Alex-Devera/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-04-20 06:02:24 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

tweak deploy, add autoheal, start update Dockerfiles

Browse source 
- tweak deploy a little further
- start with rebuilding Dockerfiles
- rework healthcheck for adbhoney CPU issues
- bump adbhoney, ciscoasa, citrixhoneypot, conpot, cowriepot, ddospot to alpine 3.19
- fix conpot issue with py 3.11
- bump conpot to latest master
- bump cowrie to latest master
- add autoheal to tpotinit to restart unhealthy container (if healthcheck enabled)
This commit is contained in:
t3chn0m4g3 2024-02-27 20:11:16 +01:00
parent 22d2bdff7e
commit f9a9c8c4bf
27 changed files with 354 additions and 140 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
compose/mobile.yml
View file

@ -51,7 +51,7 @@ services:
- ${TPOT_DOCKER_COMPOSE}:/tmp/tpot/docker-compose.yml:ro
- ${TPOT_DATA_PATH}/blackhole:/etc/blackhole
- ${TPOT_DATA_PATH}:/data
- /var/run/docker.sock:/var/run/docker.sock:ro
##################
#### Honeypots

2
compose/raspberry_showcase.yml
View file

@ -51,7 +51,7 @@ services:
- ${TPOT_DOCKER_COMPOSE}:/tmp/tpot/docker-compose.yml:ro
- ${TPOT_DATA_PATH}/blackhole:/etc/blackhole
- ${TPOT_DATA_PATH}:/data
- /var/run/docker.sock:/var/run/docker.sock:ro
##################
#### Honeypots

2
compose/sensor.yml
View file

@ -49,7 +49,7 @@ services:
- ${TPOT_DOCKER_COMPOSE}:/tmp/tpot/docker-compose.yml:ro
- ${TPOT_DATA_PATH}/blackhole:/etc/blackhole
- ${TPOT_DATA_PATH}:/data
- /var/run/docker.sock:/var/run/docker.sock:ro
##################
#### Honeypots

1
compose/standard.yml
View file

@ -50,6 +50,7 @@ services:
- ${TPOT_DOCKER_COMPOSE}:/tmp/tpot/docker-compose.yml:ro
- ${TPOT_DATA_PATH}/blackhole:/etc/blackhole
- ${TPOT_DATA_PATH}:/data
- /var/run/docker.sock:/var/run/docker.sock:ro
##################

2
compose/tpot_services.yml
View file

@ -57,7 +57,7 @@ services:
- ${TPOT_DOCKER_COMPOSE}:/tmp/tpot/docker-compose.yml:ro
- ${TPOT_DATA_PATH}/blackhole:/etc/blackhole
- ${TPOT_DATA_PATH}:/data
- /var/run/docker.sock:/var/run/docker.sock:ro
##################
#### Honeypots

14
deploy.sh
View file

@ -22,12 +22,24 @@ EOF
if ! grep -q 'TPOT_TYPE=HIVE' "$HOME/tpotce/.env";
then
echo "# This script is only supported on HIVE installations."
echo
exit 1
fi
# Check if running on a supported distribution
mySUPPORTED_DISTRIBUTIONS=("AlmaLinux" "Debian GNU/Linux" "Fedora Linux" "openSUSE Tumbleweed" "Raspbian GNU/Linux" "Rocky Linux" "Ubuntu")
myCURRENT_DISTRIBUTION=$(awk -F= '/^NAME/{print $2}' /etc/os-release | tr -d '"')
if [[ ! " ${mySUPPORTED_DISTRIBUTIONS[@]} " =~ " ${myCURRENT_DISTRIBUTION} " ]];
then
echo "# Only the following distributions are supported: AlmaLinux, Fedora, Debian, openSUSE Tumbleweed, Rocky Linux and Ubuntu."
echo
exit 1
fi
echo "${myDEPLOY}"
echo
echo "This script will prepare a T-Pot SENSOR installation to transmit logs into this HIVE."
echo "# This script will prepare a T-Pot SENSOR installation to transmit logs into this HIVE."
echo
# Ask if a T-Pot SENSOR was installed

