Replace Debian with Ubuntu 24.04 LTS
parent
bae3346f7a
commit
dcea8d5791
@ -27,6 +27,14 @@ Notable features:
|
||||||
|
|
||||||
The underlying spirit of this project is to allow "repeatable deployments", and all pull requests in this direction will be merged post-haste.
|
The underlying spirit of this project is to allow "repeatable deployments", and all pull requests in this direction will be merged post-haste.
|
||||||
|
|
||||||
|
## Warning
|
||||||
|
|
||||||
|
As part of our recent efforts to reduce the number of CVEs affecting the Docker images, we recently changed the base image from Debian Bookworm to Ubuntu 24.04.
|
||||||
|
|
||||||
|
While the transition did not affect MISP and MISP modules, the GitHub Action triggered a bug affecting `libcurl` and Ubuntu 24.04 when running on `linux/arm64` and establishing TLS connections to `api.github.com` when the server decides toreturn a 302. The issue is being discussed here https://github.com/curl/curl/issues/14154 and being further investigated here https://bugs.launchpad.net/ubuntu/+source/curl/+bug/2073448.
|
||||||
|
|
||||||
|
To allow the build to complete, we temporarily disabled TLS verification (see `core/Dockerfile` when using `composer` to install PHP dependencies; the temporary workaround affects only the build when the target platform is `linux/arm64`, leaving the `linux/amd64` build unaffected.
|
||||||
|
|
||||||
## Getting Started
|
## Getting Started
|
||||||
|
|
||||||
- Copy the `template.env` to `.env`
|
- Copy the `template.env` to `.env`
|
||||||
|
|
111
core/Dockerfile
111
core/Dockerfile
|
@ -1,7 +1,7 @@
|
||||||
ARG DOCKER_HUB_PROXY=""
|
ARG DOCKER_HUB_PROXY=""
|
||||||
|
|
||||||
|
|
||||||
FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm" AS php-base
|
FROM "${DOCKER_HUB_PROXY}ubuntu:24.04" AS php-base
|
||||||
ENV DEBIAN_FRONTEND noninteractive
|
ENV DEBIAN_FRONTEND noninteractive
|
||||||
|
|
||||||
# Uncomment when building in corporate environments
|
# Uncomment when building in corporate environments
|
||||||
|
@ -19,29 +19,48 @@ FROM php-base AS composer-build
|
||||||
ENV COMPOSER_ALLOW_SUPERUSER 1
|
ENV COMPOSER_ALLOW_SUPERUSER 1
|
||||||
ARG CORE_TAG
|
ARG CORE_TAG
|
||||||
ARG CORE_COMMIT
|
ARG CORE_COMMIT
|
||||||
|
ARG TARGETPLATFORM
|
||||||
|
|
||||||
RUN apt-get install -y --no-install-recommends \
|
RUN apt-get install -y --no-install-recommends \
|
||||||
php8.2 \
|
php8.3 \
|
||||||
php8.2-apcu \
|
php8.3-apcu \
|
||||||
php8.2-curl \
|
php8.3-curl \
|
||||||
php8.2-xml \
|
php8.3-xml \
|
||||||
php8.2-intl \
|
php8.3-intl \
|
||||||
php8.2-bcmath \
|
php8.3-bcmath \
|
||||||
php8.2-mbstring \
|
php8.3-mbstring \
|
||||||
php8.2-mysql \
|
php8.3-mysql \
|
||||||
php8.2-redis \
|
php8.3-redis \
|
||||||
php8.2-gd \
|
php8.3-gd \
|
||||||
php8.2-fpm \
|
php8.3-fpm \
|
||||||
php8.2-zip \
|
php8.3-zip \
|
||||||
unzip \
|
unzip \
|
||||||
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
|
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
WORKDIR /tmp
|
WORKDIR /tmp
|
||||||
RUN curl -o /tmp/composer.json https://raw.githubusercontent.com/MISP/MISP/${CORE_COMMIT:-${CORE_TAG}}/app/composer.json
|
RUN curl -o /tmp/composer.json https://raw.githubusercontent.com/MISP/MISP/${CORE_COMMIT:-${CORE_TAG}}/app/composer.json
|
||||||
COPY --from=composer:latest /usr/bin/composer /usr/bin/composer
|
COPY --from=composer:2.7.7 /usr/bin/composer /usr/bin/composer
|
||||||
RUN composer config --no-interaction allow-plugins.composer/installers true
|
|
||||||
RUN composer install
|
# See:
|
||||||
RUN composer require --with-all-dependencies --no-interaction \
|
# - https://github.com/curl/curl/issues/14154
|
||||||
|
# - https://bugs.launchpad.net/ubuntu/+source/curl/+bug/2073448
|
||||||
|
RUN <<-EOF
|
||||||
|
if [ "$TARGETPLATFORM" = "linux/arm64" ]; then
|
||||||
|
cp /usr/bin/composer /composer.phar
|
||||||
|
mkdir /out/
|
||||||
|
php -r '$phar = new Phar("/composer.phar"); $phar->extractTo("/out/");'
|
||||||
|
sed -i "/'verify_peer_name' =>.*/a 'verify_peer_status' => CURLOPT_SSL_VERIFYSTATUS," /out/src/Composer/Util/Http/CurlDownloader.php
|
||||||
|
sed -i "/\$options = StreamContextFactory.*/a \$options['ssl']['verify_peer'] = false;" /out/src/Composer/Util/Http/CurlDownloader.php
|
||||||
|
sed -i "/\$options = StreamContextFactory.*/a \$options['ssl']['verify_peer_name'] = false;" /out/src/Composer/Util/Http/CurlDownloader.php
|
||||||
|
sed -i "/\$options = StreamContextFactory.*/a \$options['ssl']['verify_peer_status'] = false;" /out/src/Composer/Util/Http/CurlDownloader.php
|
||||||
|
rm /usr/bin/composer
|
||||||
|
ln -s /out/bin/composer /usr/bin/composer
|
||||||
|
fi
|
||||||
|
EOF
|
||||||
|
|
||||||
|
RUN php /usr/bin/composer config --no-interaction allow-plugins.composer/installers true
|
||||||
|
RUN php /usr/bin/composer install
|
||||||
|
RUN php /usr/bin/composer require --with-all-dependencies --no-interaction \
|
||||||
elasticsearch/elasticsearch:^8.7.0 \
|
elasticsearch/elasticsearch:^8.7.0 \
|
||||||
jakub-onderka/openid-connect-php:^1.0.0 \
|
jakub-onderka/openid-connect-php:^1.0.0 \
|
||||||
aws/aws-sdk-php
|
aws/aws-sdk-php
|
||||||
|
@ -56,9 +75,9 @@ FROM php-base AS php-build
|
||||||
g++ \
|
g++ \
|
||||||
git \
|
git \
|
||||||
make \
|
make \
|
||||||
php8.2 \
|
php8.3 \
|
||||||
php8.2-dev \
|
php8.3-dev \
|
||||||
php8.2-xml \
|
php8.3-xml \
|
||||||
php-pear \
|
php-pear \
|
||||||
libbrotli-dev \
|
libbrotli-dev \
|
||||||
libfuzzy-dev \
|
libfuzzy-dev \
|
||||||
|
@ -67,9 +86,9 @@ FROM php-base AS php-build
|
||||||
libzstd-dev \
|
libzstd-dev \
|
||||||
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
|
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
RUN update-alternatives --set php /usr/bin/php8.2
|
RUN update-alternatives --set php /usr/bin/php8.3
|
||||||
RUN update-alternatives --set php-config /usr/bin/php-config8.2
|
RUN update-alternatives --set php-config /usr/bin/php-config8.3
|
||||||
RUN update-alternatives --set phpize /usr/bin/phpize8.2
|
RUN update-alternatives --set phpize /usr/bin/phpize8.3
|
||||||
|
|
||||||
RUN cp "/usr/lib/$(gcc -dumpmachine)"/libfuzzy.* /usr/lib
|
RUN cp "/usr/lib/$(gcc -dumpmachine)"/libfuzzy.* /usr/lib
|
||||||
RUN pecl channel-update pecl.php.net && \
|
RUN pecl channel-update pecl.php.net && \
|
||||||
|
@ -99,6 +118,8 @@ FROM php-base AS python-build
|
||||||
|
|
||||||
RUN apt-get install -y --no-install-recommends \
|
RUN apt-get install -y --no-install-recommends \
|
||||||
git \
|
git \
|
||||||
|
python3-pip \
|
||||||
|
python3-wheel \
|
||||||
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
|
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
# Download MISP using git in the /var/www/ directory. Remove unnecessary items.
|
# Download MISP using git in the /var/www/ directory. Remove unnecessary items.
|
||||||
|
@ -178,25 +199,28 @@ FROM php-base
|
||||||
gpg-agent \
|
gpg-agent \
|
||||||
mariadb-client \
|
mariadb-client \
|
||||||
rsync \
|
rsync \
|
||||||
|
python3-setuptools \
|
||||||
|
python3-pip \
|
||||||
|
python3-wheel \
|
||||||
# PHP Requirements
|
# PHP Requirements
|
||||||
php8.2 \
|
php8.3 \
|
||||||
php8.2-apcu \
|
php8.3-apcu \
|
||||||
php8.2-curl \
|
php8.3-curl \
|
||||||
php8.2-xml \
|
php8.3-xml \
|
||||||
php8.2-intl \
|
php8.3-intl \
|
||||||
php8.2-bcmath \
|
php8.3-bcmath \
|
||||||
php8.2-mbstring \
|
php8.3-mbstring \
|
||||||
php8.2-mysql \
|
php8.3-mysql \
|
||||||
php8.2-redis \
|
php8.3-redis \
|
||||||
php8.2-gd \
|
php8.3-gd \
|
||||||
php8.2-fpm \
|
php8.3-fpm \
|
||||||
php8.2-zip \
|
php8.3-zip \
|
||||||
php8.2-ldap \
|
php8.3-ldap \
|
||||||
libmagic1 \
|
libmagic1 \
|
||||||
libldap-common \
|
libldap-common \
|
||||||
librdkafka1 \
|
librdkafka1 \
|
||||||
libbrotli1 \
|
libbrotli1 \
|
||||||
libsimdjson14 \
|
libsimdjson19 \
|
||||||
libzstd1 \
|
libzstd1 \
|
||||||
ssdeep \
|
ssdeep \
|
||||||
libfuzzy2 \
|
libfuzzy2 \
|
||||||
|
@ -206,11 +230,11 @@ FROM php-base
|
||||||
curl jq \
|
curl jq \
|
||||||
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
|
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
RUN update-alternatives --set php /usr/bin/php8.2
|
RUN update-alternatives --set php /usr/bin/php8.3
|
||||||
|
|
||||||
# Install python modules
|
# Install python modules
|
||||||
COPY --from=python-build /wheels /wheels
|
COPY --from=python-build /wheels /wheels
|
||||||
RUN pip install --no-cache-dir /wheels/*.whl && rm -rf /wheels
|
RUN pip install --break-system-packages --no-cache-dir /wheels/*.whl && rm -rf /wheels
|
||||||
|
|
||||||
# PHP: install prebuilt libraries, then install the app's PHP deps
|
# PHP: install prebuilt libraries, then install the app's PHP deps
|
||||||
COPY --from=php-build ["/usr/lib/php/${PHP_VER}/ssdeep.so", "/usr/lib/php/${PHP_VER}/rdkafka.so", "/usr/lib/php/${PHP_VER}/brotli.so", "/usr/lib/php/${PHP_VER}/simdjson.so", "/usr/lib/php/${PHP_VER}/zstd.so", "/usr/lib/php/${PHP_VER}/"]
|
COPY --from=php-build ["/usr/lib/php/${PHP_VER}/ssdeep.so", "/usr/lib/php/${PHP_VER}/rdkafka.so", "/usr/lib/php/${PHP_VER}/brotli.so", "/usr/lib/php/${PHP_VER}/simdjson.so", "/usr/lib/php/${PHP_VER}/zstd.so", "/usr/lib/php/${PHP_VER}/"]
|
||||||
|
@ -222,12 +246,11 @@ FROM php-base
|
||||||
COPY --from=composer-build --chown=www-data:www-data --chmod=0550 /tmp/Plugin /var/www/MISP/app/Plugin
|
COPY --from=composer-build --chown=www-data:www-data --chmod=0550 /tmp/Plugin /var/www/MISP/app/Plugin
|
||||||
|
|
||||||
# 'setuptools' is needed at runtime by 'mixbox'
|
# 'setuptools' is needed at runtime by 'mixbox'
|
||||||
RUN pip install setuptools
|
RUN cp /usr/lib/python3/dist-packages/setuptools/_distutils/version.py \
|
||||||
RUN cp /usr/local/lib/python3.12/site-packages/setuptools/_distutils/version.py \
|
/usr/local/lib/python3.12/dist-packages/mixbox/distutils_version.py
|
||||||
/usr/local/lib/python3.12/site-packages/mixbox/distutils_version.py
|
|
||||||
RUN sed -i 's/from distutils\.version/from mixbox.distutils_version/' \
|
RUN sed -i 's/from distutils\.version/from mixbox.distutils_version/' \
|
||||||
/usr/local/lib/python3.12/site-packages/mixbox/parser.py
|
/usr/local/lib/python3.12/dist-packages/mixbox/parser.py
|
||||||
RUN pip uninstall -y setuptools pip
|
RUN apt-get remove --purge python3-pip python3-wheel python3-setuptools -y
|
||||||
|
|
||||||
# Gather these in one layer, only act on actual directories under /etc/php/
|
# Gather these in one layer, only act on actual directories under /etc/php/
|
||||||
RUN <<-EOF
|
RUN <<-EOF
|
||||||
|
|
|
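Review bot: The arm64 branch of the `RUN <<-EOF` block in the composer-build stage (the three `sed` lines that set `verify_peer`, `verify_peer_name` and `verify_peer_status` to `false` in `CurlDownloader.php`) switches off certificate, hostname and OCSP verification for every Composer download on `linux/arm64`, not only for the `api.github.com` redirect the README describes, so the whole PHP dependency set of the arm64 image is fetched with no transport integrity. Because the stage downloads only `composer.json` from upstream and then runs `composer install` and `composer require` with no `composer.lock`, the resolved versions are not pinned either, which leaves nothing to check those packages against; fetching upstream's `composer.lock` next to `composer.json`, if MISP ships one for that tag, would at least pin the versions and any `dist.shasum` values Composer verifies. The workaround should announce itself in the build log, e.g. `echo 'WARNING: Composer TLS verification disabled for linux/arm64 (curl#14154)' >&2` inside the `if`, and the heredoc should begin with `set -e` so a failed `php -r` extraction or `sed` does not leave a half-patched Composer symlinked at `/usr/bin/composer`. `FROM "${DOCKER_HUB_PROXY}ubuntu:24.04"` in the first hunk is tag-pinned only; given that the stated motivation is CVE reduction, pinning the digest (`ubuntu:24.04@sha256:<digest>`) would make rebuilds reproducible and the scanned image the one that actually ships.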
@ -34,7 +34,7 @@ change_php_vars() {
|
||||||
echo "Configure PHP | Change PHP values ..." && change_php_vars
|
echo "Configure PHP | Change PHP values ..." && change_php_vars
|
||||||
|
|
||||||
echo "Configure PHP | Starting PHP FPM"
|
echo "Configure PHP | Starting PHP FPM"
|
||||||
/usr/sbin/php-fpm8.2 -R -F & master_pid=$!
|
/usr/sbin/php-fpm8.3 -R -F & master_pid=$!
|
||||||
|
|
||||||
# Wait for it
|
# Wait for it
|
||||||
wait "$master_pid"
|
wait "$master_pid"
|
||||||
|
|
|
@ -23,7 +23,7 @@ location / {
|
||||||
|
|
||||||
location ~ ^/[^/]+\.php(/|$) {
|
location ~ ^/[^/]+\.php(/|$) {
|
||||||
include snippets/fastcgi-php.conf;
|
include snippets/fastcgi-php.conf;
|
||||||
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
|
fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
|
||||||
fastcgi_read_timeout 300s;
|
fastcgi_read_timeout 300s;
|
||||||
fastcgi_send_timeout 300s;
|
fastcgi_send_timeout 300s;
|
||||||
fastcgi_connect_timeout 300s;
|
fastcgi_connect_timeout 300s;
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
ARG DOCKER_HUB_PROXY=""
|
ARG DOCKER_HUB_PROXY=""
|
||||||
|
|
||||||
FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm" AS python-build
|
FROM "${DOCKER_HUB_PROXY}ubuntu:24.04" AS python-build
|
||||||
ENV DEBIAN_FRONTEND noninteractive
|
ENV DEBIAN_FRONTEND noninteractive
|
||||||
ARG MODULES_TAG
|
ARG MODULES_TAG
|
||||||
ARG MODULES_COMMIT
|
ARG MODULES_COMMIT
|
||||||
|
@ -14,6 +14,9 @@ FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm" AS python-build
|
||||||
ca-certificates \
|
ca-certificates \
|
||||||
cmake \
|
cmake \
|
||||||
git \
|
git \
|
||||||
|
python3-dev \
|
||||||
|
python3-pip \
|
||||||
|
python3-wheel \
|
||||||
build-essential \
|
build-essential \
|
||||||
libpoppler-cpp-dev \
|
libpoppler-cpp-dev \
|
||||||
libfuzzy-dev \
|
libfuzzy-dev \
|
||||||
|
@ -35,8 +38,8 @@ FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm" AS python-build
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
WORKDIR /srv/misp-modules
|
WORKDIR /srv/misp-modules
|
||||||
RUN pip install poetry
|
RUN pip install --break-system-packages poetry
|
||||||
RUN sed -i "s/^python = .*/python = \"$(python -c 'import platform; print(platform.python_version())')\"/" pyproject.toml
|
RUN sed -i "s/^python = .*/python = \"$(python3 -c 'import platform; print(platform.python_version())')\"/" pyproject.toml
|
||||||
RUN poetry lock
|
RUN poetry lock
|
||||||
RUN poetry self add poetry-plugin-export
|
RUN poetry self add poetry-plugin-export
|
||||||
RUN poetry export --with unstable --without-hashes -f requirements.txt -o requirements.txt
|
RUN poetry export --with unstable --without-hashes -f requirements.txt -o requirements.txt
|
||||||
|
@ -65,7 +68,7 @@ EOF
|
||||||
RUN rm -rf /srv/faup
|
RUN rm -rf /srv/faup
|
||||||
|
|
||||||
|
|
||||||
FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm"
|
FROM "${DOCKER_HUB_PROXY}ubuntu:24.04"
|
||||||
ENV DEBIAN_FRONTEND noninteractive
|
ENV DEBIAN_FRONTEND noninteractive
|
||||||
|
|
||||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||||
|
@ -78,18 +81,19 @@ FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm"
|
||||||
libxml2 \
|
libxml2 \
|
||||||
libxslt1.1 \
|
libxslt1.1 \
|
||||||
libzbar0 \
|
libzbar0 \
|
||||||
|
python3-pip \
|
||||||
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
|
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
COPY --from=python-build /wheels /wheels
|
COPY --from=python-build /wheels /wheels
|
||||||
COPY --from=python-build /usr/local/lib/libfaupl* /usr/local/lib/
|
COPY --from=python-build /usr/local/lib/libfaupl* /usr/local/lib/
|
||||||
RUN ldconfig
|
RUN ldconfig
|
||||||
RUN pip install --no-cache-dir --use-deprecated=legacy-resolver /wheels/*.whl && rm -rf /wheels
|
RUN pip install --break-system-packages --no-cache-dir --use-deprecated=legacy-resolver /wheels/*.whl && rm -rf /wheels
|
||||||
RUN pip uninstall -y pip
|
RUN apt-get remove --purge python3-pip python3-setuptools -y
|
||||||
|
|
||||||
# Since we compile faup ourselves and lua is not required anymore, we can load our own library
|
# Since we compile faup ourselves and lua is not required anymore, we can load our own library
|
||||||
# and skip the pre-compiled blob to improve compatibility with other architectures like ARM
|
# and skip the pre-compiled blob to improve compatibility with other architectures like ARM
|
||||||
RUN sed -i s/LoadLibrary\(LOAD_LIB\)/LoadLibrary\(\"\\/usr\\/local\\/lib\\/libfaupl.so\"\)/ \
|
RUN sed -i s/LoadLibrary\(LOAD_LIB\)/LoadLibrary\(\"\\/usr\\/local\\/lib\\/libfaupl.so\"\)/ \
|
||||||
/usr/local/lib/python3.12/site-packages/pyfaup/__init__.py
|
/usr/local/lib/python3.12/dist-packages/pyfaup/__init__.py
|
||||||
|
|
||||||
# Disable (all) warnings raised when using 'future'
|
# Disable (all) warnings raised when using 'future'
|
||||||
RUN sed -i '/import sys/a import warnings\nwarnings.warn = lambda *args, **kwargs: None' \
|
RUN sed -i '/import sys/a import warnings\nwarnings.warn = lambda *args, **kwargs: None' \
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
|
|
||||||
CORE_TAG=v2.5.1
|
CORE_TAG=v2.5.1
|
||||||
MODULES_TAG=v2.4.198
|
MODULES_TAG=v2.4.198
|
||||||
PHP_VER=20220829
|
PHP_VER=20230831
|
||||||
LIBFAUP_COMMIT=3a26d0a
|
LIBFAUP_COMMIT=3a26d0a
|
||||||
|
|
||||||
# PYPY_* vars take precedence over MISP's
|
# PYPY_* vars take precedence over MISP's
|
||||||
|
|