Upgrade to debian trixie (#333)

Author: ostefano

README.md

@@ -56,7 +56,7 @@ docker compose version
 
 ### Run
 
-- `docker compose pull` if you want to use pre-built images or `docker compose build` if you want to build your own (see the `Troubleshooting` section in case of errors)
+- `docker compose pull` if you want to use pre-built images or `docker compose build` if you want to build your own (see the [Troubleshooting](#troubleshooting) section in case of errors)
 - `docker compose up`
   - Add `-d` to run the services in the background
 - Login to `https://localhost`
@@ -238,6 +238,58 @@ For Okta, create a new application integration:
 - If you need to automatically run additional steps each time the container starts, create a new file `files/customize_misp.sh`, and replace the variable `${CUSTOM_PATH}` inside `docker-compose.yml` with its parent path.
 - If you are interested in running streamlined versions of the images (fewer dependencies, easier approval from compliance), you might want to use the `latest-slim` tag. Just adjust the `docker-compose.yml` file, and run again `docker compose pull` and `docker compose up`.
 
+### Build Options
+
+This project supports multiple build methods to suit different needs.
+
+#### Using Docker Compose (Standard Method)
+
+For most users, the standard Docker Compose build is recommended:
+```bash
+docker compose build
+```
+
+#### Using Docker Buildx Bake (Advanced)
+
+Docker Buildx bake provides advanced build capabilities including multi-platform builds and parallel building of multiple targets. This method uses the `docker-bake.hcl` configuration file.
+
+**Prerequisites:**
+- Docker Buildx plugin installed and enabled
+- `template.env` file in the project root
+
+**Build full-featured images:**
+```bash
+export NAMESPACE=local
+export COMMIT_HASH=`git rev-parse --short HEAD`
+sed -e '/^[[:space:]]*$/d' -e '/[#@]/d' -e 's/\"//g' -e 's/\(^[^=]*\)=\(.*\)/\1="\2"/' template.env > env.hcl
+docker buildx bake -f docker-bake.hcl -f env.hcl --provenance false debian
+```
+
+This builds `misp-core`, `misp-modules`, and `misp-guard` with all features included.
+
+**Build slim images:**
+```bash
+export NAMESPACE=local
+export COMMIT_HASH=`git rev-parse --short HEAD`
+sed -e '/^[[:space:]]*$/d' -e '/[#@]/d' -e 's/\"//g' -e 's/\(^[^=]*\)=\(.*\)/\1="\2"/' template.env > env.hcl
+docker buildx bake -f docker-bake.hcl -f env.hcl --provenance false debian-slim
+```
+
+This builds lightweight versions of `misp-core-slim`, `misp-modules-slim`, and `misp-guard` with reduced dependencies.
+
+**Available bake targets:**
+- `standard` - Full-featured images (misp-core, misp-modules, misp-guard)
+- `slim` - Lightweight images (misp-core-slim, misp-modules-slim, misp-guard)
+- `default` - Builds all variants (both standard and slim)
+
+**Note:** The (GNU) `sed` command converts `template.env` to `env.hcl` format by removing empty lines, comments, and properly formatting variables for the bake file (on OSX you should install `gsed`).
+
+**After building with buildx bake:**
+
+You can still use Docker Compose to run the services:
+```bash
+docker compose up
+```
 #### Using slow disks as volume mounts
 
 Using a slow disk as the mounted volume or a volume with high latency like NFS, EFS or S3 might significantly increase the startup time and downgrade the performance of the service. To address this we will mount the bare minimum that needs to be persisted.

core/Dockerfile

@@ -1,7 +1,7 @@
 ARG DOCKER_HUB_PROXY=""
 
 
-FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm" AS php-base
+FROM "${DOCKER_HUB_PROXY}python:3.12-slim-trixie" AS php-base
     ENV DEBIAN_FRONTEND=noninteractive
 
