github.com/filecoin-project/bacalhau@v0.3.23-0.20230228154132-45c989550ace/pkg/executor/docker/gateway/Dockerfile

# Dockerfile for Bacalhau HTTP gateway
#
# This Dockerfile sets up a container image containing an HTTP(S) proxy with a
# specific allow-list of Internet domains that should be accessible. The proxy
# allows access to these domains only and blocks all other traffic. The
# container also enforces rate limits on the traffic.
#
# The container is designed to be attached to two networks:
#
# 1. A bridge connecting it to all containers taking part in the job, which is
#    internal only and not connected to the Internet
# 2. A host network that is Internet connected, which only the proxy can access
#
# This enforces that the containers in the bridge network can only access the
# external network via the proxy.
#
# The image uses Squid as an HTTP(S) proxy, iptables to filter packet flows and
# iproute2 to do traffic shaping. See the squid.conf for how the allow-lists are
# managed and gateway.sh for how the traffic control is configured.
#
# In particular, the image expects some environment variables to be supplied:
#
# - BACALHAU_HTTP_CLIENTS which is a JSON array of strings of subnets allowed to
#   access the gateway
# - BACALHAU_HTTP_DOMAINS which is a JSON array of strings of domains that
#   clients are allowed to access
# - BACALHAU_JOB_ID which contains the ID of the Bacalhau job being run
#
# The container needs to be started with --cap-add=NET_ADMIN so that it can
# configure iptables and traffic control.

FROM ubuntu:22.04
RUN apt update && apt install -y squid iptables iproute2 jq curl \
    && rm -rf /var/lib/apt/lists/*

ADD squid.conf /etc/squid/conf.d/
ADD gateway.sh /usr/local/bin
ADD health_check.sh /usr/local/bin

CMD ["bash", "/usr/local/bin/gateway.sh"]
HEALTHCHECK --interval=1s --start-period=5s CMD ["bash", "/usr/local/bin/health_check.sh"]
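The header above says the gateway turns the BACALHAU_HTTP_CLIENTS and BACALHAU_HTTP_DOMAINS JSON arrays into a Squid allow-list but does not show the squid.conf or gateway.sh that do it. The following is an added example, not Bacalhau's own code: a hypothetical generator that validates both arrays and emits a Squid ACL fragment that allows only the listed subnets to reach only the listed domains and fails closed on anything else (the ACL names `job_clients` and `job_domains` are this example's own choice).

```python
import ipaddress
import json
import os
import re

# Hostname labels, optionally with a leading dot (Squid dstdomain wildcard form).
_DOMAIN_RE = re.compile(r"^\.?(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def parse_json_list(raw: str, name: str) -> list:
    """Decode one env var; it must be a JSON array of non-empty strings."""
    try:
        value = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"{name}: not valid JSON ({exc.msg})") from None
    if not isinstance(value, list) or not all(isinstance(v, str) and v for v in value):
        raise ValueError(f"{name}: expected a JSON array of non-empty strings")
    return value


def squid_acl_fragment(clients_json: str, domains_json: str) -> str:
    """Build Squid ACL lines: listed subnets may reach listed domains, nothing else."""
    clients = parse_json_list(clients_json, "BACALHAU_HTTP_CLIENTS")
    domains = parse_json_list(domains_json, "BACALHAU_HTTP_DOMAINS")
    lines = []
    for subnet in clients:
        # strict=False normalises a host address with a prefix (10.0.0.5/24 -> 10.0.0.0/24);
        # anything that is not a subnet raises ValueError and aborts generation.
        net = ipaddress.ip_network(subnet, strict=False)
        lines.append(f"acl job_clients src {net.with_prefixlen}")
    for domain in domains:
        # Squid dstdomain: "example.com" is an exact match, ".example.com" also
        # matches every subdomain. Reject anything that is not a plain hostname.
        d = domain.lower().rstrip(".")
        if not _DOMAIN_RE.match(d):
            raise ValueError(f"BACALHAU_HTTP_DOMAINS: rejected {domain!r}")
        lines.append(f"acl job_domains dstdomain {d}")
    # An empty list would leave an ACL name undefined, so only emit the allow
    # rule when both sides are populated; the final deny is unconditional.
    if clients and domains:
        lines.append("http_access allow job_clients job_domains")
    lines.append("http_access deny all")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values standing in for the container's environment.
    print(squid_acl_fragment(
        os.environ.get("BACALHAU_HTTP_CLIENTS", '["172.20.0.0/16"]'),
        os.environ.get("BACALHAU_HTTP_DOMAINS", '["example.com", ".api.example.org"]'),
    ))
```

The fragment belongs after Squid's default ACL definitions; the ordering matters because Squid applies the first matching `http_access` line.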