Feature/boefjes to oci images #2709
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Change the signature to a dictionary for containerized boefjes.
…cess triggered through `make kat`
dekkers
reviewed
Mar 25, 2024
Use the `nonroot` user in the boefje images. Explanation for setting the DOCKER_DEFAULT_PLATFORM in the boefje Makefile
Handle the boefje api requests in Python as well, using httpx Use the docker_adapter as entrypoint, making the entrypoint redundant.
Handle the boefje api requests in Python as well, using httpx Use the docker_adapter as entrypoint, making the entrypoint redundant
Checklist for QA:
What works:DNSSec boefje works and appear no error messages in the logs. After Review is done it can be moved to Ready to merge. I followed the following approach while timing: I let the DNSrecords and DNSzone boefjes run and finish, then enable the dnssec boefje and start the stopwatch. Data is against mispo.es with L1 and timed until the KAT-NO-DNSSEC Finding Type is completed under the Normalizer tab:
What doesn't work:n/a Bug or feature?:n/a |
underdarknl
reviewed
Mar 29, 2024
| domain = input_["name"] | ||
|
|
||
| client = docker.from_env() | ||
|
|
||
| # check for string pollution in domain. This check will fail if anything other characters than a-zA-Z0-9_.- are | ||
| # present in the hostname | ||
| if not re.search(r"^[\w.]+[\w\-.]+$", domain.lower()): |
There was a problem hiding this comment.
Have we checked punicode domainname compatibility here?
underdarknl
approved these changes
Mar 29, 2024
jpbruinsslot
added a commit
that referenced
this pull request
Apr 4, 2024
* main: (51 commits) Fix static files for container images/Debian packages when DEBUG is on (#2742) OOI selection at Aggregate report does not remember changed selection (#2619) fix schema errors on empty / missing schemas (#2744) Updated `phonenumbers` and `django-phonenumber-field` (#2757) Remove octopoes coverage workflow (#2755) Bump actions/configure-pages from 4 to 5 (#2745) Add xtdb-cli tool to Octopoes (#2733) Dont report vulnerabilities without version info of the software for snyk (#2730) Feature/boefjes to oci images (#2709) Query non-reference fields and subclass-specific fields through path queries (#2662) Fix in System Specific (#2732) Plugins overview in appendix not showing any plugins (#2694) Feat stepper design v2 (#2704) Undo project-directory in Rocky (#2734) Remove Docker Compose: "version" (#2718) Upgrade `pre-commit` hooks (#2729) Fix #1739 (#2705) Improve generate report (#2633) Fix critical vulnerability counter (#2712) Fix pdf alignment (#2674) ...
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes
This adds Docker (OCI) image builder setups for both python-native boefjes and boefjes that were using docker containers already. As an example for this first version, only
dns-recordsanddns-secwere changed.To get it working for the dnssec image, I had to change the boefje_meta argument to be a dict since else we'd be adding pydantic there and a job_models file. This can be a point of discussion.
I also added a step in the
make buildthat we run during installations. We now also domake -C boefjes imagesthat builds the two images. There the target also provides examples of how to manually run the docker build commands with the right arguments and tags.One issue here is that some alpine images only have python 3.5 available which messes a bit with some of the APIs in the standard lib. Hence the ignoring the dnssec main.py for pre-commit.We'll try to migrate to new python3.11-slim images where possible. In this case, it was possible.I used
boefje.Dockerfileper the Dockerfile naming convention and the fact that potentially normalizer Dockerfiles could perhaps also live in the same directory with the namenormalizer.Dockerfilefor instance.Follow up: do we still care about the group and user ids? We do not pass them anyways currently and the main reason for implementing them was specific requirements for the apps themselves, if I recall correctly.No, removed.Issue link
Closes #2443
Demo & QA notes
This feature should not change the current flow or setup, but please verify that both the
dns-recordsanddns-secboefje work properly on a clean install (i.e. aftermake katormake reset, which should build the images). Perhaps a rough notion of the new performance would also be nice as the risk here is that the new setup will induce significant overhead to smaller boefjes.Code Checklist
Communication
.envchanges files if required and changed the.env-distaccordingly.Checklist for code reviewers:
Copy-paste the checklist from the docs/source/templates folder into your comment.
Checklist for QA:
Copy-paste the checklist from the docs/source/templates folder into your comment.