-
-
Notifications
You must be signed in to change notification settings - Fork 86
/
Dockerfile.openssl
415 lines (404 loc) · 17.8 KB
/
Dockerfile.openssl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
#!/usr/bin/docker build --force-rm --rm -f
#? DESCRIPTION
#? Dockerfile to build an image with o-saft.tgz using patched openssl:
#? https://github.com/PeterMosmans/openssl/archive/1.0.2-chacha.tar.gz
#? Build necessary Perl modules based on patched openssl.
#?
#? USAGE
#? This Dockerfile uses "buildargs" variables to build the Docker image.
#? For default settings, please use: awk '/^ARG/{print $2}' Dockerfile.openssl
#?
#? OSAFT_VERSION
#? Version of this build (should be used as image tag also).
#?
#? OSAFT_VM_FROM
#? Base image to be used for this build. Tested images are:
#? (2017) alpine:3.6 alpine:edge debian:stretch-slim debian
#? (2018) alpine:3.8 debian
#? (2019) alpine:3.10 debian:10.2-slim
#? (2024) alpine:3.20
#?
#? OSAFT_VM_USER
#? Username to be added in the build image.
#?
#? OSAFT_VM_APT_INSTALL
#? Additional packages to be installed in the image.
#? Note that the package names depend on the used base image.
#? Tested packages are: tcl tk tklib xvfb openssl
#?
#? OSAFT_VM_SRC_OSAFT
#? URL to fetch o-saft.tgz archive.
#?
#? OSAFT_VM_SHA_OSAFT
#? SHA256 checksum for the o-saft.tgz archive.
#? Note that the checksum in the Dockerfile provided by this .tgz
#? archive is wrong (due to hen-egg-problem).
#? https://github.com/OWASP/O-Saft/blob/master/Dockerfile.openssl
#? is the most current version and contains proper checksums.
#?
#? OSAFT_VM_TAR_OSAFT
#? Name of archive file for O-Saft (during build).
#?
#? OSAFT_VM_SRC_OPENSSL
#? URL to fetch openssl.tgz archive.
#?
#? OSAFT_VM_SHA_OPENSSL
#? SHA256 checksum for the openssl-1.0.2-chacha.tar.gz archive.
#?
#? OSAFT_VM_TAR_OPENSSL
#? Name of archive file for OpenSSL (during build).
#?
#? OSAFT_VM_DYN_OPENSSL
#? Build (link) mode of openssl executable: --static or --shared
#?
#? OSAFT_VM_SRC_SSLEAY
#? URL to fetch Net-SSLeay.tar.gz archive.
#?
#? OSAFT_VM_SHA_SSLEAY
#? SHA256 checksum for the Net-SSLeay.tar.gz archive.
#?
#? OSAFT_VM_TAR_SSLEAY
#? Name of archive file for Net-SSLeay.tgz (during build).
#?
#? OSAFT_VM_SRC_SOCKET
#? URL to fetch IO-Socket-SSL.tar.gz archive.
#?
#? OSAFT_VM_SHA_SOCKET
#? SHA256 checksum for the IO-Socket-SSL.tar.gz archive.
#?
#? OSAFT_VM_TAR_SOCKET
#? Name of archive file for IO-Socket-SSL.tgz (during build).
#?
#? OSAFT_VM_TRACE
#? Additional first shell command in Docker's RUN. Can be used to
#? enable tracing of build process with:
#? --build-arg OSAFT_VM_TRACE="set -x"
#? Default: (empty)
#?
#? ENVIRONMENT VARIABLES
#? The build image sets environment variables. They are mainly used for
#? documentation or by other programs to check for the right build.
#?
#? Following environment variables are set inside the docker image:
#?
#? osaft_vm_build
#? Build version of this image, used by o-saft-docker.
#? OSAFT_DIR
#? Directory where O-Saft is installed.
#? OPENSSL_DIR
#? Directory where OpenSSL is installed.
