From fb3c799f75742c89dfd9bb6784a027c63a55faf2 Mon Sep 17 00:00:00 2001
From: Yifeng Xiao
Date: Fri, 21 Dec 2018 16:39:58 +0800
Subject: [PATCH] Dockerize ova-webserver
Run ova-webserver in a container with non-root user. Drop unused capabilities of this container to reduce risk from network attacks.
---
 installer/build/build-cache.sh | 25 +++++++++++++
 installer/build/ova-manifest.json | 5 ---
 .../fileserver/configure_fileserver.sh | 3 +-
 .../scripts/fileserver/fileserver.service | 3 +-
 .../scripts/fileserver/start_fileserver.sh | 23 ------------
 .../systemd/scripts/load-docker-images.sh | 10 ++++++
 installer/fileserver/Dockerfile | 35 +++++++++++++++++++
 7 files changed, 73 insertions(+), 31 deletions(-)
 delete mode 100755 installer/build/scripts/fileserver/start_fileserver.sh
 create mode 100644 installer/fileserver/Dockerfile
diff --git a/installer/build/build-cache.sh b/installer/build/build-cache.sh
index adb8248bbb..d5f4ca1e16 100755
--- a/installer/build/build-cache.sh
+++ b/installer/build/build-cache.sh
@@ -24,6 +24,10 @@ warrow="\033[0;00;97m=>\033[0m"
 barrow="\033[0;00;94m=>\033[0m"
 yarrow="\033[0;00;93m=>\033[0m"
 
+buildimages=(
+ "vmware/fileserver:${BUILD_OVA_REVISION},fileserver/Dockerfile,."
+)
+
 # cache docker images
 images=(
 vmware/admiral:vic_${BUILD_ADMIRAL_REVISION}
@@ -95,6 +99,26 @@ function cacheOther() {
 timecho "${warrow} saved all downloads"
 }
 
+function buildImages() {
+ timecho "${warrow} building container images"
+ mkdir -p ${CACHE}/docker/
+ for params in "${buildimages[@]}"; do
+ img=$(echo "${params}" | awk -F',' '{print $1}')
+ docker_file=$(echo "${params}" | awk -F',' '{print $2}')
+ context=$(echo "${params}" | awk -F',' '{print $3}')
+ timecho "${barrow} building ${brprpl}${img}${reset}"
+ docker build --no-cache -t ${img} -f ${docker_file} ${context}
+
+ archive="${CACHE}/docker/$(echo "${img##*/}" | tr ':' '-').tar.gz"
+ timecho "${yarrow} saving ${brprpl}${archive##*/}${reset}"
+ docker save "$img" | gzip > "$archive"
+
+ timecho "${warrow} ${img} details \n$(docker images --digests -f "dangling=false" --format "tag: {{.Tag}}, digest: {{.Digest}}, age: {{.CreatedSince}}" $(echo ${img} | cut -d ':' -f1))\n"
+ done
+
+ timecho "${warrow} built all images"
+}
+
 function usage() {
 timecho "Usage: $0 -c cache-directory" 1>&2
 exit 1
@@ -124,3 +148,4 @@ fi
 
 cacheImages
 cacheOther
+buildImages
diff --git a/installer/build/ova-manifest.json b/installer/build/ova-manifest.json
index 41cf0fa9e8..be2acad17d 100644
--- a/installer/build/ova-manifest.json
+++ b/installer/build/ova-manifest.json
@@ -158,11 +158,6 @@
 "source": "scripts/fileserver/configure_fileserver.sh",
 "destination": "/etc/vmware/fileserver/configure_fileserver.sh"
 },
- {
- "type": "file",
- "source": "scripts/fileserver/start_fileserver.sh",
- "destination": "/etc/vmware/fileserver/start_fileserver.sh"
- },
 {
 "type": "file",
 "source": "scripts/verify.py",
diff --git a/installer/build/scripts/fileserver/configure_fileserver.sh b/installer/build/scripts/fileserver/configure_fileserver.sh
index 315e8ad7fa..7775714166 100755
--- a/installer/build/scripts/fileserver/configure_fileserver.sh
+++ b/installer/build/scripts/fileserver/configure_fileserver.sh
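Review bot: In buildImages the result of `docker build` is never checked, so a failed build falls through to `docker save` of whatever `vmware/fileserver:<tag>` already exists locally (or to an error from save) and the run still ends with `built all images`; add `|| exit 1` (or `return 1` if the top level checks status — the script header with any `set -e` is outside this hunk) to `docker build --no-cache -t "${img}" -f "${docker_file}" "${context}"`. That same line, `mkdir -p ${CACHE}/docker/` and the `$(echo ${img} | cut -d ':' -f1)` argument leave their expansions unquoted; quote them as `docker save "$img"` already does. Splitting the comma tuple with three `awk` pipelines per image can be a single builtin, `IFS=',' read -r img docker_file context <<<"${params}"`.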
@@ -14,6 +14,5 @@
 # limitations under the License.
 set -uf -o pipefail
 
-mkdir -p "/opt/vmware/fileserver/ca_download"
-
 iptables -w -A INPUT -j ACCEPT -p tcp --dport "${FILESERVER_PORT}"
+echo "Finished fileserver config"
\ No newline at end of file
diff --git a/installer/build/scripts/fileserver/fileserver.service b/installer/build/scripts/fileserver/fileserver.service
index 04bac42471..c4b4e74407 100644
--- a/installer/build/scripts/fileserver/fileserver.service
+++ b/installer/build/scripts/fileserver/fileserver.service
@@ -11,7 +11,8 @@ RestartSec=15
 EnvironmentFile=/etc/vmware/environment
 ExecStartPre=-/usr/bin/systemctl stop landing_server.service
 ExecStartPre=/usr/bin/bash /etc/vmware/fileserver/configure_fileserver.sh
-ExecStart=/etc/vmware/fileserver/start_fileserver.sh
+ExecStart=/usr/bin/docker run --cap-drop ALL --cap-add NET_BIND_SERVICE --rm --name fileserver -v /opt/vmware/fileserver:/opt/vmware/fileserver -v /storage/data/certs:/certs:ro -p 80:80 -p ${FILESERVER_PORT}:9443 vmware/fileserver:ova
+ExecStop=/usr/bin/docker stop fileserver
 
 [Install]
 WantedBy=vic-appliance.target
diff --git a/installer/build/scripts/fileserver/start_fileserver.sh b/installer/build/scripts/fileserver/start_fileserver.sh
deleted file mode 100755
index df6717130b..0000000000
--- a/installer/build/scripts/fileserver/start_fileserver.sh
+++ /dev/null
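Review bot: The new ExecStart runs ova-webserver as uid 10000 (`USER vic` in the image) but bind-mounts `/storage/data/certs` and `/opt/vmware/fileserver` from the host, so `server.key` must be readable by that uid and the data directory writable by it or the process fails at start; nothing in this commit adjusts ownership or modes, and configure_fileserver.sh now drops its `mkdir -p`, which leaves docker to create a missing bind-mount source as root-owned. A stale container named `fileserver` (an unclean stop where `--rm` never ran) makes the next `docker run` fail on the name conflict, which matters under this unit's restart loop; `ExecStartPre=-/usr/bin/docker rm -f fileserver` before the run avoids it. `-p 80:80` publishes port 80 on every host interface while the image entrypoint only passes `--addr ":${TLS_PORT}"`; if the binary does not also serve on 80 the mapping should go. Published ports are typically DNAT'd and accepted in Docker's FORWARD rules rather than INPUT, so the `iptables -A INPUT` rule in configure_fileserver.sh is probably no longer what gates this traffic — worth confirming and documenting in the unit.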
@@ -1,23 +0,0 @@
-#!/usr/bin/bash
-# Copyright 2017 VMware, Inc. All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-set -euf -o pipefail
-
-cert_dir="/storage/data/certs"
-cert="${cert_dir}/server.crt"
-key="${cert_dir}/server.key"
-
-# Start file server with certificate cause we'll generate self-signed certificates if it's not customized by user
-/usr/local/bin/ova-webserver --addr ":${FILESERVER_PORT}" --cert "${cert}" --key "${key}"
-
diff --git a/installer/build/scripts/systemd/scripts/load-docker-images.sh b/installer/build/scripts/systemd/scripts/load-docker-images.sh
index b2ce1787ab..f907f49d12 100755
--- a/installer/build/scripts/systemd/scripts/load-docker-images.sh
+++ b/installer/build/scripts/systemd/scripts/load-docker-images.sh
@@ -43,6 +43,16 @@ if [[ ! -f /etc/vmware/firstboot ]]; then
 echo "admiral=${ADMIRAL_IMAGE} ${ADMIRAL_IMAGE_ID}" >> /storage/data/version
 echo "admiral=${ADMIRAL_IMAGE} ${ADMIRAL_IMAGE_ID}" >> /etc/vmware/version
 
+ echo "Loading file server"
+ # tag fileserver as :ova
+ FILESERVER_IMAGE="vmware/fileserver:${BUILD_OVA_REVISION}"
+ docker tag "$FILESERVER_IMAGE" vmware/fileserver:ova
+ FILESERVER_IMAGE_ID=$(docker images vmware/fileserver:ova -q)
+
+ # Write version files
+ echo "fileserver=${FILESERVER_IMAGE} ${FILESERVER_IMAGE_ID}" >> /storage/data/version
+ echo "fileserver=${FILESERVER_IMAGE} ${FILESERVER_IMAGE_ID}" >> /etc/vmware/version
+
 echo "Loading vic-machine-server"
 # tag vic-machine-server as :ova
 VIC_MACHINE_SERVER_IMAGE="gcr.io/eminent-nation-87317/vic-machine-server:${BUILD_VIC_MACHINE_SERVER_REVISION}"
diff --git a/installer/fileserver/Dockerfile b/installer/fileserver/Dockerfile
new file mode 100644
index 0000000000..40fe8ce9ca
--- /dev/null
+++ b/installer/fileserver/Dockerfile
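Review bot: `docker tag "$FILESERVER_IMAGE" vmware/fileserver:ova` and the `docker images -q` that follows are unchecked, so if the fileserver archive was never loaded the script still appends `fileserver=vmware/fileserver:<rev> ` with an empty image ID to both version files and the failure only surfaces later when the unit's `docker run` cannot find `vmware/fileserver:ova`. Unless the script runs under `set -e` (its header is outside this hunk), add `|| exit 1` to the tag line and guard the recorded ID with `[[ -n "${FILESERVER_IMAGE_ID}" ]] || exit 1`. As a point of style, this block is a line-for-line copy of the admiral block above it and the vic-machine-server block below; a small helper taking the image reference and the `:ova` alias and writing both version lines would keep the three in step.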
@@ -0,0 +1,35 @@
+# Building:
+# from installer directory
+# make ova-webserver
+# docker build --no-cache -t vmware/fileserver:ova -f fileserver/Dockerfile .
+
+FROM photon:2.0
+
+RUN set -eux; \
+ tdnf distro-sync --refresh -y; \
+ tdnf install shadow -y; \
+ tdnf info installed; \
+ tdnf clean all
+
+# Default location for TLS - Specify `-v /host/cert/path:/certs` to use defaults
+# Override by providing a volume and values for `-e TLS_CERTIFICATE` and `-e TLS_PRIVATE_KEY`
+ENV TLS_CERTIFICATE=/certs/server.crt
+ENV TLS_PRIVATE_KEY=/certs/server.key
+ENV PORT 80
+ENV TLS_PORT 9443
+
+EXPOSE $PORT
+EXPOSE $TLS_PORT
+
+COPY bin/ova-webserver /usr/local/bin/
+
+RUN setcap cap_net_bind_service=+ep /usr/local/bin/ova-webserver
+
+# Create a VIC user to run the application.
+RUN groupadd -g 10000 vic && \
+ useradd -u 10000 -g vic -s /sbin/nologin -c "VIC user" vic
+
+# Change to the VIC user.
+USER vic
+
+ENTRYPOINT /usr/local/bin/ova-webserver --addr ":${TLS_PORT}" --cert "${TLS_CERTIFICATE}" --key "${TLS_PRIVATE_KEY}"
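Review bot: The shell-form `ENTRYPOINT` on the last line starts ova-webserver as a child of `/bin/sh -c`, so the SIGTERM that `docker stop fileserver` in fileserver.service sends goes to sh and the server is only killed after the stop timeout; prefix it with `exec` — `ENTRYPOINT exec /usr/local/bin/ova-webserver --addr ":${TLS_PORT}" --cert "${TLS_CERTIFICATE}" --key "${TLS_PRIVATE_KEY}"` — so the binary is PID 1 and receives the signal directly. `FROM photon:2.0` is a mutable tag, and with `docker build --no-cache` in build-cache.sh each build takes whatever that tag currently resolves to; pin it, `FROM photon:2.0@sha256:<digest-placeholder>`, so the image ID recorded in the version file corresponds to a reproducible input. `ENV PORT 80` and `EXPOSE $PORT` advertise a port the entrypoint never passes to the binary, and `setcap cap_net_bind_service=+ep` (together with `--cap-add NET_BIND_SERVICE` in the unit) is only needed if it actually binds 80; if ova-webserver serves plain HTTP on 80 by default, a comment saying so would help, otherwise both the port and the setcap can be dropped.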