Merge branch 'release/3.1.2'

TheHive-Project · Nov 5, 2021 · 5259659 · 5259659
2 parents 4bb3f50 + 294790a
commit 5259659
Show file tree

Hide file tree

Showing 14 changed files with 421 additions and 284 deletions.
diff --git a/.drone.yml b/.drone.yml
@@ -36,7 +36,7 @@ steps:
         fi
         . ~/.nvm/nvm.sh
         [ -n "$PLUGIN_PGP_KEY" ] && gpg --batch --import - <<< $PLUGIN_PGP_KEY
-        sbt -Duser.home=$PWD docker:stage debian:packageBin rpm:packageBin universal:packageBin
+        sbt -Duser.home=$PWD Docker/stage Debian/packageBin Rpm/packageBin Universal/packageBin cortexWithDeps/Docker/stage
         if ( echo $V | grep -qi rc )
         then
           echo $( echo $V | sed -re 's/([0-9]+.[0-9]+.[0-9]+)-RC([0-9]+)-([0-9]+)/\1-RC\2,\1-RC\2-\3/' ) > .tags
@@ -117,6 +117,36 @@ steps:
     when:
       event: [tag]
 
+  - name: update docker tags
+    image: thehiveproject/drone-scala-node
+    commands:
+      - sed -i -e 's/,/-withdeps,/g; s/$/-withdeps/' .tags
+
+  # Publish docker image on Docker Hub
+  - name: docker fat
+    image: plugins/docker
+    settings:
+      context: target/docker-withdeps/target/docker/stage
+      dockerfile: target/docker-withdeps/target/docker/stage/Dockerfile
+      repo: thehiveproject/cortex
+      username: {from_secret: docker_username}
+      password: {from_secret: docker_password}
+    when:
+      event: [tag]
+
+  # Publish docker image on Harbor
+  - name: harbor fat
+    image: plugins/docker
+    settings:
+      context: target/docker-withdeps/target/docker/stage
+      dockerfile: target/docker-withdeps/target/docker/stage/Dockerfile
+      registry: {from_secret: harbor_registry}
+      repo: {from_secret: harbor_repo}
+      username: {from_secret: harbor_username}
+      password: {from_secret: harbor_password}
+    when:
+      event: [tag]
+
   - name: send message
     image: thehiveproject/drone_keybase
     settings:

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,16 +1,26 @@
 # Change Log
 
-## [3.1.1](https://github.com/TheHive-Project/Cortex/milestone/28) (2021-03-01)
+## [3.1.2](https://github.com/TheHive-Project/Cortex/milestone/30) (2021-11-05)
+
+**Closed issues:**
+
+- More settings on docker containers instantiated by Cortex [\#387](https://github.com/TheHive-Project/Cortex/issues/387)
 
 **Implemented enhancements:**
 
-- [Improvement] Create logfile after installation [\#341](https://github.com/TheHive-Project/Cortex/issues/341)
+- Create a docker image with all dependencies [\#388](https://github.com/TheHive-Project/Cortex/issues/388)
+
+## [3.1.1](https://github.com/TheHive-Project/Cortex/milestone/28) (2021-03-01)
 
 **Fixed bugs:**
 
 - [BUG] Certificate not taken into account when running neurons with process [\#317](https://github.com/TheHive-Project/Cortex/issues/317)
 - [Bug] Update doesn't work on Elasticsearch 7.11 [\#346](https://github.com/TheHive-Project/Cortex/issues/346)
 
+**Implemented enhancements:**
+
+- [Improvement] Create logfile after installation [\#341](https://github.com/TheHive-Project/Cortex/issues/341)
+
 ## [3.1.0](https://github.com/TheHive-Project/Cortex/milestone/27) (2020-10-30)
 
