Some code refactoring for the dockerfiles.

[beardstack]

Improving the docker builds by removing bloat, removing extra RUN commands, unnecessary apps, passing chmod arguments to COPY/ADD directives directly instead of extra RUN 'chmod' commands and cleaning up repos resulting in a base image of 200MB image vs 274MB.

[jagerman]

Mostly minor things left as comments; the cleanup/refactoring here looks good to me overall. Thanks for your efforts, @beardstack !

[beardstack]

You're welcome. I'd like to help more on the docker side of things as I build my own systems. For now I'm trying to make it work with user namespaces but I'm having some trouble. I don't really like how the images is pancaked with a bunch of tools. It's best practice to separate apps in different containers and run containers separately (nginx, iptables, fail2ban, cron).

[majestrate]

You're welcome. I'd like to help more on the docker side of things as I build my own systems. For now I'm trying to make it work with user namespaces but I'm having some trouble. I don't really like how the images is pancaked with a bunch of tools. It's best practice to separate apps in different containers and run containers separately (nginx, iptables, fail2ban, cron).

iptables and fail2ban will break down given how lokinet would work in a docker setup. in general, i do not know what docker does with networking that allows fail2ban and iptables to continue working as intended but it likely would conflict with lokinet. this is a continual issue with docker, the way they do networking is blackbox from the perspective of layer 3 (it is "easier" for end users i hear but it has made my life harder)

[beardstack]

You're welcome. I'd like to help more on the docker side of things as I build my own systems. For now I'm trying to make it work with user namespaces but I'm having some trouble. I don't really like how the images is pancaked with a bunch of tools. It's best practice to separate apps in different containers and run containers separately (nginx, iptables, fail2ban, cron).

iptables and fail2ban will break down given how lokinet would work in a docker setup. in general, i do not know what docker does with networking that allows fail2ban and iptables to continue working as intended but it likely would conflict with lokinet. this is a continual issue with docker, the way they do networking is blackbox from the perspective of layer 3 (it is "easier" for end users i hear but it has made my life harder)

I definitely does make thing a bit "stranger" and more complicated until it's set up and working. I run my fail2ban containers externally from my services.. for instance typically by volume sharing/mounting log files. Benefits would really depend on the use case but generally it would allow a tighter and more granular security for the containers. In a way, since I run multiple services on a single host.it also simplifies management a fair bit.

services:
  fail2ban-ssh:
    cap_add:
    - NET_ADMIN
    - NET_RAW
    container_name: fail2ban_ssh
    environment:
      APP_SVC_NAME: fail2ban_ssh
      F2B_ACTION: '%(action_mwl)s'
      F2B_DB_PURGE_AGE: 3d
      F2B_DEST_EMAIL: ******
      F2B_IPTABLES_CHAIN: INPUT
      F2B_LOG_LEVEL: INFO
      F2B_LOG_TARGET: STDOUT
      F2B_MAX_RETRY: '4'
      F2B_SENDER: ******
      SSMTP_HOST: ***
      SSMTP_HOSTNAME: *****
      SSMTP_PASSWORD: *****
      SSMTP_PORT: '587'
      SSMTP_TLS: "YES"
      SSMTP_USER: *****
      TZ: America/Toronto
    image: crazymax/fail2ban:latest
    labels:
      com.centurylinklabs.watchtower.monitor-only: "true"
    network_mode: host
    restart: unless-stopped
    userns_mode: host
    volumes:
    - /docker-config-mount/sites/localhost/fail2ban/config/sshd:/data:rw
    - /var/log:/var/log:ro
    - /etc/localtime:/etc/localtime:ro
    - /usr/share/zoneinfo:/usr/share/zoneinfo:ro
    
  fail2ban-traefik:
    cap_add:
    - NET_ADMIN
    - NET_RAW
    container_name: fail2ban_traefik
    environment:
      APP_SVC_NAME: fail2ban_traefik
      F2B_ACTION: '%(action_mwl)s'
      F2B_DB_PURGE_AGE: 3d
      F2B_DEST_EMAIL: *****
      F2B_IPTABLES_CHAIN: DOCKER-USER
      F2B_LOG_LEVEL: INFO
      F2B_LOG_TARGET: STDOUT
      F2B_MAX_RETRY: '4'
      F2B_SENDER: *****
      SSMTP_HOST: *****
      SSMTP_HOSTNAME: *****
      SSMTP_PASSWORD: *****
      SSMTP_PORT: '587'
      SSMTP_TLS: "YES"
      SSMTP_USER: *****
      TZ: America/Toronto
    image: crazymax/fail2ban:latest
    labels:
      com.centurylinklabs.watchtower.monitor-only: "true"
    network_mode: host
    restart: unless-stopped
    userns_mode: host
    volumes:
    - /var/log:/var/log:ro
    - /docker-config-mount/sites/localhost/fail2ban/config/traefik:/data:rw
    - /etc/localtime:/etc/localtime:ro
    - /usr/share/zoneinfo:/usr/share/zoneinfo:ro
version: '3.2'

[beardstack]

No harm in using 755

[majestrate]

please make separate issues for each of these questions instead of in a git commit on a PR so they are tracked and we can close them as they get addressed.

[beardstack]

Sounds good! I figured out a number of things on my own but I'm not sure how to close the PR - Please do if you can.