[Snyk] Security upgrade debian from buster-slim to bullseye-20220527-slim

.dockerignore

@@ -0,0 +1,2 @@
+.gitignore
+db-variables.env.sample

.gitignore

@@ -0,0 +1 @@
+db-variables.env

Dockerfile

@@ -1,26 +1,77 @@
-FROM debian:buster-slim
+FROM debian:bullseye-slim
 
 MAINTAINER Adriel Kloppenburg
 
 ARG DEBIAN_FRONTEND=noninteractive
+ARG DENYHOSTS_VERSION='v3.0.1'
+ARG ORACLE_MYSQL=true
+ARG MARIADB_MYSQL=false
 
 RUN apt-get update \
- && apt-get -qy --no-install-recommends --no-install-suggests install curl gnupg2 \
- && echo "deb http://www.vanbest.org/reprepro/ unstable main contrib non-free" >> /etc/apt/sources.list \
- && curl http://www.vanbest.org/janpascal/debian-archive-key.asc | apt-key add - \
- && apt-get update \
- && apt-get -qy --no-install-recommends --no-install-suggests install denyhosts-server \
- && apt-get -qy purge gnupg2 \
- && rm -rf /var/lib/apt/lists/*
+    && apt-get -qy --no-install-recommends --no-install-suggests install gnupg2 git \
+    python-is-python3 python3-setuptools libpython3.9-dev \
+    libgeoip-dev geoip-database libsodium23 \
+    supervisor \
+    && rm -rf /var/lib/apt/lists/* \
+    && apt -y autoremove \
+    && apt -y autoclean
 
-RUN ln -sf /dev/stdout /var/log/denyhosts-server/denyhosts-server.log
+RUN apt-get update  \
+    && apt-get -qy install python3-pip \
+    && rm -rf /var/lib/apt/lists/* \
+    && apt -y autoremove \
+    && apt -y autoclean \
+    && git config --global http.sslverify false
+
+
+RUN if $MARIADB_MYSQL; then  \
+    apt-get -qy --no-install-recommends --no-install-suggests install python3-mysqldb \
+    && rm -rf /var/lib/apt/lists/* \
+    && apt -y autoremove \
+    && apt -y autoclean \
+    ; fi
+
+RUN if $ORACLE_MYSQL; then \
+    python3 -m pip install mysql-connector-python \
+    && rm -rf /var/lib/apt/lists/* \
+    && apt -y autoremove \
+    && apt -y autoclean \
+    && git clone https://github.com/denyhosts/twistar.git \
+    && cd twistar \
+    && python3 setup.py install \
+    && cd .. \
+    && rm -rf twistar \
+    ; fi
+
+
+RUN git clone https://github.com/denyhosts/denyhosts_sync.git \
+    && cd denyhosts_sync \
+    && git checkout tags/${DENYHOSTS_VERSION} -b ${DENYHOSTS_VERSION} \
+    && python3 -m pip install -r requirements.txt \
+    && python3 setup.py install \
+    && cp /denyhosts_sync/build/scripts-*/denyhosts-server /usr/local/bin/denyhosts-server \
+    && cp -v /denyhosts_sync/build/scripts-*/denyhosts-server /usr/local/bin/denyhosts-server  \
+    && cp /denyhosts_sync/denyhosts-server.conf.example /etc/denyhosts-server.conf \
+    && rm -rf /denyhosts_sync \
+    && mkdir -p /var/log/denyhosts-server \
+    && touch /var/log/denyhosts-server/denyhosts-server.log \
+    && ln -sf /dev/stdout /var/log/denyhosts-server/denyhosts-server.log
+
+RUN apt-get -qy purge gnupg2 git \
+    && apt -y autoremove \
+    && apt -y autoclean
 
 HEALTHCHECK --interval=5m --timeout=3s \
   CMD curl -f http://localhost:9911/ || exit 1
 
-COPY run.sh /run.sh
-RUN chmod +x /run.sh
+WORKDIR /app
+COPY run.sh ./
+RUN chmod +x run.sh
+RUN if $MARIADB_MYSQL; then \
+    sed -i 's/type: mysql.connector/type: MySQLdb/' run.sh \
+    ; fi
+COPY supervisord.conf /etc/supervisord.conf.d/supervisord.conf
 
 EXPOSE 9911
 
-ENTRYPOINT ["/run.sh"]
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf.d/supervisord.conf"]

README.md

@@ -14,9 +14,14 @@ It'll change to "unhealthy" when it can no longer retrieve the site via http://l
 
 ## Usage
 
-There is a example [docker-compose.yml](https://github.com/adriel/denyhosts-sync-docker/blob/master/docker-compose.yml) file included in the repository to help you get started, fill in the missing parts.
-
-There also is a [db-variables.env](https://github.com/adriel/denyhosts-sync-docker/blob/master/db-variables.env) file where you can enter the database details like; database name, username/password, hostname etc, which is linked to, in both the server and database images.
+There is an example [docker-compose.yml](https://github.com/adriel/denyhosts-sync-docker/blob/master/docker-compose.yml) 
+file included in the repository to help you get started, 
+fill in the missing parts.
+
+There also is a [db-variables.env.sample](https://github.com/adriel/denyhosts-sync-docker/blob/master/db-variables.env) 
+file.  Copy the sample file as db-variables.env.  Then you can enter your database details like; 
+database name, username/password, hostname etc, 
+which is linked to, in both the server and database images.
 
