Merge pull request #183 from BenediktMKuehne/net_change

Net change
e-m-b-a · Nov 25, 2021 · b83444c · b83444c
2 parents ded34cc + e7e3d66
commit b83444c
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 26 deletions.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -10,10 +10,22 @@ services:
         - ${EMBA}/:/emba:ro
         - /etc/timezone:/etc/timezone:ro
         - /etc/localtime:/etc/localtime:ro
-    network_mode: "host"
     environment:
         - USER
     devices:
       - /dev/fuse:/dev/fuse:rwm
     cap_add:
       - SYS_ADMIN
+    networks:
+      - emba_runs
+
+networks:
+  emba_runs:
+    name: emba_runs
+    driver: bridge
+    internal: true
+    driver_opts:
+      com.docker.network.bridge.name: emba_runs
+    ipam:
+      config:
+        - subnet: "172.36.0.0/16"
diff --git a/emba.sh b/emba.sh
@@ -541,8 +541,6 @@ main()
     fi
 
     if docker images | grep -qE "emba[[:space:]]*latest"; then
-      setup_docker_iptables
-
       print_output "[*] EMBA initializes docker container.\\n" "no_log"
       EMBA="$INVOCATION_PATH" FIRMWARE="$FIRMWARE_PATH" LOG="$LOG_DIR" docker-compose run --rm emba -c './emba.sh -l /log -f /firmware -i "$@"' _ "${ARGUMENTS[@]}"
       D_RETURN=$?

diff --git a/helpers/helpers_emba_dependency_check.sh b/helpers/helpers_emba_dependency_check.sh
@@ -68,6 +68,29 @@ check_dep_port()
   fi
 }
 
+check_docker_env() {
+  TOOL_NAME="MongoDB"
+  print_output "    ""$TOOL_NAME"" - \\c" "no_log"
+  if ! grep -q "bindIp: 172.36.0.1" /etc/mongod.conf; then
+    echo -e "$RED""not ok""$NC"
+    echo -e "$RED""    Wrong ""mongodb config"" - check your installation""$NC"
+    echo -e "$RED""    RE-run installation - bindIp should be set to 172.36.0.1""$NC"
+    DEP_ERROR=1
+  else
+    echo -e "$GREEN""ok""$NC"
+  fi
+  TOOL_NAME="Docker Interface"
+  print_output "    ""$TOOL_NAME"" -""$RED"" \\c" "no_log"
+  if ! ip a show emba_runs | grep -q "172.36.0.1" ; then
+    # echo -e "$RED""not ok""$NC"
+    echo -e "$RED""    Missing ""Docker-Interface"" - check your installation""$NC"
+    echo -e "$RED""    run \$docker-compose up --no-start to start or reset it otherwise""$NC"
+    DEP_ERROR=1
+  else
+    echo -e "$GREEN""ok""$NC"
+  fi
+}
+
 check_cve_search() {
   TOOL_NAME="cve-search"
   print_output "    ""$TOOL_NAME"" - testing" "no_log"
@@ -187,6 +210,7 @@ dependency_check()
   if [[ $USE_DOCKER -eq 1 ]] ; then
     check_dep_tool "docker"
     check_dep_tool "docker-compose"
+    check_docker_env
     check_cve_search
   fi
 
@@ -268,6 +292,7 @@ dependency_check()
     DEP_ERROR=0
 
     # CVE-search
+    # TODO change to portcheck and write one for external hosts
     check_dep_file "cve-search script" "$EXT_DIR""/cve-search/bin/search.py"
     # we have to ignore this warning, because shellcheck doesn't know, that this file will be imported
     # shellcheck disable=SC2309

diff --git a/helpers/helpers_emba_helpers.sh b/helpers/helpers_emba_helpers.sh
@@ -115,14 +115,6 @@ cleaner() {
   exit 1
 }
 
