Tidy things up before publishing (#11)

Co-authored-by: Stefano Ortolani <ortolanis@vmware.com>
2022-12-06 17:13:23 +00:00 · 2022-12-06 17:13:23 +00:00 · 25dd423617
parent 814379c22f
commit 25dd423617
17 changed files with 142 additions and 187 deletions
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@ -1,12 +0,0 @@
 # These are supported funding model platforms
 github: [coolacid]
 patreon: # Replace with a single Patreon username
 open_collective: # Replace with a single Open Collective username
 ko_fi: # Replace with a single Ko-fi username
 tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
 community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
 liberapay: # Replace with a single Liberapay username
 issuehunt: # Replace with a single IssueHunt username
 otechie: # Replace with a single Otechie username
 custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
--- a/.github/workflows/release-latest.yml
+++ b/.github/workflows/release-latest.yml
@ -18,7 +18,7 @@ jobs:
      env:
        GITHUB_CONTEXT: ${{ toJson(github) }}
      run: |
-        docker compose --file build-docker-compose.yml --env-file template.env build
+        docker compose --env-file template.env build
        # Tag the image with the commit SHA[0:7]
        DOCKER_IMG_TAG=`echo "${{ github.sha }}" | cut -c 1-7`
        docker tag ${{ secrets.DOCKER_USERNAME }}/misp-docker:core-latest ${{ secrets.DOCKER_USERNAME }}/misp-docker:core-$DOCKER_IMG_TAG
--- a/.github/workflows/test-build-latest.yml
+++ b/.github/workflows/test-build-latest.yml
@ -15,4 +15,4 @@ jobs:
    - uses: actions/checkout@v3
    - name: Build the Docker images
-      run: docker compose --file build-docker-compose.yml --env-file template.env build 
+      run: docker compose --env-file template.env build 
--- a/.gitignore
+++ b/.gitignore
@ -1,7 +1,7 @@
 /logs/
 /files/
 /ssl/
 /configs/
 /files/
 /gnupg/
 /logs/
 /public/
-.gnupg
+/ssl/
 .env
--- a/.travis.yml
+++ b/.travis.yml
@ -1,12 +0,0 @@
 language: minimal
 env:
  - DOCKER_COMPOSE_VERSION=1.25.3
 before_install:
  - curl -L https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-`uname -s`-`uname -m` | sudo tee /usr/local/bin/docker-compose >/dev/null
  - sudo chmod +x /usr/local/bin/docker-compose
 script:
  - docker-compose -f docker-compose.yml -f build-docker-compose.yml build
--- a/README.md
+++ b/README.md
@ -1,13 +1,11 @@
-# CoolAcid's MISP Docker images
+# TAU's MISP Docker images
-[![Codacy Badge](https://api.codacy.com/project/badge/Grade/e9b0c08774a84b9e8e0454f3ac83651f)](https://app.codacy.com/manual/coolacid/docker-misp?utm_source=github.com&utm_medium=referral&utm_content=coolacid/docker-misp&utm_campaign=Badge_Grade_Dashboard)
+[![Build Status](https://img.shields.io/github/workflow/status/ostefano/docker-misp/Build%20the%20Docker%20images%20and%20push%20them%20to%20Docker%20Hub)](https://hub.docker.com/repository/docker/ostefano/misp-docker)
 [![CodeFactor](https://www.codefactor.io/repository/github/coolacid/docker-misp/badge/master)](https://www.codefactor.io/repository/github/coolacid/docker-misp/overview/master)
 [![Build Status](https://travis-ci.org/coolacid/docker-misp.svg?branch=master)](https://travis-ci.org/coolacid/docker-misp)
 [![Gitter chat](https://badges.gitter.im/gitterHQ/gitter.png)](https://gitter.im/MISP/Docker)
-A (nearly) production ready Dockered MISP
+A production ready Dockered MISP based on CoolAcid's MISP Docker image (https://github.com/coolacid/docker-misp).
-This is based on some of the work from the DSCO docker build, nearly all of the details have been rewritten.
