Add Environment Variable concept

.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"

.gitignore

@@ -1,4 +1,5 @@
 /logs/
 /files/
 /ssl/
-/server-configs/
+/server-configs/
+docker-compose.override.yml

Makefile

@@ -0,0 +1,30 @@
+# https://www.mkdocs.org/user-guide/deploying-your-docs/
+
+.PHONY: build-docker-misp build-docker-misp-module update-readme-toc add-remote-url update-from-origin
+
+build-docker-misp:
+	cp build-docker-compose.yml docker-compose.override.yml
+	docker-compose build misp
+
+build-docker-misp-module:
+	cp build-docker-compose.yml docker-compose.override.yml
+	docker-compose -fbuild misp-module
+
+# DEV only
+update-readme-toc:
+	docker run -v $(shell pwd)":/app" -w /app --rm -it sebdah/markdown-toc README.md --skip-headers 2 --replace --inline --header "## Table of Contents"
+
+docker-remove-build-run-logs-misp:
+	docker-compose down -v
+	$(MAKE) build-docker-misp
+	docker-compose up -d misp
+	docker-compose logs -f
+
+# For Git forks
+## Add remote url for mainstream
+add-remote-url:
+	git remote add base https://github.com/coolacid/docker-misp
+## Update from mainstream
+update-from-origin:
+	git fetch base
+	git merge base/master

README.md

@@ -17,6 +17,20 @@ This is based on some of the work from the DSCO docker build, nearly all of the
 -   Images directly from docker hub, no build required
 -   Slimmed down images by using build stages and slim parent image, removes unnecessary files from images
 
+<!-- ToC start -->
+## Table of Contents
+
+   1. [Docker Tags](#docker-tags)
+   1. [Getting Started](#getting-started)
+      1. [Environment Variables](#environment-variables)
+      1. [Development/Test](#development/test)
+      1. [Using the image for development](#using-the-image-for-development)
+      1. [Updating](#updating)
+      1. [Production](#production)
+      1. [Building](#building)
+   1. [Image file sizes](#image-file-sizes)
+<!-- ToC end -->
+
 ## Docker Tags
 
 [Docker hub](https://hub.docker.com/r/coolacid/misp-docker) builds the images automatically based on git tags. I try and tag using the following details
@@ -29,6 +43,28 @@ This is based on some of the work from the DSCO docker build, nearly all of the
 
 ## Getting Started
 
+### Environment Variables
+To modify settings a lot of different environment variables are used.
+For this we use the file [default_vars.sh](server/files/default_vars.sh). On this file are all existing environment variables registered, described and can be set via Docker, docker-compose, Swarm or Kubernetes.
+
+Example for docker:
+```bash
+docker run -ti \
+    -e MISP_ENTRYPOINT_NGINX_INIT=true \
+    -e MISP_ENTRYPOINT_NGINX_SECURESSL=false \
+        coolacid/misp-docker:core-latest 
+```
+
+Example for docker-compose:
+```bash
+services:
+    misp:
+    image: coolacid/misp-docker:core-latest
+    environment:
+      - "MISP_ENTRYPOINT_NGINX_INIT=true"
+      - "MISP_ENTRYPOINT_NGINX_SECURESSL=false"
+```
+
 ### Development/Test
 
 -   Grab the `docker-compose.yml` and `server-configs/email.php` files (Keep directory structure)

build-docker-compose.yml

@@ -7,7 +7,21 @@ services:
         args:
             - MISP_TAG=${MISP_TAG}
             - PHP_VER=${PHP_VER}
-
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - "./server-configs/:/var/www/MISP/app/Config/"
+      - "./logs/:/var/www/MISP/app/tmp/logs/"
+      - "./files/:/var/www/MISP/app/files"
+      - "./ssl/:/etc/nginx/certs"
+#      - "./examples/custom-entrypoint.sh:/custom-entrypoint.sh" # Use the example custom-entrypoint.sh
+    environment:
+      - "INIT=true"             # Initialze MISP, things includes, attempting to import SQL and the Files DIR
+      - "HOSTNAME=https://localhost"
+      - "REDIS_FQDN=redis"
+      - "CRON_USER_ID=1"        # The MISP user ID to run cron jobs as
+      - "SYNCSERVERS=1 2 3 4"  # The MISP Feed servers to sync in the cron job
   misp-modules:
     image: coolacid/misp-docker:modules-latest
     build:

