misp-docker/core/Dockerfile

270 lines
10 KiB
Docker

ARG DOCKER_HUB_PROXY=""
FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm" AS php-base
ENV DEBIAN_FRONTEND noninteractive
# Uncomment when building in corporate environments
# COPY ./rootca.crt /usr/local/share/ca-certificates/rootca.pem
# COPY ./rootca.crt /usr/lib/ssl/cert.pem
RUN apt-get update; apt-get install -y --no-install-recommends \
lsb-release \
ca-certificates \
curl
RUN curl -sSLo /tmp/debsuryorg-archive-keyring.deb https://packages.sury.org/debsuryorg-archive-keyring.deb
RUN dpkg -i /tmp/debsuryorg-archive-keyring.deb
RUN echo "deb [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list
RUN apt-get update
FROM php-base AS composer-build
ENV DEBIAN_FRONTEND noninteractive
ENV COMPOSER_ALLOW_SUPERUSER 1
ARG CORE_TAG
ARG CORE_COMMIT
RUN apt-get install -y --no-install-recommends \
php7.4 \
php7.4-apcu \
php7.4-curl \
php7.4-xml \
php7.4-intl \
php7.4-bcmath \
php7.4-mbstring \
php7.4-mysql \
php7.4-redis \
php7.4-gd \
php7.4-fpm \
php7.4-zip \
unzip \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
WORKDIR /tmp
ADD https://raw.githubusercontent.com/MISP/MISP/${CORE_COMMIT:-${CORE_TAG}}/app/composer.json /tmp
COPY --from=composer:latest /usr/bin/composer /usr/bin/composer
RUN composer config --no-interaction allow-plugins.composer/installers true
RUN composer install
RUN composer require --with-all-dependencies --no-interaction \
supervisorphp/supervisor:^4.0 \
guzzlehttp/guzzle:^7.4.5 \
lstrojny/fxmlrpc \
php-http/message \
php-http/message-factory \
# docker image specific dependencies
elasticsearch/elasticsearch:^8.7.0 \
jakub-onderka/openid-connect-php:^1.0.0 \
aws/aws-sdk-php
FROM php-base AS php-build
ENV DEBIAN_FRONTEND noninteractive
ENV TZ Etc/UTC
RUN apt-get install -y --no-install-recommends \
gcc \
g++ \
make \
php7.4 \
php7.4-dev \
php7.4-xml \
php-pear \
libbrotli-dev \
libfuzzy-dev \
librdkafka-dev \
libsimdjson-dev \
libzstd-dev \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
RUN update-alternatives --set php /usr/bin/php7.4
RUN update-alternatives --set php-config /usr/bin/php-config7.4
RUN update-alternatives --set phpize /usr/bin/phpize7.4
RUN cp "/usr/lib/$(gcc -dumpmachine)"/libfuzzy.* /usr/lib
RUN pecl channel-update pecl.php.net && \
pecl install ssdeep && \
pecl install rdkafka && \
pecl install simdjson && \
pecl install zstd && \
pecl install brotli
FROM php-base AS python-build
ENV DEBIAN_FRONTEND noninteractive
ARG CORE_TAG
ARG CORE_COMMIT
ARG PYPI_REDIS_VERSION
ARG PYPI_LIEF_VERSION
ARG PYPI_PYDEEP2_VERSION
ARG PYPI_PYTHON_MAGIC_VERSION
ARG PYPI_MISP_LIB_STIX2_VERSION
ARG PYPI_MAEC_VERSION
ARG PYPI_MIXBOX_VERSION
ARG PYPI_CYBOX_VERSION
ARG PYPI_PYMISP_VERSION
ARG PYPI_MISP_STIX_VERSION
RUN apt-get install -y --no-install-recommends \
git \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
# Download MISP using git in the /var/www/ directory. Remove unnecessary items.
RUN <<-EOF
if [ ! -z "${CORE_COMMIT}" ]; then
git clone https://github.com/MISP/MISP.git /var/www/MISP && cd /var/www/MISP && git checkout "${CORE_COMMIT}"
else
git clone --branch "${CORE_TAG}" --depth 1 https://github.com/MISP/MISP.git /var/www/MISP
fi
cd /var/www/MISP || exit; git submodule update --init --recursive .
EOF
RUN <<-EOF
mkdir /wheels
# Add additional dependencies (container specific)
# The "set" line contains the list of modules we want to ensure are present.
# PYPI_MODULE_NAME_VERSION env vars can be set to specify the version desired,
# e.g. PYPI_SURICATA_VERSION="==2.0" to specify exactly version 2.0 for the suricata package
#
# 1. Check for presence of each module in requirements.txt
# 2. If missing, add it (with optional version from env (defaults to empty string))
# 3. If present, replace with our specified version if it exists, otherwise leave
# the upstream version alone.
set -- "redis" "lief" "pydeep2" "python-magic" "misp-lib-stix2" "maec" "mixbox" "cybox" "pymisp" "misp-stix"
for mod in "$@"; do
mod_version_var=$(echo "PYPI_${mod}_VERSION" | tr '[:lower:]' '[:upper:]' | tr '-' '_')
mod_version=$(eval "echo \"\$$mod_version_var\"")
grep -q ${mod} /var/www/MISP/requirements.txt
exists=$?
