Populate uninitialized data directories at container startup

jbarlow-mcafee · jbarlow-mcafee · commit 81fa87c8bbad · 2018-04-18T08:54:42.000-07:00
Previously, configuration for ssl cert/key and the MISP web
application did not have volume mounts defined by default and
population of the mysql database required creating an ephemeral
container instance to run an initialization script once before
creating the full MISP app container.

With the changes in this commit, volumes would be available by
default for mysql, ssl, and the MISP application.
Initialization of the data for each volume is also done post
container startup so that the data can be populated into
mounted directories if not already present. Since this logic
would be run on each container startup, the one-time creation
of a container to initialize the mysql database would no
longer be required.
diff --git a/container/Dockerfile b/container/Dockerfile
@@ -10,11 +10,10 @@ ARG MISP_EMAIL=admin@localhost
 
 # Dir you need to override to keep data on reboot/new container:
 VOLUME /var/lib/mysql
-#VOLUME /var/www/MISP/Config
 
 # Dir you might want to override in order to have custom ssl certs
 # Need: "misp.key" and "misp.crt"
-#VOLUME /etc/ssl/private
+VOLUME /etc/ssl/private
 
 # 80/443 - MISP web server, 3306 - mysql, 6379 - redis, 50000 - MISP ZeroMQ
 EXPOSE 80 443 3306 6379 50000
@@ -39,6 +38,11 @@ RUN sed -i -E 's/^(\s*)system\(\);/\1unix-stream("\/dev\/log");/' /etc/syslog-ng
     sudo -u www-data -H git config core.filemode false ; \
     echo
 
