services/
ro - read only => writable for the ictf user but not by the challenge user
rw - read/write => writable by the ictf user and by the challenge user
rr - root owned => not writable by the ictf user and not writable by the service user
./Dockerfile => Submitted by service creator
./docker-compose.yml => Maintained by iCTF team. Same for every service
Every service will use the same docker-compose.yml, which is provided as part of the iCTF infrastructure. As specified in the docker-compose.yml file, the directories ./service/ro, ./service/rw, and ./service/root_owned will be "volumed in" at runtime. As such, your Dockerfile will not need to COPY in the source code.
The Dockerfile should contain all the instructions necessary to install the dependencies for your service and provision an unprivileged user. The general structure for how to do so is contained here:
In short:
-
Install system dependencies (as root)
-
Create an unprivileged user to run the actual service
-
Install any local (userspace) dependencies
-
Finally run the command necessary to start the service (e.g.
CMD cd ./rw && socat tcp-l:6666,reuseaddr,fork exec:"../ro/example_service.py")
You are advised to follow docker best practices.
In particular:
- Keep your images as small as possible
- only install necessary dependencies
- delete any intermediate files such as
.tgz,/var/lib/apt/lists/*etc
- Take advantage of docker's build cache by ordering your layers from least frequently changed to most frequent
Note that you can take a look at this example development history to get an idea of the steps required to build your service from scratch.