1
docker-compose.yml
View file

@ -50,6 +50,7 @@ services:
- ${TPOT_DOCKER_COMPOSE}:/tmp/tpot/docker-compose.yml:ro
- ${TPOT_DATA_PATH}/blackhole:/etc/blackhole
- ${TPOT_DATA_PATH}:/data
- /var/run/docker.sock:/var/run/docker.sock:ro
##################

14
docker/adbhoney/Dockerfile
View file

@ -1,14 +1,15 @@
FROM alpine:3.17
FROM alpine:3.19
#
# Include dist
COPY dist/ /root/dist/
#
# Install packages
RUN apk --no-cache -U add \
git \
procps \
py3-requests \
python3 && \
git \
procps \
py3-psutil \
py3-requests \
python3 && \
#
# Install adbhoney from git
git clone https://github.com/huuck/ADBHoney /opt/adbhoney && \
@ -16,6 +17,7 @@ RUN apk --no-cache -U add \
# git checkout 2417a7a982f4fd527b3a048048df9a23178767ad && \
git checkout 42afd98611724ca3d694a48b694c957e8d953db4 && \
cp /root/dist/adbhoney.cfg /opt/adbhoney && \
cp /root/dist/cpu_check.py /opt/adbhoney && \
sed -i 's/dst_ip/dest_ip/' /opt/adbhoney/adbhoney/core.py && \
sed -i 's/dst_port/dest_port/' /opt/adbhoney/adbhoney/core.py && \
#
@ -31,7 +33,7 @@ RUN apk --no-cache -U add \
# Set workdir and start adbhoney
STOPSIGNAL SIGINT
# Adbhoney sometimes hangs at 100% CPU usage, if detected process will be killed and container restarts per docker-compose settings
HEALTHCHECK CMD if [ $(ps -C mpv -p 1 -o %cpu | tail -n 1 | cut -f 1 -d ".") -gt 75 ]; then kill -2 1; else exit 0; fi
HEALTHCHECK --interval=5m --timeout=30s --retries=3 CMD python3 /opt/adbhoney/cpu_check.py
USER adbhoney:adbhoney
WORKDIR /opt/adbhoney/
CMD /usr/bin/python3 run.py

10
docker/adbhoney/dist/cpu_check.py vendored Normal file
View file

@ -0,0 +1,10 @@
import psutil
# Get the overall CPU usage percentage
cpu_usage = psutil.cpu_percent(interval=1)
print(cpu_usage)
# Check CPU usage threshold
if cpu_usage >= 75: # Adjust the threshold as needed
exit(1)
else:
exit(0)

4
docker/adbhoney/docker-compose.yml
View file

@ -19,5 +19,5 @@ services:
image: "dtagdevsec/adbhoney:alpha"
read_only: true
volumes:
- /data/adbhoney/log:/opt/adbhoney/log
- /data/adbhoney/downloads:/opt/adbhoney/dl
- $HOME/tpotce/data/adbhoney/log:/opt/adbhoney/log
- $HOME/tpotce/data/adbhoney/downloads:/opt/adbhoney/dl

4
docker/ciscoasa/Dockerfile
View file

@ -1,4 +1,4 @@
FROM alpine:3.17
FROM alpine:3.19
#
# Include dist
COPY dist/ /root/dist/
@ -27,7 +27,7 @@ RUN apk --no-cache -U upgrade && \
cd ciscoasa_honeypot && \
git checkout d6e91f1aab7fe6fc01fabf2046e76b68dd6dc9e2 && \
sed -i "s/git+git/git+https/g" requirements.txt && \
pip3 install --no-cache-dir -r requirements.txt && \
pip3 install --break-system-packages --no-cache-dir -r requirements.txt && \
cp /root/dist/asa_server.py /opt/ciscoasa_honeypot && \
chown -R ciscoasa:ciscoasa /opt/ciscoasa_honeypot && \
#

2
docker/ciscoasa/docker-compose.yml
View file

@ -22,4 +22,4 @@ services:
image: "dtagdevsec/ciscoasa:alpha"
read_only: true
volumes:
- /data/ciscoasa/log:/var/log/ciscoasa
- $HOME/tpotce/data/ciscoasa/log:/var/log/ciscoasa

8
docker/citrixhoneypot/Dockerfile
View file

@ -1,14 +1,14 @@
FROM alpine:3.17
FROM alpine:3.19
#
# Install packages
RUN apk --no-cache -U add \
git \
libcap \
openssl \
openssl \
py3-pip \
python3 && \
#
pip3 install --no-cache-dir python-json-logger && \
pip3 install --break-system-packages --no-cache-dir python-json-logger && \
#
# Install CitrixHoneypot from GitHub
git clone https://github.com/t3chn0m4g3/CitrixHoneypot /opt/citrixhoneypot && \
@ -28,7 +28,7 @@ RUN apk --no-cache -U add \
addgroup -g 2000 citrixhoneypot && \
adduser -S -H -s /bin/ash -u 2000 -D -g 2000 citrixhoneypot && \
chown -R citrixhoneypot:citrixhoneypot /opt/citrixhoneypot && \
setcap cap_net_bind_service=+ep /usr/bin/python3.10 && \
setcap cap_net_bind_service=+ep $(readlink -f $(type -P python3)) && \
#
# Clean up
apk del --purge git \

2
docker/citrixhoneypot/docker-compose.yml
View file

@ -19,4 +19,4 @@ services:
image: "dtagdevsec/citrixhoneypot:alpha"
read_only: true
volumes:
- /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs
- $HOME/tpotce/data/citrixhoneypot/logs:/opt/citrixhoneypot/logs

89
docker/conpot/Dockerfile
View file

@ -1,52 +1,56 @@
FROM alpine:3.17
FROM alpine:3.19
#
# Include dist
COPY dist/ /root/dist/
#
# Setup apt
RUN apk --no-cache -U add \
build-base \
cython \
file \
git \
libev \
libtool \
libcap \
libffi-dev \
libxslt \
libxslt-dev \
mariadb-dev \
pkgconfig \
procps \
python3 \
python3-dev \
py3-cffi \
py3-cryptography \
py3-freezegun \
py3-gevent \
py3-lxml \
py3-natsort \
py3-pip \
py3-ply \
py3-psutil \
py3-pycryptodomex \
py3-pytest \
py3-requests \
py3-pyserial \
py3-setuptools \
py3-slugify \
py3-snmp \
py3-sphinx \
py3-wheel \
py3-zope-event \
py3-zope-interface \
wget && \
build-base \
cython \
file \
git \
libev \
libtool \
libcap \
libffi-dev \
libxslt \
libxslt-dev \
mariadb-dev \
pkgconfig \
procps \
python3 \
python3-dev \
py3-cffi \
py3-cryptography \
py3-freezegun \
py3-gevent \
py3-lxml \
py3-natsort \
py3-pip \
py3-ply \
py3-psutil \
py3-pycryptodomex \
py3-pytest \
py3-requests \
py3-pyserial \
py3-setuptools \
py3-slugify \
py3-snmp \
py3-sphinx \
py3-wheel \
py3-zope-event \
py3-zope-interface \
wget && \
#
# Setup ConPot
git clone https://github.com/t3chn0m4g3/cpppo /opt/cpppo && \
cd /opt/cpppo && \
pip3 install --break-system-packages --no-cache-dir --upgrade pip && \
pip3 install --break-system-packages --no-cache-dir . && \
git clone https://github.com/mushorg/conpot /opt/conpot && \
cd /opt/conpot/ && \
git checkout b3740505fd26d82473c0d7be405b372fa0f82575 && \
#git checkout 1c2382ea290b611fdc6a0a5f9572c7504bcb616e && \
git checkout 26c67d11b08a855a28e87abd186d959741f46c7f && \
# git checkout b3740505fd26d82473c0d7be405b372fa0f82575 && \
# Change template default ports if <1024
sed -i 's/port="2121"/port="21"/' /opt/conpot/conpot/templates/default/ftp/ftp.xml && \
sed -i 's/port="8800"/port="80"/' /opt/conpot/conpot/templates/default/http/http.xml && \
@ -58,17 +62,16 @@ RUN apk --no-cache -U add \
sed -i 's/port="16100"/port="161"/' /opt/conpot/conpot/templates/IEC104/snmp/snmp.xml && \
sed -i 's/port="6230"/port="623"/' /opt/conpot/conpot/templates/ipmi/ipmi/ipmi.xml && \
cp /root/dist/requirements.txt . && \
pip3 install --no-cache-dir --upgrade pip && \
pip3 install --no-cache-dir . && \
pip3 install --break-system-packages --no-cache-dir . && \
cd / && \
rm -rf /opt/conpot /tmp/* /var/tmp/* && \
setcap cap_net_bind_service=+ep /usr/bin/python3.10 && \
setcap cap_net_bind_service=+ep $(readlink -f $(type -P python3)) && \
#
# Get wireshark manuf db for scapy, setup configs, user, groups
mkdir -p /etc/conpot /var/log/conpot /usr/share/wireshark && \
wget https://www.wireshark.org/download/automated/data/manuf -o /usr/share/wireshark/manuf && \
cp /root/dist/conpot.cfg /etc/conpot/conpot.cfg && \
cp -R /root/dist/templates /usr/lib/python3.10/site-packages/conpot/ && \
cp -R /root/dist/templates /usr/lib/$(readlink -f $(type -P python3) | cut -f4 -d"/")/site-packages/conpot/ && \
addgroup -g 2000 conpot && \
adduser -S -s /bin/ash -u 2000 -D -g 2000 conpot && \
#

