add docker security warning

5 files changed, 148 insertions, 2 deletions

diff --git a/release/cibuild.py b/release/cibuild.py
index 6264c72b..ba17ced2 100755
--- a/release/cibuild.py
+++ b/release/cibuild.py
@@ -312,7 +312,7 @@ def build_docker_image(be: BuildEnviron, whl: str):  # pragma: no cover
         "--tag", be.docker_tag,
         "--build-arg", "WHEEL_MITMPROXY={}".format(whl),
         "--build-arg", "WHEEL_BASENAME_MITMPROXY={}".format(os.path.basename(whl)),
-        "--file", "docker/Dockerfile",
+        "--file", "release/docker/Dockerfile",
         "."
     ])
     subprocess.check_call([
@@ -321,7 +321,7 @@ def build_docker_image(be: BuildEnviron, whl: str):  # pragma: no cover
         "--tag", be.docker_tag + "-ARMv7",
         "--build-arg", "WHEEL_MITMPROXY={}".format(whl),
         "--build-arg", "WHEEL_BASENAME_MITMPROXY={}".format(os.path.basename(whl)),
-        "--file", "docker/DockerfileARMv7",
+        "--file", "release/docker/DockerfileARMv7",
         "."
     ])
 
diff --git a/release/docker/Dockerfile b/release/docker/Dockerfile
new file mode 100644
index 00000000..7c9a2421
--- /dev/null
+++ b/release/docker/Dockerfile
@@ -0,0 +1,41 @@
+FROM alpine:3.8
+
+ENV LANG=en_US.UTF-8
+
+ARG WHEEL_MITMPROXY
+ARG WHEEL_BASENAME_MITMPROXY
+
+COPY $WHEEL_MITMPROXY /home/mitmproxy/
+
+# Add our user first to make sure the ID get assigned consistently,
+# regardless of whatever dependencies get added.
+RUN addgroup -S mitmproxy && adduser -S -G mitmproxy mitmproxy \
+    && apk add --no-cache \
+        su-exec \
+        git \
+        g++ \
+        libffi \
+        libffi-dev \
+        libstdc++ \
+        openssl \
+        openssl-dev \
+        python3 \
+        python3-dev \
+    && python3 -m ensurepip \
+    && LDFLAGS=-L/lib pip3 install -U /home/mitmproxy/${WHEEL_BASENAME_MITMPROXY} \
+    && apk del --purge \
+        git \
+        g++ \
+        libffi-dev \
+        openssl-dev \
+        python3-dev \
+    && rm -rf ~/.cache/pip /home/mitmproxy/${WHEEL_BASENAME_MITMPROXY}
+
+VOLUME /home/mitmproxy/.mitmproxy
+
+COPY release/docker/docker-entrypoint.sh /usr/local/bin/
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+EXPOSE 8080 8081
+
+CMD ["mitmproxy"]
diff --git a/release/docker/DockerfileARMv7 b/release/docker/DockerfileARMv7
new file mode 100644
index 00000000..6e04b7ad
--- /dev/null
+++ b/release/docker/DockerfileARMv7
@@ -0,0 +1,45 @@
+FROM resin/raspberrypi3-alpine:3.7
+
+ENV LANG=en_US.UTF-8
+
+ARG WHEEL_MITMPROXY
+ARG WHEEL_BASENAME_MITMPROXY
+
+COPY $WHEEL_MITMPROXY /home/mitmproxy/
+
+RUN [ "cross-build-start" ]
+
+# Add our user first to make sure the ID get assigned consistently,
+# regardless of whatever dependencies get added.
+RUN addgroup -S mitmproxy && adduser -S -G mitmproxy mitmproxy \
+    && apk add --no-cache \
+        su-exec \
+        git \
+        g++ \
+        libffi \
+        libffi-dev \
+        libstdc++ \
+        openssl \
+        openssl-dev \
+        python3 \
+        python3-dev \
+    && python3 -m ensurepip \
+    && LDFLAGS=-L/lib pip3 install -U /home/mitmproxy/${WHEEL_BASENAME_MITMPROXY} \
+    && apk del --purge \
+        git \
+        g++ \
+        libffi-dev \
+        openssl-dev \
+        python3-dev \
+    && rm -rf ~/.cache/pip /home/mitmproxy/${WHEEL_BASENAME_MITMPROXY}
+
+RUN [ "cross-build-end" ]
+
+VOLUME /home/mitmproxy/.mitmproxy
+
+COPY release/docker/docker-entrypoint.sh /usr/local/bin/
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+EXPOSE 8080 8081
+
+CMD ["mitmproxy"]
diff --git a/release/docker/README.md b/release/docker/README.md
new file mode 100644
index 00000000..e7c9ab59
--- /dev/null
+++ b/release/docker/README.md
@@ -0,0 +1,47 @@
+# mitmproxy
+
+Containerized version of [mitmproxy](https://mitmproxy.org/), an interactive SSL-capable intercepting HTTP proxy.
+
+# Usage
+
+```sh
+$ docker run --rm -it [-v ~/.mitmproxy:/home/mitmproxy/.mitmproxy] -p 8080:8080 mitmproxy/mitmproxy
+```
+The *volume mount* is optional: It's to store the generated CA certificates.
+
+Once started, mitmproxy listens as a HTTP proxy on `localhost:8080`:
+```sh
+$ http_proxy=http://localhost:8080/ curl http://example.com/
+$ https_proxy=http://localhost:8080/ curl -k https://example.com/
+```
+
+You can also start `mitmdump` by just adding that to the end of the command-line:
+```sh
+$ docker run --rm -it -p 8080:8080 mitmproxy/mitmproxy mitmdump
+```
+
+For `mitmweb`, you also need to expose port 8081:
+```sh
+# this makes :8081 accessible to the local machine only
+$ docker run --rm -it -p 8080:8080 -p 127.0.0.1:8081:8081 mitmproxy/mitmproxy mitmweb --web-iface 0.0.0.0
+```
+
+You can also pass options directly via the CLI:
+```sh
+$ docker run --rm -it -p 8080:8080 mitmproxy/mitmproxy mitmdump --set ssl_insecure=true
+```
+
+For further details, please consult the mitmproxy [documentation](http://docs.mitmproxy.org/en/stable/).
+
+# Tags
+
+The available release tags can be seen [here](https://hub.docker.com/r/mitmproxy/mitmproxy/tags/).
+
+* `master` always tracks the git-master branch and represents the unstable development tree.
+* `latest` always points to the same image as the most recent stable release, including bugfix releases (e.g., `4.0.0` and `4.0.1`).
+* `X.Y.Z` tags contain the mitmproxy release with this version number.  
+  - All packages, dependencies, and the base image that were available at the time of the mitmproxy release.
+  - We DO NOT update these images! Use at your own risk!
+  - These images MIGHT BE affected by potential security issues!
+  - Security issues that were made public AFTER the release MIGHT affect these images!
+* `*-ARMv7` are images built for Raspbian / Raspberry Pi
diff --git a/release/docker/docker-entrypoint.sh b/release/docker/docker-entrypoint.sh
new file mode 100755
index 00000000..a4abe4ce
--- /dev/null
+++ b/release/docker/docker-entrypoint.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+MITMPROXY_PATH="/home/mitmproxy/.mitmproxy"
+
+if [[ "$1" = "mitmdump" || "$1" = "mitmproxy" || "$1" = "mitmweb" ]]; then
+        mkdir -p "$MITMPROXY_PATH"
+        chown -R mitmproxy:mitmproxy "$MITMPROXY_PATH"
+
+        su-exec mitmproxy "$@"
+else
+        exec "$@"
+fi