+# Dir you need to override to keep app config on reboot/new container. This
+# appears after the git clone above to avoid a failure that would occur if
+# trying to clone into a non-empty directory.
+VOLUME /var/www/MISP/app/Config
+
 WORKDIR /var/www/MISP/app/files/scripts
 RUN sudo -u www-data -H git clone https://github.com/CybOXProject/python-cybox.git ; \
     sudo -u www-data -H git clone https://github.com/STIXProject/python-stix.git
@@ -83,7 +87,6 @@ RUN mkdir /var/www/.composer && chown -R www-data:www-data /var/www/.composer ;
     sudo chmod -R g+ws /var/www/MISP/app/tmp ; \
     sudo chmod -R g+ws /var/www/MISP/app/files ; \
     sudo chmod -R g+ws /var/www/MISP/app/files/scripts/tmp ; \
-    openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/misp.key -out /etc/ssl/private/misp.crt -batch ; \
     echo "<VirtualHost *:80>" > /etc/apache2/sites-available/000-default.conf ; \
     echo "ServerName $MISP_FQDN" >> /etc/apache2/sites-available/000-default.conf ; \
     echo "Redirect permanent / https://$MISP_FQDN" >> /etc/apache2/sites-available/000-default.conf ; \
@@ -110,18 +113,28 @@ RUN mkdir /var/www/.composer && chown -R www-data:www-data /var/www/.composer ;
     echo "ServerSignature Off" >> /etc/apache2/sites-available/default-ssl.conf ; \
     echo "</VirtualHost>" >> /etc/apache2/sites-available/default-ssl.conf ; \
     echo "ServerName localhost" >> /etc/apache2/apache2.conf ; \
-    sudo -u www-data cp -a /var/www/MISP/app/Config/bootstrap.default.php /var/www/MISP/app/Config/bootstrap.php ; \
-    sudo -u www-data cp -a /var/www/MISP/app/Config/database.default.php /var/www/MISP/app/Config/database.php ; \
-    sudo -u www-data cp -a /var/www/MISP/app/Config/core.default.php /var/www/MISP/app/Config/core.php ; \
-    sudo -u www-data cp -a /var/www/MISP/app/Config/config.default.php /var/www/MISP/app/Config/config.php
-
-RUN sed -i -e 's/db login/misp/g' /var/www/MISP/app/Config/database.php ; \
-    sed -i -e "s/db password/${MYSQL_MISP_PASSWORD}/g" /var/www/MISP/app/Config/database.php ; \
-    sed -i -E "s/'salt'(\s+)=>\s''/'salt' => '`openssl rand -base64 32 | tr \'/\' \'0\'`'/" /var/www/MISP/app/Config/config.php ; \
-    sed -i -E "s/'baseurl'(\s+)=>\s''/'baseurl' => 'https:\/\/${MISP_FQDN}'/" /var/www/MISP/app/Config/config.php ; \
-    sed -i -e "s/email@address.com/${MISP_EMAIL}/" /var/www/MISP/app/Config/config.php ; \
-    sudo chown -R www-data:www-data /var/www/MISP/app/Config ; \
-    sudo chmod -R 750 /var/www/MISP/app/Config ; \
+    sudo cp -aR /var/www/MISP/app/Config /.misp_config_default
+
+RUN echo "#!/bin/bash" > /.misp_config_default/init-misp-config ; \
+    echo "if [ ! -f /var/www/MISP/app/Config/.misp_config_initialized ]; then " >> /.misp_config_default/init-misp-config ; \
+    echo "sudo -u www-data mkdir -p /var/www/MISP/app/Config" >> /.misp_config_default/init-misp-config ; \
+    echo "sudo cp -aR /.misp_config_default/*.php /var/www/MISP/app/Config" >> /.misp_config_default/init-misp-config ; \
+    echo "sudo chown -R www-data:www-data /var/www/MISP/app/Config" >> /.misp_config_default/init-misp-config ; \
+    echo "sudo -u www-data cp -a /var/www/MISP/app/Config/bootstrap.default.php /var/www/MISP/app/Config/bootstrap.php" >> /.misp_config_default/init-misp-config ; \
+    echo "sudo -u www-data cp -a /var/www/MISP/app/Config/database.default.php /var/www/MISP/app/Config/database.php" >> /.misp_config_default/init-misp-config ; \
+    echo "sudo -u www-data cp -a /var/www/MISP/app/Config/core.default.php /var/www/MISP/app/Config/core.php" >> /.misp_config_default/init-misp-config ; \
+    echo "sudo -u www-data cp -a /var/www/MISP/app/Config/config.default.php /var/www/MISP/app/Config/config.php" >> /.misp_config_default/init-misp-config ; \
+    echo "sed -i -e \"s/db login/misp/g\" /var/www/MISP/app/Config/database.php" >> /.misp_config_default/init-misp-config ; \
+    echo "sed -i -e \"s/db password/$MYSQL_MISP_PASSWORD/g\" /var/www/MISP/app/Config/database.php" >> /.misp_config_default/init-misp-config ; \
+    echo "sed -i -E \"s/'salt'(\s+)=>\s''/'salt' => '`openssl rand -base64 32 | tr \'/\' \'0\'`'/\" /var/www/MISP/app/Config/config.php" >> /.misp_config_default/init-misp-config ; \
+    echo "sed -i -E \"s/'baseurl'(\s+)=>\s''/'baseurl' => 'https:\/\/$MISP_FQDN'/\" /var/www/MISP/app/Config/config.php" >> /.misp_config_default/init-misp-config ; \
+    echo "sed -i -e \"s/email@address.com/$MISP_EMAIL/\" /var/www/MISP/app/Config/config.php" >> /.misp_config_default/init-misp-config ; \
+    echo "sudo chown -R www-data:www-data /var/www/MISP/app/Config" >> /.misp_config_default/init-misp-config ; \
+    echo "touch /var/www/MISP/app/Config/.misp_config_initialized" >> /.misp_config_default/init-misp-config ; \
+    echo "sudo chmod -R 750 /var/www/MISP/app/Config" >> /.misp_config_default/init-misp-config ; \
+    echo "fi" >> /.misp_config_default/init-misp-config ; \
+    echo "sudo rm -fR /.misp_config_default" >> /.misp_config_default/init-misp-config ; \
+    chmod 755 /.misp_config_default/init-misp-config ; \
     sudo pip2 install --upgrade pip ; \
     sudo pip2 install pyzmq ; \
     sudo pip2 install redis ; \
@@ -152,7 +165,7 @@ RUN sed -i -e 's/db login/misp/g' /var/www/MISP/app/Config/database.php ; \
     echo "touch /var/lib/mysql/.db_initialized" >> /init-db ; \
     echo "chown -R mysql:mysql /var/lib/mysql" >> /init-db ; \
     echo "fi" >> /init-db ; \
-    echo "rm -f /init-db" >> /init-db ; \
+    echo "sudo rm -f /init-db" >> /init-db ; \
     chmod 755 /init-db ; \
     echo "#!/bin/bash" > /misp-bug-fix ; \
     echo "cd '/usr' ; /usr/bin/mysqld_safe --datadir='/var/lib/mysql' &" >> /misp-bug-fix ; \
@@ -201,4 +214,5 @@ COPY supervisord.conf /etc/supervisor/conf.d/
 # To change it:
 #echo "/var/www/MISP/app/Console/cake Password 'admin@admin.test' '@dmin1!'" >> /root/init-db ; \
 
-CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
+COPY startup.sh /
+CMD ["/startup.sh"]
diff --git a/container/startup.sh b/container/startup.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+if [ -f /init-db ]; then
+   /init-db
+fi
+
+if [ -f /.misp_config_default/init-misp-config ]; then
+   /.misp_config_default/init-misp-config
+fi
+
+if [ ! -f /etc/ssl/private/.ssl_initialized ] && [ ! -f /etc/ssl/private/misp.crt ] && [ ! -f /etc/ssl/private/misp.key ]; then
+    openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/misp.key -out /etc/ssl/private/misp.crt -batch
+    touch /etc/ssl/private/.ssl_initialized
+fi
+
+/usr/bin/supervisord -c "/etc/supervisor/conf.d/supervisord.conf"
