From de1fdaa2aab575dfefa5324a4bee6a9e5a28bf89 Mon Sep 17 00:00:00 2001
From: "rE-Bo0t.bx1" <54429050+r3bo0tbx1@users.noreply.github.com>
Date: Thu, 20 Nov 2025 21:26:06 +0800
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=20fix(security):=20compile=20lyreb?= =?UTF-8?q?ird=20from=20source=20to=20resolve=20Go=20runtime=20CVEs?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Implements multi-stage build in `Dockerfile` and `Dockerfile.edge` using `golang:1.24-alpine` to compile `lyrebird` from official source.
- Resolves high-severity vulnerabilities in `stdlib`, `crypto`, and `pion` by enforcing latest Go runtime and dependency updates (`go get -u`).
- Maintains minimal image footprint by discarding the build toolchain and copying only the stripped binary to the final Alpine image.
---
 Dockerfile | 25 +++++++++++++++++++++----
 Dockerfile.edge | 25 +++++++++++++++++++++++--
 2 files changed, 44 insertions(+), 6 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 29d5559..999e65d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,10 +1,24 @@
 # syntax=docker/dockerfile:1.20
 # ============================================================================
-# Tor Guard Relay - Ultra-optimized ~17.1 MB container
-# Base: Alpine 3.22.2 | Multi-arch: amd64, arm64
-# v1.1.1 - Busybox-only, 4 diagnostic tools, AIO multi-mode support
+# Builder Stage: Compile Lyrebird with latest Go to fix CVEs
 # ============================================================================
+FROM golang:1.24-alpine AS builder
+# Install git to fetch source
+RUN apk add --no-cache git
+
+# Build Lyrebird (obfs4) from official Tor Project repo
+# We use -ldflags="-s -w" to strip debug symbols and reduce binary size
+# We go get -u to update dependencies to fix CVEs in crypto/net/etc.
+WORKDIR /go/src/lyrebird
+RUN git clone https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird.git . \
+ && go get -u ./... \
+ && go mod tidy \
+ && CGO_ENABLED=0 go build -ldflags="-s -w" -o /usr/bin/lyrebird ./cmd/lyrebird
+
+# ============================================================================
+# Final Stage: Tor Guard Relay - Ultra-optimized ~17.1 MB container
+# ============================================================================
 
 FROM alpine:3.22.2
 
 ARG BUILD_DATE
@@ -27,11 +41,11 @@ LABEL maintainer="rE-Bo0t.bx1 " \
 
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 
+# Note: 'lyrebird' removed from apk add, we copy it from builder instead
 RUN set -eux \
 && apk add --no-cache \
 tor \
 tini \
- lyrebird \
 && mkdir -p /var/lib/tor /var/log/tor /run/tor /etc/tor \
 && chown -R tor:tor /var/lib/tor /var/log/tor /run/tor /etc/tor \
 && chmod 700 /var/lib/tor \
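Review bot: The builder stage at `RUN git clone … && go get -u ./...` pins nothing: the clone takes whatever the repository's default branch currently points at, and `go get -u` then moves every module to its newest release at build time, so two builds of this same commit can yield different lyrebird binaries and an unreviewed upstream push or module release lands straight in the relay image. Pin the source to a release tag and verify it, e.g. `git clone --depth 1 --branch <tag> https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird.git . && git rev-parse HEAD | grep -qx <expected-commit>`, and either keep upstream's go.sum or narrow the upgrade to the modules the advisories actually name (`go get golang.org/x/crypto@latest`) rather than the whole graph. `golang:1.24-alpine` is a floating tag as well; a digest pin (`golang:1.24-alpine@sha256:…`) makes the compiler part of the supply chain auditable, and `GOTOOLCHAIN=local` on the build line stops Go from downloading a newer toolchain at build time if lyrebird's go.mod ever asks for one. Adding `-trimpath` to `go build` keeps the `/go/src/lyrebird` paths out of the binary and moves it closer to reproducible.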
@@ -41,6 +55,9 @@ RUN set -eux \
 "${BUILD_VERSION:-unversioned}" "${BUILD_DATE:-unknown}" "${TARGETARCH:-amd64}" > /build-info.txt \
 && rm -rf /var/cache/apk/*
 
+# Copy compiled Lyrebird from builder stage
+COPY --from=builder /usr/bin/lyrebird /usr/bin/lyrebird
+
 COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 COPY healthcheck.sh /usr/local/bin/healthcheck.sh
 COPY tools/status /usr/local/bin/status
diff --git a/Dockerfile.edge b/Dockerfile.edge
index b1e5c82..ef9899a 100644
--- a/Dockerfile.edge
+++ b/Dockerfile.edge
@@ -1,4 +1,22 @@
 # syntax=docker/dockerfile:1.20
+# ============================================================================
+# Builder Stage: Compile Lyrebird with latest Go to fix CVEs
+# ============================================================================
+FROM golang:1.24-alpine AS builder
+
+# Install git to fetch source
+RUN apk add --no-cache git
+
+# Build Lyrebird (obfs4) from official Tor Project repo
+# 1. Clone official repo
+# 2. Update dependencies (go get -u) to fix crypto/net CVEs
+# 3. Build with stripped flags (-s -w) for minimal size
+WORKDIR /go/src/lyrebird
+RUN git clone https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird.git . \
+ && go get -u ./... \
+ && go mod tidy \
+ && CGO_ENABLED=0 go build -ldflags="-s -w" -o /usr/bin/lyrebird ./cmd/lyrebird
+
 # ============================================================================
 # Tor Guard Relay - EDGE variant (Alpine edge - bleeding edge)
 # Base: Alpine edge | Multi-arch: amd64, arm64
@@ -28,11 +46,11 @@ LABEL maintainer="rE-Bo0t.bx1 " \
 
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 
+# NOTE: 'lyrebird' removed from apk add list (we copy it from builder)
 RUN set -eux \
 && apk add --no-cache \
 tor \
 tini \
- lyrebird \
 && mkdir -p /var/lib/tor /var/log/tor /run/tor /etc/tor \
 && chown -R tor:tor /var/lib/tor /var/log/tor /run/tor /etc/tor \
 && chmod 700 /var/lib/tor \
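Review bot: With `COPY --from=builder /usr/bin/lyrebird /usr/bin/lyrebird` the binary no longer appears in apk's package database, so the image's own `/build-info.txt` and any apk-based vulnerability scan lose track of which lyrebird is actually shipped; the Go build info embedded in the binary should survive `-s -w` and let Go-aware scanners read module versions, but nothing in the image records the source commit or tag. Record it alongside the existing build metadata, for example by writing the cloned revision to a file in the builder and copying it next to the binary, or by adding it as an `org.opencontainers.image.*` label. Ownership and mode of the copied file are inherited from the builder stage; since this is the executable tor will spawn, make them explicit rather than implied: `COPY --from=builder --chown=root:root --chmod=0755 /usr/bin/lyrebird /usr/bin/lyrebird`.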
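Review bot: The builder stage added to `Dockerfile.edge` is a copy of the one in `Dockerfile` with only the comments differing, so the two will drift the first time one gets a version bump or a pin and the other does not; the same unpinned `git clone` of the default branch and blanket `go get -u ./...` apply here. Hoist the moving parts into build args declared before `FROM` so both files share one source of truth, e.g. `ARG GO_VERSION=1.24` / `FROM golang:${GO_VERSION}-alpine AS builder` and `ARG LYREBIRD_REF` consumed by `git clone --depth 1 --branch "${LYREBIRD_REF}"`, with CI passing the same values to both builds. The edge final stage that follows this hunk is on a rolling base, which makes a pinned, recorded lyrebird revision the only stable thing in the image worth asserting on.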
@@ -42,6 +60,9 @@ RUN set -eux \
 "${BUILD_VERSION:-unversioned}" "${BUILD_DATE:-unknown}" "${TARGETARCH:-amd64}" > /build-info.txt \
 && rm -rf /var/cache/apk/*
 
+# Copy compiled, secure Lyrebird binary from builder stage
+COPY --from=builder /usr/bin/lyrebird /usr/bin/lyrebird
+
 COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 COPY healthcheck.sh /usr/local/bin/healthcheck.sh
 COPY tools/status /usr/local/bin/status
@@ -83,4 +104,4 @@ HEALTHCHECK --interval=10m --timeout=15s --start-period=30s --retries=3 \
 CMD /usr/local/bin/healthcheck.sh
 
 ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/docker-entrypoint.sh"]
-CMD ["tor", "-f", "/etc/tor/torrc"]
+CMD ["tor", "-f", "/etc/tor/torrc"]
\ No newline at end of file
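Review bot: The comment `# Copy compiled, secure Lyrebird binary from builder stage` asserts a property the build does not check: nothing in either stage verifies the source revision, the module set or the resulting binary, so "secure" here only means "built with a newer toolchain today". Keep the comment factual and say what actually matters to the next maintainer, that the binary is statically linked and therefore independent of the edge base's musl: `# Lyrebird built from source in the builder stage (static, CGO_ENABLED=0): no libc dependency on the edge base`. The trailing `\ No newline at end of file` on the `CMD` line is unrelated churn; restoring the newline keeps the diff to the security change.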