+Like CoolAcid's MISP docker image, this is based on some of the work from the DSCO docker build, nearly all of the details have been rewritten.
 -   Components are split out where possible, currently this is only the MISP modules
 -   Over writable configuration files
@ -17,15 +15,30 @@ This is based on some of the work from the DSCO docker build, nearly all of the
 -   Images directly from docker hub, no build required
 -   Slimmed down images by using build stages and slim parent image, removes unnecessary files from images
-## Docker Tags
+Additionally, this fork features the following improvements:
-[Docker hub](https://hub.docker.com/r/coolacid/misp-docker) builds the images automatically based on git tags. I try and tag using the following details
+-   ARM (Apple M1) support
 -   Fix and improve support for cron jobs
 -   Fix Supervisor handling of entrypoints
 -   Make schema update repeatable and completely offline
 -   Fix missing MISP modules dependencies
 -   New Background Job system, see https://github.com/MISP/MISP/blob/2.4/docs/background-jobs-migration-guide.md
 -   Automatic configuration of MISP modules (see `entrypoint_internal.sh`)
 -   Automatic configuration of sync servers (see `entrypoint_internal.sh`)
 -   Automatic configuration of organizations (see `entrypoint_internal.sh`)
 -   Autoamtic configuration of authentication keys (see `entrypoint_internal.sh`)
-***v\[MISP Version]\[Our build version]***
+As a result, this image is not for everybody and does not (and will not) fit every use case.
 Nevertheless the underlying spirit of this fork is to allow "repeatable deployments", and all pull requests in this direction will be merged.
-   MISP version is the MISP tag we're building
+## Versioning
-   Our build version is the iteration for our changes with the same MISP version
+
-   Core and modules are split into \[core]-version and \[modules]-version respectively
+GitHub builds the images automatically and pushes them to [Docker hub](https://hub.docker.com/r/ostefano/misp-docker). We do not use tags and versioning works as follows:
 -   MISP (and modules) version specified inside the `template.env` file
 -   Docker images are tagged based on the commit hash
 -   Core and modules are tagged as core-commit-sha1[0:7] and modules-commit-sha1[0:7] respectively
 -   The latest images have additional tags core-latest and modules-latest
 ## Getting Started
@ -33,10 +46,6 @@ This is based on some of the work from the DSCO docker build, nearly all of the
 ### Development/Test
 -   Grab the `docker-compose.yml` and `server-configs/email.php` files (Keep directory structure)
 -   A dry run will create sane default configurations
 -   `docker-compose up`
 -   Login to `https://localhost`
@ -47,7 +56,7 @@ This is based on some of the work from the DSCO docker build, nearly all of the
 ### Using the image for development
-Pull the entire repository, you can build the images using `docker-compose -f docker-compose.yml -f build-docker-compose.yml build`
+Pull the entire repository, you can build the images using `docker-compose build`
 Once you have the docker container up you can access the container by running `docker-compose exec misp /bin/bash`.
 This will provide you with a root shell. You can use `apt update` and then install any tools you wish to use.
@ -73,11 +82,10 @@ Updating the images should be as simple as `docker-compose pull` which, unless c
 -   Additional directory volume mounts:
    -   `/var/www/MISP/app/files`
    -   `/var/www/MISP/.gnupg`
    -   `/var/www/MISP/.smime`
 ### Building
-If you are interested in building the project from scratch - `git clone` or download the entire repo and run `docker-compose -f build-docker-compose.yml build` 
+If you are interested in building the project from scratch - `git clone` or download the entire repo and run `docker-compose build` 
 ## Image file sizes
@ -91,3 +99,25 @@ If you are interested in building the project from scratch - `git clone` or down
 -   Modules (Saved: 640MB)
    -   Original: 1.36GB
    -   Pre-build modules: 750MB
 ### Configuration
 The `docker-compose.yml` file further allows the following configuration settings:
 ```
 "MYSQL_HOST=db"
 "MYSQL_USER=misp"
 "MYSQL_PASSWORD=example"    # NOTE: This should be AlphaNum with no Special Chars. Otherwise, edit config files after first run. 
