From 6de94714530e0cdaa9df6d9fae0231d791ab4c87 Mon Sep 17 00:00:00 2001 From: Tommy Date: Sun, 4 Dec 2022 17:09:15 -0500 Subject: [PATCH] Add Mjolnir module and update workflow Signed-off-by: Tommy --- .github/workflows/build.yml | 10 +++++----- .github/workflows/scan.yml | 12 ++++++------ Dockerfile | 24 +++++++++++------------- LICENSE | 2 +- README.md | 12 +++++++----- 5 files changed, 30 insertions(+), 30 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b2c2b34..ea455aa 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,4 +1,4 @@ -name: build +name: Build on: workflow_dispatch: @@ -9,12 +9,12 @@ on: paths-ignore: - '**.md' schedule: - # Build the image regularly (each Friday) - - cron: '13 21 * * 5' + # Build the image regularly (each Saturday) + - cron: '0 22 * * 6' env: REGISTRY: ghcr.io - IMAGE_NAME: wonderfall/synapse + IMAGE_NAME: tommytran732/synapse jobs: build: @@ -75,4 +75,4 @@ jobs: run: cosign sign ${TAGS} env: COSIGN_EXPERIMENTAL: "true" - TAGS: ${{ steps.meta.outputs.tags }} + TAGS: ${{ steps.meta.outputs.tags }} \ No newline at end of file diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 56db9a2..a6e741b 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -1,14 +1,14 @@ -name: scan +name: Scan on: schedule: # Scan the image regularly (once a day) - - cron: '45 03 * * *' + - cron: '0 23 * * *' jobs: - build: + scan: name: Scan current image & report results - runs-on: "ubuntu-20.04" + runs-on: "ubuntu-latest" steps: - name: Checkout code uses: actions/checkout@v2 @@ -16,7 +16,7 @@ jobs: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: - image-ref: 'ghcr.io/wonderfall/synapse' + image-ref: 'ghcr.io/tommytran732/synapse' format: 'template' template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif' @@ -26,4 +26,4 @@ jobs: - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: 'trivy-results.sarif' + sarif_file: 'trivy-results.sarif' \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index da98eac..c04742e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,17 +1,15 @@ ARG SYNAPSE_VERSION=1.75.0 -ARG PYTHON_VERSION=3.11 -ARG ALPINE_VERSION=3.17 ARG HARDENED_MALLOC_VERSION=11 ARG UID=991 ARG GID=991 ### Build Hardened Malloc -FROM alpine:${ALPINE_VERSION} as build-malloc +FROM alpine:latest as build-malloc ARG HARDENED_MALLOC_VERSION ARG CONFIG_NATIVE=false -ARG VARIANT=light +ARG VARIANT=default RUN apk --no-cache add build-base git gnupg && cd /tmp \ && wget -q https://github.com/thestinger.gpg && gpg --import thestinger.gpg \ @@ -21,8 +19,7 @@ RUN apk --no-cache add build-base git gnupg && cd /tmp \ ### Build Synapse -ARG ALPINE_VERSION -FROM python:${PYTHON_VERSION}-alpine${ALPINE_VERSION} as builder +FROM python:alpine as builder ARG SYNAPSE_VERSION @@ -33,7 +30,7 @@ RUN apk -U upgrade \ libjpeg-turbo-dev \ libxslt-dev \ linux-headers \ - openssl-dev \ + openssl-dev \ postgresql-dev \ rustup \ zlib-dev \ @@ -44,10 +41,8 @@ RUN apk -U upgrade \ ### Build Production -ARG ALPINE_VERSION -ARG PYTHON_VERSION -FROM python:${PYTHON_VERSION}-alpine${ALPINE_VERSION} +FROM python:alpine ARG UID ARG GID @@ -64,17 +59,20 @@ RUN apk -U upgrade \ zlib \ tzdata \ xmlsec \ + git \ curl \ icu-libs \ && adduser -g ${GID} -u ${UID} --disabled-password --gecos "" synapse \ && rm -rf /var/cache/apk/* +RUN pip install --upgrade pip \ + && pip install -e "git+https://github.com/matrix-org/mjolnir.git#egg=mjolnir&subdirectory=synapse_antispam" -COPY --from=build-malloc /tmp/hardened_malloc/out-light/libhardened_malloc-light.so /usr/local/lib/ +COPY --from=build-malloc /tmp/hardened_malloc/out/libhardened_malloc.so /usr/local/lib/ COPY --from=builder /install /usr/local COPY --chown=synapse:synapse rootfs / -ENV LD_PRELOAD="/usr/local/lib/libhardened_malloc-light.so" +ENV LD_PRELOAD="/usr/local/lib/libhardened_malloc.so" USER synapse @@ -85,4 +83,4 @@ EXPOSE 8008/tcp 8009/tcp 8448/tcp ENTRYPOINT ["python3", "start.py"] HEALTHCHECK --start-period=5s --interval=15s --timeout=5s \ - CMD curl -fSs http://localhost:8008/health || exit 1 + CMD curl -fSs http://localhost:8008/health || exit 1 \ No newline at end of file diff --git a/LICENSE b/LICENSE index dca4a3a..7038eae 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2021 Wonderfall +Copyright (c) 2021 Wonderfall, Thien Tran Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README.md b/README.md index 8ea748f..8bd80af 100644 --- a/README.md +++ b/README.md @@ -1,17 +1,19 @@ -# wonderfall/synapse +# tommytran732/synapse -![Build, scan & push](https://github.com/wonderfall/docker-synapse/actions/workflows/build.yml/badge.svg) +![Build, scan & push](https://github.com/tommytran732/Synapse-Docker/actions/workflows/build.yml/badge.svg) [Synapse](https://github.com/matrix-org/synapse) is a [Matrix](https://matrix.org/) implementation written in Python. ### Notes -- Prebuilt images are available at `ghcr.io/wonderfall/synapse`. +- Prebuilt images are available at `ghcr.io/tommytran732/synapse` and `quay.io/tommytran732/synapse`. - Don't trust random images: build yourself if you can. -- Always keep your software up-to-date: manage versions with [build-time variables](https://github.com/Wonderfall/docker-synapse/blob/main/Dockerfile#L1-L6). -- Images from `ghcr.io` are built every week, and scanned every day for critical vulnerabilities. +- Always keep your software up-to-date: manage versions with [build-time variables](https://github.com/TommyTran732/Synapse-Docker/blob/main/Dockerfile#L1-L4). +- Images from `ghcr.io` are built every week and scanned every day for critical vulnerabilities with Trivy. I recommend that you use these images. +- Images from `quay.io` are built on every push event and scanned for vulnerabilities with Clair. ### Features & usage - Drop-in replacement for the [official image](https://github.com/matrix-org/synapse/tree/develop/docker). - Unprivileged image: you should check your volumes permissions (eg `/data`), default UID/GID is 991. - Based on [Alpine](https://alpinelinux.org/), which provides more recent packages while having less attack surface. - Comes with a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), protecting against some heap-based buffer overflows. +- [Mjolnir module](https://github.com/matrix-org/mjolnir/blob/main/docs/synapse_module.md) support. \ No newline at end of file