#? OPENSSL_VERSION
#? Version of installed OpenSSL
#? TERM
#? Prefered X-Terminal program.
#? LD_RUN_PATH
#? Additional paths for runtime loader, used while linking with
#? "ld -rpath=..."
#? Linking of openssl, libssl.so and SSLeay.so will use -rpath
#? in LDFLAGS to ensure that the special library will be used.
#? Default:${OPENSSL_DIR}/lib
#? PATH
#? PATH for shell, set to:
#? ${OSAFT_DIR}:${OSAFT_DIR}/usr:${OPENSSL_DIR}/bin:$PATH
#? WORK_DIR
#? Directory where to build the packages (used for Dockerfile's
#? WORKDIR dierective.
#?
#? EXAMPLES
#? Simple build with defaults: alpine:edge, o-saft.tgz, openssl-chacha
#? docker build --force-rm --rm \
#? -f Dockerfile.openssl -t owasp/o-saft .
#?
#? Simple build with base image alpine:3.8
#? docker build --force-rm --rm \
#? --build-arg "OSAFT_VM_FROM=alpine:3.8" \
#? -f Dockerfile.openssl -t owasp/o-saft .
#?
#? Simple build with base image debian:10.2-slim
#? docker build --force-rm --rm \
#? --build-arg "OSAFT_VM_FROM=debian:10.2-slim" \
#? -f Dockerfile.openssl -t owasp/o-saft .
#?
#? Build with base image alpine:3.6 and Tcl/Tk
#? docker build --force-rm --rm \
#? --build-arg "OSAFT_VM_FROM=alpine:3.6" \
#? --build-arg "OSAFT_VM_APT_INSTALL=tcl tk tklib xvfb" \
#? -f Dockerfile.openssl -t owasp/o-saft .
#?
#? Build with other SHA256 checksum for o-saft.tgz
#? docker build --force-rm --rm \
#? --build-arg "OSAFT_VM_SHA_OSAFT=caffee" \
#? -f Dockerfile.openssl -t owasp/o-saft .
#?
#? Build with from local o-saft.tgz file without checksum
#? docker build --force-rm --rm \
#? --build-arg "OSAFT_VM_SRC_OSAFT=file:///path/to/o-saft.tgz" \
#? --build-arg "OSAFT_VM_SHA_OSAFT=" \
#? -f Dockerfile.openssl -t owasp/o-saft .
#?
#? Build with development O-Saft download from github
#? docker build --force-rm --rm \
#? --build-arg "OSAFT_VM_SRC_OSAFT=https://github.com/OWASP/O-Saft/archive/master.tar.gz" \
#? --build-arg "OSAFT_VERSION=latest-development" \
#? -f Dockerfile.openssl -t owasp/o-saft .
#?
#? Note that o-saft-docker searches for a Docker image owasp/o-saft
#? so don't forget to tag at least one image with this name.
#?