 "MYSQL_DATABASE=misp"
 "NOREDIR=true"              # Do not redirect port 80
 "DISIPV6=true"              # Disable IPV6 in nginx
 "CERTAUTH=optional"         # Can be set to optional or on - Step 2 of https://github.com/MISP/MISP/tree/2.4/app/Plugin/CertAuth is still required
 "SECURESSL=true"            # Enable higher security SSL in nginx
 "MISP_MODULES_FQDN=http://misp-modules" # Set the MISP Modules FQDN, used for Enrichment_services_url/Import_services_url/Export_services_url
 "WORKERS=1"                 # Legacy variable controlling the number of parallel workers (use variables below instead)
 "NUM_WORKERS_DEFAULT=5"     # To set the number of default workers
 "NUM_WORKERS_PRIO=5"        # To set the number of prio workers
 "NUM_WORKERS_EMAIL=5"       # To set the number of email workers
 "NUM_WORKERS_UPDATE=1"      # To set the number of update workers
 "NUM_WORKERS_CACHE=5"       # To set the number of cache workers
 ```
--- a/build-docker-compose.yml
+++ b/build-docker-compose.yml
@ -1,17 +0,0 @@
 version: '3'
 services:
  misp:
    image: ostefano/misp-docker:core-latest
    build:
        context: server/.
        args:
            - MISP_TAG=${MISP_TAG}
            - MISP_COMMIT=${MISP_COMMIT}
            - PHP_VER=${PHP_VER}
  misp-modules:
    image: ostefano/misp-docker:modules-latest
    build:
        context: modules/.
        args:
            - MODULES_TAG=${MODULES_TAG}
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -30,6 +30,12 @@ services:
  misp:
    image: ostefano/misp-docker:core-latest
    build:
      context: server/.
      args:
          - MISP_TAG=${MISP_TAG}
          - MISP_COMMIT=${MISP_COMMIT}
          - PHP_VER=${PHP_VER}
    depends_on:
      - redis
      - db
@ -37,48 +43,30 @@ services:
      - "80:80"
      - "443:443"
    volumes:
-      - "./configs/:/var/www/MISP/app/Config/:delegated"
+      - "./configs/:/var/www/MISP/app/Config/"
-      - "./logs/:/var/www/MISP/app/tmp/logs/:delegated"
+      - "./logs/:/var/www/MISP/app/tmp/logs/"
-      - "./files/:/var/www/MISP/app/files/:delegated"
+      - "./files/:/var/www/MISP/app/files/"
-      - "./ssl/:/etc/nginx/certs/:delegated"
+      - "./ssl/:/etc/nginx/certs/"
-      - "${PUBLIC_MOUNT_POINT}:/mnt/public/:delegated"
+      - "./gnupg/:/var/www/MISP/.gnupg/"
      - "${PUBLIC_MOUNT_POINT}:/mnt/public/"
 #      - "./examples/custom-entrypoint.sh:/custom-entrypoint.sh" # Use the example custom-entrypoint.sh
      - "./.gnupg/:/var/www/MISP/.gnupg/:delegated"
    environment:
      - "HOSTNAME=https://localhost"
      - "REDIS_FQDN=redis"
      - "INIT=true"             # Initialze MISP, things includes, attempting to import SQL and the Files DIR
      - "CRON_USER_ID=1"        # The MISP user ID to run cron jobs as
      # Synchronization Servers settings
-      - "SYNCSERVERS=1"
+      - "SYNCSERVERS=${SYNCSERVERS}"
      - "SYNCSERVERS_1_NAME=${SYNCSERVERS_1_NAME}"
      - "SYNCSERVERS_1_UUID=${SYNCSERVERS_1_UUID}"
      - "SYNCSERVERS_1_KEY=${SYNCSERVERS_1_KEY}"
      - |
        SYNCSERVERS_1_DATA=
        {
-          "url": "https://intel.thedfirreport.com/",
+          "url": "${SYNCSERVERS_1_URL}",
          "pull_rules": "{\"tags\":{\"OR\":[],\"NOT\":[]},\"orgs\":{\"OR\":[],\"NOT\":[]},\"url_params\":\"{\\\"searchanalysis\\\": \\\"2\\\"}\"}",
          "pull": true
        }
      - "ORGANIZATIONS=${ORGANIZATIONS}"
      # Database Configuration (And their defaults)
 #      - "MYSQL_HOST=db"
 #      - "MYSQL_USER=misp"
 #      - "MYSQL_PASSWORD=example" # NOTE: This should be AlphaNum with no Special Chars. Otherwise, edit config files after first run. 