docker-compose.yml

@@ -13,10 +13,10 @@ services:
     command: --default-authentication-plugin=mysql_native_password
     restart: always
     environment:
-      - "MYSQL_USER=misp"
-      - "MYSQL_PASSWORD=example"
-      - "MYSQL_ROOT_PASSWORD=password"
-      - "MYSQL_DATABASE=misp"
+      - MYSQL_USER=${MISP_MYSQL_USER:-dbuser}
+      - MYSQL_PASSWORD=${MISP_MYSQL_PASSWORD:-ChangeMe!}
+      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD:-ChangeMe!}
+      - MYSQL_DATABASE=${MISP_MYSQL_DB:-misp}
     volumes:
       - mysql_data:/var/lib/mysql
     cap_add:
@@ -27,35 +27,80 @@ services:
     depends_on:
       - redis
       - db
-    ports:
-      - "80:80"
-      - "443:443"
-    volumes:
-      - "./server-configs/:/var/www/MISP/app/Config/"
-      - "./logs/:/var/www/MISP/app/tmp/logs/"
-      - "./files/:/var/www/MISP/app/files"
-      - "./ssl/:/etc/nginx/certs"
+    expose:
+      - "80"
+      - "443"
+    # volumes:
+      # Per default no volumes will be mounted, so that you as user has the change to choose
+      # your wanted mountpoint or volume.
+      # - "./server-configs/:/var/www/MISP/app/Config/"
+      # - "./logs/:/var/www/MISP/app/tmp/logs/"
+      # - "./files/:/var/www/MISP/app/files"
+      # - "./ssl/:/etc/nginx/certs"
 #      - "./examples/custom-entrypoint.sh:/custom-entrypoint.sh" # Use the example custom-entrypoint.sh
     environment:
-      - "HOSTNAME=https://localhost"
-      - "REDIS_FQDN=redis"
-      - "INIT=true"             # Initialze MISP, things includes, attempting to import SQL and the Files DIR
-      - "CRON_USER_ID=1"        # The MISP user ID to run cron jobs as
-#      - "SYNCSERVERS=1 2 3 4"  # The MISP Feed servers to sync in the cron job
-      # Database Configuration (And their defaults)
-#      - "MYSQL_HOST=db"
-#      - "MYSQL_USER=misp"
-#      - "MYSQL_PASSWORD=example" # NOTE: This should be AlphaNum with no Special Chars. Otherwise, edit config files after first run. 
-#      - "MYSQL_DATABASE=misp"
-      # Optional Settings
-#      - "NOREDIR=true" # Do not redirect port 80
-#      - "DISIPV6=true" # Disable IPV6 in nginx
-#      - "SECURESSL=true" # Enable higher security SSL in nginx
-#      - "MISP_MODULES_FQDN=http://misp-modules" # Set the MISP Modules FQDN, used for Enrichment_services_url/Import_services_url/Export_services_url
+      #
+      # Please check server/files/devault_vars.sh to see the default values.
+      # Thses default values will be set if you do override it
+      # via .env, docker-compose.override.yml or your own docker-compose.yml file.
+      #
+      # NGINX
+      - MISP_ENTRYPOINT_NGINX_HOSTNAME=${MISP_ENTRYPOINT_NGINX_HOSTNAME}
+      - MISP_ENTRYPOINT_NGINX_NOREDIRECT=${MISP_ENTRYPOINT_NGINX_NOREDIRECT}
+      - MISP_ENTRYPOINT_NGINX_DISABLEIPV6=${MISP_ENTRYPOINT_NGINX_DISABLEIPV6}
+      - MISP_ENTRYPOINT_NGINX_SECURESSL=${MISP_ENTRYPOINT_NGINX_SECURESSL}