 **Implemented enhancements:**
@@ -25,14 +35,14 @@
 
 ## [3.1.0-RC1](https://github.com/TheHive-Project/Cortex/milestone/21) (2020-08-13)
 
-**Implemented enhancements:**
-
-- Support of ElasticSearch 7  [\#279](https://github.com/TheHive-Project/Cortex/issues/279)
-
 **Fixed bugs:**
 
 - OAuth2 SSO Login Broken [\#264](https://github.com/TheHive-Project/Cortex/issues/264)
 
+**Implemented enhancements:**
+
+- Support of ElasticSearch 7  [\#279](https://github.com/TheHive-Project/Cortex/issues/279)
+
 ## [3.0.1](https://github.com/TheHive-Project/Cortex/milestone/24) (2020-04-24)
 
 **Implemented enhancements:**
@@ -58,17 +68,17 @@
 
 ## [3.0.0-RC4](https://github.com/TheHive-Project/Cortex/milestone/22) (2019-07-11)
 
-**Closed issues:**
-
-- dockerhub sample uses the wrong port [\#203](https://github.com/TheHive-Project/Cortex/issues/203)
-- docker version of cortex prints a lot of errors for auth failures [\#205](https://github.com/TheHive-Project/Cortex/issues/205)
-
 **Fixed bugs:**
 
 - Login error after Cortex upgrade to 3 [\#199](https://github.com/TheHive-Project/Cortex/issues/199)
 - docker version of cortex breaks when you don't create a user immediately [\#204](https://github.com/TheHive-Project/Cortex/issues/204)
 - Responder run displayed as Analyzer run [\#207](https://github.com/TheHive-Project/Cortex/issues/207)
 
+**Closed issues:**
+
+- dockerhub sample uses the wrong port [\#203](https://github.com/TheHive-Project/Cortex/issues/203)
+- docker version of cortex prints a lot of errors for auth failures [\#205](https://github.com/TheHive-Project/Cortex/issues/205)
+
 ## [3.0.0-RC3](https://github.com/TheHive-Project/Cortex/milestone/20) (2019-06-28)
 
 **Implemented enhancements:**
@@ -108,11 +118,6 @@
 
 ## [2.1.3](https://github.com/TheHive-Project/Cortex/milestone/18) (2019-02-05)
 
-**Implemented enhancements:**
-
-- Add PAP property to jobs list [\#146](https://github.com/TheHive-Project/Cortex/issues/146)
-- Add configuration for drone continuous integration [\#156](https://github.com/TheHive-Project/Cortex/issues/156)
-
 **Closed issues:**
 
 - conf/logback.xml: Rotate logs [\#62](https://github.com/TheHive-Project/Cortex/issues/62)
@@ -126,6 +131,11 @@
 - Unable to disable invalid responders [\#157](https://github.com/TheHive-Project/Cortex/issues/157)
 - Wrong checks of role when an user is created [\#158](https://github.com/TheHive-Project/Cortex/issues/158)
 
+**Implemented enhancements:**
+
+- Add PAP property to jobs list [\#146](https://github.com/TheHive-Project/Cortex/issues/146)
+- Add configuration for drone continuous integration [\#156](https://github.com/TheHive-Project/Cortex/issues/156)
+
 ## [2.1.2](https://github.com/TheHive-Project/Cortex/milestone/17) (2018-10-12)
 
 **Fixed bugs:**
@@ -134,18 +144,18 @@
 
 ## [2.1.1](https://github.com/TheHive-Project/Cortex/milestone/16) (2018-10-12)
 
-**Implemented enhancements:**
-
-- Publish stable versions in beta package channels [\#138](https://github.com/TheHive-Project/Cortex/issues/138)
-- Allow Cortex to use a custom root context [\#140](https://github.com/TheHive-Project/Cortex/issues/140)
-- Change Debian dependencies [\#141](https://github.com/TheHive-Project/Cortex/issues/141)
-
 **Fixed bugs:**
 
