add /etc/nsswitch.conf so container reads /etc/hosts

The golang resolver uses `/etc/nsswitch.conf` if it exists. See golang/go#22846 Resolves jumanjihouse#64
jumanjiman · Sep 13, 2018 · b9d88ea · b9d88ea
1 parent 2eb9f64
commit b9d88ea
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -26,7 +26,8 @@ The build takes about 30 seconds and results in a 5 MiB Docker image.
 <br/>The runtime image contains **only**:
 
 * a static binary,
-* CA certificates, and
+* CA certificates,
+* `/etc/nsswitch.conf` so golang net resolver uses `/etc/hosts`, and
 * `/etc/passwd` to provide an unprivileged user.
 
 The container runs as an unprivileged user via the technique described in
@@ -160,3 +161,15 @@ You can use `docker-compose` with the `docker-compose.yaml` file in this git rep
     "https://github.com": "A+"
 
     2017/05/13 15:35:40 [INFO] All assessments complete; shutting down
+
+
+### Scan internal sites
+
+You can add entries to `/etc/hosts` via `docker run --add-host`
+or via the docker-compose `extra_hosts` option.
+However, websites to be scanned must be resolvable and reachable
+by the [Qualys SSL Labs service](https://www.ssllabs.com/ssltest/).
+
+Consider to use https://github.com/jumanjihouse/docker-testssl
+if you need to scan internal sites that are not reachable from
+the public Internet.
diff --git a/ci/test b/ci/test
@@ -52,4 +52,10 @@ info The sleeper container does not have the "ps" command, so we
 info attach a regular container to the namespace of the sleeper container.
 run docker run --rm -it --pid container:"${cid}" --network container:"${cid}" alpine:3.8 ps -o pid,user,group,comm |
   grep -E -e run -e '1 1000     1000     sleeper'
+
+info 'Check that /etc/hosts entries are used.'
+info 'The sleeper container does not have the "ping" command, so we'
+info 'attach a regular container to the namespace of the sleeper container.'
+run docker run --rm -it --pid container:"${cid}" --network container:"${cid}" alpine:3.8 ping -c1 -W2 static-host.com
+
 run docker-compose down
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -31,6 +31,8 @@ services:
     build:
       context: sleeper/
       dockerfile: Dockerfile
+    extra_hosts:
+      - 'static-host.com:127.0.0.1'
 
   grade_github:
     <<: *defaults

diff --git a/scanner/Dockerfile b/scanner/Dockerfile
@@ -48,7 +48,7 @@ CMD ["--help"]
 ARG VERSION
 COPY --from=scanner_builder /tmp/ssllabs-scan-${VERSION}/ssllabs-scan /
 COPY --from=scanner_builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
-COPY passwd /etc/passwd
+COPY . /
 
 ARG CIRCLE_BUILD_URL
 ARG BUILD_DATE

diff --git a/scanner/etc/nsswitch.conf b/scanner/etc/nsswitch.conf
@@ -0,0 +1,3 @@
+# https://github.com/golang/go/blob/go1.9.1/src/net/conf.go#L194-L275
+# https://golang.org/pkg/net/
+hosts: files dns
diff --git a/scanner/passwd → scanner/etc/passwd b/scanner/passwd → scanner/etc/passwd