feat(ci): change build to dockerx bake

Signed-off-by: Felipe Zipitria <[email protected]>
coreruleset · Sep 21, 2021 · 7bd5934 · 7bd5934
1 parent 05ceb8d
commit 7bd5934
Show file tree

Hide file tree

Showing 11 changed files with 318 additions and 116 deletions.
diff --git a/.github/workflows/buildimage.yml b/.github/workflows/buildimage.yml
@@ -2,34 +2,48 @@ name: Build images for Docker Hub
 on:
   push:
     branches:
-    - master
+      - master
   schedule:
-    - cron: '0 12 * * MON'  # Run every Monday
+    - cron: "0 12 * * TUE" # Run every Tuesday (base run on Monday)
+
 jobs:
   build:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        version: ['v3.3.2']
-        server: ['apache', 'nginx']
+        crs-version:
+          - "3.3.2"
+        image:
+          - apache
+          - nginx
+        variant:
+          - ""
+          - "-alpine"
     steps:
-    - uses: actions/checkout@v1
-      with:
-        fetch-depth: 1
-
-    - name: Log in to Docker Hub
-      run: docker login
-           -u "${{ secrets.dockerhub_user }}"
-           -p "${{ secrets.dockerhub_token }}"
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 1
 
-    - name: Build ${{ matrix.version }}-${{ matrix.server }}
-      run: make VERSIONS=${{ matrix.version }} SERVERS=${{ matrix.server }}
+      # https://github.com/docker/setup-qemu-action
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
 
-    # As we build multiple versions now, we need one to be the default
-    - name: Set default tag for ${{ matrix.version }}-${{ matrix.server }}
-      run: docker tag owasp/modsecurity-crs:${{ matrix.version }}-${{ matrix.server }}
-                      owasp/modsecurity-crs:${{ matrix.server }}
+      # https://github.com/docker/setup-buildx-action
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+        with:
+          driver-opts: image=moby/buildkit:master
 
-    - name: Push ${{ matrix.version }}-${{ matrix.server }}
-      run: docker push --all-tags owasp/modsecurity-crs
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.dockerhub_user }}
+          password: ${{ secrets.dockerhub_token }}
 
+      - name: Build and push ${{ matrix.crs-version }}-${{ matrix.image }}${{ matrix.variant }}
+        uses: docker/[email protected]
+        with:
+          targets: ${{ matrix.image }}${{ matrix.variant }}
+          files: docker-bake.hcl
+          push: true
diff --git a/.github/workflows/verifyimage.yml b/.github/workflows/verifyimage.yml
@@ -1,30 +1,56 @@
+---
 name: Verify Images
 on:
   pull_request:
     branches:
-    - master
+      - master
 jobs:
   build:
     runs-on: ubuntu-latest
     strategy:
-      # Remember to match these with the buildimage.yml action
       matrix:
-        version: ['v3.3.2']
-        server: ['apache', 'nginx']
+        crs-version:
+          - "3.3.2"
+        image:
+          - apache
+          - nginx
+        variant:
+          - ""
+          - "-alpine"
+        platform:
+          - linux/amd64
     steps:
-    - uses: actions/checkout@v1
-      with:
-        fetch-depth: 1
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 1
 
-    - name: Build ${{ matrix.version }}-${{ matrix.server }}
-      run: make VERSIONS=${{ matrix.version }} SERVERS=${{ matrix.server }} TAG=test
+      # https://github.com/docker/setup-qemu-action
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
 
-    - name: Run ${{ matrix.version }}-${{ matrix.server }}
-      run: |
-        docker run -d --name ${{ matrix.version }}-${{ matrix.server }} test:${{ matrix.version }}-${{ matrix.server }}
-        docker logs --details ${{ matrix.version }}-${{ matrix.server }}
+      # https://github.com/docker/setup-buildx-action
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+        with:
+          driver-opts: image=moby/buildkit:master
 
-    - name: Verify ${{ matrix.version }}-${{ matrix.server }}
-      run: |
-        docker inspect ${{ matrix.version }}-${{ matrix.server }}
-        [ $(docker inspect ${{ matrix.version }}-${{ matrix.server }} --format='{{.State.Running}}') = 'true' ]
+      - name: Build ${{ matrix.crs-version }}-${{ matrix.image }}${{ matrix.variant }}
+        uses: docker/[email protected]
+        with:
+          files: docker-bake.hcl
+          targets: ${{ matrix.image }}${{ matrix.variant }}
+          set: |
+            "${{ matrix.image }}${{ matrix.variant }}.tags=${{ matrix.crs-version }}-${{ matrix.image }}${{ matrix.variant }}-test"
+            "${{ matrix.image }}${{ matrix.variant }}.platform=${{ matrix.platform }}"
+          load: true
+          push: false
+
+      - name: Run ${{ matrix.image }}${{ matrix.variant }}
+        run: |
+          docker run -d --name ${{ matrix.crs-version }}-${{ matrix.image }}${{ matrix.variant }}-test ${{ matrix.crs-version }}-${{ matrix.image }}${{ matrix.variant }}-test
+          docker logs ${{ matrix.crs-version }}-${{ matrix.image }}${{ matrix.variant }}-test
+
+      - name: Verify ${{ matrix.crs-version }}-${{ matrix.image }}${{ matrix.variant }}
+        run: |
+          [ $(docker inspect ${{ matrix.crs-version }}-${{ matrix.image }}${{ matrix.variant }}-test --format='{{.State.Running}}') = 'true' ]
diff --git a/Makefile b/Makefile
diff --git a/README.md b/README.md
@@ -14,26 +14,25 @@ ModSecurity is an open source, cross platform web application firewall (WAF) eng
 
