-
Notifications
You must be signed in to change notification settings - Fork 87
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1129 from grogsaxle/flatcar-arm64
Flatcar support
- Loading branch information
Showing
2 changed files
with
322 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,146 @@ | ||
# This Dockerfile aims to make building Hubble v4 packages easier. | ||
# Starting with version 4 building osquery is removed from individual Dockerfiles to its own. | ||
# osquery needs to be built once. Resulting tar file can be used in hubblev4 Dockerfiles. | ||
# Before building hubble, build osquery using a Dockerfile in pkg/osquery/ directory. | ||
# To build this image: 1. copy previously built osquery_4hubble.x86_64.tar to directory with this Dockerfile | ||
# 2. docker build -t <image_name> --build-arg HUBBLE_CHECKOUT=<tag or commit> --build-arg HUBBLE_VERSION=<Hubble Version> . | ||
# The resulting image is ready to build and run pyinstaller on container start that should | ||
# create hubble<version>-debian.tar.gz in the /data directory inside the container. | ||
# Mount /data volume into a directory on the host to access the package. | ||
# To run the container: docker run -it --rm -v `pwd`:/data <image_name> | ||
|
||
FROM debian:9 | ||
|
||
RUN apt-get update \ | ||
&& apt-get -y upgrade \ | ||
&& apt-get clean \ | ||
&& rm -rf /var/cache/apt | ||
|
||
# paths that hubble or hubble parts need in the package | ||
RUN mkdir -p /etc/hubble/hubble.d /opt/hubble /opt/osquery /var/log/hubble_osquery/backuplogs | ||
|
||
# install packages that should be needed for ligbit2 compilation and successful pyinstaller run | ||
RUN apt-get update \ | ||
&& apt-get -y install git curl \ | ||
python-dev libffi-dev libssl-dev libyaml-dev libssh2-1 libssh2-1-dev autoconf automake libtool \ | ||
libxml2-dev libxslt1-dev python-cffi zlib1g-dev python-setuptools \ | ||
cmake gcc wget python-pip openssl \ | ||
&& apt-get clean \ | ||
&& rm -rf /var/cache/apt | ||
|
||
# libcurl install start | ||
# install libcurl to avoid depending on host version | ||
# requires autoconf libtool libssh2-devel zlib-devel autoconf | ||
ENV LIBCURL_SRC_URL=https://github.com/curl/curl.git | ||
ENV LIBCURL_SRC_VERSION=curl-7_64_1 | ||
ENV LIBCURL_TEMP=/tmp/libcurl | ||
ENV PATH=/opt/hubble/bin/:/opt/hubble/include:/opt/hubble/lib:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin | ||
RUN mkdir -p "$LIBCURL_TEMP" \ | ||
&& cd "$LIBCURL_TEMP" \ | ||
&& git clone "$LIBCURL_SRC_URL" \ | ||
&& cd curl \ | ||
&& git checkout "$LIBCURL_SRC_VERSION" \ | ||
&& ./buildconf \ | ||
&& ./configure --prefix=/opt/hubble --disable-ldap --without-nss --disable-manual --disable-gopher --disable-smtp --disable-smb --disable-imap --disable-pop3 --disable-tftp --disable-telnet --disable-dict --disable-ldaps --disable-ldap --disable-rtsp --with-libssh2 \ | ||
&& make \ | ||
&& make install \ | ||
&& rm -rf "$LIBCURL_TEMP" | ||
|
||
# git install start | ||
# install git so that git package won't be a package dependency | ||
# requires make git libcurl-devel autoconf zlib-devel gcc | ||
ENV GIT_SRC_URL=https://github.com/git/git.git | ||
ENV GIT_SRC_VERSION=v2.21.0 | ||
ENV GITTEMP=/tmp/gittemp | ||
RUN mkdir -p "$GITTEMP" \ | ||
&& cd "$GITTEMP" \ | ||
&& git clone "$GIT_SRC_URL" \ | ||
