diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ad06f7cf3eba1dc7a9e6a0f7c140296ef5e5b222
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,171 @@
+image: docker:stable
+services:
+ - docker:dind
+
+stages:
+ - build
+ - static_tests
+ - dynamic_tests
+ - deployment
+
+build:
+ stage: build
+ before_script:
+ - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
+ - apk update
+ - apk add git
+ - chmod +x ./get-modified-image.sh
+ - ./get-modified-image.sh
+ - export MODIFIED_IMAGE_FULL=$(./get-modified-image.sh)
+ - export MODIFIED_IMAGE=$(echo $MODIFIED_IMAGE_FULL | cut -d ':' -f1)
+ - echo -e "Building container $MODIFIED_IMAGE"
+ script:
+ - docker build -f $MODIFIED_IMAGE/Dockerfile $MODIFIED_IMAGE -t $REGISTRY/ci-builds/$CI_COMMIT_SHA
+ - docker push $REGISTRY/ci-builds/$CI_COMMIT_SHA
+ after_script:
+ - docker logout $REGISTRY
+ tags: [build]
+ only:
+ changes:
+ - pica-etherpad/*
+ - pica-dokuwiki/*
+
+clair:
+ stage: static_tests
+ before_script:
+ - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
+ - docker pull $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest
+ - apk update
+ - apk add git
+ - chmod +x get-modified-image.sh
+ - export MODIFIED_IMAGE_FULL=$(./get-modified-image.sh)
+ - export MODIFIED_IMAGE=$(echo $MODIFIED_IMAGE_FULL | cut -d ':' -f1)
+ - echo -e "Performing static analysis for container $MODIFIED_IMAGE"
+ script:
+ - docker run -d --name db arminc/clair-db:latest
+ - docker run -p 6060:6060 -d --link db:postgres --name clair --restart on-failure arminc/clair-local-scan:v2.0.6
+ - wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
+ - mv clair-scanner_linux_amd64 clair-scanner
+ - chmod +x clair-scanner
+ - echo "Waiting for Clair daemon to start"wget
+ - while( ! 
wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done
+ - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r clair-report.json -l clair.log -w $MODIFIED_IMAGE/clair-whitelist.yml --threshold="High" $REGISTRY/ci-builds/$CI_COMMIT_SHA
+ artifacts:
+ paths:
+ - clair-report.json
+ - clair.log
+ after_script:
+ - docker logout $REGISTRY
+ tags: [build]
+ only:
+ changes:
+ - pica-etherpad/*
+ - pica-dokuwiki/*
+ allow_failure: false
+
+docker-bench-security:
+ stage: dynamic_tests
+ before_script:
+ - apk update
+ - apk add wget py-pip git iproute2
+ - pip install docker-compose
+ - chmod +x get-modified-image.sh
+ - export MODIFIED_IMAGE_FULL=$(./get-modified-image.sh)
+ - export MODIFIED_IMAGE=$(echo $MODIFIED_IMAGE_FULL | cut -d ':' -f1)
+ - sed -i -e "s/$MODIFIED_IMAGE_FULL/$REGISTRY\/ci-builds\/$CI_COMMIT_SHA:latest/g" $MODIFIED_IMAGE/docker-compose.yml
+ - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
+ - docker pull $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest
+ script:
+ - if [[ -d $MODIFIED_IMAGE/secrets ]]; then for i in $MODIFIED_IMAGE/secrets/* ; do cp $i $(echo $i| cut -d '.' 
-f1,2); done; fi;
+ - cd $MODIFIED_IMAGE
+ - docker-compose up -d
+ - git clone https://github.com/docker/docker-bench-security.git
+ - cd docker-bench-security
+ - sh docker-bench-security.sh -c container_images,container_runtime,docker_security_operations -e check_5_12,check_4_1 -l ../../report.txt
+ artifacts:
+ paths:
+ - report.txt
+ after_script:
+ - docker logout $REGISTRY
+ tags: [build]
+ only:
+ changes:
+ - pica-etherpad/*
+ - pica-dokuwiki/*
+
+deployment-test:
+ stage: deployment
+ before_script:
+ - apk update
+ - apk add wget py-pip git iproute2
+ - pip install docker-compose
+ - chmod +x get-modified-image.sh
+ - export MODIFIED_IMAGE_FULL=$(./get-modified-image.sh)
+ - export MODIFIED_IMAGE=$(echo $MODIFIED_IMAGE_FULL | cut -d ':' -f1)
+ - export CURRENT_CONTAINER_ID=$(docker container ls -a | grep pica-dokuwiki| cut -d ' ' -f1)
+ - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
+ - docker pull $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest
+ - docker tag $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest $REGISTRY/$MODIFIED_IMAGE_FULL
+ - docker push $REGISTRY/$MODIFIED_IMAGE_FULL
+ - export DOCKER_HOST=tcp://pica01-test.picasoft.net:2376
+ - export DOCKER_TLS_VERIFY=1
+ - export DOCKER_CERT_PATH=/tmp/certs
+ - mkdir -p $DOCKER_CERT_PATH
+ - echo "$DEV_DOCKER_CA_CERT" > $DOCKER_CERT_PATH/ca.pem
+ - echo "$DEV_DOCKER_CLIENT_CERT" > $DOCKER_CERT_PATH/cert.pem
+ - echo "$DEV_DOCKER_CLIENT_KEY" > $DOCKER_CERT_PATH/key.pem
+ script:
+ - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
+ - docker pull $REGISTRY/$MODIFIED_IMAGE_FULL
+ - docker tag $REGISTRY/$MODIFIED_IMAGE_FULL $MODIFIED_IMAGE_FULL
+ - cd /docker
+ - echo $(cat docker-compose.yml | grep $MODIFIED_IMAGE -B1 | head -n1 | cut -d ':' -f1)
+ - docker-compose up -d --force-recreate --remove-orphans $(cat docker-compose.yml | grep $MODIFIED_IMAGE -B1 | head -n1 | cut -d ':' -f1)
+ after_script:
+ - rm -rf $DOCKER_CERT_PATH
+ - 
docker logout $REGISTRY
+ tags: [build]
+ only:
+ changes:
+ - pica-etherpad/*
+ - pica-dokuwiki/*
+
+.deployment-prod:
+ stage: deployment
+ before_script:
+ - apk update
+ - apk add wget py-pip git iproute2
+ - pip install docker-compose
+ - chmod +x get-modified-image.sh
+ - export MODIFIED_IMAGE_FULL=$(./get-modified-image.sh)
+ - export MODIFIED_IMAGE=$(echo $MODIFIED_IMAGE_FULL | cut -d ':' -f1)
+ - export CURRENT_CONTAINER_ID=$(docker container ls -a | grep pica-dokuwiki| cut -d ' ' -f1)
+ - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
+ - docker pull $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest
+ - docker logout $REGISTRY
+ - echo $REGISTRY_PROD_PASSWORD | docker login $REGISTRY_PROD -u $REGISTRY_PROD_USERNAME --password-stdin
+ - docker tag $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest $REGISTRY_PROD/$MODIFIED_IMAGE_FULL
+ - docker push $REGISTRY_PROD/$MODIFIED_IMAGE_FULL
+ - docker logout $REGISTRY_PROD
+ - export REMOTE_HOSTNAME=pica01
+ - export DOCKER_HOST=tcp://$REMOTE_HOSTNAME.picasoft.net:2376
+ - export DOCKER_TLS_VERIFY=1
+ - export DOCKER_CERT_PATH=/tmp/certs
+ - mkdir -p $DOCKER_CERT_PATH
+ - echo "$PROD_DOCKER_CA_CERT" > $DOCKER_CERT_PATH/ca.pem
+ - echo "$PROD_DOCKER_CLIENT_CERT" > $DOCKER_CERT_PATH/cert.pem
+ - echo "$PROD_DOCKER_CLIENT_KEY" > $DOCKER_CERT_PATH/key.pem
+ script:
+ - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin
+ - docker pull $REGISTRY/$MODIFIED_IMAGE_FULL
+ - docker logout $REGISTRY
+ - cd pica-etherpad
+ - docker-compose up -d --force-recreate --remove-orphans $(cat docker-compose.yml | grep $MODIFIED_IMAGE -B1 | head -n1 | cut -d ':' -f1)
+ after_script:
+ - rm -rf $DOCKER_CERT_PATH
+ tags: [build]
+ only:
+ changes:
+ - pica-etherpad/*
+ when: manual
+
diff --git a/get-modified-image.sh b/get-modified-image.sh
new file mode 100644
index 0000000000000000000000000000000000000000..0fe55f193debdd56cae5653b52ae2910c90c5db7
--- /dev/null
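Review bot: The `clair` job fetches `clair-scanner_linux_amd64` from a GitHub release with a plain `wget`, marks it executable and runs it inside a job that is logged in to `$REGISTRY`, with no integrity check on the binary; pin the expected digest and verify it before the `chmod +x`, e.g. `- echo "<SHA256_OF_CLAIR_SCANNER_V8_PLACEHOLDER>  clair-scanner_linux_amd64" | sha256sum -c -`, and likewise pin `docker-bench-security` to a tag or commit instead of cloning its default branch into a job that holds the Docker socket. In `deployment-test` and `.deployment-prod`, `rm -rf $DOCKER_CERT_PATH` lives in `after_script`, which GitLab runs in a separate shell where variables exported from `before_script` are not visible, so the expansion is empty and `key.pem` is left behind; use the literal path or declare `DOCKER_CERT_PATH` under `variables:` so every section sees it. The client key is also written with the default umask; a `chmod 600 $DOCKER_CERT_PATH/key.pem` right after the `echo` keeps it from being world-readable for the rest of the job. Minor: `echo "Waiting for Clair daemon to start"wget` has a stray `wget` glued to the string literal.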
+++ b/get-modified-image.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# retrieve the name of the image that was modified in the latest commit
+# this script should become obsolete as soon as a proper way of getting the modified files is added to Gitlab CI
+
+RES=""
+for i in $(git diff-tree --no-commit-id --name-only $CI_COMMIT_SHA)
+do
+ case "$i" in
+ *pica*) RES=$i ;;
+ esac
+done
+if [[ "$i" == "" ]]
+then
+ exit 1
+fi
+RES=$(cat $RES/docker-compose.yml | grep image: | head -n1 | cut -d ':' -f2-)
+echo $RES
\ No newline at end of file
diff --git a/pica-dokuwiki/Dockerfile b/pica-dokuwiki/Dockerfile
index d8e10dd718c5b1bd3f7c89ffeab741d35010c880..c37d0a95439716a96c06883eb454f29397fb0335 100644
--- a/pica-dokuwiki/Dockerfile
+++ b/pica-dokuwiki/Dockerfile
@@ -1,8 +1,8 @@
 FROM nginx
 LABEL maintainer="antoine@barbare.me"
-COPY --chown=www-data nginx.conf /etc/nginx/nginx.conf
-COPY --chown=www-data run.sh /
+COPY --chown=www-data nginx.conf /etc/nginx/nginx.conf
+COPY --chown=www-data run.sh /
 WORKDIR /var/www
 RUN apt-get update -y && \
diff --git a/pica-dokuwiki/clair-whitelist.yml b/pica-dokuwiki/clair-whitelist.yml
new file mode 100644
index 0000000000000000000000000000000000000000..987c831ef64473a8b259544368755b81967389ec
--- /dev/null
+++ b/pica-dokuwiki/clair-whitelist.yml
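Review bot: The empty-result guard `if [[ "$i" == "" ]]` tests the loop variable instead of `RES`, so when the commit touched no `pica*` directory `$i` still holds the last changed path, the guard never fires and the script goes on to `cat /docker-compose.yml`; it should read `if [ -z "$RES" ]; then exit 1; fi`, which is also POSIX and therefore valid under the `#!/bin/sh` shebang (`[[` is a bash/ksh extension, and whether the runner's sh provides it depends on how it was built). When several `pica*` directories change in one commit only the last one listed wins, silently, so the pipeline builds and scans one image and skips the others; a comment stating that assumption, or an `exit 1` when more than one directory matches, would make the limitation visible to the next maintainer. `$CI_COMMIT_SHA` and `$RES` should also be quoted in the `git diff-tree` and `cat` invocations.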
@@ -0,0 +1,18 @@
+generalwhitelist:
+ CVE-2018-6954: systemd -> Pas de contre mesure
+ CVE-2018-15686: systemd -> Pas de contre mesure
+ CVE-2017-16997: glibc -> Pas de contre mesure
+ CVE-2018-6551: glibc -> La contre mesure est dans des paquets plus anciens et il est dangereux d'installer une version fixe, ou dans sid -> Pas de conter mesure pour stretch
+ CVE-2018-1000001: glibc -> Pas de contre-mesure
+ CVE-2017-18269: glibc -> La contre mesure est dans des paquets plus anciens et il est dangereux d'installer une version fixe, ou dans sid -> Pas de conter mesure pour stretch
+ CVE-2019-9169: glibc -> Pas de contre-mesure
+ CVE-2017-15670: glibc -> Pas de contre-mesure
+ CVE-2017-15804: glibc -> Pas de contre-mesure
+ CVE-2017-1000408: glibc -> Pas de contre mesure
+ CVE-2018-6485: glibc -> Pas de contre mesure
+ CVE-2017-9120: php7.0 -> Il n'y a pas de paquet PHP version 7 non vulnérable -> Pas de contre mesure
+ CVE-2017-8923: php7.0 -> Pas de contre mesure
+ CVE-2018-1000654: libtasn1-6 -> Pas de contre-mesure
+ CVE-2017-12424: shadow -> Pas de contre-mesure
+ CVE-2016-2779: util-linux -> Pas de contre-mesure
+ CVE-2017-14062: libidn11 -> dépendance directe de wget et indirecte de curl, un des 2 est nécessaire pour le HEALTHCHECK et le téléchargement de Dokuwiki -> Pas de contre-mesure
\ No newline at end of file
diff --git a/pica-dokuwiki/docker-compose.yml b/pica-dokuwiki/docker-compose.yml
index 02ef29cb444a63ee6670409fd1aaaba4ccc1d908..e8ffa7b8672ce5304bd065d0c96950289786db3c 100644
--- a/pica-dokuwiki/docker-compose.yml
+++ b/pica-dokuwiki/docker-compose.yml
@@ -1,13 +1,13 @@
 version : "2.4"
 services:
- wiki:
- container_name: wiki
+ dokuwiki-app:
 image: pica-dokuwiki:2018.05
+ container_name: dokuwiki-app
 volumes:
 - /DATA/docker/wiki/html:/var/www/html
 security_opt:
 - no-new-privileges
- mem_limit: 2048m
+ mem_limit: "2048m"
 cpus: "0.20"
 pids_limit: 1024
 labels:
@@ -15,4 +15,3 @@ services:
 - "traefik.port=80"
 - "traefik.enable=true"
 restart: always
-
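Review bot: Every entry in this whitelist records why the finding is accepted but not when, or against which base image, the assessment was made, so an entry justified by `Pas de contre mesure` keeps suppressing the CVE after Debian stretch ships a fix or after the base image is bumped; a header comment such as `# Assessed against the stretch-based nginx image on <DATE_PLACEHOLDER>; re-check every entry when the base image changes` gives the file a review trigger (the same applies to pica-etherpad/clair-whitelist.yml). Because `.gitlab-ci.yml` passes this file to clair-scanner together with `--threshold="High"`, findings below that severity presumably never reach the gate, so the list's actual reach is narrower than the CVE count suggests — worth stating in the same comment. Minor: `conter mesure` appears twice for `contre mesure`, and the file lacks a trailing newline.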
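Review bot: The deployment jobs in `.gitlab-ci.yml` find the compose service to recreate with `grep $MODIFIED_IMAGE -B1 | head -n1 | cut -d ':' -f1`, which only yields `dokuwiki-app` while `image:` is the first key under the service, as it is here; that appears to be why `container_name` moved below `image:` in this hunk, and nothing in the file says so. A comment above `dokuwiki-app:` such as `# keep image: as the first key — .gitlab-ci.yml derives the service name from the line above it` would stop a later key reorder from silently breaking deploys; pica-etherpad/docker-compose.yml relies on the same layout. Quoting `mem_limit: "2048m"` is harmless but changes nothing, since `2048m` was already parsed as a plain string.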
diff --git a/pica-dokuwiki/entrypoint.sh b/pica-dokuwiki/entrypoint.sh
new file mode 100755
index 0000000000000000000000000000000000000000..1dbb845066d19d296d41360ee8e375bb50bd0c44
--- /dev/null
+++ b/pica-dokuwiki/entrypoint.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -e
+chmod +x /run.sh
+/run.sh
diff --git a/pica-etherpad/Dockerfile b/pica-etherpad/Dockerfile
index b0c4383019bc1713b8f060fabbe396c4b4cf78a2..20e77dfcb17ca813a6495473506fe7e6198987cb 100644
--- a/pica-etherpad/Dockerfile
+++ b/pica-etherpad/Dockerfile
@@ -15,8 +15,8 @@ ENV NODE_ENV=${NODE_ENV_BUILD}
 FROM base as downloader
 RUN apt-get update && \
 apt-get install -y \
- curl \
 git \
+ curl \
 gzip \
 libssl-dev \
 pkg-config \
diff --git a/pica-etherpad/clair-whitelist.yml b/pica-etherpad/clair-whitelist.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a9ef1655750a09236c7ee2506147e24c899c5239
--- /dev/null
+++ b/pica-etherpad/clair-whitelist.yml
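Review bot: `/run.sh` is started as a child of the bash entrypoint, so if this script is the container's PID 1 it is bash, not the service, that receives the stop signal, and bash does not forward it; ending the file with `exec /run.sh` hands the process over explicitly and `set -e` still covers the `chmod` before it. The `chmod +x /run.sh` at container start also requires a writable root filesystem, which rules out running the service with `read_only: true`; setting the mode at build time in pica-dokuwiki/Dockerfile (a `RUN chmod +x /run.sh` after the `COPY --chown=www-data run.sh /` line shown in this commit) removes the runtime write and the `chmod` line here. Whether the Dockerfile already references entrypoint.sh is not visible in this diff.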
@@ -0,0 +1,23 @@
+generalwhitelist:
+ CVE-2017-14062: libidn11 -> pas de contre mesure disponible pour stretch
+ CVE-2019-3823: curl -> non affecté, le paquet qui contient la contre mesure est installé à la place de celui qui est vulnérable cf logs
+ CVE-2019-3822: curl -> idem
+ CVE-2018-1000654: libtasn1-6 -> Pas de contre mesure disponible
+ CVE-2016-9841: zlib -> le paquet qui corrige le problème n'est pas backporté -> Pas de contre mesure
+ CVE-2016-2774: isc-dhcp -> Le paquet qui corrige le problème n'est pas backporté, et DHCP n'est probablement même pas utilisé par le conteneur -> Pas de contre mesure
+ CVE-2016-9843: zlib -> le paquet qui corrige le problème n'est pas backporté -> Pas de contre mesure
+ CVE-2016-2779: util-linux -> Vulnérabilité Linux
+ CVE-2017-10788: libdbd-mysql-perl -> Bug qui semble nécessiter que la base de données soit accessible par le réseau ce qui n'est pas le cas -> Non affecté
+ CVE-2018-6485: glibc -> Pas de contre mesure
+ CVE-2017-16997: glibc -> Pas de contre mesure
+ CVE-2017-18269: glibc -> Pas de contre mesure
+ CVE-2017-15670: glibc -> Pas de contre mesure
+ CVE-2018-6551: glibc -> Pas de contre mesure
+ CVE-2018-1000001: glibc -> Pas de contre mesure
+ CVE-2017-1000408: glibc -> Pas de contre mesure
+ CVE-2017-15804: glibc -> Pas de contre mesure
+ CVE-2019-9169: glibc -> Pas de contre mesure
+ CVE-2017-12424: shadow -> Pas de contre mesure
+ CVE-2018-6954: systemd -> Pas de contre mesure
+ CVE-2018-15686: systemd -> Pas de contre mesure
+ CVE-2018-6797: Perl est une dépendance du client mysql et la version non vulnérable dans stretch n'a pas été backportée -> Pas de contre-mesure
\ No newline at end of file
diff --git a/pica-etherpad/docker-compose.yml b/pica-etherpad/docker-compose.yml
index c15970b359e66f76916f9b85d2678eda4cd9932b..fa5b85f0a19203721574caed3a4a028da747b89d 100755
--- a/pica-etherpad/docker-compose.yml
+++ b/pica-etherpad/docker-compose.yml
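Review bot: `CVE-2018-6797` is the only entry without the `package -> reason` prefix the rest of the file uses, and `CVE-2019-3822: curl -> idem` and `CVE-2016-2779: util-linux -> Vulnérabilité Linux` carry no justification of their own — `idem` stops meaning anything once the CVE-2019-3823 line it points at is removed. Writing each reason out in full, e.g. `CVE-2018-6797: perl -> …` and `CVE-2019-3822: curl -> same as CVE-2019-3823, the fixed package is installed in place of the vulnerable one`, keeps every accepted risk self-contained and greppable. The `CVE-2016-2774: isc-dhcp` entry itself says DHCP is probably unused by the container; if that holds, dropping the package from the image is the durable fix and the whitelist line becomes unnecessary.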
@@ -22,7 +22,7 @@ services:
 container_name: etherpad-db
 security_opt:
 - no-new-privileges
- mem_limit: 2048m
+ mem_limit: "2048m"
 cpus: "0.20"
 pids_limit: 1024
 volumes: