Methods and examples of implementing Docker security checking tools

Hi Habr!

Today, with the growing popularity of containerisation in development processes, the task of ensuring the security of the various stages and entities involved with containers is far from the least important. Manual checking is laborious, so it makes sense to take at least the first steps towards automating this work.

In this article I will share ready-made scripts for implementing several Docker security tools, and instructions for setting up a small demo stand to try this process out. You can use these materials to experiment with how to organise testing of the security of images and Dockerfile instructions. Obviously, everyone's development and deployment infrastructure is different, so below I give several possible options.

Security scanning tools

There are many helper applications and scripts that perform checks on different aspects of the Docker infrastructure. Some of them were already described in the previous article (https://habr.com/ru/company/swordfish_security/blog/518758/#docker-security), and in this one I would like to focus on three of them, which cover most of the security requirements for Docker images built during development. In addition, I will also show an example of how these three tools can be combined into a single pipeline for running security checks.

Hadolint
https://github.com/hadolint/hadolint

A simple console utility that helps with a first-pass assessment of the correctness and security of Dockerfile instructions (for example, whether only permitted image registries are used, or whether sudo is used).


Dockle
https://github.com/goodwithtech/dockle

A console utility that works on an image (or on a saved image tarball) and checks the correctness and security of that image as such by analysing its layers and configuration: which users are created, which instructions are used, which volumes are mounted, whether an empty password is present, and so on. The number of checks is not very large yet, but they are based on several checks and recommendations from the CIS (Center for Internet Security) Benchmark for Docker.

Trivy
https://github.com/aquasecurity/trivy

This utility aims to find two kinds of vulnerabilities: problems in OS packages (Alpine, RedHat (EL), CentOS, Debian GNU and Ubuntu are supported) and problems in dependencies (Gemfile.lock, Pipfile.lock, composer.lock, package-lock.json, yarn.lock, Cargo.lock). Trivy can scan an image both in a registry and locally, and it can also scan a saved .tar file containing a Docker image.


Tool implementation options

To try the described applications out in isolated conditions, I will give instructions for installing all the tools as part of a simplified process.

The main idea is to show how you can implement automatic content checking of the Dockerfiles and Docker images that are created during development.

The check itself consists of the following steps:

  1. Checking the correctness and security of Dockerfile instructions with the Hadolint linter
  2. Checking the correctness and security of the final and intermediate images with the Dockle tool
  3. Checking for known vulnerabilities (CVE) in the base image and in a number of dependencies with the Trivy tool

Further in the article I will give three options for implementing these steps:
The first is by configuring a CI/CD pipeline, using GitLab as an example (with a description of the process of bringing up a test instance).
The second is by using a shell script.
The third is by building a Docker image for scanning Docker images.
You can choose whichever option suits you, transfer it to your infrastructure and adapt it to your needs.

All the necessary files and additional instructions are also in the repository: https://github.com/Swordfish-Security/docker_cicd

GitLab CI/CD integration

In the first option we will look at how security checks can be implemented using the GitLab repository system as an example. Here we will go through the steps and see how to set up a test environment with GitLab from scratch, create a scanning process and run the tools to check a test Dockerfile and a randomly chosen image, the JuiceShop application.

Installing GitLab
1. Install Docker:

sudo apt-get update && sudo apt-get install docker.io

2. Add the current user to the docker group so that you can work with docker without sudo:

sudo addgroup <username> docker

3. Find your IP:

ip addr

4. Install and run GitLab in a container, replacing the IP address in the hostname with your own:

docker run --detach \
--hostname 192.168.1.112 \
--publish 443:443 --publish 80:80 \
--name gitlab \
--restart always \
--volume /srv/gitlab/config:/etc/gitlab \
--volume /srv/gitlab/logs:/var/log/gitlab \
--volume /srv/gitlab/data:/var/opt/gitlab \
gitlab/gitlab-ce:latest

We wait for GitLab to complete all the necessary installation procedures (you can follow the process through the log output: docker logs -f gitlab).

5. Open your local IP in a browser and you will see a page offering to change the password for the root user.
Set a new password and log in to GitLab.

6. Create a new project, for example cicd-test, and initialise it with a README.md start file.
7. Now we need to install GitLab Runner: an agent that will run all the necessary operations on request.
Download the latest version (in this case, for Linux 64-bit):

sudo curl -L --output /usr/local/bin/gitlab-runner https://gitlab-runner-downloads.s3.amazonaws.com/latest/binaries/gitlab-runner-linux-amd64

8. Make it executable:

sudo chmod +x /usr/local/bin/gitlab-runner

9. Add an OS user for the Runner and start the service:

sudo useradd --comment 'GitLab Runner' --create-home gitlab-runner --shell /bin/bash
sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
sudo gitlab-runner start

It should look something like this:

local@osboxes:~$ sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
Runtime platform arch=amd64 os=linux pid=8438 revision=0e5417a3 version=12.0.1
local@osboxes:~$ sudo gitlab-runner start
Runtime platform arch=amd64 os=linux pid=8518 revision=0e5417a3 version=12.0.1

10. Now we register the Runner so that it can interact with our GitLab instance.
To do this, open the Settings - CI/CD page (http://OUR_IP_ADDRESS/root/cicd-test/-/settings/ci_cd) and on the Runners tab find the URL and the Registration token.
11. Register the Runner, substituting the URL and Registration token:

sudo gitlab-runner register \
--non-interactive \
--url "http://<URL>/" \
--registration-token "<Registration Token>" \
--executor "docker" \
--docker-privileged \
--docker-image alpine:latest \
--description "docker-runner" \
--tag-list "docker,privileged" \
--run-untagged="true" \
--locked="false" \
--access-level="not_protected"

As a result, we have a working GitLab, to which we now need to add the instructions that launch our tools. In this demo there are no application build and packaging steps, but in a real environment they would precede the scanning steps and produce the image and the Dockerfile for analysis.

Pipeline configuration

1. Add two files to the repository: mydockerfile.df (the test Dockerfile we will check) and the GitLab CI/CD process configuration file .gitlab-ci.yml, which lists the instructions for the scans (note the leading dot in the file name).

The YAML configuration file contains instructions for running the three tools (Hadolint, Dockle and Trivy), which analyse the Dockerfile and the image specified in the DOCKERFILE and DOCKERIMAGE variables. All the files can be taken from the repository: https://github.com/Swordfish-Security/docker_cicd/

Download mydockerfile.df (this is an abstract file with an arbitrary set of instructions, used only to demonstrate how the tools work). Direct link to the file: mydockerfile.df

Contents of mydockerfile.df

FROM amd64/node:10.16.0-alpine@sha256:f59303fb3248e5d992586c76cc83e1d3700f641cbcd7c0067bc7ad5bb2e5b489 AS tsbuild
COPY package.json .
COPY yarn.lock .
RUN yarn install
COPY lib lib
COPY tsconfig.json tsconfig.json
COPY tsconfig.app.json tsconfig.app.json
RUN yarn build
FROM amd64/ubuntu:18.04@sha256:eb70667a801686f914408558660da753cde27192cd036148e58258819b927395
LABEL maintainer="Rhys Arkins <[email protected]>"
LABEL name="renovate"
...
COPY php.ini /usr/local/etc/php/php.ini
RUN cp -a /tmp/piik/* /var/www/html/
RUN rm -rf /tmp/piwik
RUN chown -R www-data /var/www/html
ADD piwik-cli-setup /piwik-cli-setup
ADD reset.php /var/www/html/
## ENTRYPOINT ##
ADD entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
USER root

The YAML looks like this (the file can be downloaded from the direct link here: .gitlab-ci.yml):

Contents of .gitlab-ci.yml

variables:
    DOCKER_HOST: "tcp://docker:2375/"
    DOCKERFILE: "mydockerfile.df" # name of the Dockerfile to analyse   
    DOCKERIMAGE: "bkimminich/juice-shop" # name of the Docker image to analyse
    # DOCKERIMAGE: "knqyf263/cve-2018-11235" # test Docker image with several CRITICAL CVE
    SHOWSTOPPER_PRIORITY: "CRITICAL" # what level of criticality will fail Trivy job
    TRIVYCACHE: "$CI_PROJECT_DIR/.cache" # where to cache Trivy database of vulnerabilities for faster reuse
    ARTIFACT_FOLDER: "$CI_PROJECT_DIR"
 
services:
    - docker:dind # to be able to build docker images inside the Runner
 
stages:
    - scan
    - report
    - publish
 
HadoLint:
    # Basic lint analysis of Dockerfile instructions
    stage: scan
    image: docker:git
 
    after_script:
    - cat $ARTIFACT_FOLDER/hadolint_results.json
 
    script:
    - export VERSION=$(wget -q -O - https://api.github.com/repos/hadolint/hadolint/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/hadolint/hadolint/releases/download/v${VERSION}/hadolint-Linux-x86_64 && chmod +x hadolint-Linux-x86_64
     
    # NB: hadolint will always exit with 0 exit code
    - ./hadolint-Linux-x86_64 -f json $DOCKERFILE > $ARTIFACT_FOLDER/hadolint_results.json || exit 0
 
    artifacts:
        when: always # return artifacts even after job failure       
        paths:
        - $ARTIFACT_FOLDER/hadolint_results.json
 
Dockle:
    # Analysing best practices about docker image (users permissions, instructions followed when image was built, etc.)
    stage: scan   
    image: docker:git
 
    after_script:
    - cat $ARTIFACT_FOLDER/dockle_results.json
 
    script:
    - export VERSION=$(wget -q -O - https://api.github.com/repos/goodwithtech/dockle/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.tar.gz && tar zxf dockle_${VERSION}_Linux-64bit.tar.gz
    - ./dockle --exit-code 1 -f json --output $ARTIFACT_FOLDER/dockle_results.json $DOCKERIMAGE   
     
    artifacts:
        when: always # return artifacts even after job failure       
        paths:
        - $ARTIFACT_FOLDER/dockle_results.json
 
Trivy:
    # Analysing docker image and package dependencies against several CVE bases
    stage: scan   
    image: docker:git
 
    script:
    # getting the latest Trivy
    - apk add rpm
    - export VERSION=$(wget -q -O - https://api.github.com/repos/knqyf263/trivy/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/knqyf263/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz && tar zxf trivy_${VERSION}_Linux-64bit.tar.gz
     
    # displaying all vulnerabilities w/o failing the build
    - ./trivy -d --cache-dir $TRIVYCACHE -f json -o $ARTIFACT_FOLDER/trivy_results.json --exit-code 0 $DOCKERIMAGE    
    
    # write vulnerabilities info to stdout in human readable format (reading pure json is not fun, eh?). You can remove this if you don't need this.
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 0 $DOCKERIMAGE    
 
    # failing the build if the SHOWSTOPPER priority is found
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 1 --severity $SHOWSTOPPER_PRIORITY --quiet $DOCKERIMAGE
         
    artifacts:
        when: always # return artifacts even after job failure
        paths:
        - $ARTIFACT_FOLDER/trivy_results.json
 
    cache:
        paths:
        - .cache
 
Report:
    # combining tools outputs into one HTML
    stage: report
    when: always
    image: python:3.5
     
    script:
    - mkdir json
    - cp $ARTIFACT_FOLDER/*.json ./json/
    - pip install json2html
    - wget https://raw.githubusercontent.com/shad0wrunner/docker_cicd/master/convert_json_results.py
    - python ./convert_json_results.py
     
    artifacts:
        paths:
        - results.html

If necessary, you can also scan images saved as a .tar archive (however, you will need to change the input parameters for the tools in the YAML file).

NB: Trivy requires rpm and git to be installed. Otherwise it will produce errors when scanning RedHat-based images and when fetching updates to the vulnerability database.

2. After the files are added to the repository, GitLab automatically starts the build and runs the scans according to the instructions in our configuration file. On the CI/CD → Pipelines tab you can follow the progress of the instructions.

As a result, we have four jobs. Three of them are directly involved in scanning, and the last one (Report) assembles a simple report from the scattered files with the scan results.
By default, Trivy terminates its job if CRITICAL vulnerabilities are found in the image or in the dependencies. Hadolint, on the other hand, always returns a success code, since its work is purely informational, so it does not fail the build.

Depending on your specific requirements, you can configure an exit code so that these tools stop the build process when problems of a certain criticality are found. In our case, the build stops only if Trivy finds a vulnerability with the severity we specified in the SHOWSTOPPER_PRIORITY variable in .gitlab-ci.yml.

The result of each tool's work can be viewed in the log of the corresponding scan job, directly in the json files in the artifacts section, or in a simple HTML report (more on that below).

3. To present the utility reports in a more human-readable form, a small Python script is used that converts the three json files into a single HTML file with a table of defects.
This script is launched by a separate Report job, and its final artifact is an HTML file with the report. The script source is also in the repository and can be adapted to your needs, colours, and so on.
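To show what such a conversion involves, here is an added example of a merger for the three tools' JSON output, written for this article and not the repository's own convert_json_results.py. It assumes the JSON shapes the tools emitted at the time of writing (Hadolint: a list of {code, line, message, level}; Dockle: {"details": [...]}; Trivy: a list of {Target, Vulnerabilities} objects, or the newer {"Results": [...]} wrapper), maps Hadolint/Dockle levels onto Trivy's severity scale (an assumed mapping) so that a single SHOWSTOPPER_PRIORITY-style gate applies to all three, and uses constructed samples shaped after the output shown in this article.

```python
"""Merge Hadolint, Dockle and Trivy JSON into one finding list, an HTML table and a severity gate.
Added example (not the repository's convert_json_results.py); the input shapes and the
level-to-severity mapping below are assumptions, the samples at the bottom are constructed."""
import html
import json

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
# Assumed mapping of Hadolint (lowercase) and Dockle (uppercase) levels onto Trivy's scale,
# so that one SHOWSTOPPER_PRIORITY-style threshold can be applied to all three tools.
LEVEL_MAP = {"error": "HIGH", "warning": "MEDIUM", "info": "LOW", "style": "LOW",
             "FATAL": "CRITICAL", "WARN": "MEDIUM", "INFO": "LOW", "PASS": "UNKNOWN"}

def parse_hadolint(data):
    return [{"tool": "hadolint", "id": d["code"], "severity": LEVEL_MAP.get(d.get("level"), "MEDIUM"),
             "where": f"{d.get('file', 'Dockerfile')}:{d['line']}", "title": d["message"]} for d in data]

def parse_dockle(data):
    return [{"tool": "dockle", "id": d["code"], "severity": LEVEL_MAP.get(d.get("level"), "MEDIUM"),
             "where": "; ".join(d.get("alerts", [])), "title": d["title"]} for d in data.get("details", [])]

def parse_trivy(data):
    results = data.get("Results", []) if isinstance(data, dict) else data  # old list / new wrapper
    out = []
    for r in results:
        for v in r.get("Vulnerabilities") or []:  # Trivy emits null for a target without findings
            out.append({"tool": "trivy", "id": v["VulnerabilityID"], "severity": v.get("Severity", "UNKNOWN"),
                        "where": f"{r['Target']} ({v['PkgName']} {v['InstalledVersion']})",
                        "title": v.get("Title", "")})
    return out

def merge_findings(hadolint_json, dockle_json, trivy_json):
    """Parse the three raw JSON strings and return all findings, most severe first."""
    findings = (parse_hadolint(json.loads(hadolint_json)) + parse_dockle(json.loads(dockle_json))
                + parse_trivy(json.loads(trivy_json)))
    return sorted(findings, key=lambda f: -SEVERITY_ORDER.index(f["severity"]))

def showstopper_hit(findings, threshold="CRITICAL"):
    """True if any finding is at or above the threshold (the SHOWSTOPPER_PRIORITY gate)."""
    floor = SEVERITY_ORDER.index(threshold)
    return any(SEVERITY_ORDER.index(f["severity"]) >= floor for f in findings)

def to_html(findings):
    cols = ("tool", "severity", "id", "where", "title")
    head = "<tr>" + "".join(f"<th>{c}</th>" for c in cols) + "</tr>"
    rows = "".join("<tr>" + "".join(f"<td>{html.escape(str(f[c]))}</td>" for c in cols) + "</tr>"
                   for f in findings)  # escape: tool messages are untrusted text going into HTML
    return "<table>" + head + rows + "</table>"

# Constructed samples, shaped after the tool output shown earlier in the article.
SAMPLE_HADOLINT = ('[{"line": 205, "code": "DL3015", "message": "Avoid additional packages by specifying '
                   '`--no-install-recommends`", "file": "Dockerfile", "level": "info"}, '
                   '{"line": 248, "code": "DL3002", "message": "Last USER should not be root", '
                   '"file": "Dockerfile", "level": "warning"}]')
SAMPLE_DOCKLE = ('{"details": [{"code": "DKL-DI-0006", "title": "Avoid latest tag", "level": "WARN", '
                 '"alerts": ["Avoid \'latest\' tag"]}, {"code": "CIS-DI-0005", "level": "INFO", '
                 '"title": "Enable Content trust for Docker", '
                 '"alerts": ["export DOCKER_CONTENT_TRUST=1 before docker pull/build"]}]}')
SAMPLE_TRIVY = ('[{"Target": "juice-shop/frontend/package-lock.json", "Type": "npm", "Vulnerabilities": ['
                '{"VulnerabilityID": "CVE-2020-15256", "PkgName": "object-path", "InstalledVersion": "0.11.4", '
                '"Severity": "HIGH", "Title": "Prototype pollution in object-path"}, '
                '{"VulnerabilityID": "CVE-2020-15262", "PkgName": "webpack-subresource", "InstalledVersion": "1.4.1", '
                '"Severity": "LOW", "Title": "Unprotected dynamically loaded chunks"}]}]')

if __name__ == "__main__":
    found = merge_findings(SAMPLE_HADOLINT, SAMPLE_DOCKLE, SAMPLE_TRIVY)
    with open("results.html", "w", encoding="utf-8") as fh:
        fh.write(to_html(found))
    # A non-zero exit lets a CI job use this gate directly, like the Trivy job in .gitlab-ci.yml.
    raise SystemExit(1 if showstopper_hit(found, "CRITICAL") else 0)
```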

Shell script

The second option is suitable for cases where you need to check Docker images outside a CI/CD system, or where you want all the instructions in a form that can be run directly on the host. This option is covered by a ready-made shell script that can be run on a clean virtual (or even physical) machine. The script follows the same instructions as the gitlab-runner configuration above.

For the script to work correctly, Docker must be installed on the system and the current user must be a member of the docker group.

The script itself can be found here: docker_sec_check.sh

At the beginning of the file, variables define which image to scan and at what defect severity the Trivy utility should exit with the specified error code.

While the script runs, all the utilities are downloaded into the docker_tools directory, the results of their work are placed in the docker_tools/json directory, and the HTML report is written to the results.html file.

Sample script output

~/docker_cicd$ ./docker_sec_check.sh

[+] Setting environment variables
[+] Installing required packages
[+] Preparing necessary directories
[+] Fetching sample Dockerfile
2020-10-20 10:40:00 (45.3 MB/s) - ‘Dockerfile’ saved [8071/8071]
[+] Pulling image to scan
latest: Pulling from bkimminich/juice-shop
[+] Running Hadolint
...
Dockerfile:205 DL3015 Avoid additional packages by specifying `--no-install-recommends`
Dockerfile:248 DL3002 Last USER should not be root
...
[+] Running Dockle
...
WARN    - DKL-DI-0006: Avoid latest tag
        * Avoid 'latest' tag
INFO    - CIS-DI-0005: Enable Content trust for Docker
        * export DOCKER_CONTENT_TRUST=1 before docker pull/build
...
[+] Running Trivy
juice-shop/frontend/package-lock.json
=====================================
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

+---------------------+------------------+----------+---------+-------------------------+
|       LIBRARY       | VULNERABILITY ID | SEVERITY | VERSION |             TITLE       |
+---------------------+------------------+----------+---------+-------------------------+
| object-path         | CVE-2020-15256   | HIGH     | 0.11.4  | Prototype pollution in  |
|                     |                  |          |         | object-path             |
+---------------------+------------------+          +---------+-------------------------+
| tree-kill           | CVE-2019-15599   |          | 1.2.2   | Code Injection          |
+---------------------+------------------+----------+---------+-------------------------+
| webpack-subresource | CVE-2020-15262   | LOW      | 1.4.1   | Unprotected dynamically |
|                     |                  |          |         | loaded chunks           |
+---------------------+------------------+----------+---------+-------------------------+

juice-shop/package-lock.json
============================
Total: 20 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 8, CRITICAL: 5)

...

juice-shop/package-lock.json
============================
Total: 5 (CRITICAL: 5)

...
[+] Removing left-overs
[+] Making the output look pretty
[+] Converting JSON results
[+] Writing results HTML
[+] Clean exit ============================================================
[+] Everything is done. Find the resulting HTML report in results.html

Docker image with all the tools

As a third option, I put together two simple Dockerfiles for building an image with the security utilities. One Dockerfile builds a kit for scanning an image from a registry, the second (Dockerfile_tar) builds a kit for scanning a tar file containing an image.

1. Take the corresponding Dockerfile and scripts from the repository https://github.com/Swordfish-Security/docker_cicd/tree/master/Dockerfile.
2. Run the build:

docker build -t dscan:image -f docker_security.df .

3. Once the build has finished, create a container from the image. At the same time, we pass the DOCKERIMAGE environment variable with the name of the image we are interested in, and mount the Dockerfile we want to analyse from our machine to the /Dockerfile file (note that an absolute path to this file is required):

docker run --rm -v $(pwd)/results:/results -v $(pwd)/docker_security.df:/Dockerfile -e DOCKERIMAGE="bkimminich/juice-shop" dscan:image
[+] Setting environment variables
[+] Running Hadolint
/Dockerfile:3 DL3006 Always tag the version of an image explicitly
[+] Running Dockle
WARN    - DKL-DI-0006: Avoid latest tag
        * Avoid 'latest' tag
INFO    - CIS-DI-0005: Enable Content trust for Docker
        * export DOCKER_CONTENT_TRUST=1 before docker pull/build
INFO    - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
        * not found HEALTHCHECK statement
INFO    - DKL-LI-0003: Only put necessary files
        * unnecessary file : juice-shop/node_modules/sqlite3/Dockerfile
        * unnecessary file : juice-shop/node_modules/sqlite3/tools/docker/architecture/linux-arm64/Dockerfile
        * unnecessary file : juice-shop/node_modules/sqlite3/tools/docker/architecture/linux-arm/Dockerfile
[+] Running Trivy
...
juice-shop/package-lock.json
============================
Total: 20 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 8, CRITICAL: 5)
...
[+] Making the output look pretty
[+] Starting the main module ============================================================
[+] Converting JSON results
[+] Writing results HTML
[+] Clean exit ============================================================
[+] Everything is done. Find the resulting HTML report in results.html

Results

We have covered a basic set of utilities for scanning Docker artifacts, which in my opinion covers a fair share of image security requirements. There are many more paid and free tools that can perform similar checks, produce nice reports or work in console mode, cover container management systems, and so on. An overview of these tools and how to integrate them will come a little later.

The good thing about the set of tools described in this article is that it is all built on open source, so you can experiment with them and with other similar tools to find what suits your needs and your infrastructure. Of course, every vulnerability found should be studied for applicability in your specific conditions, but that is a topic for a future big article.

I hope these instructions, scripts and utilities help you and become a starting point for creating a more secure infrastructure in the area of containerisation.

Source: will.com
