Added a mysql chown to guarantee correct ownership on remotely mounted directories that keep their own permissions, and added rng-tools to help with entropy ("randomness") generation, plus a README note about it and its security implications.

pull/4/head
Ventz Petkov 2017-02-09 11:25:59 -05:00
parent 82adc8ae92
commit 09c043f779
2 changed files with 15 additions and 4 deletions


@ -81,5 +81,14 @@ And in your ```/certs``` dir, create private/public certs with file names:
* misp.key
* misp.cert
# Security note in regards to key generation:
We have added "rng-tools" in order to help with entropy generation,
since users have mentioned that during the pgp generation, some systems
have a hard time creating enough "randomness". This in turn uses a pseudo-random
generator, which is not 100% secure. If this is a concern for a
production environment, you can either 1.) take out the "rng-tools"
part from the Dockerfile and re-build the container, or 2.) replace the keys with
your own! For most users, this should not ever be an issue.
# Help/Questions/Comments:
For help or more info, feel free to contact Ventz Petkov: ventz_petkov@harvard.edu


@ -10,13 +10,14 @@ ARG MISP_EMAIL=admin@localhost
# Dir you need to override to keep data on reboot/new container:
VOLUME /var/lib/mysql
#VOLUME /var/www/MISP/Config
# Dir you might want to override in order to have custom ssl certs
# Need: "misp.key" and "misp.cert"
#VOLUME /etc/ssl/private
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update && apt-get install -y supervisor cron logrotate syslog-ng-core postfix curl gcc git gnupg-agent make python openssl redis-server sudo vim zip wget mariadb-client mariadb-server apache2 apache2-doc apache2-utils libapache2-mod-php php php-cli php-crypt-gpg php-dev php-json php-mysql php-opcache php-readline php-redis python-dev python-pip libxml2-dev libxslt1-dev zlib1g-dev python-setuptools
RUN apt-get update && apt-get install -y supervisor cron logrotate syslog-ng-core postfix curl gcc git gnupg-agent make python openssl redis-server sudo vim zip wget mariadb-client mariadb-server apache2 apache2-doc apache2-utils libapache2-mod-php php php-cli php-crypt-gpg php-dev php-json php-mysql php-opcache php-readline php-redis python-dev python-pip libxml2-dev libxslt1-dev zlib1g-dev python-setuptools rng-tools
#echo "test -e /var/run/mysqld || install -m 755 -o mysql -g root -d /var/run/mysqld" ; \
RUN sed -i -E 's/^(\s*)system\(\);/\1unix-stream("\/dev\/log");/' /etc/syslog-ng/syslog-ng.conf ; \
@ -99,16 +100,17 @@ RUN mkdir /var/www/.composer && chown -R www-data:www-data /var/www/.composer ;
sudo -u www-data cp -a /var/www/MISP/app/Config/config.default.php /var/www/MISP/app/Config/config.php
RUN sed -i -e 's/db login/misp/g' /var/www/MISP/app/Config/database.php ; \
sed -i -e "s/db password/$MYSQL_MISP_PASSWORD/g" /var/www/MISP/app/Config/database.php ; \
sed -i -e "s/db password/${MYSQL_MISP_PASSWORD}/g" /var/www/MISP/app/Config/database.php ; \
sed -i -E "s/'salt'(\s+)=>\s''/'salt' => '`openssl rand -base64 32 | tr \'/\' \'0\'`'/" /var/www/MISP/app/Config/config.php ; \
sed -i -E "s/'baseurl'(\s+)=>\s''/'baseurl' => 'https:\/\/$MISP_FQDN'/" /var/www/MISP/app/Config/config.php ; \
sed -i -e "s/email@address.com/$MISP_EMAIL/" /var/www/MISP/app/Config/config.php ; \
sed -i -E "s/'baseurl'(\s+)=>\s''/'baseurl' => 'https:\/\/${MISP_FQDN}'/" /var/www/MISP/app/Config/config.php ; \
sed -i -e "s/email@address.com/${MISP_EMAIL}/" /var/www/MISP/app/Config/config.php ; \
sudo chown -R www-data:www-data /var/www/MISP/app/Config ; \
sudo chmod -R 750 /var/www/MISP/app/Config ; \
sudo pip install pyzmq ; \
sudo pip install redis ; \
echo "#!/bin/bash" > /init-db ; \
echo "if [ ! -f /var/lib/mysql/.db_initialized ]; then" >> /init-db ; \
echo "sudo chown -R mysql:mysql /var/lib/mysql" >> /init-db ; \
echo "sudo -u mysql -H /usr/bin/mysql_install_db --user=mysql" >> /init-db ; \
echo "chown -R mysql:mysql /var/lib/mysql" >> /init-db ; \
echo "cd '/usr' ; /usr/bin/mysqld_safe --datadir='/var/lib/mysql' &" >> /init-db ; \
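Review bot: Adding `rng-tools` to the apt-get line in the first hunk installs rngd but nothing in the visible Dockerfile configures or starts it, so how it is expected to obtain entropy inside the container is undocumented; a container normally has no `/dev/hwrng`, and if rngd is later pointed at `/dev/urandom` (a common workaround) it only inflates the kernel's entropy estimate without adding real entropy, which is what the README note in this commit seems to be gesturing at with "pseudo-random generator". I would annotate the package choice, e.g. `# rng-tools: rngd needs a real entropy source (/dev/hwrng or RDRAND via the host); do not feed it /dev/urandom, that only unblocks /dev/random without adding entropy`, and state in the README which source is actually used. Separately, the rewritten `sed ... "s/db password/${MYSQL_MISP_PASSWORD}/g"` in the second hunk still interpolates the value unescaped: a password containing `/`, `&` or `\` breaks or alters the substitution, and if MYSQL_MISP_PASSWORD is a build ARG (as the `ARG MISP_EMAIL` context line suggests) it also lands in the image history and in the database.php layer, so it should be treated as a bootstrap value to rotate, not a production secret. The RUN statement containing these lines continues past the end of the hunk.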