 ## Supported tags and respective `Dockerfile` links
 
-* `3.3.2-nginx`, `nginx` ([master/nginx/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)) – *last stable ModSecurity v3 on Nginx 1.20 official stable base image, and latest stable Core Rule Set 3.3.2 *
-* `3.3.2-apache`, `apache` ([master/apache/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)) – *last stable ModSecurity v2 on Apache 2.4 official stable base image, and latest stable Core Rule Set 3.3.2 *
+* `3-nginx`, `3.3-nginx`, `3.3.2-nginx`, `nginx` ([master/nginx/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)) – *last stable ModSecurity v3 on Nginx 1.20 official stable base image, and latest stable Core Rule Set 3.3.2 *
+* `3-apache`, `3.3-apache`, `3.3.2-apache`, `apache` ([master/apache/Dockerfile](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile)) –*last stable ModSecurity v2 on Apache 2.4 official stable base image, and latest stable Core Rule Set 3.3.2 *
 
-## Building
+## Supported variants
 
-Image building requires `make`, or you can do the same by calling the `src/release.sh` helper with the version release you want and the web server, e.g:
+We have support for [alpine linux](https://www.alpinelinux.org/) variants of the base images. Just add `-alpine` and you will get it. Examples:
 
-```bash
-$ ./src/release.sh "v3.3.2-apache"
-$ docker build --tag owasp/modsecurity-crs:v3.3.2-apache -f v3.3.2-apache/Dockerfile .
-```
+* `3-nginx-alpine`, `3.3-nginx-alpine`, `3.3.2-nginx-alpine`, `nginx-alpine` ([master/nginx/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine) – *last stable ModSecurity v3 on Nginx 1.20 official alpine stable base image, and latest stable Core Rule Set 3.3.2 *
+* `3-apache-alpine`, `3.3-apache-alpine`, `3.3.2-apache-alpine`, `apache-alpine` ([master/apache/Dockerfile-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine)) – *last stable ModSecurity v2 on Apache 2.4 official alpine stable base image, and latest stable Core Rule Set 3.3.2 *
 
-If you call `make` without arguments, will build all releases and web server combinations.
+## Supported architectures
 
-Or use `make VERSIONS=v3.3.3-rc1` and it will get the proper release and build the container.
+We added the [docker buildx](https://github.com/docker/buildx) support to our docker builds so additional architectures are supported now. As we create our containers based on the official apache and nginx ones, we can only support the architectures they support.
 
-You can also add your local tag, or override the build:
+There is a new file `docker-bake.hcl` used for this purpose. To build for new platforms, just use this example:
 
 ```bash
-make VERSIONS=v3.3.2 SERVERS=nginx TAG=mytag
+$ docker buildx use $(docker buildx create --platform linux/amd64,linux/arm64,linux/arm/v8)
+$ docker buildx bake -f docker-bake.hcl
 ```
 
 ## CRS Versions
@@ -50,6 +49,7 @@ $ docker run -p 80:80 -ti -e PARANOIA=4 -v ./rules:/opt/owasp-crs/rules:ro --rm
 ```
 
 ## Apache
+
 The Apache webserver is configured via the `httpd-modsecurity.conf` file overriding directives from the base file.
 
 ## Environment Variables
@@ -120,7 +120,7 @@ docker run -dti --rm \
    -p 80:80 \
    -v /path/to/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf:/etc/modsecurity.d/owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf \
    -v /path/to/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf:/etc/modsecurity.d/owasp-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf \
-   owasp/modsecurity-crs
+   owasp/modsecurity-crs:apache
 ```
 
 ### Copy ModSecurity tuning file into created container
@@ -130,7 +130,7 @@ This example can be helpful when no volume mounts are possible (some CI pipeline
 ```
 docker create -ti --name modseccrs \
    -p 80:80 \
-   owasp/modsecurity-crs
+   owasp/modsecurity-crs:apache
 
 docker cp /path/to/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf \
    modseccrs:/etc/modsecurity.d/owasp-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
@@ -178,5 +178,5 @@ docker run -dti 80:80 --rm \
    -e MODSEC_PCRE_MATCH_LIMIT=1000 \
    -e MODSEC_PCRE_MATCH_LIMIT_RECURSION=1000 \
    -e VALIDATE_UTF8_ENCODING=1 
-   owasp/modsecurity-crs
+   owasp/modsecurity-crs:apache
 ```
diff --git a/apache/Dockerfile b/apache/Dockerfile
@@ -1,8 +1,8 @@
-FROM owasp/modsecurity:2
+FROM owasp/modsecurity:apache
 
-LABEL maintainer="Chaim Sanders <[email protected]>"
+LABEL maintainer="Felipe Zipitria <[email protected]>"
 
-ARG RELEASE=%%RELEASE%%
+ARG RELEASE
 
 ENV PARANOIA=1 \
     ANOMALY_INBOUND=5 \
@@ -31,22 +31,20 @@ COPY src/opt/modsecurity/activate-rules.sh /opt/modsecurity/
 COPY apache/conf/extra/*.conf /usr/local/apache2/conf/extra/
 COPY apache/docker-entrypoint.sh /
 
-# Change default shell to bash
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-
 # hadolint ignore=DL3008,SC2016
-RUN apt-get update \
- && apt-get -y install --no-install-recommends \
-      ca-certificates \
-      curl \
-      iproute2 \
- && mkdir /opt/owasp-crs \
- && curl -SL https://github.com/coreruleset/coreruleset/archive/${RELEASE}.tar.gz \
- | tar -zxf - --strip-components=1 -C /opt/owasp-crs \
- && mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf \
- && ln -sv /opt/owasp-crs /etc/modsecurity.d/ \
- && sed -i -E 's/(Listen) [0-9]+/\1 ${PORT}/g' /usr/local/apache2/conf/httpd.conf \
- && rm -rf /var/lib/apt/lists/*
+RUN set -eux; \
+ apt-get update; \
+ apt-get -y install --no-install-recommends \
+   ca-certificates \
+   curl \
+   iproute2; \
+ mkdir /opt/owasp-crs; \
+ curl -SL https://github.com/coreruleset/coreruleset/archive/v${RELEASE}.tar.gz | \
+ tar -zxf - --strip-components=1 -C /opt/owasp-crs; \
+ mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf; \
+ ln -sv /opt/owasp-crs /etc/modsecurity.d/; \
+ sed -i -E 's/(Listen) [0-9]+/\1 ${PORT}/g' /usr/local/apache2/conf/httpd.conf; \
+ rm -rf /var/lib/apt/lists/*
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["apachectl", "-D", "FOREGROUND"]
diff --git a/apache/Dockerfile-alpine b/apache/Dockerfile-alpine
@@ -0,0 +1,46 @@
+FROM owasp/modsecurity:apache-alpine
+
+LABEL maintainer="Felipe Zipitria <[email protected]>"
+
+ARG RELEASE
+
+ENV PARANOIA=1 \
+    ANOMALY_INBOUND=5 \
+    ANOMALY_OUTBOUND=4 \
+    APACHE_TIMEOUT=60 \
+    LOGLEVEL=warn \
+    ERRORLOG='/proc/self/fd/2' \
+    USER=daemon \
+    GROUP=daemon \
+    SERVERADMIN=root@localhost \
+    SERVERNAME=localhost \
+    PORT=80 \
+    MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \
+    MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \
+    MODSEC_RULE_ENGINE=on \
+    MODSEC_REQ_BODY_ACCESS=on \
+    MODSEC_REQ_BODY_LIMIT=13107200 \
+    MODSEC_REQ_BODY_NOFILES_LIMIT=131072 \
+    MODSEC_RESP_BODY_ACCESS=on \
+    MODSEC_RESP_BODY_LIMIT=1048576 \
+    MODSEC_PCRE_MATCH_LIMIT=100000 \
+    MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000
+
+COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/
+COPY src/opt/modsecurity/activate-rules.sh /opt/modsecurity/
+COPY apache/conf/extra/*.conf /usr/local/apache2/conf/extra/
+COPY apache/docker-entrypoint.sh /
+
+# hadolint ignore=DL3008,SC2016
+RUN set -eux; \
+    apk add --no-cache \
+    ca-certificates \
+    curl \
+    iproute2; \
+    mkdir /opt/owasp-crs; \
+    curl -SL https://github.com/coreruleset/coreruleset/archive/v${RELEASE}.tar.gz \
+    | tar -zxf - --strip-components=1 -C /opt/owasp-crs; \
+    mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf; \
+    ln -sv /opt/owasp-crs /etc/modsecurity.d/; \
+    sed -i -E 's/(Listen) [0-9]+/\1 ${PORT}/g' /usr/local/apache2/conf/httpd.conf
+