#193 Fix docker entrypoint

build.sbt

@@ -34,10 +34,10 @@ run := {
   (run in Compile).evaluated
   frontendDev.value
 }
-
 mappings in packageBin in Assets ++= frontendFiles.value
 
-// Remove conf files// Install service files //
+// Remove conf files
+// Install service files
 mappings in Universal ~= {
   _.flatMap {
     case (file, "conf/application.conf") => Nil
@@ -87,7 +87,7 @@ linuxEtcDefaultTemplate in Debian := (baseDirectory.value / "install" / "etc_def
 linuxMakeStartScript in Debian := None
 
 // RPM //
-rpmRelease := "7"
+rpmRelease := "8"
 rpmVendor in Rpm := "TheHive Project"
 rpmUrl := Some("http://thehive-project.org/")
 rpmLicense := Some("AGPL")
@@ -101,23 +101,30 @@ rpmPrefix := Some(defaultLinuxInstallLocation.value)
 linuxEtcDefaultTemplate in Rpm := (baseDirectory.value / "install" / "etc_default_thehive").asURL
 
 // DOCKER //
-import com.typesafe.sbt.packager.docker.{Cmd, ExecCmd}
+import com.typesafe.sbt.packager.docker.{ Cmd, ExecCmd }
 
-dockerBaseImage := "elasticsearch:2.3"
-dockerExposedVolumes += "/data"
+defaultLinuxInstallLocation in Docker := "/opt/thehive"
 dockerRepository := Some("certbdf")
 dockerUpdateLatest := true
-mappings in Docker += file("install/docker/entrypoint") -> "bin/entrypoint"
-
-dockerCommands := dockerCommands.value.map {
-  case ExecCmd("ENTRYPOINT", _*) => ExecCmd("ENTRYPOINT", "bin/entrypoint")
-  case cmd => cmd
+dockerEntrypoint := Seq("/opt/thehive/entrypoint")
+dockerExposedPorts := Seq(9000)
+mappings in Docker ++= Seq(
+  file("install/docker/entrypoint") -> "/opt/thehive/entrypoint",
+  file("conf/logback.xml") -> "/etc/thehive/logback.xml",
+  file("install/empty") -> "/var/log/thehive/application.log")
+mappings in Docker ~= (_.filterNot {
+  case (_, filepath) => filepath == "/opt/thehive/conf/application.conf"
+})
+dockerCommands ~= { dc =>
+  val (dockerInitCmds, dockerTailCmds) = dc.splitAt(4)
+  dockerInitCmds ++
+    Seq(
+      Cmd("ADD", "var", "/var"),
+      Cmd("ADD", "etc", "/etc"),
+      ExecCmd("RUN", "chown", "-R", "daemon:daemon", "/var/log/thehive")) ++
+    dockerTailCmds
 }
 
-dockerCommands := (dockerCommands.value.head +:
-  Cmd("EXPOSE", "9000") +:
-  dockerCommands.value.tail)
-
 // Bintray //
 bintrayOrganization := Some("cert-bdf")
 bintrayRepository := "thehive"

docker/thehive/docker-compose.yml

@@ -0,0 +1,21 @@
+version: "2"
+services:
+  elasticsearch:
+    image: elasticsearch:2
+    command: [
+      -Des.script.inline=on,
+      -Des.cluster.name=hive,
+      -Des.threadpool.index.queue_size=100000,
+      -Des.threadpool.search.queue_size=100000,
+      -Des.threadpool.bulk.queue_size=1000]
+  cortex:
+    image: certbdf/cortex:latest
+    ports:
+      - "0.0.0.0:9001:9000"
+  thehive:
+    image: certbdf/thehive:latest
+    depends_on:
+      - elasticsearch
+      - cortex
+    ports:
+      - "0.0.0.0:9000:9000"

docker/thehive/thehive.conf

@@ -0,0 +1,5 @@
+cortex {
+  aa {
+    url = "http://192.168.1.1"
+  }
+}

install/docker/entrypoint

@@ -1,24 +1,119 @@
 #!/bin/bash
 
-/docker-entrypoint.sh elasticsearch \
-	-Des.path.data=/data \
-	-Des.script.inline=on \
-	-Des.cluster.name=hive \
-	-Des.threadpool.index.queue_size=100000 \
-	-Des.threadpool.search.queue_size=100000 \
-	-Des.threadpool.bulk.queue_size=1000 &
+ES_HOSTNAME=elasticsearch
+CONFIG_SECRET=1
+CONFIG_ES=1
+CONFIG_CORTEX=1
+CORTEX_HOSTNAME=cortex
+CORTEX_PROTO=http
+CORTEX_PORT=9000
+CORTEX_URLS=()
+CONFIG=1
+CONFIG_FILE=/etc/thehive/application.conf
 
+function usage {
+	cat <<- _EOF_
+		Available options:
+		--no-config		| do not try to configure TheHive (add secret and elasticsearch)
+		--no-config-secret	| do not add random secret to configuration
+		--no-config-es		| do not add elasticsearch hosts to configuration
+		--es-hosts <esconfig>	| use this string to configure elasticsearch hosts (format: ["host1:9300","host2:9300"])
+		--es-hostname <host>	| resolve this hostname to find elasticseach instances
+		--secret <secret>	| secret to secure sessions
+		--cortex-proto <proto>	| define protocol to connect to Cortex (default: http)
+		--cortex-port <port>	| define port to connect to Cortex (default: 9000)
+		--cortex-url <url>	| add Cortex connection
+		--cortex-hostname <host>| resolve this hostname to find Cortex instances
+	_EOF_
+	exit 1
+}
 
-if test ! -e conf/application.conf
+STOP=0
+while test $# -gt 0 -o $STOP = 1
+do
+	case "$1" in
+		"--no-config")		CONFIG=0;;
+		"--no-config-secret")	CONFIG_SECRET=0;;
+		"--secret")		shift; SECRET=$1;;
+		"--no-config-es")	CONFIG_ES=0;;
+		"--es-hosts")		shift; ES_HOSTS=$1;;
+		"--es-hostname")	shift; ES_HOSTNAME=$1;;
+		"--no-config-cortex")	CONFIG_CORTEX=0;;
+		"--cortex-proto")	shift; CORTEX_PROTO=$1;;
+		"--cortex-port")	shift; CORTEX_PORT=$1;;
+		"--cortex-url")		shift; CORTEX_URLS+=($1);;
+		"--cortex-hostname")	shift; CORTEX_HOSTNAME=$1;;
+		"--")			STOP=1;;
+		*)			usage
+	esac
+	shift
+done
+
+if test $CONFIG = 1
 then
-	mkdir -p conf
-	cat > conf/application.conf <<- _EOF_
-		# Secret key
-		# ~~~~~
-		# The secret key is used to secure cryptographics functions.
-		# If you deploy your application to several instances be sure to use the same key!
-		play.crypto.secret="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1)"
-		_EOF_
+	CONFIG_FILE=$(mktemp).conf
+	if test $CONFIG_SECRET = 1
+	then
+		if test -z "$SECRET"
+		then
+			SECRET=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1)
+		fi
+		echo Using secret: $SECRET
+		echo play.crypto.secret=\"$SECRET\" >> $CONFIG_FILE
+	fi
+
+	if test $CONFIG_ES = 1
+	then
+		if test -z "$ES_HOSTS"
+		then
+			function join_es_hosts {
+				echo -n "[\"$1"
+				shift
+				printf "%s:9300\"]" "${@/#/:9300\",\"}"
+			}
+
+			ES=$(getent ahostsv4 $ES_HOSTNAME | awk '{ print $1 }' | sort -u)
+			if test -z "$ES"
+			then
+				echo "Warning automatic elasticsearch host config fails"
+			else
+				ES_HOSTS=$(join_es_hosts $ES)
+			fi
+		fi
+		if test -n "$ES_HOSTS"
+		then
+			echo Using elasticsearch host: $ES_HOSTS
+			echo search.host=$ES_HOSTS >> $CONFIG_FILE
+		else
+			echo elasticsearch host not configured
+		fi
+	fi
+
+	if test $CONFIG_CORTEX = 1
+	then
+		if test -n "$CORTEX_HOSTNAME"
+		then
+			CORTEX_URLS+=($(getent ahostsv4 $CORTEX_HOSTNAME | awk "{ print \"$CORTEX_PROTO://\"\$1\":$CORTEX_PORT\" }" | sort -u))
+		fi
+
+		if test ${#CORTEX_URLS[@]} -gt 0
+		then
+			echo "play.modules.enabled += connectors.cortex.CortexConnector" >> $CONFIG_FILE
+		fi
+		I=1
+		for C in ${CORTEX_URLS[@]}
+		do
+			echo Add Cortex cortex$I: $C
+			echo cortex.cortex$I.url=\"$C\" >> $CONFIG_FILE
+			I=$(($I+1))
+		done
+	fi
+
+	echo 'include file("/etc/thehive/application.conf")' >> $CONFIG_FILE
 fi
 
-bin/thehive $@
+exec bin/thehive \
+	-Dconfig.file=$CONFIG_FILE \
+	-Dlogger.file=/etc/thehive/logback.xml \
+	-Dpidfile.path=/dev/null \
+	$@

install/thehive.conf

@@ -1,7 +1,7 @@
 # generated upstart config
 
 description "Scalable, Open Source and Free Security Incident Response Solutions"
-author "Thomas Franco <[email protected]"
+author "Thomas Franco <[email protected]>"
 
 # Stanzas
 #
@@ -22,10 +22,6 @@ respawn limit 1 60
 
 normal exit 0
 
-pre-start script
-	[ -d /var/run/thehive ] || install -m 755 -o thehive -g thehive -d /var/run/thehive
-end script
-
 # set the working directory of the job processes
 chdir /opt/thehive
 

install/thehive.service

@@ -10,17 +10,10 @@ WorkingDirectory=/opt/thehive
 User=thehive
 Group=thehive
 
-RuntimeDirectory=thehive
-RuntimeDirectoryMode=0750
-
-ExecStartPre=/bin/mkdir -p /run/thehive /var/log/thehive
-ExecStartPre=/bin/chown thehive:thehive /run/thehive /var/log/thehive
-ExecStartPre=/bin/chmod 755 /run/thehive /var/log/thehive
-
 ExecStart=/opt/thehive/bin/thehive \
-                        -Dconfig.file=/etc/thehive/application.conf \
-                        -Dlogger.file=/etc/thehive/logback.xml \
-			            -Dpidfile.path=/dev/null
+	-Dconfig.file=/etc/thehive/application.conf \
+	-Dlogger.file=/etc/thehive/logback.xml \
+	-Dpidfile.path=/dev/null
 
 StandardOutput=journal
 StandardError=inherit

project/Release.scala

@@ -29,6 +29,7 @@ object Release {
       IO.load(properties, credentialsFile)
       val token = Option(properties.getProperty("token")).fold("")(t => s"-t $t")
       s"github_changelog_generator $token" ! sLog.value
+      ()
     }
   )
 }