# HACKER's Info
# Note that the base package alpine uses busybox as shell. This shell is
# very picky, in particular for the expr command.
#
# Compiling erros with:
# https://cpan.metacpan.org/authors/id/C/CH/CHRISN/Net-SSLeay-1.94.tar.gz
# 9d7be8a56d1bedda05c425306cc504ba134307e0c09bda4a788c98744ebcd95d
ARG OSAFT_VM_FROM=alpine:3.20
FROM $OSAFT_VM_FROM
MAINTAINER Achim <achim@owasp.org>
# Parameters passed to build
# OSAFT_VM_FROM must be defined again, otherwise its value is not available
ARG OSAFT_VM_FROM
ARG OSAFT_VM_TRACE
ARG OSAFT_VM_USER=osaft
ARG OSAFT_VM_SRC_OSAFT="https://github.com/OWASP/O-Saft/raw/master/o-saft.tgz"
ARG OSAFT_VM_SHA_OSAFT="158e33ea4c1f27ac87da3555f811d01bbccdf1756f064d68c144f58aad02eb0e"
ARG OSAFT_VM_TAR_OSAFT="o-saft.tgz"
ARG OSAFT_VM_SRC_SSLEAY="http://search.cpan.org/CPAN/authors/id/M/MI/MIKEM/Net-SSLeay-1.85.tar.gz"
ARG OSAFT_VM_SHA_SSLEAY="9d8188b9fb1cae3bd791979c20554925d5e94a138d00414f1a6814549927b0c8"
ARG OSAFT_VM_TAR_SSLEAY="Net-SSLeay.tgz"
ARG OSAFT_VM_SRC_SOCKET="http://search.cpan.org/CPAN/authors/id/S/SU/SULLR/IO-Socket-SSL-2.052.tar.gz"
ARG OSAFT_VM_SHA_SOCKET="e4897a9b17cb18a3c44aa683980d52cef534cdfcb8063d6877c879bfa2f26673"
ARG OSAFT_VM_TAR_SOCKET="IO-Socket-SSL.tgz"
ARG OSAFT_VM_SRC_OPENSSL="https://github.com/PeterMosmans/openssl/archive/1.0.2-chacha.tar.gz"
ARG OSAFT_VM_SHA_OPENSSL="ad3d99ec091e403a3a7a678ddda38b392e3204515425827c53dc5baa92d61d67"
ARG OSAFT_VM_TAR_OPENSSL="openssl.tgz"
ARG OSAFT_VM_DYN_OPENSSL="--shared"
# --static not yet (2020) working 'cause of libkrb5
ARG OSAFT_VM_APT_INSTALL
ARG OSAFT_VERSION="undefined"
ARG _SELF_="H$Þ^"
# _SELF_ for internal use only to make multiple references unique
LABEL \
VERSION="$OSAFT_VERSION" \
\
DESCRIPTION="Build O-Saft docker image (with Peter Mosman's openssl)" \
SYNOPSIS="docker build --force-rm --rm -f ./$_SELF_ -t owasp/o-saft:$OSAFT_VERSION -t owasp/o-saft ." \
DETAILS="Please see https://github.com/OWASP/O-Saft/raw/master/o-saft-docker" \
SOURCE0="https://github.com/OWASP/O-Saft/raw/master/$_SELF_" \
SOURCE1="$OSAFT_VM_SRC_OSAFT" \
SOURCE2="$OSAFT_VM_SRC_OPENSSL" \
SID="@(#) H$Þ^ 3.6 24/09/26 01:19:36" \
AUTHOR="Achim Hoffmann"
ENV osaft_vm_build "$_SELF_ $OSAFT_VERSION; FROM $OSAFT_VM_FROM"
ENV OSAFT_DIR /O-Saft
ENV OPENSSL_DIR /openssl
ENV OPENSSL_VERSION 1.0.2-chacha
ENV TERM xterm
ENV LD_RUN_PATH ${OPENSSL_DIR}/lib
ENV PATH ${OSAFT_DIR}:${OSAFT_DIR}/usr:${OPENSSL_DIR}/bin:$PATH
ENV BUILD_DIR /tmp_src
ENV WORK_DIR /
WORKDIR $WORK_DIR
RUN \
$OSAFT_VM_TRACE ; \
echo "#== Configure user" && \
if expr "X$OSAFT_VM_FROM" : Xdebian >/dev/null ; then \
