Hanyoyi da misalan aiwatar da abubuwan amfani don duba tsaron Docker

Hi Habr!

In today's reality, with the growing role of containers in development processes, securing the various stages and entities associated with containers is anything but a trivial task. Manual checks take time, so it makes sense to take at least the first steps toward automating this process.

In this article I will share ready-made scripts for running several Docker security utilities, along with instructions on how to deploy a small demo stand to try the process out. You can use the material to experiment with how to organise security testing of images and Dockerfile instructions. Obviously, every development and deployment infrastructure is different, so below I will provide several possible options.

Security check utilities

There are a large number of helper applications and scripts that check various aspects of Docker infrastructure. Some of them were already described in a previous article (https://habr.com/ru/company/swordfish_security/blog/518758/#docker-security), and in this piece I would like to focus on three of them, which cover the bulk of the security requirements for Docker images built during the development process. In addition, I will show an example of how these three utilities can be combined into a single pipeline for performing security checks.

Hadolint
https://github.com/hadolint/hadolint

A fairly simple console utility that helps, as a first approximation, assess the correctness and safety of Dockerfile instructions (for example, using only allowed image registries, or using sudo).


Dockle
https://github.com/goodwithtech/dockle

A console utility that works with an image (or with a saved image tar archive) and checks the correctness and safety of the image itself by analysing its layers and configuration: which users are created, which instructions are used, and so on. So far the number of checks is not large; it is based on a few of the tool's own checks and on the recommendations of the CIS (Center for Internet Security) Benchmark for Docker.

Trivy
https://github.com/aquasecurity/trivy

This utility is aimed at finding two types of vulnerabilities: problems with OS builds (Alpine, RedHat (EL), CentOS, Debian GNU and Ubuntu are supported) and problems with dependencies (Gemfile.lock, Pipfile.lock, composer.lock, package-lock.json, yarn.lock, Cargo.lock). Trivy can scan both an image in a registry and a local image, and can also scan a transferred .tar file containing a Docker image.


Options for running the utilities

In order to test the described applications in an isolated environment, I will give instructions for installing all the utilities in a somewhat simplified form.

The main idea is to show how you can implement automatic verification of the Dockerfiles and Docker images that are created during development.

The check itself consists of the following steps:

  1. Checking the correctness and safety of Dockerfile instructions with the Hadolint linter
  2. Checking the correctness and safety of the final and intermediate images with the Dockle utility
  3. Checking for known vulnerabilities (CVE) in the base image and in the dependencies, using the Trivy utility

Later in the article I will give three options for implementing these steps:
The first is by configuring a CI/CD pipeline, using GitLab as an example (with a description of how to deploy a test instance).
The second uses a shell script.
The third involves building a Docker image for scanning Docker images.
You can choose the option that suits you best, transfer it to your infrastructure and adapt it to your needs.

All the necessary files and additional instructions are also in the repository: https://github.com/Swordfish-Security/docker_cicd

Integration into GitLab CI/CD

In the first option we will look at how security checks can be implemented using the GitLab repository system as an example. Here we will go through the steps and figure out how to install a test environment with GitLab from scratch, create a scanning process, and run the utilities to check a test Dockerfile and a random image, the JuiceShop application.

Installing GitLab
1. Install Docker:

sudo apt-get update && sudo apt-get install docker.io

2. Add the current user to the docker group so that you can work with docker without using sudo:

sudo addgroup <username> docker

3. Find your IP:

ip addr

4. Install and launch GitLab in a container, replacing the IP address in hostname with your own:

docker run --detach \
--hostname 192.168.1.112 \
--publish 443:443 --publish 80:80 \
--name gitlab \
--restart always \
--volume /srv/gitlab/config:/etc/gitlab \
--volume /srv/gitlab/logs:/var/log/gitlab \
--volume /srv/gitlab/data:/var/opt/gitlab \
gitlab/gitlab-ce:latest

We wait until GitLab completes all the necessary installation procedures (you can monitor the process through the log output: docker logs -f gitlab).

5. Open the local IP in a browser and see a page asking you to change the password for the root user:
Set a new password and go to GitLab.

6. Create a new project, for example cicd-test, and initialise it with a README.md start file:
7. Now we need to install GitLab Runner: an agent that will run all the required jobs on request.
Download the latest version (in this case, for Linux 64-bit):

sudo curl -L --output /usr/local/bin/gitlab-runner https://gitlab-runner-downloads.s3.amazonaws.com/latest/binaries/gitlab-runner-linux-amd64

8. Make it executable:

sudo chmod +x /usr/local/bin/gitlab-runner

9. Add an OS user for the Runner and start the service:

sudo useradd --comment 'GitLab Runner' --create-home gitlab-runner --shell /bin/bash
sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
sudo gitlab-runner start

It should look something like this:

local@osboxes:~$ sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
Runtime platform arch=amd64 os=linux pid=8438 revision=0e5417a3 version=12.0.1
local@osboxes:~$ sudo gitlab-runner start
Runtime platform arch=amd64 os=linux pid=8518 revision=0e5417a3 version=12.0.1

10. Now we register the Runner so that it can interact with our GitLab instance.
To do this, open the Settings-CI/CD page (http://OUR_IP_ADDRESS/root/cicd-test/-/settings/ci_cd) and on the Runners tab find the URL and the Registration token:
11. Register the Runner, substituting the URL and the Registration Token:

sudo gitlab-runner register \
--non-interactive \
--url "http://<URL>/" \
--registration-token "<Registration Token>" \
--executor "docker" \
--docker-privileged \
--docker-image alpine:latest \
--description "docker-runner" \
--tag-list "docker,privileged" \
--run-untagged="true" \
--locked="false" \
--access-level="not_protected"

As a result, we get a ready-made working GitLab, to which we need to add instructions for launching our utilities. In this demo there are no steps for building the application and packaging it into a container, but in a real environment those would precede the scanning steps and produce the images and Dockerfile for analysis.

Pipeline configuration

1. Add to the repository the file mydockerfile.df (this is the test Dockerfile we will check) and the GitLab CI/CD configuration file .gitlab-ci.yml, which lists the instructions for the scanners (note the dot in the file name).

The YAML configuration file contains instructions for running the three utilities (Hadolint, Dockle and Trivy), which will analyse the chosen Dockerfile and the image specified in the DOCKERIMAGE variable. All the necessary files can be taken from the repository: https://github.com/Swordfish-Security/docker_cicd/

Excerpt from mydockerfile.df (this is an abstract file with a set of arbitrary instructions, purely to demonstrate how the utility works). Direct link to the file: mydockerfile.df

Contents of mydockerfile.df

FROM amd64/node:10.16.0-alpine@sha256:f59303fb3248e5d992586c76cc83e1d3700f641cbcd7c0067bc7ad5bb2e5b489 AS tsbuild
COPY package.json .
COPY yarn.lock .
RUN yarn install
COPY lib lib
COPY tsconfig.json tsconfig.json
COPY tsconfig.app.json tsconfig.app.json
RUN yarn build
FROM amd64/ubuntu:18.04@sha256:eb70667a801686f914408558660da753cde27192cd036148e58258819b927395
LABEL maintainer="Rhys Arkins <[email protected]>"
LABEL name="renovate"
...
COPY php.ini /usr/local/etc/php/php.ini
RUN cp -a /tmp/piik/* /var/www/html/
RUN rm -rf /tmp/piwik
RUN chown -R www-data /var/www/html
ADD piwik-cli-setup /piwik-cli-setup
ADD reset.php /var/www/html/
## ENTRYPOINT ##
ADD entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
USER root

The YAML configuration looks like this (the file itself can be found via the direct link here: .gitlab-ci.yml):

Contents of .gitlab-ci.yml

variables:
    DOCKER_HOST: "tcp://docker:2375/"
    DOCKERFILE: "mydockerfile.df" # name of the Dockerfile to analyse   
    DOCKERIMAGE: "bkimminich/juice-shop" # name of the Docker image to analyse
    # DOCKERIMAGE: "knqyf263/cve-2018-11235" # test Docker image with several CRITICAL CVE
    SHOWSTOPPER_PRIORITY: "CRITICAL" # what level of criticality will fail Trivy job
    TRIVYCACHE: "$CI_PROJECT_DIR/.cache" # where to cache Trivy database of vulnerabilities for faster reuse
    ARTIFACT_FOLDER: "$CI_PROJECT_DIR"
 
services:
    - docker:dind # to be able to build docker images inside the Runner
 
stages:
    - scan
    - report
    - publish
 
HadoLint:
    # Basic lint analysis of Dockerfile instructions
    stage: scan
    image: docker:git
 
    after_script:
    - cat $ARTIFACT_FOLDER/hadolint_results.json
 
    script:
    - export VERSION=$(wget -q -O - https://api.github.com/repos/hadolint/hadolint/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/hadolint/hadolint/releases/download/v${VERSION}/hadolint-Linux-x86_64 && chmod +x hadolint-Linux-x86_64
     
    # NB: hadolint will always exit with 0 exit code
    - ./hadolint-Linux-x86_64 -f json $DOCKERFILE > $ARTIFACT_FOLDER/hadolint_results.json || exit 0
 
    artifacts:
        when: always # return artifacts even after job failure       
        paths:
        - $ARTIFACT_FOLDER/hadolint_results.json
 
Dockle:
    # Analysing best practices about docker image (users permissions, instructions followed when image was built, etc.)
    stage: scan   
    image: docker:git
 
    after_script:
    - cat $ARTIFACT_FOLDER/dockle_results.json
 
    script:
    - export VERSION=$(wget -q -O - https://api.github.com/repos/goodwithtech/dockle/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.tar.gz && tar zxf dockle_${VERSION}_Linux-64bit.tar.gz
    - ./dockle --exit-code 1 -f json --output $ARTIFACT_FOLDER/dockle_results.json $DOCKERIMAGE   
     
    artifacts:
        when: always # return artifacts even after job failure       
        paths:
        - $ARTIFACT_FOLDER/dockle_results.json
 
Trivy:
    # Analysing docker image and package dependencies against several CVE bases
    stage: scan   
    image: docker:git
 
    script:
    # getting the latest Trivy
    - apk add rpm
    - export VERSION=$(wget -q -O - https://api.github.com/repos/knqyf263/trivy/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/knqyf263/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz && tar zxf trivy_${VERSION}_Linux-64bit.tar.gz
     
    # displaying all vulnerabilities w/o failing the build
    - ./trivy -d --cache-dir $TRIVYCACHE -f json -o $ARTIFACT_FOLDER/trivy_results.json --exit-code 0 $DOCKERIMAGE    
    
    # write vulnerabilities info to stdout in human readable format (reading pure json is not fun, eh?). You can remove this if you don't need this.
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 0 $DOCKERIMAGE    
 
    # failing the build if the SHOWSTOPPER priority is found
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 1 --severity $SHOWSTOPPER_PRIORITY --quiet $DOCKERIMAGE
         
    artifacts:
        when: always # return artifacts even after job failure
        paths:
        - $ARTIFACT_FOLDER/trivy_results.json
 
    cache:
        paths:
        - .cache
 
Report:
    # combining tools outputs into one HTML
    stage: report
    when: always
    image: python:3.5
     
    script:
    - mkdir json
    - cp $ARTIFACT_FOLDER/*.json ./json/
    - pip install json2html
    - wget https://raw.githubusercontent.com/shad0wrunner/docker_cicd/master/convert_json_results.py
    - python ./convert_json_results.py
     
    artifacts:
        paths:
        - results.html

If necessary, you can also scan images saved as .tar archives (however, you will need to change the input parameters for the utilities in the YAML file).

NB: Trivy requires rpm and Git to be installed. Otherwise it will produce errors when scanning RedHat-based images and when fetching updates to the vulnerability database.

2. After the files are added to the repository, GitLab will automatically start the build and scan process according to the instructions in the configuration file. On the CI/CD → Pipelines tab you can watch the progress of the jobs.

As a result, we have four jobs. Three of them deal directly with scanning, and the last one (Report) assembles a simple report from the scattered files with the scan results.
By default, Trivy stops its work if critical-severity vulnerabilities are found in the image or its dependencies. Hadolint, on the other hand, is made to always return a Success code, because it always has remarks, which would otherwise stop the build.

Depending on your specific requirements, you can configure the exit codes so that when these utilities detect problems of a certain severity, they also stop the build. In our case, the build stops only if Trivy finds a vulnerability with the severity we defined in the SHOWSTOPPER_PRIORITY variable in .gitlab-ci.yml.

The results of each utility can be seen in the log of its scan job, directly in the json files in the artifacts section, or in the simple HTML report (more on this below):

3. To present the utilities' reports in a slightly more human-readable form, a small Python script is used to convert the three JSON files into a single HTML file with a table of findings.
This script is launched by a separate Report job, and its final artifact is an HTML file with the report. The script source is also in the repository and can be adapted to your needs, colours, and so on.
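A converter of the same kind, written here as an added example and not the script from the Swordfish-Security repository: it merges constructed Hadolint, Dockle and Trivy JSON (key names assumed from the tool versions current at the time; the sample values are taken from the outputs shown on this page) into one HTML table, and also applies the SHOWSTOPPER_PRIORITY gate that the pipeline's last Trivy call enforces.

```python
import json
from html import escape

# One ordering for all three tools; mapping Hadolint/Dockle levels onto Trivy's scale is my assumption.
SEVERITY_RANK = {"UNKNOWN": 0, "INFO": 0, "LOW": 1, "WARNING": 2, "WARN": 2,
                 "MEDIUM": 2, "ERROR": 3, "FATAL": 3, "HIGH": 3, "CRITICAL": 4}
COLUMNS = ("tool", "severity", "id", "where", "detail")

# Constructed sample outputs shaped like the JSON the three tools emitted at the time
# of the article (keys may differ in newer releases); values are taken from the page.
HADOLINT_JSON = ('[{"file": "Dockerfile", "line": 248, "code": "DL3002", '
                 '"level": "warning", "message": "Last USER should not be root"}]')
DOCKLE_JSON = ('{"summary": {"fatal": 0, "warn": 1, "info": 1}, "details": ['
               '{"code": "DKL-DI-0006", "title": "Avoid latest tag", "level": "WARN", "alerts": ["Avoid \'latest\' tag"]}, '
               '{"code": "CIS-DI-0005", "title": "Enable Content trust for Docker", "level": "INFO", '
               '"alerts": ["export DOCKER_CONTENT_TRUST=1 before docker pull/build"]}]}')
TRIVY_JSON = ('[{"Target": "juice-shop/frontend/package-lock.json", "Vulnerabilities": ['
              '{"VulnerabilityID": "CVE-2020-15256", "PkgName": "object-path", "InstalledVersion": "0.11.4", '
              '"Severity": "HIGH", "Title": "Prototype pollution in object-path"}, '
              '{"VulnerabilityID": "CVE-2019-15599", "PkgName": "tree-kill", "InstalledVersion": "1.2.2", '
              '"Severity": "HIGH", "Title": "Code Injection"}]}, '
              '{"Target": "bkimminich/juice-shop (alpine)", "Vulnerabilities": null}]')

def parse_hadolint(text):
    return [{"tool": "hadolint", "severity": f["level"].upper(), "id": f["code"],
             "where": f"{f['file']}:{f['line']}", "detail": f["message"]}
            for f in json.loads(text)]

def parse_dockle(text):
    return [{"tool": "dockle", "severity": d["level"].upper(), "id": d["code"],
             "where": d["title"], "detail": "; ".join(d.get("alerts", []))}
            for d in json.loads(text)["details"]]

def parse_trivy(text):
    rows = []
    for target in json.loads(text):
        for v in target.get("Vulnerabilities") or []:  # Trivy emits null for a clean target
            rows.append({"tool": "trivy", "severity": v["Severity"].upper(), "id": v["VulnerabilityID"],
                         "where": f"{target['Target']} ({v['PkgName']} {v['InstalledVersion']})",
                         "detail": v.get("Title", "")})
    return rows

def load_findings(hadolint_text, dockle_text, trivy_text):
    """Merge the three reports into one list, most severe first."""
    findings = parse_hadolint(hadolint_text) + parse_dockle(dockle_text) + parse_trivy(trivy_text)
    return sorted(findings, key=lambda f: -SEVERITY_RANK.get(f["severity"], 0))

def showstoppers(findings, threshold="CRITICAL", tool="trivy"):
    # Same gate as the pipeline's last Trivy call: --exit-code 1 --severity $SHOWSTOPPER_PRIORITY
    limit = SEVERITY_RANK[threshold]
    return [f for f in findings if f["tool"] == tool and SEVERITY_RANK.get(f["severity"], 0) >= limit]

def render_html(findings):
    # One row per finding; cells are escaped because tool output (package names, titles) is untrusted text.
    header = "".join(f"<th>{c}</th>" for c in COLUMNS)
    rows = "".join("<tr>" + "".join(f"<td>{escape(str(f[c]))}</td>" for c in COLUMNS) + "</tr>\n"
                   for f in findings)
    return f'<html><body><table border="1">\n<tr>{header}</tr>\n{rows}</table></body></html>\n'

if __name__ == "__main__":
    found = load_findings(HADOLINT_JSON, DOCKLE_JSON, TRIVY_JSON)
    print(render_html(found), end="")
    raise SystemExit(1 if showstoppers(found, "HIGH") else 0)  # non-zero exit fails the CI job
```

In a real Report job the three string constants would be replaced by reading the json files the scan jobs left as artifacts.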

Shell script

The second option suits cases where you need to check Docker images outside a CI/CD system, or need all the instructions in a form that can be executed directly on a host. It is covered by a ready-made shell script that can be run on a clean virtual (or even physical) machine. The script performs the same commands as the GitLab runner described above.

For the script to succeed, Docker must be installed on the system and the current user must be a member of the docker group.

The script itself can be found here: docker_sec_check.sh

At the beginning of the file, variables specify which image needs to be scanned and which vulnerability severity will make the Trivy utility exit with the specified error code.

While the script runs, all the utilities are downloaded to the docker_tools directory, the results of their work go to the docker_tools/json directory, and the HTML report ends up in the results.html file.

Example script output

~/docker_cicd$ ./docker_sec_check.sh

[+] Setting environment variables
[+] Installing required packages
[+] Preparing necessary directories
[+] Fetching sample Dockerfile
2020-10-20 10:40:00 (45.3 MB/s) - ‘Dockerfile’ saved [8071/8071]
[+] Pulling image to scan
latest: Pulling from bkimminich/juice-shop
[+] Running Hadolint
...
Dockerfile:205 DL3015 Avoid additional packages by specifying `--no-install-recommends`
Dockerfile:248 DL3002 Last USER should not be root
...
[+] Running Dockle
...
WARN    - DKL-DI-0006: Avoid latest tag
        * Avoid 'latest' tag
INFO    - CIS-DI-0005: Enable Content trust for Docker
        * export DOCKER_CONTENT_TRUST=1 before docker pull/build
...
[+] Running Trivy
juice-shop/frontend/package-lock.json
=====================================
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

+---------------------+------------------+----------+---------+-------------------------+
|       LIBRARY       | VULNERABILITY ID | SEVERITY | VERSION |             TITLE       |
+---------------------+------------------+----------+---------+-------------------------+
| object-path         | CVE-2020-15256   | HIGH     | 0.11.4  | Prototype pollution in  |
|                     |                  |          |         | object-path             |
+---------------------+------------------+          +---------+-------------------------+
| tree-kill           | CVE-2019-15599   |          | 1.2.2   | Code Injection          |
+---------------------+------------------+----------+---------+-------------------------+
| webpack-subresource | CVE-2020-15262   | LOW      | 1.4.1   | Unprotected dynamically |
|                     |                  |          |         | loaded chunks           |
+---------------------+------------------+----------+---------+-------------------------+

juice-shop/package-lock.json
============================
Total: 20 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 8, CRITICAL: 5)

...

juice-shop/package-lock.json
============================
Total: 5 (CRITICAL: 5)

...
[+] Removing left-overs
[+] Making the output look pretty
[+] Converting JSON results
[+] Writing results HTML
[+] Clean exit ============================================================
[+] Everything is done. Find the resulting HTML report in results.html

Docker image with all the utilities

As a third alternative, I put together two simple Dockerfiles for creating an image with the security utilities. One Dockerfile builds a set for scanning an image from a registry; the second (Dockerfile_tar) builds a set for scanning a tar file containing an image.

1. Take the corresponding Dockerfile and scripts from the repository https://github.com/Swordfish-Security/docker_cicd/tree/master/Dockerfile.
2. Run the build:

docker build -t dscan:image -f docker_security.df .

3. After the build is complete, we create a container from the image. At the same time, we pass the DOCKERIMAGE environment variable with the name of the image we are interested in, and mount the Dockerfile we want to analyse from our machine to the file /Dockerfile (note that the absolute path to this file is required):

docker run --rm -v $(pwd)/results:/results -v $(pwd)/docker_security.df:/Dockerfile -e DOCKERIMAGE="bkimminich/juice-shop" dscan:image


[+] Setting environment variables
[+] Running Hadolint
/Dockerfile:3 DL3006 Always tag the version of an image explicitly
[+] Running Dockle
WARN    - DKL-DI-0006: Avoid latest tag
        * Avoid 'latest' tag
INFO    - CIS-DI-0005: Enable Content trust for Docker
        * export DOCKER_CONTENT_TRUST=1 before docker pull/build
INFO    - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
        * not found HEALTHCHECK statement
INFO    - DKL-LI-0003: Only put necessary files
        * unnecessary file : juice-shop/node_modules/sqlite3/Dockerfile
        * unnecessary file : juice-shop/node_modules/sqlite3/tools/docker/architecture/linux-arm64/Dockerfile
        * unnecessary file : juice-shop/node_modules/sqlite3/tools/docker/architecture/linux-arm/Dockerfile
[+] Running Trivy
...
juice-shop/package-lock.json
============================
Total: 20 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 8, CRITICAL: 5)
...
[+] Making the output look pretty
[+] Starting the main module ============================================================
[+] Converting JSON results
[+] Writing results HTML
[+] Clean exit ============================================================
[+] Everything is done. Find the resulting HTML report in results.html

Results

We have looked at just one set of tools for scanning Docker artifacts, which, in my opinion, covers a decent share of image security requirements. There are also a large number of paid and free tools that can perform the same checks, draw nicer reports, or work only in console mode, cover container orchestration systems, and so on. A description of those tools and how to integrate them may appear a little later.

The good thing about the set of tools described in this article is that they are all open source, and you can experiment with them and other similar tools to find what suits your needs and infrastructure. Of course, every vulnerability found should be analysed for applicability in the specific conditions, but that is a topic for a big future article.

I hope this guide, the scripts and the utilities will help you and become a starting point for building a more secure infrastructure in the field of containerisation.

source: www.habr.com