2
docker/conpot/dist/conpot.cfg vendored
View file

@ -3,7 +3,7 @@ sensorid = conpot
[virtual_file_system]
data_fs_url = %(CONPOT_TMP)s
fs_url = tar:///usr/lib/python3.10/site-packages/conpot/data.tar
fs_url = tar:///usr/lib/python3.11/site-packages/conpot/data.tar
[session]
timeout = 30

4
docker/conpot/dist/requirements.txt vendored
View file

@ -3,6 +3,7 @@ pysmi
libtaxii>=1.1.0
crc16
scapy==2.4.3rc1
scapy==2.4.3rc1
hpfeeds3
modbus-tk
stix-validator
@ -12,9 +13,8 @@ bacpypes==0.17.0
pyghmi==1.4.1
mixbox
modbus-tk
cpppo
#cpppo
fs==2.3.0
tftpy
# some freezegun versions broken
pycrypto
sphinx_rtd_theme

10
docker/conpot/docker-compose.yml
View file

@ -40,7 +40,7 @@ services:
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
- $HOME/tpotce/data/conpot/log:/var/log/conpot
# Conpot IEC104 service
conpot_IEC104:
@ -64,7 +64,7 @@ services:
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
- $HOME/tpotce/data/conpot/log:/var/log/conpot
# Conpot guardian_ast service
conpot_guardian_ast:
@ -87,7 +87,7 @@ services:
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
- $HOME/tpotce/data/conpot/log:/var/log/conpot
# Conpot ipmi
conpot_ipmi:
@ -110,7 +110,7 @@ services:
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
- $HOME/tpotce/data/conpot/log:/var/log/conpot
# Conpot kamstrup_382
conpot_kamstrup_382:
@ -134,4 +134,4 @@ services:
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
- $HOME/tpotce/data/conpot/log:/var/log/conpot