adduser --quiet --home ${OSAFT_DIR} ${OSAFT_VM_USER} ; \
passwd --delete ${OSAFT_VM_USER} ; \
else \
adduser -D -h ${OSAFT_DIR} ${OSAFT_VM_USER} ; \
fi && \
mkdir -p ${OSAFT_DIR} && \
\
echo "#== Configure apk (alpine) or apt (debian); default: apk" && \
tklib=tk-lib && \
apt_exe=apk && \
apt_add=add && \
apt_del=del && \
opt_add=--no-cache && \
opt_del=--purge \
packages_make="gcc make musl-dev linux-headers perl-dev" && \
packages="curl ncurses $OSAFT_VM_APT_INSTALL gawk virt-what \
$packages_make \
krb5-dev zlib-dev perl perl-readonly \
ca-certificates" && \
packages_dev="gmp-dev lksctp-tools-dev" && \
packages_perl="perl-net-dns perl-net-libidn perl-mozilla-ca" && \
if expr "X$OSAFT_VM_FROM" : Xdebian >/dev/null ; then \
tklib=tklib ; \
apt_exe=apt-get ; \
apt_add=install ; \
apt_del=purge ; \
opt_add=--yes ; \
opt_del=--yes ; \
# fehltnoch: perl-dev
packages_make="gcc make linux-headers-amd64" ; \
# ncurses-base ncurses-bin already part of debian
packages="curl $packages_make libkrb5-3 libkrb5-dev zlib1g-dev perl ca-certificates" ; \
packages_dev="libgmp-dev lksctp-tools libsctp-dev" ; \
packages_perl="libnet-dns-perl libnet-libidn-perl" ; \
fi && \
[ -n "$OSAFT_VM_APT_INSTALL" ] && packages="$packages $tklib" && \
# perl-io-socket-ssl perl-net-ssleay build herein
\
echo "#== Install required packages, development tools and libs" && \
#apk update && \ # no update needed and not wanted
if expr "X$OSAFT_VM_FROM" : Xdebian >/dev/null ; then \
$apt_exe update ; \
fi && \
$apt_exe $apt_add $opt_add $packages && \
\
echo "#== Workaround for docker/alpine (bug or race condition)" && \
# in some alpine versions, resolving a hostname fails, see
# https://forums.docker.com/t/resolved-service-name-resolution-broken-on-alpine-and-docker-1-11-1-cs1/19307/23
# as workaround we try to prefetch the name resolution;
# however, it is not bullet proof either ...
workaround_alpine_bug() { \
expr "X$OSAFT_VM_FROM" : Xdebian >/dev/null && return ; \
for host in github.com codeload.github.com cpan.metacpan.org search.cpan.org cpan.metacpan.org ; do \
echo -n "resolving $host ... " && ping -c 1 $host > /dev/null && echo SUCCESS || echo FAILDED ; \
done; } && \
\
echo "#== Pull, build and install enhanced openssl" && \
workaround_alpine_bug && \
$apt_exe $apt_add $opt_add $packages_dev && \
cd $WORK_DIR && \
mkdir -p $BUILD_DIR ${OPENSSL_DIR} && \
curl --insecure --location --silent $OSAFT_VM_SRC_OPENSSL -o $OSAFT_VM_TAR_OPENSSL && \
# check sha256 if there is one
[ -n "$OSAFT_VM_SHA_OPENSSL" ] && \
echo "$OSAFT_VM_SHA_OPENSSL $OSAFT_VM_TAR_OPENSSL" | sha256sum -c ; \
\
tar -xzf $OSAFT_VM_TAR_OPENSSL -C $BUILD_DIR --strip-components=1 && \
cd $BUILD_DIR && \
# patch openssl.cnf for GOST
sed -i '/RANDFILE/a openssl_conf=openssl_def' apps/openssl.cnf && \
# using echo instead of cat to avoid problems with stacked commands:
# cat -> shell -> docker
(\
echo 'openssl_conf=openssl_def'; \
echo '[openssl_def]'; \
echo 'engines=engine_section';\
echo '[engine_section]'; \
echo 'gost=gost_section'; \
echo '[gost_section]'; \
echo 'engine_id = gost'; \
echo 'default_algorithms=ALL';\
echo 'CRYPT_PARAMS=id-Gost28147-89-CryptoPro-A-ParamSet'; \
) >> apps/openssl.cnf && \
# config with all options, even if they are default
LDFLAGS="-rpath=$LD_RUN_PATH" && export LDFLAGS && \
# see description for LD_RUN_PATH above
./config --prefix=${OPENSSL_DIR} --openssldir=${OPENSSL_DIR}/ssl \
$OSAFT_VM_DYN_OPENSSL \
--with-krb5-flavor=MIT --with-krb5-dir=/usr/include/krb5/ \
-fPIC zlib zlib-dynamic enable-zlib enable-npn sctp \
enable-deprecated enable-weak-ssl-ciphers \
enable-heartbeats enable-unit-test enable-ssl-trace \
enable-ssl3 enable-ssl3-method enable-ssl2 \
enable-tls1 enable-tls1-method enable-tls\
enable-tls1-1 enable-tls1-1-method enable-tlsext \
enable-tls1-2 enable-tls1-2-method enable-tls1-2-client \
enable-dtls1 enable-dtls1-method \
enable-dtls1-2 enable-dtls1-2-method \
enable-md2 enable-md4 enable-mdc2 \
enable-rc2 enable-rc4 enable-rc5 \
enable-sha0 enable-sha1 enable-sha256 enable-sha512 \
enable-aes enable-cms enable-dh enable-egd \
enable-des enable-dsa enable-rsa enable-rsax \
enable-ec enable-ec2m enable-ecdh enable-ecdsa \
enable-blake2 enable-bf enable-cast enable-camellia \
enable-gmp enable-gost enable-GOST enable-idea \
enable-poly1305 enable-krb5 enable-rdrand enable-rmd160 \
enable-seed enable-srp enable-whirlpool \
enable-rfc3779 enable-ec_nistp_64_gcc_128 experimental-jpake \
-DOPENSSL_USE_BUILD_DATE -DTLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES -DTEMP_GOST_TLS \
&& \
make depend && make && make report -i && make install && \
# make report most likely fails, hence -i
# simple test
echo -n "# number of ciphers ${OPENSSL_DIR}/bin/openssl: " && \
${OPENSSL_DIR}/bin/openssl ciphers -V ALL:COMPLEMENTOFALL:aNULL|wc -l && \
# cleanup
$apt_exe $apt_del $opt_del $packages_dev && \
cd $WORK_DIR && \
rm -rf $BUILD_DIR $OSAFT_VM_TAR_OPENSSL && \
\
echo "#== Pull, build and install Net::SSLeay" && \
workaround_alpine_bug && \
cd $WORK_DIR && \
mkdir -p $BUILD_DIR && \
curl --insecure --location --silent $OSAFT_VM_SRC_SSLEAY -o $OSAFT_VM_TAR_SSLEAY && \
# check sha256 if there is one
[ -n "$OSAFT_VM_SHA_SSLEAY" ] && \
echo "$OSAFT_VM_SHA_SSLEAY $OSAFT_VM_TAR_SSLEAY" | sha256sum -c ; \
\
tar -xzf $OSAFT_VM_TAR_SSLEAY -C $BUILD_DIR --strip-components=1 && \
# install additional packages for Net-SSLeay ...
$apt_exe $apt_add $opt_add $packages_perl && \
cd $BUILD_DIR && \
perl -i.orig -pe 'if (m/^#define\s*REM_AUTOMATICALLY_GENERATED_1_09/){print "const SSL_METHOD * SSLv2_method()\n\nconst SSL_METHOD * SSLv3_method()\n\n";}' SSLeay.xs && \
# quick&dirty patch, results in warning, which can be ignored
# Warning: duplicate function definition 'SSLv2_method' detected in SSLeay.xs, line 4256
LDFLAGS="-rpath=$LD_RUN_PATH" && export LDFLAGS && \
echo "n" | env OPENSSL_PREFIX=${OPENSSL_DIR} perl Makefile.PL \
INC=-I${OPENSSL_DIR}/include DEFINE=-DOPENSSL_BUILD_UNSAFE=1 && \
# Makefile.PL asks for "network tests", hence pipe "n" as answer
# installation in (default) /usr/local, hence no PREFIX=
make && make test && make install && \
cd $WORK_DIR && \
rm -rf $BUILD_DIR $OSAFT_VM_TAR_SSLEAY && \
\
echo "#== Pull, build and install IO::Socket::SSL" && \
workaround_alpine_bug && \
mkdir -p $BUILD_DIR && \
curl --insecure --location --silent $OSAFT_VM_SRC_SOCKET -o $OSAFT_VM_TAR_SOCKET && \
# check sha256 if there is one
[ -n "$OSAFT_VM_SHA_SOCKET" ] && \
echo "$OSAFT_VM_SHA_SOCKET $OSAFT_VM_TAR_SOCKET" | sha256sum -c ; \
\
tar -xzf $OSAFT_VM_TAR_SOCKET -C $BUILD_DIR --strip-components=1 && \
cd $BUILD_DIR && \
echo "n" | perl Makefile.PL INC=-I${OPENSSL_DIR}/include && \
make && make -i test && make install && \
# make test sometimes fails (see Workaround above), hence -i
cd $WORK_DIR && \
rm -r $BUILD_DIR $OSAFT_VM_TAR_SOCKET && \
\
echo "#== Pull and install O-Saft" && \
workaround_alpine_bug && \
cd $WORK_DIR && \
curl --insecure --location --silent $OSAFT_VM_SRC_OSAFT -o $OSAFT_VM_TAR_OSAFT && \
# check sha256 if there is one
[ -n "$OSAFT_VM_SHA_OSAFT" ] && \
echo "$OSAFT_VM_SHA_OSAFT $OSAFT_VM_TAR_OSAFT" | sha256sum -c ; \
\
tar -xzf ${OSAFT_VM_TAR_OSAFT} && \
# handle master directory from github, mv to ${OSAFT_DIR}
# checks fail sometimes, hence in a sub-shell
(\
[ -d "./O-Saft-master" ] && mv ./O-Saft-master/* ${OSAFT_DIR}/ ; \
[ -d "./O-Saft-master" ] && mv ./O-Saft-master/.[a-zA-Z]* ${OSAFT_DIR}/ ; \
[ -d "./O-Saft-master" ] && rm -rf ./O-Saft-master/ ; \
exit 0 ; \
) && \
chown -R root:root ${OSAFT_DIR} && \
chown -R ${OSAFT_VM_USER}:${OSAFT_VM_USER} ${OSAFT_DIR}/doc && \
chown -R ${OSAFT_VM_USER}:${OSAFT_VM_USER} ${OSAFT_DIR}/lib && \
chown -R ${OSAFT_VM_USER}:${OSAFT_VM_USER} ${OSAFT_DIR}/usr && \
chown ${OSAFT_VM_USER}:${OSAFT_VM_USER} ${OSAFT_DIR}/.o-saft.pl && \
cp ${OSAFT_DIR}/.o-saft.pl ${OSAFT_DIR}/.o-saft.pl-orig && \
perl -i.bak -pe "s:^#?\s*--openssl=.*:--openssl=${OPENSSL_DIR}/bin/openssl:;s:^#?\s*--openssl-cnf=.*:--openssl-cnf=${OPENSSL_DIR}/ssl/openssl.cnf:;s:^#?\s*--ca-path=.*:--ca-path=/etc/ssl/certs/:;s:^#?\s*--ca-file=.*:--ca-file=/etc/ssl/certs/ca-certificates.crt:" ${OSAFT_DIR}/.o-saft.pl && \
chmod 666 ${OSAFT_DIR}/.o-saft.pl && \
rm -f ${OSAFT_VM_TAR_OSAFT} && \
\
echo "#== Cleanup" && \
$apt_exe $apt_del $opt_del $packages_make
# do not delete krb5-dev zlib-dev because we need
# libkrb5.so.3, libk5crypto.so.3 and libz.so to run openssl
WORKDIR $OSAFT_DIR
USER $OSAFT_VM_USER
RUN o-saft-docker usage
ENTRYPOINT ["/O-Saft/o-saft"]
CMD ["--norc", "--help=docker"]
# vim:set ft=dockerfile: