Replace Debian with Ubuntu 24.04 LTS

noble
Stefano Ortolani 2024-07-12 17:41:37 +01:00
parent bae3346f7a
commit dcea8d5791
6 changed files with 89 additions and 54 deletions


@ -27,6 +27,14 @@ Notable features:
The underlying spirit of this project is to allow "repeatable deployments", and all pull requests in this direction will be merged post-haste. The underlying spirit of this project is to allow "repeatable deployments", and all pull requests in this direction will be merged post-haste.
## Warning
As part of our recent efforts to reduce the number of CVEs affecting the Docker images, we recently changed the base image from Debian Bookworm to Ubuntu 24.04.
While the transition did not affect MISP and MISP modules, the GitHub Action triggered a bug affecting `libcurl` and Ubuntu 24.04 when running on `linux/arm64` and establishing TLS connections to `api.github.com` when the server decides toreturn a 302. The issue is being discussed here https://github.com/curl/curl/issues/14154 and being further investigated here https://bugs.launchpad.net/ubuntu/+source/curl/+bug/2073448.
To allow the build to complete, we temporarily disabled TLS verification (see `core/Dockerfile` when using `composer` to install PHP dependencies; the temporary workaround affects only the build when the target platform is `linux/arm64`, leaving the `linux/amd64` build unaffected.
## Getting Started ## Getting Started
- Copy the `template.env` to `.env` - Copy the `template.env` to `.env`


@ -1,7 +1,7 @@
ARG DOCKER_HUB_PROXY="" ARG DOCKER_HUB_PROXY=""
FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm" AS php-base FROM "${DOCKER_HUB_PROXY}ubuntu:24.04" AS php-base
ENV DEBIAN_FRONTEND noninteractive ENV DEBIAN_FRONTEND noninteractive
# Uncomment when building in corporate environments # Uncomment when building in corporate environments
@ -19,29 +19,48 @@ FROM php-base AS composer-build
ENV COMPOSER_ALLOW_SUPERUSER 1 ENV COMPOSER_ALLOW_SUPERUSER 1
ARG CORE_TAG ARG CORE_TAG
ARG CORE_COMMIT ARG CORE_COMMIT
ARG TARGETPLATFORM
RUN apt-get install -y --no-install-recommends \ RUN apt-get install -y --no-install-recommends \
php8.2 \ php8.3 \
php8.2-apcu \ php8.3-apcu \
php8.2-curl \ php8.3-curl \
php8.2-xml \ php8.3-xml \
php8.2-intl \ php8.3-intl \
php8.2-bcmath \ php8.3-bcmath \
php8.2-mbstring \ php8.3-mbstring \
php8.2-mysql \ php8.3-mysql \
php8.2-redis \ php8.3-redis \
php8.2-gd \ php8.3-gd \
php8.2-fpm \ php8.3-fpm \
php8.2-zip \ php8.3-zip \
unzip \ unzip \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
WORKDIR /tmp WORKDIR /tmp
RUN curl -o /tmp/composer.json https://raw.githubusercontent.com/MISP/MISP/${CORE_COMMIT:-${CORE_TAG}}/app/composer.json RUN curl -o /tmp/composer.json https://raw.githubusercontent.com/MISP/MISP/${CORE_COMMIT:-${CORE_TAG}}/app/composer.json
COPY --from=composer:latest /usr/bin/composer /usr/bin/composer COPY --from=composer:2.7.7 /usr/bin/composer /usr/bin/composer
RUN composer config --no-interaction allow-plugins.composer/installers true
RUN composer install # See:
RUN composer require --with-all-dependencies --no-interaction \ # - https://github.com/curl/curl/issues/14154
# - https://bugs.launchpad.net/ubuntu/+source/curl/+bug/2073448
RUN <<-EOF
if [ "$TARGETPLATFORM" = "linux/arm64" ]; then
cp /usr/bin/composer /composer.phar
mkdir /out/
php -r '$phar = new Phar("/composer.phar"); $phar->extractTo("/out/");'
sed -i "/'verify_peer_name' =>.*/a 'verify_peer_status' => CURLOPT_SSL_VERIFYSTATUS," /out/src/Composer/Util/Http/CurlDownloader.php
sed -i "/\$options = StreamContextFactory.*/a \$options['ssl']['verify_peer'] = false;" /out/src/Composer/Util/Http/CurlDownloader.php
sed -i "/\$options = StreamContextFactory.*/a \$options['ssl']['verify_peer_name'] = false;" /out/src/Composer/Util/Http/CurlDownloader.php
sed -i "/\$options = StreamContextFactory.*/a \$options['ssl']['verify_peer_status'] = false;" /out/src/Composer/Util/Http/CurlDownloader.php
rm /usr/bin/composer
ln -s /out/bin/composer /usr/bin/composer
fi
EOF
RUN php /usr/bin/composer config --no-interaction allow-plugins.composer/installers true
RUN php /usr/bin/composer install
RUN php /usr/bin/composer require --with-all-dependencies --no-interaction \
elasticsearch/elasticsearch:^8.7.0 \ elasticsearch/elasticsearch:^8.7.0 \
jakub-onderka/openid-connect-php:^1.0.0 \ jakub-onderka/openid-connect-php:^1.0.0 \
aws/aws-sdk-php aws/aws-sdk-php
@ -56,9 +75,9 @@ FROM php-base AS php-build
g++ \ g++ \
git \ git \
make \ make \
php8.2 \ php8.3 \
php8.2-dev \ php8.3-dev \
php8.2-xml \ php8.3-xml \
php-pear \ php-pear \
libbrotli-dev \ libbrotli-dev \
libfuzzy-dev \ libfuzzy-dev \
@ -67,9 +86,9 @@ FROM php-base AS php-build
libzstd-dev \ libzstd-dev \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
RUN update-alternatives --set php /usr/bin/php8.2 RUN update-alternatives --set php /usr/bin/php8.3
RUN update-alternatives --set php-config /usr/bin/php-config8.2 RUN update-alternatives --set php-config /usr/bin/php-config8.3
RUN update-alternatives --set phpize /usr/bin/phpize8.2 RUN update-alternatives --set phpize /usr/bin/phpize8.3
RUN cp "/usr/lib/$(gcc -dumpmachine)"/libfuzzy.* /usr/lib RUN cp "/usr/lib/$(gcc -dumpmachine)"/libfuzzy.* /usr/lib
RUN pecl channel-update pecl.php.net && \ RUN pecl channel-update pecl.php.net && \
@ -99,6 +118,8 @@ FROM php-base AS python-build
RUN apt-get install -y --no-install-recommends \ RUN apt-get install -y --no-install-recommends \
git \ git \
python3-pip \
python3-wheel \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
# Download MISP using git in the /var/www/ directory. Remove unnecessary items. # Download MISP using git in the /var/www/ directory. Remove unnecessary items.
@ -178,25 +199,28 @@ FROM php-base
gpg-agent \ gpg-agent \
mariadb-client \ mariadb-client \
rsync \ rsync \
python3-setuptools \
python3-pip \
python3-wheel \
# PHP Requirements # PHP Requirements
php8.2 \ php8.3 \
php8.2-apcu \ php8.3-apcu \
php8.2-curl \ php8.3-curl \
php8.2-xml \ php8.3-xml \
php8.2-intl \ php8.3-intl \
php8.2-bcmath \ php8.3-bcmath \
php8.2-mbstring \ php8.3-mbstring \
php8.2-mysql \ php8.3-mysql \
php8.2-redis \ php8.3-redis \
php8.2-gd \ php8.3-gd \
php8.2-fpm \ php8.3-fpm \
php8.2-zip \ php8.3-zip \
php8.2-ldap \ php8.3-ldap \
libmagic1 \ libmagic1 \
libldap-common \ libldap-common \
librdkafka1 \ librdkafka1 \
libbrotli1 \ libbrotli1 \
libsimdjson14 \ libsimdjson19 \
libzstd1 \ libzstd1 \
ssdeep \ ssdeep \
libfuzzy2 \ libfuzzy2 \
@ -206,11 +230,11 @@ FROM php-base
curl jq \ curl jq \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
RUN update-alternatives --set php /usr/bin/php8.2 RUN update-alternatives --set php /usr/bin/php8.3
# Install python modules # Install python modules
COPY --from=python-build /wheels /wheels COPY --from=python-build /wheels /wheels
RUN pip install --no-cache-dir /wheels/*.whl && rm -rf /wheels RUN pip install --break-system-packages --no-cache-dir /wheels/*.whl && rm -rf /wheels
# PHP: install prebuilt libraries, then install the app's PHP deps # PHP: install prebuilt libraries, then install the app's PHP deps
COPY --from=php-build ["/usr/lib/php/${PHP_VER}/ssdeep.so", "/usr/lib/php/${PHP_VER}/rdkafka.so", "/usr/lib/php/${PHP_VER}/brotli.so", "/usr/lib/php/${PHP_VER}/simdjson.so", "/usr/lib/php/${PHP_VER}/zstd.so", "/usr/lib/php/${PHP_VER}/"] COPY --from=php-build ["/usr/lib/php/${PHP_VER}/ssdeep.so", "/usr/lib/php/${PHP_VER}/rdkafka.so", "/usr/lib/php/${PHP_VER}/brotli.so", "/usr/lib/php/${PHP_VER}/simdjson.so", "/usr/lib/php/${PHP_VER}/zstd.so", "/usr/lib/php/${PHP_VER}/"]
@ -222,12 +246,11 @@ FROM php-base
COPY --from=composer-build --chown=www-data:www-data --chmod=0550 /tmp/Plugin /var/www/MISP/app/Plugin COPY --from=composer-build --chown=www-data:www-data --chmod=0550 /tmp/Plugin /var/www/MISP/app/Plugin
# 'setuptools' is needed at runtime by 'mixbox' # 'setuptools' is needed at runtime by 'mixbox'
RUN pip install setuptools RUN cp /usr/lib/python3/dist-packages/setuptools/_distutils/version.py \
RUN cp /usr/local/lib/python3.12/site-packages/setuptools/_distutils/version.py \ /usr/local/lib/python3.12/dist-packages/mixbox/distutils_version.py
/usr/local/lib/python3.12/site-packages/mixbox/distutils_version.py
RUN sed -i 's/from distutils\.version/from mixbox.distutils_version/' \ RUN sed -i 's/from distutils\.version/from mixbox.distutils_version/' \
/usr/local/lib/python3.12/site-packages/mixbox/parser.py /usr/local/lib/python3.12/dist-packages/mixbox/parser.py
RUN pip uninstall -y setuptools pip RUN apt-get remove --purge python3-pip python3-wheel python3-setuptools -y
# Gather these in one layer, only act on actual directories under /etc/php/ # Gather these in one layer, only act on actual directories under /etc/php/
RUN <<-EOF RUN <<-EOF
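Review bot: The `RUN <<-EOF` block in the composer-build stage (the `TARGETPLATFORM` check that patches CurlDownloader.php) has no `set -e`, so a failed Phar extraction or a non-matching `sed` (which still exits 0) does not stop the script; it goes on to remove `/usr/bin/composer` and symlink `/out/bin/composer`, and the build proceeds with a broken or unpatched composer. Add `set -eu` as the heredoc's first line and assert the patch landed before switching binaries, e.g. `grep -q "verify_peer_status" /out/src/Composer/Util/Http/CurlDownloader.php`. The patch also turns off `verify_peer`, `verify_peer_name` and `verify_peer_status` for every download composer makes on `linux/arm64`, and since only composer.json is fetched (`curl -o /tmp/composer.json …`), the arm64 dependency set appears to be resolved and downloaded with no TLS authentication at all. Consider gating the block behind a build argument that defaults to off (a constructed name such as `ARG COMPOSER_ARM64_TLS_WORKAROUND=0`, tested together with `$TARGETPLATFORM`) so the unverified path is opt-in and trivially removable, and put a comment above the heredoc such as `# TEMPORARY: disables TLS verification for composer on arm64 only; remove once the curl/Ubuntu fix ships` so it is not forgotten.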


@ -34,7 +34,7 @@ change_php_vars() {
echo "Configure PHP | Change PHP values ..." && change_php_vars echo "Configure PHP | Change PHP values ..." && change_php_vars
echo "Configure PHP | Starting PHP FPM" echo "Configure PHP | Starting PHP FPM"
/usr/sbin/php-fpm8.2 -R -F & master_pid=$! /usr/sbin/php-fpm8.3 -R -F & master_pid=$!
# Wait for it # Wait for it
wait "$master_pid" wait "$master_pid"


@ -23,7 +23,7 @@ location / {
location ~ ^/[^/]+\.php(/|$) { location ~ ^/[^/]+\.php(/|$) {
include snippets/fastcgi-php.conf; include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock; fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
fastcgi_read_timeout 300s; fastcgi_read_timeout 300s;
fastcgi_send_timeout 300s; fastcgi_send_timeout 300s;
fastcgi_connect_timeout 300s; fastcgi_connect_timeout 300s;


@ -1,6 +1,6 @@
ARG DOCKER_HUB_PROXY="" ARG DOCKER_HUB_PROXY=""
FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm" AS python-build FROM "${DOCKER_HUB_PROXY}ubuntu:24.04" AS python-build
ENV DEBIAN_FRONTEND noninteractive ENV DEBIAN_FRONTEND noninteractive
ARG MODULES_TAG ARG MODULES_TAG
ARG MODULES_COMMIT ARG MODULES_COMMIT
@ -14,6 +14,9 @@ FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm" AS python-build
ca-certificates \ ca-certificates \
cmake \ cmake \
git \ git \
python3-dev \
python3-pip \
python3-wheel \
build-essential \ build-essential \
libpoppler-cpp-dev \ libpoppler-cpp-dev \
libfuzzy-dev \ libfuzzy-dev \
@ -35,8 +38,8 @@ FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm" AS python-build
EOF EOF
WORKDIR /srv/misp-modules WORKDIR /srv/misp-modules
RUN pip install poetry RUN pip install --break-system-packages poetry
RUN sed -i "s/^python = .*/python = \"$(python -c 'import platform; print(platform.python_version())')\"/" pyproject.toml RUN sed -i "s/^python = .*/python = \"$(python3 -c 'import platform; print(platform.python_version())')\"/" pyproject.toml
RUN poetry lock RUN poetry lock
RUN poetry self add poetry-plugin-export RUN poetry self add poetry-plugin-export
RUN poetry export --with unstable --without-hashes -f requirements.txt -o requirements.txt RUN poetry export --with unstable --without-hashes -f requirements.txt -o requirements.txt
@ -65,7 +68,7 @@ EOF
RUN rm -rf /srv/faup RUN rm -rf /srv/faup
FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm" FROM "${DOCKER_HUB_PROXY}ubuntu:24.04"
ENV DEBIAN_FRONTEND noninteractive ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update && apt-get install -y --no-install-recommends \ RUN apt-get update && apt-get install -y --no-install-recommends \
@ -78,18 +81,19 @@ FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm"
libxml2 \ libxml2 \
libxslt1.1 \ libxslt1.1 \
libzbar0 \ libzbar0 \
python3-pip \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
COPY --from=python-build /wheels /wheels COPY --from=python-build /wheels /wheels
COPY --from=python-build /usr/local/lib/libfaupl* /usr/local/lib/ COPY --from=python-build /usr/local/lib/libfaupl* /usr/local/lib/
RUN ldconfig RUN ldconfig
RUN pip install --no-cache-dir --use-deprecated=legacy-resolver /wheels/*.whl && rm -rf /wheels RUN pip install --break-system-packages --no-cache-dir --use-deprecated=legacy-resolver /wheels/*.whl && rm -rf /wheels
RUN pip uninstall -y pip RUN apt-get remove --purge python3-pip python3-setuptools -y
# Since we compile faup ourselves and lua is not required anymore, we can load our own library # Since we compile faup ourselves and lua is not required anymore, we can load our own library
# and skip the pre-compiled blob to improve compatibility with other architectures like ARM # and skip the pre-compiled blob to improve compatibility with other architectures like ARM
RUN sed -i s/LoadLibrary\(LOAD_LIB\)/LoadLibrary\(\"\\/usr\\/local\\/lib\\/libfaupl.so\"\)/ \ RUN sed -i s/LoadLibrary\(LOAD_LIB\)/LoadLibrary\(\"\\/usr\\/local\\/lib\\/libfaupl.so\"\)/ \
/usr/local/lib/python3.12/site-packages/pyfaup/__init__.py /usr/local/lib/python3.12/dist-packages/pyfaup/__init__.py
# Disable (all) warnings raised when using 'future' # Disable (all) warnings raised when using 'future'
RUN sed -i '/import sys/a import warnings\nwarnings.warn = lambda *args, **kwargs: None' \ RUN sed -i '/import sys/a import warnings\nwarnings.warn = lambda *args, **kwargs: None' \
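Review bot: In the final stage's `apt-get install` list (the hunk adding `python3-pip`), `python3` itself is never named; it arrives only as an automatic dependency of `python3-pip`, which the later `RUN apt-get remove --purge python3-pip python3-setuptools -y` takes away again. The interpreter survives today only because nothing runs `apt-get autoremove` after that purge, so any future cleanup step in this stage would strip it along with the runtime for the installed wheels; the same shape appears in the core Dockerfile's final stage, which adds `python3-setuptools`/`python3-pip`/`python3-wheel` and purges them later. Add `python3 \` explicitly to both install lists so it is marked manually installed, and only once that is done consider an `apt-get autoremove -y` after the purge so pip's own dependencies do not linger in the image. In the python-build stage, `pip install --break-system-packages poetry` is unpinned, which undercuts the repeatable-deployments goal stated in the README; pin it, e.g. `pip install --break-system-packages "poetry==<PINNED_VERSION>"`.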


@ -4,7 +4,7 @@
CORE_TAG=v2.5.1 CORE_TAG=v2.5.1
MODULES_TAG=v2.4.198 MODULES_TAG=v2.4.198
PHP_VER=20220829 PHP_VER=20230831
LIBFAUP_COMMIT=3a26d0a LIBFAUP_COMMIT=3a26d0a
# PYPY_* vars take precedence over MISP's # PYPY_* vars take precedence over MISP's