     # Uncomment when building in corporate environments
@@ -25,29 +25,29 @@ FROM php-base AS composer-build
     RUN <<-EOF
         if [ "${CORE_FLAVOR}" = "lite" ]; then
             apt-get install -y --no-install-recommends \
-                php8.2 \
-                php8.2-curl \
-                php8.2-xml \
-                php8.2-mysql \
-                php8.2-redis \
-                php8.2-gd \
-                php8.2-fpm \
-                php8.2-zip \
+                php8.4 \
+                php8.4-curl \
+                php8.4-xml \
+                php8.4-mysql \
+                php8.4-redis \
+                php8.4-gd \
+                php8.4-fpm \
+                php8.4-zip \
                 unzip
         else
             apt-get install -y --no-install-recommends \
-                php8.2 \
-                php8.2-apcu \
-                php8.2-curl \
-                php8.2-xml \
-                php8.2-intl \
-                php8.2-bcmath \
-                php8.2-mbstring \
-                php8.2-mysql \
-                php8.2-redis \
-                php8.2-gd \
-                php8.2-fpm \
-                php8.2-zip \
+                php8.4 \
+                php8.4-apcu \
+                php8.4-curl \
+                php8.4-xml \
+                php8.4-intl \
+                php8.4-bcmath \
+                php8.4-mbstring \
+                php8.4-mysql \
+                php8.4-redis \
+                php8.4-gd \
+                php8.4-fpm \
+                php8.4-zip \
                 unzip
         fi
         apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
@@ -86,19 +86,19 @@ FROM php-base AS php-build
                 g++ \
                 git \
                 make \
-                php8.2 \
-                php8.2-dev \
-                php8.2-xml \
+                php8.4 \
+                php8.4-dev \
+                php8.4-xml \
                 php-pear
         else
             apt-get install -y --no-install-recommends \
                 gcc \
                 g++ \
                 git \
                 make \
-                php8.2 \
-                php8.2-dev \
-                php8.2-xml \
+                php8.4 \
+                php8.4-dev \
+                php8.4-xml \
                 php-pear \
                 libbrotli-dev \
                 libfuzzy-dev \
@@ -109,9 +109,9 @@ FROM php-base AS php-build
         apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
 EOF
 
-    RUN update-alternatives --set php /usr/bin/php8.2
-    RUN update-alternatives --set php-config /usr/bin/php-config8.2
-    RUN update-alternatives --set phpize /usr/bin/phpize8.2
+    RUN update-alternatives --set php /usr/bin/php8.4
+    RUN update-alternatives --set php-config /usr/bin/php-config8.4
+    RUN update-alternatives --set phpize /usr/bin/phpize8.4
 
     RUN <<-EOF
         pecl channel-update pecl.php.net
@@ -236,15 +236,15 @@ FROM php-base
                 mariadb-client \
                 rsync \
                 rsyslog \
-                php8.2 \
-                php8.2-curl \
-                php8.2-xml \
-                php8.2-mbstring \
-                php8.2-mysql \
-                php8.2-redis \
-                php8.2-gd \
-                php8.2-fpm \
-                php8.2-zip \
+                php8.4 \
+                php8.4-curl \
+                php8.4-xml \
+                php8.4-mbstring \
+                php8.4-mysql \
+                php8.4-redis \
+                php8.4-gd \
+                php8.4-fpm \
+                php8.4-zip \
                 unzip \
                 zip \
                 curl \
@@ -262,24 +262,24 @@ FROM php-base
                 mariadb-client \
                 rsync \
                 rsyslog \
-                php8.2 \
-                php8.2-apcu \
-                php8.2-curl \
-                php8.2-xml \
-                php8.2-intl \
-                php8.2-bcmath \
-                php8.2-mbstring \
-                php8.2-mysql \
-                php8.2-redis \
-                php8.2-gd \
-                php8.2-fpm \
-                php8.2-zip \
-                php8.2-ldap \
+                php8.4 \
+                php8.4-apcu \
+                php8.4-curl \
+                php8.4-xml \
+                php8.4-intl \
+                php8.4-bcmath \
+                php8.4-mbstring \
+                php8.4-mysql \
+                php8.4-redis \
+                php8.4-gd \
+                php8.4-fpm \
+                php8.4-zip \
+                php8.4-ldap \
                 libmagic1 \
                 libldap-common \
                 librdkafka1 \
                 libbrotli1 \
-                libsimdjson14 \
+                libsimdjson25 \
                 libzstd1 \
                 ssdeep \
                 libfuzzy2 \
@@ -294,7 +294,7 @@ EOF
 
