
Add uwsgi vars to docker-compose.yml #11186

Open
wants to merge 1 commit into base: dev

Conversation

optimistic5 (Contributor)

Description

Add variables for the nginx service in docker-compose.yml.
Without them, nginx will create the default /run/defectdojo/uwsgi_server, which is

    server uwsgi:3031;

Having these variables gives the opportunity to change the name of the uwsgi service in docker-compose.yml and properly create /run/defectdojo/uwsgi_server.

@github-actions github-actions bot added the docker label Nov 4, 2024

dryrunsecurity bot commented Nov 4, 2024

DryRun Security Summary


Summary:

The provided code change in the docker-compose.yml file appears to be related to the configuration of the Nginx service in the DefectDojo application. The changes include the addition of two new environment variables, DD_UWSGI_HOST and DD_UWSGI_PORT, which are likely used to configure the connection between the Nginx service and the uWSGI service.

From an application security perspective, it is important to ensure that the entire deployment process, including the configuration of environment variables, database connections, and volume mounts, is properly secured to mitigate potential security risks. This includes ensuring that sensitive information, such as the DD_SECRET_KEY and DD_CREDENTIAL_AES_256_KEY, is properly secured and not exposed in the deployment process. Additionally, it is crucial to ensure that the database connection, Celery broker, and initialization process are all properly secured and configured with appropriate access controls.

Files Changed:

  • docker-compose.yml: The changes in this file include the addition of two new environment variables, DD_UWSGI_HOST and DD_UWSGI_PORT, which are likely used to configure the connection between the Nginx service and the uWSGI service. The application also uses several other environment variables, such as DD_SECRET_KEY, DD_CREDENTIAL_AES_256_KEY, DD_DATABASE_URL, and DD_CELERY_BROKER_URL, which should be properly secured and configured with appropriate access controls. The application also uses an initializer service to initialize the application, including creating the admin user, which should be reviewed to ensure that the initialization process is secure.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.


@kiblik (Contributor)

kiblik commented Nov 4, 2024

Any idea why these

    DD_UWSGI_HOST="uwsgi" \
    DD_UWSGI_PORT="3031" \

    DD_UWSGI_HOST="uwsgi" \
    DD_UWSGI_PORT="3031" \

are not enough?

@optimistic5 (Contributor, Author)

@kiblik your snippet will work if you build your local image.
But if you use the public image in your docker-compose service, it will take the defaults.

    image: "defectdojo/defectdojo-django:2.39.4-debian"

@kiblik (Contributor)

kiblik commented Nov 4, 2024

> @kiblik your snippet will work if you build your local image.
> But if you use the public image in your docker-compose service, it will take the defaults.
>
>     image: "defectdojo/defectdojo-django:2.39.4-debian"

Please tell me where I'm wrong, but I see it as part of the public image as well (layer 25): https://hub.docker.com/layers/defectdojo/defectdojo-nginx/2.39.4-debian/images/sha256-61d336d0100f6b505af222b6e49d8ccb0f1cb7951e5ec24541a934286a9cec8a?context=explore

You mentioned django image but I suppose you wanted to write nginx.

@mtesauro (Contributor)

mtesauro commented Nov 5, 2024

@optimistic5 I agree with @kiblik here.

You can either set an env variable or add it to the compose stanza when using the existing upstream container image directly from Docker hub.

Have you tried adding a stanza similar to the below to your compose section for Nginx to override the default?

    environment:
      DD_UWSGI_PORT: "3333"
      ...

(assuming you wanted port 3333)

Here's the relevant line of the Nginx container entrypoint script that sets that dynamically.
https://github.com/DefectDojo/django-DefectDojo/blob/master/docker/entrypoint-nginx.sh#L36-L37

I've done this in the past without any issue/problems.

@optimistic5 (Contributor, Author)

no, no.
@kiblik @mtesauro
Let me explain in more detail.

Let's take the official docker-compose.yml and make 2 modifications:

  1. remove build, so we will use the official image
  2. change the name of the docker-compose uwsgi service
docker-compose.yml

```yaml
# This docker-compose.yml file is fully functional to evaluate DefectDojo
# in your local environment.
#
# Although Docker Compose is one of the supported installation methods to
# deploy a containerized DefectDojo in a production environment, the
# docker-compose.yml file is not intended for production use without first
# customizing it to your particular situation.
---
services:
  nginx:
    image: "defectdojo/defectdojo-nginx:${NGINX_VERSION:-latest}"
    depends_on:
      - dd-demo-uwsgi
    environment:
      NGINX_METRICS_ENABLED: "${NGINX_METRICS_ENABLED:-false}"
    volumes:
      - defectdojo_media:/usr/share/nginx/html/media
    ports:
      - target: 8080
        published: ${DD_PORT:-8080}
        protocol: tcp
        mode: host
      - target: 8443
        published: ${DD_TLS_PORT:-8443}
        protocol: tcp
        mode: host
  dd-demo-uwsgi:
    image: "defectdojo/defectdojo-django:${DJANGO_VERSION:-latest}"
    depends_on:
      - postgres
    entrypoint: ['/wait-for-it.sh', '${DD_DATABASE_HOST:-postgres}:${DD_DATABASE_PORT:-5432}', '-t', '30', '--', '/entrypoint-uwsgi.sh']
    environment:
      DD_DEBUG: 'False'
      DD_DJANGO_METRICS_ENABLED: "${DD_DJANGO_METRICS_ENABLED:-False}"
      DD_ALLOWED_HOSTS: "${DD_ALLOWED_HOSTS:-*}"
      DD_DATABASE_URL: ${DD_DATABASE_URL:-postgresql://defectdojo:defectdojo@postgres:5432/defectdojo}
      DD_CELERY_BROKER_URL: ${DD_CELERY_BROKER_URL:-redis://redis:6379/0}
      DD_SECRET_KEY: "${DD_SECRET_KEY:-hhZCp@D28z!n@NED*yB!ROMt+WzsY*iq}"
      DD_CREDENTIAL_AES_256_KEY: "${DD_CREDENTIAL_AES_256_KEY:-&91a*agLqesc*0DJ+2*bAbsUZfR*4nLw}"
      DD_DATABASE_READINESS_TIMEOUT: "${DD_DATABASE_READINESS_TIMEOUT:-30}"
    volumes:
      - type: bind
        source: ./docker/extra_settings
        target: /app/docker/extra_settings
      - "defectdojo_media:${DD_MEDIA_ROOT:-/app/media}"
  celerybeat:
    image: "defectdojo/defectdojo-django:${DJANGO_VERSION:-latest}"
    depends_on:
      - postgres
      - redis
    entrypoint: ['/wait-for-it.sh', '${DD_DATABASE_HOST:-postgres}:${DD_DATABASE_PORT:-5432}', '-t', '30', '--', '/entrypoint-celery-beat.sh']
    environment:
      DD_DATABASE_URL: ${DD_DATABASE_URL:-postgresql://defectdojo:defectdojo@postgres:5432/defectdojo}
      DD_CELERY_BROKER_URL: ${DD_CELERY_BROKER_URL:-redis://redis:6379/0}
      DD_SECRET_KEY: "${DD_SECRET_KEY:-hhZCp@D28z!n@NED*yB!ROMt+WzsY*iq}"
      DD_CREDENTIAL_AES_256_KEY: "${DD_CREDENTIAL_AES_256_KEY:-&91a*agLqesc*0DJ+2*bAbsUZfR*4nLw}"
      DD_DATABASE_READINESS_TIMEOUT: "${DD_DATABASE_READINESS_TIMEOUT:-30}"
    volumes:
      - type: bind
        source: ./docker/extra_settings
        target: /app/docker/extra_settings
  celeryworker:
    image: "defectdojo/defectdojo-django:${DJANGO_VERSION:-latest}"
    depends_on:
      - postgres
      - redis
    entrypoint: ['/wait-for-it.sh', '${DD_DATABASE_HOST:-postgres}:${DD_DATABASE_PORT:-5432}', '-t', '30', '--', '/entrypoint-celery-worker.sh']
    environment:
      DD_DATABASE_URL: ${DD_DATABASE_URL:-postgresql://defectdojo:defectdojo@postgres:5432/defectdojo}
      DD_CELERY_BROKER_URL: ${DD_CELERY_BROKER_URL:-redis://redis:6379/0}
      DD_SECRET_KEY: "${DD_SECRET_KEY:-hhZCp@D28z!n@NED*yB!ROMt+WzsY*iq}"
      DD_CREDENTIAL_AES_256_KEY: "${DD_CREDENTIAL_AES_256_KEY:-&91a*agLqesc*0DJ+2*bAbsUZfR*4nLw}"
      DD_DATABASE_READINESS_TIMEOUT: "${DD_DATABASE_READINESS_TIMEOUT:-30}"
    volumes:
      - type: bind
        source: ./docker/extra_settings
        target: /app/docker/extra_settings
      - "defectdojo_media:${DD_MEDIA_ROOT:-/app/media}"
  initializer:
    image: "defectdojo/defectdojo-django:${DJANGO_VERSION:-latest}"
    depends_on:
      - postgres
    entrypoint: ['/wait-for-it.sh', '${DD_DATABASE_HOST:-postgres}:${DD_DATABASE_PORT:-5432}', '--', '/entrypoint-initializer.sh']
    environment:
      DD_DATABASE_URL: ${DD_DATABASE_URL:-postgresql://defectdojo:defectdojo@postgres:5432/defectdojo}
      DD_ADMIN_USER: "${DD_ADMIN_USER:-admin}"
      DD_ADMIN_MAIL: "${DD_ADMIN_USER:-admin@defectdojo.local}"
      DD_ADMIN_FIRST_NAME: "${DD_ADMIN_FIRST_NAME:-Admin}"
      DD_ADMIN_LAST_NAME: "${DD_ADMIN_LAST_NAME:-User}"
      DD_INITIALIZE: "${DD_INITIALIZE:-true}"
      DD_SECRET_KEY: "${DD_SECRET_KEY:-hhZCp@D28z!n@NED*yB!ROMt+WzsY*iq}"
      DD_CREDENTIAL_AES_256_KEY: "${DD_CREDENTIAL_AES_256_KEY:-&91a*agLqesc*0DJ+2*bAbsUZfR*4nLw}"
      DD_DATABASE_READINESS_TIMEOUT: "${DD_DATABASE_READINESS_TIMEOUT:-30}"
    volumes:
      - type: bind
        source: ./docker/extra_settings
        target: /app/docker/extra_settings
  postgres:
    image: postgres:17.0-alpine@sha256:14195b0729fce792f47ae3c3704d6fd04305826d57af3b01d5b4d004667df174
    environment:
      POSTGRES_DB: ${DD_DATABASE_NAME:-defectdojo}
      POSTGRES_USER: ${DD_DATABASE_USER:-defectdojo}
      POSTGRES_PASSWORD: ${DD_DATABASE_PASSWORD:-defectdojo}
    volumes:
      - defectdojo_postgres:/var/lib/postgresql/data
  redis:
    image: redis:7.2.5-alpine@sha256:6aaf3f5e6bc8a592fbfe2cccf19eb36d27c39d12dab4f4b01556b7449e7b1f44
    volumes:
      - defectdojo_redis:/data
volumes:
  defectdojo_postgres: {}
  defectdojo_media: {}
  defectdojo_redis: {}
```

I changed the service `uwsgi` to `dd-demo-uwsgi` and, under the `nginx` part, changed `depends_on` to `dd-demo-uwsgi`.

What will happen?
nginx will start with entrypoint-nginx.sh; on line 37 it will create /run/defectdojo/uwsgi_server with DD_UWSGI_HOST and DD_UWSGI_PORT, which default to uwsgi and 3031.
But our uwsgi host is now called dd-demo-uwsgi.
We will get this error in nginx:
[screenshot of the nginx error, not reproduced]

To solve it, during entrypoint-nginx.sh we need to provide the proper values of DD_UWSGI_HOST and DD_UWSGI_PORT, which we can set with the changes I made in this PR.
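
The failure mode described in the comment above (the nginx entrypoint rendering `server <DD_UWSGI_HOST>:<DD_UWSGI_PORT>;` into /run/defectdojo/uwsgi_server while the compose service it points at has been renamed) can be caught before the stack is started. The script below is an added example, not code from this PR or from the DefectDojo project: it re-implements the upstream rendering the way the thread describes it (the defaults `uwsgi`/`3031` and the output path are taken from the discussion, not copied from the real entrypoint-nginx.sh), extracts the DD_UWSGI_HOST the nginx service will actually see from a compose file, and checks that it names a service defined in the same file. The compose content is constructed sample input, and the line-oriented YAML handling only understands plain literal values such as those in the sample (no `${VAR:-default}` expansion).

```shell
#!/bin/sh
# Added example, not DefectDojo project code. Mirrors what the thread says
# entrypoint-nginx.sh does (server ${DD_UWSGI_HOST}:${DD_UWSGI_PORT}; with
# defaults uwsgi/3031) and lints a compose file for the renamed-service case.
# Assumptions: the defaults and the output path are as described in the
# thread; only plain literal values in the nginx "environment:" map are parsed.

# Upstream line the nginx container writes to /run/defectdojo/uwsgi_server:
# the env var if present in the container's environment, otherwise the default.
render_uwsgi_upstream() {
  printf 'server %s:%s;\n' "${DD_UWSGI_HOST:-uwsgi}" "${DD_UWSGI_PORT:-3031}"
}

# Service names in a compose file: two-space-indented keys under "services:".
compose_services() {
  awk '
    /^services:/ { in_services = 1; next }
    /^[^ \t]/    { in_services = 0 }
    in_services && /^  [A-Za-z0-9_.-]+:[ \t]*$/ { sub(/^  /, ""); sub(/:.*/, ""); print }
  ' "$1"
}

# DD_UWSGI_HOST as the nginx container will see it: the value in the nginx
# service's environment: map, or the image default "uwsgi" when it is absent.
compose_nginx_uwsgi_host() {
  v=$(awk '
    /^services:/ { in_services = 1; next }
    /^[^ \t]/    { in_services = 0 }
    in_services && /^  [A-Za-z0-9_.-]+:[ \t]*$/ { svc = $1; sub(/:$/, "", svc) }
    in_services && svc == "nginx" && /^[ \t]+DD_UWSGI_HOST:/ {
      val = $2; gsub(/["'\'']/, "", val); print val; exit
    }
  ' "$1")
  printf '%s\n' "${v:-uwsgi}"
}

# Succeeds only if the host nginx will proxy to is a service in the same file.
check_nginx_upstream() {
  compose_services "$1" | grep -qx -e "$(compose_nginx_uwsgi_host "$1")"
}

# Constructed sample (not the project's file): uwsgi renamed to dd-demo-uwsgi,
# written with ($2 = 1) or without ($2 = 0) the nginx environment: fix.
write_sample_compose() {
  {
    cat <<'EOF'
services:
  nginx:
    image: "defectdojo/defectdojo-nginx:latest"
    depends_on:
      - dd-demo-uwsgi
EOF
    if [ "$2" = 1 ]; then
      cat <<'EOF'
    environment:
      DD_UWSGI_HOST: "dd-demo-uwsgi"
      DD_UWSGI_PORT: "3031"
EOF
    fi
    cat <<'EOF'
  dd-demo-uwsgi:
    image: "defectdojo/defectdojo-django:latest"
volumes:
  defectdojo_media: {}
EOF
  } > "$1"
}

# Demo: the renamed service without the environment: block is flagged,
# the version carrying DD_UWSGI_HOST passes.
tmp=$(mktemp -d)
write_sample_compose "$tmp/broken.yml" 0
write_sample_compose "$tmp/fixed.yml" 1
for name in broken fixed; do
  host=$(compose_nginx_uwsgi_host "$tmp/$name.yml")
  if check_nginx_upstream "$tmp/$name.yml"; then
    echo "$name.yml: nginx -> $host, which is a compose service: OK"
  else
    echo "$name.yml: nginx -> $host, which is not a compose service: set DD_UWSGI_HOST"
  fi
done
rm -r "$tmp"
```

Run it against a real compose file with `check_nginx_upstream docker-compose.yml` after sourcing the functions; a non-zero exit means nginx would resolve an upstream name that no service in that file provides, which is exactly the situation in the screenshot above.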

@kiblik (Contributor)

kiblik commented Nov 5, 2024

If you change the name of a container in docker-compose.yaml, you are performing a customization (changing the default setup). It is absolutely fine. But it means you are aware that this change might also require changing some other params to non-default values.

I do not understand why it is needed to define the same defaults in 2 different places.
You can change the mentioned EnvVars in your setup without defining new defaults in the common repository.

And if you see it as handy for others, to let them know what needs to be adjusted in case of a change of container name, I suppose it might be done in the documentation.

@optimistic5 (Contributor, Author)

@kiblik
let's talk from a different angle.

> I do not understand why it is needed to define the same defaults on 2 different places.

In Dockerfile.django-debian we already have variables like

    DD_ADMIN_USER
    DD_ADMIN_MAIL
    DD_ADMIN_FIRST_NAME
    DD_ADMIN_LAST_NAME
    DD_INITIALIZE

and at the same time in docker-compose.yml we have defaults for them, right? It looks like "the same defaults defined in 2 different places", right?
No, we have defaults and we overwrite them.

  1. If I changed the name of the service for postgres, I would easily understand that I need to change the
     DD_DATABASE_URL variable. It would take me a minute.
     In my case, when I changed the uwsgi service name, I spent a few hours on the issue from the screenshot above.
     I was reading the nginx config, then docker/entrypoint-uwsgi.sh, then docker/entrypoint-nginx.sh to understand that nginx constructs the uwsgi connection string from variables which I should redefine.

  2. If you run two instances of docker-compose.yml in one docker network, it will work unexpectedly.
     The second docker-compose will connect to uwsgi:3031 of the first docker-compose.

  3. It is a matter of consistency. Why do we have variables and defaults for DD_DATABASE_HOST and DD_CELERY_BROKER_URL, but not for uwsgi?

Thank you.

@kiblik (Contributor)

kiblik commented Nov 5, 2024

@optimistic5, now I better understand your point of view. Thank you.

TBH, I'm also not happy about the other defaults (you listed DD_ADMIN_USER, DD_ADMIN_MAIL, ...) and I (personally) would prefer to drop them as well. This would have to be connected with better documentation of all settings (static in EnvVars and dynamic in the UI) to avoid the necessity to read the code.

I do not have the capacity at the moment to perform this ^ kind of improvement. But I would be happy to know the opinions of others in the community. This is open source, and if it makes sense to others, let's go for it.
