refactor: us S6 process supervisor (#21)

* use `s6-overlay` as process supervisor * install `go-exploitdb` instead of using teh official Docker image as it is based on EOL Alpine Linux version (3.15)
openclarity · Dec 8, 2023 · 6f0d9d0 · 6f0d9d0
1 parent 40fb685
commit 6f0d9d0
Show file tree

Hide file tree

Showing 23 changed files with 153 additions and 99 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,22 +1,96 @@
-# v0.4.5
-FROM vuls/go-exploitdb@sha256:4738ca739083d41b89aab11012e283f89645f5cdbb5c021f2fbb6584bd5fe423
+FROM alpine:3.18
 
-# Make directory to store DB if not volume mounted
-RUN mkdir /vuls
+ARG TARGETPLATFORM
 
-# Set up a cron job to update the database files every 3 hours
-RUN echo "0 */3 * * * /update.sh" >> /var/spool/cron/crontabs/root
+RUN apk --no-cache add git ca-certificates
 
-# Make sure the cron job file has proper permissions
-RUN chmod 0600 /var/spool/cron/crontabs/root
+ADD --link --chmod=600 crontabs/root /var/spool/cron/crontabs/root
 
-# Copy updater script and make it executable
-COPY update.sh /update.sh
-RUN chmod +x /update.sh
+RUN <<EOT
+  set -e
 
-# Copy entry point script and make it executable
-COPY entrypoint.sh /entrypoint.sh
-RUN chmod +x /entrypoint.sh
+  version=0.4.6
+  ## Install s6-overlay binaries
+  case "$TARGETPLATFORM" in
+    "linux/amd64")
+      url=https://github.com/vulsio/go-exploitdb/releases/download/v${version}/go-exploitdb_${version}_linux_amd64.tar.gz
+      checksum=b27cd43a1c194bb365c73d6e4bd199911d83aab4bf48a5eca4ecb8838c0daa9c
+      ;;
+    "linux/arm64")
+      url=https://github.com/vulsio/go-exploitdb/releases/download/v${version}/go-exploitdb_${version}_linux_arm64.tar.gz
+      checksum=432a51a12aebcd4350c4d10c1435cb0d7a5720a7a9bb204a109ccd6c10553184
+      ;;
+    *)
+      printf "ERROR: %s" "invalid architecture"
+      exit 1
+  esac
 
-# Use the entrypoint script to start freshclam, cron, and Nginx
-ENTRYPOINT ["/entrypoint.sh"]
+  archive="$(basename ${url})"
+  wget -q -O "${archive}" "${url}"
+  printf "%s %s" "${checksum}" "${archive}" | sha256sum -c -
+  tar xzvf "${archive}" -C /usr/local/bin 'go-exploitdb'
+  rm -f "${archive}"
+
+  chown root:root /usr/local/bin/go-exploitdb
+  chmod +x /usr/local/bin/go-exploitdb
+
+  mkdir -p /etc/go-exploitdb /var/lib/go-exploitdb /var/log/go-exploitdb
+EOT
+
+ADD --link --chmod=644 go-exploitdb/go-exploitdb.yaml /etc/go-exploitdb/go-exploitdb.yaml
+ADD --link --chmod=755 go-exploitdb/go-exploitdb-update.sh /usr/local/bin/go-exploitdb-update
+
+VOLUME ["/etc/go-exploitdb", "/var/lib/go-exploitdb", "/var/log/go-exploitdb"]
+
+RUN <<EOT
+  set -e
+
+  version=3.1.6.2
+  url=
+  checksum=
+
+  ## Install s6-overlay scripts
+  url=https://github.com/just-containers/s6-overlay/releases/download/v${version}/s6-overlay-noarch.tar.xz
+  checksum=05af2536ec4fb23f087a43ce305f8962512890d7c71572ed88852ab91d1434e3
+
+  archive="$(basename ${url})"
+  wget -q -O "${archive}" "${url}"
+  printf "%s %s" "${checksum}" "${archive}" | sha256sum -c -
+  tar -C / -Jxpf "${archive}"
+  rm -f "${archive}"
+
+  ## Install s6-overlay binaries
+  case "$TARGETPLATFORM" in
+    "linux/amd64")
+      url=https://github.com/just-containers/s6-overlay/releases/download/v${version}/s6-overlay-x86_64.tar.xz
+      checksum=95081f11c56e5a351e9ccab4e70c2b1c3d7d056d82b72502b942762112c03d1c
+      ;;
+    "linux/arm64")
+      url=https://github.com/just-containers/s6-overlay/releases/download/v${version}/s6-overlay-aarch64.tar.xz
+      checksum=3fc0bae418a0e3811b3deeadfca9cc2f0869fb2f4787ab8a53f6944067d140ee
+      ;;
+    *)
+      printf "ERROR: %s" "invalid architecture"
+      exit 1
+  esac
+
+  archive="$(basename ${url})"
+  wget -q -O "${archive}" "${url}"
+  printf "%s %s" "${checksum}" "${archive}" | sha256sum -c -
+  tar -C / -Jxpf "${archive}"
+  rm -f "${archive}"
+EOT
+
+ADD --link --chmod=755 s6-rc.d/cron /etc/s6-overlay/s6-rc.d/cron
+ADD --link --chmod=755 s6-rc.d/go-exploitdb /etc/s6-overlay/s6-rc.d/go-exploitdb
+ADD --link --chmod=755 s6-rc.d/go-exploitdb-updater /etc/s6-overlay/s6-rc.d/go-exploitdb-updater
+ADD --link --chmod=755 s6-rc.d/user/contents.d/* /etc/s6-overlay/s6-rc.d/user/contents.d/
+
+ENV S6_KEEP_ENV 1
+# Stop container if any of the services fail to start at boot.
+ENV S6_BEHAVIOUR_IF_STAGE2_FAILS 2
+ENV S6_VERBOSITY 1
+# Stop container if services are not started in 10 mins.
+ENV S6_CMD_WAIT_FOR_SERVICES_MAXTIME 600000
+
+ENTRYPOINT ["/init"]
diff --git a/README.md b/README.md
@@ -33,7 +33,7 @@ To persist the database between container runs:
 
 ```
 mkdir /opt/exploit-db
-docker run -d -p 1326:1326 -v /opt/exploit-db:/vuls -name exploit-db-server <registry>/exploit-db-server:<tag>
+docker run -d -p 1326:1326 -v /opt/exploit-db:/var/lib/go-exploitdb -name exploit-db-server <registry>/exploit-db-server:<tag>
 ```
 
