Add a docker image and security notes

tweag · Jul 11, 2024 · c3af8d3 · c3af8d3
1 parent c3fb191
commit c3af8d3
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -57,6 +57,25 @@ cargo install --git https://github.com/tweag/genealogos.git genealogos-api
 
 The `frontend` feature is enabled by default, so once the api is running open `http://localhost:8000/` for the frontend.
 
+## Running as a Docker image
+
+Genealogos API and frontend can also be packaged into a Docker image.
+
+To get and run the image,
+
+```fish
+# Produce the image
+nix build github:tweag/genealogos#dockerImage
+
+# Load it into docker
+docker load -i=./result
+
+# Run the image
+# Note: --rm will wipe the nix store inside the container after it quits
+# The service will be available on port 8000
+docker run -it --rm -p 8000:8000 localhost/genealogos
+```
+
 ## Hacking
 ### Prerequisites
 Development of Genealogos requires Cargo, and some other dependencies.
@@ -211,6 +230,20 @@ This means some inputs can be missed, in particular those that are part of strin
 Additionally, Nixtract (through Genealogos) restarts nix for every SBOM component.
 When evaluation of your derivation takes a long time, this will result in very slow SBOM generation.
 
+### Security notes
+
+By its very nature, Genealogos API evaluates arbitrary Nix code provided by users.
+If you are planning to run it as a public service, make sure to properly secure the process and set up appropriate serivce management measures, taking into account:
+
+- Potential for Denial of Service attacks by any user, in particular
+   * Unlimited memory usage,
+   * Unlimited storage usage,
+   * Unlimited CPU time usage
+- Reliance on the assumption that Nix Flake evaluation is fully hermetic and pure, and thus safe
+- Reliance on the Nix sandbox to be secure and non-leaking
+
+As such, we recommend running any public Genealogos instance in some containerised setting, such as via the provided [Docker Image](#Running_as_a_Docker_image), and properly limiting the resources available to the container.
+
 ## License
 Distributed under the MIT License. See `LICENSE` for more information.
 

diff --git a/flake.nix b/flake.nix
@@ -28,9 +28,30 @@
         crane-outputs = import ./nix/crane.nix {
           inherit pkgs crane-lib nixtract-cli cyclonedx;
         };
+        tmp = pkgs.runCommand "tmp" { } ''
+          mkdir $out
+          mkdir -m 1777 $out/tmp
+        '';
+        dockerImage = pkgs.dockerTools.buildLayeredImageWithNixDb {
+          name = "genealogos";
+          tag = "latest";
+          contents = [ crane-outputs.packages.genealogos-api tmp ];
+          config = {
+            EntryPoint = [ "genealogos-api" ];
+            ExposedPorts."8000" = {};
+            Env = [
+              "ROCKET_ADDRESS=0.0.0.0"
+              "ROCKET_PORT=8000"
+              "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+            ];
+          };
+        };
       in
       rec {
-        inherit (crane-outputs) checks packages;
+        inherit (crane-outputs) checks;
+        packages = crane-outputs.packages // {
+          inherit dockerImage;
+        };
         overlays.default = import ./nix/overlays.nix {
           inherit crane-lib;
         };