     # Remove some defaults (kernel logging) and fix alternatives
     RUN sed -i '/imklog/s/^/#/' /etc/rsyslog.conf
-    RUN update-alternatives --set php /usr/bin/php8.2
+    RUN update-alternatives --set php /usr/bin/php8.4
 
     # Install python modules
     COPY --from=python-build /wheels /wheels

core/files/configure_misp.sh

@@ -577,6 +577,16 @@ create_default_scheduled_tasks() {
         ON DUPLICATE KEY UPDATE user_id=$CRON_USER_ID;" | ${MYSQL_CMD}
 }
 
+print_version() {
+    VERSION_FILE="/var/www/MISP/VERSION.json"
+    if [[ -f "$VERSION_FILE" ]]; then
+        VERSION=$(jq -r '"\(.major).\(.minor).\(.hotfix)"' ${VERSION_FILE})
+    else
+        VERSION="unknown"
+    fi
+    echo "MISP | Version: ${VERSION}"
+}
+
 echo "MISP | Update CA certificates ..." && update_ca_certificates
 
 echo "MISP | Apply minimum configuration directives ..." && init_minimum_config
@@ -615,5 +625,5 @@ echo "MISP | Set Up Proxy ..." && set_up_proxy
 
 echo "MISP | Create default Scheduled Tasks ..." && create_default_scheduled_tasks
 
-echo "MISP | Mark instance live"
+echo "MISP | Mark instance live" && print_version
 sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1

core/files/entrypoint.sh

@@ -17,6 +17,10 @@ export MYSQL_TLS=${MYSQL_TLS:-false}
 export MYSQL_TLS_CA=${MYSQL_TLS_CA}
 export MYSQL_TLS_CERT=${MYSQL_TLS_CERT}
 export MYSQL_TLS_KEY=${MYSQL_TLS_KEY}
+if [[ "${MYSQL_TLS}" != true ]]; then
+  MYSQL_CMD+=" --skip-ssl"
+  export MYSQL_CMD
+fi
 export REDIS_HOST=${REDIS_HOST:-redis}
 export REDIS_PORT=${REDIS_PORT:-6379}
 export ENABLE_REDIS_EMPTY_PASSWORD=${ENABLE_REDIS_EMPTY_PASSWORD:-false}

core/files/entrypoint_fpm.sh

@@ -93,7 +93,7 @@ fi
 echo "Configure PHP | Change PHP values ..." && change_php_vars
 
 echo "Configure PHP | Starting PHP FPM"
-/usr/sbin/php-fpm8.2 -R -F & master_pid=$!
+/usr/sbin/php-fpm8.4 -R -F & master_pid=$!
 
 # Wait for it
 wait "$master_pid"

core/files/etc/nginx/includes/misp

@@ -22,7 +22,7 @@ location / {
 
 location ~ ^/[^/]+\.php(/|$) {
     include snippets/fastcgi-php.conf;
-    fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+    fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
     fastcgi_read_timeout 300s;
     fastcgi_send_timeout 300s;
     fastcgi_connect_timeout 300s;

core/files/etc/nginx/sites-available/misp443

@@ -1,6 +1,7 @@
 server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
 
     # disable access logs
     access_log off;

core/files/kubernetes/entrypoint_fpm.sh

@@ -34,4 +34,4 @@ echo "Configure PHP | Change PHP values ..." && change_php_vars
 
 echo "Configure PHP | Starting PHP FPM"
 
