From 1a980844f08cfb4469c5930fe4df167391cfbd30 Mon Sep 17 00:00:00 2001 From: jokob-sk Date: Sun, 30 Nov 2025 11:14:45 +1100 Subject: [PATCH] BE: restore previous verison retrieval as a test #1320 Signed-off-by: jokob-sk --- .github/workflows/docker_prod.yml | 12 ++++++++++++ .gitignore | 1 + Dockerfile | 29 +++++++++++++++-------------- 3 files changed, 28 insertions(+), 14 deletions(-) diff --git a/.github/workflows/docker_prod.yml b/.github/workflows/docker_prod.yml index 476fc904..5c72456c 100755 --- a/.github/workflows/docker_prod.yml +++ b/.github/workflows/docker_prod.yml @@ -32,6 +32,18 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + # --- Previous approach Get release version from tag + - name: Set up dynamic build ARGs + id: getargs + run: echo "version=$(cat ./stable/VERSION)" >> $GITHUB_OUTPUT + + - name: Get release version + id: get_version + run: echo "::set-output name=version::${GITHUB_REF#refs/tags/}" + + - name: Create .VERSION file + run: echo "${{ steps.get_version.outputs.version }}" >> .VERSION_PREV + # --- Get release version from tag - name: Get release version id: get_version diff --git a/.gitignore b/.gitignore index 70efbf39..ba75091c 100755 --- a/.gitignore +++ b/.gitignore @@ -11,6 +11,7 @@ nohup.out config/* .ash_history .VERSION +.VERSION_PREV config/pialert.conf config/app.conf db/* diff --git a/Dockerfile b/Dockerfile index 1cabc8ac..fa45744d 100755 --- a/Dockerfile +++ b/Dockerfile 
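Review bot: The added `Get release version` step declares `id: get_version`, which the pre-existing step shown as context three lines below in the same job already uses; GitHub Actions requires step ids to be unique within a job, so this workflow is likely to fail validation before any step runs. Rename the new one, e.g. `id: get_version_prev`, and make the `Create .VERSION file` step read `${{ steps.get_version_prev.outputs.version }}`. The `::set-output` workflow command is deprecated in favour of `>> "$GITHUB_OUTPUT"`, which the `getargs` step directly above already uses, so the new step can simply be `run: echo "version=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"`. Interpolating `${{ steps.get_version.outputs.version }}` straight into a `run:` script expands the tag name into shell source, and git ref names may legally contain `$`, `;` or backticks, so pass the value through `env:` and write it with `printf '%s\n' "$VERSION" >> .VERSION_PREV` instead. The `getargs` output is not consumed anywhere in this hunk, so it appears to be dead unless something outside the hunk reads it.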
@@ -1,16 +1,16 @@
 # The NetAlertX Dockerfile has 3 stages:
 #
 # Stage 1. Builder - NetAlertX Requires special tools and packages to build our virtual environment, but
-# which are not needed in future stages. We build the builder and extract the venv for runner to use as 
+# which are not needed in future stages. We build the builder and extract the venv for runner to use as
 # a base.
 #
 # Stage 2. Runner builds the bare minimum requirements to create an operational NetAlertX. The primary
 # reason for breaking at this stage is it leaves the system in a proper state for devcontainer operation
-# This image also provides a break-out point for uses who wish to execute the anti-pattern of using a 
+# This image also provides a break-out point for uses who wish to execute the anti-pattern of using a
 # docker container as a VM for experimentation and various development patterns.
 #
 # Stage 3. Hardened removes root, sudoers, folders, permissions, and locks the system down into a read-only
-# compatible image. While NetAlertX does require some read-write operations, this image can guarantee the 
+# compatible image. While NetAlertX does require some read-write operations, this image can guarantee the
 # code pushed out by the project is the only code which will run on the system after each container restart.
 # It reduces the chance of system hijacking and operates with all modern security protocols in place as is
 # expected from a security appliance.
@@ -29,7 +29,7 @@ COPY requirements.txt /tmp/requirements.txt RUN apk add --no-cache bash shadow python3 python3-dev gcc musl-dev libffi-dev openssl-dev git \ && python -m venv /opt/venv -# Create virtual environment owned by root, but readable by everyone else. This makes it easy to copy +# Create virtual environment owned by root, but readable by everyone else. This makes it easy to copy # into hardened stage without worrying about permissions and keeps image size small. Keeping the commands # together makes for a slightly smaller image size. RUN pip install --no-cache-dir -r /tmp/requirements.txt && \ @@ -95,11 +95,11 @@ ENV READ_WRITE_FOLDERS="${NETALERTX_DATA} ${NETALERTX_CONFIG} ${NETALERTX_DB} ${ ${SYSTEM_SERVICES_ACTIVE_CONFIG}" #Python environment -ENV PYTHONUNBUFFERED=1 +ENV PYTHONUNBUFFERED=1 ENV VIRTUAL_ENV=/opt/venv ENV VIRTUAL_ENV_BIN=/opt/venv/bin ENV PYTHONPATH=${NETALERTX_APP}:${NETALERTX_SERVER}:${NETALERTX_PLUGINS}:${VIRTUAL_ENV}/lib/python3.12/site-packages -ENV PATH="${SYSTEM_SERVICES}:${VIRTUAL_ENV_BIN}:$PATH" +ENV PATH="${SYSTEM_SERVICES}:${VIRTUAL_ENV_BIN}:$PATH" # App Environment ENV LISTEN_ADDR=0.0.0.0 @@ -110,7 +110,7 @@ ENV VENDORSPATH_NEWEST=${SYSTEM_SERVICES_RUN_TMP}/ieee-oui.txt ENV ENVIRONMENT=alpine ENV READ_ONLY_USER=readonly READ_ONLY_GROUP=readonly ENV NETALERTX_USER=netalertx NETALERTX_GROUP=netalertx -ENV LANG=C.UTF-8 +ENV LANG=C.UTF-8 RUN apk add --no-cache bash mtr libbsd zip lsblk tzdata curl arp-scan iproute2 iproute2-ss nmap \ @@ -138,6 +138,7 @@ RUN install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 700 ${READ_WRITE_FO # Copy version information into the image COPY --chown=${NETALERTX_USER}:${NETALERTX_GROUP} .[V]ERSION ${NETALERTX_APP}/.VERSION +COPY --chown=${NETALERTX_USER}:${NETALERTX_GROUP} .[V]ERSION ${NETALERTX_APP}/.VERSION_PREV # Copy the virtualenv from the builder stage COPY --from=builder --chown=20212:20212 ${VIRTUAL_ENV} ${VIRTUAL_ENV} 
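Review bot: The new `COPY` line in the `@@ -138` hunk still names `.[V]ERSION` as its source, so it copies the contents of `.VERSION` into `${NETALERTX_APP}/.VERSION_PREV`; the `.VERSION_PREV` file that the workflow now writes is never copied, and the two files inside the image will always be identical, which defeats the comparison this commit is meant to enable. The bracket glob is there so the build does not fail when the file is absent, so keep that shape and fix only the source: `COPY --chown=${NETALERTX_USER}:${NETALERTX_GROUP} .[V]ERSION_PREV ${NETALERTX_APP}/.VERSION_PREV`. This additionally assumes `.VERSION_PREV` is not excluded by a `.dockerignore`, which is not visible here; the `.gitignore` entry added in this commit has no effect on the Docker build context.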
@@ -147,12 +148,12 @@ COPY --from=builder --chown=20212:20212 ${VIRTUAL_ENV} ${VIRTUAL_ENV}
 # This is done after the copy of the venv to ensure the venv is in place
 # although it may be quicker to do it before the copy, it keeps the image
 # layers smaller to do it after.
-RUN if [ -f '.VERSION' ]; then \
- cp '.VERSION' "${NETALERTX_APP}/.VERSION"; \
- else \
- echo "DEVELOPMENT 00000000" > "${NETALERTX_APP}/.VERSION"; \
- fi && \
- chown 20212:20212 "${NETALERTX_APP}/.VERSION" && \
+RUN for vfile in .VERSION .VERSION_PREV; do \
+ if [ ! -f "${NETALERTX_APP}/${vfile}" ]; then \
+ echo "DEVELOPMENT 00000000" > "${NETALERTX_APP}/${vfile}"; \
+ fi; \
+ chown 20212:20212 "${NETALERTX_APP}/${vfile}"; \
+ done && \
 apk add --no-cache libcap && \
 setcap cap_net_raw+ep /bin/busybox && \
 setcap cap_net_raw,cap_net_admin+eip /usr/bin/nmap && \
@@ -180,7 +181,7 @@ ENV UMASK=0077
 
 # Create readonly user and group with no shell access.
 # Readonly user marks folders that are created by NetAlertX, but should not be modified.
-# AI may claim this is stupid, but it's actually least possible permissions as 
+# AI may claim this is stupid, but it's actually least possible permissions as
 # read-only user cannot login, cannot sudo, has no write permission, and cannot even
 # read the files it owns. The read-only user is ownership-as-a-lock hardening pattern.
 RUN addgroup -g 20212 "${READ_ONLY_GROUP}" && \
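Review bot: The comment block above the rewritten `RUN` in the `@@ -147` hunk still only explains the ordering relative to the venv copy and says nothing about why two version files now exist or that `.VERSION_PREV` is, per the commit subject, a temporary experiment for #1320; add `# .VERSION_PREV holds the legacy tag-derived version for the #1320 comparison; remove once that issue is resolved.` directly above the loop so it is not mistaken for a permanent contract. The loop hard-codes `chown 20212:20212` while the `COPY` lines a few lines earlier use `--chown=${NETALERTX_USER}:${NETALERTX_GROUP}`, and the earlier `RUN install -d -o ${NETALERTX_USER}` shows those names already resolve at this stage, so one form should be used throughout, e.g. `chown "${NETALERTX_USER}:${NETALERTX_GROUP}" "${NETALERTX_APP}/${vfile}"`. The `RUN` statement continues past the end of the hunk, so the remainder of its command chain is not reviewed here.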