From cec3f31b9d5a3c11438632274c64db8ab0157021 Mon Sep 17 00:00:00 2001
From: Jason Kendall
Date: Wed, 5 Jan 2022 12:25:27 -0500
Subject: [PATCH] Initial Bullseye work

---
 .env | 2 +-
 modules/Dockerfile | 9 +++------
 server/Dockerfile | 22 +++++++++++-----------
 server/files/entrypoint_fpm.sh | 2 +-
 server/files/etc/nginx/misp | 2 +-
 server/files/etc/nginx/misp-secure | 2 +-
 server/files/etc/nginx/misp80-noredir | 18 +++++++++---------
 7 files changed, 27 insertions(+), 30 deletions(-)

diff --git a/.env b/.env
index 1fa506c..817b83e 100644
--- a/.env
+++ b/.env
@@ -1,3 +1,3 @@
 MISP_TAG=v2.4.152
 MODULES_TAG=v2.4.152
-PHP_VER=20180731
+PHP_VER=20190902
diff --git a/modules/Dockerfile b/modules/Dockerfile
index fb98d92..22ad2ae 100644
--- a/modules/Dockerfile
+++ b/modules/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.7-slim-buster as builder
+FROM python:3.9-slim-bullseye as builder
 ENV DEBIAN_FRONTEND noninteractive
 ARG MODULES_TAG
 
@@ -18,11 +18,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 RUN mkdir /wheel
 WORKDIR /srv
 
- # TODO: remove downgrade of sigmatools when we have Python 3.8 ref #128 and #143
 RUN git clone --branch ${MODULES_TAG} --depth 1 https://github.com/MISP/misp-modules.git /srv/misp-modules; \
- cd /srv/misp-modules || exit; \
- sed -i -e 's/-e //g' -e 's/sigmatools==0.20/sigmatools==0.19.1/' REQUIREMENTS; \
- pip3 wheel -r REQUIREMENTS --no-cache-dir -w /wheel/
+ cd /srv/misp-modules || exit; sed -i 's/-e //g' REQUIREMENTS; pip3 wheel -r REQUIREMENTS --no-cache-dir -w /wheel/
 
 RUN git clone --depth 1 https://github.com/stricaud/faup.git /srv/faup; \
 cd /srv/faup/build || exit; cmake .. && make install; \
@@ -33,7 +30,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 RUN find . -name "chardet*" | grep -v "chardet-4.0.0" | xargs rm -f
 
-FROM python:3.7-slim-buster
+FROM python:3.9-slim-bullseye
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
 libglib2.0-0 \
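Review bot: The rewritten `RUN` in the modules/Dockerfile hunk chains `cd`, `sed` and `pip3 wheel` with `;`, so a failing `sed` no longer stops the build; the layer succeeds with the `-e` markers still in REQUIREMENTS and the resulting wheel set differs from the one intended. Chain with `&&` instead: `cd /srv/misp-modules && sed -i 's/-e //g' REQUIREMENTS && pip3 wheel -r REQUIREMENTS --no-cache-dir -w /wheel/`, which also makes the `|| exit` unnecessary. The clone is pinned only to the `${MODULES_TAG}` tag, which upstream can move; recording the commit hash next to the tag would make the build reproducible.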
diff --git a/server/Dockerfile b/server/Dockerfile
index fdc3e3e..7d0928f 100644
--- a/server/Dockerfile
+++ b/server/Dockerfile
@@ -1,11 +1,11 @@
-FROM composer:2.1 as composer-build
+FROM composer:2.2 as composer-build
 ARG MISP_TAG
 WORKDIR /tmp
 ADD https://raw.githubusercontent.com/MISP/MISP/${MISP_TAG}/app/composer.json /tmp
 RUN composer install --ignore-platform-reqs && \
 composer require jumbojett/openid-connect-php --ignore-platform-reqs
 
-FROM debian:buster-slim as php-build
+FROM debian:bullseye-slim as php-build
 RUN apt-get update; apt-get install -y --no-install-recommends \
 gcc \
 make \
@@ -23,7 +23,7 @@ FROM debian:buster-slim as php-build
 
 RUN git clone --recursive --depth=1 https://github.com/kjdev/php-ext-brotli.git && cd php-ext-brotli && phpize && ./configure && make && make install
 
-FROM debian:buster-slim as python-build
+FROM debian:bullseye-slim as python-build
 RUN apt-get update; apt-get install -y --no-install-recommends \
 gcc \
 git \
@@ -60,9 +60,10 @@ FROM debian:buster-slim as python-build
 sed -i 's/-e //g' requirements.txt; pip3 wheel -r requirements.txt --no-cache-dir -w /wheels/
 
 # install STIX2.0 library to support STIX 2.0 export:
+ # Original Requirements has a bunch of non-required pacakges, force it to only grab wheels for deps from setup.py
 RUN git clone --depth 1 https://github.com/MISP/cti-python-stix2.git; \
 cd cti-python-stix2 || exit; python3 setup.py bdist_wheel -d /wheels; \
- sed -i 's/-e //g' requirements.txt; pip3 wheel -r requirements.txt --no-cache-dir -w /wheels/
+ echo "-e ." > requirements.txt; pip3 wheel -r requirements.txt --no-cache-dir -w /wheels/
 
 # install PyMISP
 RUN git clone --depth 1 https://github.com/MISP/PyMISP.git; \
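Review bot: The new comment in the STIX2 hunk has a typo (`pacakges`) and only loosely explains the line below it; `# Upstream requirements.txt lists many optional packages; overwrite it so wheels are built only for the dependencies declared in setup.py` says what the `echo "-e ." > requirements.txt` step is for. The commands in that `RUN` are still joined with `;`, so a failing `python3 setup.py bdist_wheel` or `echo` is masked and the layer succeeds with an incomplete /wheels; joining them with `&&` would surface the failure. The clone of cti-python-stix2 a few lines above is `--depth 1` from the default branch with no tag or commit pinned, so the wheel set depends on when the image is built rather than on the commit being reviewed.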
@@ -75,17 +76,15 @@ FROM debian:buster-slim as python-build
 # Grab other modules we need
 RUN pip3 wheel --no-cache-dir -w /wheels/ plyara pyzmq redis python-magic lief
 
- # Temp workaround for cryptography library
- RUN pip3 wheel 'cryptography>=3.3.0,<3.4.0' --no-cache-dir -w /wheels/
-
 # Remove extra packages due to incompatible requirements.txt files
 WORKDIR /wheels
- RUN find . -name "pluggy*" | grep -v "pluggy-0.13.1" | xargs rm -f
- RUN find . -name "tox*" | grep -v "tox-2.7.0" | xargs rm -f
- RUN find . -name "Sphinx*" | grep -v "Sphinx-1.8.5" | xargs rm -f
+ RUN find . -name "pluggy*" | tee /dev/stderr | grep -v "pluggy-1.0.0" | xargs rm -f
+ RUN find . -name "tox*" | tee /dev/stderr | grep -v "tox-3.24.5" | xargs rm -f
+ RUN find . -name "Sphinx*" | tee /dev/stderr | grep -v "Sphinx-1.8.6" | xargs rm -f
+ RUN find . -name "docutils*" | tee /dev/stderr | grep -v "docutils-0.17.1" | xargs rm -f
 
-FROM debian:buster-slim
+FROM debian:bullseye-slim
 ENV DEBIAN_FRONTEND noninteractive
 ARG MISP_TAG
 ARG PHP_VER
@@ -111,6 +110,7 @@ ARG PHP_VER
 python3-pip \
 # PHP Requirements
 php \
+ php-apcu \
 php-curl \
 php-xml \
 php-intl \
diff --git a/server/files/entrypoint_fpm.sh b/server/files/entrypoint_fpm.sh
index 825624b..59661d7 100755
--- a/server/files/entrypoint_fpm.sh
+++ b/server/files/entrypoint_fpm.sh
@@ -14,4 +14,4 @@ change_php_vars(){
 
 echo "Configure PHP | Change PHP values ..." && change_php_vars
 echo "Starting PHP FPM"
-/usr/sbin/php-fpm7.3 -R -F
\ No newline at end of file
+/usr/sbin/php-fpm7.4 -R -F
diff --git a/server/files/etc/nginx/misp b/server/files/etc/nginx/misp
index f30968c..afa3090 100644
--- a/server/files/etc/nginx/misp
+++ b/server/files/etc/nginx/misp
@@ -45,7 +45,7 @@ server {
 
 location ~ \.php$ {
 include snippets/fastcgi-php.conf;
- fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+ fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
 fastcgi_read_timeout 300;
 }
 }
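Review bot: Each new `find … | tee /dev/stderr | grep -v "<kept version>" | xargs rm -f` line fails open: under the default `/bin/sh -c` with no pipefail the layer's status is that of `xargs rm -f`, which is 0 whether or not the kept wheel was ever built, so if a later build produces a different pluggy, tox, Sphinx or docutils version every wheel of that package is deleted and the breakage only shows up when the final stage installs. An existence check after each removal, e.g. `RUN find . -name "pluggy*" | tee /dev/stderr | grep -v "pluggy-1.0.0" | xargs rm -f && ls pluggy-1.0.0*`, turns that into a build failure; `tee /dev/stderr` helps whoever reads the log but is not a check. Separately, `FROM debian:bullseye-slim` for the runtime stage, like the other bullseye and `composer:2.2` stages in this file and the python images in modules/Dockerfile, is a floating tag; pinning a digest (`debian:bullseye-slim@sha256:<digest>`) would make a rebuild of this commit reproducible and turn base-image updates into reviewed changes.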
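Review bot: The last line of entrypoint_fpm.sh still starts php-fpm without `exec`, so the shell remains PID 1 and the SIGTERM from `docker stop` reaches the shell rather than php-fpm; `exec /usr/sbin/php-fpm7.4 -R -F` fixes that. The `-R` flag (`--allow-to-run-as-root`) is carried over from the 7.3 line; if the pool configuration does not set an unprivileged user the FPM workers run as root, which is worth confirming as part of the version change. The `7.4` here has to move in lockstep with the three `php7.4-fpm.sock` paths changed in the nginx configs in this patch; deriving the minor version from a single variable would remove that four-way coupling.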
diff --git a/server/files/etc/nginx/misp-secure b/server/files/etc/nginx/misp-secure
index 26c5477..c0ea72d 100644
--- a/server/files/etc/nginx/misp-secure
+++ b/server/files/etc/nginx/misp-secure
@@ -43,7 +43,7 @@ server {
 
 location ~ \.php$ {
 include snippets/fastcgi-php.conf;
- fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+ fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
 fastcgi_read_timeout 300;
 }
 }
diff --git a/server/files/etc/nginx/misp80-noredir b/server/files/etc/nginx/misp80-noredir
index 679fa98..9dd2cc4 100644
--- a/server/files/etc/nginx/misp80-noredir
+++ b/server/files/etc/nginx/misp80-noredir
@@ -12,14 +12,14 @@ server {
 error_log /dev/stderr error;
 
 # Aded headers for hardening browser security
- add_header Referrer-Policy "no-referrer" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Download-Options "noopen" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Permitted-Cross-Domain-Policies "none" always;
- add_header X-Robots-Tag "none" always;
- add_header X-XSS-Protection "1; mode=block" always;
-
+ add_header Referrer-Policy "no-referrer" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Download-Options "noopen" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Robots-Tag "none" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+
 # Remove X-Powered-By, which is an information leak
 fastcgi_hide_header X-Powered-By;
 
@@ -29,7 +29,7 @@ server {
 
 location ~ \.php$ {
 include snippets/fastcgi-php.conf;
- fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+ fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
 fastcgi_read_timeout 300;
 }
 }