Add docker-compose for grr

.github/workflows/build.yml

@@ -223,6 +223,50 @@ jobs:
           path: gcs_upload_dir/
           retention-days: 1
 
+  build-push-docker-base-image:
+    env:
+      REGISTRY: ghcr.io
+      IMAGE_NAME: ${{ github.repository }}
+    runs-on: ubuntu-22.04
+    needs:
+      - build-centos
+      - build-ubuntu
+      - build-osx
+      - build-windows
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Download installers from GitHub artifacts
+        id: download
+        uses: actions/download-artifact@v4
+        with:
+          pattern: '*_installer*'
+          path: _installers
+      - name: Login to GitHub Container registry
+        # if: ${{ github.event_name == 'push' }}
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        # if: ${{ github.event_name == 'push' }}
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        # if: ${{ github.event_name == 'push' }}
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: Dockerfile.base
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
   test-ubuntu-e2e:
     continue-on-error: true  # Debug follow up step.
     runs-on: ubuntu-22.04

Dockerfile.base

@@ -0,0 +1,62 @@
+FROM ubuntu:22.04 AS builder
+
+LABEL maintainer="[email protected]"
+
+ENV DEBIAN_FRONTEND noninteractive
+# Buffering output (sometimes indefinitely if a thread is stuck in
+# a loop) makes for a non-optimal user experience when containers
+# are run in the foreground, so we disable that.
+ENV PYTHONUNBUFFERED 0
+
+RUN apt-get update && \
+  apt-get install -y \
+  default-jre \
+  python-is-python3 \
+  python3-dev \
+  python3-pip \
+  python3-venv \
+  python3-mysqldb \
+  build-essential \
+  linux-headers-generic \ 
+  dh-make \
+  rpm
+
+# Only available when building as part of Github Actions.
+COPY _installers* /client_installers
+
+ENV VIRTUAL_ENV /usr/share/grr-server
+ENV GRR_SOURCE /usr/src/grr
+
+RUN python -m venv --system-site-packages $VIRTUAL_ENV
+ENV PATH="$VIRTUAL_ENV/bin:$PATH"
+
+RUN pip install wheel nodeenv grpcio-tools==1.60
+
+RUN nodeenv -p --prebuilt --node=16.13.0
+
+RUN mkdir ${GRR_SOURCE}
+ADD . ${GRR_SOURCE}
+
+WORKDIR ${GRR_SOURCE}
+
+RUN cd grr/server/grr_response_server/gui/static && \
+  npm ci && npm run gulp compile
+
+RUN python grr/proto/makefile.py && \
+  python grr/core/grr_response_core/artifacts/makefile.py
+
+RUN pip install grr/proto \
+  pip install grr/core \
+  pip install grr/client \
+  pip install grr/server \
+  pip install grr/client_builder \
+  pip install api_client/python
+
+RUN rm -r ${GRR_SOURCE}
+
+WORKDIR /
+
+ENTRYPOINT [ "grr_server" ]
+
+
+