 - Console output should not be logged in syslog [\#136](https://github.com/TheHive-Project/Cortex/issues/136)
 - RPM update replace configuration file [\#137](https://github.com/TheHive-Project/Cortex/issues/137)
 - Fix Cache column in analyzers admin page [\#139](https://github.com/TheHive-Project/Cortex/issues/139)
 
+**Implemented enhancements:**
+
+- Publish stable versions in beta package channels [\#138](https://github.com/TheHive-Project/Cortex/issues/138)
+- Allow Cortex to use a custom root context [\#140](https://github.com/TheHive-Project/Cortex/issues/140)
+- Change Debian dependencies [\#141](https://github.com/TheHive-Project/Cortex/issues/141)
+
 ## [2.1.0](https://github.com/TheHive-Project/Cortex/milestone/15) (2018-09-25)
 
 **Implemented enhancements:**
@@ -180,10 +190,6 @@
 
 ## [2.0.4](https://github.com/TheHive-Project/Cortex/milestone/13) (2018-04-13)
 
-**Implemented enhancements:**
-
-- Let a Read/Analyze User Display/Change their API Key [\#89](https://github.com/TheHive-Project/Cortex/issues/89)
-
 **Fixed bugs:**
 
 - Install python3 requirements for analyzers in public docker image [\#58](https://github.com/TheHive-Project/Cortex/issues/58)
@@ -194,8 +200,17 @@
 - Updating users by orgAdmin users fails silently [\#94](https://github.com/TheHive-Project/Cortex/issues/94)
 - Strictly filter the list of analyzers in the run dialog [\#95](https://github.com/TheHive-Project/Cortex/issues/95)
 
+**Implemented enhancements:**
+
+- Let a Read/Analyze User Display/Change their API Key [\#89](https://github.com/TheHive-Project/Cortex/issues/89)
+
 ## [2.0.3](https://github.com/TheHive-Project/Cortex/milestone/12) (2018-04-12)
 
+**Fixed bugs:**
+
+- Version Upgrade of Analyzer makes all Analyzers invisible for TheHive (Cortex2) [\#75](https://github.com/TheHive-Project/Cortex/issues/75)
+- Refresh Analyzers button not working [\#83](https://github.com/TheHive-Project/Cortex/issues/83)
+
 **Implemented enhancements:**
 
 - Allow configuring auto artifacts extraction per analyzer [\#80](https://github.com/TheHive-Project/Cortex/issues/80)
@@ -204,11 +219,6 @@
 - Allow specifying a cache period per analyzer [\#85](https://github.com/TheHive-Project/Cortex/issues/85)
 - Allow arbitrary parameters for a job [\#86](https://github.com/TheHive-Project/Cortex/issues/86)
 
-**Fixed bugs:**
-
-- Version Upgrade of Analyzer makes all Analyzers invisible for TheHive (Cortex2) [\#75](https://github.com/TheHive-Project/Cortex/issues/75)
-- Refresh Analyzers button not working [\#83](https://github.com/TheHive-Project/Cortex/issues/83)
-
 ## [2.0.2](https://github.com/TheHive-Project/Cortex/milestone/11) (2018-04-04)
 
 **Fixed bugs:**
@@ -263,17 +273,17 @@
 
 ## [1.1.2](https://github.com/TheHive-Project/Cortex/milestone/6) (2017-06-12)
 
-**Implemented enhancements:**
-
-- Initialize MISP modules at startup [\#28](https://github.com/TheHive-Project/Cortex/issues/28)
-- Add page loader [\#30](https://github.com/TheHive-Project/Cortex/issues/30)
-
 **Fixed bugs:**
 
 - Error 500 in TheHive when a job is submited to Cortex [\#27](https://github.com/TheHive-Project/Cortex/issues/27)
 - Cortex and MISP unclear and error-loop [\#29](https://github.com/TheHive-Project/Cortex/issues/29)
 - jobstatus from jobs within cortex are not updated when status changes [\#31](https://github.com/TheHive-Project/Cortex/issues/31)
 
+**Implemented enhancements:**
+
+- Initialize MISP modules at startup [\#28](https://github.com/TheHive-Project/Cortex/issues/28)
+- Add page loader [\#30](https://github.com/TheHive-Project/Cortex/issues/30)
+
 ## [1.1.1](https://github.com/TheHive-Project/Cortex/milestone/5) (2017-05-17)
 
 **Implemented enhancements:**

diff --git a/app/org/thp/cortex/services/DockerJobRunnerSrv.scala b/app/org/thp/cortex/services/DockerJobRunnerSrv.scala
@@ -23,6 +23,7 @@ import org.elastic4play.utils.RichFuture
 @Singleton
 class DockerJobRunnerSrv(
     client: DockerClient,
+    config: Configuration,
     autoUpdate: Boolean,
     jobBaseDirectory: Path,
     dockerJobBaseDirectory: Path,
@@ -42,6 +43,7 @@ class DockerJobRunnerSrv(
         .uri(config.getOptional[String]("docker.uri").getOrElse("unix:///var/run/docker.sock"))
         .useProxy(config.getOptional[Boolean]("docker.useProxy").getOrElse(false))
         .build(),
+      config,
       config.getOptional[Boolean]("docker.autoUpdate").getOrElse(true),
       Paths.get(config.get[String]("job.directory")),
       Paths.get(config.get[String]("job.dockerDirectory")),
@@ -64,20 +66,33 @@ class DockerJobRunnerSrv(
     import scala.collection.JavaConverters._
     if (autoUpdate) client.pull(dockerImage)
     //    ContainerConfig.builder().addVolume()
-    val hostConfig = HostConfig
-      .builder()
-      .appendBinds(
-        Bind
-          .from(dockerJobBaseDirectory.resolve(jobBaseDirectory.relativize(jobDirectory)).toAbsolutePath.toString)
-          .to("/job")
-          .readOnly(false)
-          .build()
-      )
-      .build()
+    val hostConfigBuilder = HostConfig.builder()
+    config.getOptional[Seq[String]]("docker.container.capAdd").map(_.asJava).foreach(hostConfigBuilder.capAdd)
+    config.getOptional[Seq[String]]("docker.container.capDrop").map(_.asJava).foreach(hostConfigBuilder.capDrop)
+    config.getOptional[String]("docker.container.cgroupParent").foreach(hostConfigBuilder.cgroupParent)
+    config.getOptional[Long]("docker.container.cpuPeriod").foreach(hostConfigBuilder.cpuPeriod(_))
+    config.getOptional[Long]("docker.container.cpuQuota").foreach(hostConfigBuilder.cpuQuota(_))
+    config.getOptional[Seq[String]]("docker.container.dns").map(_.asJava).foreach(hostConfigBuilder.dns)
+    config.getOptional[Seq[String]]("docker.container.dnsSearch").map(_.asJava).foreach(hostConfigBuilder.dnsSearch)
+    config.getOptional[Seq[String]]("docker.container.extraHosts").map(_.asJava).foreach(hostConfigBuilder.extraHosts)
+    config.getOptional[Long]("docker.container.kernelMemory").foreach(hostConfigBuilder.kernelMemory(_))
+    config.getOptional[Long]("docker.container.memoryReservation").foreach(hostConfigBuilder.memoryReservation(_))
+    config.getOptional[Long]("docker.container.memory").foreach(hostConfigBuilder.memory(_))
+    config.getOptional[Long]("docker.container.memorySwap").foreach(hostConfigBuilder.memorySwap(_))
+    config.getOptional[Int]("docker.container.memorySwappiness").foreach(hostConfigBuilder.memorySwappiness(_))
+    config.getOptional[String]("docker.container.networkMode").foreach(hostConfigBuilder.networkMode)
+    config.getOptional[Boolean]("docker.container.privileged").foreach(hostConfigBuilder.privileged(_))
+    hostConfigBuilder.appendBinds(
+      Bind
+        .from(dockerJobBaseDirectory.resolve(jobBaseDirectory.relativize(jobDirectory)).toAbsolutePath.toString)
+        .to("/job")
+        .readOnly(false)
+        .build()
+    )
     val cacertsFile = jobDirectory.resolve("input").resolve("cacerts")
     val containerConfigBuilder = ContainerConfig
       .builder()
-      .hostConfig(hostConfig)
+      .hostConfig(hostConfigBuilder.build())
       .image(dockerImage)
       .cmd("/job")
 