72
docker/cowrie/Dockerfile
View file

@ -1,37 +1,37 @@
FROM alpine:3.17
FROM alpine:3.19
#
# Include dist
COPY dist/ /root/dist/
#
# Get and install dependencies & packages
RUN apk --no-cache -U add \
bash \
build-base \
git \
gmp-dev \
libcap \
libffi-dev \
mpc1-dev \
mpfr-dev \
openssl \
openssl-dev \
py3-appdirs \
py3-asn1-modules \
py3-attrs \
py3-bcrypt \
py3-cryptography \
py3-dateutil \
py3-greenlet \
py3-mysqlclient \
py3-openssl \
py3-packaging \
py3-parsing \
py3-pip \
py3-service_identity \
py3-treq \
py3-twisted \
python3 \
python3-dev && \
bash \
build-base \
git \
gmp-dev \
libcap \
libffi-dev \
mpc1-dev \
mpfr-dev \
openssl \
openssl-dev \
py3-appdirs \
py3-asn1-modules \
py3-attrs \
py3-bcrypt \
py3-cryptography \
py3-dateutil \
py3-greenlet \
py3-mysqlclient \
py3-openssl \
py3-packaging \
py3-parsing \
py3-pip \
py3-service_identity \
py3-treq \
py3-twisted \
python3 \
python3-dev && \
#
# Setup user
addgroup -g 2000 cowrie && \
@ -40,20 +40,20 @@ RUN apk --no-cache -U add \
# Install cowrie
mkdir -p /home/cowrie && \
cd /home/cowrie && \
git clone --depth=1 https://github.com/cowrie/cowrie -b v2.5.0 && \
#git clone --depth=1 https://github.com/cowrie/cowrie && \
# git clone --depth=1 https://github.com/cowrie/cowrie -b v2.5.0 && \
git clone --depth=1 https://github.com/cowrie/cowrie && \
cd cowrie && \
#git checkout 8b1e1cf4db0d3b0e70b470cf40385bbbd3ed1733 && \
git checkout 3394082040c02d91e79efa2c640ad68da9fe2231 && \
mkdir -p log && \
cp /root/dist/requirements.txt . && \
pip3 install --upgrade pip && \
pip3 install -r requirements.txt && \
pip3 install --break-system-packages --upgrade pip && \
pip3 install --break-system-packages -r requirements.txt && \
#
# Setup configs
export PYTHON_DIR=$(python3 --version | tr '[A-Z]' '[a-z]' | tr -d ' ' | cut -d '.' -f 1,2 ) && \
setcap cap_net_bind_service=+ep /usr/bin/$PYTHON_DIR && \
#export PYTHON_DIR=$(python3 --version | tr '[A-Z]' '[a-z]' | tr -d ' ' | cut -d '.' -f 1,2 ) && \
setcap cap_net_bind_service=+ep $(readlink -f $(type -P python3)) && \
cp /root/dist/cowrie.cfg /home/cowrie/cowrie/cowrie.cfg && \
chown cowrie:cowrie -R /home/cowrie/* /usr/lib/$PYTHON_DIR/site-packages/twisted/plugins && \
chown cowrie:cowrie -R /home/cowrie/* /usr/lib/$(readlink -f $(type -P python3) | cut -f4 -d"/")/site-packages/twisted/plugins && \
#
# Start Cowrie once to prevent dropin.cache errors upon container start caused by read-only filesystem
su - cowrie -c "export PYTHONPATH=/home/cowrie/cowrie:/home/cowrie/cowrie/src && \

8
docker/cowrie/docker-compose.yml
View file

@ -23,7 +23,7 @@ services:
image: "dtagdevsec/cowrie:alpha"
read_only: true
volumes:
- /data/cowrie/downloads:/home/cowrie/cowrie/dl
- /data/cowrie/keys:/home/cowrie/cowrie/etc
- /data/cowrie/log:/home/cowrie/cowrie/log
- /data/cowrie/log/tty:/home/cowrie/cowrie/log/tty
- $HOME/tpotce/data/cowrie/downloads:/home/cowrie/cowrie/dl
- $HOME/tpotce/data/cowrie/keys:/home/cowrie/cowrie/etc
- $HOME/tpotce/data/cowrie/log:/home/cowrie/cowrie/log
- $HOME/tpotce/data/cowrie/log/tty:/home/cowrie/cowrie/log/tty

