From 66c529e610d0c8609790fc39b8676d3dfc5b849c Mon Sep 17 00:00:00 2001
From: Andras Fekete
Date: Fri, 14 Jul 2023 12:18:56 -0400
Subject: [PATCH 1/6] Add in PKIXSSH
---
 Docker/Dockerfile | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/Docker/Dockerfile b/Docker/Dockerfile
index dc4681f21..aa1887027 100644
--- a/Docker/Dockerfile
+++ b/Docker/Dockerfile
@@ -25,6 +25,10 @@ RUN mkdir /opt/sources
 RUN cd /opt/sources && git clone --single-branch https://github.com/cisco/hash-sigs.git && cd hash-sigs && git checkout b0631b8891295bf2929e68761205337b7c031726 \
 && sed -i 's/USE_OPENSSL 1/USE_OPENSSL 0/g' sha256.h && make -j4 hss_lib_thread.a
+# Install pkixssh to /opt/pkixssh for X509 interop testing with wolfSSH
+RUN mkdir /var/empty
+RUN cd /opt/sources && wget https://roumenpetrov.info/secsh/src/pkixssh-14.1.1.tar.gz && tar xvf pkixssh-14.1.1.tar.gz && cd pkixssh-14.1.1 && ./configure --prefix=/opt/pkixssh/ --exec-prefix=/opt/pkixssh/ && make install
+
 # Allow non-root to use tcpdump (will need NET_RAW and NET_ADMIN capability when running the container)
 RUN setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/tcpdump
From 6b1513a769cd19b3435f465689d79989e090915e Mon Sep 17 00:00:00 2001
From: Andras Fekete
Date: Wed, 19 Jul 2023 15:24:28 -0400
Subject: [PATCH 2/6] Clean up garbage characters
---
 Docker/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Docker/Dockerfile b/Docker/Dockerfile
index aa1887027..6fcaa9db6 100644
--- a/Docker/Dockerfile
+++ b/Docker/Dockerfile
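Review bot: The pkixssh tarball fetched on the `+RUN cd /opt/sources && wget https://roumenpetrov.info/secsh/src/pkixssh-14.1.1.tar.gz ...` line is unpacked and built with no integrity check, so the image content depends on whatever that host serves at build time, while the hash-sigs clone two lines above pins an exact commit and deserves a matching level of care here. Patch 3/6 rewrites the same line to stream the download straight into `tar xzf -`, which keeps the gap and makes a verification step harder to add later. A form that keeps the archive on disk long enough to check it would be `wget -q https://roumenpetrov.info/secsh/src/pkixssh-14.1.1.tar.gz && echo "<EXPECTED_SHA256>  pkixssh-14.1.1.tar.gz" | sha256sum -c - && tar xzf pkixssh-14.1.1.tar.gz`, with the digest recorded in the Dockerfile next to the version (the `<EXPECTED_SHA256>` placeholder is to be filled in from a trusted copy of the release). The remaining lines of this hunk are the existing tcpdump setcap step, unchanged.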
@@ -26,8 +26,8 @@ RUN cd /opt/sources && git clone --single-branch https://github.com/cisco/hash-s
 && sed -i 's/USE_OPENSSL 1/USE_OPENSSL 0/g' sha256.h && make -j4 hss_lib_thread.a
 # Install pkixssh to /opt/pkixssh for X509 interop testing with wolfSSH
-RUN mkdir /var/empty
-RUN cd /opt/sources && wget https://roumenpetrov.info/secsh/src/pkixssh-14.1.1.tar.gz && tar xvf pkixssh-14.1.1.tar.gz && cd pkixssh-14.1.1 && ./configure --prefix=/opt/pkixssh/ --exec-prefix=/opt/pkixssh/ && make install
+RUN mkdir /var/empty
+RUN cd /opt/sources && wget https://roumenpetrov.info/secsh/src/pkixssh-14.1.1.tar.gz && tar xvf pkixssh-14.1.1.tar.gz && cd pkixssh-14.1.1 && ./configure --prefix=/opt/pkixssh/ --exec-prefix=/opt/pkixssh/ && make install
 # Allow non-root to use tcpdump (will need NET_RAW and NET_ADMIN capability when running the container)
 RUN setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/tcpdump
From 568bf35555f09389b3e3944b8c2baf6ec0583a13 Mon Sep 17 00:00:00 2001
From: Andras Fekete
Date: Fri, 11 Aug 2023 11:22:08 -0400
Subject: [PATCH 3/6] Reduce image size
---
 Docker/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Docker/Dockerfile b/Docker/Dockerfile
index 6fcaa9db6..5ee11295b 100644
--- a/Docker/Dockerfile
+++ b/Docker/Dockerfile
@@ -27,7 +27,7 @@ RUN cd /opt/sources && git clone --single-branch https://github.com/cisco/hash-s
 # Install pkixssh to /opt/pkixssh for X509 interop testing with wolfSSH
 RUN mkdir /var/empty
-RUN cd /opt/sources && wget https://roumenpetrov.info/secsh/src/pkixssh-14.1.1.tar.gz && tar xvf pkixssh-14.1.1.tar.gz && cd pkixssh-14.1.1 && ./configure --prefix=/opt/pkixssh/ --exec-prefix=/opt/pkixssh/ && make install
+RUN cd /opt/sources && wget -q -O- https://roumenpetrov.info/secsh/src/pkixssh-14.1.1.tar.gz | tar xzf - && cd pkixssh-14.1.1 && ./configure --prefix=/opt/pkixssh/ --exec-prefix=/opt/pkixssh/ && make install
 # Allow non-root to use tcpdump (will need NET_RAW and NET_ADMIN capability when running the container)
 RUN setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/tcpdump
From 4167a51fe9298fec1cad79b7eedaac24184bdcdb Mon Sep 17 00:00:00 2001
From: Andras Fekete
Date: Fri, 11 Aug 2023 11:23:09 -0400
Subject: [PATCH 4/6] Add in 'udp-proxy'
---
 Docker/Dockerfile | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/Docker/Dockerfile b/Docker/Dockerfile
index 5ee11295b..218be5c3f 100644
--- a/Docker/Dockerfile
+++ b/Docker/Dockerfile
@@ -5,9 +5,10 @@ USER root
 ARG DEPS_WOLFSSL="build-essential autoconf libtool clang clang-tools zlib1g-dev libuv1-dev libpam0g-dev valgrind git linux-headers-generic gcc-multilib g++-multilib libpcap-dev bubblewrap gdb iputils-ping lldb bsdmainutils netcat binutils-arm-linux-gnueabi binutils-aarch64-linux-gnu"
 ARG DEPS_LIBOQS="astyle cmake gcc ninja-build libssl-dev python3-pytest python3-pytest-xdist unzip xsltproc doxygen graphviz python3-yaml valgrind git"
+ARG DEPS_UDP_PROXY="wget libevent-dev"
 ARG DEPS_TESTS="abi-dumper libcurl4-openssl-dev tcpdump"
 RUN DEBIAN_FRONTEND=noninteractive apt update && apt install -y apt-utils \
- && apt install -y ${DEPS_WOLFSSL} ${DEPS_LIBOQS} ${DEPS_TESTS} \
+ && apt install -y ${DEPS_WOLFSSL} ${DEPS_LIBOQS} ${DEPS_UDP_PROXY} ${DEPS_TESTS} \
 && apt clean -y && rm -rf /var/lib/apt/lists/*
 ARG USER=docker
@@ -29,6 +30,9 @@ RUN cd /opt/sources && git clone --single-branch https://github.com/cisco/hash-s
 RUN mkdir /var/empty
 RUN cd /opt/sources && wget -q -O- https://roumenpetrov.info/secsh/src/pkixssh-14.1.1.tar.gz | tar xzf - && cd pkixssh-14.1.1 && ./configure --prefix=/opt/pkixssh/ --exec-prefix=/opt/pkixssh/ && make install
+# Install udp/tcp-proxy
+RUN cd /opt/sources && git clone --depth=1 --single-branch --branch=main http://github.com/wolfssl/udp-proxy && cd udp-proxy && make && cp tcp_proxy udp_proxy /bin/.
+
 # Allow non-root to use tcpdump (will need NET_RAW and NET_ADMIN capability when running the container)
 RUN setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/tcpdump
From 5002ef19b1cf03146b9fbf5d9a551d1da414e78b Mon Sep 17 00:00:00 2001
From: Andras Fekete
Date: Mon, 14 Aug 2023 11:21:00 -0400
Subject: [PATCH 5/6] Give GDB permission to attach to processes as non-root
---
 Docker/Dockerfile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Docker/Dockerfile b/Docker/Dockerfile
index 218be5c3f..f0f74507f 100644
--- a/Docker/Dockerfile
+++ b/Docker/Dockerfile
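Review bot: The udp-proxy clone in the second hunk, `+RUN cd /opt/sources && git clone --depth=1 --single-branch --branch=main http://github.com/wolfssl/udp-proxy ...`, fetches over a plain `http://` URL and an unpinned `main` branch, then copies the resulting `tcp_proxy` and `udp_proxy` binaries into `/bin`, so the image picks up whatever that branch holds at build time over a connection that starts out unencrypted. The hash-sigs step earlier in this Dockerfile checks out a fixed commit after cloning; this step should do the same, for example `git clone --single-branch --branch=main https://github.com/wolfssl/udp-proxy && cd udp-proxy && git checkout <PINNED_COMMIT> && make && cp tcp_proxy udp_proxy /bin/.`, where `<PINNED_COMMIT>` is a placeholder for the reviewed revision. Note that `--depth=1` cannot be kept as-is once a specific commit is checked out, since a shallow clone only contains the branch tip. The first hunk of this patch, which only adds `DEPS_UDP_PROXY` to the apt install list, needs no change.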
@@ -35,5 +35,7 @@ RUN cd /opt/sources && git clone --depth=1 --single-branch --branch=main http://
 # Allow non-root to use tcpdump (will need NET_RAW and NET_ADMIN capability when running the container)
 RUN setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/tcpdump
+# Allow non-root to use gdb on processes (will need SYS_PTRACE capability when running the container)
+RUN setcap 'CAP_SYS_PTRACE+eip' /usr/bin/gdb
 USER ${UID}:${GID}
\ No newline at end of file
From 300c1834539fccba05e512aaf3c3678c05944a13 Mon Sep 17 00:00:00 2001
From: Andras Fekete
Date: Mon, 14 Aug 2023 11:21:12 -0400
Subject: [PATCH 6/6] Update README
---
 Docker/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Docker/README.md b/Docker/README.md
index 8855aba30..bb4ba3eb9 100644
--- a/Docker/README.md
+++ b/Docker/README.md
@@ -1,7 +1,7 @@
 # Overview
-This is a simple Docker environment for compiling and running WolfSSL. Use `run.sh` to build everything (Docker container, WolfSSL, etc.). This script takes in arguments that can be passed to `./configure`. For example: `run.sh --enable-all`
+This is a Docker environment for compiling, testing and running WolfSSL. Use `run.sh` to build everything (Docker container, WolfSSL, etc.). This script takes in arguments that can be passed to `./configure`. For example: `run.sh --enable-all`
-When the compilation and tests succeed, you will be dropped in to a shell environment within the container. This can be useful to build other things within the environment.
+When the compilation and tests succeed, you will be dropped in to a shell environment within the container. This can be useful to build other things within the environment. Additional tests can be run as well as debugging of code.
 # FAQ
 ## permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock
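Review bot: The comment above `+RUN setcap 'CAP_SYS_PTRACE+eip' /usr/bin/gdb` undersells what the file capability grants: with the effective bit set, every gdb run inside the container can attach to any process in the container regardless of which user owns it, which is a broader grant than the tcpdump capabilities two lines above and worth stating for anyone who reuses this image beyond a single-user dev box. It is also worth recording that the host kernel's Yama setting can still refuse the attach even when the capability is present (`kernel.yama.ptrace_scope` of 3 blocks PTRACE_ATTACH outright), so the "will need SYS_PTRACE" remark is necessary but not always sufficient. Suggested comment: `# Allow non-root gdb to attach to any process in the container (file capability; the container must be started with SYS_PTRACE and the host's kernel.yama.ptrace_scope must allow it)`. The README hunk in patch 6/6 is documentation only and needs no review.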