Commit 8e4ddd3

authored
Upgrade to debian trixie (#333)
1 parent f1aa497 commit 8e4ddd3

12 files changed

+160
-74
lines changed


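--- a/README.md
+++ b/README.md
@@ -56,7 +56,7 @@ docker compose version
 
 ### Run
 
-- `docker compose pull` if you want to use pre-built images or `docker compose build` if you want to build your own (see the `Troubleshooting` section in case of errors)
+- `docker compose pull` if you want to use pre-built images or `docker compose build` if you want to build your own (see the [Troubleshooting](#troubleshooting) section in case of errors)
 - `docker compose up`
 - Add `-d` to run the services in the background
 - Login to `https://localhost`
@@ -238,6 +238,58 @@ For Okta, create a new application integration:
 - If you need to automatically run additional steps each time the container starts, create a new file `files/customize_misp.sh`, and replace the variable `${CUSTOM_PATH}` inside `docker-compose.yml` with its parent path.
 - If you are interested in running streamlined versions of the images (fewer dependencies, easier approval from compliance), you might want to use the `latest-slim` tag. Just adjust the `docker-compose.yml` file, and run again `docker compose pull` and `docker compose up`.
 
+### Build Options
+
+This project supports multiple build methods to suit different needs.
+
+#### Using Docker Compose (Standard Method)
+
+For most users, the standard Docker Compose build is recommended:
+```bash
+docker compose build
+```
+
+#### Using Docker Buildx Bake (Advanced)
+
+Docker Buildx bake provides advanced build capabilities including multi-platform builds and parallel building of multiple targets. This method uses the `docker-bake.hcl` configuration file.
+
+**Prerequisites:**
+- Docker Buildx plugin installed and enabled
+- `template.env` file in the project root
+
+**Build full-featured images:**
+```bash
+export NAMESPACE=local
+export COMMIT_HASH=`git rev-parse --short HEAD`
+sed -e '/^[[:space:]]*$/d' -e '/[#@]/d' -e 's/\"//g' -e 's/\(^[^=]*\)=\(.*\)/\1="\2"/' template.env > env.hcl
+docker buildx bake -f docker-bake.hcl -f env.hcl --provenance false debian
+```
+
+This builds `misp-core`, `misp-modules`, and `misp-guard` with all features included.
+
+**Build slim images:**
+```bash
+export NAMESPACE=local
+export COMMIT_HASH=`git rev-parse --short HEAD`
+sed -e '/^[[:space:]]*$/d' -e '/[#@]/d' -e 's/\"//g' -e 's/\(^[^=]*\)=\(.*\)/\1="\2"/' template.env > env.hcl
+docker buildx bake -f docker-bake.hcl -f env.hcl --provenance false debian-slim
+```
+
+This builds lightweight versions of `misp-core-slim`, `misp-modules-slim`, and `misp-guard` with reduced dependencies.
+
+**Available bake targets:**
+- `standard` - Full-featured images (misp-core, misp-modules, misp-guard)
+- `slim` - Lightweight images (misp-core-slim, misp-modules-slim, misp-guard)
+- `default` - Builds all variants (both standard and slim)
+
+**Note:** The (GNU) `sed` command converts `template.env` to `env.hcl` format by removing empty lines, comments, and properly formatting variables for the bake file (on OSX you should install `gsed`).
+
+**After building with buildx bake:**
+
+You can still use Docker Compose to run the services:
+```bash
+docker compose up
+```
 #### Using slow disks as volume mounts
 
 Using a slow disk as the mounted volume or a volume with high latency like NFS, EFS or S3 might significantly increase the startup time and downgrade the performance of the service. To address this we will mount the bare minimum that needs to be persisted.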

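--- a/core/Dockerfile
+++ b/core/Dockerfile
@@ -1,7 +1,7 @@
 ARG DOCKER_HUB_PROXY=""
 
 
-FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm" AS php-base
+FROM "${DOCKER_HUB_PROXY}python:3.12-slim-trixie" AS php-base
 ENV DEBIAN_FRONTEND=noninteractive
 
 # Uncomment when building in corporate environments
@@ -25,29 +25,29 @@ FROM php-base AS composer-build
 RUN <<-EOF
 if [ "${CORE_FLAVOR}" = "lite" ]; then
 apt-get install -y --no-install-recommends \
-php8.2 \
-php8.2-curl \
-php8.2-xml \
-php8.2-mysql \
-php8.2-redis \
-php8.2-gd \
-php8.2-fpm \
-php8.2-zip \
+php8.4 \
+php8.4-curl \
+php8.4-xml \
+php8.4-mysql \
+php8.4-redis \
+php8.4-gd \
+php8.4-fpm \
+php8.4-zip \
 unzip
 else
 apt-get install -y --no-install-recommends \
-php8.2 \
-php8.2-apcu \
-php8.2-curl \
-php8.2-xml \
-php8.2-intl \
-php8.2-bcmath \
-php8.2-mbstring \
-php8.2-mysql \
-php8.2-redis \
-php8.2-gd \
-php8.2-fpm \
-php8.2-zip \
+php8.4 \
+php8.4-apcu \
+php8.4-curl \
+php8.4-xml \
+php8.4-intl \
+php8.4-bcmath \
+php8.4-mbstring \
+php8.4-mysql \
+php8.4-redis \
+php8.4-gd \
+php8.4-fpm \
+php8.4-zip \
 unzip
 fi
 apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
@@ -86,19 +86,19 @@ FROM php-base AS php-build
 g++ \
 git \
 make \
-php8.2 \
-php8.2-dev \
-php8.2-xml \
+php8.4 \
+php8.4-dev \
+php8.4-xml \
 php-pear
 else
 apt-get install -y --no-install-recommends \
 gcc \
 g++ \
 git \
 make \
-php8.2 \
-php8.2-dev \
-php8.2-xml \
+php8.4 \
+php8.4-dev \
+php8.4-xml \
 php-pear \
 libbrotli-dev \
 libfuzzy-dev \
@@ -109,9 +109,9 @@ FROM php-base AS php-build
 apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
 EOF
 
-RUN update-alternatives --set php /usr/bin/php8.2
-RUN update-alternatives --set php-config /usr/bin/php-config8.2
-RUN update-alternatives --set phpize /usr/bin/phpize8.2
+RUN update-alternatives --set php /usr/bin/php8.4
+RUN update-alternatives --set php-config /usr/bin/php-config8.4
+RUN update-alternatives --set phpize /usr/bin/phpize8.4
 
 RUN <<-EOF
 pecl channel-update pecl.php.net
@@ -236,15 +236,15 @@ FROM php-base
 mariadb-client \
 rsync \
 rsyslog \
-php8.2 \
-php8.2-curl \
-php8.2-xml \
-php8.2-mbstring \
-php8.2-mysql \
-php8.2-redis \
-php8.2-gd \
-php8.2-fpm \
-php8.2-zip \
+php8.4 \
+php8.4-curl \
+php8.4-xml \
+php8.4-mbstring \
+php8.4-mysql \
+php8.4-redis \
+php8.4-gd \
+php8.4-fpm \
+php8.4-zip \
 unzip \
 zip \
 curl \
@@ -262,24 +262,24 @@ FROM php-base
 mariadb-client \
 rsync \
 rsyslog \
-php8.2 \
-php8.2-apcu \
-php8.2-curl \
-php8.2-xml \
-php8.2-intl \
-php8.2-bcmath \
-php8.2-mbstring \
-php8.2-mysql \
-php8.2-redis \
-php8.2-gd \
-php8.2-fpm \
-php8.2-zip \
-php8.2-ldap \
+php8.4 \
+php8.4-apcu \
+php8.4-curl \
+php8.4-xml \
+php8.4-intl \
+php8.4-bcmath \
+php8.4-mbstring \
+php8.4-mysql \
+php8.4-redis \
+php8.4-gd \
+php8.4-fpm \
+php8.4-zip \
+php8.4-ldap \
 libmagic1 \
 libldap-common \
 librdkafka1 \
 libbrotli1 \
-libsimdjson14 \
+libsimdjson25 \
 libzstd1 \
 ssdeep \
 libfuzzy2 \
@@ -294,7 +294,7 @@ EOF
 
 # Remove some defaults (kernel logging) and fix alternatives
 RUN sed -i '/imklog/s/^/#/' /etc/rsyslog.conf
-RUN update-alternatives --set php /usr/bin/php8.2
+RUN update-alternatives --set php /usr/bin/php8.4
 
 # Install python modules
 COPY --from=python-build /wheels /wheels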
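Review bot: The new base image in the first hunk, `FROM "${DOCKER_HUB_PROXY}python:3.12-slim-trixie" AS php-base`, is still a mutable tag whose registry prefix comes from a build argument, so two builds of this commit can resolve to different base layers. A distribution upgrade is a natural point to pin the tag to a digest, e.g. `python:3.12-slim-trixie@sha256:<digest>` (placeholder; use the multi-arch index digest, since the bake file builds for both `linux/amd64` and `linux/arm64`), with a comment saying how the digest is refreshed. Separately, `libsimdjson25` in the last install list is a soname-versioned package name; a one-line comment such as `# soname package: bump together with the base distribution` would flag it for the next upgrade.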

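--- a/core/files/configure_misp.sh
+++ b/core/files/configure_misp.sh
@@ -577,6 +577,16 @@ create_default_scheduled_tasks() {
 ON DUPLICATE KEY UPDATE user_id=$CRON_USER_ID;" | ${MYSQL_CMD}
 }
 
+print_version() {
+VERSION_FILE="/var/www/MISP/VERSION.json"
+if [[ -f "$VERSION_FILE" ]]; then
+VERSION=$(jq -r '"\(.major).\(.minor).\(.hotfix)"' ${VERSION_FILE})
+else
+VERSION="unknown"
+fi
+echo "MISP | Version: ${VERSION}"
+}
+
 echo "MISP | Update CA certificates ..." && update_ca_certificates
 
 echo "MISP | Apply minimum configuration directives ..." && init_minimum_config
@@ -615,5 +625,5 @@ echo "MISP | Set Up Proxy ..." && set_up_proxy
 
 echo "MISP | Create default Scheduled Tasks ..." && create_default_scheduled_tasks
 
-echo "MISP | Mark instance live"
+echo "MISP | Mark instance live" && print_version
 sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1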
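Review bot: `print_version` in the first hunk passes `${VERSION_FILE}` to `jq` unquoted and never checks jq's exit status, so a truncated or malformed `VERSION.json` logs an empty version, and a file with missing keys logs `null.null.null`, instead of `unknown`. I would write the assignment as `VERSION=$(jq -r '"\(.major).\(.minor).\(.hotfix)"' "${VERSION_FILE}" 2>/dev/null) || VERSION="unknown"`. Both `VERSION_FILE` and `VERSION` are assigned without `local`, so they become script-wide globals; adding `local VERSION_FILE VERSION` as the first line of the function keeps them contained. In the second hunk the call is chained onto the "Mark instance live" message; putting `print_version` on its own line would keep the version log independent of that echo.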

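--- a/core/files/entrypoint.sh
+++ b/core/files/entrypoint.sh
@@ -17,6 +17,10 @@ export MYSQL_TLS=${MYSQL_TLS:-false}
 export MYSQL_TLS_CA=${MYSQL_TLS_CA}
 export MYSQL_TLS_CERT=${MYSQL_TLS_CERT}
 export MYSQL_TLS_KEY=${MYSQL_TLS_KEY}
+if [[ "${MYSQL_TLS}" != true ]]; then
+MYSQL_CMD+=" --skip-ssl"
+export MYSQL_CMD
+fi
 export REDIS_HOST=${REDIS_HOST:-redis}
 export REDIS_PORT=${REDIS_PORT:-6379}
 export ENABLE_REDIS_EMPTY_PASSWORD=${ENABLE_REDIS_EMPTY_PASSWORD:-false}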
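Review bot: The added test `[[ "${MYSQL_TLS}" != true ]]` fails open: any value other than the exact lowercase string `true` (for example `True`, `TRUE` or `1`) appends `--skip-ssl`, so an operator who believes TLS is on gets an unencrypted database connection with no message in the log. `MYSQL_TLS` defaults to `false` per the hunk header line, so the default path takes this branch too. I would compare case-insensitively, `if [[ "${MYSQL_TLS,,}" != "true" ]]; then`, and log the downgrade inside the branch, `echo "MISP | WARNING: MYSQL_TLS is not 'true', database connection will not use TLS" >&2`. `MYSQL_CMD` is defined outside this hunk; confirm it is already set when the `+=` runs, otherwise the exported value is only ` --skip-ssl`.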

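--- a/core/files/entrypoint_fpm.sh
+++ b/core/files/entrypoint_fpm.sh
@@ -93,7 +93,7 @@ fi
 echo "Configure PHP | Change PHP values ..." && change_php_vars
 
 echo "Configure PHP | Starting PHP FPM"
-/usr/sbin/php-fpm8.2 -R -F & master_pid=$!
+/usr/sbin/php-fpm8.4 -R -F & master_pid=$!
 
 # Wait for it
 wait "$master_pid"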

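--- a/core/files/etc/nginx/includes/misp
+++ b/core/files/etc/nginx/includes/misp
@@ -22,7 +22,7 @@ location / {
 
 location ~ ^/[^/]+\.php(/|$) {
 include snippets/fastcgi-php.conf;
-fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
 fastcgi_read_timeout 300s;
 fastcgi_send_timeout 300s;
 fastcgi_connect_timeout 300s;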

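--- a/core/files/etc/nginx/sites-available/misp443
+++ b/core/files/etc/nginx/sites-available/misp443
@@ -1,6 +1,7 @@
 server {
-listen 443 ssl http2;
-listen [::]:443 ssl http2;
+listen 443 ssl;
+listen [::]:443 ssl;
+http2 on;
 
 # disable access logs
 access_log off;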

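--- a/core/files/kubernetes/entrypoint_fpm.sh
+++ b/core/files/kubernetes/entrypoint_fpm.sh
@@ -34,4 +34,4 @@ echo "Configure PHP | Change PHP values ..." && change_php_vars
 
 echo "Configure PHP | Starting PHP FPM"
 
-exec /usr/bin/tini -- /usr/sbin/php-fpm8.2 -R -F
+exec /usr/bin/tini -- /usr/sbin/php-fpm8.4 -R -F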

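--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -2,6 +2,10 @@ variable "PLATFORMS" {
 default = ["linux/amd64", "linux/arm64"]
 }
 
+variable "DOCKER_HUB_PROXY" {
+default = ""
+}
+
 variable "PYPI_REDIS_VERSION" {
 default = ""
 }
@@ -100,6 +104,21 @@ group "default" {
 ]
 }
 
+group "slim" {
+targets = [
+"misp-modules-slim",
+"misp-core-slim",
+"misp-guard",
+]
+}
+group "standard" {
+targets = [
+"misp-modules",
+"misp-core",
+"misp-guard",
+]
+}
+
 target "misp-modules" {
 context = "modules/."
 dockerfile = "Dockerfile"
@@ -108,20 +127,20 @@ target "misp-modules" {
 "MODULES_TAG": "${MODULES_TAG}",
 "MODULES_COMMIT": "${MODULES_COMMIT}",
 "MODULES_FLAVOR": "full",
+"DOCKER_HUB_PROXY" : "${DOCKER_HUB_PROXY}",
 }
 platforms = "${PLATFORMS}"
 }
 
 target "misp-modules-slim" {
-context = "modules/."
-dockerfile = "Dockerfile"
+inherits = [ "misp-modules" ]
 tags = flatten(["${NAMESPACE}/misp-modules:latest-slim", "${NAMESPACE}/misp-modules:${COMMIT_HASH}-slim", MODULES_TAG != "" ? ["${NAMESPACE}/misp-modules:${MODULES_TAG}-slim"] : []])
 args = {
 "MODULES_TAG": "${MODULES_TAG}",
 "MODULES_COMMIT": "${MODULES_COMMIT}",
 "MODULES_FLAVOR": "lite",
+"DOCKER_HUB_PROXY" : "${DOCKER_HUB_PROXY}",
 }
-platforms = "${PLATFORMS}"
 }
 
 target "misp-core" {
@@ -146,13 +165,12 @@ target "misp-core" {
 "PYPI_TAXII2_CLIENT": "${PYPI_TAXII2_CLIENT}",
 "PYPI_SETUPTOOLS_VERSION": "${PYPI_SETUPTOOLS_VERSION}",
 "PYPI_SUPERVISOR_VERSION": "${PYPI_SUPERVISOR_VERSION}",
+"DOCKER_HUB_PROXY" : "${DOCKER_HUB_PROXY}",
 }
-platforms = "${PLATFORMS}"
 }
 
 target "misp-core-slim" {
-context = "core/."
-dockerfile = "Dockerfile"
+inherits = [ "misp-core" ]
 tags = flatten(["${NAMESPACE}/misp-core:latest-slim", "${NAMESPACE}/misp-core:${COMMIT_HASH}-slim", CORE_TAG != "" ? ["${NAMESPACE}/misp-core:${CORE_TAG}-slim"] : []])
 args = {
 "CORE_TAG": "${CORE_TAG}",
@@ -172,8 +190,8 @@ target "misp-core-slim" {
 "PYPI_TAXII2_CLIENT": "${PYPI_TAXII2_CLIENT}",
 "PYPI_SETUPTOOLS_VERSION": "${PYPI_SETUPTOOLS_VERSION}",
 "PYPI_SUPERVISOR_VERSION": "${PYPI_SUPERVISOR_VERSION}",
+"DOCKER_HUB_PROXY" : "${DOCKER_HUB_PROXY}",
 }
-platforms = "${PLATFORMS}"
 }
 
 target "misp-guard" {
@@ -183,6 +201,7 @@ target "misp-guard" {
 args = {
 "GUARD_TAG": "${GUARD_TAG}",
 "GUARD_COMMIT": "${GUARD_COMMIT}"
+"DOCKER_HUB_PROXY" : "${DOCKER_HUB_PROXY}",
 }
 platforms = "${PLATFORMS}"
 }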
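Review bot: The `misp-core` target loses `platforms = "${PLATFORMS}"` in the `@@ -146,13 +165,12 @@` hunk while `misp-modules` and `misp-guard` keep theirs, and `misp-core-slim` now inherits from `misp-core`, so as far as these hunks show neither core image declares a platform list any more and both would build only for the builder's default platform unless platforms are supplied elsewhere. If the intent was only to drop the duplicate from the slim target, keep `platforms = "${PLATFORMS}"` on `misp-core`. The README section added in this commit also invokes bake with `debian` and `debian-slim`, whereas the groups added here are named `standard` and `slim`; unless those names exist in a part of the file not shown, the documented commands will not resolve. The `misp-core` target begins outside the hunk.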