 ## Querying

diff --git a/crontabs/root b/crontabs/root
@@ -0,0 +1 @@
+0 */3 * * * go-exploitdb-update
diff --git a/entrypoint.sh b/entrypoint.sh
diff --git a/go-exploitdb/go-exploitdb-update.sh b/go-exploitdb/go-exploitdb-update.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env sh
+
+set -e
+
+info () {
+  printf "INFO [go-exploitdb-update]: %s\n" "${1}"
+}
+
+error () {
+  printf "ERROR [go-exploitdb-update]: %s\n" "${1}"
+}
+
+update () {
+  local config
+  config=/etc/go-exploitdb/go-exploitdb.yaml
+
+  for db in awesomepoc exploitdb githubrepos inthewild; do
+    info "updating database: ${db}"
+    go-exploitdb --config="${config}" fetch "${db}" || error "failed to update database: ${db}"
+  done
+}
+
+main () {
+  (
+    flock -n 200 || error "failed to acquire lock."
+    update
+  ) 200>/var/lock/go-exploitdb-update.lock
+}
+
+main
diff --git a/go-exploitdb/go-exploitdb.yaml b/go-exploitdb/go-exploitdb.yaml
@@ -0,0 +1,5 @@
+---
+dbtype: sqlite3
+dbpath: /var/lib/go-exploitdb/go-exploitdb.sqlite3
+log-json: false
+debug: false
diff --git a/s6-rc.d/cron/dependencies.d/base b/s6-rc.d/cron/dependencies.d/base
diff --git a/s6-rc.d/cron/dependencies.d/go-exploitdb-updater b/s6-rc.d/cron/dependencies.d/go-exploitdb-updater
diff --git a/s6-rc.d/cron/finish b/s6-rc.d/cron/finish
@@ -0,0 +1,7 @@
+#!/command/execlineb -S0
+
+foreground {
+  redirfd -w 1 /run/s6-linux-init-container-results/exitcode echo "$1"
+}
+
+/run/s6/basedir/bin/halt
diff --git a/s6-rc.d/cron/run b/s6-rc.d/cron/run
@@ -0,0 +1,3 @@
+#!/command/execlineb -P
+
+exec crond -f -d 7
diff --git a/s6-rc.d/cron/type b/s6-rc.d/cron/type
@@ -0,0 +1 @@
+longrun
diff --git a/s6-rc.d/go-exploitdb-updater/dependencies.d/base b/s6-rc.d/go-exploitdb-updater/dependencies.d/base
diff --git a/s6-rc.d/go-exploitdb-updater/type b/s6-rc.d/go-exploitdb-updater/type
@@ -0,0 +1 @@
+oneshot
diff --git a/s6-rc.d/go-exploitdb-updater/up b/s6-rc.d/go-exploitdb-updater/up
@@ -0,0 +1,3 @@
+#!/command/execlineb -P
+
+exec go-exploitdb-update
diff --git a/s6-rc.d/go-exploitdb/dependencies.d/base b/s6-rc.d/go-exploitdb/dependencies.d/base
diff --git a/s6-rc.d/go-exploitdb/dependencies.d/go-exploitdb-updater b/s6-rc.d/go-exploitdb/dependencies.d/go-exploitdb-updater
diff --git a/s6-rc.d/go-exploitdb/finish b/s6-rc.d/go-exploitdb/finish
@@ -0,0 +1,7 @@
+#!/command/execlineb -S0
+
+foreground {
+  redirfd -w 1 /run/s6-linux-init-container-results/exitcode echo "$1"
+}
+
+/run/s6/basedir/bin/halt
diff --git a/s6-rc.d/go-exploitdb/run b/s6-rc.d/go-exploitdb/run
@@ -0,0 +1,3 @@
+#!/command/execlineb -P
+
+exec go-exploitdb server --bind 0.0.0.0 --config=/etc/go-exploitdb/go-exploitdb.yaml
diff --git a/s6-rc.d/go-exploitdb/type b/s6-rc.d/go-exploitdb/type
@@ -0,0 +1 @@
+longrun
diff --git a/s6-rc.d/user/contents.d/cron b/s6-rc.d/user/contents.d/cron
diff --git a/s6-rc.d/user/contents.d/go-exploitdb b/s6-rc.d/user/contents.d/go-exploitdb
diff --git a/s6-rc.d/user/contents.d/go-exploitdb-updater b/s6-rc.d/user/contents.d/go-exploitdb-updater
diff --git a/update.sh b/update.sh