diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
new file mode 100644
index 00000000..deef9ad0
--- /dev/null
+++ b/.github/workflows/docker-publish.yml
@@ -0,0 +1,204 @@
+name: Docker Image Build and Release
+
+on:
+ push:
+ branches: [master]
+ # Publish semver tags as releases.
+ tags: ["v*.*.*"]
+ pull_request:
+ branches: [master, dev]
+
+concurrency: ci-${{ github.ref }}
+
+env:
+ # Use docker.io for Docker Hub if empty
+ REGISTRY: ghcr.io
+ # github.repository as /
+ IMAGE_NAME: ${{ github.repository }}
+ IMAGE_NAME_GHCR: ghcr.io/${{ github.repository }}
+ IMAGE_NAME_DOCKER: securecompliance/gvm
+
+permissions:
+ contents: read
+ packages: write
+
+jobs:
+ build_apks:
+ name: Build APKs
+ runs-on: ubuntu-latest
+
+ outputs:
+ labels: ${{ steps.meta.outputs.labels }}
+ tags: ${{ steps.meta.outputs.tags }}
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+ with:
+ submodules: recursive
+
+ - uses: docker/setup-buildx-action@v1
+ id: buildx
+ with:
+ install: true
+
+ # Login against a Docker registry except on PR
+ # https://github.com/docker/login-action
+ - name: Login to GitHub Container Registry ${{ env.REGISTRY }}
+ uses: docker/login-action@v1
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Login to DockerHub
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@v1
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Relase Prepare
+ id: releasePreare
+ run: |
+ echo -n "::set-output name=images::"
+ if [ "${GITHUB_EVENT_NAME}" != "pull_request" ]; then
+ echo -n "${IMAGE_NAME_DOCKER}"
+ echo -n ","
+ fi
+ echo -n "${IMAGE_NAME_GHCR}"
+
+ - name: Download artifact
+ uses: dawidd6/action-download-artifact@v2
+ with:
+ # Optional, GitHub token, a Personal Access Token with `public_repo` scope if needed
+ # Required, if artifact is from a different repo
+ github_token: ${{secrets.GITHUB_TOKEN}}
+ # Required, workflow file name or ID
+ workflow: build-apk.yml
+ # Optional, will use the branch
+ branch: master
+ # Optional, uploaded artifact name,
+ # will download all artifacts if not specified
+ # and extract them in respective subdirectories
+ # https://github.com/actions/download-artifact#download-all-artifacts
+ name: apk-builds
+ # Optional, directory where to extract artifact. Defaults to the artifact name (see `name` input)
+ path: ${{ github.workspace }}/apk-build/
+ # Optional, defaults to current repo
+ repo: Secure-Compliance-Solutions-LLC/GVM-APK-build
+
+ # Extract metadata (tags, labels) for Docker
+ # https://github.com/docker/metadata-action
+ - name: Extract Docker metadata
+ id: meta2
+ uses: docker/metadata-action@v3
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ images: ${{ steps.releasePreare.outputs.images }}
+ tags: |
+ type=ref,event=branch,prefix=,suffix=
+ type=ref,event=pr,prefix=,suffix=
+ type=semver,pattern={{version}},prefix=,suffix=
+ type=semver,pattern={{raw}},prefix=,suffix=
+ type=semver,pattern={{major}}.{{minor}},prefix=,suffix=
+ type=sha,prefix=,suffix=
+
+ # Build and push Docker image with Buildx (don't push on PR)
+ # https://github.com/docker/build-push-action
+ - name: Build and push Docker image
+ uses: docker/build-push-action@v2
+ with:
+ context: .
+ push: true
+ tags: ${{ steps.meta2.outputs.tags }}
+ labels: ${{ steps.meta2.outputs.labels }}
+ build-args: |
+ SETUP=0
+
+ # Extract metadata (tags, labels) for Docker
+ # https://github.com/docker/metadata-action
+ - name: Extract Docker metadata
+ id: meta3
+ uses: docker/metadata-action@v3
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ images: ${{ steps.releasePreare.outputs.images }}
+ tags: |
+ type=ref,event=branch,prefix=,suffix=-full
+ type=ref,event=tag,prefix=,suffix=-full
+ type=ref,event=pr,prefix=,suffix=-full
+ type=semver,pattern={{version}},prefix=,suffix=-full
+ type=semver,pattern={{raw}},prefix=,suffix=-full
+ type=semver,pattern={{major}}.{{minor}},prefix=,suffix=-full
+ type=sha,prefix=,suffix=-full
+
+ # Build and push Docker image with Buildx (don't push on PR)
+ # https://github.com/docker/build-push-action
+ - name: Build and push Docker image -full tag
+ uses: docker/build-push-action@v2
+ with:
+ context: .
+ push: true
+ tags: ${{ steps.meta3.outputs.tags }}
+ labels: ${{ steps.meta3.outputs.labels }}
+ build-args: |
+ SETUP=0
+ OPT_PDF=1
+
+ # Extract metadata (tags, labels) for Docker
+ # https://github.com/docker/metadata-action
+ - name: Extract Docker metadata
+ id: meta4
+ uses: docker/metadata-action@v3
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ images: ${{ steps.releasePreare.outputs.images }}
+ tags: |
+ type=ref,event=branch,prefix=,suffix=-data
+ type=ref,event=pr,prefix=,suffix=-data
+ type=semver,pattern={{version}},prefix=,suffix=-data
+ type=semver,pattern={{raw}},prefix=,suffix=-data
+ type=semver,pattern={{major}}.{{minor}},prefix=,suffix=-data
+ type=sha,prefix=,suffix=-data
+
+ # Build and push Docker image with Buildx (don't push on PR)
+ # https://github.com/docker/build-push-action
+ - name: Build and push Docker image with -data tag
+ uses: docker/build-push-action@v2
+ with:
+ context: .
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.meta4.outputs.tags }}
+ labels: ${{ steps.meta4.outputs.labels }}
+ build-args: |
+ SETUP=1
+
+ # Extract metadata (tags, labels) for Docker
+ # https://github.com/docker/metadata-action
+ - name: Extract Docker metadata
+ id: meta5
+ uses: docker/metadata-action@v3
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ images: ${{ steps.releasePreare.outputs.images }}
+ tags: |
+ type=ref,event=branch,prefix=,suffix=-data-full
+ type=ref,event=pr,prefix=,suffix=-data-full
+ type=semver,pattern={{version}},prefix=,suffix=-data-full
+ type=semver,pattern={{raw}},prefix=,suffix=-data-full
+ type=semver,pattern={{major}}.{{minor}},prefix=,suffix=-data-full
+ type=sha,prefix=,suffix=-data-full
+
+ # Build and push Docker image with Buildx (don't push on PR)
+ # https://github.com/docker/build-push-action
+ - name: Build and push Docker image with -data-full tag
+ uses: docker/build-push-action@v2
+ with:
+ context: .
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.meta5.outputs.tags }}
+ labels: ${{ steps.meta5.outputs.labels }}
+ build-args: |
+ SETUP=1
+ OPT_PDF=1
diff --git a/.gitignore b/.gitignore
index b6361dba..08d9da80 100644
--- a/.gitignore
+++ b/.gitignore
@@ -68,3 +68,4 @@ $RECYCLE.BIN/
 
 # Windows shortcuts
 *.lnk
+apk-build/
diff --git a/.gitmodules b/.gitmodules
deleted file mode 100644
index cdad81f6..00000000
--- a/.gitmodules
+++ /dev/null
@@ -1,4 +0,0 @@
-[submodule "apk-build"]
- path = apk-build
- url = git@github.com:Secure-Compliance-Solutions-LLC/GVM-APK-build
- branch = master
diff --git a/Dockerfile b/Dockerfile
index 1a80bec4..51945bc8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,6 +16,8 @@ ARG DEBUG=N
 ARG RELAYHOST=smtp
 ARG SMTPPORT=25
 ARG AUTO_SYNC=true
+ARG CERTIFICATE=none
+ARG CERTIFICATE_KEY=none
 ARG HTTPS=true
 ARG TZ=Etc/UTC
 ARG SSHD=false
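Review bot: The first two build-push steps ("Build and push Docker image" and the "-full tag" variant) use `push: true`, which contradicts their own "(don't push on PR)" comment and the `push: ${{ github.event_name != 'pull_request' }}` used by the -data and -data-full steps; on pull_request runs this pushes PR-tagged images to GHCR (the releasePreare output only drops the Docker Hub target on PRs), and on fork PRs, where GITHUB_TOKEN is read-only, the step fails instead. Change both to `push: ${{ github.event_name != 'pull_request' }}`. The image content also comes from a `dawidd6/action-download-artifact` pull of the latest master artifact of another repository with no checksum or provenance check, and every action is referenced by a floating major tag rather than a commit SHA, so the build's inputs are not reproducible from this workflow alone. Minor: `Relase Prepare` and the step id `releasePreare` are misspelled, and since all four metadata steps reference that id, renaming is cheapest now while the file is new.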
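Review bot: `ARG CERTIFICATE=none` and `ARG CERTIFICATE_KEY=none` carry no comment saying what they hold, and `none` is a sentinel that scripts/start.sh later treats as "no file" only because a path named none is unlikely to exist. A comment above them such as `# In-container paths to a TLS certificate and private key for gsad; "none" = use the default gsad-https program` would make the contract explicit; the same applies to the matching ENV lines in the second Dockerfile hunk.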
@@ -37,6 +39,8 @@ ENV SUPVISD=${SUPVISD:-supervisorctl} \
 SMTPPORT=${SMTPPORT:-25} \
 AUTO_SYNC=${AUTO_SYNC:-true} \
 HTTPS=${HTTPS:-true} \
+ CERTIFICATE=${CERTIFICATE:-none} \
+ CERTIFICATE_KEY=${CERTIFICATE_KEY:-none} \
 TZ=${TZ:-Etc/UTC} \
 SSHD=${SSHD:-false} \
 DB_PASSWORD=${DB_PASSWORD:-none} \
diff --git a/apk-build b/apk-build
deleted file mode 160000
index 5ebb44d9..00000000
--- a/apk-build
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 5ebb44d991ad0a2feb7d07702085f3aad3cd2b1e
diff --git a/config/supervisord.conf b/config/supervisord.conf
index 92164237..da74a6c1 100644
--- a/config/supervisord.conf
+++ b/config/supervisord.conf
@@ -115,6 +115,21 @@ stopsignal=TERM
 stopasgroup=true
 killasgroup=true
 
+[program:gsad-https-owncert]
+command=/usr/bin/gsad -f --verbose --gnutls-priorities=SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0 --ssl-certificate=%(ENV_CERTIFICATE)s --ssl-private-key=%(ENV_CERTIFICATE_KEY)s --timeout=%(ENV_TIMEOUT)s --no-redirect --mlisten=127.0.0.1 --mport=9390 --port=9392
+stdout_logfile=/var/log/supervisor/%(program_name)s.log
+stderr_logfile=/var/log/supervisor/%(program_name)s_err.log
+priority=30
+user=gvm
+startretries=5
+startsecs=10
+autorestart=true
+autostart=false
+depends_on=redis,postgresql,ospd-openvas,gvmd
+stopsignal=KILL
+stopasgroup=true
+killasgroup=true
+
 [program:gsad-https]
 command=/usr/bin/gsad -f --verbose --gnutls-priorities=SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0 --timeout=%(ENV_TIMEOUT)s --no-redirect --mlisten=127.0.0.1 --mport=9390 --port=9392
 stdout_logfile=/var/log/supervisor/%(program_name)s.log
diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh
index 77836a23..c9dacf82 100755
--- a/scripts/entrypoint.sh
+++ b/scripts/entrypoint.sh
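Review bot: `stopsignal=KILL` on the new gsad-https-owncert program means supervisord never gives gsad a chance to shut down cleanly, while the program block ending just above the hunk uses `stopsignal=TERM`; unless gsad-https (whose stopsignal line is outside the hunk) deliberately uses KILL, `stopsignal=TERM` keeps the two HTTPS variants consistent. The program runs as `user=gvm`, so the files behind `%(ENV_CERTIFICATE)s` and `%(ENV_CERTIFICATE_KEY)s` must be readable by that user, which a bind-mounted root-only key will not satisfy and which nothing in this commit documents; a comment on the `[program:gsad-https-owncert]` line such as `; HTTPS with an operator-supplied cert/key from CERTIFICATE and CERTIFICATE_KEY (must be readable by gvm)` would record that. The command line otherwise duplicates gsad-https apart from the two --ssl-* options, so any future change to the gnutls priority string has to be made in both places.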
@@ -12,6 +12,8 @@ export RELAYHOST=${RELAYHOST:-smtp}
 export SMTPPORT=${SMTPPORT:-25}
 export AUTO_SYNC=${AUTO_SYNC:-true}
 export HTTPS=${HTTPS:-true}
+export CERTIFICATE=${CERTIFICATE:-none}
+export CERTIFICATE_KEY=${CERTIFICATE_KEY:-none}
 export TZ=${TZ:-Etc/UTC}
 export DEBUG=${DEBUG:-N}
 export SSHD=${SSHD:-false}
diff --git a/scripts/start.sh b/scripts/start.sh
index c099de17..6e3a3a0c 100755
--- a/scripts/start.sh
+++ b/scripts/start.sh
@@ -11,6 +11,8 @@ export RELAYHOST=${RELAYHOST:-smtp}
 export SMTPPORT=${SMTPPORT:-25}
 export AUTO_SYNC=${AUTO_SYNC:-true}
 export HTTPS=${HTTPS:-true}
+export CERTIFICATE=${CERTIFICATE:-none}
+export CERTIFICATE_KEY=${CERTIFICATE_KEY:-none}
 export TZ=${TZ:-Etc/UTC}
 export SSHD=${SSHD:-false}
 export DB_PASSWORD=${DB_PASSWORD:-none}
@@ -104,7 +106,7 @@ until (pg_isready --username=postgres >/dev/null 2>&1 && psql --username=postgre
 sleep 1
 done
 
-if [[ ! -d "/etc/ssh" ]] || [[ -d "/etc/ssh/" && $(find /etc/ssh/ -type d -empty) ]]; then
+if [[ ! -d "/etc/ssh" ]] || [[ -d "/etc/ssh/" && $(find /etc/ssh/ -maxdepth 0 -empty) ]]; then
 mkdir /etc/ssh
 ssh-keygen -A
 fi
@@ -251,7 +253,12 @@ if [ ! -f "/var/lib/gvm/.created_gvm_user" ]; then
 fi
 
 echo "Starting Greenbone Security Assistant..."
-if [ "${HTTPS}" == "true" ]; then
+if [ "${HTTPS}" == "true" ] && [ -e "${CERTIFICATE}" ] && [ -e "${CERTIFICATE_KEY}" ]; then
+ ${SUPVISD} start gsad-https-owncert
+ if [ "${DEBUG}" == "Y" ]; then
+ ${SUPVISD} status gsad-https-owncert
+ fi
+elif [ "${HTTPS}" == "true" ]; then
 ${SUPVISD} start gsad-https
 if [ "${DEBUG}" == "Y" ]; then
 ${SUPVISD} status gsad-https
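Review bot: With `-maxdepth 0 -empty` the second branch of the condition now fires exactly when /etc/ssh exists and is empty, but in that case the following `mkdir /etc/ssh` fails with "File exists" before `ssh-keygen -A` runs, and aborts the script if it runs under `set -e` (the shebang and options are outside the hunk). `mkdir -p /etc/ssh` makes both branches of the condition work, and it is the only line that needs to change.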
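Review bot: `[ -e "${CERTIFICATE}" ] && [ -e "${CERTIFICATE_KEY}" ]` only tests existence, so a certificate or key that exists but is not readable by the gvm user gsad runs under still selects gsad-https-owncert, which then fails to start and, after supervisord's retries, leaves no web UI at all rather than falling back to gsad-https. `[ -r "${CERTIFICATE}" ] && [ -r "${CERTIFICATE_KEY}" ]` is a cheap first filter, with the caveat that it runs as the script's own user and does not prove readability by gvm. When HTTPS is true but only one of the two files is usable the script silently takes the elif branch, so a line such as `echo "CERTIFICATE/CERTIFICATE_KEY not usable, starting gsad-https with the default certificate"` at the top of that branch would make the fallback visible in the logs.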