metasploit-framework/Dockerfile

FROM ruby:2.6.6-alpine3.10 AS builder
LABEL maintainer="Rapid7"

ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
ENV APP_HOME=/usr/src/metasploit-framework
ENV BUNDLE_IGNORE_MESSAGES="true"
WORKDIR $APP_HOME

COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME/
COPY lib/metasploit/framework/version.rb $APP_HOME/lib/metasploit/framework/version.rb
COPY lib/metasploit/framework/rails_version_constraint.rb $APP_HOME/lib/metasploit/framework/rails_version_constraint.rb
COPY lib/msf/util/helper.rb $APP_HOME/lib/msf/util/helper.rb

RUN apk add --no-cache \
      autoconf \
      bison \
      build-base \
      ruby-dev \
      openssl-dev \
      readline-dev \
      sqlite-dev \
      postgresql-dev \
      libpcap-dev \
      libxml2-dev \
      libxslt-dev \
      yaml-dev \
      zlib-dev \
      ncurses-dev \
      git \
    && echo "gem: --no-document" > /etc/gemrc \
    && gem update --system 3.0.6 \
    && bundle install --force --clean --no-cache --system $BUNDLER_ARGS \
    # temp fix for https://github.com/bundler/bundler/issues/6680
    && rm -rf /usr/local/bundle/cache \
    # needed so non root users can read content of the bundle
    && chmod -R a+r /usr/local/bundle


FROM ruby:2.6.5-alpine3.10
LABEL maintainer="Rapid7"

ENV APP_HOME=/usr/src/metasploit-framework
ENV NMAP_PRIVILEGED=""
ENV METASPLOIT_GROUP=metasploit

# used for the copy command
RUN addgroup -S $METASPLOIT_GROUP

RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs postgresql-libs python python3 ncurses libcap su-exec

RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)

COPY --from=builder /usr/local/bundle /usr/local/bundle
RUN chown -R root:metasploit /usr/local/bundle
COPY . $APP_HOME/
RUN chown -R root:metasploit $APP_HOME/
RUN chmod 664 $APP_HOME/Gemfile.lock
RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml

WORKDIR $APP_HOME

# we need this entrypoint to dynamically create a user
# matching the hosts UID and GID so we can mount something
# from the users home directory. If the IDs don't match
# it results in access denied errors.
ENTRYPOINT ["docker/entrypoint.sh"]

CMD ["./msfconsole", "-r", "docker/msfconsole.rc", "-y", "$APP_HOME/config/database.yml"]
bump ruby versions Address a some recent Ruby vulns by bumping suggested versions to the latest release. 2020-04-15 20:57:49 +08:00			`FROM ruby:2.6.6-alpine3.10 AS builder`
more docker work 2017-11-29 04:35:20 +08:00			`LABEL maintainer="Rapid7"`
Dockerfile and Docker Compose for Metasploit Adds a basic Dockerfile and docker-compose config. `docker-compose.yml` adds a named volume for postgres so data should persist. `$HOME/.msf4` will be mounted to `/root/.msf4` by default. port 4444 is exposed by default Basic Usage: docker/bin/msfconsole docker/bin/msfvenom 2016-07-19 02:38:57 +08:00
more docker work 2017-04-22 08:10:00 +08:00			`ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"`
change docker root exec 2018-10-22 04:30:01 +08:00			`ENV APP_HOME=/usr/src/metasploit-framework`
more docker work 2017-11-29 04:35:20 +08:00			`ENV BUNDLE_IGNORE_MESSAGES="true"`
Dockerfile and Docker Compose for Metasploit Adds a basic Dockerfile and docker-compose config. `docker-compose.yml` adds a named volume for postgres so data should persist. `$HOME/.msf4` will be mounted to `/root/.msf4` by default. port 4444 is exposed by default Basic Usage: docker/bin/msfconsole docker/bin/msfvenom 2016-07-19 02:38:57 +08:00			`WORKDIR $APP_HOME`

