feat(build): add multi image build

Signed-off-by: Felipe Zipitria <[email protected]>
coreruleset · Feb 14, 2021 · 83663ee · 83663ee
1 parent 9f81a87
commit 83663ee
Show file tree

Hide file tree

Showing 14 changed files with 132 additions and 55 deletions.
diff --git a/.github/workflows/buildimage.yml b/.github/workflows/buildimage.yml
@@ -3,14 +3,16 @@ on:
   push:
     branches:
     - master
+env:
+  DEFAULT_VERSION: 'v3.3.0'
+  DEFAULT_SERVER: 'apache'
 jobs:
   build:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        image:
-        - 3.3-apache
-        - 3.3-nginx
+        version: ['v3.3.0']
+        server: ['apache', 'nginx']
     steps:
     - uses: actions/checkout@v1
       with:
@@ -21,15 +23,14 @@ jobs:
            -u "${{ secrets.dockerhub_user }}"
            -p "${{ secrets.dockerhub_token }}"
 
-    - name: Build ${{ matrix.image }}
-      run: docker build . -f ${{ matrix.image }}/Dockerfile
-           --tag owasp/modsecurity-crs:${{ matrix.image }}
-           --tag owasp/modsecurity-crs:$(echo ${{ matrix.image }} | sed 's/.*-//')
+    - name: Build ${{ matrix.version }}-${{ matrix.server }}
+      run: make VERSIONS=${{ matrix.version }} SERVERS=${{ matrix.server }}
 
-    - name: Set default tag for ${{ matrix.image }}
-      if: endsWith(matrix.image, '-apache')
-      run: docker tag owasp/modsecurity-crs:${{ matrix.image }}
-                      owasp/modsecurity-crs:$(echo ${{ matrix.image }} | sed 's/-.*//')
+    # As we build multiple versions now, we need one to be the default
+    - name: Set default tag for ${{ matrix.version }}-${{ matrix.server }}
+      if: matrix.server == env.DEFAULT_SERVER && matrix.version == env.DEFAULT_VERSION
+      run: docker tag owasp/modsecurity-crs:${{ matrix.version }}-${{ matrix.server }}
+                      owasp/modsecurity-crs:${{ matrix.server }}
 
-    - name: Push ${{ matrix.image }}
+    - name: Push ${{ matrix.version }}-${{ matrix.server }}
       run: docker push owasp/modsecurity-crs
diff --git a/.github/workflows/verifyimage.yml b/.github/workflows/verifyimage.yml
@@ -7,21 +7,21 @@ jobs:
   build:
     runs-on: ubuntu-latest
     strategy:
+      # Remember to match these with the buildimage.yml action
       matrix:
-        image:
-        - 3.3-apache
-        - 3.3-nginx
+        version: ['v3.3.0']
+        server: ['apache', 'nginx']
     steps:
     - uses: actions/checkout@v1
       with:
         fetch-depth: 1
 
-    - name: Build ${{ matrix.image }}
-      run: docker build . -f ${{ matrix.image }}/Dockerfile --tag test
+    - name: Build ${{ matrix.version }}-${{ matrix.server }}
+      run: make VERSIONS=${{ matrix.version }} SERVERS=${{ matrix.server }} TAG=test
 
-    - name: Run ${{ matrix.image }}
-      run: docker run -d --name ${{ matrix.image }} test
+    - name: Run ${{ matrix.version }}-${{ matrix.server }}
+      run: docker run -d --name ${{ matrix.version }}-${{ matrix.server }} test:${{ matrix.version }}-${{ matrix.server }}
 
-    - name: Verify ${{ matrix.image }}
+    - name: Verify ${{ matrix.version }}-${{ matrix.server }}
       run: |
-        [ $(docker inspect ${{ matrix.image }} --format='{{.State.Running}}') = 'true' ]
+        [ $(docker inspect ${{ matrix.version }}-${{ matrix.server }} --format='{{.State.Running}}') = 'true' ]
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+v*-{apache,nginx}/
diff --git a/Makefile b/Makefile
@@ -0,0 +1,19 @@
+VERSIONS = v3.3.0
+SERVERS = apache nginx
+TAG = owasp/modsecurity-crs
+
+TARGETS = $(foreach server,$(SERVERS),$(foreach version,$(VERSIONS),$(addsuffix -$(server),$(version))))
+IMAGES = $(addprefix image/, $(TARGETS))
+
+.PHONY: clean
+
+all: $(TARGETS) $(IMAGES)
+
+v%: $(addsufix /Dockerfile, $(SERVERS))
+	./src/release.sh "v$*"
+
+image/%: $(TARGETS)
+	docker build --tag $(TAG):$* -f $*/Dockerfile .
+
+clean:
+	rm -rfv v*
diff --git a/README.md b/README.md
@@ -2,17 +2,17 @@
 
 [![dockeri.co](http://dockeri.co/image/owasp/modsecurity-crs)](https://hub.docker.com/r/owasp/modsecurity-crs/)
 