34
docker/ddospot/Dockerfile
View file

@ -1,22 +1,22 @@
FROM alpine:3.17
FROM alpine:3.19
#
# Include dist
COPY dist/ /root/dist/
#
# Install packages
RUN apk --no-cache -U add \
build-base \
git \
libcap \
py3-colorama \
py3-greenlet \
py3-pip \
py3-schedule \
py3-sqlalchemy \
py3-twisted \
py3-wheel \
python3 \
python3-dev && \
build-base \
git \
libcap \
py3-colorama \
py3-greenlet \
py3-pip \
py3-schedule \
py3-sqlalchemy \
py3-twisted \
py3-wheel \
python3 \
python3-dev && \
#
# Install ddospot from GitHub and setup
mkdir -p /opt && \
@ -40,8 +40,8 @@ RUN apk --no-cache -U add \
sed -i "s#rotate_size = 10#rotate_size = 9999#g" /opt/ddospot/ddospot/pots/ntp/ntpot.conf && \
sed -i "s#rotate_size = 10#rotate_size = 9999#g" /opt/ddospot/ddospot/pots/ssdp/ssdpot.conf && \
cp /root/dist/requirements.txt . && \
pip3 install -r ddospot/requirements.txt && \
setcap cap_net_bind_service=+ep /usr/bin/python3.10 && \
pip3 install --break-system-packages -r ddospot/requirements.txt && \
setcap cap_net_bind_service=+ep $(readlink -f $(type -P python3)) && \
#
# Setup user, groups and configs
addgroup -g 2000 ddospot && \
@ -50,8 +50,8 @@ RUN apk --no-cache -U add \
#
# Clean up
apk del --purge build-base \
git \
python3-dev && \
git \
python3-dev && \
rm -rf /root/* && \
rm -rf /opt/ddospot/.git && \
rm -rf /var/cache/apk/*

6
docker/ddospot/docker-compose.yml
View file

@ -23,6 +23,6 @@ services:
image: "dtagdevsec/ddospot:alpha"
read_only: true
volumes:
- /data/ddospot/log:/opt/ddospot/ddospot/logs
- /data/ddospot/bl:/opt/ddospot/ddospot/bl
- /data/ddospot/db:/opt/ddospot/ddospot/db
- $HOME/tpotce/data/ddospot/log:/opt/ddospot/ddospot/logs
- $HOME/tpotce/data/ddospot/bl:/opt/ddospot/ddospot/bl
- $HOME/tpotce/data/ddospot/db:/opt/ddospot/ddospot/db

2
docker/tpotinit/Dockerfile
View file

@ -41,6 +41,6 @@ RUN apk --no-cache -U add \
#
# Run tpotinit
WORKDIR /opt/tpot
HEALTHCHECK --retries=1000 --interval=5s CMD test -f /tmp/success || exit 1
HEALTHCHECK --interval=5s CMD pgrep -f autoheal || exit 1
STOPSIGNAL SIGKILL
CMD ["/opt/tpot/entrypoint.sh"]

