Python code obfuscation in Docker image/container

I am trying to build a Docker image that contains Python code in obfuscated form, so I tried the following:

    FROM ubuntu:bionic

    ENV DEBIAN_FRONTEND=noninteractive

    RUN apt-get update \
      && apt-get install -y python3-pip python3-dev \
      && cd /usr/local/bin \
      && ln -s /usr/bin/python3 python \
      && pip3 install --upgrade pip

    COPY hello-world.py /
    COPY requirments.txt /
    RUN pip install -r requirments.txt
    RUN pyarmor obfuscate 'hello-world.py'
    RUN rm -rf hello-world.py
    RUN cd dist
    CMD ["python", "hello-world.py"]

I am getting an error from the pyarmor command:

    INFO     Start obfuscating the scripts...
    INFO        ello-world.py -> dist/ello-world.py
    ERROR    [Errno 2] No such file or directory: '/ello-world.py'

Need some help.

Placing the original file outside of the root (/) seems to solve the problem:

    FROM ubuntu:bionic

    ENV DEBIAN_FRONTEND=noninteractive

    RUN apt-get update \
      && apt-get install -y python3-pip python3-dev \
      && cd /usr/local/bin \
      && ln -s /usr/bin/python3 python \
      && pip3 install --upgrade pip

    WORKDIR /app
    COPY hello-world.py .
    COPY requirements.txt .
    RUN pip install -r requirements.txt
    RUN pyarmor obfuscate hello-world.py
    RUN rm -rf hello-world.py
    CMD ["python", "dist/hello-world.py"]

    $ docker build -t obf-hello .
    ... <output omitted> ...

    $ docker run -it --rm obf-hello
    HELLO WORLD!

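When building Docker images, it is important to remember that every statement (FROM, COPY, RUN, etc.) creates a new layer, and that all layers are accessible to anyone who later has access to the image: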

    $ docker history obf-hello
    IMAGE          CREATED              CREATED BY                                      SIZE      COMMENT
    faf859dcd93b   45 seconds ago       /bin/sh -c #(nop)  CMD ["python" "dist/hello…   0B
    db189a78c052   46 seconds ago       /bin/sh -c rm -rf hello-world.py                0B
    bb39d058fd4f   47 seconds ago       /bin/sh -c pyarmor obfuscate hello-world.py     1.22MB
    c2b29debdf25   49 seconds ago       /bin/sh -c pip install -r requirements.txt      10.1MB
    dbf9cde1f691   52 seconds ago       /bin/sh -c #(nop) COPY file:5bf416045dde3b2a…   15B
    8e632b7679ea   53 seconds ago       /bin/sh -c #(nop) COPY file:8c0ca98b3d5632b9…   46B
    2020b38099a5   54 seconds ago       /bin/sh -c #(nop) WORKDIR /app                  0B
    b8eba45cc77a   55 seconds ago       /bin/sh -c apt-get update   && apt-get insta…   432MB
    13d7ab1c648b   About a minute ago   /bin/sh -c #(nop)  ENV DEBIAN_FRONTEND=nonin…   0B
    dcf4d4bef137   2 weeks ago          /bin/sh -c #(nop)  CMD ["bash"]                 0B
    <missing>      2 weeks ago          /bin/sh -c #(nop) ADD file:c6039a4f004b6b6c2…   63.2MB

    $ docker run --rm bb39d058fd4f cat hello-world.py
    #!/usr/bin/env python

    print("HELLO WORLD!")

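To avoid leaking your source code (whether you use Python, Java, Go, or anything else), use a multi-stage build as described in the Docker documentation: https://docs.docker.com/develop/develop-images/multistage-build/

For the original question, I would suggest something like this: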

    FROM ubuntu:bionic as build

    ENV DEBIAN_FRONTEND=noninteractive

    RUN apt-get update \
      && apt-get install -y python3-pip python3-dev \
      && cd /usr/local/bin \
      && ln -s /usr/bin/python3 python \
      && pip3 install --upgrade pip

    WORKDIR /app
    COPY requirements.txt .
    RUN pip install -r requirements.txt

    FROM build as temp
    COPY hello-world.py .
    RUN pyarmor obfuscate hello-world.py

    FROM build as dist
    COPY --from=temp /app/dist/ dist/
    CMD ["python", "dist/hello-world.py"]

Note that I have removed RUN rm -rf hello-world.py, since it is just a pointless extra step.
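
The layer leak shown with docker history above can be checked for mechanically before an image is published. The following Python code is an added example, not part of the original answer: it scans every layer of a `docker save` archive for a source path and for the whiteout entry that a later `RUN rm` leaves behind. The sample archive, its layer names and the functions `find_source`, `_tar` and `sample_image` are constructed for illustration; the code assumes the archive carries a `manifest.json` with a `Layers` list, as `docker save` writes.

```python
import io
import json
import posixpath
import tarfile


def find_source(image_tar: bytes, path: str):
    """Scan each layer of a `docker save` archive for `path`; report "file" when
    a layer carries it, "whiteout" when a later layer only hides it (RUN rm)."""
    directory, base = posixpath.split(path)
    whiteout = posixpath.join(directory, ".wh." + base)
    hits = []
    with tarfile.open(fileobj=io.BytesIO(image_tar), mode="r:*") as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:
            blob = image.extractfile(layer_name).read()
            # "r:*" also accepts gzip-compressed layer blobs.
            with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as layer:
                for member in layer.getmembers():
                    name = posixpath.normpath(member.name)
                    if name == path and member.isfile():
                        hits.append((layer_name, "file"))
                    elif name == whiteout:
                        hits.append((layer_name, "whiteout"))
    return hits


def _tar(files: dict) -> bytes:
    """Pack {path: bytes} into an in-memory tar (sample construction only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as archive:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            archive.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sample_image(multi_stage: bool) -> bytes:
    """Constructed stand-in for `docker save obf-hello`; layer names are made up."""
    layers = {"obf/layer.tar": _tar({"app/dist/hello-world.py": b"# obfuscated\n"})}
    if not multi_stage:  # single-stage build: COPY, pyarmor, then rm
        layers = {"copy/layer.tar": _tar({"app/hello-world.py": b"print(1)\n"}), **layers,
                  "rm/layer.tar": _tar({"app/.wh.hello-world.py": b""})}
    manifest = [{"Layers": list(layers)}]
    return _tar({"manifest.json": json.dumps(manifest).encode(), **layers})


if __name__ == "__main__":
    print(find_source(sample_image(False), "app/hello-world.py"))
```

To run it on a real image, pass the bytes produced by `docker save obf-hello` to `find_source`.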