-exec /usr/bin/tini -- /usr/sbin/php-fpm8.2 -R -F
+exec /usr/bin/tini -- /usr/sbin/php-fpm8.4 -R -F

docker-bake.hcl

@@ -2,6 +2,10 @@ variable "PLATFORMS" {
   default = ["linux/amd64", "linux/arm64"]
 }
 
+variable "DOCKER_HUB_PROXY" {
+  default = ""
+}
+
 variable "PYPI_REDIS_VERSION" {
   default = ""
 }
@@ -100,6 +104,21 @@ group "default" {
   ]
 }
 
+group "slim" {
+  targets = [
+    "misp-modules-slim",
+    "misp-core-slim",
+    "misp-guard",
+  ]
+}
+group "standard" {
+  targets = [
+    "misp-modules",
+    "misp-core",
+    "misp-guard",
+  ]
+}
+
 target "misp-modules" {
   context = "modules/."
   dockerfile = "Dockerfile"
@@ -108,20 +127,20 @@ target "misp-modules" {
     "MODULES_TAG": "${MODULES_TAG}",
     "MODULES_COMMIT": "${MODULES_COMMIT}",
     "MODULES_FLAVOR": "full",
+    "DOCKER_HUB_PROXY" : "${DOCKER_HUB_PROXY}",
   }
   platforms = "${PLATFORMS}"
 }
 
 target "misp-modules-slim" {
-  context = "modules/."
-  dockerfile = "Dockerfile"
+  inherits = [ "misp-modules" ]
   tags = flatten(["${NAMESPACE}/misp-modules:latest-slim", "${NAMESPACE}/misp-modules:${COMMIT_HASH}-slim", MODULES_TAG != "" ? ["${NAMESPACE}/misp-modules:${MODULES_TAG}-slim"] : []])
   args = {
     "MODULES_TAG": "${MODULES_TAG}",
     "MODULES_COMMIT": "${MODULES_COMMIT}",
     "MODULES_FLAVOR": "lite",
+    "DOCKER_HUB_PROXY" : "${DOCKER_HUB_PROXY}",
   }
-  platforms = "${PLATFORMS}"
 }
 
 target "misp-core" {
@@ -146,13 +165,12 @@ target "misp-core" {
     "PYPI_TAXII2_CLIENT": "${PYPI_TAXII2_CLIENT}",
     "PYPI_SETUPTOOLS_VERSION": "${PYPI_SETUPTOOLS_VERSION}",
     "PYPI_SUPERVISOR_VERSION": "${PYPI_SUPERVISOR_VERSION}",
+    "DOCKER_HUB_PROXY" : "${DOCKER_HUB_PROXY}",
   }
-  platforms = "${PLATFORMS}"
 }
 
 target "misp-core-slim" {
-  context = "core/."
-  dockerfile = "Dockerfile"
+  inherits = [ "misp-core" ]
   tags = flatten(["${NAMESPACE}/misp-core:latest-slim", "${NAMESPACE}/misp-core:${COMMIT_HASH}-slim", CORE_TAG != "" ? ["${NAMESPACE}/misp-core:${CORE_TAG}-slim"] : []])
   args = {
     "CORE_TAG": "${CORE_TAG}",
@@ -172,8 +190,8 @@ target "misp-core-slim" {
     "PYPI_TAXII2_CLIENT": "${PYPI_TAXII2_CLIENT}",
     "PYPI_SETUPTOOLS_VERSION": "${PYPI_SETUPTOOLS_VERSION}",
     "PYPI_SUPERVISOR_VERSION": "${PYPI_SUPERVISOR_VERSION}",
+    "DOCKER_HUB_PROXY" : "${DOCKER_HUB_PROXY}",
   }
-  platforms = "${PLATFORMS}"
 }
 
 target "misp-guard" {
@@ -183,6 +201,7 @@ target "misp-guard" {
   args = {
     "GUARD_TAG": "${GUARD_TAG}",
     "GUARD_COMMIT": "${GUARD_COMMIT}"
+    "DOCKER_HUB_PROXY" : "${DOCKER_HUB_PROXY}",
   }
   platforms = "${PLATFORMS}"
 }