From 67b9174562a3c28253ef993b78deeba3bc39f510 Mon Sep 17 00:00:00 2001 From: Mark Adams Date: Wed, 8 Jan 2020 14:40:54 -0800 Subject: [PATCH 1/2] Update container to Ubuntu Bionic --- web/Dockerfile | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/web/Dockerfile b/web/Dockerfile index 1abb953..c69cb7a 100644 --- a/web/Dockerfile +++ b/web/Dockerfile @@ -9,8 +9,7 @@ # # We are based on Ubuntu:latest -FROM ubuntu:xenial -MAINTAINER Xavier Mertens +FROM ubuntu:bionic # Install core components ENV DEBIAN_FRONTEND noninteractive @@ -29,10 +28,11 @@ RUN a2dismod status RUN a2dissite 000-default # PHP 7.2 -RUN apt-get install -y libapache2-mod-php php7.2 php7.2-cli php-crypt-gpg php7.2-dev php7.2-json php7.2-mysql php7.2-opcache php7.2-readline php7.2-redis php7.2-xml -RUN apt-get install -y php-pear pkg-config libbson-1.0 libmongoc-1.0-0 php-xml php-dev php-gd +RUN apt-get install -y libapache2-mod-php7.2 php7.2 php7.2-cli php7.2-dev php7.2-json php7.2-mysql php7.2-opcache php7.2-readline php7.2-redis php7.2-xml +RUN apt-get install -y php-pear pkg-config libbson-1.0 libmongoc-1.0-0 php7.2-xml php7.2-dev php7.2-gd # install MySQL PDO extension -RUN apt-get install -y php-mysql +RUN apt-get install -y php7.2-mysql +RUN apt-get install -y php7.2-mbstring # Fix php.ini with recommended settings RUN sed -i "s/max_execution_time = 30/max_execution_time = 300/" /etc/php/7.2/apache2/php.ini @@ -143,7 +143,7 @@ RUN rm -rf taxonomies && git clone https://github.com/MISP/misp-taxonomies.git . RUN chown -R www-data:www-data misp-objects misp-galaxy warninglists taxonomies # Install MISP build requirements -RUN sudo -E apt-get -y install libpoppler58 libpoppler-dev libpoppler-cpp-dev +RUN sudo -E apt-get -y install libpoppler73 libpoppler-dev libpoppler-cpp-dev # Install MISP Modules WORKDIR /opt From 2d5cd097384ca7501d203f37394dbd1e2eae47f2 Mon Sep 17 00:00:00 2001 
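Review bot: The rewritten PHP install line in the second hunk drops `php-crypt-gpg` from the package list, which the commit message ("Update container to Ubuntu Bionic") does not mention; if the Crypt_GPG dependency is now satisfied elsewhere (e.g. through composer) say so in the message, otherwise MISP's GnuPG-backed features lose it on the new base. The same three RUN lines now request `php7.2-xml`, `php7.2-dev` and `php7.2-mysql` twice each, so a single sorted list with one package per continuation line would be cleaner and easier to diff. In the first hunk `FROM ubuntu:bionic` is still a floating tag and the retained comment above it still says "We are based on Ubuntu:latest"; pinning as `FROM ubuntu:bionic@sha256:<digest-placeholder>` and updating the comment would make the build reproducible and the file honest. The third hunk keeps `sudo -E apt-get -y install …` in a step that appears to run as root already (the preceding chown needs it), so the `sudo` is unnecessary (hadolint DL3004).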
From: Mark Adams Date: Wed, 8 Jan 2020 19:25:25 -0800 Subject: [PATCH 2/2] Use fewer image layers --- web/Dockerfile | 236 +++++++++++++++++++++++++------------------------ 1 file changed, 119 insertions(+), 117 deletions(-) diff --git a/web/Dockerfile b/web/Dockerfile index c69cb7a..eac2366 100644 --- a/web/Dockerfile +++ b/web/Dockerfile 
@@ -1,48 +1,48 @@ -# -# Dockerfile to build a MISP (https://github.com/MISP/MISP) container -# -# Original docker file by eg5846 (https://github.com/eg5846) -# -# 2016/03/03 - First release -# 2017/06/02 - Updated -# 2018/04/04 - Added objects templates -# -# We are based on Ubuntu:latest FROM ubuntu:bionic # Install core components ENV DEBIAN_FRONTEND noninteractive -RUN apt-get update && apt-get dist-upgrade -y && apt-get autoremove -y && apt-get clean -RUN apt-get install -y software-properties-common -RUN apt-get install -y postfix -RUN apt-get install -y mysql-client curl gcc git gnupg-agent make python openssl redis-server sudo vim zip locales + +RUN apt-get update && \ + apt-get dist-upgrade -y && apt-get autoremove -y && apt-get clean && \ + apt-get install -y software-properties-common && \ + apt-get install -y postfix && \ + apt-get install -y mysql-client curl gcc git gnupg-agent \ + make python openssl redis-server sudo vim zip locales RUN locale-gen en_US.UTF-8 ENV LANG en_US.UTF-8 RUN add-apt-repository -y ppa:ondrej/php && apt-get update # Apache -RUN apt-get install -y apache2 apache2-doc apache2-utils -RUN a2dismod status -RUN a2dissite 000-default +RUN apt-get install -y apache2 apache2-doc apache2-utils && \ + a2dismod status && \ + a2dissite 000-default -# PHP 7.2 -RUN apt-get install -y libapache2-mod-php7.2 php7.2 php7.2-cli php7.2-dev php7.2-json php7.2-mysql php7.2-opcache php7.2-readline php7.2-redis php7.2-xml -RUN apt-get install -y php-pear pkg-config libbson-1.0 libmongoc-1.0-0 php7.2-xml php7.2-dev php7.2-gd -# install MySQL PDO extension -RUN apt-get install -y php7.2-mysql -RUN apt-get install -y php7.2-mbstring +# PHP 7.2 and install MySQL PDO extension +RUN apt-get install -y libapache2-mod-php7.2 php7.2 php7.2-cli php7.2-dev \ + php7.2-json php7.2-mysql php7.2-opcache php7.2-readline php7.2-redis \ + php7.2-xml && \ + apt-get install -y php-pear pkg-config libbson-1.0 libmongoc-1.0-0 \ + php7.2-xml php7.2-dev php7.2-gd && \ + 
apt-get install -y php7.2-mysql && \ + apt-get install -y php7.2-mbstring # Fix php.ini with recommended settings -RUN sed -i "s/max_execution_time = 30/max_execution_time = 300/" /etc/php/7.2/apache2/php.ini -RUN sed -i "s/memory_limit = 128M/memory_limit = 2048M/" /etc/php/7.2/apache2/php.ini -RUN sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 50M/" /etc/php/7.2/apache2/php.ini -RUN sed -i "s/post_max_size = 8M/post_max_size = 50M/" /etc/php/7.2/apache2/php.ini +RUN sed -i "s/max_execution_time = 30/max_execution_time = 300/" \ + /etc/php/7.2/apache2/php.ini && \ + sed -i "s/memory_limit = 128M/memory_limit = 2048M/" \ + /etc/php/7.2/apache2/php.ini && \ + sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 50M/" \ + /etc/php/7.2/apache2/php.ini && \ + sed -i "s/post_max_size = 8M/post_max_size = 50M/" \ + /etc/php/7.2/apache2/php.ini -RUN apt-get install -y python-dev python-pip libxml2-dev libxslt1-dev zlib1g-dev python-setuptools libfuzzy-dev python-lxml python3-lxml -RUN apt-get install -y cron logrotate supervisor syslog-ng-core -RUN apt-get clean +RUN apt-get install -y python-dev python-pip libxml2-dev libxslt1-dev \ + zlib1g-dev python-setuptools libfuzzy-dev python-lxml python3-lxml && \ + apt-get install -y cron logrotate supervisor syslog-ng-core && \ + apt-get clean # update setuptools because otherwise you'' get python errors RUN pip install --upgrade setuptools 
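Review bot: In the first combined RUN, `apt-get clean` now runs before the three `apt-get install` calls that follow it in the same layer, so the .deb cache those installs download remains in the layer and the "fewer layers" change gains no size here; move the cleanup to the end of the chain, e.g. `&& apt-get clean && rm -rf /var/lib/apt/lists/*`. The same chain keeps `apt-get dist-upgrade -y` (hadolint DL3005), which is better handled by bumping the base-image tag or digest than by upgrading inside the build. The merged PHP RUN requests `php7.2-xml`, `php7.2-dev` and `php7.2-mysql` twice within one command; a single sorted list, one package per continuation line, would make future diffs readable. This hunk also deletes the header comment block crediting the original Dockerfile author without a word in the commit message — worth a line there if that is intentional.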
@@ -52,15 +52,14 @@ RUN chown www-data:www-data /var/www USER www-data RUN git clone https://github.com/MISP/MISP.git WORKDIR /var/www/MISP -RUN git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`) -RUN git config core.filemode false -RUN git submodule update --init --recursive -# Make git ignore filesystem permission differences for submodules -RUN git submodule foreach --recursive git config core.filemode false +RUN git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`) && \ + git config core.filemode false && \ + git submodule update --init --recursive && \ + git submodule foreach --recursive git config core.filemode false WORKDIR /var/www/MISP/app/files/scripts -RUN git clone https://github.com/CybOXProject/python-cybox.git -RUN git clone https://github.com/STIXProject/python-stix.git +RUN git clone https://github.com/CybOXProject/python-cybox.git && \ + git clone https://github.com/STIXProject/python-stix.git WORKDIR /var/www/MISP/app/files/scripts/python-cybox RUN git checkout v2.1.0.12 
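Review bot: The rewritten checkout line still resolves the MISP version at build time (`git checkout tags/$(git describe --tags …)`), so two builds of the same Dockerfile can yield different MISP releases and the image is neither reproducible nor auditable from the file. Consider `ARG MISP_TAG` with `git checkout "tags/${MISP_TAG}"`, falling back to the current latest-tag lookup only when the ARG is empty. The second RUN clones python-cybox and python-stix from their default branches; python-cybox is pinned by the `git checkout v2.1.0.12` in context below, but I cannot see from this hunk whether python-stix gets an equivalent pin.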
@@ -75,20 +74,19 @@ RUN python setup.py install USER www-data WORKDIR /var/www/MISP -RUN git submodule init -RUN git submodule update +RUN git submodule init && git submodule update WORKDIR /var/www/MISP/app # FIX COMPOSER -RUN curl --fail --location -o composer-setup.php https://getcomposer.org/installer -RUN EXPECTED_SIGNATURE="$(curl https://composer.github.io/installer.sig)"; php -r "if (hash_file('sha384', 'composer-setup.php') == '$(echo $EXPECTED_SIGNATURE)' ) { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;" -RUN php composer-setup.php -RUN php -r "unlink('composer-setup.php');" +RUN curl --fail --location -o composer-setup.php https://getcomposer.org/installer && \ + EXPECTED_SIGNATURE="$(curl https://composer.github.io/installer.sig)"; php -r "if (hash_file('sha384', 'composer-setup.php') == '$(echo $EXPECTED_SIGNATURE)' ) { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;" && \ + php composer-setup.php && \ + php -r "unlink('composer-setup.php');" # END FIX -RUN php composer.phar update -RUN php composer.phar config vendor-dir Vendor -RUN php composer.phar install --ignore-platform-reqs +RUN php composer.phar update && \ + php composer.phar config vendor-dir Vendor && \ + php composer.phar install --ignore-platform-reqs USER root RUN phpenmod redis USER www-data 
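Review bot: The composer verification in the FIX COMPOSER block does not fail the build on a bad hash: the else branch only echoes and unlinks, and the `;` after the `EXPECTED_SIGNATURE=` assignment terminates the `&&` chain, so the `php -r` check runs even when the installer download failed. Add `exit(1);` after `unlink('composer-setup.php');`, join the assignment with `&&` instead of `;`, compare with `===` (`hash_file` returns false on a missing file and `false == ''` is true), and fetch the signature with `curl --fail --silent` so an error page is never used as the expected hash. Today the build stops only because `php composer-setup.php` cannot find the removed file, which is incidental rather than a check. The chained `php composer.phar update` before `install --ignore-platform-reqs` also rewrites any lock file at build time; if MISP ships a composer.lock, `install` alone would respect it.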
@@ -96,51 +94,53 @@ RUN cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeR # Fix permissions USER root -RUN chown -R www-data:www-data /var/www/MISP -RUN chmod -R 750 /var/www/MISP -RUN chmod -R g+ws /var/www/MISP/app/tmp -RUN chmod -R g+ws /var/www/MISP/app/files -RUN chmod -R g+ws /var/www/MISP/app/files/scripts/tmp -RUN chmod +x /var/www/MISP/app/Console/cake +RUN chown -R www-data:www-data /var/www/MISP && \ + chmod -R 750 /var/www/MISP && \ + chmod -R g+ws /var/www/MISP/app/tmp && \ + chmod -R g+ws /var/www/MISP/app/files && \ + chmod -R g+ws /var/www/MISP/app/files/scripts/tmp && \ + chmod +x /var/www/MISP/app/Console/cake RUN cp /var/www/MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp # Preconfigure setting for packages -RUN echo "postfix postfix/main_mailer_type string Local only" | debconf-set-selections -RUN echo "postfix postfix/mailname string localhost.localdomain" | debconf-set-selections +RUN echo "postfix postfix/main_mailer_type string Local only" \ + | debconf-set-selections && \ + echo "postfix postfix/mailname string localhost.localdomain" | \ + debconf-set-selections # Redis Setup RUN sed -i 's/^\(daemonize\s*\)yes\s*$/\1no/g' /etc/redis/redis.conf # Apache Setup -RUN cp /var/www/MISP/INSTALL/apache.misp.ubuntu /etc/apache2/sites-available/misp.conf -RUN a2dissite 000-default -RUN a2ensite misp -RUN a2enmod rewrite -RUN a2enmod headers +RUN cp /var/www/MISP/INSTALL/apache.misp.ubuntu /etc/apache2/sites-available/misp.conf && \ + a2dissite 000-default && \ + a2ensite misp && \ + a2enmod rewrite && \ + a2enmod headers # MISP base configuration -RUN sudo -u www-data cp -a /var/www/MISP/app/Config/bootstrap.default.php /var/www/MISP/app/Config/bootstrap.php -RUN sudo -u www-data cp -a /var/www/MISP/app/Config/database.default.php /var/www/MISP/app/Config/database.php -RUN sudo -u www-data cp -a /var/www/MISP/app/Config/core.default.php /var/www/MISP/app/Config/core.php -RUN sudo -u www-data cp -a 
/var/www/MISP/app/Config/config.default.php /var/www/MISP/app/Config/config.php -RUN chown -R www-data:www-data /var/www/MISP/app/Config -RUN chmod -R 750 /var/www/MISP/app/Config +RUN sudo -u www-data cp -a /var/www/MISP/app/Config/bootstrap.default.php /var/www/MISP/app/Config/bootstrap.php && \ + sudo -u www-data cp -a /var/www/MISP/app/Config/database.default.php /var/www/MISP/app/Config/database.php && \ + sudo -u www-data cp -a /var/www/MISP/app/Config/core.default.php /var/www/MISP/app/Config/core.php && \ + sudo -u www-data cp -a /var/www/MISP/app/Config/config.default.php /var/www/MISP/app/Config/config.php && \ + chown -R www-data:www-data /var/www/MISP/app/Config && \ + chmod -R 750 /var/www/MISP/app/Config # Replace the default salt RUN sed -i -E "s/'salt'\s=>\s'(\S+)'/'salt' => '`openssl rand -base64 32|tr "/" "-"`'/" /var/www/MISP/app/Config/config.php # Enable workers at boot time -RUN chmod a+x /var/www/MISP/app/Console/worker/start.sh -RUN echo "sudo -u www-data bash /var/www/MISP/app/Console/worker/start.sh" >>/etc/rc.local +RUN chmod a+x /var/www/MISP/app/Console/worker/start.sh && \ + echo "sudo -u www-data bash /var/www/MISP/app/Console/worker/start.sh" >>/etc/rc.local # Install templates & stuff WORKDIR /var/www/MISP/app/files -RUN rm -rf misp-objects && git clone https://github.com/MISP/misp-objects.git -RUN rm -rf misp-galaxy && git clone https://github.com/MISP/misp-galaxy.git -RUN rm -rf warninglists && git clone https://github.com/MISP/misp-warninglists.git ./warninglists -RUN rm -rf taxonomies && git clone https://github.com/MISP/misp-taxonomies.git ./taxonomies -RUN chown -R www-data:www-data misp-objects misp-galaxy warninglists taxonomies +RUN rm -rf misp-objects && git clone https://github.com/MISP/misp-objects.git && \ + rm -rf misp-galaxy && git clone https://github.com/MISP/misp-galaxy.git && \ + rm -rf warninglists && git clone https://github.com/MISP/misp-warninglists.git ./warninglists && \ + rm -rf taxonomies && git clone 
https://github.com/MISP/misp-taxonomies.git ./taxonomies && \ + chown -R www-data:www-data misp-objects misp-galaxy warninglists taxonomies # Install MISP build requirements RUN sudo -E apt-get -y install libpoppler73 libpoppler-dev libpoppler-cpp-dev 
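Review bot: The postfix `debconf-set-selections` preseed in the "Preconfigure setting for packages" RUN still executes long after `apt-get install -y postfix` in the first layer, so it appears to have no effect on the installed package (debconf answers only apply to packages configured afterwards); either move it above the install or drop it if `run.sh` writes the postfix configuration at first boot. The combined template RUN clones misp-objects, misp-galaxy, misp-warninglists and misp-taxonomies from their default branches, so image content depends on clone time; pinning each to a tag or commit would make builds reproducible. The unchanged salt line in this hunk generates the CakePHP salt at build time, which means every container started from the image shares one salt and it is readable from the image layer — generating it at first boot would be safer.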
@@ -149,62 +149,64 @@ RUN sudo -E apt-get -y install libpoppler73 libpoppler-dev libpoppler-cpp-dev WORKDIR /opt RUN apt-get install -y python3 python3-pip libjpeg-dev # PIP3 fix -RUN pip install --upgrade pip +RUN pip3 install --upgrade pip # END FIX RUN git clone https://github.com/MISP/misp-modules.git WORKDIR /opt/misp-modules -RUN pip3 install --upgrade pip -RUN cat REQUIREMENTS | sed 's/aiohttp==3.4.4/aiohttp/g' > REQUIREMENTS -RUN pip3 install --upgrade --ignore-installed urllib3 -RUN pip3 install --upgrade --ignore-installed requests +RUN pip3 install --upgrade pip && \ + cat REQUIREMENTS | sed 's/aiohttp==3.4.4/aiohttp/g' > REQUIREMENTS && \ + pip3 install --upgrade --ignore-installed urllib3 && \ + pip3 install --upgrade --ignore-installed requests -RUN sed -i 's/aiohttp.*/aiohttp/g' REQUIREMENTS -RUN sed -i 's/functools.*//g' REQUIREMENTS -RUN sed -i 's/async-timeout.*/async-timeout/g' REQUIREMENTS -RUN sed -i 's/url-normalize.*/url-normalize/g' REQUIREMENTS -RUN sed -i 's/^\(yarl\)\=.*/\1/g' REQUIREMENTS -RUN sed -i 's/^\(sigmatools\)\=.*/\1/' REQUIREMENTS -RUN pip3 install -I -r REQUIREMENTS -RUN pip3 install -I . -RUN echo "sudo -u www-data misp-modules -s -l 127.0.0.1 &" >>/etc/rc.local +RUN sed -i 's/aiohttp.*/aiohttp/g' REQUIREMENTS && \ + sed -i 's/functools.*//g' REQUIREMENTS && \ + sed -i 's/async-timeout.*/async-timeout/g' REQUIREMENTS && \ + sed -i 's/url-normalize.*/url-normalize/g' REQUIREMENTS && \ + sed -i 's/^\(yarl\)\=.*/\1/g' REQUIREMENTS && \ + sed -i 's/^\(sigmatools\)\=.*/\1/' REQUIREMENTS && \ + pip3 install -I -r REQUIREMENTS && \ + pip3 install -I . 
&& \ + echo "sudo -u www-data misp-modules -s -l 127.0.0.1 &" >>/etc/rc.local # Supervisord Setup -RUN echo '[supervisord]' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo 'nodaemon = true' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo '' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo '[program:postfix]' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo 'process_name = master' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo 'directory = /etc/postfix' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo 'command = /usr/sbin/postfix -c /etc/postfix start' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo 'startsecs = 0' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo 'autorestart = false' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo '' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo '[program:redis-server]' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo 'command=redis-server /etc/redis/redis.conf' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo '' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo '[program:apache2]' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo 'command=/bin/bash -c "source /etc/apache2/envvars && exec /usr/sbin/apache2 -D FOREGROUND"' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo '' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo '[program:resque]' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo 'command=/bin/bash /var/www/MISP/app/Console/worker/start.sh' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo 'user = www-data' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo 'startsecs = 0' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo 'autorestart = false' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo '' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo '[program:misp-modules]' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo 'command=/bin/bash -c "misp-modules -s -l 127.0.0.1"' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo 'user = 
www-data' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo 'startsecs = 0' >> /etc/supervisor/conf.d/supervisord.conf -RUN echo 'autorestart = false' >> /etc/supervisor/conf.d/supervisord.conf +RUN ( \ + echo '[supervisord]'; \ + echo 'nodaemon = true'; \ + echo ''; \ + echo '[program:postfix]'; \ + echo 'process_name = master'; \ + echo 'directory = /etc/postfix'; \ + echo 'command = /usr/sbin/postfix -c /etc/postfix start'; \ + echo 'startsecs = 0'; \ + echo 'autorestart = false'; \ + echo ''; \ + echo '[program:redis-server]'; \ + echo 'command=redis-server /etc/redis/redis.conf'; \ + echo ''; \ + echo '[program:apache2]'; \ + echo 'command=/bin/bash -c "source /etc/apache2/envvars && exec /usr/sbin/apache2 -D FOREGROUND"'; \ + echo ''; \ + echo '[program:resque]'; \ + echo 'command=/bin/bash /var/www/MISP/app/Console/worker/start.sh'; \ + echo 'user = www-data'; \ + echo 'startsecs = 0'; \ + echo 'autorestart = false'; \ + echo ''; \ + echo '[program:misp-modules]'; \ + echo 'command=/bin/bash -c "misp-modules -s -l 127.0.0.1"'; \ + echo 'user = www-data'; \ + echo 'startsecs = 0'; \ + echo 'autorestart = false'; \ +) >> /etc/supervisor/conf.d/supervisord.conf + # Modify syslog configuration RUN sed -i -E 's/^(\s*)system\(\);/\1unix-stream("\/dev\/log");/' /etc/syslog-ng/syslog-ng.conf # Add run script -ADD run.sh /run.sh -RUN chmod 0755 /run.sh - # Trigger to perform first boot operations -RUN touch /.firstboot.tmp +ADD run.sh /run.sh +RUN chmod 0755 /run.sh && touch /.firstboot.tmp + # Make a backup of /var/www/MISP to restore it to the local moint point at first boot WORKDIR /var/www/MISP
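Review bot: In the combined misp-modules RUN, `cat REQUIREMENTS | sed 's/aiohttp==3.4.4/aiohttp/g' > REQUIREMENTS` redirects into the file being read, so the shell truncates REQUIREMENTS before (or racing with) cat's read and the later `pip3 install -I -r REQUIREMENTS` can end up installing nothing; use `sed -i 's/aiohttp==3.4.4/aiohttp/g' REQUIREMENTS` like the sed lines that follow it. The "PIP3 fix" line silently changes `pip install --upgrade pip` to `pip3 install --upgrade pip`, which the commit message does not mention; python2 pip is no longer upgraded there, and `pip3 install --upgrade pip` then runs a second time two RUNs later. `ADD run.sh /run.sh` should be `COPY run.sh /run.sh` for a plain local file (hadolint DL3020), and the two comments above it now read as one block with "Trigger to perform first boot operations" sitting over the ADD rather than the `touch`.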