ExternalVendorCode/HIRS
1
0
Fork 0
mirror of https://github.com/nsacyber/HIRS.git synced 2024-12-20 21:43:18 +00:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity
1e3c7c78b0
HIRS/.ci/docker/Dockerfile.aca-rocky
5B96790E3664F40075A67E6ADF737EDB15B4408DBC91A81228B31537B0CE3E26 1e3c7c78b0
Dockerfiles for v3 ACA. Also Powershell Package Scripts (#628) 
* Package scripts for powershell

* Adding dockerfiles
2023-11-09 11:54:51 -05:00

75 lines
4.0 KiB
Docker
Raw Blame History

FROM rockylinux:9
LABEL org.opencontainers.image.vendor NSA Laboratory for Advanced Cybersecurity Research
LABEL org.opencontainers.image.source https://github.com/nsacyber/hirs
LABEL org.opencontainers.image.description NSA\'s HIRS Attestation Certificate Authority. Expose port 8443 to access the portal from outside the container.
SHELL ["/bin/bash", "-c"]
# Rocky 9 has a different channel for some apps
RUN dnf install -y 'dnf-command(config-manager)' && dnf config-manager --set-enabled crb
# Update and install OS-dependencies
RUN dnf update -y
# Dependencies were selected for these reasons:
# OS setup/Unknown direct impact for HIRS
ENV HIRS_DNF_OS_SETUP="initscripts firewalld policycoreutils policycoreutils-python-utils net-tools"
# OS tools
ENV HIRS_DNF_OS_TOOLS="git sudo vim wget"
# ACA compile
ENV HIRS_DNF_ACA_COMPILE="java-17-openjdk-devel"
# ACA run
ENV HIRS_DNF_ACA_RUN="mariadb-server"
# IBM TPM simulator compile
ENV HIRS_DNF_TPM_COMPILE="tpm2-tools gcc cmake openssl-devel"
# Download and install all dependencies at one time
RUN dnf -y install $(echo "$HIRS_DNF_OS_SETUP") $(echo "$HIRS_DNF_OS_TOOLS") $(echo "$HIRS_DNF_ACA_COMPILE") $(echo "$HIRS_DNF_ACA_RUN") $(echo "$HIRS_DNF_TPM_COMPILE")
# Set up TPM Simulator
RUN git clone https://github.com/kgoldman/ibmswtpm2 /ibmswtpm2
WORKDIR /ibmswtpm2/src
RUN make
# The following script allows the TPM to be set up in the docker image.
# This will install an empty TPM.
RUN echo "#!/bin/bash" > /tmp/tpm_config && \
echo "/ibmswtpm2/src/tpm_server &" >> /tmp/tpm_config && \
echo "sleep 5" >> /tmp/tpm_config && \
echo "tpm2_startup -c" >> /tmp/tpm_config && \
bash /tmp/tpm_config && \
rm -rf /tmp/tpm_config
#EXPOSE 8080 # Only needed if TLS is not working.
EXPOSE 8443
# Checkout HIRS
RUN git clone -b main https://github.com/nsacyber/HIRS.git /repo
# Defensive copy of the repo so it's easy to start fresh if needed
RUN mkdir /hirs
WORKDIR /repo
RUN cp -r . /hirs
# Run bootwar to cache build artifacts
WORKDIR /hirs
RUN ./gradlew bootWar
# Add ACA TLS certification path to container OS
# Allows the curl command in the HEALTHCHECK to work with TLS
# These commands are placed into a script that can be run after aca_setup.sh on container launch.
RUN echo "#!/bin/bash" > /tmp/hirs_add_aca_tls_path_to_os.sh && \
echo "cp /etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_intermediate_ca_rsa_3k_sha384.pem /etc/pki/ca-trust/source/anchors/" >> /tmp/hirs_add_aca_tls_path_to_os.sh && \
echo "cp /etc/hirs/certificates/HIRS/ecc_512_sha384_certs/HIRS_intermediate_ca_ecc_512_sha384.pem /etc/pki/ca-trust/source/anchors/" >> /tmp/hirs_add_aca_tls_path_to_os.sh && \
echo "cp /etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_root_ca_rsa_3k_sha384.pem /etc/pki/ca-trust/source/anchors/" >> /tmp/hirs_add_aca_tls_path_to_os.sh && \
echo "cp /etc/hirs/certificates/HIRS/ecc_512_sha384_certs/HIRS_root_ca_ecc_512_sha384.pem /etc/pki/ca-trust/source/anchors/" >> /tmp/hirs_add_aca_tls_path_to_os.sh && \
echo "cp /etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_leaf_ca3_rsa_3k_sha384.pem /etc/pki/ca-trust/source/anchors/" >> /tmp/hirs_add_aca_tls_path_to_os.sh && \
echo "cp /etc/hirs/certificates/HIRS/ecc_512_sha384_certs/HIRS_leaf_ca3_ecc_512_sha384.pem /etc/pki/ca-trust/source/anchors/" >> /tmp/hirs_add_aca_tls_path_to_os.sh && \
echo "update-ca-trust" >> /tmp/hirs_add_aca_tls_path_to_os.sh
RUN chmod +x /tmp/hirs_add_aca_tls_path_to_os.sh
# The container will report a health state based on when embedded tomcat finishes loading. If the ACA isn't loaded after the timeout, the container will report that it is unhealthy.
HEALTHCHECK --start-period=50s --interval=1s --timeout=90s CMD curl -f https://localhost:8443/HIRS_AttestationCAPortal/portal/index
# Reset working directory
WORKDIR /hirs
# On container launch, the database will be set up. Then bootRun should utilize build artifacts stored in the image.
CMD ["bash", "-c", "/hirs/package/scripts/aca/aca_setup.sh --unattended && /tmp/hirs_add_aca_tls_path_to_os.sh && /hirs/package/scripts/aca/aca_bootRun.sh"]
Reference in New Issue View Git Blame Copy Permalink