 #      - "MYSQL_DATABASE=misp"
      # Optional Settings
 #      - "NOREDIR=true" # Do not redirect port 80
 #      - "DISIPV6=true" # Disable IPV6 in nginx
 #      - "CERTAUTH=optional" # Can be set to optional or on - Step 2 of https://github.com/MISP/MISP/tree/2.4/app/Plugin/CertAuth is still required
 #      - "SECURESSL=true" # Enable higher security SSL in nginx
 #      - "MISP_MODULES_FQDN=http://misp-modules" # Set the MISP Modules FQDN, used for Enrichment_services_url/Import_services_url/Export_services_url
 #      - "WORKERS=1" # Legacy variable controlling the number of parallel workers (use variables below instead)
 #      - "NUM_WORKERS_DEFAULT=5"    # To set the number of default workers
 #      - "NUM_WORKERS_PRIO=5"       # To set the number of prio workers
 #      - "NUM_WORKERS_EMAIL=5"      # To set the number of email workers
 #      - "NUM_WORKERS_UPDATE=1"     # To set the number of update workers
 #      - "NUM_WORKERS_CACHE=5"      # To set the number of cache workers
      # Custom Settings
      - "ADMIN_EMAIL=${ADMIN_EMAIL}"
      - "ADMIN_KEY=${ADMIN_KEY}"
@ -86,9 +74,15 @@ services:
      - "GPG_PASSPHRASE=${GPG_PASSPHRASE}"
      - "NSX_ANALYSIS_API_TOKEN=${NSX_ANALYSIS_API_TOKEN}"
      - "NSX_ANALYSIS_KEY=${NSX_ANALYSIS_KEY}"
      - "ORGANIZATIONS=${ORGANIZATIONS}"
      - "VIRUSTOTAL_KEY=${VIRUSTOTAL_KEY}"
  misp-modules:
    image: ostefano/misp-docker:modules-latest
    build:
      context: modules/.
      args:
        - MODULES_TAG=${MODULES_TAG}
        - MODULES_COMMIT=${MODULES_COMMIT}
    environment:
      - "REDIS_BACKEND=redis"
    depends_on:
--- a/modules/hooks/build
+++ b/modules/hooks/build
@ -1,17 +0,0 @@
 #!/bin/bash
 # https://docs.docker.com/docker-cloud/builds/advanced/
 # $IMAGE_NAME var is injected into the build so the tag is correct.
 echo "[***] Build hook running"
 export $(grep -v '^#' ../.env | xargs)
 docker pull $DOCKER_REPO:modules-latest
 docker build \
    --build-arg MODULES_TAG=$MODULES_TAG \
    --build-arg PHP_VER=$PHP_VER \
    --build-arg BUILD_RFC3339=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
    --build-arg COMMIT=$(git rev-parse --short HEAD) \
    --build-arg VERSION=$(git describe --tags --always) \
    -t $IMAGE_NAME .