diff --git a/build.sbt b/build.sbt
@@ -3,34 +3,48 @@ import Common._
 lazy val cortex = (project in file("."))
   .enablePlugins(PlayScala)
   .settings(projectSettings)
+  .settings(PackageSettings.packageSettings)
+  .settings(PackageSettings.rpmSettings)
+  .settings(PackageSettings.debianSettings)
+  .settings(DockerSettings.default)
+  .settings(
+    Seq(
+      libraryDependencies ++= Seq(
+        Dependencies.Play.cache,
+        Dependencies.Play.ws,
+        Dependencies.Play.ahc,
+        Dependencies.Play.specs2 % Test,
+        Dependencies.Play.guice,
+        Dependencies.scalaGuice,
+        Dependencies.elastic4play,
+        Dependencies.reflections,
+        Dependencies.zip4j,
+        Dependencies.dockerClient,
+        Dependencies.akkaCluster,
+        Dependencies.akkaClusterTyped
+      ),
+      resolvers += Resolver.sbtPluginRepo("releases"),
+      resolvers += "scalaz-bintray" at "https://dl.bintray.com/scalaz/releases",
+      resolvers += "elasticsearch-releases" at "https://artifacts.elastic.co/maven",
+      Compile / packageDoc / publishArtifact := false,
+      Compile / doc / sources := Seq.empty,
+      // Front-end //
+      Assets / packageBin / mappings ++= frontendFiles.value,
+      packageBin := {
+        (Debian / packageBin).value
+        (Rpm / packageBin).value
+        (Universal / packageBin).value
+      }
+    )
+  )
 
-libraryDependencies ++= Seq(
-  Dependencies.Play.cache,
-  Dependencies.Play.ws,
-  Dependencies.Play.ahc,
-  Dependencies.Play.specs2 % Test,
-  Dependencies.Play.guice,
-  Dependencies.scalaGuice,
-  Dependencies.elastic4play,
-  Dependencies.reflections,
-  Dependencies.zip4j,
-  Dependencies.dockerClient,
-  Dependencies.akkaCluster,
-  Dependencies.akkaClusterTyped
-)
-
-resolvers += Resolver.sbtPluginRepo("releases")
-resolvers += "scalaz-bintray" at "https://dl.bintray.com/scalaz/releases"
-resolvers += "elasticsearch-releases" at "https://artifacts.elastic.co/maven"
-publishArtifact in (Compile, packageDoc) := false
-publishArtifact in packageDoc := false
-sources in (Compile, doc) := Seq.empty
-
-// Front-end //
-mappings in packageBin in Assets ++= frontendFiles.value
-
-packageBin := {
-  (packageBin in Debian).value
-  (packageBin in Rpm).value
-  (packageBin in Universal).value
-}
+lazy val cortexWithDeps = (project in file("target/docker-withdeps"))
+  .dependsOn(cortex)
+  .enablePlugins(DockerPlugin)
+  .settings(projectSettings)
+  .settings(DockerSettings.withDeps)
+  .settings(
+    Docker / mappings := (cortex / Docker / mappings).value,
+    Docker / version := version.value + "-withdeps",
+    Docker / packageName := "cortex"
+  )
diff --git a/debian.sbt b/debian.sbt