 Put both these files into a directory and run `docker-compose up -d` in that directory and it'll start both images.
 

db-variables.env → db-variables.env.sample

@@ -3,3 +3,7 @@ MYSQL_DATABASE=<Pick a DB name>
 MYSQL_USER=<Pick a user DB username>
 MYSQL_PASSWORD=<Pick DB user password>
 MYSQL_PORT=3306
+MYSQL_ROOT_PASSWORD=<Enter a password for root>
+# Uncomment a line below if you would like an alternative engine instead of Innodb
+#INIT_ROCKSDB
+#INIT_TOKUDB

docker-compose.yml

@@ -1,25 +1,28 @@
 version: "3.3"
+
 services:
-  denyhosts-sync:
+  denyhosts:
       container_name: "DenyHosts_Sync"
       restart: unless-stopped
-      image: adriel/denyhosts-sync
+      build: .
+      image: denyhosts-sync
       env_file:
-        - db-variables.env
+      - db-variables.env
       ports:
         - "9911:9911"
       networks:
         - denyhosts
+      depends_on:
+        - database
   database:
-    container_name: MariaDB
+    container_name: DenyhostsPerconaDB
     restart: unless-stopped
-    image: mariadb:latest
+    image: percona:latest
+    command: mysqld --sql-mode="NO_ENGINE_SUBSTITUTION"
     env_file:
       - db-variables.env
     volumes:
       - "/location/to/store/database:/var/lib/mysql"
-    environment:
-      - MYSQL_ROOT_PASSWORD=<Pick DB root password>
     expose:
       - "3306"
     networks:

run.sh

@@ -6,8 +6,8 @@ set -o pipefail
 TABLE='country_history'
 
 printf "[database]
-# Type of database. Choice of sqlite3, MySQLdb, psycopg2 (PostgreSQL)
-type: mysql
+# Type of database. Choice of sqlite3, MySQLdb, mysql.connector, psycopg2 (PostgreSQL)
+type: mysql.connector
 
 db: ${MYSQL_DATABASE}
 host: ${MYSQL_HOSTNAME}
@@ -16,7 +16,14 @@ passwd: ${MYSQL_PASSWORD}
 
 # Maximum size of database connection pool. Default: 5
 # For high volume servers, set this to 100 or so.
-cp_max: 100" > /etc/denyhosts-server-database.conf
+cp_max: 100
+
+[sync]
+[maintenance]
+[logging]
+[stats]
+[peering]
+" > /etc/denyhosts-server-database.conf
 
 # Check if DB is running and accessable
 until mysql -u "${MYSQL_USER}" -p"${MYSQL_PASSWORD}" --host="${MYSQL_HOSTNAME}" --port="${MYSQL_PORT}" -e "select 1" &>/dev/null; do
@@ -32,7 +39,7 @@ if [[ $(mysql -N -s -u "${MYSQL_USER}" -p"${MYSQL_PASSWORD}" --host="${MYSQL_HOS
     echo "Tables exists - starting server"
 else
     echo 'Tables do not exist - creating tables'
-    echo 'Y' | /usr/bin/denyhosts-server --recreate-database
+    echo 'Y' | /usr/local/bin/denyhosts-server --recreate-database -c /etc/denyhosts-server-database.conf
 fi
 
-/usr/bin/denyhosts-server -c /etc/denyhosts-server.conf
+/usr/local/bin/denyhosts-server -c /etc/denyhosts-server-database.conf

supervisord.conf

@@ -0,0 +1,31 @@
+[unix_http_server]
+file=/tmp/supervisor.sock ; (the path to the socket file)
+
+[supervisord]
+loglevel=info ; (log level;default info; others: debug,warn,trace)
+pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
+nodaemon=true ; (start in foreground if true;default false)
+minfds=1024 ; (min. avail startup file descriptors;default 1024)
+minprocs=200 ; (min. avail process descriptors;default 200)
+
+
+; the below section must remain in the config file for RPC
+; (supervisorctl/web interface) to work, additional interfaces may be
+; added by defining them in separate rpcinterface: sections
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
+[supervisorctl]
+serverurl=unix:///tmp/supervisor.sock ; use a unix:// URL for a unix socket
+
+[program:denyhosts]
+command=/bin/bash /app/run.sh
+process_name=%(program_name)s
+directory=/app/
+autostart=true
+autorestart=true
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/fd/1
+stderr_logfile_maxbytes=0
+