change docker root exec 2018-10-22 04:30:01 +08:00			`COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME/`
more docker work 2017-11-29 04:35:20 +08:00			`COPY lib/metasploit/framework/version.rb $APP_HOME/lib/metasploit/framework/version.rb`
			`COPY lib/metasploit/framework/rails_version_constraint.rb $APP_HOME/lib/metasploit/framework/rails_version_constraint.rb`
			`COPY lib/msf/util/helper.rb $APP_HOME/lib/msf/util/helper.rb`
Dockerfile and Docker Compose for Metasploit Adds a basic Dockerfile and docker-compose config. `docker-compose.yml` adds a named volume for postgres so data should persist. `$HOME/.msf4` will be mounted to `/root/.msf4` by default. port 4444 is exposed by default Basic Usage: docker/bin/msfconsole docker/bin/msfvenom 2016-07-19 02:38:57 +08:00
Dockerfile: Use Multi-Stage Build 2018-10-04 07:54:35 +08:00			`RUN apk add --no-cache \`
more docker work 2017-04-22 08:10:00 +08:00			`autoconf \`
			`bison \`
			`build-base \`
			`ruby-dev \`
update to ruby 2.6.1 and alpine 3.9 2019-02-06 00:57:38 +08:00			`openssl-dev \`
more docker work 2017-04-22 08:10:00 +08:00			`readline-dev \`
			`sqlite-dev \`
			`postgresql-dev \`
			`libpcap-dev \`
			`libxml2-dev \`
			`libxslt-dev \`
			`yaml-dev \`
			`zlib-dev \`
			`ncurses-dev \`
git is really needed in docker too 2017-07-17 22:41:47 +08:00			`git \`
lock rubygems version for Docker image Latest rubygems release for 3.1.0 vendors bundler 2.1.0 creating compatibilty issues. Lock for now until all relates issues can be addressed. 2019-12-17 00:05:07 +08:00			`&& echo "gem: --no-document" > /etc/gemrc \`
			`&& gem update --system 3.0.6 \`
Need to `force` on bunlde when using `clean`. 2020-01-10 01:28:43 +08:00			`&& bundle install --force --clean --no-cache --system $BUNDLER_ARGS \`
remove bundle cache after install 2018-10-04 19:23:55 +08:00			`# temp fix for https://github.com/bundler/bundler/issues/6680`
reduce docker image size 2018-10-04 22:21:46 +08:00			`&& rm -rf /usr/local/bundle/cache \`
			`# needed so non root users can read content of the bundle`
			`&& chmod -R a+r /usr/local/bundle`

Dockerfile: Use Multi-Stage Build 2018-10-04 07:54:35 +08:00
Updated Dockerfile to Alpine 3.10 with Ruby 2.6.5 2019-10-31 06:16:03 +08:00			`FROM ruby:2.6.5-alpine3.10`
Dockerfile: Use Multi-Stage Build 2018-10-04 07:54:35 +08:00			`LABEL maintainer="Rapid7"`

change docker root exec 2018-10-22 04:30:01 +08:00			`ENV APP_HOME=/usr/src/metasploit-framework`
Dockerfile: Use Multi-Stage Build 2018-10-04 07:54:35 +08:00			`ENV NMAP_PRIVILEGED=""`
change docker root exec 2018-10-22 04:30:01 +08:00			`ENV METASPLOIT_GROUP=metasploit`
Dockerfile: Use Multi-Stage Build 2018-10-04 07:54:35 +08:00
change docker root exec 2018-10-22 04:30:01 +08:00			`# used for the copy command`
			`RUN addgroup -S $METASPLOIT_GROUP`
Dockerfile: Use Multi-Stage Build 2018-10-04 07:54:35 +08:00
			`RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs postgresql-libs python python3 ncurses libcap su-exec`

add caps to ruby 2017-04-27 16:55:03 +08:00			`RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)`
more docker work 2017-11-29 04:35:20 +08:00			`RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)`
add caps to ruby 2017-04-27 16:55:03 +08:00
fix compatibility with --chown flag with COPY 2019-09-10 12:02:26 +08:00			`COPY --from=builder /usr/local/bundle /usr/local/bundle`
			`RUN chown -R root:metasploit /usr/local/bundle`
			`COPY . $APP_HOME/`
			`RUN chown -R root:metasploit $APP_HOME/`
fix permissions bug Gemfile.lock There was an error while trying to write to /usr/src/metasploit-framework/Gemfile.lock. It is likely that you need to grant write permissions for that path. 2019-09-09 18:59:19 +08:00			`RUN chmod 664 $APP_HOME/Gemfile.lock`
change docker root exec 2018-10-22 04:30:01 +08:00			`RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml`

reduce docker image size 2018-10-04 22:21:46 +08:00			`WORKDIR $APP_HOME`
change docker root exec 2018-10-22 04:30:01 +08:00
another approach 2018-02-18 03:12:35 +08:00			`# we need this entrypoint to dynamically create a user`
			`# matching the hosts UID and GID so we can mount something`
			`# from the users home directory. If the IDs don't match`
change docker root exec 2018-10-22 04:30:01 +08:00			`# it results in access denied errors.`
another approach 2018-02-18 03:12:35 +08:00			`ENTRYPOINT ["docker/entrypoint.sh"]`

change docker root exec 2018-10-22 04:30:01 +08:00			`CMD ["./msfconsole", "-r", "docker/msfconsole.rc", "-y", "$APP_HOME/config/database.yml"]`