MISP Docker (XME edition)
 
 
 
shieldsurge b31b83013e
Add AadAuth support in configure_misp.sh
Add support for enabling Azure AD (aka Entra) authentication via the configure_misp.sh script. The function to enable Azure AD auth mirrors the code in the existing functions to enable OIDC and LDAP auth.

Environment variables are provided to configure available options in the AadAuth plugin:
https://github.com/MISP/MISP/tree/2.4/app/Plugin/AadAuth

This commit addresses issue "AAD Auth not working" #34.
https://github.com/MISP/misp-docker/issues/34
2024-04-04 23:01:47 -04:00
.github/workflows Rename variable 'HOSTNAME' to 'BASE_URL' 2023-12-22 11:02:20 +01:00
core Add AadAuth support in configure_misp.sh 2024-04-04 23:01:47 -04:00
modules Fix build arguments and pin pymisp (#28) 2023-09-17 12:37:02 +01:00
.gitignore Finalize package split 2023-12-07 22:25:21 +00:00
LICENSE Create LICENSE 2020-01-29 10:29:24 -05:00
README.md Add ApacheSecureAuth configuration option 2024-02-21 17:04:41 +00:00
docker-bake.hcl Make variable names consistent 2023-12-08 08:45:49 +00:00
docker-compose.yml Bump version and fix bugs 2024-03-08 10:43:28 +00:00
template.env Fix permission bug and bump version 2024-03-24 15:32:21 +00:00

README.md

MISP Docker images


A production-ready Docker MISP image (formerly hosted at https://github.com/ostefano/docker-misp, now deprecated) loosely based on the CoolAcid and DSCO builds, with nearly all logic rewritten and verified for correctness and portability.

Notable features:

  • MISP and MISP modules are split into two different Docker images, misp-core and misp-modules
  • Docker images are pushed regularly, no build required
  • Lightweight Docker images by using multiple build stages and a slim parent image
  • Rely on off the shelf Docker images for Exim4, Redis, and MariaDB
  • Cron jobs run updates, pushes, and pulls
  • Fix supervisord process control (processes are correctly terminated upon reload)
  • Fix schema update by making it completely offline (no user interaction required)
  • Fix enforcement of permissions
  • Fix MISP modules loading of faup library
  • Fix MISP modules loading of gl library
  • Add support for new background job system
  • Add support for building specific MISP and MISP-modules commits
  • Add automatic configuration of syncservers (see configure_misp.sh)
  • Add automatic configuration of authentication keys (see configure_misp.sh)
  • Add direct push of docker images to GitHub Packages
  • Consolidated docker-compose.yml file
  • Workaround for a VirtioFS bug when running Docker Desktop for Mac
  • ... and many others

The underlying spirit of this project is to allow "repeatable deployments", and all pull requests in this direction will be merged post-haste.

Getting Started

  • Copy the template.env to .env
  • Customize .env based on your needs (optional step)

Run

  • docker-compose pull if you want to use pre-built images or docker-compose build if you want to build your own (see the Troubleshooting section in case of errors)
  • docker-compose up
  • Log in to https://localhost
    • User: admin@admin.test
    • Password: admin

Keeping the image up-to-date with upstream should be as simple as running docker-compose pull.

Configuration

The docker-compose.yml file allows further configuration settings:

"MYSQL_HOST=db"
"MYSQL_USER=misp"
"MYSQL_PASSWORD=example"    # NOTE: This should be AlphaNum with no Special Chars. Otherwise, edit config files after first run.
"MYSQL_DATABASE=misp"
"MISP_MODULES_FQDN=http://misp-modules" # Set the MISP Modules FQDN, used for Enrichment_services_url/Import_services_url/Export_services_url
"WORKERS=1"                 # Legacy variable controlling the number of parallel workers (use variables below instead)
"NUM_WORKERS_DEFAULT=5"     # To set the number of default workers
"NUM_WORKERS_PRIO=5"        # To set the number of prio workers
"NUM_WORKERS_EMAIL=5"       # To set the number of email workers
"NUM_WORKERS_UPDATE=1"      # To set the number of update workers
"NUM_WORKERS_CACHE=5"       # To set the number of cache workers

New options are added on a regular basis.
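
A pre-flight check for the MYSQL_PASSWORD note above, as an added example (not part of this repository): it reports a password that is still the listed default or that contains non-alphanumeric characters. The function names, the status words and the sample file are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: check MYSQL_PASSWORD before the first "docker-compose up".

# Print the value of KEY ($2) from FILE ($1). Accepts the quoted compose form
# ("KEY=VALUE"  # comment) and the plain .env form (KEY=VALUE). An unquoted
# value runs to the end of the line, so trailing text is reported, not guessed.
misp_env_value() (
    key=$2
    sed -n -E \
        -e "s/^[[:space:]]*(-[[:space:]]+)?\"${key}=([^\"]*)\".*/\2/p" \
        -e "s/^[[:space:]]*(-[[:space:]]+)?${key}=(.*[^[:space:]])[[:space:]]*\$/\2/p" \
        "$1" | tail -n 1
)

# Print a verdict for MYSQL_PASSWORD in FILE ($1); non-zero status on a finding.
check_mysql_password() {
    pw=$(misp_env_value "$1" MYSQL_PASSWORD)
    case $pw in
        "")              echo missing; return 3 ;;
        example)         echo default; return 1 ;;           # value from the listing
        *[!A-Za-z0-9]*)  echo non-alphanumeric; return 2 ;;  # breaks first-run config
        *)               echo ok ;;
    esac
}

# Constructed sample in the quoted form used by the listing above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
      - "MYSQL_USER=misp"
      - "MYSQL_PASSWORD=example"    # still the default
EOF
echo "MYSQL_PASSWORD: $(check_mysql_password "$sample")"
rm -f "$sample"
```
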

Production

  • It is recommended to specify the build you want to run by editing docker-compose.yml (see https://github.com/orgs/MISP/packages for the list of available tags)
  • Directory volume mount SSL Certs ./ssl: /etc/ssl/certs
    • Certificate File: cert.pem
    • Certificate Key File: key.pem
    • CA File for Cert Authentication (optional) ca.pem
  • Additional directory volume mounts:
    • ./configs: /var/www/MISP/app/Config/
    • ./logs: /var/www/MISP/app/tmp/logs/
    • ./files: /var/www/MISP/app/files/
    • ./gnupg: /var/www/MISP/.gnupg/
  • If you need to automatically run additional steps each time the container starts, create a new file files/customize_misp.sh, and replace the variable ${CUSTOM_PATH} inside docker-compose.yml with its parent path.

Installing custom root CA certificates

Custom root CA certificates can be mounted under /usr/local/share/ca-certificates and will be installed during the misp-core container start.

Note: It is important to have the .crt extension on the file, otherwise it will not be processed.

  misp-core:
    # ...
    volumes:
      - "./configs/:/var/www/MISP/app/Config/"
      - "./logs/:/var/www/MISP/app/tmp/logs/"
      - "./files/:/var/www/MISP/app/files/"
      - "./ssl/:/etc/nginx/certs/"
      - "./gnupg/:/var/www/MISP/.gnupg/"
      # customize by replacing ${CUSTOM_PATH} with a path containing 'files/customize_misp.sh'
      # - "${CUSTOM_PATH}/:/custom/"
      # mount custom ca root certificates
      - "./rootca.pem:/usr/local/share/ca-certificates/rootca.crt"

Troubleshooting

  • Make sure you run a fairly recent version of Docker and Docker Compose (if in doubt, update following the steps outlined in https://docs.docker.com/engine/install/ubuntu/)
  • Some Linux distributions provide a recent version of Docker but a legacy version of Docker Compose, so you can try running docker compose instead of docker-compose
  • Make sure you are not running an old image or container; when in doubt run docker system prune --volumes and clone this repository into an empty directory

Versioning

A GitHub Action builds both misp-core and misp-modules images automatically and pushes them to the GitHub Package registry. We do not use tags inside the repository; instead we tag images as they are pushed to the registry. For each build, misp-core and misp-modules images are tagged as follows:

  • misp-core:${commit-sha1}[0:7] and misp-modules:${commit-sha1}[0:7] where ${commit-sha1} is the commit hash triggering the build
  • misp-core:latest and misp-modules:latest in order to track the latest builds available
  • misp-core:${CORE_TAG} and misp-modules:${MODULES_TAG} reflecting the underlying version of MISP and MISP modules (as specified inside the template.env file at build time)
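
To go with the Production recommendation to specify the build, the following added example (not part of this repository) classifies image references by the three tag schemes above and lists the ones in a compose file that can change between pulls. The registry name registry.example, the function names and the sample file are assumptions; the commit tag is the first seven characters of the commit shown at the top of this page.

```shell
#!/bin/sh
# Added example: find image references that are not pinned to a specific build.

# Classify one image reference: latest, commit (7 hex chars), version, untagged.
# A version tag that happens to be 7 hex characters is reported as "commit".
classify_image_tag() {
    last=${1##*/}    # last path component, so a registry port is not read as a tag
    case $last in
        *:*) tag=${last##*:} ;;
        *)   echo untagged; return 0 ;;
    esac
    case $tag in
        latest) echo latest ;;
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]) echo commit ;;
        *) echo version ;;
    esac
}

# Print every "image:" reference in FILE ($1) tagged latest or left untagged.
floating_images() {
    sed -n -E 's/^[[:space:]]*image:[[:space:]]*["'\'']?([^"'\''#[:space:]]+).*/\1/p' "$1" |
    while IFS= read -r ref; do
        case $(classify_image_tag "$ref") in
            latest|untagged) echo "$ref" ;;
        esac
    done
}

# Constructed sample compose fragment (not this repository's docker-compose.yml).
sample=$(mktemp)
cat > "$sample" <<'EOF'
services:
  misp-core:
    image: registry.example/misp-core:latest
  misp-modules:
    image: "registry.example:5000/misp-modules:b31b830"
  db:
    image: mariadb
EOF
echo "Not pinned:"; floating_images "$sample"
rm -f "$sample"
```
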