Merge pull request #160 from coolacid/bullseye

Moving to Bullseye
2022-02-14 12:42:05 -05:00 · 2022-02-14 12:42:05 -05:00 · d266944501
parent 1aecb1fbdf 0510cfe7d0
commit d266944501
7 changed files with 24 additions and 30 deletions
--- a/.env
+++ b/.env
@ -1,3 +1,3 @@
 MISP_TAG=v2.4.152
 MODULES_TAG=v2.4.152
-PHP_VER=20180731
+PHP_VER=20190902
--- a/modules/Dockerfile
+++ b/modules/Dockerfile
@ -1,4 +1,4 @@
-FROM python:3.7-slim-buster  as builder
+FROM python:3.9-slim-bullseye  as builder
 ENV DEBIAN_FRONTEND noninteractive
 ARG MODULES_TAG

@ -18,11 +18,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
    RUN mkdir /wheel
    WORKDIR /srv

-    # TODO: remove downgrade of sigmatools when we have Python 3.8 ref #128 and #143
    RUN git clone --branch ${MODULES_TAG} --depth 1  https://github.com/MISP/misp-modules.git /srv/misp-modules; \
-        cd /srv/misp-modules || exit; \
-        sed -i -e 's/-e //g' -e 's/sigmatools==0.20/sigmatools==0.19.1/' REQUIREMENTS; \
-        pip3 wheel -r REQUIREMENTS --no-cache-dir -w /wheel/
+        cd /srv/misp-modules || exit; sed -i 's/-e //g' REQUIREMENTS; pip3 wheel -r REQUIREMENTS --no-cache-dir -w /wheel/

    RUN git clone --depth 1 https://github.com/stricaud/faup.git /srv/faup; \
        cd /srv/faup/build || exit; cmake .. && make install; \
@ -33,7 +30,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
    RUN find . -name "chardet*" | grep -v "chardet-4.0.0" | xargs rm -f


-FROM python:3.7-slim-buster
+FROM python:3.9-slim-bullseye

 RUN apt-get update && apt-get install -y --no-install-recommends \
            libglib2.0-0 \
--- a/server/Dockerfile
+++ b/server/Dockerfile
@ -1,11 +1,11 @@
-FROM composer:2.1 as composer-build
+FROM composer:2.2 as composer-build
    ARG MISP_TAG
    WORKDIR /tmp
    ADD https://raw.githubusercontent.com/MISP/MISP/${MISP_TAG}/app/composer.json /tmp
    RUN composer install --ignore-platform-reqs && \
     composer require jumbojett/openid-connect-php --ignore-platform-reqs

-FROM debian:buster-slim as php-build
+FROM debian:bullseye-slim as php-build
    RUN apt-get update; apt-get install -y --no-install-recommends \
        gcc \
        make \
@ -23,7 +23,7 @@ FROM debian:buster-slim as php-build
        RUN git clone --recursive --depth=1 https://github.com/kjdev/php-ext-brotli.git && cd php-ext-brotli && phpize && ./configure && make && make install
        

-FROM debian:buster-slim as python-build
+FROM debian:bullseye-slim as python-build
    RUN apt-get update; apt-get install -y --no-install-recommends \
        gcc \
        git \
@ -60,9 +60,10 @@ FROM debian:buster-slim as python-build
        sed -i 's/-e //g' requirements.txt; pip3 wheel -r requirements.txt --no-cache-dir -w /wheels/

    # install STIX2.0 library to support STIX 2.0 export:
+    # Original Requirements has a bunch of non-required pacakges, force it to only grab wheels for deps from setup.py
    RUN git clone --depth 1 https://github.com/MISP/cti-python-stix2.git; \
        cd cti-python-stix2 || exit; python3 setup.py bdist_wheel -d /wheels; \
-        sed -i 's/-e //g' requirements.txt; pip3 wheel -r requirements.txt --no-cache-dir -w /wheels/
+        echo "-e ." > requirements.txt; pip3 wheel -r requirements.txt --no-cache-dir -w /wheels/

    # install PyMISP
    RUN git clone --depth 1 https://github.com/MISP/PyMISP.git; \
@ -75,17 +76,12 @@ FROM debian:buster-slim as python-build
    # Grab other modules we need
    RUN pip3 wheel --no-cache-dir -w /wheels/ plyara pyzmq redis python-magic lief

-    # Temp workaround for cryptography library
-    RUN pip3 wheel 'cryptography>=3.3.0,<3.4.0' --no-cache-dir -w /wheels/
-
    # Remove extra packages due to incompatible requirements.txt files
    WORKDIR /wheels
-    RUN find . -name "pluggy*" | grep -v "pluggy-0.13.1" | xargs rm -f
-    RUN find . -name "tox*" | grep -v "tox-2.7.0" | xargs rm -f
-    RUN find . -name "Sphinx*" | grep -v "Sphinx-1.8.5" | xargs rm -f
+    RUN find . -name "Sphinx*" | tee /dev/stderr | grep -v "Sphinx-1.5.5" | xargs rm -f


-FROM debian:buster-slim
+FROM debian:bullseye-slim
 ENV DEBIAN_FRONTEND noninteractive
 ARG MISP_TAG
 ARG PHP_VER
@ -111,6 +107,7 @@ ARG PHP_VER
        python3-pip \
        # PHP Requirements
        php \
+        php-apcu \
        php-curl \
        php-xml \
        php-intl \
--- a/server/files/entrypoint_fpm.sh
+++ b/server/files/entrypoint_fpm.sh
@ -14,4 +14,4 @@ change_php_vars(){
 echo "Configure PHP  | Change PHP values ..." && change_php_vars
 echo "Starting PHP FPM"

-/usr/sbin/php-fpm7.3 -R -F
+/usr/sbin/php-fpm7.4 -R -F
--- a/server/files/etc/nginx/misp
+++ b/server/files/etc/nginx/misp
@ -45,7 +45,7 @@ server {

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
-        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_read_timeout 300;
    }
 }
--- a/server/files/etc/nginx/misp-secure
+++ b/server/files/etc/nginx/misp-secure
@ -43,7 +43,7 @@ server {

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
-        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_read_timeout 300;
    }
 }
--- a/server/files/etc/nginx/misp80-noredir
+++ b/server/files/etc/nginx/misp80-noredir
@ -12,14 +12,14 @@ server {
    error_log  /dev/stderr error;

    # Aded headers for hardening browser security
-    add_header Referrer-Policy "no-referrer" always;                                                 
-    add_header X-Content-Type-Options "nosniff" always;                                              
-    add_header X-Download-Options "noopen" always;                                                   
-    add_header X-Frame-Options "SAMEORIGIN" always;                                                  
-    add_header X-Permitted-Cross-Domain-Policies "none" always;                                     
-    add_header X-Robots-Tag "none" always;                                                           
-    add_header X-XSS-Protection "1; mode=block" always;                                              
-                                                                                                     
+    add_header Referrer-Policy "no-referrer" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Download-Options "noopen" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Permitted-Cross-Domain-Policies "none" always;
+    add_header X-Robots-Tag "none" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

@ -29,7 +29,7 @@ server {

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
-        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_read_timeout 300;
    }
 }