goose/recipe-scanner/Dockerfile


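FROM debian:bookworm-slim

# Base tooling for the recipe-scanner sandbox: monitoring/forensics tools
# (tcpdump, strace, inotify-tools, procps, iproute2, net-tools), ClamAV for
# malware scanning, general utilities, and the X11/xkb/GL shared libraries the
# Goose CLI needs. Packages are one per line and sorted for diffability.
# NOTE(review): versions are unpinned, so rebuilds are not reproducible; pin
# with `pkg=<version>` (hadolint DL3008) once a known-good set is established.
# NOTE(review): `sudo` is installed on purpose — the sudoers rule further down
# is what lets the non-root scanner user run the package managers as root.
# NOTE(review): libgl1-mesa-glx is a transitional package name that newer
# Debian releases have dropped in favour of libgl1 — confirm it still resolves
# on bookworm-slim.
# libcap2-bin provides `setcap`, which a later step applies to tcpdump; it is
# listed explicitly instead of relying on it arriving as a transitive
# dependency of another package.
RUN apt-get update && apt-get install -y --no-install-recommends \
      bash \
      bzip2 \
      ca-certificates \
      clamav \
      clamav-freshclam \
      coreutils \
      curl \
      git \
      gnupg \
      inotify-tools \
      iproute2 \
      jq \
      libcap2-bin \
      libgl1-mesa-glx \
      libxcb-render0 \
      libxcb-shape0 \
      libxcb-xfixes0 \
      libxcb1 \
      libxkbcommon0 \
      net-tools \
      procps \
      python3 \
      ripgrep \
      strace \
      sudo \
      tar \
      tcpdump \
    && rm -rf /var/lib/apt/lists/*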
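# The three installers below are fetched with curl and piped into a shell.
# Under the default /bin/sh the RUN step's status is that of the last command
# in the pipeline (the shell), not curl, so a failed download could go
# unnoticed; run the remaining RUN steps under bash with pipefail so a curl
# failure fails the build. (SHELL is also recorded in the image metadata; the
# exec-form ENTRYPOINT at the end of the file is unaffected by it.)
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Install Node.js 20 (LTS) and npm/npx via NodeSource.
# NOTE(review): setup_20.x is an unpinned script executed as root at build
# time; the nodejs version installed is whatever NodeSource currently serves.
# The `--version` calls double as a smoke test that the install succeeded.
RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
    && apt-get update && apt-get install -y --no-install-recommends nodejs \
    && npm --version && node --version && npx --version \
    && rm -rf /var/lib/apt/lists/*

# Install Astral uv (provides 'uv' and 'uvx'). The installer places the
# binaries under /root/.local/bin; they are copied to /usr/local/bin so the
# non-root scanner user can reach them. The `--version` calls verify the copy.
# NOTE(review): the installer is unpinned; https://astral.sh/uv/<version>/install.sh
# pins it to a specific release once one is chosen.
RUN curl -LsSf https://astral.sh/uv/install.sh | sh \
    && cp -f /root/.local/bin/uv /usr/local/bin/uv \
    && cp -f /root/.local/bin/uvx /usr/local/bin/uvx \
    && chmod +x /usr/local/bin/uv /usr/local/bin/uvx \
    && uv --version && uvx --version

# Pre-download and install the Goose CLI so a scan does not need network
# access to fetch it at runtime. CONFIGURE=false skips the interactive setup;
# GOOSE_BIN_DIR sets the install location. `goose --version` is run as its own
# step (not only inside the echo's command substitution, whose failure would
# not change echo's exit status) so a failed install fails the build.
# NOTE(review): the `stable` release tag is a moving target, not a pinned
# version.
RUN curl -fsSL https://github.com/block/goose/releases/download/stable/download_cli.sh | \
      CONFIGURE=false GOOSE_BIN_DIR=/usr/local/bin bash \
    && /usr/local/bin/goose --version \
    && echo "✅ Goose CLI pre-installed: $(/usr/local/bin/goose --version)"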
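# Allow the non-root 'scanner' user to run the package managers and download
# tools as root via sudo without a password.
# NOTE(review): this rule is not a privilege boundary — apt-get and dpkg run
# package maintainer scripts as root, so a process running as 'scanner' is
# effectively root-capable. Treat the container, not the USER switch, as the
# isolation boundary, and trim this list (or drop sudo) if the scan does not
# need root-equivalent access. /usr/bin/wget is listed but wget is not in the
# package list above.
# visudo -cf validates the drop-in's syntax so a typo fails the build instead
# of being silently ignored by sudo at runtime.
RUN echo "scanner ALL=(root) NOPASSWD: /usr/bin/apt, /usr/bin/apt-get, /usr/bin/dpkg, /usr/bin/curl, /usr/bin/wget" > /etc/sudoers.d/scanner \
    && chmod 0440 /etc/sudoers.d/scanner \
    && chown root:root /etc/sudoers.d/scanner \
    && visudo -cf /etc/sudoers.d/scanner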
# Write a minimal freshclam configuration (overwriting whatever the Debian
# package shipped, presumably): database location, log file, verbose logging,
# and the official mirror. The log directory is created and both the database
# and log directories are handed to the clamav user (created by the clamav
# package; presumably the user freshclam drops to — confirm).
RUN mkdir -p /etc/clamav /var/log/clamav \
    && printf '%s\n' \
         "DatabaseDirectory /var/lib/clamav" \
         "UpdateLogFile /var/log/clamav/freshclam.log" \
         "LogVerbose yes" \
         "DatabaseMirror database.clamav.net" \
         > /etc/clamav/freshclam.conf \
    && chown -R clamav:clamav /var/lib/clamav /var/log/clamav
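# Pre-fetch ClamAV virus definitions into the image so a scan can run without
# fetching them first. freshclam is allowed to fail (no network at build time,
# mirror rate limiting, ...) because the image should still build; the failure
# is reported on stderr rather than silently swallowed. The definitions are
# only as fresh as the image build, so they go stale without a runtime refresh.
RUN freshclam || echo "WARNING: freshclam failed; ClamAV definitions are missing or stale" >&2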
# Create the unprivileged 'scanner' user (UID 1000, with a home directory) and
# the directories the scan uses (presumably Goose config/data under the home
# directory, /output for results, and scratch space under /tmp), then hand them
# all over to that user.
RUN useradd -m -u 1000 scanner \
    && mkdir -p \
         /home/scanner/.config/goose \
         /home/scanner/.local/share/goose \
         /output \
         /tmp/goose \
         /tmp/goose_home \
         /tmp/training \
    && chown -R scanner:scanner \
         /home/scanner \
         /output \
         /tmp/goose \
         /tmp/goose_home \
         /tmp/training
# Give tcpdump file capabilities so the non-root scanner user can capture
# packets without sudo. setcap comes from libcap2-bin, which is not in the
# explicit package list above and is presumably pulled in as a dependency —
# confirm.
# NOTE(review): file capabilities only take effect if the container's bounding
# set contains them. Docker's default set includes NET_RAW but not NET_ADMIN,
# and with the effective bit set, executing tcpdump fails with EPERM when a
# listed capability cannot be acquired — so this likely needs
# `--cap-add=NET_ADMIN` at run time; verify against the run configuration.
RUN setcap cap_net_raw,cap_net_admin=eip /usr/bin/tcpdump
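# Goose configuration for the scanner user. --chown sets ownership at copy
# time instead of a follow-up RUN chown, which would store a second copy of
# the file in another layer.
COPY --chown=scanner:scanner config.yaml /home/scanner/.config/goose/config.yaml
# Base recipe (also owned by scanner), scanning script, and training-data
# decoder. The two scripts stay root-owned under /usr/local/bin.
COPY --chown=scanner:scanner base_recipe.yaml /docker/base_recipe.yaml
COPY scan-recipe.sh /usr/local/bin/scan-recipe.sh
COPY decode-training-data.py /usr/local/bin/decode-training-data.py
# Make the entrypoint script and the decoder executable.
RUN chmod +x /usr/local/bin/scan-recipe.sh /usr/local/bin/decode-training-data.py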
# Drop to the unprivileged user for everything that follows and for the
# running container. Every step that needs root (package installs, sudoers,
# setcap, chown) is above this line.
USER scanner
# Working directory for a scan. WORKDIR creates /workspace if it is missing.
# NOTE(review): it is not created/chowned with the other directories above, so
# depending on the builder it may end up root-owned and unwritable by scanner —
# confirm, or add it to the mkdir/chown step.
WORKDIR /workspace
# Default entrypoint in exec form, so the script runs as PID 1 and receives
# container stop signals directly. Arguments given to `docker run` are
# appended to it.
ENTRYPOINT ["/usr/local/bin/scan-recipe.sh"]