--- a/modules/hooks/post_push
+++ b/modules/hooks/post_push
@ -1,4 +0,0 @@
 #!/bin/bash
 docker tag $IMAGE_NAME $DOCKER_REPO:modules-latest
 docker push $DOCKER_REPO:modules-latest
--- a/public/.keep
+++ b/public/.keep
--- a/server/Dockerfile
+++ b/server/Dockerfile
@ -136,7 +136,9 @@ ARG PHP_VER
    RUN git clone --branch ${MISP_TAG} --depth 1 https://github.com/MISP/MISP.git /var/www/MISP
    RUN if [ ! -z ${MISP_COMMIT} ]; then cd /var/www/MISP && git checkout ${MISP_COMMIT}; fi; \
        # We build the MISP modules outside, so we don't need to grab those submodules
-        cd /var/www/MISP/app || exit; git submodule update --init --recursive .;
+        cd /var/www/MISP/app || exit; git submodule update --init --recursive .; \
        # Remove some old and broken links that pollute the log files
        rm -rf /var/www/MISP/INSTALL/old
 # Python Modules
    COPY --from=python-build /wheels /wheels
--- a/server/files/entrypoint_internal.sh
+++ b/server/files/entrypoint_internal.sh
@ -78,7 +78,7 @@ apply_critical_fixes() {
    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.external_baseurl" "${HOSTNAME}"
    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.host_org_id" 1
    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Action_services_enable" false
-    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_enable" true
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_enable" false
    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_popover_only" false
    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.csp_enforce" true
 }
@ -214,6 +214,13 @@ get_server() {
     -H "Content-type: application/json" ${HOSTNAME}/servers | jq -e -r ".[] | select(.Server[\"name\"] == \"${1}\") | .Server.id"
 }
 updateComponents() {
    sudo -u www-data /var/www/MISP/app/Console/cake Admin updateGalaxies
    sudo -u www-data /var/www/MISP/app/Console/cake Admin updateTaxonomies
    sudo -u www-data /var/www/MISP/app/Console/cake Admin updateWarningLists
    sudo -u www-data /var/www/MISP/app/Console/cake Admin updateNoticeLists
    sudo -u www-data /var/www/MISP/app/Console/cake Admin updateObjectTemplates "$CRON_USER_ID"
 }
 echo "Customize MISP | Configure email ..." && configure_email
@ -233,15 +240,14 @@ echo "Customize MISP | Configure plugins ..." && configure_plugins
 # Create organizations (and silently fail if present already)
 echo "Customize MISP | Creating organizations ..."
 SPLITTED_ORGS=$(echo $ORGANIZATIONS | tr ',' '\n')
-for ORG in $SPLITTED_ORGS
+for ORG in $SPLITTED_ORGS; do
 do
    echo "Adding organization: $ORG"
    add_organization $ORG true
 done
-
+echo "Customize MISP | Creating sync servers ..."
-# Create sync servers
+SPLITTED_SYNCSERVERS=$(echo $SYNCSERVERS | tr ',' '\n')
-for ID in $SYNCSERVERS; do
+for ID in $SPLITTED_SYNCSERVERS; do
    NAME="SYNCSERVERS_${ID}_NAME"
    UUID="SYNCSERVERS_${ID}_UUID"
    DATA="SYNCSERVERS_${ID}_DATA"
@ -255,5 +261,7 @@ for ID in $SYNCSERVERS; do
    fi
 done
 echo "Customize MISP | Updating components ..." && updateComponents
 # Make the instance live
 sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1
--- a/server/files/entrypoint_nginx.sh
+++ b/server/files/entrypoint_nginx.sh
@ -34,27 +34,26 @@ init_misp_config(){
    sed -i "s/db\s*login/$MYSQL_USER/" $MISP_APP_CONFIG_PATH/database.php
    sed -i "s/db\s*password/$MYSQL_PASSWORD/" $MISP_APP_CONFIG_PATH/database.php
    sed -i "s/'database' => 'misp'/'database' => '$MYSQL_DATABASE'/" $MISP_APP_CONFIG_PATH/database.php
    echo "Configure sane defaults"
    /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_host" "$REDIS_FQDN"
    /var/www/MISP/app/Console/cake Admin setSetting "MISP.baseurl" "$HOSTNAME"
    /var/www/MISP/app/Console/cake Admin setSetting "MISP.python_bin" $(which python3)
    /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_host" "$REDIS_FQDN"
