โญ **NEW!** Frequently asked questions with factual answers @@ -659,8 +718,8 @@ Found a vulnerability? See our [Security Policy](SECURITY.md) for responsible di Images are automatically rebuilt weekly to include security patches: - **Schedule:** Every Sunday at 18:30 UTC - **Includes:** Latest Tor + Alpine updates -- **Strategy:** Overwrites last release version (e.g., `:1.1.1`) with updated packages -- **Tags Updated:** Both `:latest` and version tags (e.g., `:1.1.1`) +- **Strategy:** Overwrites last release version (e.g., `:1.1.2`) with updated packages +- **Tags Updated:** Both `:latest` and version tags (e.g., `:1.1.2`) - **Auto-published:** To Docker Hub and GitHub Container Registry
@@ -693,7 +752,7 @@ Images are automatically rebuilt weekly to include security patches: ![GitHub Repo stars](https://img.shields.io/github/stars/r3bo0tbx1/tor-guard-relay?style=for-the-badge) ![GitHub Issues](https://img.shields.io/github/issues/r3bo0tbx1/tor-guard-relay?style=for-the-badge) -**Current Version:** v1.1.1 โ€ข **Status:** Production Ready +**Current Version:** v1.1.2 โ€ข **Status:** Production Ready **Image Size:** 17.1 MB โ€ข **Rebuild:** Weekly **Registries:** Docker Hub โ€ข GHCR @@ -771,6 +830,8 @@ I use Arch btw ๐Ÿง *Protecting privacy, one relay at a time* ๐Ÿ”๐Ÿง…โœจ +โญ Star this repo if you find it useful! + ๐ŸŒ [Support Internet Freedom](https://donate.torproject.org/) ๐Ÿ“š [Documentation](docs/README.md) โฌ† [Back to top](#readme-top) diff --git a/docs/DEPLOYMENT.md b/docs/DEPLOYMENT.md index 7893be1..61a0947 100644 --- a/docs/DEPLOYMENT.md +++ b/docs/DEPLOYMENT.md @@ -1,4 +1,4 @@ -# ๐Ÿš€ Deployment Guide - Tor Guard Relay v1.1.1 +# ๐Ÿš€ Deployment Guide - Tor Guard Relay >=v1.1.1 Complete deployment instructions for guard, exit, and bridge relays across various hosting environments. diff --git a/scripts/utilities/quick-start.sh b/scripts/utilities/quick-start.sh index 3e9fea3..bd489e4 100644 --- a/scripts/utilities/quick-start.sh +++ b/scripts/utilities/quick-start.sh @@ -391,7 +391,7 @@ EOF cat >> /tmp/tor-relay-run.sh << EOF -v tor-${RELAY_MODE}-data:/var/lib/tor \\ -v tor-${RELAY_MODE}-logs:/var/log/tor \\ - r3bo0tbx1/onion-relay:latest + ghcr.io/r3bo0tbx1/onion-relay:latest # Wait for container to start sleep 5 @@ -441,7 +441,7 @@ version: '3.8' services: tor-${RELAY_MODE}: - image: r3bo0tbx1/onion-relay:latest + image: ghcr.io/r3bo0tbx1/onion-relay:latest container_name: tor-${RELAY_MODE} restart: unless-stopped network_mode: host
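Review bot: Both generated artifacts now reference `ghcr.io/r3bo0tbx1/onion-relay:latest`, a tag this repository's own release workflow moves on every release and weekly rebuild, so a relay operator's next `docker compose pull` can silently switch them to a different image with no review step. Prefer a version tag or, better, a digest in the generated run script and compose file, e.g. `image: ghcr.io/r3bo0tbx1/onion-relay:1.1.2` or `image: ghcr.io/r3bo0tbx1/onion-relay@sha256:…`, so upgrades stay deliberate. The move from the Docker Hub image to GHCR is not mentioned in the commit message and deserves a CHANGELOG line, since existing users may have registry allow-lists. The unchanged `cat >> /tmp/tor-relay-run.sh << EOF` above builds an executable at a predictable path in a world-writable directory, which is worth revisiting (`mktemp`) even though it predates this change.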