From 9144ee8c758d12ea8d8370312dc84960a177d79c Mon Sep 17 00:00:00 2001 From: EnDe Date: Sun, 15 Dec 2019 00:08:56 +0100 Subject: [PATCH] EF: build with debian supported --- Dockerfile | 65 +++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 50 insertions(+), 15 deletions(-) diff --git a/Dockerfile b/Dockerfile index f801ef72a7..001f71f57c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -9,7 +9,7 @@ #? #? OSAFT_VM_FROM #? Base image to be used for this build. Tested images are: -#? (2017) alpine:3.6 alpine:edge debian:stretch-slim debian +#? (2017) alpine:3.6 alpine:edge debian:stretch-slim debian #? (2018) alpine:3.8 debian #? (2019) alpine:3.10 debian:10.2-slim #? @@ -90,7 +90,7 @@ #? PATH for shell, set to: #? ${OSAFT_DIR}:${OSAFT_DIR}/contrib:${OPENSSL_DIR}/bin:$PATH #? WORK_DIR -#? Directory where to build the packages (used for Dockerfile's +#? Directory where to build the packages (used for Dockerfile's #? WORKDIR dierective. #? #? EXAMPLES @@ -103,6 +103,11 @@ #? --build-arg "OSAFT_VM_FROM=alpine:3.8" \ #? -f Dockerfile -t owasp/o-saft . #? +#? Simple build with base image debian:10.2-slim +#? docker build --force-rm --rm \ +#? --build-arg "OSAFT_VM_FROM=debian:10.2-slim" \ +#? -f Dockerfile -t owasp/o-saft . +#? #? Build with base image alpine:3.6 and Tcl/Tk #? docker build --force-rm --rm \ #? --build-arg "OSAFT_VM_FROM=alpine:3.6" \ @@ -123,6 +128,9 @@ #? Note that o-saft-docker searches for a Docker image owasp/o-saft #? so don't forget to tag at least one image with this name. #? +# HACKER's Info +# Note that the base package alpine uses busybox as shell. This shell is +# very picky, in particular for the expr command. ARG OSAFT_VM_FROM=alpine:3.10 @@ -159,7 +167,7 @@ LABEL \ SOURCE0="https://github.com/OWASP/O-Saft/raw/master/Dockerfile" \ SOURCE1="$OSAFT_VM_SRC_OSAFT" \ SOURCE2="$OSAFT_VM_SRC_OPENSSL" \ - SID="@(#) Dockerfile 1.34 19/12/14 22:34:10" \ + SID="@(#) Dockerfile 1.35 19/12/15 00:08:51" \ AUTHOR="Achim Hoffmann" ENV osaft_vm_build "Dockerfile $OSAFT_VERSION; FROM $OSAFT_VM_FROM" @@ -176,7 +184,7 @@ WORKDIR $WORK_DIR RUN \ #== Configure user - if expr "$OSAFT_VM_FROM" : debian >/dev/null ; then \ + if expr "X$OSAFT_VM_FROM" : Xdebian >/dev/null ; then \ adduser --quiet --home ${OSAFT_DIR} ${OSAFT_VM_USER} ; \ passwd --delete ${OSAFT_VM_USER} ; \ else \ @@ -184,13 +192,40 @@ RUN \ fi && \ mkdir -p ${OSAFT_DIR} && \ \ + #== Configure apk (alpine) or apt (debian); default: apk + apt_exe=apk && \ + apt_add=add && \ + apt_del=del && \ + opt_add=--no-cache && \ + opt_del=--purge \ + packages_make="gcc make musl-dev linux-headers perl-dev" && \ + packages="wget ncurses $OSAFT_VM_APT_INSTALL \ + $packages_make \ + krb5-dev zlib-dev perl perl-readonly \ + ca-certificates" && \ + packages_dev="gmp-dev lksctp-tools-dev" && \ + packages_perl="perl-net-dns perl-net-libidn perl-mozilla-ca" && \ + if expr "X$OSAFT_VM_FROM" : Xdebian >/dev/null ; then \ + apt_exe=apt-get ; \ + apt_add=install ; \ + apt_del=purge ; \ + opt_add=--yes ; \ + opt_del=--yes ; \ +# fehltnoch: perl-dev + packages_make="gcc