+      - MISP_ENTRYPOINT_NGINX_INIT=${MISP_ENTRYPOINT_NGINX_INIT}
+      # PHP-FPM
+      - ENTRYPOINT_FPM_PHP_MEMORY_LIMIT=${ENTRYPOINT_FPM_PHP_MEMORY_LIMIT}
+      - ENTRYPOINT_FPM_PHP_MAX_EXECUTION_TIME=${ENTRYPOINT_FPM_PHP_MAX_EXECUTION_TIME}
+      - ENTRYPOINT_FPM_PHP_UPLOAD_MAX_FILESIZE=${ENTRYPOINT_FPM_PHP_UPLOAD_MAX_FILESIZE}
+      - ENTRYPOINT_FPM_PHP_POST_MAX_SIZE=${ENTRYPOINT_FPM_PHP_POST_MAX_SIZE}
+      # Cron
+      - MISP_CRON_USER_ID=${MISP_CRON_USER_ID}
+      - MISP_CRON_SYNCSERVERS=${MISP_CRON_SYNCSERVERS}
+      # Redis
+      - MISP_REDIS_HOST=${MISP_REDIS_HOST}
+      - MISP_REDIS_PORT=${MISP_REDIS_PORT}
+      - MISP_REDIS_DB=${MISP_REDIS_DB}
+      - MISP_REDIS_PASSWORD=${MISP_REDIS_PASSWORD}
+      #MISP-Modules
+      - MISP_MISPMODULES_HOST=${MISP_MISPMODULES_HOST}
+      - MISP_MISPMODULES_PORT=${MISP_MISPMODULES_PORT}
+      - MISP_MISPMODULES_FQDN=${MISP_MISPMODULES_FQDN}
+      # MySQL
+      - MISP_MYSQL_HOST=${MISP_MYSQL_HOST}
+      - MISP_MYSQL_PORT=${MISP_MYSQL_PORT}
+      - MISP_MYSQL_USER=${MISP_MYSQL_USER}
+      - MISP_MYSQL_PASSWORD=${MISP_MYSQL_PASSWORD}
+      - MISP_MYSQL_DB=${MISP_MYSQL_DB}
+      - MISP_MYSQL_MYSQLCMD=${MISP_MYSQL_MYSQLCMD}
+      # MISP Settings
+      - MISP_MISP_BASEURL=${MISP_MISP_BASEURL}
+      - MISP_MISP_Base_LIVE=${MISP_MISP_Base_LIVE}
+      - MISP_MISP_PLUGIN_CUSTOMAUTH_ENABLE=${MISP_MISP_PLUGIN_CUSTOMAUTH_ENABLE}
+      #
+      # Add additional misp settings via MISP_MISP_NAME=value
+      #
+      ### Legacy vars:
+    #   - "HOSTNAME=https://localhost"
+    #   - "REDIS_FQDN=redis"
+    #   - "INIT=true"             # Initialze MISP, things includes, attempting to import SQL and the Files DIR
+    #   - "CRON_USER_ID=1"        # The MISP user ID to run cron jobs as
+    #  - "SYNCSERVERS=1 2 3 4"  # The MISP Feed servers to sync in the cron job
+    #   Database Configuration (And their defaults)
+    #  - "MYSQL_HOST=db"
+    #  - "MYSQL_USER=misp"
+    #  - "MYSQL_PASSWORD=example" # NOTE: This should be AlphaNum with no Special Chars. Otherwise, edit config files after first run. 
+    #  - "MYSQL_DATABASE=misp"
+    #   Optional Settings
+    #  - "NOREDIR=true" # Do not redirect port 80
+    #  - "DISIPV6=true" # Disable IPV6 in nginx
+    #  - "SECURESSL=true" # Enable higher security SSL in nginx
+    #  - "MISP_MODULES_FQDN=http://misp-modules" # Set the MISP Modules FQDN, used for Enrichment_services_url/Import_services_url/Export_services_url
   misp-modules:
     image: coolacid/misp-docker:modules-latest
     environment:
-      - "REDIS_BACKEND=redis"
+      - REDIS_BACKEND=${MISP_REDIS_HOST:-redis}
     depends_on:
       - redis
       - db

server/Dockerfile

@@ -160,6 +160,7 @@ ARG PHP_VER
     COPY files/entrypoint_cron.sh /
     COPY files/entrypoint_workers.sh /
     COPY files/entrypoint.sh /
+    COPY files/default_vars.sh /
     ENTRYPOINT [ "/entrypoint.sh" ]
 
