From b94b44a0ced8f41b082fd4b1f99eac51260c7bf4 Mon Sep 17 00:00:00 2001
From: Stefano Ortolani
Date: Fri, 12 Jul 2024 17:41:37 +0100
Subject: [PATCH] Replace Debian with Ubuntu 24.04 LTS
---
core/Dockerfile | 50 ++++++++++++++-----
...ondrej-ubuntu-nginx-mainline-noble.sources | 24 +++++++++
.../ondrej-ubuntu-php-noble.sources | 23 +++++++++
core/files/etc/nginx/sites-available/misp443 | 5 +-
modules/Dockerfile | 15 ++++--
5 files changed, 97 insertions(+), 20 deletions(-)
create mode 100644 core/files/etc/apt/sources.list.d/ondrej-ubuntu-nginx-mainline-noble.sources
create mode 100644 core/files/etc/apt/sources.list.d/ondrej-ubuntu-php-noble.sources
diff --git a/core/Dockerfile b/core/Dockerfile
index e86b94f..bcfd0f8 100644
--- a/core/Dockerfile
+++ b/core/Dockerfile
@@ -1,7 +1,7 @@
 ARG DOCKER_HUB_PROXY=""
-FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm" AS php-base
+FROM "${DOCKER_HUB_PROXY}ubuntu:24.04" AS php-base
 ENV DEBIAN_FRONTEND noninteractive
 # Uncomment when building in corporate environments
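Review bot: The `FROM "${DOCKER_HUB_PROXY}ubuntu:24.04" AS php-base` line pins only a floating tag, so each rebuild silently takes whatever `ubuntu:24.04` resolves to on that day; the replaced `python:3.12-slim-bookworm` tag had the same weakness, but swapping the base is the natural moment to close it. Appending the digest of the image that was actually reviewed (`ubuntu:24.04@sha256:<digest>`, keeping the `${DOCKER_HUB_PROXY}` prefix) makes builds reproducible and turns base-image updates into visible diffs; the two `FROM ... ubuntu:24.04` lines in modules/Dockerfile further down want the same treatment. If the project deliberately tracks the tag to pick up Ubuntu security updates, say so in a one-line comment above `FROM` so the choice is not re-litigated in every review.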
@@ -9,12 +9,16 @@ FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm" AS php-base
 # COPY ./rootca.crt /usr/lib/ssl/cert.pem
 RUN apt-get update; apt-get install -y --no-install-recommends \
- lsb-release \
- ca-certificates \
- curl
- RUN curl -sSLo /tmp/debsuryorg-archive-keyring.deb https://packages.sury.org/debsuryorg-archive-keyring.deb
- RUN dpkg -i /tmp/debsuryorg-archive-keyring.deb
- RUN echo "deb [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list
+ ca-certificates
+
+ COPY files/etc/apt/sources.list.d/ondrej-ubuntu-php-noble.sources /etc/apt/sources.list.d/ondrej-ubuntu-php-noble.sources
+ COPY files/etc/apt/sources.list.d/ondrej-ubuntu-nginx-mainline-noble.sources /etc/apt/sources.list.d/ondrej-ubuntu-nginx-mainline-noble.sources
+
+ # RUN apt-get update; apt-get install -y --no-install-recommends \
+ # software-properties-common
+ # # && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
+ # RUN add-apt-repository ppa:ondrej/php
+ # RUN add-apt-repository ppa:ondrej/nginx-mainline
 RUN apt-get update
@@ -23,6 +27,7 @@ FROM php-base AS composer-build
 ENV COMPOSER_ALLOW_SUPERUSER 1
 ARG CORE_TAG
 ARG CORE_COMMIT
+ ARG TARGETPLATFORM
 RUN apt-get install -y --no-install-recommends \
 php7.4 \
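Review bot: The five `# RUN ...` / `# RUN add-apt-repository ppa:ondrej/...` lines added after the two `COPY ... .sources` instructions are commented-out code whose status every later reader has to work out; drop them or replace them with a comment that records the decision, e.g. `# PPAs are vendored as deb822 .sources files with the Launchpad signing key inline, so the build needs neither software-properties-common nor a key download.` Those two `.sources` files are now the only thing that makes the ondrej packages trusted, so the same comment should say how to refresh the embedded key when Launchpad rotates it. The preserved context line `RUN apt-get update; apt-get install -y ...` still joins the two commands with `;`, so a failed index refresh does not fail the build; that predates this commit, but `&&` is the right operator now that the block is being rewritten anyway.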
@@ -42,10 +47,26 @@ FROM php-base AS composer-build
 WORKDIR /tmp
 ADD https://raw.githubusercontent.com/MISP/MISP/${CORE_COMMIT:-${CORE_TAG}}/app/composer.json /tmp
- COPY --from=composer:latest /usr/bin/composer /usr/bin/composer
- RUN composer config --no-interaction allow-plugins.composer/installers true
- RUN composer install
- RUN composer require --with-all-dependencies --no-interaction \
+ COPY --from=composer:2.7.7 /usr/bin/composer /usr/bin/composer
+
+ # See: https://github.com/curl/curl/issues/14154
+ RUN <<-EOF
+ if [ "$TARGETPLATFORM" = "linux/arm64" ]; then
+ cp /usr/bin/composer /composer.phar
+ mkdir /out/
+ php -r '$phar = new Phar("/composer.phar"); $phar->extractTo("/out/");'
+ sed -i "/'verify_peer_name' =>.*/a 'verify_peer_status' => CURLOPT_SSL_VERIFYSTATUS," /out/src/Composer/Util/Http/CurlDownloader.php
+ sed -i "/\$options = StreamContextFactory.*/a \$options['ssl']['verify_peer'] = false;" /out/src/Composer/Util/Http/CurlDownloader.php
+ sed -i "/\$options = StreamContextFactory.*/a \$options['ssl']['verify_peer_name'] = false;" /out/src/Composer/Util/Http/CurlDownloader.php
+ sed -i "/\$options = StreamContextFactory.*/a \$options['ssl']['verify_peer_status'] = false;" /out/src/Composer/Util/Http/CurlDownloader.php
+ rm /usr/bin/composer
+ ln -s /out/bin/composer /usr/bin/composer
+ fi
+EOF
+
+ RUN php /usr/bin/composer config --no-interaction allow-plugins.composer/installers true
+ RUN php /usr/bin/composer install
+ RUN php /usr/bin/composer require --with-all-dependencies --no-interaction \
 supervisorphp/supervisor:^4.0 \
 guzzlehttp/guzzle:^7.4.5 \
 lstrojny/fxmlrpc \
@@ -105,6 +126,7 @@ FROM php-base AS python-build
 RUN apt-get install -y --no-install-recommends \
 git \
+ python3-pip \
 && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
 # Download MISP using git in the /var/www/ directory. Remove unnecessary items.
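Review bot: For `linux/arm64` the heredoc rewrites Composer's `CurlDownloader` so that `verify_peer` and `verify_peer_name` are forced to `false`, which disables TLS certificate and hostname validation for every download Composer performs in this stage — Packagist metadata and the dist archives that end up in `Vendor` — so an on-path attacker can feed arbitrary PHP into the image, and because `composer install` runs against a composer.json `ADD`ed from GitHub with no committed lock there is no hash that would catch it. The linked curl issue presumably concerns the OCSP status check; if that is the actual failure, only the `verify_peer_status` mapping and its `= false;` line are needed, and the two `sed` lines that set `verify_peer` and `verify_peer_name` to `false` should be removed so certificate validation stays on. Whatever is kept belongs in the comment above the `RUN`, e.g. `# arm64 only: work around curl#14154 by disabling the OCSP status check in Composer's curl downloader; peer and hostname verification remain enabled.` The heredoc also runs without `set -e`, so a failed `php -r` or `sed` still lets the `if ... fi` return success and the breakage surfaces only at the next `composer` step; start the script with `set -e` and assert the edit took (`grep -q verify_peer_status /out/src/Composer/Util/Http/CurlDownloader.php`) so a future Composer bump cannot turn the patch into a silent no-op.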
@@ -177,6 +199,7 @@ FROM php-base
 gpg-agent \
 mariadb-client \
 rsync \
+ python3-pip \
 # PHP Requirements
 php7.4 \
 php7.4-apcu \
@@ -195,7 +218,7 @@ FROM php-base
 libldap-common \
 librdkafka1 \
 libbrotli1 \
- libsimdjson14 \
+ libsimdjson19 \
 libzstd1 \
 ssdeep \
 libfuzzy2 \
@@ -209,13 +232,14 @@ FROM php-base
 # Install python modules
 COPY --from=python-build /wheels /wheels
- RUN pip install --no-cache-dir /wheels/*.whl && rm -rf /wheels
+ RUN pip install --break-system-packages --no-cache-dir /wheels/*.whl && rm -rf /wheels
 # PHP: install prebuilt libraries, then install the app's PHP deps
 COPY --from=php-build ["/usr/lib/php/${PHP_VER}/ssdeep.so", "/usr/lib/php/${PHP_VER}/rdkafka.so", "/usr/lib/php/${PHP_VER}/brotli.so", "/usr/lib/php/${PHP_VER}/simdjson.so", "/usr/lib/php/${PHP_VER}/zstd.so", "/usr/lib/php/${PHP_VER}/"]
 # Do an early chown to limit image size
 COPY --from=python-build --chown=www-data:www-data --chmod=0550 /var/www/MISP /var/www/MISP
+ COPY --from=composer-build --chown=www-data:www-data --chmod=0550 /tmp/composer.lock /var/www/MISP/app/composer.lock
 COPY --from=composer-build --chown=www-data:www-data --chmod=0550 /tmp/Vendor /var/www/MISP/app/Vendor
 COPY --from=composer-build --chown=www-data:www-data --chmod=0550 /tmp/Plugin /var/www/MISP/app/Plugin
diff --git a/core/files/etc/apt/sources.list.d/ondrej-ubuntu-nginx-mainline-noble.sources b/core/files/etc/apt/sources.list.d/ondrej-ubuntu-nginx-mainline-noble.sources
new file mode 100644
index 0000000..0536632
--- /dev/null
+++ b/core/files/etc/apt/sources.list.d/ondrej-ubuntu-nginx-mainline-noble.sources
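Review bot: `pip install --break-system-packages` on the new `RUN` line installs MISP's wheels into the same interpreter that Ubuntu's `python3-*` packages use, so a wheel shipping a newer version of a module some apt package depends on shadows it from `/usr/local/lib/python3.12/dist-packages` with no warning from either apt or pip. The flag is the pragmatic way past 24.04's PEP 668 guard, but it should be documented as a decision, e.g. `# PEP 668: install MISP's wheels into the system interpreter on purpose (no venv); anything in /usr/lib/python3/dist-packages can be shadowed by a newer wheel.` A virtualenv under `/opt` with `PATH` adjusted would avoid the overlap entirely, though that presumably changes how MISP's workers invoke python, so it may belong in a follow-up. The new `COPY --from=composer-build ... /tmp/composer.lock` line copies a lock that `composer install` generated during this build rather than one checked in, so it records what was resolved without pinning it; a note to that effect next to the line stops readers from assuming the lock is an input.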
@@ -0,0 +1,24 @@
+Types: deb
+URIs: https://ppa.launchpadcontent.net/ondrej/nginx-mainline/ubuntu/
+Suites: noble
+Components: main
+Signed-By:
+ -----BEGIN PGP PUBLIC KEY BLOCK-----
+ .
+ mI0ESX35nAEEALKDCUDVXvmW9n+T/+3G1DnTpoWh9/1xNaz/RrUH6fQKhHr568F8
+ hfnZP/2CGYVYkW9hxP9LVW9IDvzcmnhgIwK+ddeaPZqh3T/FM4OTA7Q78HSvR81m
+ Jpf2iMLm/Zvh89ZsmP2sIgZuARiaHo8lxoTSLtmKXsM3FsJVlusyewHfABEBAAG0
+ H0xhdW5jaHBhZCBQUEEgZm9yIE9uZMWZZWogU3Vyw72ItgQTAQIAIAUCSX35nAIb
+ AwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEE9OoKrlJnpsQjYD/jW1NlIFAlT6
+ EvF2xfVbkhERii9MapjaUsSso4XLCEmZdEGX54GQ01svXnrivwnd/kmhKvyxCqiN
+ LDY/dOaK8MK//bDI6mqdKmG8XbP2vsdsxhifNC+GH/OwaDPvn1TyYB653kwyruCG
+ FjEnCreZTcRUu2oBQyolORDl+BmF4DjLiQEzBBABCgAdFiEECvaBvTqO/UqmWMI/
+ thEcm0xImQEFAmXTV0AACgkQthEcm0xImQGTTggAhuMHGeBZlRUAsZE7jJM7Mf06
+ /WIhcgUfBfSFnJFlFH+xdEe/GFYyVk9kingDsPh90Ecnt4n8DJHTlsuUV1+SPBIO
+ JfbQTUjx1n/+Ck+TVKzRByvrpRXtiZQ214m3zbhZpme2eBBMItZByjG7g925NUIq
+ rL+R5ZoEcZvVlYscfsA0Sr8yJTsGJPefuLYI6eJkNDa1QkzBkSSW4XaCfNIxNBRs
+ zN/qGe3xy0bibOaC4T2TcbZPSAVP855ahNbLAdqkyfAutiEWcKZmQpR9qNh4482k
+ 0pXVlQJ8UB860gVFHjwjFm/MsCeX8yfeAi38ZyInWL2OSG2pDx5ZzNESwnCPIg==
+ =N1rh
+ -----END PGP PUBLIC KEY BLOCK-----
+
diff --git a/core/files/etc/apt/sources.list.d/ondrej-ubuntu-php-noble.sources b/core/files/etc/apt/sources.list.d/ondrej-ubuntu-php-noble.sources
new file mode 100644
index 0000000..18d8fe1
--- /dev/null
+++ b/core/files/etc/apt/sources.list.d/ondrej-ubuntu-php-noble.sources
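Review bot: This `.sources` file enrols the ondrej/nginx-mainline PPA with `Components: main` and nothing pins it, so any package the PPA publishes at a higher version than the Ubuntu archive — not just nginx — wins at `apt-get install`, which silently widens the set of third-party packages the image depends on beyond those named in the Dockerfile. A companion `/etc/apt/preferences.d/` entry that raises the PPA's priority only for the packages actually wanted from it (and keeps everything else from `ppa.launchpadcontent.net` below the archive's priority) makes that boundary explicit; the php PPA added in the next file needs the same. The inline `Signed-By:` block is the whole basis for trusting the repository and nothing here says where it came from; a `#` comment line at the top of the file (deb822 sources accept them) giving the key's fingerprint and the Launchpad page it was exported from would let the next person re-verify it instead of taking the armored blob on faith.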
@@ -0,0 +1,23 @@
+Types: deb
+URIs: https://ppa.launchpadcontent.net/ondrej/php/ubuntu/
+Suites: noble
+Components: main
+Signed-By: -----BEGIN PGP PUBLIC KEY BLOCK-----
+ .
+ mI0ESX35nAEEALKDCUDVXvmW9n+T/+3G1DnTpoWh9/1xNaz/RrUH6fQKhHr568F8
+ hfnZP/2CGYVYkW9hxP9LVW9IDvzcmnhgIwK+ddeaPZqh3T/FM4OTA7Q78HSvR81m
+ Jpf2iMLm/Zvh89ZsmP2sIgZuARiaHo8lxoTSLtmKXsM3FsJVlusyewHfABEBAAG0
+ H0xhdW5jaHBhZCBQUEEgZm9yIE9uZMWZZWogU3Vyw72ItgQTAQIAIAUCSX35nAIb
+ AwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEE9OoKrlJnpsQjYD/jW1NlIFAlT6
+ EvF2xfVbkhERii9MapjaUsSso4XLCEmZdEGX54GQ01svXnrivwnd/kmhKvyxCqiN
+ LDY/dOaK8MK//bDI6mqdKmG8XbP2vsdsxhifNC+GH/OwaDPvn1TyYB653kwyruCG
+ FjEnCreZTcRUu2oBQyolORDl+BmF4DjLiQEzBBABCgAdFiEECvaBvTqO/UqmWMI/
+ thEcm0xImQEFAmXTV0AACgkQthEcm0xImQGTTggAhuMHGeBZlRUAsZE7jJM7Mf06
+ /WIhcgUfBfSFnJFlFH+xdEe/GFYyVk9kingDsPh90Ecnt4n8DJHTlsuUV1+SPBIO
+ JfbQTUjx1n/+Ck+TVKzRByvrpRXtiZQ214m3zbhZpme2eBBMItZByjG7g925NUIq
+ rL+R5ZoEcZvVlYscfsA0Sr8yJTsGJPefuLYI6eJkNDa1QkzBkSSW4XaCfNIxNBRs
+ zN/qGe3xy0bibOaC4T2TcbZPSAVP855ahNbLAdqkyfAutiEWcKZmQpR9qNh4482k
+ 0pXVlQJ8UB860gVFHjwjFm/MsCeX8yfeAi38ZyInWL2OSG2pDx5ZzNESwnCPIg==
+ =N1rh
+ -----END PGP PUBLIC KEY BLOCK-----
+
diff --git a/core/files/etc/nginx/sites-available/misp443 b/core/files/etc/nginx/sites-available/misp443
index d38b810..06492d0 100644
--- a/core/files/etc/nginx/sites-available/misp443
+++ b/core/files/etc/nginx/sites-available/misp443
@@ -1,6 +1,7 @@
 server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
 # disable access logs
 access_log off;
diff --git a/modules/Dockerfile b/modules/Dockerfile
index 1ef48ad..cb7105d 100644
--- a/modules/Dockerfile
+++ b/modules/Dockerfile
@@ -1,7 +1,8 @@
 ARG DOCKER_HUB_PROXY=""
-FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm" AS python-build
+FROM "${DOCKER_HUB_PROXY}ubuntu:24.04" AS python-build
 ENV DEBIAN_FRONTEND noninteractive
+ ARG MODULES_TAG
 ARG MODULES_COMMIT
 ARG LIBFAUP_COMMIT
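Review bot: The `Signed-By:` armor in this file is the same key material as in `ondrej-ubuntu-nginx-mainline-noble.sources`, so a fingerprint check or a key rotation now has to be done in two places that can drift apart. Shipping the key once as a keyring under `/etc/apt/keyrings/` and pointing both files at it (`Signed-By: /etc/apt/keyrings/ondrej-ubuntu.gpg`) leaves a single place to verify and update, and makes the `.sources` files readable at a glance. This file also puts `-----BEGIN PGP PUBLIC KEY BLOCK-----` on the `Signed-By:` line itself, whereas the nginx file starts the armor on a continuation line as the sources.list(5) example does; if that difference was not deliberate, align this one with the nginx file rather than rely on the parser tolerating both layouts.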
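Review bot: `http2 on;` is a directive nginx only understands from 1.25.1 onwards, while the `listen ... http2` parameter it replaces is what older builds — including, as far as I recall, the 1.24 series in Ubuntu 24.04's own archive — expect, so this config now silently depends on nginx being installed from the ondrej/nginx-mainline PPA added in the same commit and nothing in the file says so. Put `# 'http2 on' needs nginx >= 1.25.1, i.e. the ppa:ondrej/nginx-mainline build; the distro package refuses to start on this directive.` above the `listen` lines so a later switch back to the archive package is caught in review rather than at container start. The `server { ... }` block continues past the end of the hunk.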
@@ -9,6 +10,10 @@ FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm" AS python-build
 RUN apt-get update && apt-get install -y --no-install-recommends \
 cmake \
 git \
+ python3-dev \
+ python3-pip \
+ python3-wheel \
+ pipenv \
 build-essential \
 libpoppler-cpp-dev \
 libfuzzy-dev \
@@ -30,7 +35,6 @@ FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm" AS python-build
 EOF
 WORKDIR /srv/misp-modules
- RUN pip install pipenv
 COPY files/Pipfile Pipfile
 COPY files/Pipfile.lock Pipfile.lock
 RUN pipenv requirements > requirements.txt
@@ -58,7 +62,7 @@ EOF
 RUN rm -rf /srv/faup
-FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm"
+FROM "${DOCKER_HUB_PROXY}ubuntu:24.04"
 ENV DEBIAN_FRONTEND noninteractive
 RUN apt-get update && apt-get install -y --no-install-recommends \
@@ -71,17 +75,18 @@ FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm"
 libxml2 \
 libxslt1.1 \
 libzbar0 \
+ python3-pip \
 && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
 COPY --from=python-build /wheels /wheels
 COPY --from=python-build /usr/local/lib/libfaupl* /usr/local/lib/
 RUN ldconfig
- RUN pip install --no-cache-dir --use-deprecated=legacy-resolver /wheels/*.whl && rm -rf /wheels
+ RUN pip install --break-system-packages --no-cache-dir --use-deprecated=legacy-resolver /wheels/*.whl && rm -rf /wheels
 # Since we compile faup ourselves and lua is not required anymore, we can load our own library
 # and skip the pre-compiled blob to improve compatibility with other architectures like ARM
 RUN sed -i s/LoadLibrary\(LOAD_LIB\)/LoadLibrary\(\"\\/usr\\/local\\/lib\\/libfaupl.so\"\)/ \
- /usr/local/lib/python3.12/site-packages/pyfaup/__init__.py
+ /usr/local/lib/python3.12/dist-packages/pyfaup/__init__.py
 # Disable (all) warnings raised when using 'future'
 RUN sed -i '/import sys/a import warnings\nwarnings.warn = lambda *args, **kwargs: None' \
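Review bot: Removing `RUN pip install pipenv` in favour of the `pipenv` package from the noble archive (added to the apt list in the first hunk) is a reproducibility gain, but the context line that follows, `RUN pipenv requirements > requirements.txt`, still exports `Pipfile.lock` without its hashes, so whatever builds the wheels from requirements.txt (presumably a `pip wheel` step outside this hunk) verifies nothing beyond the version string. `RUN pipenv requirements --hash > requirements.txt` carries the lock's `sha256` values through, and pip then rejects any artefact whose hash differs — the one cheap integrity check available when the lock is the only pinned input. A one-line comment on the `pipenv \` entry in the apt list, `# pipenv: only used to export Pipfile.lock to requirements.txt`, explains why a workflow tool sits in the build stage.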