if [ "${exists}" -eq "1" ]; then
echo "Adding missing module ${mod} with version '${mod_version}'"
echo ${mod}${mod_version} >> /var/www/MISP/requirements.txt
else
if [ "$(echo ${mod_version} | wc -m)" -gt 1 ]; then
echo "Overwriting existing module ${mod}, version '${mod_version}'"
sed -i "/${mod}/s/.*/${mod}${mod_version}/" /var/www/MISP/requirements.txt
else
echo "Skipping overwriting ${mod} due to missing version variable"
fi
fi
done;
pip wheel --no-cache-dir -w /wheels/ -r /var/www/MISP/requirements.txt
# Remove files we do not care for
find /var/www/MISP/INSTALL/* ! -name 'MYSQL.sql' -type f -exec rm {} +
find /var/www/MISP/INSTALL/* ! -name 'MYSQL.sql' -type l -exec rm {} +
# Remove most files in .git - we do not use git functionality in docker
find /var/www/MISP/.git/* ! -name HEAD -exec rm -rf {} +
# Remove libraries submodules
rm -r /var/www/MISP/PyMISP
rm -r /var/www/MISP/app/files/scripts/cti-python-stix2
rm -r /var/www/MISP/app/files/scripts/misp-stix
rm -r /var/www/MISP/app/files/scripts/mixbox
rm -r /var/www/MISP/app/files/scripts/python-cybox
rm -r /var/www/MISP/app/files/scripts/python-maec
rm -r /var/www/MISP/app/files/scripts/python-stix
EOF
FROM php-base
ENV DEBIAN_FRONTEND noninteractive
ARG CORE_TAG
ARG CORE_COMMIT
ARG PHP_VER
RUN apt-get install -y --no-install-recommends \
gettext \
procps \
sudo \
nginx \
supervisor \
cron \
openssl \
gpg \
gpg-agent \
mariadb-client \
rsync \
# PHP Requirements
php7.4 \
php7.4-apcu \
php7.4-curl \
php7.4-xml \
php7.4-intl \
php7.4-bcmath \
php7.4-mbstring \
php7.4-mysql \
php7.4-redis \
php7.4-gd \
php7.4-fpm \
php7.4-zip \
php7.4-ldap \
libmagic1 \
libldap-common \
librdkafka1 \
libbrotli1 \
libsimdjson14 \
libzstd1 \
ssdeep \
libfuzzy2 \
# Unsure we need these
zip unzip \
# Require for advanced an unattended configuration
curl jq \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
RUN update-alternatives --set php /usr/bin/php7.4
# Install python modules
COPY --from=python-build /wheels /wheels
RUN pip install --no-cache-dir /wheels/*.whl && rm -rf /wheels
RUN pip uninstall -y pip
# PHP: install prebuilt libraries, then install the app's PHP deps
COPY --from=php-build ["/usr/lib/php/${PHP_VER}/ssdeep.so", "/usr/lib/php/${PHP_VER}/rdkafka.so", "/usr/lib/php/${PHP_VER}/brotli.so", "/usr/lib/php/${PHP_VER}/simdjson.so", "/usr/lib/php/${PHP_VER}/zstd.so", "/usr/lib/php/${PHP_VER}/"]
# Do an early chown to limit image size
COPY --from=python-build --chown=www-data:www-data --chmod=0550 /var/www/MISP /var/www/MISP
COPY --from=composer-build --chown=www-data:www-data --chmod=0550 /tmp/composer.lock /var/www/MISP/app/composer.lock
COPY --from=composer-build --chown=www-data:www-data --chmod=0550 /tmp/Vendor /var/www/MISP/app/Vendor
COPY --from=composer-build --chown=www-data:www-data --chmod=0550 /tmp/Plugin /var/www/MISP/app/Plugin
# Gather these in one layer, only act on actual directories under /etc/php/
RUN <<-EOF
set -- "ssdeep" "rdkafka" "brotli" "simdjson" "zstd"
for mod in "$@"; do
for dir in /etc/php/*/; do
echo "extension=${mod}.so" > "${dir}mods-available/${mod}.ini"
done;
phpenmod "${mod}"
done;
phpenmod redis
EOF
# nginx
RUN rm /etc/nginx/sites-enabled/*; mkdir -p /run/php /etc/nginx/certs
# Make a copy of the file and configuration stores, so we can sync from it
# The spirit of the upstream dockerization is to make:
# 1) User and group aligned in terms of permissions
# 2) Files executable and read only, because of some rogue scripts like 'cake'
# 3) Directories writable, because sometimes MISP add new files
RUN <<-EOF
cp -R /var/www/MISP/app/files /var/www/MISP/app/files.dist
cp -R /var/www/MISP/app/Config /var/www/MISP/app/Config.dist
find /var/www/MISP \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data '{}' +;
find /var/www/MISP -not -perm 550 -type f -exec chmod 0550 '{}' +;
find /var/www/MISP -not -perm 770 -type d -exec chmod 0770 '{}' +;
# Diagnostics wants this file to be present and writable even if we do not use git in docker land
touch /var/www/MISP/.git/ORIG_HEAD && chmod 0600 /var/www/MISP/.git/ORIG_HEAD && chown www-data:www-data /var/www/MISP/.git/ORIG_HEAD
EOF
# Copy all our image specific files to appropriate locations
COPY files/ /
ENTRYPOINT [ "/entrypoint.sh" ]
# Change Workdirectory
WORKDIR /var/www/MISP