Docker: Fix error upon running the container, Add Xauth settings, Add feature to load a host binary as read-only (#556)

ps 2018-06-29 21:16:51 +02:00 committed by xarkes
parent 1a0f307dcb
commit 1e6f8b923d
3 changed files with 41 additions and 32 deletions


@ -62,4 +62,4 @@ RUN chown -R r2:r2 /var/sharedFolder
RUN chown -R r2:r2 /home/r2/ RUN chown -R r2:r2 /home/r2/
USER r2 USER r2
ENTRYPOINT ["/bin/bash", "-c", "/opt/cutter/build/cutter"] ENTRYPOINT ["/opt/cutter/build/Cutter"]


@ -1,8 +1,15 @@
SHELL := /bin/bash SHELL := /bin/bash
# The directory of this file # The directory of this file
DIR := $(shell echo $(shell cd "$(shell dirname "${BASH_SOURCE[0]}" )" && pwd )) DIR := $(shell echo $(shell cd "$(shell dirname "${BASH_SOURCE[0]}" )" && pwd ))
# To mount a specific binary using BINARY=/absolute/path/to/binary
ifdef BINARY
MOUNTFLAGS += -v $(BINARY):/home/r2/$(shell basename $(BINARY)):ro
RUNFLAGS += /home/r2/$(shell basename $(BINARY))
endif
VERSION ?= latest VERSION ?= latest
IMAGE_NAME ?= radareorg/cutter IMAGE_NAME ?= radareorg/cutter
CONTAINER_NAME ?= cutter CONTAINER_NAME ?= cutter
@ -24,21 +31,31 @@ build-nc: ## Build the container without caching
sudo docker build --rm --no-cache -t $(IMAGE_NAME) . sudo docker build --rm --no-cache -t $(IMAGE_NAME) .
run: ## Run container run: ## Run container
XSOCK=/tmp/.X11-unix && \
XAUTH=$(shell mktemp /tmp/r2cutter_tmp.XXX.xauth) && \
xauth nlist $$DISPLAY | sed -e 's/^..../ffff/' | xauth -f $$XAUTH nmerge - && \
chmod 644 $$XAUTH && \
touch $(DIR)/radare2rc && \ touch $(DIR)/radare2rc && \
mkdir -p $(DIR)/r2-config && \ mkdir -p $(DIR)/r2-config && \
mkdir -p $(DIR)/sharedFolder && \ mkdir -p $(DIR)/sharedFolder && \
xhost +local:root && \
sudo docker run \ sudo docker run \
-it \ -it \
--name $(CONTAINER_NAME) \ --name $(CONTAINER_NAME) \
--cap-drop=ALL \ --cap-drop=ALL \
--cap-add=SYS_PTRACE \ --cap-add=SYS_PTRACE \
-e DISPLAY=$$DISPLAY \ -e DISPLAY=$$DISPLAY \
-v /tmp/.X11-unix:/tmp/.X11-unix:ro \ -e XAUTHORITY=$$XAUTH \
-v $$XSOCK:$$XSOCK:ro \
-v $$XAUTH:$$XAUTH \
$(MOUNTFLAGS) \
-v $(DIR)/sharedFolder:/var/sharedFolder \ -v $(DIR)/sharedFolder:/var/sharedFolder \
-v $(DIR)/radare2rc:/home/r2/.radare2rc \ -v $(DIR)/radare2rc:/home/r2/.radare2rc \
-v $(DIR)/r2-config:/home/r2/.config/radare2 \ -v $(DIR)/r2-config:/home/r2/.config/radare2 \
$(IMAGE_NAME):$(VERSION) $(IMAGE_NAME):$(VERSION) $(RUNFLAGS) && \
rm $$XAUTH
get: ## Get the latest Cutter image
sudo docker pull $(IMAGE_NAME):$(VERSION)
stop: ## Stop a running container stop: ## Stop a running container
sudo docker stop $(CONTAINER_NAME) sudo docker stop $(CONTAINER_NAME)
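Review bot: In the `run` recipe, `chmod 644 $$XAUTH` leaves the X authority cookie world-readable in `/tmp` for as long as the container runs, and because the `sed` step rewrites the family field to `ffff` the cookie is not tied to a hostname, so any local account that can read the file can use it against the display. The closing `rm $$XAUTH` sits at the end of the `&&` chain and is skipped whenever `docker run` fails or the container exits non-zero, which leaves the file behind; adding `trap 'rm -f "$$XAUTH"' EXIT && \` right after the `mktemp` line would remove it on every exit path. The cookie mount can also be read-only, `-v $$XAUTH:$$XAUTH:ro \`. The 644 mode is presumably there because the container's `r2` uid differs from the invoking user's (the uid is not visible in this section); if so, a tighter option is to keep mode 600 and align the two uids, or to create the file inside a private directory instead of directly in `/tmp`.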


@ -1,24 +1,16 @@
# Docker Configuration for Cutter # Docker Configuration for Cutter
These files provide an easy way to deploy *cutter* in a docker container. These files provide an easy way to deploy *Cutter* in a Docker container. After additional configuration you may want to apply to the `Makefile`, execute `make run`. By default, the *Cutter* image on [Docker Hub](https://hub.docker.com/r/radareorg/cutter/) will be used along with additional capability, X and mount settings:
You can use the pre-built image like: - Xauthority settings which avoid using potentially insecure `xhost` directives. The settings have been adapted from [this post](https://stackoverflow.com/questions/16296753/can-you-run-gui-apps-in-a-docker-container/25280523#25280523).
``` - Mount directives to mount a shared folder and radare2 configuration files.
touch $PWD/radare2rc && \ - Capability dropping to only use `SYS_PTRACE`.
mkdir -p $PWD/r2-config && \
mkdir -p $PWD/sharedFolder && \
xhost +local:root && \
sudo docker run \
-it \
--name cutter \
--cap-drop=ALL \
--cap-add=SYS_PTRACE \
-e DISPLAY=$DISPLAY \
-v /tmp/.X11-unix:/tmp/.X11-unix:ro \
-v $PWD/sharedFolder:/var/sharedFolder \
-v $PWD/radare2rc:/home/r2/.radare2rc \
-v $PWD/r2-config:/home/r2/.config/radare2 \
radareorg/cutter:latest
```
or by using the `Makefile` (after additional configuration to make it fit your needs) by executing `make build` and `make run`. ## Mounting and Using a Specific Binary
The `Makefile` allows mounting a single binary file as read-only, which will also be used as an input for *Cutter*. To use this feature, execute `make run BINARY=/absolote/path/to/binary`.
## Additional Notes
- The internal container user doesn't use superuser privileges and is called `r2`.
- To check for more options of the `Makefile`, execute `make`.