 # Change Workdirectory

server/files/default_vars.sh

@@ -0,0 +1,114 @@
+#!/bin/sh
+
+#
+# This file contains all valid environments variables and their default value, which is in entrypoint used.
+# The structure of the environment variables are:
+# MISP_<Component>_<SectionName>_<SettingName>
+# This file will used in the entrypoint.sh.
+#
+
+
+#### LEGACY ENV
+#
+#    This area is added until 2022, to support the legacy variants of environment variables.
+#
+# For the following environment variable a extra check must be done, because it will be set always.
+# https://linuxize.com/post/how-to-check-if-string-contains-substring-in-bash/
+# echo "$1" | grep -q "$2"
+# shellcheck disable=SC2039
+[ $(echo "$HOSTNAME"|grep -q "http") ] || MISP_MISP_BASEURL=${HOSTNAME}
+MISP_REDIS_HOST=${REDIS_FQDN}
+MISP_ENTRYPOINT_NGINX_INIT=${INIT}
+MISP_CRON_USER_ID=${CRON_USER_ID}
+MISP_CRON_SYNCSERVERS=${SYNCSERVERS}
+MISP_MYSQL_HOST=${MYSQL_HOST}
+MISP_MYSQL_USER=${MYSQL_USER}
+MISP_MYSQL_PASSWORD=${MYSQL_PASSWORD}
+MISP_MYSQL_DB=${MYSQL_DATABASE}
+MISP_ENTRYPOINT_NGINX_NOREDIRECT=${NOREDIR}
+MISP_ENTRYPOINT_NGINX_DISABLEIPV6=${DISIPV6}
+MISP_ENTRYPOINT_NGINX_SECURESSL=${SECURESSL}
+MISP_MISPMODULES_FQDN=${MISP_MODULES_FQDN}
+#### LEGACY END
+
+# Entrypoint NGINX
+## Set PID file:
+MISP_ENTRYPOINT_NGINX_PID_FILE=${MISP_ENTRYPOINT_NGINX_PID_FILE:-"/entrypoint_apache.install"}
+## Set Hostname for selfsigned certificate
+# shellcheck disable=SC2039
+MISP_ENTRYPOINT_NGINX_HOSTNAME=${MISP_ENTRYPOINT_NGINX_HOSTNAME:-"$HOSTNAME"}
+## Do not redirect port 80:
+MISP_ENTRYPOINT_NGINX_NOREDIRECT=${MISP_ENTRYPOINT_NGINX_NOREDIRECT:-"true"}
+## Disable IPV6 in NGINX:
+MISP_ENTRYPOINT_NGINX_DISABLEIPV6=${MISP_ENTRYPOINT_NGINX_DISABLEIPV6:-"true"}
+## Enable higher security SSL in NIGNX:
+MISP_ENTRYPOINT_NGINX_SECURESSL=${MISP_ENTRYPOINT_NGINX_SECURESSL:-"true"}
+## Deactivate intitialization if it is not explicit set:
+MISP_ENTRYPOINT_NGINX_INIT=${MISP_ENTRYPOINT_NGINX_INIT:-"false"}
+
+
+# Entrypoint Workers
+## Set Worker Path
+ENTRYPOINT_WORKERS_BIN_FILE=${ENTRYPOINT_WORKERS_BIN_FILE:-"/var/www/MISP/app/Console/worker/start.sh"}
+
+# Entrypoint FPM
+## Set memory_limit in MB:
+ENTRYPOINT_FPM_PHP_MEMORY_LIMIT=${ENTRYPOINT_FPM_PHP_MEMORY_LIMIT:-"2048M"}
+## Set max_execution_time in seconds:
+ENTRYPOINT_FPM_PHP_MAX_EXECUTION_TIME=${ENTRYPOINT_FPM_PHP_MAX_EXECUTION_TIME:-"300"}