-setup_docker_iptables() {
-  print_output "[*] Setup iptables rules to protect the docker environment" "no_log"
-  #iptables -I INPUT -p tcp -i docker0 -j DROP
-  #iptables -I INPUT -p icmp -i docker0 -j DROP
-  #iptables -I INPUT -p udp -i docker0 -j DROP
-  #iptables -I OUTPUT -p tcp -j DROP
-  iptables -L
-}
 
 check_start_cve_database() {
   # we check if cve-search reports real results:

diff --git a/installer.sh b/installer.sh
@@ -394,6 +394,7 @@ if [[ "$CVE_SEARCH" -ne 1 ]]; then
         echo -e "$ORANGE""EMBA docker image will be downloaded.""$NC"
         docker pull embeddedanalyzer/emba
         export DOCKER_CLI_EXPERIMENTAL=disabled
+        docker-compose up --no-start
       else
         echo -e "$GREEN""EMBA docker image is already available - no further action will be performed.""$NC"
       fi
@@ -1222,6 +1223,9 @@ if [[ "$LIST_DEP" -eq 1 ]] || [[ $IN_DOCKER -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]
     xargs sudo apt-get install -y < requirements.system
     # shellcheck disable=SC2002
     cat requirements.txt | xargs -n 1 pip install 2>/dev/null
+    cp ./etc/configuration.ini.sample ./etc/configuration.ini
+    sed -i 's/localhost/172.36.0.1/g' ./etc/configuration.ini
+    sed -i 's/127.0.0.1/172.36.0.1/g' ./etc/configuration.ini
   fi
 
   case ${ANSWER:0:1} in
@@ -1231,15 +1235,11 @@ if [[ "$LIST_DEP" -eq 1 ]] || [[ $IN_DOCKER -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]
       echo -e "\\n""$MAGENTA""Check if the cve-search database is already installed.""$NC"
       cd "$HOME_PATH" || exit 1
       cd ./external/cve-search/ || exit 1
-      if netstat -anpt | grep LISTEN | grep -q 27017; then
-        if [[ $(./bin/search.py -p busybox 2>/dev/null | grep -c ":\ CVE-") -gt 18 ]]; then
+      if [[ $(./bin/search.py -p busybox 2>/dev/null | grep -c ":\ CVE-") -gt 18 ]]; then
           CVE_INST=0
           echo -e "\\n""$GREEN""cve-search database already installed - no further action performed.""$NC"
-        else
-          echo -e "\\n""$MAGENTA""cve-search database not ready.""$NC"
-        fi
       else
-        echo -e "\\n""$MAGENTA""cve-search database port 27017 not available.""$NC"
+          echo -e "\\n""$MAGENTA""cve-search database not ready.""$NC"
       fi
       if [[ "$CVE_INST" -eq 1 ]]; then
         wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | sudo apt-key add -
@@ -1250,6 +1250,8 @@ if [[ "$LIST_DEP" -eq 1 ]] || [[ $IN_DOCKER -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]
         systemctl daemon-reload
         systemctl start mongod
         systemctl enable mongod
+        sed -i 's/bindIp\:\ 127.0.0.1/bindIp\:\ 172.36.0.1/g' /etc/mongod.conf
+        systmctl restart mongod.service
 
         if [[ "$FORCE" -eq 0 ]] ; then
           echo -e "\\n""$MAGENTA""$BOLD""Do you want to download and update the cve-search database?""$NC"
@@ -1262,16 +1264,11 @@ if [[ "$LIST_DEP" -eq 1 ]] || [[ $IN_DOCKER -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]
           y|Y )
             CVE_INST=1
             echo -e "\\n""$MAGENTA""Check if the cve-search database is already installed.""$NC"
-            if netstat -anpt | grep LISTEN | grep -q 27017; then
-              if [[ $(./bin/search.py -p busybox 2>/dev/null | grep -c ":\ CVE-") -gt 18 ]]; then
-                CVE_INST=0
-                echo -e "\\n""$GREEN""cve-search database already installed - no further action performed.""$NC"
-              else
-                echo -e "\\n""$MAGENTA""cve-search database not ready.""$NC"
-                echo -e "\\n""$MAGENTA""The installer is going to populate the database.""$NC"
-              fi
+            if [[ $(./bin/search.py -p busybox 2>/dev/null | grep -c ":\ CVE-") -gt 18 ]]; then
+              CVE_INST=0
+              echo -e "\\n""$GREEN""cve-search database already installed - no further action performed.""$NC"
             else
-              echo -e "\\n""$MAGENTA""cve-search database port 27017 not available.""$NC"
+              echo -e "\\n""$MAGENTA""cve-search database not ready.""$NC"
               echo -e "\\n""$MAGENTA""The installer is going to populate the database.""$NC"
             fi
             # only update and install the database if we have no working database: