Update to debian bookworm and python 3.12 #91

Closed
wants to merge 1 commit into from
134 changes: 81 additions & 53 deletions core/Dockerfile
@@ -1,25 +1,42 @@
ARG DOCKER_HUB_PROXY=""

FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as composer-build

FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm" as php-base
ENV DEBIAN_FRONTEND noninteractive

# Uncomment when building in corporate environments
# COPY ./rootca.crt /usr/local/share/ca-certificates/rootca.pem
# COPY ./rootca.crt /usr/lib/ssl/cert.pem

RUN apt-get update; apt-get install -y --no-install-recommends \
lsb-release \
ca-certificates \
curl
RUN curl -sSLo /tmp/debsuryorg-archive-keyring.deb https://packages.sury.org/debsuryorg-archive-keyring.deb
RUN dpkg -i /tmp/debsuryorg-archive-keyring.deb
RUN echo "deb [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list
RUN apt-get update


FROM php-base as composer-build
ENV DEBIAN_FRONTEND noninteractive
ENV COMPOSER_ALLOW_SUPERUSER 1
ARG CORE_TAG
ARG CORE_COMMIT

RUN apt-get update; apt-get install -y --no-install-recommends \
ca-certificates \
php \
php-apcu \
php-curl \
php-xml \
php-intl \
php-bcmath \
php-mbstring \
php-mysql \
php-redis \
php-gd \
php-fpm \
php-zip \
RUN apt-get install -y --no-install-recommends \
php7.4 \
php7.4-apcu \
php7.4-curl \
php7.4-xml \
php7.4-intl \
php7.4-bcmath \
php7.4-mbstring \
php7.4-mysql \
php7.4-redis \
php7.4-gd \
php7.4-fpm \
php7.4-zip \
unzip \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*

Expand All @@ -39,31 +56,43 @@ FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as composer-build
jakub-onderka/openid-connect-php:^1.0.0 \
aws/aws-sdk-php

FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as php-build

FROM php-base as php-build
ENV DEBIAN_FRONTEND noninteractive
ENV TZ Etc/UTC

RUN apt-get update; apt-get install -y --no-install-recommends \
RUN apt-get install -y --no-install-recommends \
gcc \
g++ \
make \
php7.4 \
php7.4-dev \
php7.4-xml \
libfuzzy-dev \
ca-certificates \
php \
php-dev \
php-xml \
php-pear \
librdkafka-dev \
libsimdjson-dev \
libzstd-dev \
git \
php-pear \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*

RUN cp "/usr/lib/$(gcc -dumpmachine)"/libfuzzy.* /usr/lib; pecl channel-update pecl.php.net && pecl install ssdeep && pecl install rdkafka && pecl install simdjson && pecl install zstd
RUN git clone --recursive --depth=1 https://github.com/kjdev/php-ext-brotli.git && \
cd php-ext-brotli && phpize && ./configure && make && make install
RUN apt-cache search pecl

RUN update-alternatives --set php /usr/bin/php7.4
RUN update-alternatives --set php-config /usr/bin/php-config7.4
RUN update-alternatives --set phpize /usr/bin/phpize7.4

RUN cp "/usr/lib/$(gcc -dumpmachine)"/libfuzzy.* /usr/lib
RUN pecl channel-update pecl.php.net && \
pecl install ssdeep && \
pecl install rdkafka && \
pecl install simdjson && \
pecl install zstd
RUN git clone --recursive --depth=1 https://github.com/kjdev/php-ext-brotli.git && \
cd php-ext-brotli && phpize && ./configure && make && make install

FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as python-build

FROM php-base as python-build
ENV DEBIAN_FRONTEND noninteractive
ARG CORE_TAG
ARG CORE_COMMIT
Expand All @@ -77,8 +106,7 @@ FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as python-build
ARG PYPI_CYBOX_VERSION
ARG PYPI_PYMISP_VERSION

RUN apt-get update; apt-get install -y --no-install-recommends \
python3-pip \
RUN apt-get install -y --no-install-recommends \
git \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*

Expand Down Expand Up @@ -124,7 +152,7 @@ EOF
fi
done;

pip3 wheel --no-cache-dir -w /wheels/ -r /var/www/MISP/requirements.txt
pip wheel --no-cache-dir -w /wheels/ -r /var/www/MISP/requirements.txt

# Remove files we do not care for
rm -r /var/www/MISP/PyMISP
Expand All @@ -134,13 +162,14 @@ EOF
find /var/www/MISP/.git/* ! -name HEAD -exec rm -rf {} +
EOF

FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim"

FROM php-base
ENV DEBIAN_FRONTEND noninteractive
ARG CORE_TAG
ARG CORE_COMMIT
ARG PHP_VER

RUN apt-get update; apt-get install -y --no-install-recommends \
RUN apt-get install -y --no-install-recommends \
gettext \
procps \
sudo \
Expand All @@ -150,42 +179,41 @@ FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim"
openssl \
gpg \
gpg-agent \
ssdeep \
libfuzzy2 \
mariadb-client \
rsync \
# Python Requirements
python3 \
python3-setuptools \
python3-pip \
# PHP Requirements
php \
php-apcu \
php-curl \
php-xml \
php-intl \
php-bcmath \
php-mbstring \
php-mysql \
php-redis \
php-gd \
php-fpm \
php-zip \
php-ldap \
php7.4 \
php7.4-apcu \
php7.4-curl \
php7.4-xml \
php7.4-intl \
php7.4-bcmath \
php7.4-mbstring \
php7.4-mysql \
php7.4-redis \
php7.4-gd \
php7.4-fpm \
php7.4-zip \
php7.4-ldap \
libmagic1 \
libldap-common \
librdkafka1 \
libbrotli1 \
libsimdjson5 \
libsimdjson14 \
libzstd1 \
ssdeep \
libfuzzy2 \
# Unsure we need these
zip unzip \
# Require for advanced an unattended configuration
curl jq \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*

RUN update-alternatives --set php /usr/bin/php7.4

# Install python modules
COPY --from=python-build /wheels /wheels
RUN pip3 install --no-cache-dir /wheels/*.whl && rm -rf /wheels
RUN pip install --no-cache-dir /wheels/*.whl && rm -rf /wheels

# PHP: install prebuilt libraries, then install the app's PHP deps
COPY --from=php-build ["/usr/lib/php/${PHP_VER}/ssdeep.so", "/usr/lib/php/${PHP_VER}/rdkafka.so", "/usr/lib/php/${PHP_VER}/brotli.so", "/usr/lib/php/${PHP_VER}/simdjson.so", "/usr/lib/php/${PHP_VER}/zstd.so", "/usr/lib/php/${PHP_VER}/"]
Expand All @@ -208,7 +236,7 @@ FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim"
EOF

# nginx
RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php /etc/nginx/certs
RUN rm /etc/nginx/sites-enabled/*; mkdir -p /run/php /etc/nginx/certs

# Make a copy of the file and configuration stores, so we can sync from it

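Review bot: The sury keyring added in the new php-base stage (first hunk, `@@ -1,25 +1,42 @@`) is fetched with `curl -sSLo` and installed with `dpkg -i` without any integrity check, and from then on that key authenticates every PHP package in all four stages, so a tampered or substituted download hands the build a trusted but attacker-chosen signing key. Pinning a sha256 for the `.deb` and verifying it before `dpkg -i` (rewrite below; `ADD --checksum=sha256:…` is the BuildKit alternative) closes that, and the archive should be removed in the same layer rather than left in `/tmp`. Since the final stage now starts `FROM php-base` (hunk `@@ -134,13 +162,14 @@`), `curl`, `lsb-release`, the third-party apt source and `ENV DEBIAN_FRONTEND noninteractive` all carry into the runtime image, which the previous `debian:bullseye-slim` final stage avoided; a separate slim runtime base, or removing those tools at the end of the final stage, keeps the runtime surface as it was. The `php`/`php-*` metapackages that replace `php7.4*` are unpinned, so the sury `php` meta can move to a new PHP series between builds while the extension path `/usr/lib/php/${PHP_VER}/` in the `COPY --from=php-build` line stays fixed — pinning an explicit `php8.x` series keeps the two in step. The php-base `apt-get update; apt-get install` also joins the two commands with `;`, so a failed index refresh is silently ignored; `&&` is the usual form.
```dockerfile
# … unchanged: FROM php-base, apt-get install of lsb-release / ca-certificates / curl …
# Digest of debsuryorg-archive-keyring.deb, pinned when the keyring is updated.
ARG SURY_KEYRING_SHA256="<PLACEHOLDER: sha256 of the pinned keyring .deb>"
RUN curl -fsSLo /tmp/debsuryorg-archive-keyring.deb https://packages.sury.org/debsuryorg-archive-keyring.deb \
    && echo "${SURY_KEYRING_SHA256}  /tmp/debsuryorg-archive-keyring.deb" | sha256sum -c - \
    && dpkg -i /tmp/debsuryorg-archive-keyring.deb \
    && rm -f /tmp/debsuryorg-archive-keyring.deb
# … unchanged: php.list source entry and apt-get update …
```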
54 changes: 34 additions & 20 deletions modules/Dockerfile
@@ -1,6 +1,6 @@
ARG DOCKER_HUB_PROXY=""

FROM "${DOCKER_HUB_PROXY}python:3.11-slim-bullseye" as python-build
FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm" as python-build
ENV DEBIAN_FRONTEND noninteractive
ARG MODULES_TAG
ARG MODULES_COMMIT
Expand All @@ -16,46 +16,60 @@ FROM "${DOCKER_HUB_PROXY}python:3.11-slim-bullseye" as python-build
pkg-config \
libpoppler-cpp-dev \
libfuzzy-dev \
libffi-dev \
libxml2-dev \
libxslt-dev \
libssl-dev \
ninja-build \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*

RUN mkdir /wheels
WORKDIR /srv

RUN <<-EOF
if [ ! -z ${MODULES_COMMIT} ]; then
git clone https://github.com/MISP/misp-modules.git /srv/misp-modules && cd /srv/misp-modules && git checkout ${MODULES_COMMIT}
else
git clone --branch ${MODULES_TAG} --depth 1 https://github.com/MISP/misp-modules.git /srv/misp-modules
fi

cd /srv/misp-modules
sed -i "s/numpy.*/numpy<2/" REQUIREMENTS
echo "pyeti" >> REQUIREMENTS
echo "greynoise" >> REQUIREMENTS
echo "Google-Search-API" >> REQUIREMENTS
pip3 wheel -r REQUIREMENTS --no-cache-dir -w /wheels/
rm -rf /srv/misp-modules
EOF

WORKDIR /srv/misp-modules
RUN pip3 install pipenv
# Pin python = 3.12
RUN sed -i "s/python_version.*/python_version = \"3.12\"/" Pipfile
# Pin numpy < 2.0.0
RUN sed -i "/\[packages\]/a numpy = \"<2.0.0\"" Pipfile
# Add some missing dependencies
RUN sed -i "/\[packages\]/a pysafebrowsing = \"*\"" Pipfile
RUN sed -i "/\[packages\]/a sigmf = \"*\"" Pipfile
RUN sed -i "/\[packages\]/a matplotlib = \"*\"" Pipfile
RUN pipenv lock
RUN pipenv requirements > requirements.txt
RUN pip3 wheel -r requirements.txt --no-cache-dir -w /wheels/

WORKDIR /srv/
RUN rm -rf /srv/misp-modules

RUN <<-EOF
git clone --depth 1 https://github.com/stricaud/faup.git /srv/faup
cd /srv/faup
if [ ! -z ${LIBFAUP_COMMIT} ]; then
git checkout ${LIBFAUP_COMMIT}
fi

cd /srv/faup/build
cmake -G "Ninja" ../
ninja
ninja install
cd /srv/faup/src/lib/bindings/python
pip3 wheel --no-cache-dir --no-dependencies -w /wheels/ .
rm -rf /srv/faup
EOF

WORKDIR /srv/faup/build
RUN cmake -G "Ninja" ../
RUN ninja
RUN ninja install
WORKDIR /srv/faup/src/lib/bindings/python
RUN pip3 wheel --no-cache-dir --no-dependencies -w /wheels/ .

WORKDIR /srv/
RUN rm -rf /srv/faup


FROM "${DOCKER_HUB_PROXY}python:3.11-slim-bullseye"
FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm"
ENV DEBIAN_FRONTEND noninteractive

RUN apt-get update && apt-get install -y --no-install-recommends \
Expand All @@ -74,7 +88,7 @@ FROM "${DOCKER_HUB_PROXY}python:3.11-slim-bullseye"
# Since we compile faup ourselves and lua is not required anymore, we can load our own library
# and skip the pre-compiled blob to improve compatibility with other architectures like ARM
RUN sed -i s/LoadLibrary\(LOAD_LIB\)/LoadLibrary\(\"\\/usr\\/local\\/lib\\/libfaupl.so\"\)/ \
/usr/local/lib/python3.11/site-packages/pyfaup/__init__.py
/usr/local/lib/python3.12/site-packages/pyfaup/__init__.py

# Disable (all) warnings raised when using 'future'
RUN sed -i '/import sys/a import warnings\nwarnings.warn = lambda *args, **kwargs: None' \
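Review bot: The new `pipenv lock` / `pipenv requirements > requirements.txt` sequence in the python-build stage (hunk `@@ -16,46 +16,60 @@`) resolves every `"*"` dependency at build time, so each build can produce a different package set and nothing records what was actually wheeled; `pip3 install pipenv` is likewise unpinned. Committing the generated lock or a hashed requirements file and building from it — `pipenv requirements --hash > requirements.txt` followed by `pip3 wheel --require-hashes -r requirements.txt --no-cache-dir -w /wheels/` — makes the wheel set reproducible and checked against recorded hashes. The five consecutive `RUN sed -i … Pipfile` lines would also read better as one `RUN` (or a heredoc) so the Pipfile edit is a single cacheable step. I cannot see where `/srv/misp-modules` is now cloned on the new side; if that step lives in the unchanged lines above the hunk, the `${MODULES_COMMIT}` / `${MODULES_TAG}` checkout should be kept so the source does not float as well.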