-[![Build Status](https://img.shields.io/endpoint.svg?url=https%3A%2F%2Factions-badge.atrox.dev%2FCRS-support%2Fmodsecurity-crs-docker%2Fbadge%3Fref%3Dmaster&style=flat)](https://actions-badge.atrox.dev/CRS-support/modsecurity-crs-docker/goto?ref=master
-) [![GitHub issues](https://img.shields.io/github/issues-raw/CRS-support/modsecurity-crs-docker.svg)](https://github.com/CRS-support/modsecurity-crs-docker/issues
-) [![GitHub PRs](https://img.shields.io/github/issues-pr-raw/CRS-support/modsecurity-crs-docker.svg)](https://github.com/CRS-support/modsecurity-crs-docker/pulls
-) [![License](https://img.shields.io/github/license/CRS-support/modsecurity-crs-docker.svg)](https://github.com/CRS-support/modsecurity-crs-docker/blob/master/LICENSE)
+[![Build Status](https://img.shields.io/endpoint.svg?url=https%3A%2F%2Factions-badge.atrox.dev%2Fcoreruleset%2Fmodsecurity-crs-docker%2Fbadge%3Fref%3Dmaster&style=flat)](https://actions-badge.atrox.dev/coreruleset/modsecurity-crs-docker/goto?ref=master
+) [![GitHub issues](https://img.shields.io/github/issues-raw/coreruleset/modsecurity-crs-docker.svg)](https://github.com/coreruleset/modsecurity-crs-docker/issues
+) [![GitHub PRs](https://img.shields.io/github/issues-pr-raw/coreruleset/modsecurity-crs-docker.svg)](https://github.com/coreruleset/modsecurity-crs-docker/pulls
+) [![License](https://img.shields.io/github/license/coreruleset/modsecurity-crs-docker.svg)](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/LICENSE)
 
 ## What is the Core Rule Set
 
 The Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls.
 ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx.
 
-## Example
+## Examples
 
 ```
 docker build -t owasp/modsecurity-crs .
@@ -26,6 +26,38 @@ docker build -t owasp/modsecurity-crs .
 docker run -p 80:80 -ti -e PARANOIA=4 -e PROXY=1 --rm owasp/modsecurity-crs
 ```
 
+## Building
+
+Image building requires `make`, or you can do the same by calling the `src/release.sh` helper with the version release you want and the web server, e.g:
+
+```bash
+$ ./src/release.sh "v3.3.0-apache"
+$ docker build --tag owasp/modsecurity-crs:v3.3.0-apache -f v3.3.0-apache/Dockerfile .
+```
+
+If you call `make` without arguments, will build all releases and web server combinations.
+
+Or use `make VERSIONS=v3.3.0-rc1` and it will get the proper release and build the container.
+
+You can also add your local tag, or override the build:
+
+```bash
+make VERSIONS=v3.3.0 SERVERS=nginx TAG=mytag
+```
+
+## CRS Versions
+
+> Hey, I used some specific git version with the containers? What happened?
+
+You can achieve the same results just by getting any version you want, and using docker volumes. See this example:
+
+```bash
+$ git clone https://github.com/coreruleset/coreruleset.git myrules
+$ cd myrules
+$ git checkout ac2a0d1
+$ docker run -p 80:80 -ti -e PARANOIA=4 -v ./rules:/opt/owasp-crs/rules:ro --rm owasp/modsecurity-crs
+```
+
 ## Apache
 The Apache webserver is configured via the `httpd-modsecurity.conf` file overriding directives from the base file.
 

diff --git a/3.3-apache/Dockerfile → apache/Dockerfile b/3.3-apache/Dockerfile → apache/Dockerfile
@@ -2,9 +2,7 @@ FROM owasp/modsecurity:2
 
 LABEL maintainer="Chaim Sanders <[email protected]>"
 
-ARG COMMIT=v3.3/dev
-ARG BRANCH=v3.3/dev
-ARG REPO=coreruleset/coreruleset
+ARG RELEASE=%%RELEASE%%
 
 ENV PARANOIA=1 \
     ANOMALY_INBOUND=5 \
@@ -28,23 +26,25 @@ ENV PARANOIA=1 \
 
 COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/
 COPY src/opt/modsecurity/activate-rules.sh /opt/modsecurity/
-COPY 3.3-apache/conf/extra/*.conf /usr/local/apache2/conf/extra/
-COPY 3.3-apache/docker-entrypoint.sh /
+COPY apache/conf/extra/*.conf /usr/local/apache2/conf/extra/
+COPY apache/docker-entrypoint.sh /
 
