From dd45a4908da61cdf5c0b62ce78bc9decb3a45ac7 Mon Sep 17 00:00:00 2001
From: Gabe
Date: Thu, 7 Jan 2021 16:24:11 -0700
Subject: [PATCH 1/4] Update Falcon Sensor Dockerfile

- Clean up single line invocations to be multi-line
- Parameterize the rpm name for sensor install
- Update Readme
- Remove root user as it is considered redundant
---
 Dockerfile | 81 +++++++++++++++++++++++++-----------------------
 README.md | 25 ++++++-----------
 2 files changed, 45 insertions(+), 61 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index e88e8e1..06e8e73 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,66 +4,59 @@ # see https://developers.redhat.com/products/rhel/ubi # FROM registry.access.redhat.com/ubi8/ubi:8.1 -USER root + +ARG container_version + +# BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') +ARG BUILD_DATE + +# VCS_REF=$(git rev-parse --short HEAD) +ARG VCS_REF + +ARG FALCON_RPM # # Friendly reminder that generated container images are from an open source # project, and not a formal CrowdStrike product. # -LABEL maintainer="https://github.com/CrowdStrike/dockerfiles/" - -# -# Apply updates to base image. -# -RUN yum -y update --disablerepo=* --enablerepo=ubi-8-appstream --enablerepo=ubi-8-baseos && yum -y clean all && rm -rf /var/cache/yum +LABEL maintainer="https://github.com/CrowdStrike/dockerfiles/" \ + org.label-schema.build-date=$BUILD_DATE \ + org.label-schema.schema-version="1.0" \ + org.label-schema.description="CrowdStrike's Containerized Falcon Linux Sensor" \ + org.label-schema.vendor="https://github.com/CrowdStrike/dockerfiles/" \ + org.label-schema.url="https://github.com/CrowdStrike/dockerfiles/" \ + org.label-schema.vcs-url="https://github.com/CrowdStrike/dockerfiles/" \ + org.label-schema.vcs-ref=$VCS_REF \ + org.label-schema.docker.cmd="docker run -d --privileged -v /var/log:/var/log \ + --mount type=bind,source=/var/run/docker.sock,destination=/var/run/docker.sock \ + --net=host --pid=host --uts=host --ipc=host \ + falcon-sensor" \ + org.label-schema.container_version=$container_version \ + io.openshift.tags="crowdstrike,falcon" \ + io.k8s.description="CrowdStrike's Containerized Falcon Linux Sensor" +# io.openshift.min-memory 8Gi +# io.openshift.min-cpu 4 # -# Copy Falcon Agent RPM into container & install it, then remove the RPM +# 1. Apply updates to base image and install dependencies +# 2. Copy Falcon Agent RPM into container & install it, then remove the RPM # -# TO DO: For now this script copies the full RPM and renames to /tmp/falcon-agent.rpm. This should be -# changed to a parameter at some point. 
-# -COPY ./falcon-sensor-6.14.0-11150.el8.x86_64.rpm /tmp/falcon-agent.rpm -RUN yum -y install --disablerepo=* --enablerepo=ubi-8-appstream --enablerepo=ubi-8-baseos libnl3 net-tools zip openssl hostname iproute /tmp/falcon-agent.rpm && yum -y clean all && rm -rf /var/cache/yum && rm /tmp/falcon-agent.rpm +COPY ./$FALCON_RPM /tmp/falcon-sensor.rpm +RUN yum -y update && \ + yum -y install --disablerepo=* \ + --enablerepo=ubi-8-appstream \ + --enablerepo=ubi-8-baseos \ + libnl3 net-tools zip openssl hostname iproute /tmp/falcon-sensor.rpm && \ + yum -y clean all && rm -rf /var/cache/yum && \ + rm -f /tmp/falcon-sensor.rpm # # Copy the entrypoint script into the container and make sure # that its executable. Add the symlink for backwards compatability # COPY entrypoint.sh /usr/local/bin/ -RUN chmod +x /usr/local/bin/entrypoint.sh RUN ln -s /usr/local/bin/entrypoint.sh / - -ARG container_version - -# BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') -ARG BUILD_DATE - -# VCS_REF=$(git rev-parse --short HEAD) -ARG VCS_REF - -# Standard Dockerfile Tags -LABEL org.label-schema.build-date $BUILD_DATE -LABEL org.label-schema.schema-version "1.0" -LABEL org.label-schema.description "CrowdStrike's Containerized Falcon Linux Sensor" -LABEL org.label-schema.vendor "https://github.com/CrowdStrike/dockerfiles/" -LABEL org.label-schema.url "https://github.com/CrowdStrike/dockerfiles/" -LABEL org.label-schema.vcs-url "https://github.com/CrowdStrike/dockerfiles/" -LABEL org.label-schema.vcs-ref $VCS_REF -LABEL org.label-schema.docker.cmd \ - "docker run -d --privileged -v /var/log:/var/log \ - --mount type=bind,source=/var/run/docker.sock,destination=/var/run/docker.sock \ - --net=host --pid=host --uts=host --ipc=host \ - falcon-sensor" -LABEL org.label-schema.container_version $container_version - -# OpenShift-specific Tags -LABEL io.openshift.tags crowdstrike,falcon -LABEL io.k8s.description "CrowdStrike's Containerized Falcon Linux Sensor" -#LABEL io.openshift.min-memory 8Gi -#LABEL 
io.openshift.min-cpu 4 - ENV PATH ".:/bin:/usr/bin:/sbin:/usr/sbin" WORKDIR /opt/CrowdStrike diff --git a/README.md b/README.md index d46074a..a07dfdb 100644 --- a/README.md +++ b/README.md 
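Review bot: The rewritten RUN drops the `--disablerepo=* --enablerepo=ubi-8-appstream --enablerepo=ubi-8-baseos` restriction from `yum -y update`; the removed line applied it to the update as well, so the update step can now resolve against any additional repositories the build host injects into the container while the install step that follows stays restricted to the UBI repos, which can leave the two steps disagreeing about package versions. Carry the restriction over, `yum -y update --disablerepo=* --enablerepo=ubi-8-appstream --enablerepo=ubi-8-baseos && \`, so both steps use the same repository set. Separately, `ARG FALCON_RPM` has no default and `COPY ./$FALCON_RPM /tmp/falcon-sensor.rpm` expands to `COPY ./ /tmp/falcon-sensor.rpm` when the build arg is omitted, copying the whole build context into the image under that path and failing only later in yum; a guard such as `RUN test -n "$FALCON_RPM"` before the COPY gives a clear error instead. Note also that the RPM written by the COPY stays in that layer regardless of the `rm -f` in the next RUN, so the removal keeps it out of the container filesystem but not out of the image.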
@@ -2,29 +2,19 @@ This project helps build the scaffolding for customers to containerize their falcon sensor. ## Pre-Launch Checklist -* Install `docker` if not already present on the build host. In theory -[podman](https://developers.redhat.com/blog/2019/02/21/podman-and-buildah-for-docker-users/) should be -a drop-in replacement for development on Linux hosts, but has not yet been tested. +* Install `docker` or `podman` if not already present on the build host. The following instructions use `docker` commands, but `podman` commands work just fine as well. * Your CrowdStrike Customer ID (CID) is required to ensure the container associates itself with your account upon launch. Your CID can be found at [https://falcon.crowdstrike.com/hosts/sensor-downloads](https://falcon.crowdstrike.com/hosts/sensor-downloads). -* Update entrypoint.sh with your CID, e.g.: +* Update entrypoint.sh with your CID if you wish to hard-code your CID, e.g.: ```console CLOUDSIM_CID="YOURCID" ``` - This could be replaced with a sed one-liner such as ``sed -i 's/YOURCID/xyz/r' entrypoint.sh``. Try not to commit your CID to your Git repo! - -* Download the RHEL/CentOS/Oracle 8 sensor from [https://falcon.crowdstrike.com/hosts/sensor-downloads](https://falcon.crowdstrike.com/hosts/sensor-downloads) and place into this directory. The ``Dockerfile`` references this file and copies it into the container during ``docker build``: - - ```shell - COPY ./falcon-sensor-5.33.0-9808.el8.x86_64.rpm /tmp/falcon-agent.rpm - - RUN yum -y install --disablerepo=* --enablerepo=ubi-8-appstream --enablerepo=ubi-8-baseos /tmp/falcon-agent.rpm && yum -y clean all && rm -rf /var/cache/yum && rm /tmp/falcon-agent.rpm - ``` - - At some point we'll parameterize the RPM name. + This could be replaced with a sed one-liner such as ``sed -i 's/YOURCID/xyz/r' entrypoint.sh``. Try not to commit your CID to your Git repo! 
+ Alternatively, using `-e FALCONCTL_OPT_CID=<>` when running the container detached (when the `-d` argument is used. See below) is easier rather than hard-coding your CID and creating a new container image. +* Download the RHEL/CentOS/Oracle 8 sensor from [https://falcon.crowdstrike.com/hosts/sensor-downloads](https://falcon.crowdstrike.com/hosts/sensor-downloads) and place into this directory. The ``Dockerfile`` references this file and copies it into the container during ``docker build`` through the build argument `FALCON_RPM`. ## Build Build the container using the [included Dockerfile](https://github.com/CrowdStrike/dockerfiles/blob/master/Dockerfile) through a command such as: @@ -33,6 +23,7 @@ Build the container using the [included Dockerfile](https://github.com/CrowdStri $ docker build --no-cache=true \ --build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \ --build-arg VCS_REF=$(git rev-parse --short HEAD) \ +--build-arg FALCON_RPM=falcon-sensor-5.33.0-9808.el8.x86_64.rpm -t falcon-sensor:latest . ``` @@ -92,7 +83,7 @@ $ CONTAINER_ID=$(docker run -d \ -v /var/log:/var/log falcon-sensor) ``` -Replace ``<>`` with your CrowdStrike Customer ID (CID). This can be found at [https://falcon.crowdstrike.com/hosts/sensor-downloads](https://falcon.crowdstrike.com/hosts/sensor-downloads). +Replace ``<>`` with your CrowdStrike Customer ID (CID). This can be found at [https://falcon.crowdstrike.com/hosts/sensor-downloads](https://falcon.crowdstrike.com/hosts/sensor-downloads). ### Running `falconctl` `falconctl` can be invoked inside a running sensor container with `docker exec`: @@ -124,4 +115,4 @@ $ docker push yourDockerHubAccount/yourPrivateRepo ``` ## Many Thanks -Thank you to [Dinesh Subhraveti](https://www.linkedin.com/in/subhraveti/) whose initial code inspired this repo! \ No newline at end of file +Thank you to [Dinesh Subhraveti](https://www.linkedin.com/in/subhraveti/) whose initial code inspired this repo! 
From 137ec8ba7e782a9fe74821c4123c26db47a13bfa Mon Sep 17 00:00:00 2001
From: Gabe
Date: Thu, 7 Jan 2021 16:28:36 -0700
Subject: [PATCH 2/4] Update permissions

---
 entrypoint.sh | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 entrypoint.sh

diff --git a/entrypoint.sh b/entrypoint.sh
old mode 100644
new mode 100755

From 896118204a0e783985e73f1eceb01d459f54bf82 Mon Sep 17 00:00:00 2001
From: Gabe Alford
Date: Fri, 8 Jan 2021 08:52:42 -0700
Subject: [PATCH 3/4] Update README.md for podman and build link for docker users

Co-authored-by: Shawn Wells
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index a07dfdb..b76062a 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@ This project helps build the scaffolding for customers to containerize their falcon sensor.
 ## Pre-Launch Checklist
-* Install `docker` or `podman` if not already present on the build host. The following instructions use `docker` commands, but `podman` commands work just fine as well.
+* Install `docker` or `podman` if not already present on the build host. The following instructions use `docker` commands, but `podman` commands [work just fine as well](https://developers.redhat.com/blog/2019/02/21/podman-and-buildah-for-docker-users/).
 * Your CrowdStrike Customer ID (CID) is required to ensure the container associates itself with your account upon launch. Your CID can be found at [https://falcon.crowdstrike.com/hosts/sensor-downloads](https://falcon.crowdstrike.com/hosts/sensor-downloads).

From e384ecacba41df4395d5188453d5a4c1754570e0 Mon Sep 17 00:00:00 2001
From: Gabe
Date: Fri, 8 Jan 2021 09:30:11 -0700
Subject: [PATCH 4/4] Read USER invocation for root to help clarity

---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Dockerfile b/Dockerfile
index 06e8e73..f5c960e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,6 +4,7 @@ # see https://developers.redhat.com/products/rhel/ubi # FROM registry.access.redhat.com/ubi8/ubi:8.1 +USER root ARG container_version