[integration] Fix the build of FIPS 140-2 images

OpenCTI-Platform · Feb 24, 2024 · cdc32a6 · cdc32a6
1 parent bfa6943
commit cdc32a6
Show file tree

Hide file tree

Showing 4 changed files with 101 additions and 13 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -663,12 +663,16 @@ workflows:
       - notify_rolling:
           requires:
             - deploy_testing
+            - docker_build_platform_fips_rolling
+            - docker_build_worker_fips_rolling              
             - package_rolling
             - package_rolling_musl
       - notify:
           requires:
             - docker_build_platform
             - docker_build_worker
+            - docker_build_platform_fips
+            - docker_build_worker_fips
           filters:
             tags:
               only: /[0-9]+(\.[0-9]+)+(\.[0-9]+)*/

diff --git a/opencti-platform/Dockerfile_circleci b/opencti-platform/Dockerfile_circleci
@@ -40,7 +40,6 @@ RUN set -ex; \
 WORKDIR /opt/opencti
 COPY opencti-graphql/src/python/requirements.txt ./src/python/requirements.txt
 RUN pip3 install --no-cache-dir --requirement ./src/python/requirements.txt
-RUN pip3 install --upgrade --force --no-cache-dir git+https://github.com/OpenCTI-Platform/client-python@master
 RUN apk del git gcc musl-dev
 COPY --from=graphql-deps-builder /opt/opencti-build/opencti-graphql/node_modules ./node_modules
 COPY --from=graphql-builder /opt/opencti-build/opencti-graphql/build ./build

diff --git a/opencti-platform/Dockerfile_circleci_fips b/opencti-platform/Dockerfile_circleci_fips
@@ -1,15 +1,13 @@
 FROM filigran/python-nodejs-fips:latest AS base
 
-
 FROM base AS graphql-deps-builder
 
 WORKDIR /opt/opencti-build/opencti-graphql
 COPY opencti-graphql/package.json opencti-graphql/yarn.lock opencti-graphql/.yarnrc.yml ./
 COPY opencti-graphql/.yarn ./.yarn
 COPY opencti-graphql/patch ./patch
 RUN set -ex; \
-    apk add --no-cache git tini gcc g++ make musl-dev cargo python3 python3-dev postfix postfix-pcre \
-    && rm /usr/lib/python3.11/EXTERNALLY-MANAGED \
+    apk add --no-cache git tini gcc g++ make musl-dev cargo postfix postfix-pcre gettext-dev \
     && npm install -g node-gyp \
     && yarn install --frozen-lockfile && yarn cache clean --all
 
@@ -21,8 +19,7 @@ COPY opencti-graphql/package.json opencti-graphql/yarn.lock opencti-graphql/.yar
 COPY opencti-graphql/.yarn ./.yarn
 COPY opencti-graphql/patch ./patch
 RUN set -ex; \
-    apk add --no-cache git tini gcc g++ make musl-dev cargo python3 python3-dev postfix postfix-pcre \
-    && rm /usr/lib/python3.11/EXTERNALLY-MANAGED \
+    apk add --no-cache git tini gcc g++ make musl-dev cargo postfix postfix-pcre gettext-dev \
     && npm install -g node-gyp \
     && yarn install
 COPY opencti-graphql /opt/opencti-build/opencti-graphql
@@ -31,16 +28,11 @@ RUN yarn build:prod
 FROM base AS app
 
 RUN set -ex; \
-    apk add --no-cache git tini gcc g++ make musl-dev cargo python3 python3-dev postfix postfix-pcre; \
-    rm /usr/lib/python3.11/EXTERNALLY-MANAGED; \
-    python3 -m ensurepip; \
-    rm -rv /usr/lib/python*/ensurepip; \
-    pip3 install --no-cache-dir --upgrade pip setuptools wheel; \
-    ln -sf python3 /usr/bin/python;
+    apk add --no-cache git tini gcc g++ make musl-dev cargo postfix postfix-pcre; \
+    pip3 install --no-cache-dir --upgrade pip setuptools wheel;
 WORKDIR /opt/opencti
 COPY opencti-graphql/src/python/requirements.txt ./src/python/requirements.txt
 RUN pip3 install --no-cache-dir --requirement ./src/python/requirements.txt
-RUN pip3 install --upgrade --force --no-cache-dir git+https://github.com/OpenCTI-Platform/client-python@master
 RUN apk del git gcc musl-dev
 COPY --from=graphql-deps-builder /opt/opencti-build/opencti-graphql/node_modules ./node_modules
 COPY --from=graphql-builder /opt/opencti-build/opencti-graphql/build ./build

diff --git a/opencti-platform/Dockerfile_fips b/opencti-platform/Dockerfile_fips
@@ -0,0 +1,93 @@
+FROM filigran/python-nodejs-fips:latest AS base
+
+FROM base AS graphql-deps-builder
+
+WORKDIR /opt/opencti-build/opencti-graphql
+COPY opencti-graphql/package.json opencti-graphql/yarn.lock opencti-graphql/.yarnrc.yml ./
+COPY opencti-graphql/.yarn ./.yarn
+COPY opencti-graphql/patch ./patch
+RUN set -ex; \
+    apk add --no-cache git tini gcc g++ make musl-dev cargo postfix postfix-pcre gettext-dev \
+    && npm install -g node-gyp \
+    && yarn install --frozen-lockfile && yarn cache clean --all
+
+
+FROM base AS graphql-builder
+
+WORKDIR /opt/opencti-build/opencti-graphql
+COPY opencti-graphql/package.json opencti-graphql/yarn.lock opencti-graphql/.yarnrc.yml ./
+COPY opencti-graphql/.yarn ./.yarn
+COPY opencti-graphql/patch ./patch
+RUN set -ex; \
+    apk add --no-cache git tini gcc g++ make musl-dev cargo postfix postfix-pcre gettext-dev \
+    && npm install -g node-gyp \
+    && yarn install
+COPY opencti-graphql /opt/opencti-build/opencti-graphql
+RUN yarn build:prod
+
+
+FROM base AS front-builder
+
+WORKDIR /opt/opencti-build/opencti-front
+
+COPY opencti-front/package.json opencti-front/yarn.lock opencti-front/.yarnrc.yml ./
+COPY opencti-front/.yarn ./.yarn
+COPY opencti-front/patch ./patch
+COPY opencti-front/packages ./packages
+RUN set -ex; \
+    apk add --no-cache git tini gcc g++ make musl-dev cargo postfix postfix-pcre gettext-dev \
+    && npm install -g node-gyp \
+    && yarn install
+
+COPY opencti-front /opt/opencti-build/opencti-front
+COPY opencti-graphql/config/schema/opencti.graphql /opt/opencti-build/opencti-graphql/config/schema/opencti.graphql
+
+RUN yarn build:standalone
+
+
+FROM base AS app
+
+RUN set -ex; \
+    apk add --no-cache git tini gcc g++ make musl-dev cargo postfix postfix-pcre \
+    && pip3 install --no-cache-dir --upgrade pip setuptools wheel
+WORKDIR /opt/opencti
+
+COPY opencti-graphql/src/python/requirements.txt ./src/python/requirements.txt
+
+RUN pip3 install --no-cache-dir --requirement ./src/python/requirements.txt \
+    && apk del git gcc musl-dev
+
+COPY --from=graphql-deps-builder /opt/opencti-build/opencti-graphql/node_modules ./node_modules
+COPY --from=graphql-builder /opt/opencti-build/opencti-graphql/build ./build
+COPY --from=graphql-builder /opt/opencti-build/opencti-graphql/static ./static
+COPY --from=front-builder /opt/opencti-build/opencti-front/builder/prod/build ./public
+COPY opencti-graphql/src ./src
+COPY opencti-graphql/config ./config
+COPY opencti-graphql/script ./script
+
+ARG UID=10000
+ARG GID=10001
+ARG USERNAME="_opencti"
+
+ENV PYTHONUNBUFFERED=1
+ENV NODE_OPTIONS="--force-fips --max_old_space_size=12288"
+ENV NODE_ENV=production
+
+RUN set -ex \
+    ; addgroup -g "${GID}" -S "${USERNAME}" \
+    && adduser \
+        -h /opt/opencti \
+        -g "OpenCTI privsep user" \
+        -s "/sbin/nologin" \
+        -G "${USERNAME}" \
+        -S \
+        -u "${UID}" \
+        "${USERNAME}" \
+    && install -o "${UID}" -g "${GID}" -m 0750 -d '/opt/opencti/logs'
+
+VOLUME ["/opt/opencti/logs"]
+
+USER "${USERNAME}"
+
+ENTRYPOINT ["/sbin/tini", "--"]
+CMD ["node", "build/back.js"]