+## Set upload_max_filesize in MB:
+ENTRYPOINT_FPM_PHP_UPLOAD_MAX_FILESIZE=${ENTRYPOINT_FPM_PHP_UPLOAD_MAX_FILESIZE:-"50M"}
+## Set post_max_size in MB:
+ENTRYPOINT_FPM_PHP_POST_MAX_SIZE=${ENTRYPOINT_FPM_PHP_POST_MAX_SIZE:-"50M"}
+
+# Cake
+## Set Cake File Path
+MISP_CAKE_FILE=${MISP_CAKE_FILE:-"/var/www/MISP/app/Console/cake"}
+
+# Cron
+MISP_CRON_USER_ID=${MISP_CRON_USER_ID:-"1"}
+MISP_CRON_SYNCSERVERS=${MISP_CRON_SYNCSERVERS:-""}
+
+# Redis
+## Set Redis Server Host:
+MISP_REDIS_HOST=${MISP_REDIS_HOST:-"redis"}
+## Set Redis Server Port:
+MISP_REDIS_PORT=${MISP_REDIS_PORT:-"6379"}
+## Set Redis Database which should be used for MISP:
+MISP_REDIS_DB=${MISP_REDIS_DB:-"0"}
+## Set Redis Password if authentication is activated:
+MISP_REDIS_PASSWORD=${MISP_REDIS_PASSWORD:-""}
+
+# MISP-Modules
+## Set MISP-Module Host:
+MISP_MISPMODULES_HOST=${MISP_MISPMODULES_HOST:-"misp-modules"}
+## Set MISP-Module Port:
+MISP_MISPMODULES_PORT=${MISP_MISPMODULES_PORT:-"6666"}
+## Set MISP-Module FQDN:
+MISP_MISPMODULES_FQDN=${MISP_MISPMODULES_FQDN:-"http://${MISP_MISPMODULES_HOST}:${MISP_MISPMODULES_PORT}"}
+
+# MySQL
+## Set MySQL Host:
+MISP_MYSQL_HOST=${MISP_MYSQL_HOST:-"db"}
+## Set MySQL Port:
+MISP_MYSQL_PORT=${MISP_MYSQL_PORT:-"3306"}
+## Set MySQL username:
+MISP_MYSQL_USER=${MISP_MYSQL_USER:-"dbuser"}
+## Set MySQL user password:
+MISP_MYSQL_PASSWORD=${MISP_MYSQL_PASSWORD:-"ChangeMe!"}
+## Set MySQL database:
+MISP_MYSQL_DB=${MISP_MYSQL_DB:-"misp"}
+## Set Default MySQL CMD:
+MISP_MYSQL_MYSQLCMD=${MISP_MYSQL_MYSQLCMD:-"mysql -u $MISP_MYSQL_USER -p$MISP_MYSQL_PASSWORD -P $MISP_MYSQL_PORT -h $MISP_MYSQL_HOST -r -N  $MISP_MYSQL_DB"}
+
+
+# MISP Settings
+## Set MISP App Config Path:
+MISP_MISP_APP_CONFIG_PATH=${MISP_MISP_APP_CONFIG_PATH:-"/var/www/MISP/app/Config"}
+## Set BaseURL
+MISP_MISP_BASEURL=${MISP_MISP_BASEURL:-"$ENTRYPOINT_NGINX_HOSTNAME"}
+## Activate MISP Instance on start:
+MISP_MISP_Base_LIVE=${MISP_MISP_Base_LIVE:-"true"}
+## Activate CustomAuth_Enable setting:
+MISP_MISP_PLUGIN_CUSTOMAUTH_ENABLE=${MISP_MISP_PLUGIN_CUSTOMAUTH_ENABLE:-"true"}
+

server/files/entrypoint.sh

@@ -1,3 +1,8 @@
 #!/bin/bash
+
+# Include default vars file:
+# shellcheck disable=SC1091
+source "/default_vars.sh"
+
 # start supervisord
 /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf