Add Hitch

[ThijsFeryn]

Context

I'm a Varnish Software employee and I help @gquintard maintain the official Varnish Docker image.

Hitch is a very powerful TLS proxy. It is Varnish Software's preferred way to terminate TLS, because it is extremely stable and lightweight. Hitch only does TLS termination and doesn't even speak HTTP.

In this day and age TLS is everywhere, and the fact that Varnish Cache doesn't provide native TLS support makes a very Hitch relevant service.

The Hitch image was built using the same methodology as the official Varnish Docker image that was accepted by you.

At this point we don't provide publicly available packages for Hitch. We might do this in the near future. Meanwhile, we're relying on Debian Buster's Hitch package which does offer a quite recent version.

And just like Varnish, we consider this to be a service.

Checklist for Review

NOTE: This checklist is intended for the use of the Official Images maintainers both to track the status of your PR and to help inform you and others of where we're at. As such, please leave the "checking" of items to the repository maintainers. If there is a point below for which you would like to provide additional information or note completion, please do so by commenting on the PR. Thanks! (and thanks for staying patient with us ❤️)

• associated with or contacted upstream?
• does it fit into one of the common categories? ("service", "language stack", "base distribution")
• is it reasonably popular, or does it solve a particular use case well?
• does a documentation PR exist? (should be reviewed and merged at roughly the same time so that we don't have an empty image page on the Hub for very long)
• dockerization review for best practices and cache gotchas/improvements (ala the official review guidelines)?
• 2+ dockerization review?
• existing official images have been considered as a base? (ie, if foobar needs Node.js, has FROM node:... instead of grabbing node via other means been considered?)
• if FROM scratch, tarballs only exist in a single commit within the associated history?
• passes current tests? any simple new tests that might be appropriate to add? (https://github.com/docker-library/official-images/tree/master/test)

[ThijsFeryn]

Docs PR created: docker-library/docs#1675

[github-actions]

Diff for 674a13d:

failed fetching repo "hitch"
unable to find a manifest named "hitch" (in "/tmp/tmp.lVOMEhzXPf/oi/library" or as a remote URL)
diff --git a/_bashbrew-arches b/_bashbrew-arches
index e69de29..ce0a381 100644
--- a/_bashbrew-arches
+++ b/_bashbrew-arches
@@ -0,0 +1 @@
+hitch:latest @ amd64
diff --git a/_bashbrew-list b/_bashbrew-list
index e69de29..1bcc30b 100644
--- a/_bashbrew-list
+++ b/_bashbrew-list
@@ -0,0 +1,5 @@
+hitch:1
+hitch:1.5
+hitch:1.5.0
+hitch:1.5.0-1
+hitch:latest
diff --git a/_bashbrew.err b/_bashbrew.err
index cde404b..e69de29 100644
--- a/_bashbrew.err
+++ b/_bashbrew.err
@@ -1,6 +0,0 @@
-failed fetching repo "hitch"
-unable to find a manifest named "hitch" (in "/tmp/tmp.lVOMEhzXPf/oi/library" or as a remote URL)
-failed fetching repo "hitch"
-unable to find a manifest named "hitch" (in "/tmp/tmp.lVOMEhzXPf/oi/library" or as a remote URL)
-failed fetching repo "hitch"
-unable to find a manifest named "hitch" (in "/tmp/tmp.lVOMEhzXPf/oi/library" or as a remote URL)
diff --git a/hitch_latest/Dockerfile b/hitch_latest/Dockerfile
new file mode 100644
index 0000000..1b5b210
--- /dev/null
+++ b/hitch_latest/Dockerfile
@@ -0,0 +1,24 @@
+FROM debian:buster-slim
+
+ENV FRONTEND_PORT 443
+ENV FRONTEND_HOST *
+ENV BACKEND_PORT 8443
+ENV BACKEND_HOST localhost
+ENV PROXY_PROTOCOL --write-proxy-v2
+
+RUN apt-get update; \
+	apt-get install -y --no-install-recommends openssl hitch=1.5.0-1; \
+	rm -rf /var/lib/apt/lists/*; \
+	mkdir /etc/hitch/certs
+
+WORKDIR /etc/hitch
+
+COPY example.com /etc/hitch/certs
+COPY hitch.conf /etc/hitch
+COPY docker-hitch-entrypoint /usr/local/bin/
+
+ENTRYPOINT ["docker-hitch-entrypoint"]
+
+EXPOSE 443
+
+CMD hitch --config=/etc/hitch/hitch.conf --frontend="[$FRONTEND_HOST]:$FRONTEND_PORT" --backend="[$BACKEND_HOST]:$BACKEND_PORT" $PROXY_PROTOCOL
diff --git a/hitch_latest/docker-hitch-entrypoint b/hitch_latest/docker-hitch-entrypoint
new file mode 100755
index 0000000..4ee2a81
--- /dev/null
+++ b/hitch_latest/docker-hitch-entrypoint
@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+
+# this will check if the first argument is a flag
+# but only works if all arguments require a hyphenated flag
+# -v; -SL; -f arg; etc will work, but not arg1 arg2
+if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then
+    set -- hitch "$@"
+fi
+
+exec "$@"
diff --git a/hitch_latest/example.com b/hitch_latest/example.com
new file mode 100644
index 0000000..c367680
--- /dev/null
+++ b/hitch_latest/example.com
@@ -0,0 +1,58 @@
+-----BEGIN CERTIFICATE-----
+MIIDwzCCAqugAwIBAgIUe4v+PgBZeohddbh92DAKmy8N6nAwDQYJKoZIhvcNAQEL
+BQAwVjELMAkGA1UEBhMCTk8xEzARBgNVBAgMClNvbWUtU3RhdGUxHDAaBgNVBAoM
+E1Zhcm5pc2ggU29mdHdhcmUgQVMxFDASBgNVBAMMC2V4YW1wbGUuY29tMB4XDTIw
+MDEzMDEwMDMzOFoXDTQ3MDYxNzEwMDMzOFowVjELMAkGA1UEBhMCTk8xEzARBgNV
+BAgMClNvbWUtU3RhdGUxHDAaBgNVBAoME1Zhcm5pc2ggU29mdHdhcmUgQVMxFDAS
+BgNVBAMMC2V4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEA3/STgvtdRnVPnuiONY4ZtUXexHgOUAhiYnm7GuLKrJCqC1DoSwjeA8Fr/sly
+nrkS0QdrHDh3tZ/9JO4JUChy+hISBjer32JOpmwwsKyuM4YkQ9YI9NeAJQX4vSeF
+krdau2OxuKn9L0e/D8TddzAQ39AOjrE+Y2lCzvoGF2cEesxMNS66JStDFR2w2I7e
+EdTydyXYT7mK6iqhk/3RB3XdwvdQj8DzPQSVFe6/pCa+dzpSSLI8YEHkB8azaz3H
+jsFp4flSPJJMX+pChbs8NBtekuHWDIExKIeyIpEBd37eoZR9+41PZJOsvya/JIhR
+BmVa/t66NHg8ETqUdZYn35pBwQIDAQABo4GIMIGFMCUGA1UdEQQeMByCC2V4YW1w
+bGUuY29tgg0qLmV4YW1wbGUuY29tMB0GA1UdDgQWBBSNwlE7yKISR2VwKF/ODERV
+528ppTAfBgNVHSMEGDAWgBSNwlE7yKISR2VwKF/ODERV528ppTAPBgNVHRMBAf8E
+BTADAQH/MAsGA1UdDwQEAwIFoDANBgkqhkiG9w0BAQsFAAOCAQEAh9M6yB0avQqL
+eXsE9EFINZkWGcMsOexArLAiKfNx5ntXelwfjxRwIgepYE8wTh+YfGwTby3Z8BWP
+IVODhu+AH2FlRqw/1y8bo/yf0bcGCu5fj7K3AdjCk03DtbZORtFxQ+5z7DDRxgbV
+rqwu3hPBm9FDcOEcaoBZ8tw4Mev4GRVwgIGg46UXHOPuoUwrmIZkHGo6ToqKAwwP
+eyyRkeNjytrTN0vnmcAuAeWVwGyfIajhsrM2xN3LLYknUfDQU9+8vQvXl8zlBYX+
+nSKLgzg1n8WNWHgDWijIaDrtKT2ejhslR+pHaKMTcBRVErpmWSkJ5zlVdalolTHU
+ADuwRXuDUg==
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA3/STgvtdRnVPnuiONY4ZtUXexHgOUAhiYnm7GuLKrJCqC1Do
+SwjeA8Fr/slynrkS0QdrHDh3tZ/9JO4JUChy+hISBjer32JOpmwwsKyuM4YkQ9YI
+9NeAJQX4vSeFkrdau2OxuKn9L0e/D8TddzAQ39AOjrE+Y2lCzvoGF2cEesxMNS66
+JStDFR2w2I7eEdTydyXYT7mK6iqhk/3RB3XdwvdQj8DzPQSVFe6/pCa+dzpSSLI8
+YEHkB8azaz3HjsFp4flSPJJMX+pChbs8NBtekuHWDIExKIeyIpEBd37eoZR9+41P
+ZJOsvya/JIhRBmVa/t66NHg8ETqUdZYn35pBwQIDAQABAoIBAFXKKevGAKAp9hso
+eLl5Os3e+wwF9W2hGJcijJMrB3p9XDZDgwijV/DWWllar+avfM7H6bcAxpKzu9Q2
+vyiOpiS3YWIyV0uWLAzCaxByxbSFEUVPK1UnbDZCiFtlVVyzkjUwZncX3x4KfN08
+i53Jst0ZpUnyCbUpMGd7DXRPiT7EZj9ri4C/GA3VK/6zAYjlqXN0S0wcRBSVV26V
+5ZUve/daGjmnQu+YYB8Ni/mlph+nhPGVT5uwD/xb+fca6YyAbFKriPJ91lpDqaR9
+UqniwpKx6nsnZXFIctjYdqkSHLD1O92vFehHoVDrSQi66CptjqUAB9umkqYqug4t
+sQArDjECgYEA/PziahI9pJEYfs5uL93eSKh/v8TmYTP9pCoZE8oy63mZ4mQs0DMV
+fU+lMGDpzzFGyda+CBz8I+peNfkvyh742fejGqPUiKGvFNW9HajayRyI8zgxH66/
+KCjJJlcgbcWzgwFJwwQvkeLYFyAFCyKjSJf4AQcU4XT2f9TbcNxI9qUCgYEA4p8z
+KtdR1C8lnTFYkZxxFkX6jScsHwGRv3ypxGrSYNiSxqyJjm/XYIwi4adgyk4vHoFz
+doDtjFmH9Ib7AaI4DLUZSwBobROHxTdEyL4plaQl3iiIT03vxr9zH1xHlMsDctif
+tuz0HQ68gC/0DgaySTIk9+SltDH6G6eYOepdT+0CgYAcDl99q/AyI/U3euU1YcGZ
+BTbFqaxy8zUZ06FcVHw5KQ8r0Dg4DrI/Z2nGZ7kGRUy4bZw9ghlkUkWIbs4h+DVY
+1uG7vpd/X47vHJUQiP1aeFOnxX+NJ/ADICLOobLy+Y3i5W2stvYfk6yrQ93LUlgR
+YOkcFBD4v+PmYVDEv2lIEQKBgCFx7VM9Q85UxvBUAAY9WFM5MKj0RwasbJ4d/9AF
+E9dHHyJDBGoJB3gwNlWnJhm1QC74W9n5XRWBgRcNdK3hCvSVJY50GPVAFKF+bqBR
+sEFtYElRIgzSK7jhOFRAgi/rZi7k2W1duwkuy5L/gL0xL86tn9cV336ggZDjQwwJ
+EoxhAoGBAIqQzGle4KV/TujqAEoF+m1b2/UWVb5sV6PFnJCwP9Xp0OtX2MRLj4iV
+kc1i5xRzIQKeSt7XW4fCF8rgvPmPXb88h8F5/ANg1/sKd5tzRHXA/2B7cMIEv1rb
+7aqpn0Tft2l37ZBkihoceb7A63ec2C6jjeTEzYgaCJibxkETS2QO
+-----END RSA PRIVATE KEY-----
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA5Xe0TEdTsSL0JNnssS2HNVKjqagfB3wJ/DWeBsXy71o15XLz7Ygv
+dxAp72jiD6D18+iFlv91fAToMDV8+4lNphiLgNGomeuI9SYYdo/zUGQ1NtewHpAg
+A58XFebBCrBL6zUjh1pMrz4nlFfrhubgEl6lqr+PIvCnMuAOk3L2d2Py8f4hta/Q
+Nmmm5mI9VRF1kkg8QzSJpnxub/qn2nN6DnY3ZJKNBK+BEBdHphNAJPioVspoeHQD
+5WCt+VSpyF+FPXNpbhkMJ6stl8Y0TbhFSKxMtzVWQ43Ul29RgatC8YlGPlIy/WCZ
+YX/oJSsiRcMYqfqwlRnnldpbdp7LOn6LOwIBAg==
+-----END DH PARAMETERS-----
diff --git a/hitch_latest/hitch.conf b/hitch_latest/hitch.conf
new file mode 100644
index 0000000..0b35f41
--- /dev/null
+++ b/hitch_latest/hitch.conf
@@ -0,0 +1,2 @@
+pem-file = "/etc/hitch/certs/example.com"
+user = "_hitch"

