Hello, the author of Docker-bench-Security, the script that runs is currently 1.3.5, while the script that starts with Docker run is 1.3.4. Should this image be updated? #441

Closed
ghost opened this issue Jul 7, 2020 · 12 comments

Comments

@ghost

ghost commented Jul 7, 2020

The above is run using a script

```
# sh docker-bench-security.sh
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.5
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Benchmark v1.2.0.
# ------------------------------------------------------------------------------
```

The following one USES Docker Run

```
Digest: sha256:ddbdf4f86af4405da4a8a7b7cc62bb63bfeb75e85bf22d2ece70c204d7cfabb8
Status: Downloaded newer image for docker/docker-bench-security:latest
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.4
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Community Edition Benchmark v1.1.0.
# ------------------------------------------------------------------------------
```

@konstruktoid
Collaborator

Hi @zhaocheng173, it's a known issue. #405

@ghost
Author

ghost commented Jul 7, 2020

Using this binary package to build the image directly, is the image made the latest v1.3.5 ?

@konstruktoid
Collaborator

If you're cloning this repository and building an image, you'll get the updated code.

```
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker build --no-cache -t docker-bench-security .
```

@ghost
Author

ghost commented Jul 7, 2020

After execution it was found that an error was reported and my system was using centos7.7
Could you tell me how to modify this place?

```
# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
# docker build --no-cache -t docker-bench-security .

WARNING: Ignoring https://alpine.global.ssl.fastly.net/alpine/v3.10/main/x86_64/APKINDEX.tar.gz: network error (check Internet connection and firewall)
WARNING: Ignoring https://alpine.global.ssl.fastly.net/alpine/v3.10/community/x86_64/APKINDEX.tar.gz: network error (check Internet connection and firewall)
ERROR: unsatisfiable constraints:
  docker-cli (missing):
    required by: world[docker-cli]
  dumb-init (missing):
    required by: world[dumb-init]
  iproute2 (missing):
    required by: world[iproute2]
The command '/bin/sh -c set -eux;   sed -i 's!http://dl-cdn.alpinelinux.org/!https://alpine.global.ssl.fastly.net/!g' /etc/apk/repositories &&   apk add --no-cache     iproute2     docker-cli     dumb-init' returned a non-zero code: 3
```

```
RUN set -eux; \
  sed -i 's!http://dl-cdn.alpinelinux.org/!https://alpine.global.ssl.fastly.net/!g' /etc/apk/repositories && \
  apk add --no-cache \
    iproute2 \
    docker-cli \
    dumb-init
```

@konstruktoid
Collaborator

You had a network issue when building.

```
WARNING: Ignoring https://alpine.global.ssl.fastly.net/alpine/v3.10/main/x86_64/APKINDEX.tar.gz: network error (check Internet connection and firewall)
WARNING: Ignoring https://alpine.global.ssl.fastly.net/alpine/v3.10/community/x86_64/APKINDEX.tar.gz: network error (check Internet connection and firewall)
```

@ghost
Author

ghost commented Jul 7, 2020

It should be. I can't access this piece. Can the author build a mirror of this piece?

@konstruktoid
Collaborator

```
$ docker build --no-cache -t docker-bench-security .
Sending build context to Docker daemon  220.2kB
Step 1/9 : FROM alpine:3.12
3.12: Pulling from library/alpine
df20fa9351a1: Pull complete
Digest: sha256:185518070891758909c9f839cf4ca393ee977ac378609f700f60a771a2dfe321
Status: Downloaded newer image for alpine:3.12
 ---> a24bb4013296
Step 2/9 : LABEL   org.label-schema.name="docker-bench-security"   org.label-schema.url="https://dockerbench.com"   org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
 ---> Running in dd2fc6f05a63
Removing intermediate container dd2fc6f05a63
 ---> da604b456537
Step 3/9 : RUN set -eux;   sed -i 's!http://dl-cdn.alpinelinux.org/!https://alpine.global.ssl.fastly.net/!g' /etc/apk/repositories &&   apk add --no-cache     iproute2     docker-cli     dumb-init
 ---> Running in 4ffde4c5c1f3
+ sed -i 's!http://dl-cdn.alpinelinux.org/!https://alpine.global.ssl.fastly.net/!g' /etc/apk/repositories
+ apk add --no-cache iproute2 docker-cli dumb-init
fetch https://alpine.global.ssl.fastly.net/alpine/v3.12/main/x86_64/APKINDEX.tar.gz
fetch https://alpine.global.ssl.fastly.net/alpine/v3.12/community/x86_64/APKINDEX.tar.gz
(1/11) Installing ca-certificates (20191127-r4)
(2/11) Installing docker-cli (19.03.11-r0)
(3/11) Installing dumb-init (1.2.2-r1)
(4/11) Installing libbz2 (1.0.8-r1)
(5/11) Installing fts (1.2.7-r1)
(6/11) Installing xz-libs (5.2.5-r0)
(7/11) Installing libelf (0.179-r0)
(8/11) Installing libmnl (1.0.4-r0)
(9/11) Installing libnftnl-libs (1.1.6-r0)
(10/11) Installing iptables (1.8.4-r1)
(11/11) Installing iproute2 (5.6.0-r0)
Executing iproute2-5.6.0-r0.post-install
Executing busybox-1.31.1-r16.trigger
Executing ca-certificates-20191127-r4.trigger
OK: 81 MiB in 25 packages
Removing intermediate container 4ffde4c5c1f3
 ---> 580e277eedc1
Step 4/9 : COPY ./*.sh /usr/local/bin/
 ---> 227dcd78a69c
Step 5/9 : COPY ./tests/*.sh /usr/local/bin/tests/
 ---> 3ccb2e51e3b3
Step 6/9 : HEALTHCHECK CMD exit 0
 ---> Running in 4d9775c3551d
Removing intermediate container 4d9775c3551d
 ---> 4a2a7e35c4a1
Step 7/9 : WORKDIR /usr/local/bin
 ---> Running in b6054301653c
Removing intermediate container b6054301653c
 ---> aa3ad3849b23
Step 8/9 : ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ]
 ---> Running in aed3912e081b
Removing intermediate container aed3912e081b
 ---> 3fb846ca7a1f
Step 9/9 : CMD [""]
 ---> Running in da295ecc8c65
Removing intermediate container da295ecc8c65
 ---> 7ac0f5a74c38
Successfully built 7ac0f5a74c38
Successfully tagged docker-bench-security:latest
```

@ghost
Author

ghost commented Jul 7, 2020

Can I upload the image to Docker hub? I always fail to build it due to network reasons

@konstruktoid
Collaborator

Feel free to do so.

@ghost
Author

ghost commented Jul 7, 2020

Well, my image cannot be built due to network reasons. Can the author upload the image of 1.3.5 to Docker Hub?

@konstruktoid
Collaborator

I actually can't, see #405 (comment)

@konstruktoid
Collaborator

Closing since we're all waiting for the Docker organization.
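
A check for the mismatch reported in this issue, as an added example that is not part of the thread or the project's code: it parses the two banners shown at the top of the issue and reports whether the published image lags the checked-out script. The function names are hypothetical, and the parsing assumes the banner format printed in this thread.

```shell
#!/bin/sh
# Added example: detect a published image that lags behind the checked-out
# script by comparing the version banners each one prints.

# Banner lines copied from the two runs shown in this thread.
SCRIPT_BANNER='# Docker Bench for Security v1.3.5
# Inspired by the CIS Docker Benchmark v1.2.0.'
IMAGE_BANNER='# Docker Bench for Security v1.3.4
# Inspired by the CIS Docker Community Edition Benchmark v1.1.0.'

# Print the tool version (e.g. 1.3.5) from a banner; prints nothing if absent.
bench_version() {
  printf '%s\n' "$1" |
    sed -n 's/^# Docker Bench for Security v\([0-9][0-9.]*[0-9]\).*$/\1/p' | head -n 1
}

# Print the CIS benchmark version the banner names (trailing full stop dropped).
cis_version() {
  printf '%s\n' "$1" |
    sed -n 's/^# Inspired by the CIS .*Benchmark v\([0-9][0-9.]*[0-9]\).*$/\1/p' | head -n 1
}

# Return 0 when dotted version $1 is strictly older than $2 (numeric per field).
version_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 1
}

# Print "stale" when the image banner ($2) reports an older tool version than
# the script banner ($1), "current" otherwise, "unknown" if either fails to parse.
image_status() {
  s=$(bench_version "$1"); i=$(bench_version "$2")
  if [ -z "$s" ] || [ -z "$i" ]; then echo unknown
  elif version_lt "$i" "$s"; then echo stale
  else echo current
  fi
}

echo "script: v$(bench_version "$SCRIPT_BANNER"), CIS v$(cis_version "$SCRIPT_BANNER")"
echo "image:  v$(bench_version "$IMAGE_BANNER"), CIS v$(cis_version "$IMAGE_BANNER")"
echo "image is $(image_status "$SCRIPT_BANNER" "$IMAGE_BANNER")"
```

A "stale" result here also means the audit runs against an older CIS benchmark revision (v1.1.0 instead of v1.2.0), so results from the two run methods are not directly comparable.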