    /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_enable" true
    /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_enable" true
    /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_url" "$MISP_MODULES_FQDN"
    /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_enable" true
    /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_url" "$MISP_MODULES_FQDN"
    /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_enable" true
    /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_url" "$MISP_MODULES_FQDN"
    /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_enable" false
 }
 init_misp_defaults(){
    # Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
    echo "Configure sane defaults"
    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_host" "$REDIS_FQDN"
    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.baseurl" "$HOSTNAME"
    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.python_bin" $(which python3)
    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_host" "$REDIS_FQDN"
    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_enable" true
    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_enable" true
    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_url" "$MISP_MODULES_FQDN"
    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_enable" true
    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_url" "$MISP_MODULES_FQDN"
    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_enable" true
    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_url" "$MISP_MODULES_FQDN"
    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_enable" false
 }
 init_misp_workers(){
    # Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
    echo "Configuring background workers"
@ -145,13 +144,21 @@ echo "Configure MISP | Initialize misp base config..." && init_misp_config
 echo "Configure MISP | Sync app files..." && sync_files
 echo "Configure MISP | Enforce permissions ..."
-echo "... chown -R www-data:www-data /var/www/MISP ..." && find /var/www/MISP -not -user www-data -exec chown www-data:www-data {} +
+# The spirit of the upstrem dockerization is to keep user and group aligned in terms of permissions
-echo "... chmod -R 0750 /var/www/MISP ..." && find /var/www/MISP -perm 550 -type f -exec chmod 0550 {} + && find /var/www/MISP -perm 770 -type d -exec chmod 0770 {} +
+echo "... chown -R www-data:www-data /var/www/MISP ..." && find /var/www/MISP \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
-echo "... chmod -R g+ws /var/www/MISP/app/tmp ..." && chmod -R g+ws /var/www/MISP/app/tmp
+# Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
-echo "... chmod -R g+ws /var/www/MISP/app/files ..." && chmod -R g+ws /var/www/MISP/app/files
+echo "... chmod -R 0550 files /var/www/MISP ..." && find /var/www/MISP -not -perm 550 -type f -exec chmod 0550 {} +
-echo "... chmod -R g+ws /var/www/MISP/app/files/scripts/tmp ..." && chmod -R g+ws /var/www/MISP/app/files/scripts/tmp
+# Directories are also writable, because there seems to be a requirement to add new files every once in a while
 echo "... chmod -R 0770 directories /var/www/MISP ..." && find /var/www/MISP -not -perm 770 -type d -exec chmod 0770 {} +
 # We make 'files' and 'tmp' (logs) directories and files user and group writable (we removed the SGID bit)
 echo "... chmod -R u+w,g+w /var/www/MISP/app/tmp ..." && chmod -R u+w,g+w /var/www/MISP/app/tmp
 echo "... chmod -R u+w,g+w /var/www/MISP/app/files ..." && chmod -R u+w,g+w /var/www/MISP/app/files
 # We also make other special files writable (should be 660)
 echo "... chmod 600 /var/www/MISP/app/Config/config.php /var/www/MISP/app/Config/database.php /var/www/MISP/app/Config/email.php ... " && chmod 600 /var/www/MISP/app/Config/config.php /var/www/MISP/app/Config/database.php /var/www/MISP/app/Config/email.php
