many changes

- trying hardened_malloc as default malloc
- removed advanced permission check, should be faster
- use commit instead of main branch

Dockerfile

@@ -1,7 +1,18 @@
+FROM alpine:3.13 as build-malloc
+
+ARG HARDENED_MALLOC_VERSION=7
+
+RUN apk -U upgrade && apk add build-base && cd /tmp \
+ && wget -q https://github.com/GrapheneOS/hardened_malloc/archive/refs/tags/${HARDENED_MALLOC_VERSION}.tar.gz \
+ && mkdir hardened_malloc && tar xf ${HARDENED_MALLOC_VERSION}.tar.gz -C hardened_malloc --strip-components 1 \
+ && cd hardened_malloc && make
+
 FROM ruby:2.7.3-alpine3.13
 
-ARG VERSION=main
-ARG REPOSITORY=tootsuite/mastodon
+COPY --from=build-malloc /tmp/hardened_malloc/libhardened_malloc.so /usr/local/lib/
+
+ARG MASTODON_VERSION=baed52c2a7d8f91bae3c69150005fc528387785c
+ARG MASTODON_REPOSITORY=tootsuite/mastodon
 ARG LIBICONV_VERSION=1.16
 ARG NODE_VERSION=14.16.1
 
@@ -12,13 +23,15 @@ ENV UID=991 GID=991 \
     RAILS_SERVE_STATIC_FILES=true \
     RAILS_ENV=production \
     NODE_ENV=production \
-    PATH="${PATH}:/opt/node/bin:/mastodon/bin"
+    PATH="${PATH}:/opt/node/bin:/mastodon/bin" \
+    LD_PRELOAD="/usr/local/lib/libhardened_malloc.so"
 
 WORKDIR /mastodon
 
 # Install dependencies
 RUN wget -q https://unofficial-builds.nodejs.org/download/release/v$NODE_VERSION/node-v$NODE_VERSION-linux-x64-musl.tar.xz \
  && mkdir /opt/node && tar -Jxf node-v$NODE_VERSION-linux-x64-musl.tar.xz -C /opt/node --strip-components 1 \
+ && rm node-v$NODE_VERSION-linux-x64-musl.tar.xz \
  && apk -U upgrade \
  && apk add \
     ca-certificates \
@@ -57,17 +70,18 @@ RUN wget -q https://unofficial-builds.nodejs.org/download/release/v$NODE_VERSION
 
 # Install GNU Libiconv
  && wget http://ftp.gnu.org/pub/gnu/libiconv/libiconv-${LIBICONV_VERSION}.tar.gz -O /tmp/libiconv-${LIBICONV_VERSION}.tar.gz \
- && mkdir /tmp/src && tar xzf /tmp/libiconv-${LIBICONV_VERSION}.tar.gz -C /tmp/src \
+ && mkdir /tmp/src && tar xzf /tmp/libiconv-${LIBICONV_VERSION}.tar.gz -C /tmp/src && rm /tmp/libiconv-${LIBICONV_VERSION}.tar.gz \
  && cd /tmp/src/libiconv-${LIBICONV_VERSION} \
  && ./configure --prefix=/usr/local \
  && make -j$(getconf _NPROCESSORS_ONLN) && make install && libtool --finish /usr/local/lib \
 
 # Install Mastodon
  && cd /mastodon \
- && wget -qO- https://github.com/${REPOSITORY}/archive/${VERSION}.tar.gz | tar xz --strip 1 \
+ && wget -qO- https://github.com/${MASTODON_REPOSITORY}/archive/${MASTODON_VERSION}.tar.gz | tar xz --strip 1 \
  && bundle config build.nokogiri --use-system-libraries --with-iconv-lib=/usr/local/lib --with-iconv-include=/usr/local/include \
- && bundle config set --local clean 'true' && bundle config set --local deployment 'true' && bundle config set --local without 'test development' \
- && bundle install -j$(getconf _NPROCESSORS_ONLN) --no-cache \
+ && bundle config set --local clean 'true' && bundle config set --local deployment 'true' \
+ && bundle config set --local without 'test development' && bundle config set no-cache 'true' \
+ && bundle install -j$(getconf _NPROCESSORS_ONLN) \
  && npm install -g yarn \
  && yarn install --pure-lockfile --ignore-engines \
 

README.md

@@ -13,7 +13,9 @@ As I said, I'll keep "maintaining" it for now (I always thought of my images as
 
 ___
 
-**Note (Apr. 2021)**: currently Mastodon "stable" can't be built beacause of some [yanked packages](https://github.com/tootsuite/mastodon/issues/15986). Not only that, but the streaming component refuses to work correctly with node v14. This is fixed in main.
+**Note (Apr. 2021)**:
+- Currently Mastodon "stable" can't be built beacause of some [yanked packages](https://github.com/tootsuite/mastodon/issues/15986). Not only that, but the streaming component refuses to work correctly with node v14. This is fixed in main.
+- This image is being reworked. Expect some changes, though I try not to break anything.
 
 #### Why this image?
 This image is not the official one. The main difference you can notice is that all processes (web, streaming, sidekiq) are running in a single container, thanks to s6 (a supervision suite). Therefore it's easier to deploy, but not recommended for scaling.

rootfs/usr/local/bin/run

@@ -1,12 +1,5 @@
 #!/bin/sh
 
-### 1. Adds local user (UID and GID are provided from environment variables).
-### 2. Moves precompiled assets into them.
-### 3. Updates permissions, except for ./public/system (should be chown on previous installations).
-###    NOTE : this can take a long time if overlay2 is the storage-driver (issue #3194).
-### 4. If $RUN_DB_MIGRATIONS is set to true, runs the database migrations task.
-### 5. Executes the command as that user.
-
 echo "
 ---------------------------------------------
      _____         _         _
@@ -16,7 +9,6 @@ echo "
 
 A GNU Social-compatible microblogging server
    https://github.com/tootsuite/mastodon
-    17j2g7vpgHhLuXhN4bueZFCvdxxieyRVWd
 ---------------------------------------------
 UID/GID settings
 ---------------------------------------------
@@ -36,7 +28,7 @@ addgroup -g ${GID} mastodon &>/dev/null
 adduser -h /mastodon -s /bin/sh -D -G mastodon -u ${UID} mastodon &>/dev/null
 
 echo "Updating permissions, this can take a while..."
-find /mastodon -path /mastodon/public/system -prune -o -not -user mastodon -not -group mastodon -print0 | xargs -0 chown -f mastodon:mastodon
+find /mastodon -path /mastodon/public/system -prune -o -print0 | xargs -0 chown -f mastodon:mastodon
 chown -R mastodon:mastodon /etc/s6.d
 
 if [ "$RUN_DB_MIGRATIONS" == "true" ]; then