Add dockerfile for grr #1049

Closed
wants to merge 1 commit into from
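--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -223,6 +223,50 @@ jobs:
 path: gcs_upload_dir/
 retention-days: 1
 
+build-push-docker-base-image:
+env:
+REGISTRY: ghcr.io
+IMAGE_NAME: ${{ github.repository }}
+runs-on: ubuntu-22.04
+needs:
+- build-centos
+- build-ubuntu
+- build-osx
+- build-windows
+steps:
+- name: Checkout repository
+uses: actions/checkout@v3
+- name: Download installers from GitHub artifacts
+id: download
+uses: actions/download-artifact@v4
+with:
+pattern: '*_installer*'
+path: _installers
+- name: Login to GitHub Container registry
+# if: ${{ github.event_name == 'push' }}
+uses: docker/login-action@v3
+with:
+registry: ${{ env.REGISTRY }}
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+
+- name: Extract metadata (tags, labels) for Docker
+# if: ${{ github.event_name == 'push' }}
+id: meta
+uses: docker/metadata-action@v5
+with:
+images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+- name: Build and push Docker image
+# if: ${{ github.event_name == 'push' }}
+uses: docker/build-push-action@v5
+with:
+context: .
+file: Dockerfile.base
+push: true
+tags: ${{ steps.meta.outputs.tags }}
+labels: ${{ steps.meta.outputs.labels }}
+
 test-ubuntu-e2e:
 continue-on-error: true # Debug follow up step.
 runs-on: ubuntu-22.04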
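Review bot: The three `# if: ${{ github.event_name == 'push' }}` guards in `build-push-docker-base-image` are commented out while `push: true` is set, so the job logs in to ghcr.io and publishes an image on every event that runs this workflow; the workflow's `on:` triggers are outside this hunk, so whether that includes pull requests needs checking. Restore the guard on the login, metadata and build steps, or set `push: ${{ github.event_name == 'push' }}` so other events still build but do not publish. The visible lines also declare no `permissions:` block for the job; since it pushes with `secrets.GITHUB_TOKEN`, scope it explicitly with `permissions:` / `contents: read` / `packages: write` rather than relying on the repository default. The actions are referenced by mutable tags (`docker/build-push-action@v5` and the others); pinning them to a commit SHA would make the publishing path reproducible.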
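--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -0,0 +1,62 @@
+FROM ubuntu:22.04 AS builder
+
+LABEL maintainer="[email protected]"
+
+ENV DEBIAN_FRONTEND noninteractive
+# Buffering output (sometimes indefinitely if a thread is stuck in
+# a loop) makes for a non-optimal user experience when containers
+# are run in the foreground, so we disable that.
+ENV PYTHONUNBUFFERED 0
+
+RUN apt-get update && \
+apt-get install -y \
+default-jre \
+python-is-python3 \
+python3-dev \
+python3-pip \
+python3-venv \
+python3-mysqldb \
+build-essential \
+linux-headers-generic \
+dh-make \
+rpm
+
+# Only available when building as part of Github Actions.
+COPY _installers* /client_installers
+
+ENV VIRTUAL_ENV /usr/share/grr-server
+ENV GRR_SOURCE /usr/src/grr
+
+RUN python -m venv --system-site-packages $VIRTUAL_ENV
+ENV PATH="$VIRTUAL_ENV/bin:$PATH"
+
+RUN pip install wheel nodeenv grpcio-tools==1.60
+
+RUN nodeenv -p --prebuilt --node=16.13.0
+
+RUN mkdir ${GRR_SOURCE}
+ADD . ${GRR_SOURCE}
+
+WORKDIR ${GRR_SOURCE}
+
+RUN cd grr/server/grr_response_server/gui/static && \
+npm ci && npm run gulp compile
+
+RUN python grr/proto/makefile.py && \
+python grr/core/grr_response_core/artifacts/makefile.py
+
+RUN pip install grr/proto \
+pip install grr/core \
+pip install grr/client \
+pip install grr/server \
+pip install grr/client_builder \
+pip install api_client/python
+
+RUN rm -r ${GRR_SOURCE}
+
+WORKDIR /
+
+ENTRYPOINT [ "grr_server" ]
+
+
+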
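Review bot: The final `RUN pip install grr/proto \ … pip install api_client/python` has no `&&` between the continued lines, so the shell runs a single `pip install` whose arguments include the bare words `pip` and `install`; pip will most likely treat those as requirement names and resolve them from the package index, pulling unintended third-party code into the server image. Write it as one command, `RUN pip install grr/proto grr/core grr/client grr/server grr/client_builder api_client/python`, or join the lines with `&& \`. Separately, `ADD . ${GRR_SOURCE}` followed by `RUN rm -r ${GRR_SOURCE}` in a later layer leaves the whole build context readable in the earlier layer, including `docker/.env` from this same change unless a `.dockerignore` outside this diff excludes it. Since the first stage is already named `builder`, a second stage that copies only `$VIRTUAL_ENV` would keep the source tree out of the pushed image. No `USER` is set, so `grr_server` runs as root in the container.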
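--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -0,0 +1,174 @@
+services:
+db:
+image: mysql:8.2
+env_file: docker/.env
+container_name: grr-db
+hostname: mysql-host
+command: [
+--max_allowed_packet=40M,
+--log_bin_trust_function_creators=1
+]
+restart: always
+volumes:
+- ./docker_config_files/mysql/init.sh:/docker-entrypoint-initdb.d/init.sh
+- db_data:/var/lib/mysql:rw
+ports:
+- "3306"
+expose:
+- "3306"
+networks:
+- server-network
+healthcheck:
+test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
+timeout: 5s
+retries: 10
+
+grr-admin-ui:
+build:
+dockerfile: Dockerfile.base
+context: .
+container_name: grr-admin-ui
+hostname: admin-ui
+restart: always
+depends_on:
+db:
+condition: service_healthy
+volumes:
+- ./docker_config_files/server:/configs/
+ports:
+- "8000"
+- "8080"
+expose:
+- 8080
+- 8000
+networks:
+- server-network
+tty: true
+stdin_open: true
+command:
+- -component
+- admin_ui
+- -config
+- /configs/grr.server.yaml
+- --verbose
+
+grr-fleetspeak-frontend:
+build:
+dockerfile: Dockerfile.base
+context: .
+container_name: grr-fleetspeak-frontend
+hostname: grr-fleetspeak-frontend
+depends_on:
+db:
+condition: service_healthy
+volumes:
+- ./docker_config_files/server/:/configs/
+ports:
+- "11111"
+restart: always
+stdin_open: true
+tty: true
+networks:
+- server-network
+command:
+- -component
+- frontend
+- -config
+- /configs/grr.server.yaml
+- --verbose
+
+fleetspeak-admin:
+image: ghcr.io/google/fleetspeak:master
+container_name: fleetspeak-admin
+hostname: fleetspeak-admin
+depends_on:
+db:
+condition: service_healthy
+networks:
+- server-network
+ports:
+- "4444"
+volumes:
+- ./docker_config_files/server/:/configs/
+stdin_open: true
+tty: true
+entrypoint: [
+"server",
+"-components_config",
+"/configs/admin.components.config",
+"-services_config",
+"/configs/grr_frontend.service",
+"-alsologtostderr",
+"-v",
+"1000"
+]
+
+fleetspeak-frontend:
+image: ghcr.io/google/fleetspeak:master
+container_name: fleetspeak-frontend
+hostname: fleetspeak-frontend
+depends_on:
+db:
+condition: service_healthy
+networks:
+- server-network
+ports:
+- "4443"
+volumes:
+- ./docker_config_files/server/:/configs/
+entrypoint: [
+"server",
+"-components_config",
+"/configs/frontend.components.config",
+"-services_config",
+"/configs/grr_frontend.service",
+"-alsologtostderr",
+"-v",
+"1000"
+]
+
+grr-worker:
+build:
+dockerfile: Dockerfile.base
+context: .
+container_name: grr-worker
+volumes:
+- ./docker_config_files/server/:/configs/
+hostname: grr-worker
+depends_on:
+db:
+condition: service_healthy
+restart: always
+stdin_open: true
+tty: true
+networks:
+- server-network
+command:
+- -component
+- worker
+- -config
+- /configs/grr.server.yaml
+- --verbose
+
+# linux-client:
+# build:
+# dockerfile: docker/client/Dockerfile.linux
+# container_name: grr-linux-client
+# restart: always
+# depends_on:
+# - db
+# - fleetspeak-frontend
+# volumes:
+# - installers/:/installers/
+# tty: true
+# stdin_open: true
+# networks:
+# - server-network
+# entrypoint: /entrypoint.sh
+
+volumes:
+db_data:
+installers:
+networks:
+server-network:
+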
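Review bot: The `ports:` entries publish container ports on the host's interfaces (on an ephemeral host port, since only the container port is given), and that includes `db` (`"3306"`) and `fleetspeak-admin` (`"4444"`). All services share `server-network`, so inter-service traffic does not need them; combined with the default credentials in `docker/.env` and the `0.0.0.0:4444` listener in `admin.components.config`, the database and the Fleetspeak admin API become reachable from outside the Docker host's network namespace. Drop `ports:` from `db` and `fleetspeak-admin` (the existing `expose:` already documents the port) or bind to loopback, e.g. `- "127.0.0.1:3306:3306"`. `image: ghcr.io/google/fleetspeak:master` is a moving tag; pinning a release tag or digest would make the deployment reproducible.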
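--- a/docker/.env
+++ b/docker/.env
@@ -0,0 +1,12 @@
+ADMIN_PASSWORD="admin"
+
+MYSQL_ROOT_PASSWORD='root'
+MYSQL_ROOT_HOST="%"
+
+FLEETSPEAK_DB='fleetspeak'
+FLEETSPEAK_DB_USER='fleetspeak-user'
+FLEETSPEAK_DB_PASSWORD='fleetspeak-password'
+
+GRR_DB='grr'
+GRR_DB_USER='grru'
+GRR_DB_PASSWORD='grrp'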
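Review bot: This file commits working credentials (`ADMIN_PASSWORD="admin"`, `MYSQL_ROOT_PASSWORD='root'` and the two DB user passwords) together with `MYSQL_ROOT_HOST="%"`, which lets root log in from any host rather than only from inside the database container. The Fleetspeak password is repeated verbatim in `mysql_data_source_name` in `admin.components.config` and `frontend.components.config`, so changing it here breaks those unless all three are edited. Suggest committing this as a template (e.g. `docker/.env.example`) with placeholder values, git-ignoring the real file, and adding a header comment such as `# Local development defaults only; change every password before exposing any service.`. `init.sh` also reuses `MYSQL_ROOT_HOST` as the host part of the application users, so narrowing it needs a separate variable for them.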
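--- a/docker/client/Dockerfile.linux
+++ b/docker/client/Dockerfile.linux
@@ -0,0 +1,9 @@
+FROM ubuntu:22.04
+
+LABEL maintainer="[email protected]"
+
+RUN apt-get update
+RUN apt-get install -y iputils-ping
+
+COPY ./docker/client/entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh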
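Review bot: `RUN apt-get update` and `RUN apt-get install -y iputils-ping` are separate layers, so a cached `update` layer can be reused with a stale package index and the install then fails or picks up outdated packages. Combine them: `RUN apt-get update && apt-get install -y --no-install-recommends iputils-ping && rm -rf /var/lib/apt/lists/*`. The image copies `/entrypoint.sh` but sets no `ENTRYPOINT`, relying on the (currently commented-out) compose service to supply it; a comment saying so, or `ENTRYPOINT ["/entrypoint.sh"]`, would make the image usable on its own.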
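--- a/docker/client/entrypoint.sh
+++ b/docker/client/entrypoint.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+dpkg -i /installers/*.deb
+
+./usr/bin/fleetspeak-client \
+-alsologtostderr \
+-std_forward \
+-config /configs/client.config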
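Review bot: The script has no `set -e`, so if `dpkg -i /installers/*.deb` fails (no installer mounted, or the glob matches nothing) it carries on and tries to start a client that was never installed. `./usr/bin/fleetspeak-client` is a relative path that only resolves when the working directory is `/`, and without `exec` bash stays PID 1, so the client does not receive the container's stop signal directly. Suggest `set -euo pipefail` after the shebang and `exec /usr/bin/fleetspeak-client \` for the launch line. Because the script installs as root whatever `.deb` files appear in the mounted directory, a comment stating that `/installers` must only hold artifacts from the project's own build would be worth adding.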
20 changes: 20 additions & 0 deletions docker_config_files/client/client.config
@@ -0,0 +1,20 @@
server: "fleetspeak-frontend:4443"
trusted_certs: |
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
client_label: ""
filesystem_handler: {
configuration_directory:"/configs/fleetspeak-config"
state_file:"/fleetspeak-client.state"
}
streaming:true
@@ -0,0 +1,9 @@
name: "GRR"
factory: "Daemon"
config: {
[type.googleapis.com/fleetspeak.daemonservice.Config]: {
argv: "/venv/bin/grr_client"
argv: "--config"
argv: "/configs/grr.client.yaml"
}
}
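--- a/docker_config_files/client/grr.client.yaml
+++ b/docker_config_files/client/grr.client.yaml
@@ -0,0 +1,7 @@
+Client.fleetspeak_enabled: true
+Client.foreman_check_frequency: 10 # seconds
+Logging.verbose: true
+Logging.engines: file,stderr
+Logging.path: /tmp/grr-client
+Logging.filename: /tmp/grr-client/grr-client.log
+Config.writeback: /tmp/grr-client/grr-client.local.yaml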
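Review bot: `Config.writeback`, `Logging.path` and `Logging.filename` all point under `/tmp/grr-client`, a predictable location in a world-writable directory. In a single-purpose test container that is low risk, but if this file is reused as a template on a shared host, another local user could pre-create that directory before the client does. Consider a directory owned by the client's user, and a header comment such as `# Docker test client only; not a production configuration.`. `Logging.verbose: true` is presumably meant for debugging and could be called out in the same comment.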
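--- a/docker_config_files/mysql/init.sh
+++ b/docker_config_files/mysql/init.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -ex
+
+echo "** Creating default DB for GRR and fleetspeak"
+
+mysql -u root -p$MYSQL_ROOT_PASSWORD --execute \
+"CREATE USER'$GRR_DB_USER'@'$MYSQL_ROOT_HOST' IDENTIFIED BY '$GRR_DB_PASSWORD';
+CREATE DATABASE $GRR_DB;
+GRANT ALL ON $GRR_DB.* TO '$GRR_DB_USER'@'$MYSQL_ROOT_HOST';
+CREATE USER '$FLEETSPEAK_DB_USER'@'$MYSQL_ROOT_HOST' IDENTIFIED BY '$FLEETSPEAK_DB_PASSWORD';
+CREATE DATABASE $FLEETSPEAK_DB;
+GRANT ALL ON $FLEETSPEAK_DB.* TO '$FLEETSPEAK_DB_USER'@'$MYSQL_ROOT_HOST';
+FLUSH PRIVILEGES;"
+
+echo "** Finished creating DBs and users"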
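Review bot: `set -ex` turns on xtrace, so the `mysql -u root -p$MYSQL_ROOT_PASSWORD --execute "…"` command is echoed to the container log with the root password and both `IDENTIFIED BY` passwords expanded. Use `set -eu` instead, and quote the expansion (`-p"$MYSQL_ROOT_PASSWORD"`) so a password containing spaces or shell metacharacters is passed intact. The variables are interpolated straight into the SQL text, so a value containing a quote would break or alter the statements; a comment stating that they must be simple identifiers would help. `CREATE USER'$GRR_DB_USER'` lacks the space that the Fleetspeak line has, and both users receive `GRANT ALL` from host `$MYSQL_ROOT_HOST`, which is `%` in `docker/.env`.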
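--- a/docker_config_files/server/admin.components.config
+++ b/docker_config_files/server/admin.components.config
@@ -0,0 +1,5 @@
+mysql_data_source_name: "fleetspeak-user:fleetspeak-password@tcp(mysql-host:3306)/fleetspeak"
+admin_config: <
+listen_address: "0.0.0.0:4444"
+>
+notification_use_http_notifier: true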
8 changes: 8 additions & 0 deletions docker_config_files/server/frontend.components.config
@@ -0,0 +1,8 @@
mysql_data_source_name: "fleetspeak-user:fleetspeak-password@tcp(mysql-host:3306)/fleetspeak"
https_config: <
listen_address: "fleetspeak-frontend:4443"
certificates: "-----BEGIN CERTIFICATE-----\nMIIByjCCAXCgAwIBAgIQRXLVvpuGxHhfDTlZ3drY8TAKBggqhkjOPQQDAjAjMSEw\nHwYDVQQDExhGbGVldHNwZWFrIEZsZWV0c3BlYWsgQ0EwHhcNMjMxMjE1MTQyMTQ2\nWhcNMjQxMjE0MTQyMTQ2WjAnMSUwIwYDVQQDExxGbGVldHNwZWFrIEZsZWV0c3Bl\nYWsgU2VydmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaCG+J04RBhTCTDgr\nMl+KfTLOab/vOsNix+zMzzG8C+7Sz5K3Jf/wqCRlScft3IK0wJo7PMT1+kJTWHxo\nbHFD+qOBgTB/MA4GA1UdDwEB/wQEAwIChDAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud\nDgQWBBTvdTLzfJCcEx9x6/DQo9u6JErv/jAfBgNVHSMEGDAWgBTDqQ/s7QxdkVU+\nqXUTazg4lzhDUTAcBgNVHREEFTATghFmbGVldHNwZWFrLXNlcnZlcjAKBggqhkjO\nPQQDAgNIADBFAiBtWzU2jEBrEIwt2rxfL68KfSAXb1wL1cs4NFqXj0vGUQIhAJJJ\nvh+1vmpSS1Az9yxQoZK8Upo4wJe6zg2SfokzY681\n-----END CERTIFICATE-----\n"
key: "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIGjnSoIzlA7spP1jJDXNYT9VSG0Y2FLNqEsatkPfvaOWoAoGCCqGSM49\nAwEHoUQDQgAEaCG+J04RBhTCTDgrMl+KfTLOab/vOsNix+zMzzG8C+7Sz5K3Jf/w\nqCRlScft3IK0wJo7PMT1+kJTWHxobHFD+g==\n-----END EC PRIVATE KEY-----"
>
notification_listen_address: "fleetspeak-frontend:10000"
notification_public_address: "fleetspeak-frontend:10000"
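Review bot: `https_config.key` embeds an EC private key for the Fleetspeak server certificate directly in the repository. Once merged it is public, so every deployment started from these files shares the same key, and the TLS identity of the frontend no longer proves anything to clients configured with the corresponding `trusted_certs` in `docker_config_files/client/client.config`. The certificate's encoded validity period also appears to be about one year, after which this sample setup would stop working. Suggest generating the key and certificate at setup time (a small script run before `docker compose up`) and mounting them, keeping only a placeholder here with a comment such as `# Test-only key material; generated locally, never reuse outside this compose setup.`. `mysql_data_source_name` also repeats the Fleetspeak DB password from `docker/.env`.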