make linux-headers-amd64" ; \ + # ncurses-base ncurses-bin already part of debian + packages="wget $packages_make libkrb5-3 libkrb5-dev zlib1g-dev perl ca-certificates" ; \ + packages_dev="libgmp-dev lksctp-tools libsctp-dev" ; \ + packages_perl="libnet-dns-perl libnet-libidn-perl" ; \ + fi && \ + # perl-io-socket-ssl perl-net-ssleay build herein + \ #== Install required packages, development tools and libs #apk update && \ # no update needed and not wanted - apk add --no-cache wget ncurses $OSAFT_VM_APT_INSTALL \ - gcc make musl-dev linux-headers \ - krb5-dev zlib-dev perl perl-readonly perl-dev \ - ca-certificates && \ - # perl-io-socket-ssl perl-net-ssleay + if expr "X$OSAFT_VM_FROM" : Xdebian >/dev/null ; then \ + $apt_exe update ; \ + fi && \ + $apt_exe $apt_add $opt_add $packages && \ \ #== Workaround for docker/alpine (bug or race condition) # in some alpine versions, resolving a hostname fails, see @@ -198,12 +233,14 @@ RUN \ # as workaround we try to prefetch the name resolution; # however, it is not bullet proof either ... workaround_alpine_bug() { \ + expr "X$OSAFT_VM_FROM" : Xdebian >/dev/null && return ; \ for host in github.com codeload.github.com cpan.metacpan.org search.cpan.org cpan.metacpan.org ; do \ echo -n "resolving $host ... " && ping -c 1 $host > /dev/null && echo SUCCESS || echo FAILDED ; \ done; } && \ + \ #== Pull, build and install enhanced openssl workaround_alpine_bug && \ - apk add --no-cache gmp-dev lksctp-tools-dev && \ + $apt_exe $apt_add $opt_add $packages_dev && \ cd $WORK_DIR && \ mkdir -p $BUILD_DIR ${OPENSSL_DIR} && \ wget --no-check-certificate $OSAFT_VM_SRC_OPENSSL -O $OSAFT_VM_TAR_OPENSSL && \ @@ -262,7 +299,7 @@ RUN \ echo -n "# number of ciphers ${OPENSSL_DIR}/bin/openssl: " && \ ${OPENSSL_DIR}/bin/openssl ciphers -V ALL:COMPLEMENTOFALL:aNULL|wc -l && \ # cleanup - apk del --purge gmp-dev lksctp-tools-dev && \ + $apt_exe $apt_del $opt_del $packages_dev && \ cd $WORK_DIR && \ rm -rf $BUILD_DIR $OSAFT_VM_TAR_OPENSSL && \ \ @@ -277,7 +314,7 @@ RUN \ \ tar -xzf $OSAFT_VM_TAR_SSLEAY -C $BUILD_DIR --strip-components=1 && \ # install additional packages for Net-SSLeay ... - apk add --no-cache perl-net-dns perl-net-libidn perl-mozilla-ca && \ + $apt_exe $apt_add $opt_add $packages_perl && \ cd $BUILD_DIR && \ perl -i.orig -pe 'if (m/^#define\s*REM_AUTOMATICALLY_GENERATED_1_09/){print "const SSL_METHOD * SSLv2_method()\n\nconst SSL_METHOD * SSLv3_method()\n\n";}' SSLeay.xs && \ # quick&dirty patch, results in warning, which can be ignored @@ -310,8 +347,6 @@ RUN \ #== Pull and install O-Saft workaround_alpine_bug && \ cd $WORK_DIR && \ - mkdir -p ${OSAFT_DIR} && \ - \ wget --no-check-certificate $OSAFT_VM_SRC_OSAFT -O $OSAFT_VM_TAR_OSAFT && \ # check sha256 if there is one [ -n "$OSAFT_VM_SHA_OSAFT" ] && \ @@ -335,7 +370,7 @@ RUN \ rm -f ${OSAFT_VM_TAR_OSAFT} && \ \ #== Cleanup - apk del --purge gcc make musl-dev linux-headers perl-dev + $apt_exe $apt_del $opt_del $packages_make # do not delete krb5-dev zlib-dev because we need # libkrb5.so.3, libk5crypto.so.3 and libz.so to run openssl