docker-compose.yaml

@@ -0,0 +1,174 @@
+services:
+  db:
+    image: mysql:8.2
+    env_file: docker/.env
+    container_name: grr-db
+    hostname: mysql-host
+    command: [
+      --max_allowed_packet=40M,
+      --log_bin_trust_function_creators=1
+    ]
+    restart: always
+    volumes:
+      - ./docker_config_files/mysql/init.sh:/docker-entrypoint-initdb.d/init.sh
+      - db_data:/var/lib/mysql:rw
+    ports:
+      - "3306" 
+    expose:
+      - "3306"
+    networks:
+      - server-network
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
+      timeout: 5s
+      retries: 10
+
+  grr-admin-ui:
+    build:
+      dockerfile: Dockerfile.base
+      context: .
+    container_name: grr-admin-ui
+    hostname: admin-ui
+    restart: always
+    depends_on: 
+      db:
+        condition: service_healthy
+    volumes:
+      - ./docker_config_files/server:/configs/
+    ports:
+      - "8000"
+      - "8080"
+    expose:
+      - 8080
+      - 8000
+    networks:
+      - server-network
+    tty: true
+    stdin_open: true
+    command:
+      - -component
+      - admin_ui
+      - -config 
+      - /configs/grr.server.yaml
+      - --verbose
+
+  grr-fleetspeak-frontend:
+    build:
+      dockerfile: Dockerfile.base
+      context: .
+    container_name: grr-fleetspeak-frontend
+    hostname: grr-fleetspeak-frontend
+    depends_on: 
+      db:
+        condition: service_healthy
+    volumes:
+      - ./docker_config_files/server/:/configs/
+    ports:
+      - "11111"
+    restart: always
+    stdin_open: true
+    tty: true
+    networks:
+      - server-network
+    command:
+      - -component
+      - frontend
+      - -config 
+      - /configs/grr.server.yaml
+      - --verbose
+
+  fleetspeak-admin:
+    image: ghcr.io/google/fleetspeak:master
+    container_name: fleetspeak-admin
+    hostname: fleetspeak-admin
+    depends_on: 
+      db:
+        condition: service_healthy
+    networks:
+      - server-network
+    ports:
+      - "4444"
+    volumes:
+      - ./docker_config_files/server/:/configs/
+    stdin_open: true
+    tty: true
+    entrypoint: [
+      "server", 
+      "-components_config",
+      "/configs/admin.components.config",
+      "-services_config", 
+      "/configs/grr_frontend.service",
+      "-alsologtostderr",
+      "-v",
+      "1000"
+    ]
+
+  fleetspeak-frontend:
+    image: ghcr.io/google/fleetspeak:master
+    container_name: fleetspeak-frontend
+    hostname: fleetspeak-frontend
+    depends_on: 
+      db:
+        condition: service_healthy
+    networks:
+      - server-network
+    ports: 
+      - "4443"
+    volumes:
+      - ./docker_config_files/server/:/configs/
+    entrypoint: [
+      "server", 
+      "-components_config",
+      "/configs/frontend.components.config",
+      "-services_config", 
+      "/configs/grr_frontend.service",
+      "-alsologtostderr",
+      "-v",
+      "1000"
+    ]
+
+  grr-worker:
+    build:
+      dockerfile: Dockerfile.base
+      context: .
+    container_name: grr-worker
+    volumes:
+      - ./docker_config_files/server/:/configs/
+    hostname: grr-worker
+    depends_on: 
+      db:
+        condition: service_healthy
+    restart: always
+    stdin_open: true
+    tty: true
+    networks:
+      - server-network
+    command:
+      - -component
+      - worker
+      - -config 
+      - /configs/grr.server.yaml
+      - --verbose
+
+  # linux-client:
+  #   build:
+  #     dockerfile: docker/client/Dockerfile.linux
+  #   container_name: grr-linux-client
+  #   restart: always
+  #   depends_on: 
+  #     - db
+  #     - fleetspeak-frontend
+  #   volumes:
+  #     - installers/:/installers/
+  #   tty: true
+  #   stdin_open: true
+  #   networks:
+  #     - server-network
+  #   entrypoint: /entrypoint.sh
+
+volumes:
+  db_data:
+  installers:
+networks:
+  server-network:
+

docker/.env

@@ -0,0 +1,12 @@
+ADMIN_PASSWORD="admin"
+
+MYSQL_ROOT_PASSWORD='root'
+MYSQL_ROOT_HOST="%"
+
+FLEETSPEAK_DB='fleetspeak'
+FLEETSPEAK_DB_USER='fleetspeak-user'
+FLEETSPEAK_DB_PASSWORD='fleetspeak-password'
+
+GRR_DB='grr'
+GRR_DB_USER='grru'
+GRR_DB_PASSWORD='grrp'

docker/client/Dockerfile.linux

@@ -0,0 +1,9 @@
+FROM ubuntu:22.04
+
+LABEL maintainer="[email protected]"
+
+RUN apt-get update
+RUN apt-get install -y iputils-ping
+
+COPY ./docker/client/entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh

docker/client/entrypoint.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+dpkg -i /installers/*.deb
+
+./usr/bin/fleetspeak-client \
+    -alsologtostderr \
+    -std_forward \
+    -config /configs/client.config

docker_config_files/client/client.config

@@ -0,0 +1,20 @@
+server: "fleetspeak-frontend:4443"
+trusted_certs: |
+  -----BEGIN CERTIFICATE-----
+  MIIByjCCAXCgAwIBAgIQRXLVvpuGxHhfDTlZ3drY8TAKBggqhkjOPQQDAjAjMSEw
+  HwYDVQQDExhGbGVldHNwZWFrIEZsZWV0c3BlYWsgQ0EwHhcNMjMxMjE1MTQyMTQ2
+  WhcNMjQxMjE0MTQyMTQ2WjAnMSUwIwYDVQQDExxGbGVldHNwZWFrIEZsZWV0c3Bl
+  YWsgU2VydmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaCG+J04RBhTCTDgr
+  Ml+KfTLOab/vOsNix+zMzzG8C+7Sz5K3Jf/wqCRlScft3IK0wJo7PMT1+kJTWHxo
+  bHFD+qOBgTB/MA4GA1UdDwEB/wQEAwIChDAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud
+  DgQWBBTvdTLzfJCcEx9x6/DQo9u6JErv/jAfBgNVHSMEGDAWgBTDqQ/s7QxdkVU+
+  qXUTazg4lzhDUTAcBgNVHREEFTATghFmbGVldHNwZWFrLXNlcnZlcjAKBggqhkjO
+  PQQDAgNIADBFAiBtWzU2jEBrEIwt2rxfL68KfSAXb1wL1cs4NFqXj0vGUQIhAJJJ
+  vh+1vmpSS1Az9yxQoZK8Upo4wJe6zg2SfokzY681
+  -----END CERTIFICATE-----
+client_label: ""
+filesystem_handler: {
+  configuration_directory:"/configs/fleetspeak-config"
+  state_file:"/fleetspeak-client.state"
+}
+streaming:true