171
docker/tpotinit/dist/autoheal.sh vendored Executable file
View file

@ -0,0 +1,171 @@
#!/usr/bin/env sh
####################################################################
# docker-autoheal: https://github.com/willfarrell/docker-autoheal
####################################################################
set -e
# shellcheck disable=2039
set -o pipefail
DOCKER_SOCK=${DOCKER_SOCK:-/var/run/docker.sock}
UNIX_SOCK=""
CURL_TIMEOUT=${CURL_TIMEOUT:-30}
WEBHOOK_URL=${WEBHOOK_URL:-""}
WEBHOOK_JSON_KEY=${WEBHOOK_JSON_KEY:-"text"}
APPRISE_URL=${APPRISE_URL:-""}
# only use unix domain socket if no TCP endpoint is defined
case "${DOCKER_SOCK}" in
"tcp://"*) HTTP_ENDPOINT="$(echo ${DOCKER_SOCK} | sed 's#tcp://#http://#')"
;;
"tcps://"*) HTTP_ENDPOINT="$(echo ${DOCKER_SOCK} | sed 's#tcps://#https://#')"
CA="--cacert /certs/ca.pem"
CLIENT_KEY="--key /certs/client-key.pem"
CLIENT_CERT="--cert /certs/client-cert.pem"
;;
*) HTTP_ENDPOINT="http://localhost"
UNIX_SOCK="--unix-socket ${DOCKER_SOCK}"
;;
esac
# AUTOHEAL_CONTAINER_LABEL=${AUTOHEAL_CONTAINER_LABEL:-autoheal}
AUTOHEAL_CONTAINER_LABEL=${AUTOHEAL_CONTAINER_LABEL:-all}
AUTOHEAL_START_PERIOD=${AUTOHEAL_START_PERIOD:-0}
AUTOHEAL_INTERVAL=${AUTOHEAL_INTERVAL:-5}
AUTOHEAL_DEFAULT_STOP_TIMEOUT=${AUTOHEAL_DEFAULT_STOP_TIMEOUT:-10}
docker_curl() {
curl --max-time "${CURL_TIMEOUT}" --no-buffer -s \
${CA} ${CLIENT_KEY} ${CLIENT_CERT} \
${UNIX_SOCK} \
"$@"
}
# shellcheck disable=2039
get_container_info() {
local label_filter
local url
# Set container selector
if [ "$AUTOHEAL_CONTAINER_LABEL" = "all" ]
then
label_filter=""
else
label_filter=",\"label\":\[\"${AUTOHEAL_CONTAINER_LABEL}=true\"\]"
fi
url="${HTTP_ENDPOINT}/containers/json?filters=\{\"health\":\[\"unhealthy\"\]${label_filter}\}"
docker_curl "$url"
}
# shellcheck disable=2039
restart_container() {
local container_id="$1"
local timeout="$2"
docker_curl -f -X POST "${HTTP_ENDPOINT}/containers/${container_id}/restart?t=${timeout}"
}
notify_webhook() {
local text="$@"
if [ -n "$WEBHOOK_URL" ]
then
# execute webhook requests as background process to prevent healer from blocking
curl -s -X POST -H "Content-type: application/json" -d "$(generate_webhook_payload $text)" $WEBHOOK_URL
fi
if [ -n "$APPRISE_URL" ]
then
# execute webhook requests as background process to prevent healer from blocking
curl -s -X POST -H "Content-type: application/json" -d "$(generate_apprise_payload $text)" $APPRISE_URL
fi
}
notify_post_restart_script() {
if [ -n "$POST_RESTART_SCRIPT" ]
then
# execute post restart script as background process to prevent healer from blocking
$POST_RESTART_SCRIPT "$@" &
fi
}
# https://towardsdatascience.com/proper-ways-to-pass-environment-variables-in-json-for-curl-post-f797d2698bf3
generate_webhook_payload() {
local text="$@"
cat <<EOF
{
"$WEBHOOK_JSON_KEY":"$text"
}
EOF
}
generate_apprise_payload() {
local text="$@"
cat <<EOF
{
"title":"Autoheal",
"body":"$text"
}
EOF
}
# SIGTERM-handler
term_handler() {
exit 143 # 128 + 15 -- SIGTERM
}
# shellcheck disable=2039
trap 'kill $$; term_handler' SIGTERM
if [ "$1" = "autoheal" ]
then
if [ -n "$UNIX_SOCK" ] && ! [ -S "$DOCKER_SOCK" ]
then
echo "unix socket is currently not available" >&2
exit 1
fi
# Delayed startup
if [ "$AUTOHEAL_START_PERIOD" -gt 0 ]
then
echo "Monitoring containers for unhealthy status in $AUTOHEAL_START_PERIOD second(s)"
sleep "$AUTOHEAL_START_PERIOD" &
wait $!
fi
while true
do
STOP_TIMEOUT=".Labels[\"autoheal.stop.timeout\"] // $AUTOHEAL_DEFAULT_STOP_TIMEOUT"
get_container_info | \
jq -r ".[] | select(.Labels[\"autoheal\"] != \"False\") | foreach . as \$CONTAINER([];[]; \$CONTAINER | .Id, .Names[0], .State, ${STOP_TIMEOUT})" | \
while read -r CONTAINER_ID && read -r CONTAINER_NAME && read -r CONTAINER_STATE && read -r TIMEOUT
do
# shellcheck disable=2039
CONTAINER_SHORT_ID=${CONTAINER_ID:0:12}
DATE=$(date +%d-%m-%Y" "%H:%M:%S)
if [ "$CONTAINER_NAME" = "null" ]
then
echo "$DATE Container name of (${CONTAINER_SHORT_ID}) is null, which implies container does not exist - don't restart" >&2
elif [ "$CONTAINER_STATE" = "restarting" ]
then
echo "$DATE Container $CONTAINER_NAME (${CONTAINER_SHORT_ID}) found to be restarting - don't restart"
else
echo "$DATE Container $CONTAINER_NAME (${CONTAINER_SHORT_ID}) found to be unhealthy - Restarting container now with ${TIMEOUT}s timeout"
if ! restart_container "$CONTAINER_ID" "$TIMEOUT"
then
echo "$DATE Restarting container $CONTAINER_SHORT_ID failed" >&2
notify_webhook "Container ${CONTAINER_NAME:1} (${CONTAINER_SHORT_ID}) found to be unhealthy. Failed to restart the container!" &
else
notify_webhook "Container ${CONTAINER_NAME:1} (${CONTAINER_SHORT_ID}) found to be unhealthy. Successfully restarted the container!" &
fi
notify_post_restart_script "$CONTAINER_NAME" "$CONTAINER_SHORT_ID" "$CONTAINER_STATE" "$TIMEOUT" &
fi
done
sleep "$AUTOHEAL_INTERVAL" &
wait $!
done
else
exec "$@"
fi