&& cd git \ | ||
&& git checkout "$GIT_SRC_VERSION" \ | ||
&& make configure \ | ||
&& ./configure --prefix=/opt/hubble --with-tcltk=no --with-expat=no --with-python=no --with-curl=/opt/hubble \ | ||
&& echo "NO_TCLTK=YesPlease" >> config.mak.autogen \ | ||
&& echo "NO_PERL=YesPlease" >> config.mak.autogen \ | ||
&& sed -i '0,/^NO_GETTEXT/s/^NO_GETTEXT.*/NO_GETTEXT=YesPlease/' config.mak.autogen \ | ||
&& make \ | ||
&& make install \ | ||
&& rm -rf "$GITTEMP" | ||
|
||
# clean up of /opt/hubble | ||
RUN rm /opt/hubble/bin/curl* \ | ||
&& rm -rf /opt/hubble/include /opt/hubble/share | ||
|
||
# libgit2 install start | ||
# must precede pyinstaller requirements | ||
ENV LIBGIT2_SRC_VERSION=1.1.0 | ||
ENV LIBGIT2_SRC_URL=https://github.com/libgit2/libgit2/archive/v${LIBGIT2_SRC_VERSION}.tar.gz | ||
# it turns out github provided release files can change. so even though the | ||
# code hopefully hasn't changed, the hash has. | ||
ENV LIBGIT2_SRC_SHA256=41a6d5d740fd608674c7db8685685f45535323e73e784062cf000a633d420d1e | ||
ENV LIBGIT2TEMP=/tmp/libgit2temp | ||
RUN mkdir -p "$LIBGIT2TEMP" \ | ||
&& cd "$LIBGIT2TEMP" \ | ||
&& wget -q "$LIBGIT2_SRC_URL" -O libgit2.tar.gz \ | ||
&& echo "$LIBGIT2_SRC_SHA256 libgit2.tar.gz" | sha256sum -c - \ | ||
&& tar xzf libgit2.tar.gz \ | ||
&& cd libgit2-"$LIBGIT2_SRC_VERSION"/ \ | ||
&& export LIBGIT2=/usr/local/ \ | ||
&& cmake . -DCMAKE_INSTALL_PREFIX=$LIBGIT2 \ | ||
&& make \ | ||
&& make install \ | ||
&& rm -rf "$LIBGIT2TEMP" | ||
|
||
# fpm package making requirements start | ||
RUN apt-get install -y ruby ruby-dev rubygems gcc make \ | ||
&& gem install --no-ri --no-rdoc ffi --version 1.12.2 \ | ||
&& gem install --no-ri --no-rdoc fpm \ | ||
&& apt-get clean \ | ||
&& rm -rf /var/cache/apt | ||
|
||
RUN apt-get install -y libbz2-dev libsqlite3-dev \ | ||
&& apt-get clean \ | ||
&& rm -rf /var/cache/apt | ||
|
||
# use pyenv | ||
ARG PYENV_VERSION=3.7.9 | ||
ENV PYENV_INSTALLER_URL=https://raw.githubusercontent.com/pyenv/pyenv-installer/master/bin/pyenv-installer | ||
ENV PYENV_ROOT=/opt/hubble/pyenv | ||
ENV PATH=$PYENV_ROOT/bin:$PATH | ||
ENV PYTHON_CONFIGURE_OPTS="--enable-shared" | ||
RUN umask 022 \ | ||
&& curl -s -S -L "$PYENV_INSTALLER_URL" -o /usr/bin/pyenv-installer \ | ||
&& chmod 0755 /usr/bin/pyenv-installer \ | ||
&& /usr/bin/pyenv-installer \ | ||
&& eval "$(pyenv init --path)" \ | ||
&& pyenv install $PYENV_VERSION \ | ||
&& pyenv global $PYENV_VERSION | ||
|
||
RUN eval "$(pyenv init --path)" \ | ||
&& pip -v install --upgrade pip | ||
|
||
# pyinstaller start | ||
# commands specified for ENTRYPOINT and CMD are executed when the container is run, not when the image is built | ||
# use the following variables to choose the version of hubble | ||
ARG HUBBLE_CHECKOUT=v4.5.0 | ||
ARG HUBBLE_VERSION=4.5.0 | ||
ARG HUBBLE_GIT_URL=https://github.com/hubblestack/hubble.git | ||
ENV HUBBLE_ITERATION=1 | ||
ENV HUBBLE_URL=https://github.com/hubblestack/hubble | ||
ENV HUBBLE_SRC_PATH=/hubble_src | ||
ENV _HOOK_DIR="./pkg/" | ||
ENV _BINARY_LOG_LEVEL="INFO" | ||
ENV _INCLUDE_PATH="" | ||
ENV LD_LIBRARY_PATH=/opt/hubble/lib:/lib:/lib64:/usr/lib:/usr/lib64:/usr/local/lib:/usr/local/lib64 | ||
ENV HUBBLE_CHECKOUT=$HUBBLE_CHECKOUT | ||
ENV HUBBLE_VERSION=$HUBBLE_VERSION | ||
ENV HUBBLE_GIT_URL=$HUBBLE_GIT_URL | ||