+# Change default shell to bash
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# hadolint ignore=DL3008,SC2016
 RUN apt-get update \
- && apt-get -y install \
+ && apt-get -y install --no-install-recommends \
       ca-certificates \
-      git \
+      curl \
       iproute2 \
  && mkdir /opt/owasp-crs \
- && cd /opt/owasp-crs \
- && git init \
- && git remote add origin https://github.com/${REPO} \
- && git fetch --depth 1 origin ${BRANCH} \
- && git checkout ${COMMIT} \
- && mv -v crs-setup.conf.example crs-setup.conf \
+ && curl -SL https://github.com/coreruleset/coreruleset/archive/${RELEASE}.tar.gz \
+ | tar -zxf - --strip-components=1 -C /opt/owasp-crs \
+ && mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf \
  && ln -sv /opt/owasp-crs /etc/modsecurity.d/ \
- && sed -i -E 's/(Listen) [0-9]+/\1 ${PORT}/g' /usr/local/apache2/conf/httpd.conf
+ && sed -i -E 's/(Listen) [0-9]+/\1 ${PORT}/g' /usr/local/apache2/conf/httpd.conf \
+ && rm -rf /var/lib/apt/lists/*
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["apachectl", "-D", "FOREGROUND"]
diff --git a/...onf/extra/httpd-logging-after-modsec.conf → ...onf/extra/httpd-logging-after-modsec.conf b/...onf/extra/httpd-logging-after-modsec.conf → ...onf/extra/httpd-logging-after-modsec.conf
diff --git a/...nf/extra/httpd-logging-before-modsec.conf → ...nf/extra/httpd-logging-before-modsec.conf b/...nf/extra/httpd-logging-before-modsec.conf → ...nf/extra/httpd-logging-before-modsec.conf
diff --git a/3.3-apache/conf/extra/httpd-modsecurity.conf → apache/conf/extra/httpd-modsecurity.conf b/3.3-apache/conf/extra/httpd-modsecurity.conf → apache/conf/extra/httpd-modsecurity.conf
diff --git a/3.3-apache/docker-entrypoint.sh → apache/docker-entrypoint.sh b/3.3-apache/docker-entrypoint.sh → apache/docker-entrypoint.sh
diff --git a/3.3-nginx/Dockerfile → nginx/Dockerfile b/3.3-nginx/Dockerfile → nginx/Dockerfile
@@ -2,9 +2,7 @@ FROM owasp/modsecurity:3
 
 LABEL maintainer="Chaim Sanders <[email protected]>"
 
-ARG COMMIT=v3.3/dev
-ARG BRANCH=v3.3/dev
-ARG REPO=coreruleset/coreruleset
+ARG RELEASE=%%RELEASE%%
 
 ENV PARANOIA=1 \
     ANOMALY_INBOUND=5 \
@@ -25,25 +23,26 @@ ENV PARANOIA=1 \
     MODSEC_PCRE_MATCH_LIMIT=100000 \
     MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000
 
-COPY 3.3-nginx/docker-entrypoint.sh /
-COPY 3.3-nginx/nginx.conf /etc/nginx/nginx.conf
 COPY src/opt/modsecurity/activate-rules.sh /opt/modsecurity/
 COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/
+COPY nginx/docker-entrypoint.sh /
+COPY nginx/nginx.conf /etc/nginx/nginx.conf
 
+# Change default shell to bash
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# hadolint ignore=DL3008,SC2016
 RUN apt-get update \
- && apt-get -y install \
+ && apt-get -y install --no-install-recommends \
       ca-certificates \
-      git \
+      curl \
       iproute2 \
-      moreutils \
  && mkdir /opt/owasp-crs \
- && cd /opt/owasp-crs \
- && git init \
- && git remote add origin https://github.com/${REPO} \
- && git fetch --depth 1 origin ${BRANCH} \
- && git checkout ${COMMIT} \
- && mv -v crs-setup.conf.example crs-setup.conf \
- && ln -sv /opt/owasp-crs /etc/modsecurity.d/
+ && curl -SL https://github.com/coreruleset/coreruleset/archive/${RELEASE}.tar.gz \
+ | tar -zxf - --strip-components=1 -C /opt/owasp-crs \
+ && mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf \
+ && ln -sv /opt/owasp-crs /etc/modsecurity.d/ \
+ && rm -rf /var/lib/apt/lists/*
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["nginx", "-g", "daemon off;"]
diff --git a/3.3-nginx/docker-entrypoint.sh → nginx/docker-entrypoint.sh b/3.3-nginx/docker-entrypoint.sh → nginx/docker-entrypoint.sh
diff --git a/3.3-nginx/nginx.conf → nginx/nginx.conf b/3.3-nginx/nginx.conf → nginx/nginx.conf
diff --git a/src/release.sh b/src/release.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# Release will use master branch as stable
+
+set -e
+
+target="$1"
+
+if [ -z "$target" ]; then
+  echo "usage: $0 vX.Y-(apache|nginx)" >&2
+  exit 1
+fi
+
+# relases might be release candidates, which are named with '-rcX'
+release="${target%-*}"
+server="${target#*-}"
+server_no_rc="${server#*-}"
+
+cd "$(dirname "$0")/.."
+mkdir -p "${target}"
+
+
+sed -e "s,%%RELEASE%%,${release},g" \
+  "${server_no_rc}/Dockerfile" > "${target}/Dockerfile"
+