docker_config_files/client/fleetspeak-config/grr_client.service

@@ -0,0 +1,9 @@
+name: "GRR"
+factory: "Daemon"
+config: {
+  [type.googleapis.com/fleetspeak.daemonservice.Config]: {
+    argv: "/venv/bin/grr_client"
+    argv: "--config"
+    argv: "/configs/grr.client.yaml"
+  }
+}

docker_config_files/client/grr.client.yaml

@@ -0,0 +1,7 @@
+Client.fleetspeak_enabled: true
+Client.foreman_check_frequency: 10  # seconds
+Logging.verbose: true
+Logging.engines: file,stderr
+Logging.path: /tmp/grr-client
+Logging.filename: /tmp/grr-client/grr-client.log
+Config.writeback: /tmp/grr-client/grr-client.local.yaml

docker_config_files/mysql/init.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -ex
+
+echo "** Creating default DB for GRR and fleetspeak"
+
+mysql -u root -p$MYSQL_ROOT_PASSWORD --execute \
+"CREATE USER'$GRR_DB_USER'@'$MYSQL_ROOT_HOST' IDENTIFIED BY '$GRR_DB_PASSWORD';
+CREATE DATABASE $GRR_DB;
+GRANT ALL ON $GRR_DB.* TO '$GRR_DB_USER'@'$MYSQL_ROOT_HOST';
+CREATE USER '$FLEETSPEAK_DB_USER'@'$MYSQL_ROOT_HOST' IDENTIFIED BY '$FLEETSPEAK_DB_PASSWORD';
+CREATE DATABASE $FLEETSPEAK_DB;
+GRANT ALL ON $FLEETSPEAK_DB.* TO '$FLEETSPEAK_DB_USER'@'$MYSQL_ROOT_HOST';
+FLUSH PRIVILEGES;"
+
+echo "** Finished creating DBs and users"

docker_config_files/server/admin.components.config

@@ -0,0 +1,5 @@
+mysql_data_source_name: "fleetspeak-user:fleetspeak-password@tcp(mysql-host:3306)/fleetspeak"
+admin_config: <
+  listen_address: "0.0.0.0:4444"
+>
+notification_use_http_notifier: true

docker_config_files/server/frontend.components.config

@@ -0,0 +1,8 @@
+mysql_data_source_name: "fleetspeak-user:fleetspeak-password@tcp(mysql-host:3306)/fleetspeak"
+https_config: <
+  listen_address: "fleetspeak-frontend:4443"
+  certificates: "-----BEGIN CERTIFICATE-----\nMIIByjCCAXCgAwIBAgIQRXLVvpuGxHhfDTlZ3drY8TAKBggqhkjOPQQDAjAjMSEw\nHwYDVQQDExhGbGVldHNwZWFrIEZsZWV0c3BlYWsgQ0EwHhcNMjMxMjE1MTQyMTQ2\nWhcNMjQxMjE0MTQyMTQ2WjAnMSUwIwYDVQQDExxGbGVldHNwZWFrIEZsZWV0c3Bl\nYWsgU2VydmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaCG+J04RBhTCTDgr\nMl+KfTLOab/vOsNix+zMzzG8C+7Sz5K3Jf/wqCRlScft3IK0wJo7PMT1+kJTWHxo\nbHFD+qOBgTB/MA4GA1UdDwEB/wQEAwIChDAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud\nDgQWBBTvdTLzfJCcEx9x6/DQo9u6JErv/jAfBgNVHSMEGDAWgBTDqQ/s7QxdkVU+\nqXUTazg4lzhDUTAcBgNVHREEFTATghFmbGVldHNwZWFrLXNlcnZlcjAKBggqhkjO\nPQQDAgNIADBFAiBtWzU2jEBrEIwt2rxfL68KfSAXb1wL1cs4NFqXj0vGUQIhAJJJ\nvh+1vmpSS1Az9yxQoZK8Upo4wJe6zg2SfokzY681\n-----END CERTIFICATE-----\n"
+  key: "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIGjnSoIzlA7spP1jJDXNYT9VSG0Y2FLNqEsatkPfvaOWoAoGCCqGSM49\nAwEHoUQDQgAEaCG+J04RBhTCTDgrMl+KfTLOab/vOsNix+zMzzG8C+7Sz5K3Jf/w\nqCRlScft3IK0wJo7PMT1+kJTWHxobHFD+g==\n-----END EC PRIVATE KEY-----"
+>
+notification_listen_address: "fleetspeak-frontend:10000"
+notification_public_address: "fleetspeak-frontend:10000"