|
||
# leaving this blank will cause the entrypoint to look for either osquery_4hubble.tar | ||
# or osquery_4_hubble.$(uname -m).tar | ||
ARG OSQUERY_TAR_FILENAME= | ||
ENV OSQUERY_TAR_FILENAME=$OSQUERY_TAR_FILENAME | ||
|
||
VOLUME /data | ||
WORKDIR /hubble_build | ||
COPY entrypoint.sh /entrypoint.sh | ||
ENTRYPOINT [ "/bin/bash", "/entrypoint.sh" ] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,176 @@ | ||
#!/bin/bash | ||
#Moving hubble source code logic in the shell script | ||
|
||
# if ENTRYPOINT is given a CMD other than nothing | ||
# abort here and do that other CMD | ||
if [ $# -gt 0 ] | ||
then exec "$@" | ||
fi | ||
|
||
set -x -e | ||
if [ ! -d "${HUBBLE_SRC_PATH}" ] | ||
then git clone "${HUBBLE_GIT_URL}" "${HUBBLE_SRC_PATH}" | ||
fi | ||
|
||
if [ -n "$OSQUERY_TAR_FILENAME" ] | ||
then OSQUERY_TAR_FILENAMES=( /data/$OSQUERY_TAR_FILENAME ) | ||
else OSQUERY_TAR_FILENAMES=( /data/osquery_4hubble.$(uname -m).tar /data/osquery_4hubble.tar ) | ||
fi | ||
|
||
if [ ! -d /opt/osquery ] | ||
then mkdir -vp /opt/osquery | ||
fi | ||
|
||
for filename in "${OSQUERY_TAR_FILENAMES[@]}"; do | ||
if [ -e "$filename" ]; then | ||
# tar -C /opt/osquery -xvvf "$filename" | ||
tar -C / -xvvf "$filename" | ||
break | ||
fi | ||
done | ||
|
||
ls -l /opt/osquery/bin | ||
|
||
ln -s /opt/osquery/bin/osqueryd /opt/osquery/osqueryi | ||
ln -s /opt/osquery/bin/osqueryd /opt/osquery/osqueryd | ||
|
||
if [ ! -L /opt/osquery/osqueryi ] | ||
then echo please provide a working osquery tarfile; exit 1 | ||
else /opt/osquery/osqueryi --version | ||
fi | ||
|
||
cd "${HUBBLE_SRC_PATH}" | ||
git checkout "${HUBBLE_CHECKOUT}" | ||
|
||
HUBBLE_VERSION="$( sed -e 's/^v//' -e 's/[_-]rc/rc/g' <<< "$HUBBLE_VERSION" )" | ||
|
||
cp -rf "${HUBBLE_SRC_PATH}"/* /hubble_build | ||
rm -rf /hubble_build/.git | ||
|
||
cp /hubble_build/hubblestack/__init__.py /hubble_build/hubblestack/__init__.orig | ||
sed -i -e "s/BRANCH_NOT_SET/${HUBBLE_CHECKOUT}/g" -e "s/COMMIT_NOT_SET/$(cd ${HUBBLE_SRC_PATH}; git describe --long --always --tags)/g" /hubble_build/hubblestack/__init__.py | ||
cp /hubble_build/hubblestack/__init__.py /hubble_build/hubblestack/__init__.fixed | ||
|
||
sed -i -e "s/'.*'/'$HUBBLE_VERSION'/g" /hubble_build/hubblestack/version.py | ||
|
||
eval "$(pyenv init --path)" | ||
|
||
# from now on, exit on error (rather than && every little thing) | ||
PS4=$'-------------=: ' | ||
|
||
# possibly replace the version file | ||
if [ -f /data/hubble_buildinfo ]; then | ||
echo >> /hubble_build/hubblestack/__init__.py | ||
cat /data/hubble_buildinfo >> /hubble_build/hubblestack/__init__.py | ||
fi 2>/dev/null | ||
|
||
cat > /data/pre_packaged_certificates.py << EOF | ||
ca_crt = list() | ||
public_crt = list() | ||
EOF | ||
do_pkg_crts=0 | ||
if [ -f /data/certs/ca-root.crt ]; then | ||
echo "ca_crt.append('''$(< /data/certs/ca-root.crt)''')" \ | ||
>> /data/pre_packaged_certificates.py | ||
do_pkg_crts=$(( do_pkg_crts + 1 )) | ||
for item in /data/certs/int*.crt; do | ||
if [ -f "$item" ] | ||
then echo "ca_crt.append('''$(< "$item")''')" \ | ||
>> /data/pre_packaged_certificates.py | ||
do_pkg_crts=$(( do_pkg_crts + 1 )) | ||
fi | ||
done | ||
fi | ||
for item in /data/certs/{pub,sign}*.crt; do | ||
if [ -f "$item" ] | ||
then echo "public_crt.append('''$(< "$item")''')" \ | ||
>> /data/pre_packaged_certificates.py | ||
do_pkg_crts=$(( do_pkg_crts + 1 )) | ||
fi | ||
done | ||
if [ $do_pkg_crts -gt 0 ] | ||
then cp /data/pre_packaged_certificates.py /hubble_build/hubblestack | ||
fi | ||
|
||
cd /hubble_build | ||
|
||
# we may have preinstalled requirements that may need upgrading | ||
# pip install . might not upgrade/downgrade the requirements | ||
pip install wheel | ||
python setup.py egg_info | ||
pip install --upgrade \ | ||
-r hubblestack.egg-info/requires.txt \ | ||
-r optional-requirements.txt \ | ||
-r package-requirements.txt | ||
pip freeze > /data/requirements.txt | ||
|
||
[ -f ${_HOOK_DIR:-./pkg}/hook-hubblestack.py ] || exit 1 | ||
|
||
rm -rf build dist /opt/hubble/hubble-libs /hubble_build/hubble.spec | ||
export LD_LIBRARY_PATH=$(pyenv prefix)/lib:/opt/hubble/lib:/opt/hubble-libs | ||
export LD_RUN_PATH=$LD_LIBRARY_PATH | ||
pyinstaller --onedir --noconfirm --log-level ${_BINARY_LOG_LEVEL:-INFO} \ | ||
--additional-hooks-dir ${_HOOK_DIR:-./pkg} \ | ||
--runtime-hook pkg/runtime-hooks.py \ | ||
./hubble.py 2>&1 | tee /tmp/pyinstaller.log | ||
|
||
cp -pr dist/hubble /opt/hubble/hubble-libs | ||
|
||
cat > /opt/hubble/hubble << EOF | ||
#!/bin/bash | ||
exec /opt/hubble/hubble-libs/hubble "\$@" | ||
exit 1 | ||
EOF | ||
chmod 0755 /opt/hubble/hubble | ||
|
||
[ -d /data/last-build.4 ] && rm -rf /data/last-build.4 | ||
[ -d /data/last-build.3 ] && mv -v /data/last-build.3 /data/last-build.4 | ||
[ -d /data/last-build.2 ] && mv -v /data/last-build.2 /data/last-build.3 | ||
[ -d /data/last-build.1 ] && mv -v /data/last-build.1 /data/last-build.2 | ||
cp -va build/ /data/last-build.1 | ||
mv /tmp/pyinstaller.log /data/last-build.1 | ||
cp -va /entrypoint.sh /data/last-build.1 | ||
|
||
mkdir -p /var/log/hubble_osquery/backuplogs | ||
|
||
mkdir -p /etc/systemd/system | ||
mkdir -p /etc/profile.d | ||
mkdir -p /etc/hubble/hubble.d | ||
|
||
cp -v /hubble_build/pkg/hubble.service /etc/hubble/hubble-example.service | ||
cp -v /hubble_build/conf/hubble-profile.sh /etc/profile.d/ | ||
cp -v /hubble_build/conf/hubble-d-conf /etc/hubble/hubble.d | ||
|
||
if [ -f /data/hubble ] | ||
then cp -v /data/hubble /etc/hubble/ | ||
else cp -v /hubble_build/conf/hubble /etc/hubble/ | ||
fi | ||
|
||
if [ "X$NO_TAR" = X1 ]; then | ||
echo "exiting (as requested by NO_TAR=$NO_TAR) without pre-tar-ing package" | ||
exit 0 | ||
fi 2>/dev/null | ||
|
||
# also bring in anything from a /data/opt/ directory so we can bundle other executables if needed | ||
if [ -d /data/opt ] | ||
then cp -r /data/opt/* /opt | ||
fi | ||
|
||
PACKAGE_NAME_ARCH="${ARCH:-$(uname -m)}" | ||
|
||
# edit to change iteration number, if necessary | ||
PKG_BASE_NAME=hubblestack-${HUBBLE_VERSION}-${HUBBLE_ITERATION} | ||
PKG_OUT_EXT=$PACKAGE_NAME_ARCH.tar.gz | ||
PKG_FIN_EXT=flatcar.$PKG_OUT_EXT | ||
PKG_FNAME=$PKG_BASE_NAME.$PKG_FIN_EXT | ||
PKG_FILE="/data/$PKG_FNAME" | ||
|
||
tar -cSPvvzf "$PKG_FILE" \ | ||
--exclude opt/hubble/pyenv \ | ||
/etc/hubble /opt/hubble /opt/osquery \ | ||
/etc/profile.d/hubble-profile.sh \ | ||
/var/log/hubble_osquery/backuplogs \ | ||
/etc/hubble/hubble-example.service \ | ||
2>&1 | tee /hubble_build/deb-pkg-start-tar.log | ||
|
||
openssl dgst -sha256 "$PKG_FILE" > "$PKG_FILE".sha256 |