[gquintard]

failed fetching repo "hitch" unable to find a manifest named "hitch" (in "/tmp/tmp.lVOMEhzXPf/oi/library" or as a remote URL)

isn't very reassuring, is it our fault?

[tianon]

@gquintard sorry, that bit's just a quirk of how diff-pr.sh works for "new-image" PRs (there's no real error there) -- I'm looking to make that more friendly in #7966 👍

Sorry for the delay on this; the world has been a little more crazy than usual. 😅

Here are a few thoughts on my initial look over the Dockerization:

---

	apt-get install -y --no-install-recommends openssl hitch=1.5.0-1; \

As a Debian Developer, I love to see Debian packages being used. However, for the purposes of official images, I'd exercise caution taking this route -- packages in Debian often require/use some amount of customization or default configuration that may not be what you as upstream would want (such as the auto-created user being called _hitch instead of hitch) or may not be suited for use in Docker. More critically though, this means that you're stuck with whatever packages are in Buster or backports, and in this case that concretely means you're at least 2 minor releases behind (Sid has 1.5.2).

Are there not any upstream-maintained packages available for Hitch (similar to what Varnish has) such that the distribution packages are preferred?

At this point we don't provide publicly available packages for Hitch. We might do this in the near future. Meanwhile, we're relying on Debian Buster's Hitch package which does offer a quite recent version.

(To be clear, this isn't a blocker -- think of it more as a warning of issues that might be in your future taking this route. Ultimately the choice is up to you whether this older version is "recent enough" to be considered useful. 😄 ❤️)

---

CMD hitch --config=/etc/hitch/hitch.conf --frontend="[$FRONTEND_HOST]:$FRONTEND_PORT" --backend="[$BACKEND_HOST]:$BACKEND_PORT" $PROXY_PROTOCOL

Using the shell syntax here means that there are potentially cases where /bin/sh will stick around; see #7662 (comment) for more on this and how it was fixed in varnish 😄 (I think the note there about "generic" environment variables names apply here to some extent, but not quite to the level of $SIZE 😅).

Also, with so many flags being specified by default (and controlled via environment variables), this becomes very difficult for users to add additional command-line flags, especially if they want their additional flags to interact with these default settings in some way.

---

COPY example.com /etc/hitch/certs

Having this example certificate pair pre-baked into the image feels a little strange IMO -- what're the details of that certificate? How does it get regenerated? What's it valid for, how long, etc? Is it signed by any other party? (These are all questions that are hard to answer from just an opaque certificate.)

Does having this certificate pre-baked in the image help users get started using Hitch faster? Does it hamper folks who are already set up and ready to go and just want to get Hitch running? (For example, do they have to disable or delete this certificate before using Hitch? Could it cause any ill/unexpected effect if they don't do so?)

---

user = "_hitch"

If users accidentally omit this bit from their configuration files, will Hitch run as root instead, or does it have some kind of protection against that?

Is it worth considering using USER _hitch or similar instead to enforce this at a higher level? (Usually filesystem permissions and/or "privileged" ports are the reasons setting USER becomes a hassle.)

Did you want to create a dedicated hitch user separate from the one auto-created by the Debian package? (Think about whether that might be something you'll want to consider doing later too, because it's much easier on you to make that sort of user-breaking change now than after we merge this, especially if it ends up getting embedded in user's configuration files too.)

---

All in all, I think one of my biggest concerns here is the overall simplicity of it -- I frankly don't see a ton of benefit of this over a user doing the bare-minimum FROM debian + RUN apt-get install hitch themselves (minus a tiny amount of sugar) beyond it being a pre-built image, which IMO isn't a very compelling sell for maintaining it here. Thoughts?

[gquintard]

this can be closed in favor of #8674

[ThijsFeryn]

I'll close this one, but please have a look at #8674, which takes the criticism of @tianon into account.