From 6f5ece8bc1be9aca7a4600070e48612db77a8df5 Mon Sep 17 00:00:00 2001 From: ironbank-bot Date: Thu, 10 Dec 2020 01:06:27 +0000 Subject: [PATCH 1/8] Migrate to hardening_manifest.yaml --- Dockerfile | 1 - Jenkinsfile | 2 -- download.json | 20 ------------- hardening_manifest.yaml | 63 +++++++++++++++++++++++++++++++++++++++++ 4 files changed, 63 insertions(+), 23 deletions(-) delete mode 100644 Jenkinsfile delete mode 100644 download.json create mode 100644 hardening_manifest.yaml diff --git a/Dockerfile b/Dockerfile index 80cac2d..2b21cf7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -66,7 +66,6 @@ RUN find / -xdev -perm -4000 -exec chmod u-s {} + RUN groupadd --gid 1000 kibana && useradd --uid 1000 --gid 1000 --home-dir /usr/share/kibana --no-create-home kibana USER kibana -LABEL org.label-schema.schema-version="1.0" org.label-schema.vendor="Elastic" org.label-schema.name="kibana" org.label-schema.version="7.10.0" org.label-schema.url="https://www.elastic.co/products/kibana" org.label-schema.vcs-url="https://github.com/elastic/kibana" org.label-schema.license="Elastic License" license="Elastic License" ENTRYPOINT ["/usr/local/bin/dumb-init", "--"] diff --git a/Jenkinsfile b/Jenkinsfile deleted file mode 100644 index f60d67a..0000000 --- a/Jenkinsfile +++ /dev/null @@ -1,2 +0,0 @@ -@Library('DCCSCR@master') _ -dccscrPipeline(version: '7.10.0') diff --git a/download.json b/download.json deleted file mode 100644 index 4dc3748..0000000 --- a/download.json +++ /dev/null 
@@ -1,20 +0,0 @@ -{ - "resources": [ - { - "url": "https://artifacts.elastic.co/downloads/kibana/kibana-7.10.0-linux-x86_64.tar.gz", - "filename": "kibana-7.10.0-linux-x86_64.tar.gz", - "validation": { - "type": "sha512", - "value": "385fe5d875ba074e0931a1e9ebbac8e3d91d300ca478f589da06b01c68e4694c5953a538afd6c385bdccec0f0d3cda1a5dc39f1b56e41d584cdcab8fba466677" - } - }, - { - "url": "https://github.com/Yelp/dumb-init/releases/download/v1.2.2/dumb-init_1.2.2_amd64", - "filename": "dumb-init", - "validation": { - "type": "sha256", - "value": "37f2c1f0372a45554f1b89924fbb134fc24c3756efaedf11e07f599494e0eff9" - } - } - ] -} diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml new file mode 100644 index 0000000..ad3044e --- /dev/null +++ b/hardening_manifest.yaml 
@@ -0,0 +1,63 @@ +--- +apiVersion: v1 + +# The repository name in registry1, excluding /ironbank/ +name: "elastic/kibana/kibana" + +# List of tags to push for the repository in registry1 +# The most specific version should be the first tag and will be shown +# on ironbank.dsop.io +tags: +- "7.10.0" +- "latest" + +# Build args passed to Dockerfile ARGs +args: + BASE_IMAGE: "redhat/ubi/ubi8" + BASE_TAG: "8.3" + +# Docker image labels +labels: + org.opencontainers.image.title: "kibana" + ## Human-readable description of the software packaged in the image + # org.opencontainers.image.description: "FIXME" + ## License(s) under which contained software is distributed + # org.opencontainers.image.licenses: "FIXME" + ## URL to find more information on the image + # org.opencontainers.image.url: "FIXME" + ## Name of the distributing entity, organization or individual + # org.opencontainers.image.vendor: "FIXME" + org.opencontainers.image.version: "7.10.0" + ## Keywords to help with search (ex. "cicd,gitops,golang") + # mil.dso.ironbank.image.keywords: "FIXME" + ## This value can be "opensource" or "commercial" + # mil.dso.ironbank.image.type: "FIXME" + ## Product the image belongs to for grouping multiple images + # mil.dso.ironbank.product.name: "FIXME" + +# List of resources to make available to the offline build context +resources: +- filename: kibana-7.10.0-linux-x86_64.tar.gz + url: https://artifacts.elastic.co/downloads/kibana/kibana-7.10.0-linux-x86_64.tar.gz + validation: + type: sha512 + value: 385fe5d875ba074e0931a1e9ebbac8e3d91d300ca478f589da06b01c68e4694c5953a538afd6c385bdccec0f0d3cda1a5dc39f1b56e41d584cdcab8fba466677 +- filename: dumb-init + url: https://github.com/Yelp/dumb-init/releases/download/v1.2.2/dumb-init_1.2.2_amd64 + validation: + type: sha256 + value: 37f2c1f0372a45554f1b89924fbb134fc24c3756efaedf11e07f599494e0eff9 + +# List of project maintainers +# FIXME: Fill in the following details for the current container owner in the whitelist +# FIXME: 
Include any other vendor information if applicable +maintainers: +- email: "nassim.kammah@elastic.co" +# # The name of the current container owner +# name: "FIXME" +# # The gitlab username of the current container owner +# username: "FIXME" +# cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT +# - name: "FIXME" +# username: "FIXME" +# email: "FIXME" -- GitLab From 5b37d918dd739b6515cfda4fb359c4d7436d0522 Mon Sep 17 00:00:00 2001 From: Tyler Smalley Date: Mon, 21 Dec 2020 15:20:51 -0800 Subject: [PATCH 2/8] Upgrade Kibana to 7.10.1 Signed-off-by: Tyler Smalley --- Dockerfile | 6 +++--- Jenkinsfile | 2 +- download.json | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 80cac2d..cb623cc 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,8 +14,8 @@ RUN yum update --setopt=tsflags=nodocs -y && \ RUN mkdir /usr/share/kibana WORKDIR /usr/share/kibana -COPY --chown=1000:0 kibana-7.10.0-linux-x86_64.tar.gz . -RUN tar --strip-components=1 -zxf kibana-7.10.0-linux-x86_64.tar.gz +COPY --chown=1000:0 kibana-7.10.1-linux-x86_64.tar.gz . +RUN tar --strip-components=1 -zxf kibana-7.10.1-linux-x86_64.tar.gz # Ensure that group permissions are the same as user permissions. # This will help when relying on GID-0 to run Kibana, rather than UID-1000. # OpenShift does this, for example. 
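Review bot: `BASE_TAG: "8.3"` pins the UBI base only to a mutable minor-version tag, so two builds of this manifest can pull different base layers while every other build input is hash-pinned under `resources`; if the manifest schema allows it, pin the base by digest, otherwise record the digest that was built against in a comment next to the tag, e.g. `# ubi8:8.3 resolved to sha256:<digest> at time of build`. The `latest` tag pushed alongside `7.10.0` is mutable by design, so downstream consumers who need reproducible pulls should be told to reference the version tag. The `maintainers` block is still the template: `name`, `username` and `cht_member` are commented-out FIXME placeholders around a single email, so ownership for the whitelist is not yet recorded in this commit.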
@@ -66,7 +66,7 @@ RUN find / -xdev -perm -4000 -exec chmod u-s {} + RUN groupadd --gid 1000 kibana && useradd --uid 1000 --gid 1000 --home-dir /usr/share/kibana --no-create-home kibana USER kibana -LABEL org.label-schema.schema-version="1.0" org.label-schema.vendor="Elastic" org.label-schema.name="kibana" org.label-schema.version="7.10.0" org.label-schema.url="https://www.elastic.co/products/kibana" org.label-schema.vcs-url="https://github.com/elastic/kibana" org.label-schema.license="Elastic License" license="Elastic License" +LABEL org.label-schema.schema-version="1.0" org.label-schema.vendor="Elastic" org.label-schema.name="kibana" org.label-schema.version="7.10.1" org.label-schema.url="https://www.elastic.co/products/kibana" org.label-schema.vcs-url="https://github.com/elastic/kibana" org.label-schema.license="Elastic License" license="Elastic License" ENTRYPOINT ["/usr/local/bin/dumb-init", "--"] diff --git a/Jenkinsfile b/Jenkinsfile index f60d67a..0d0038f 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -1,2 +1,2 @@ @Library('DCCSCR@master') _ -dccscrPipeline(version: '7.10.0') +dccscrPipeline(version: '7.10.1') diff --git a/download.json b/download.json index 4dc3748..2358c76 100644 --- a/download.json +++ b/download.json @@ -1,11 +1,11 @@ { "resources": [ { - "url": "https://artifacts.elastic.co/downloads/kibana/kibana-7.10.0-linux-x86_64.tar.gz", - "filename": "kibana-7.10.0-linux-x86_64.tar.gz", + "url": "https://artifacts.elastic.co/downloads/kibana/kibana-7.10.1-linux-x86_64.tar.gz", + "filename": "kibana-7.10.1-linux-x86_64.tar.gz", "validation": { "type": "sha512", - "value": "385fe5d875ba074e0931a1e9ebbac8e3d91d300ca478f589da06b01c68e4694c5953a538afd6c385bdccec0f0d3cda1a5dc39f1b56e41d584cdcab8fba466677" + "value": "bf332b3c13c4d71d3e6a1e8b68cca85b215151b5130f862ea14c548f72bca0978829cd49af8d8e9ce1bc46098c65add7d8a0cf5ec4767b219a0cd7474ec78f11" } }, { -- GitLab From 225a83d95d714170394040100756fd01d7adbe6b Mon Sep 17 00:00:00 2001 
From: Tyler Smalley Date: Thu, 14 Jan 2021 12:23:03 -0800 Subject: [PATCH 3/8] Updates labels/maintainers Signed-off-by: Tyler Smalley --- hardening_manifest.yaml | 38 ++++++++++++-------------------------- 1 file changed, 12 insertions(+), 26 deletions(-) diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index ad3044e..5f1fd19 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -19,21 +19,14 @@ args: # Docker image labels labels: org.opencontainers.image.title: "kibana" - ## Human-readable description of the software packaged in the image - # org.opencontainers.image.description: "FIXME" - ## License(s) under which contained software is distributed - # org.opencontainers.image.licenses: "FIXME" - ## URL to find more information on the image - # org.opencontainers.image.url: "FIXME" - ## Name of the distributing entity, organization or individual - # org.opencontainers.image.vendor: "FIXME" - org.opencontainers.image.version: "7.10.0" - ## Keywords to help with search (ex. "cicd,gitops,golang") - # mil.dso.ironbank.image.keywords: "FIXME" - ## This value can be "opensource" or "commercial" - # mil.dso.ironbank.image.type: "FIXME" - ## Product the image belongs to for grouping multiple images - # mil.dso.ironbank.product.name: "FIXME" + org.opencontainers.image.description: "Your window into the Elastic Stack." + org.opencontainers.image.licenses: "Elastic License" + org.opencontainers.image.url: "https://www.elastic.co/products/kibana" + org.opencontainers.image.vendor: "Elastic" + org.opencontainers.image.version: "7.10.1" + # mil.dso.ironbank.image.keywords: "" + # mil.dso.ironbank.image.type: "commercial" + mil.dso.ironbank.product.name: "Kibana" # List of resources to make available to the offline build context resources: 
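Review bot: `org.opencontainers.image.licenses: "Elastic License"` is free text, whereas the OCI image-spec defines that annotation as an SPDX license expression; I cannot confirm an SPDX short identifier for the Elastic License that applied to Kibana 7.10, so either use a `LicenseRef-` form such as `LicenseRef-Elastic-License` or keep the text and mark the deviation with a comment, `# free text, not an SPDX identifier`. The hunk also leaves `mil.dso.ironbank.image.type` commented out although the surrounding template comment says the value is expected to be opensource or commercial; if the field is consumed by the pipeline, uncomment `mil.dso.ironbank.image.type: "commercial"` rather than carrying a dead line.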
@@ -49,15 +42,8 @@ resources: value: 37f2c1f0372a45554f1b89924fbb134fc24c3756efaedf11e07f599494e0eff9 # List of project maintainers -# FIXME: Fill in the following details for the current container owner in the whitelist -# FIXME: Include any other vendor information if applicable maintainers: -- email: "nassim.kammah@elastic.co" -# # The name of the current container owner -# name: "FIXME" -# # The gitlab username of the current container owner -# username: "FIXME" -# cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT -# - name: "FIXME" -# username: "FIXME" -# email: "FIXME" +- name: "Tyler Smalley" + email: "tyler.smalley@elastic.co" + username: "tylersmalley" + cht_member: false -- GitLab From 43e1eb37ac0cf220c0ce6bc48065ecfedf4717c2 Mon Sep 17 00:00:00 2001 From: Tyler Smalley Date: Thu, 14 Jan 2021 12:23:18 -0800 Subject: [PATCH 4/8] Updates resources for 7.10.1 Signed-off-by: Tyler Smalley --- hardening_manifest.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 5f1fd19..697880d 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -30,11 +30,11 @@ labels: # List of resources to make available to the offline build context resources: -- filename: kibana-7.10.0-linux-x86_64.tar.gz - url: https://artifacts.elastic.co/downloads/kibana/kibana-7.10.0-linux-x86_64.tar.gz +- filename: kibana-7.10.1-linux-x86_64.tar.gz + url: https://artifacts.elastic.co/downloads/kibana/kibana-7.10.1-linux-x86_64.tar.gz validation: type: sha512 - value: 385fe5d875ba074e0931a1e9ebbac8e3d91d300ca478f589da06b01c68e4694c5953a538afd6c385bdccec0f0d3cda1a5dc39f1b56e41d584cdcab8fba466677 + value: bf332b3c13c4d71d3e6a1e8b68cca85b215151b5130f862ea14c548f72bca0978829cd49af8d8e9ce1bc46098c65add7d8a0cf5ec4767b219a0cd7474ec78f11 - filename: dumb-init url: https://github.com/Yelp/dumb-init/releases/download/v1.2.2/dumb-init_1.2.2_amd64 validation: -- GitLab 
From 58adb819eb0f1cd8a6c9629d3e95c5de68fc565b Mon Sep 17 00:00:00 2001 From: Tyler Smalley Date: Thu, 14 Jan 2021 12:30:02 -0800 Subject: [PATCH 5/8] Update tag to reflect 7.10.1 Signed-off-by: Tyler Smalley --- hardening_manifest.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 697880d..20c040a 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -8,7 +8,7 @@ name: "elastic/kibana/kibana" # The most specific version should be the first tag and will be shown # on ironbank.dsop.io tags: -- "7.10.0" +- "7.10.1" - "latest" # Build args passed to Dockerfile ARGs -- GitLab From 093b9c2f0888acb7b2077686885d4e5e53e03528 Mon Sep 17 00:00:00 2001 From: "alexander.klepal" Date: Fri, 15 Jan 2021 15:20:21 +0000 Subject: [PATCH 6/8] Update hardening_manifest.yaml --- hardening_manifest.yaml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 20c040a..7be6f06 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -43,7 +43,12 @@ resources: # List of project maintainers maintainers: -- name: "Tyler Smalley" - email: "tyler.smalley@elastic.co" +- email: "tyler.smalley@elastic.co" + name: "Tyler Smalley" username: "tylersmalley" cht_member: false +- email: "klepal_alexander@bah.com" + name: "Alexander Klepal" + username: "alexander.klepal" + cht_member: true + -- GitLab From b4a0ef71f940e062cdd147b1f0a7476433c7a281 Mon Sep 17 00:00:00 2001 From: Tyler Smalley Date: Mon, 25 Jan 2021 13:39:49 -0800 Subject: [PATCH 7/8] Upgrade Kibana to 7.10.2 Signed-off-by: Tyler Smalley --- Dockerfile | 4 ++-- hardening_manifest.yaml | 10 +++++----- scripts/kibana-docker | 4 ++++ 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 14b80c8..5fe80de 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -14,8 +14,8 @@ RUN yum update --setopt=tsflags=nodocs -y && \ RUN mkdir /usr/share/kibana WORKDIR /usr/share/kibana -COPY --chown=1000:0 kibana-7.10.1-linux-x86_64.tar.gz . -RUN tar --strip-components=1 -zxf kibana-7.10.1-linux-x86_64.tar.gz +COPY --chown=1000:0 kibana-7.10.2-linux-x86_64.tar.gz . +RUN tar --strip-components=1 -zxf kibana-7.10.2-linux-x86_64.tar.gz # Ensure that group permissions are the same as user permissions. # This will help when relying on GID-0 to run Kibana, rather than UID-1000. # OpenShift does this, for example. diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 7be6f06..528eda6 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -8,7 +8,7 @@ name: "elastic/kibana/kibana" # The most specific version should be the first tag and will be shown # on ironbank.dsop.io tags: -- "7.10.1" +- "7.10.2" - "latest" # Build args passed to Dockerfile ARGs 
@@ -23,18 +23,18 @@ labels: org.opencontainers.image.licenses: "Elastic License" org.opencontainers.image.url: "https://www.elastic.co/products/kibana" org.opencontainers.image.vendor: "Elastic" - org.opencontainers.image.version: "7.10.1" + org.opencontainers.image.version: "7.10.2" # mil.dso.ironbank.image.keywords: "" # mil.dso.ironbank.image.type: "commercial" mil.dso.ironbank.product.name: "Kibana" # List of resources to make available to the offline build context resources: -- filename: kibana-7.10.1-linux-x86_64.tar.gz - url: https://artifacts.elastic.co/downloads/kibana/kibana-7.10.1-linux-x86_64.tar.gz +- filename: kibana-7.10.2-linux-x86_64.tar.gz + url: https://artifacts.elastic.co/downloads/kibana/kibana-7.10.2-linux-x86_64.tar.gz validation: type: sha512 - value: bf332b3c13c4d71d3e6a1e8b68cca85b215151b5130f862ea14c548f72bca0978829cd49af8d8e9ce1bc46098c65add7d8a0cf5ec4767b219a0cd7474ec78f11 + value: aa68f850cc09cf5dcb7c0b48bb8df788ca58eaad38d96141b8e59917fd38b42c728c0968f7cb2c8132c5aaeb595525cdde0859554346c496f53c569e03abe412 - filename: dumb-init url: https://github.com/Yelp/dumb-init/releases/download/v1.2.2/dumb-init_1.2.2_amd64 validation: diff --git a/scripts/kibana-docker b/scripts/kibana-docker index f8d5bd7..49feba1 100755 --- a/scripts/kibana-docker +++ b/scripts/kibana-docker @@ -162,6 +162,9 @@ kibana_vars=( xpack.code.security.gitProtocolWhitelist xpack.encryptedSavedObjects.encryptionKey xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys + xpack.fleet.agents.elasticsearch.host + xpack.fleet.agents.kibana.host + xpack.fleet.agents.tlsCheckDisabled xpack.graph.enabled xpack.graph.canEditDrillDownUrls xpack.graph.savePolicy @@ -234,6 +237,7 @@ kibana_vars=( xpack.security.authc.oidc.realm xpack.security.authc.saml.realm xpack.security.authc.saml.maxRedirectURLSize + xpack.security.authc.selector.enabled xpack.security.cookieName xpack.security.enabled xpack.security.encryptionKey -- GitLab 
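Review bot: `xpack.fleet.agents.tlsCheckDisabled` is added to the `kibana_vars` allowlist with no marker that it is a security-sensitive switch; judging by its name it turns off TLS verification for Fleet agent connections, and once it is in this list it can be enabled from the container environment alone, which is easy to overlook in a hardened image. Consider a comment above the entry, `# security-sensitive: disables TLS verification for Fleet agents; never set in production`, or documenting the setting in the image README so operators see the caveat. The `kibana_vars=(` array begins before this hunk, so the rest of the allowlist is not visible here.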
From 052c8bede15fe49dbda6447adef1e6c9a9fc09f4 Mon Sep 17 00:00:00 2001 From: Tyler Smalley Date: Mon, 1 Feb 2021 14:03:00 -0800 Subject: [PATCH 8/8] Use tini for init, add fonts, and minor updates This change brings us in-line with the upstream Dockerfile changes in the Kibana repository, including formatting to make diffs easier. Signed-off-by: Tyler Smalley --- Dockerfile | 24 ++++++++++++++---------- hardening_manifest.yaml | 14 +++++++++----- 2 files changed, 23 insertions(+), 15 deletions(-) diff --git a/Dockerfile b/Dockerfile index 5fe80de..9408762 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,6 +16,7 @@ RUN mkdir /usr/share/kibana WORKDIR /usr/share/kibana COPY --chown=1000:0 kibana-7.10.2-linux-x86_64.tar.gz . RUN tar --strip-components=1 -zxf kibana-7.10.2-linux-x86_64.tar.gz + # Ensure that group permissions are the same as user permissions. # This will help when relying on GID-0 to run Kibana, rather than UID-1000. # OpenShift does this, for example. @@ -31,15 +32,19 @@ FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} EXPOSE 5601 RUN yum update --setopt=tsflags=nodocs -y && \ - yum install -y fontconfig freetype shadow-utils libnss3.so && \ + yum install -y fontconfig freetype shadow-utils nss && \ yum clean all COPY LICENSE /licenses/elastic-kibana # Add a dumb init process -WORKDIR /usr/local/bin -COPY dumb-init /usr/local/bin/dumb-init -RUN chmod +x /usr/local/bin/dumb-init +COPY tini /bin/tini +RUN chmod +x /bin/tini + +# Noto Fonts +RUN mkdir /usr/share/fonts/local +COPY NotoSansCJK-Regular.ttc /usr/share/fonts/local/NotoSansCJK-Regular.ttc +RUN fc-cache -v # Bring in Kibana from the initial stage. COPY --from=prep_files --chown=1000:0 /usr/share/kibana /usr/share/kibana 
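Review bot: The comment `# Add a dumb init process` is now stale: the lines under it copy tini, and `ENTRYPOINT ["/bin/tini", "--"]` later in this commit makes tini the container's init process, so update it to `# Add tini as the container init process (PID 1)`. `chmod +x /bin/tini` without a who-clause yields bits that depend on the build umask; `chmod 0755 /bin/tini` states the intended mode explicitly. The `RUN fc-cache -v` step is fine functionally, but the `-v` only adds build-log noise and can be dropped.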
@@ -56,17 +61,16 @@ COPY --chown=1000:0 config/kibana.yml /usr/share/kibana/config/kibana.yml # variables and translate them to Kibana CLI options. COPY --chown=1000:0 scripts/kibana-docker /usr/local/bin/ -# Ensure gid 0 write permissions for OpenShift. -RUN chmod g+ws /usr/share/kibana && find /usr/share/kibana -gid 0 -and -not -perm /g+w -exec chmod g+w {} \; - # Remove the suid bit everywhere to mitigate "Stack Clash" RUN find / -xdev -perm -4000 -exec chmod u-s {} + # Provide a non-root user to run the process. -RUN groupadd --gid 1000 kibana && useradd --uid 1000 --gid 1000 --home-dir /usr/share/kibana --no-create-home kibana -USER kibana +RUN groupadd --gid 1000 kibana && \ + useradd --uid 1000 --gid 1000 -G 0 \ + --home-dir /usr/share/kibana --no-create-home \ + kibana -ENTRYPOINT ["/usr/local/bin/dumb-init", "--"] +ENTRYPOINT ["/bin/tini", "--"] CMD ["/usr/local/bin/kibana-docker"] diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 528eda6..52c0f10 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml 
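Review bot: The hunk removes `USER kibana` together with the old one-line groupadd/useradd, but the new multi-line `RUN groupadd ... useradd --uid 1000 --gid 1000 -G 0 ... kibana` does not restore it, and the commit's diffstat (14 insertions, 10 deletions) is fully accounted for by the three Dockerfile hunks shown, so the final stage now ends without a USER instruction and Kibana will start as root unless the runtime overrides the user. Re-add `USER kibana` (or `USER 1000`) after the useradd and before `ENTRYPOINT`; the comment `# Provide a non-root user to run the process.` otherwise describes a user that is created but never switched to. The `-G 0` supplementary group plus the deleted `chmod g+ws ... find ... g+w` is presumably the upstream OpenShift arbitrary-UID pattern; that only works if the group-permission fix-up in the prep stage (outside this hunk) still covers everything written at runtime, including `config/kibana.yml`, which is copied with `--chown=1000:0` after that stage, so that is worth confirming.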
@@ -35,11 +35,16 @@ resources: validation: type: sha512 value: aa68f850cc09cf5dcb7c0b48bb8df788ca58eaad38d96141b8e59917fd38b42c728c0968f7cb2c8132c5aaeb595525cdde0859554346c496f53c569e03abe412 -- filename: dumb-init - url: https://github.com/Yelp/dumb-init/releases/download/v1.2.2/dumb-init_1.2.2_amd64 +- filename: tini + url: https://github.com/krallin/tini/releases/download/v0.19.0/tini-amd64 validation: - type: sha256 - value: 37f2c1f0372a45554f1b89924fbb134fc24c3756efaedf11e07f599494e0eff9 + type: sha512 + value: 8053cc21a3a9bdd6042a495349d1856ae8d3b3e7664c9654198de0087af031f5d41139ec85a2f5d7d2febd22ec3f280767ff23b9d5f63d490584e2b7ad3c218c +- filename: NotoSansCJK-Regular.ttc + url: https://github.com/googlefonts/noto-cjk/raw/NotoSansV2.001/NotoSansCJK-Regular.ttc + validation: + type: sha512 + value: 0ce56bde1853fed3e53282505bac65707385275a27816c29712ab04c187aa249797c82c58759b2b36c210d4e2683eda92359d739a8045cb8385c2c34d37cc9e1 # List of project maintainers maintainers: @@ -51,4 +56,3 @@ maintainers: name: "Alexander Klepal" username: "alexander.klepal" cht_member: true - -- GitLab
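Review bot: Both new resources are pinned by URL and sha512, which is the right shape, but nothing records where the digests came from; as far as I recall tini's GitHub releases also publish per-asset checksum and signature files, so the value should be cross-checked against those rather than against a local download, and a comment such as `# sha512 cross-checked against the v0.19.0 release checksum file` would make that traceable. The font is fetched from a tag-pinned `raw` GitHub URL, which is acceptable only because the sha512 is enforced; note that in a comment so nobody later relaxes the validation. `tini-amd64` is the dynamically linked build; it should run on the UBI8 base, but if the binary is ever reused on a slimmer base the static variant would avoid the libc dependency.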