 # Configuring defaults now
 echo "Configure MISP | Setting defaults ..." && init_misp_defaults
 # Workers are set to NOT auto start so we have time to enforce permissions on the cache first
 echo "Configure MISP | Starting workers ..." && init_misp_workers
@ -219,26 +226,6 @@ if [[ "$WARNING53" == true ]]; then
 fi
 if [[ -x /entrypoint_internal.sh ]]; then
    ## Re-exporting might not be necessary after all?
    # export ADMIN_EMAIL=${ADMIN_EMAIL}
    # export ADMIN_ORG=${ADMIN_ORG}
    # export ADMIN_KEY=${ADMIN_KEY}
    # export GPG_PASSPHRASE=${GPG_PASSPHRASE}
    # export HOSTNAME=${HOSTNAME}
    # export NSX_ANALYSIS_API_TOKEN=${NSX_ANALYSIS_API_TOKEN}
    # export NSX_ANALYSIS_KEY=${NSX_ANALYSIS_KEY}
    # export VIRUSTOTAL_KEY=${VIRUSTOTAL_KEY}
    # export SYNCSERVERS=${SYNCSERVERS}
    # for ID in $SYNCSERVERS; do
    #     NAME="SYNCSERVERS_${ID}_NAME"
    #     UUID="SYNCSERVERS_${ID}_UUID"
    #     DATA="SYNCSERVERS_${ID}_DATA"
    #     KEY="SYNCSERVERS_${ID}_KEY"
    #     export ${NAME}="${!NAME}"
    #     export ${UUID}="${!UUID}"
    #     export ${DATA}="${!DATA}"
    #     export ${KEY}="${!KEY}"
    # done
    export MYSQLCMD=${MYSQLCMD}
    nginx -g 'daemon off;' & master_pid=$!
    /entrypoint_internal.sh
--- a/server/hooks/build
+++ b/server/hooks/build
@ -1,17 +0,0 @@
 #!/bin/bash
 # https://docs.docker.com/docker-cloud/builds/advanced/
 # $IMAGE_NAME var is injected into the build so the tag is correct.
 echo "[***] Build hook running"
 export $(grep -v '^#' ../.env | xargs)
 docker pull $DOCKER_REPO:core-latest
 docker build \
    --build-arg MISP_TAG=$MISP_TAG \
    --build-arg PHP_VER=$PHP_VER \
    --build-arg BUILD_RFC3339=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
    --build-arg COMMIT=$(git rev-parse --short HEAD) \
    --build-arg VERSION=$(git describe --tags --always) \
    -t $IMAGE_NAME .
--- a/server/hooks/post_push
+++ b/server/hooks/post_push
@ -1,4 +0,0 @@
 #!/bin/bash
 docker tag $IMAGE_NAME $DOCKER_REPO:core-latest
 docker push $DOCKER_REPO:core-latest
--- a/template.env
+++ b/template.env
@ -6,21 +6,38 @@ PHP_VER=20190902
 # MODULES_COMMIT takes precedence over MODULES_TAG
 # MODULES_COMMIT=de69ae3
 # default to MISP's default (admin@admin.test)
 ADMIN_EMAIL=
 # default to MISP's default (Org1)
 ADMIN_ORG=
 # default to an automatically generated one (password is 'admin')
 ADMIN_KEY=
 # default to 'passphrase'
 GPG_PASSPHRASE=
 # optional and used by some misp-modules
 NSX_ANALYSIS_API_TOKEN=
 NSX_ANALYSIS_KEY=
 VIRUSTOTAL_KEY=
 # optional and used by the mail sub-system
 SMARTHOST_ADDRESS=
 SMARTHOST_PORT=
 SMARTHOST_USER=
 SMARTHOST_PASSWORD=
 SMARTHOST_ALIASES=
-# comma separated list of organizations to create (e.g ORGANIZATIONS="ORG1, ORG2, ORG3")
+# comma separated list of IDs of syncservers (e.g. SYNCSERVERS=1)
 SYNCSERVERS=
 # name, remote organization uuid, and key of each syncserver
 # note: if you have more than one, you need to update docker-compose.yml
 SYNCSERVERS_1_URL=
 SYNCSERVERS_1_NAME=
 SYNCSERVERS_1_UUID=
 SYNCSERVERS_1_KEY=
 # comma separated list of organizations to create (e.g. ORGANIZATIONS="ORG1, ORG2, ORG3")
 ORGANIZATIONS=
-# Host folder containing the files generated by external tools
+
 # host folder containing public files generated by external tools
 PUBLIC_MOUNT_POINT=./public