25
docker/tpotinit/dist/entrypoint.sh vendored
View file

@ -132,6 +132,14 @@ if [ "${myOSTYPE}" == "linuxkit" ] && [ "${TPOT_OSTYPE}" == "linux" ];
echo "# Aborting."
echo
exit 1
else
if ! [ -S /var/run/docker.sock ];
then
echo "# Cannot access /var/run/docker.sock, check docker-compose.yml for proper volume definition."
echo
echo "# Aborting."
exit 1
fi
fi
# Validate environment variables
@ -292,18 +300,23 @@ echo
figlet "Starting ..."
figlet "T-Pot: ${TPOT_VERSION}"
echo
touch /tmp/success
# We want to see true source for UDP packets in container (https://github.com/moby/libnetwork/issues/1994)
# Start autoheal if running on a supported os
if [ "${myOSTYPE}" != "linuxkit" ];
then
sleep 60
sleep 1
echo "# Dropping UDP connection tables to improve visibility of true source IPs."
/usr/sbin/conntrack -D -p udp
# Starting container health monitoring
echo
figlet "Starting ..."
figlet "Autoheal"
echo "# Now monitoring healthcheck enabled containers to automatically restart them when unhealthy."
echo
exec /opt/tpot/autoheal.sh autoheal
else
echo
echo "# Docker Desktop for macOS or Windows detected, Conntrack feature is not supported."
echo
fi
# Keep the container running ...
sleep infinity
fi

2
docker/tpotinit/docker-compose.yml
View file

@ -11,7 +11,7 @@ services:
restart: "no"
image: "ghcr.io/telekom-security/tpotinit:alpha"
volumes:
# - /var/run/docker.sock:/var/run/docker.sock:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- $HOME/tpotce/data:/data
network_mode: "host"
cap_add:

1
install.sh
View file

@ -33,6 +33,7 @@ myCURRENT_DISTRIBUTION=$(awk -F= '/^NAME/{print $2}' /etc/os-release | tr -d '"'
if [[ ! " ${mySUPPORTED_DISTRIBUTIONS[@]} " =~ " ${myCURRENT_DISTRIBUTION} " ]];
then
echo "### Only the following distributions are supported: AlmaLinux, Fedora, Debian, openSUSE Tumbleweed, Rocky Linux and Ubuntu."
echo "### Please follow the T-Pot documentation on how to run T-Pot on macOS, Windows and other currently unsupported platforms."
echo
exit 1
fi